Archive | October, 2011

VeriSign Demands The Power To Take Down Websites/Domains

Outsmart Malicious Hackers


I was scanning the news today, and nothing much was going on. There were some half-arsed stories about Anonymous and LulzSec – but nothing really worth writing about. And then, and then I spotted this, which quite frankly scares the shit out of me.

As much as it may well have a use in law enforcement, I’m sorry but I don’t want any single organization, corporation or entity to have the power to take out domains.

It’s just plain wrong, and well the UK has already started tabling something like this back in September.

VeriSign, which manages the database of all .com internet addresses, wants powers to shut down “non-legitimate” domain names when asked to by law enforcement.

The company said today it wants to be able to enforce the “denial, cancellation or transfer of any registration” in any of a laundry list of scenarios where a domain is deemed to be “abusive”.

VeriSign should be able to shut down a .com or .net domain, and therefore its associated website and email, “to comply with any applicable court orders, laws, government rules or requirements, requests of law enforcement or other governmental or quasi-governmental agency, or any dispute resolution process”, according to a document it filed today with domain name industry overseer ICANN.

The company has already helped law enforcement agencies in the US, such as the Immigration and Customs Enforcement agency, seize domains that were allegedly being used to sell counterfeit goods or facilitate online piracy, when the agency first obtained a court order.

That seizure process has come under fire because, in at least one fringe case, a seized .com domain’s website had already been ruled legal by a court in its native Spain.

Senior ICE agents are on record saying that they believe all .com addresses fall under US jurisdiction.

But the new powers would be international and, according to VeriSign’s filing, could enable it to shut down a domain also when it receives “requests from law enforcement”, without a court order.

Yes VeriSign do manage all the .com and .net domains, but they aren’t technically ruled under the US jurisdiction – there are plenty of .com domains that are hosted outside of the US, including the DNS infrastructure.

What I’m especially interested in, is how they plan to handle the fact that lots of things are illegal in some countries and perfectly legal in others. The part that scares me is they will be able to take down a domain without a court order, just on ‘request’ from a law enforcement agency.

To me, that opens it up to abuse – if you are going to do something like this, at least institute a due process to manage it properly.


“Various law enforcement personnel, around the globe, have asked us to mitigate domain name abuse, and have validated our approach to rapid suspension of malicious domain names,” VeriSign told ICANN, describing its system as “an integrated response to criminal activities that utilize Verisign-managed [top-level domains] and DNS infrastructure”.

The company said it has already cooperated with US law enforcement, including the FBI, to craft the suspension policies, and that it intends to also work with police in Europe and elsewhere.

It’s not yet clear how VeriSign would handle a request to suspend a .com domain that was hosting content legal in the US and Europe but illegal in, for example, Saudi Arabia or Uganda.

VeriSign made the request in a Registry Services Evaluation Process (RSEP) document filed today with ICANN. The RSEP is currently the primary mechanism that registries employ when they want to make significant changes to their contracts with ICANN.

The request also separately asks for permission to launch a “malware scanning service”, not dissimilar to the one recently introduced by ICM Registry, manager of the new .xxx extension.

That service would enable VeriSign to scan all .com websites once per quarter for malware and then provide a free “informational only” security report to the registrar responsible for the domain, which would then be able to take re-mediation action. It would be a voluntary service.

Scary thoughts really. However the malware scanning service sounds like something that would help the Internet clean up all the nasty stuff, but then again – do the registrars really care, and would they respond?

Either way, I don’t like the fact that these draconian control laws may be placed on the Internet as we know – that basically allow US law enforcement agencies to take down domains as they please.

What I’m guessing, if this is implemented, it may well become a major target for Social Engineering efforts. What’s more effective than a traditional DDoS attack? Having the domain completely killed by VeriSign – that’s what.

Source: The Register

Posted in: Legal Issues, Social Engineering, Web Hacking

Topic: Legal Issues, Social Engineering, Web Hacking


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.


File Disclosure Browser – Tool To Explore .DS_Store Files

Keep on Guard!


The File Disclosure Browser takes .DS_Store files found on websites and parses through them to find a list of all potential files in the directory. It can then either just display the URLs for the files or if you give it a proxy it can browse to the files itself.

The author wrote it after reading the PDC blog post on passing DirBuster through Burp and figured doing the same thing for the contents of DS_Store files would be useful. He also plans to extend this to work with other disclosure files, including dwsync.xml files created by Dreamweaver and possibly some of the code repository files, cvs, svn, git etc.

Requirements

To run the app you need to install the CPAN module, you can do this by becoming root, entering the CPAN shell then asking it to do the install:

You can download File Disclosure Browser v1.0 here:

fdb_1.0.tar.bz2

Or read more here.

Posted in: Forensics, Privacy, Web Hacking

Topic: Forensics, Privacy, Web Hacking


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.


New Research Shows Facebook’s URL Scanner Is Vulnerable To Cloaking

Keep on Guard!


Oh look, Facebook security (or insecurity) is in the news again – not that this technique is anything revolutionary or ground-breaking.

It’s basically a HTTP referer detection system for the Facebook URL scanner (the thing that generates the preview/thumbnail etc for links posted to Facebook). By detecting it, you can feed it something benign – but when a normal user comes – feed them some malware.

So be careful what you click in Facebook, or Google+ or anything else that gives you a preview but doesn’t really show you the URL or what is on the page.

Members of a hacking think-tank called Blackhat Academy claim that Facebook’s URL scanning systems can be tricked into thinking malicious pages are clean by using simple content cloaking techniques.

Such attacks involve Web pages filtering out requests that come from specific clients and feeding them content that is different from what is displayed to regular users.

Attackers have been using this method to poison search results on Google for years now by serving keyword-filled pages to its indexing robot, but redirecting visitors to malware when they click on the links. However, it turns out that Facebook is also vulnerable to this type of content forging. “Hatter,” one of the Blackhat Academy members, provided a live demonstration, which involved posting the URL to a JPEG file on a wall.

Facebook crawled the URL and added a thumbnail image to the wall post, however, clicking on its corresponding link actually redirected users to YouTube. This happened because the destination page was able to identify Facebook’s original request and served a JPEG file.

“While most major sites that allow link submission are vulnerable to this method, sites including Websense, Google+ and Facebook make the requests easily identifiable,” the Blackhat Academy hackers said.

This kind of technique is VERY popular in the Blackhat SEO world, or at least it was back in the day – you could feed pages to the search engines that weren’t really human readable, but they were perfect in terms of link density, keywords and so on for Google and other search engines.

When humans visited, they’d get the normal page – when search bots visited they’d get a specially tailored version to hike the page up in the rankings. I’m not sure if it goes on (Google is a hell of a lot smarter now) – but I’d be surprised if it’s totally gone.

Websense of course are claiming that it doesn’t really effect them due to the all the l33t techniques they use to filter URLs…cool story bro.


“These sites send an initial request to the link in order to store a mirror thumbnail of the image, or a snapshot of the website being linked to. In doing so, many use a custom user agent, or have IP addresses that resolve to a consistent domain name,” they explained.

Earlier this week, Facebook signed a partnership with Websense to use the security vendor’s cloud-based, real-time Web scanner for malicious URL detection. Blackhat Academy has now provided proof-of-concept code, which, according to its advisory, can be used to bypass it.

Websense doesn’t believe that to be the case. “This is nothing new. We use numerous methodologies and systems to ensure that our analysis of content (in real time) is not manipulated by malware authors, including using IP addresses not attributable to Websense so that malware authors are unaware that it is Websense analyzing the content,” the company said.

“Also, the Websense ThreatSeeker Network is fed via an opt-in feedback loop from tens of thousands of customers distributed globally. These IPs are also not attributable to Websense.com. It is because of technologies like this that Facebook chose Websense to provide protection for their growing user base of more than 750 million users,” it added.

That could well be true, but it’s worth keeping in mind that Websense primarily sells security solutions to businesses and Facebook is usually blocked on many corporate networks. It would be logical to assume that relying on its customers’ appliances to scan URLs on the social networking website might not have an immediate impact.

I know Facebook have signed the agreement, but have they started using Websense filtering yet? We did write something about their collaboration last year – Websense Offers Facebook Users Free ‘Firewall’ Service.

Well if it keeps Facebook users safe from malware, and stops us having to fix more computers for our friends and relatives – it’s good in my books.

We will have to wait and see though until it’s fully implemented if it stops the next round of Facebook malware from sprouting and running riot.

Source: Network World

Posted in: Exploits/Vulnerabilities, Malware

Topic: Exploits/Vulnerabilities, Malware


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.


CIAT – The Cryptographic Implementations Analysis Toolkit

Keep on Guard!


The Cryptographic Implementations Analysis Toolkit (CIAT) is a compendium of command line and graphical tools whose aim is to help in the detection and analysis of encrypted byte sequences within files (executable and non-executable). It is particularly helpful in the forensic analysis and reverse engineering of malware using cryptographic code and encrypted payloads.

This was an interesting find because it wasn’t too long ago I published a post about Mediggo, a Tool To Detect Weak Or Insecure Cryptosystems Using Generic Cryptanalysis Techniques.

Requirements

Windows Binaries included in this distribution as well as supporting libraries were compiled using gcc, Mingw and Msys.

Linux binaries were compiled using gcc 4.1.2. They were tested from command line in machine with Windows Vista Home Premium (32 bit + SP1) and on Linux Gentoo 2008.0 X86 operating systems.



They should run without problems in any computer with Windows 2000, XP or VISTA 32bit and any Linux x86 with Mesa3-D, but I cannot guarantee that. If you have problems with these
binaries or want to run the programs in other platform you’ll need to compile them yourself.

Compiling

Version 1.02 includes standard configuration scripts for Unix like systems. The old Makefile (Makefile.linux32) is still included; if you use Windows I suggest you use MINGW+MSYS.

You can download CIAT v1.02 here:

ciat-1.02.zip

Or read more here.

Posted in: Cryptography, Forensics

Topic: Cryptography, Forensics


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.


Security By Obscurity Not So Bad After All?

Keep on Guard!


I’m sure you’ve been taught, as have I – that security through or by obscurity is bad (changing port numbers, removing service banners and so on). I’ve personally always used it, as an additional line of defence on my systems.

As a hacker I know, the more information a system gives me straight off the bat – the easier it’s going to be for me to hack it. Well the latest news is that this tactic may not be so bad after all.

Security by obscurity may not be so bad after all, according to a provocative new research paper that questions long-held security maxims.

The Kerckhoffs’ Principle holds that withholding information on how a system works is no security defence. A second accepted principle is that a defender has to defend against all possible attack vectors, whereas the attacker only needs to find one overlooked flaw to be successful, the so-called fortification principle.

However a new research paper from Prof Dusko Pavlovic of Royal Holloway, University of London, applies game theory to the conflict between hackers and security defenders in suggesting system security can be improved by making it difficult for attackers to figure out how their mark works. For example, adding a layer of obfuscation to a software application can make it harder to reverse engineer.

I agree with this, I wouldn’t exactly say this is ground-breaking though – I’ve always believed this. It’s not that I’d use obscurity as a singular defence, but I don’t see how it makes a system any less secure – the fact is from my perspective it definitely makes it harder to attack.

I mean the way in which Pavlovic is looking at it is rather more complex (in terms of a game), but it’s the same idea – if the attacker has less information, he’s going to have a harder time. Surely this all goes way back to Sun Tzu art of war..


Pavlovic compares security to a game in which each side has incomplete information. Far from being powerless against attacks, a defender ought to be able to gain an advantage (or at least level the playing field) by examining an attacker’s behaviour and algorithms while disguising defensive moves. At the same time defenders can benefit by giving away as few clues about their defensive posture as possible, an approach that the security by obscurity principle might suggest is futile.

Public key encryption works on the basis that making the algorithm used to derive a code secret is useless and codes, to be secure, need to be complex enough so that they can’t be unpicked using a brute force attack. As computer power increases we therefore need to increase the length of an encryption key in order outstrip the computational power an attacker might have at his disposal. This still hold true for cryptography, as Pavlovic acknowledges, but may not be case in other scenarios.

Pavlovic argues that an attacker’s logic or programming capabilities, as well as the computing resources at their disposal, might also be limited, suggesting that potential shortcomings in this area can be turned to the advantage of system defenders.

Of course obscurity should never be used in cryptography, that would just be idiotic – but when it comes to defending networks, servers and systems – I’m fine with it as an additional precaution.

I think this might spawn some interesting discussion either way, what do you guys think?

You can read the paper here: Gaming security by obscurity [PDF]

Source: The Register

Posted in: Countermeasures, Hacking News

Topic: Countermeasures, Hacking News


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.


MagicTree v1.0 Released – Productivity Tool For Penetration Testers

Keep on Guard!


We wrote about MagicTree back in January of this year when it was first launched – MagicTree – Penetration Tester Productivity Tool .

It’s come quite a long way and the authors are happy to announce that MagicTree version 1.0 has been released and is available for download.

MagicTree is a productivity tool for penetration testers. It allows consolidating data coming from various security tools, query and re-use the data and generate reports. It’s aim is to automate the boring and the mind-numbing work, so you can spend your time hacking.

Version 1.0 includes a lot of bug fixes and a number of new features, such as:


  • Support for Acunetix data import
  • Support for W3AF data import
  • Support for OpenVAS 4 XML format
  • Importing data from flat text files
  • Simplified manual creation of ports
  • Copy/paste and drag and drop support for tree nodes, table view data, queries and tasks
  • mt:sort() custom XPath function for sorting data, such as findings, in TableView and reports
  • More sophisticated auto-creation of tree nodes. We now support netblocks in various formats (192.168.1.1/24 , 192.168.1.0-192.168.1.255, 192.168.1.0/255.255.255.0), DNS names, IP addresses and URLs.
  • Search in output files panel
  • Creating cross-references by drag and drop
  • Better support for KDE and XFCE desktop environments on Linux. View in Browser and opening reports now works on both.

The full changelog is available here – ChangeLog-1.0.txt

You can download MagicTree v1.0 here:

MagicTree-1.0-build1615.jar

Or read more here.

Posted in: Hacking News, Security Software

Topic: Hacking News, Security Software


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.