Hacker's e-Mag

Social Engineering [from Eden Guide to Hacking >> Active Recon]

2011-10-03T09:09:00.000-07:00

Eden Guide To Hacking : https://github.com/abhishekkr/eden_guide_to_hacking

Social Engineering
direct link : https://github.com/abhishekkr/eden_..... ineering.txt

Most creative non-technical hacker practice known to mankind.

a.) It's Art of Communication with People for 'Information Leakage'.

You have a 'Victim' identified by now and wanna collect more and more available information related to them.
Not just any relevant information, but sensitive details, that Victim or related people handover to you in confidence.
You think like a con-artist, assess weakness of your victim & the possibilities of make-believe for them.
Then you come up with an entire scenario to pose yourself a reliable savior for your Victim to be saved; a benefactor.
And you will find them revealing such discreet and sensitive information so that they can encash the situation to its max. And let you gather all sensitive information that you can.

b.) Example: "The pretend employee loosing access at critical time"

You are a management personnel on client location in middle of a very life-changing deal.
You need to get some files from your organization's machine or file-share; but can't access them due to firewall policies on either side.
If you can't seal the deal, the failure will take away your job and the person refusing you such crucial-moment help.
And there are many chances that you'll get the data fetched from your pretended 'Employee', mailed to you.

c.) Example: "I'm here to check your Network from Agency"

You are at home of your Victim when some family member, hopefully not much security aware is in-charge and pose as the Network Guy from the Telecom Agency they use.
Offering new organization customer satisfaction mumble-jumble, you try to get access to check health status of network devices installed there, and more computing devices if possible.
Now, if the devices are tweakable without any credential request from the family member there... try that first.
If it doesn't work and even they don't have access, then pose as attempting the 'Master Password' so they don't inform the Victim.

d.) For ultimate case studies, read "Art of Deception" by "Kevin Mitnick", the most famous Social Engineering Hacker 'known'.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

BEAST beating SSL & TLS :: What You Can do to be Secured

2011-09-23T09:25:00.000-07:00

B.E.A.S.T.?
Browser Exploit Against SSL/TLS Tool [B.E.A.S.T.], is the new Javscript utility created by J. Rizzo & T. Duong capable of breaking SSL3.0 & TLS1.0 level protection for HTTPS connections and deciphering the secure connection data.

What It Does?
There have been previous mention of cryptanalysis attacks over
+ SSL3.0
| (a Paper 'Analysis of SSL3.0 Protocol' by D.Wagner & B.Schneier in 1999 ), &
+ TLS1.0
| (a Paper 'Renegotitating TLS' by Marsh Ray in 2009).
B.E.A.S.T. is a pure exploit tool built over these (or similar) visions.
B.E.A.S.T. is based upon blockwise-adaptive chosen-plaintext attack approach exploited on victim's end via man-in-the-middle attack.

Point-to-Note!
It's a MitM over Browser, javascript injected does all harvesting of plaintext attack (which currently takes around 30 minutes for useful data) and then enables you to break the encrypted session.

Security Measures until F!XED

Use a different browser (totally different, i.e. just not a new instance of same browser but a new browser, as in FireFox & Chrome are different) for browsing your Secured Connection. And a different browser for you general web surfing experience, even any external links from your secured session used browser should be copied and opened in the general web-surfing browser.
It's better if the browser used for secured session is used in Private Browsing Mode.
Don't keep log-in active in any service if you are not using it currently.

Something you should already be doing, if not start now...
Use browser extensions like AdBlock & NoScript, to protect your browser from injected IFrames and infected AdServices which are the major source channel for BEAST also.

To get a more detailed insight at the exploit Paper & Code, get your hands over
http://www.insecure.cl/Beast-SSL.rar

What to do at Server Side
http://isc.sans.edu/diary/SSL+TLS+part+3+/11635

Open Intelligence Gathering FOR Passive Reconnaissance FROM "Eden Guide To Hacking"

2011-09-13T09:00:00.000-07:00


Open Intelligence Gathering : github.com/abhishekkr.....Open_Intelligence..


FOR 


Passive Reconnaissance : github.com/abhishekkr.....section0_Passive_Recon


FROM 


"Eden Guide To Hacking" : github.com/abhishekkr/eden_guide_to_hacking




The following content structure is discussed in detail @

https://github.com/abhishekkr/eden_guide_to_hacking/blob/b00ef1502b9f91953f5d734efd4a03c3a0f04002/part1_Hacking_Cycle/chapter4_Reconnaissance/section0_Passive_Recon/article0_Open_Intelligence_Gathering.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[+] Open Intelligence Gathering
 |
 |[+] What Is Open Intelligence?
 |
 |[+] Legal Documents Got Them
 |
 |[+] Search Engines Sort Them
 |
 |[+] Web Activity Caught Them
 | |
 | |[+] You Blog/Comment
 | |[+] You Socialize
 | |[+] You Subscribe
 | |[+] You Show/Click Ads
 | |[+] Even If You Surf Web
 | |_
 |
 |[+] Automating the Act
 | |
 | |[+] Paterva Maltego CE
 | | |[+] URL
 | | |[+] What it does?
 | | |[+] Example Usage
 | | |_
 | |
 | |[+] The Harvester
 | | |[+] URL
 | | |[+] What it does?
 | | |[+] Example Usage
 | | |_
 | |_
 |_

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"DevOps with SecOps" ~ short intro to Security Implications in DevOps Process

2011-08-29T05:47:00.000-07:00

It's a short introduction to Security Implications in the new emerging & highly required domain of DevOps.

DevOps with Sec-ops

View more presentations from Abhishek Kumar

As currently, the major concern around DevOps world is 'The Mantra of Automation' at the level of
+ System/Environments Provisioning
    (easy & fast using Cloud Support)
+ Idempotent Configuration
    (using Automated Configuration Services)
+ Logging & Analytics
    (using automated detailed logging and clever analysis )

This presentation just mentions the security considerations related to all these 3 DevOps processes...

+ Provisioning being affected by

 |=+ Non-Robust Cloud Frameworks,

 |=+ Vulnerable Service APIs, &

 |=+ Virtualization BreakOuts

|

+ Configuration Management threatened by

 |=+ Non-Robust Services, &

 |=+ Non-preferred storage of sensitive

 |     configuration data

|

+ Analytics

 |=+  Log Analysis frameworks have been 

 |     several times attacked by infecting 

 |     the received logs resulting in service

 |     level non-sanitized input  attacks. 

|_

howto check for safety of Shorten URLs before opening them in your browsers

2011-08-11T15:37:00.000-07:00

Short URLs were in fashion a while back and now they are in requirement.
No matter which social, professional or public web portal you browse, you get to see short url.

But Short URLs from so many sources are not secure as a carefully planted short url redirecting (sometimes single redirection and sometimes multiple) to an infected web portal.
So, all the short links from non-reliable sources must be first traced back to original links and only visited if they cross-check successfully.

So, how to know the actual portal to be visited without using that URL and following it to final location.

[] from your shell
$ curl --head -L http://short.en/url | grep Location:
so, place the short url to be checked in place of "http://short.en/url" in the command provided above and then you can see the entire url trace and the final url to be visited...
~~~~~~~~~~~~~~~~~~~~

[] from the web-app
Link: http://webhoudini.appspot.com/

At this portal paste in the link in Short URL text box and click the 'Unshorten' button to see the actual redirected URL.

~~~~~~~~~~~~~~~~~~~~

[Eden Guide to Hacking] 'Hacking Philosophy' ~ from Rig Veda and Sun Tzu's Art of War

2011-07-28T01:24:00.000-07:00

This is a part of "Eden Guide to Hacking" which is my writing attempt for a quick to read, broadway guide to HACKING ~ for anyone to have grasp of important concepts and skills which makes up the knowledge base of a hacker.
W.I.P. @ https://github.com/abhishekkr/eden_guide_to_hacking/

'Hacking Philosophy' ~ from Rig Veda and Sun Tzu's Art of War

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Art of Hacking
 |
 |[+] from 'Rig Veda'
 | |
 | |[+] "Who so would kill us, 
 | |  whether he be a strange foe or one of us."
 | |  Means: "The security parameters could be defeated by
 | |   (un/mis)-handled feature or an already compromised
 | |   component present within an un-breakable system."
 | |
 | |[+] "Loosed from the Bowstring fly away, thou arrow,
 | |   sharpened by our Prayer.
 | |  Go to the foemen, strike them home, and let not one
 | |   be left alive."
 | |  Means: "Make an exploit robust, accurate, infectious
 | |   and untraceable."
 | |_
 |
 |[+] skills could be seen as 13 chapters of Sun Tzu's
 | | 'Art of War' ~
 | |
 | |[+] Laying Plans
 | | |
 | | |[+] Exploit the parameter never thought to be a
 | | |  part of the security implications of the system.
 | | |_
 | |
 | |[+] Waging War
 | | |
 | | |[+] Don't overburden yourself with complex routes,
 | | |  if there exist less techie but more easy options.
 | | |_
 | |
 | |[+] Strategic Attack Planning
 | | |
 | | |[+] Exploit the parameter never thought to be a
 | | |  part of the security implications of the system.
 | | |_
 | |
 | |[+] Tactical Disposition
 | | |
 | | |[+] First secure your own location & technologies,
 | | |  then you are in safe & stronger place to attack.
 | | |_
 | |
 | |[+] Directed Energy
 | | |
 | | |[+] Attacking a complex security infrastrucure is
 | | |  no different than a simple one. Break it down.
 | | |_
 | |
 | |[+] Weaknesses & Strengths
 | | |
 | | |[+] Analyze the system well to aim its vulnerability
 | | |  and leave it's alarm system untouched.
 | | |_
 | |
 | |[+] Engaging the Force
 | | |
 | | |[+] One can't defeat an opponent without knowledge
 | | |  of opponent's security & service design.
 | | |_
 | |
 | |[+] Variations & Adaptability
 | | |
 | | |[+] The system, service & security could be set up
 | | |  with any kind of tweaking and hence makes the 
 | | |  pre-analysis for attack a failure.
 | | |  Attacker must be always ready to amend its ways.
 | | |_
 | |
 | |[+] The Army on the March
 | | |
 | | |[+] When to attack, and when to wait.
 | | |  Instincts to stay out of trap & sense enemies.
 | | |_
 | |
 | |[+] Situational Positioning
 | | |
 | | |[+] Access, attack & safety parameters involved.
 | | |_
 | |
 | |[+] The 9 Battlegrounds
 | | |
 | | |[+] Different types of security parameters lead to
 | | |  different attack or sometimes no attack practices.
 | | |_
 | |
 | |[+] 5 Ways of Attacking with Fire
 | | |
 | | |[+] Break-in target's system with deception
 | | |[+] Starve the resources powering security
 | | |[+] Attack availability of service
 | | |[+] Defeat the implemented security system
 | | |[+] Infect reachable systems related to target
 | | |_
 | |
 | |[+] Intelligence & Espionage
 | | |
 | | |[+] Gather as much information possible and 
 | | |  try attacks like spear phishing to have a slave.
 | | |_
 | |_
 |
 |[+] It's your Dharma to Hack, if you are a Geek.
 |
 |[+] & it all starts in following part of this Eden Guide
 |_
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Link: https://github.com/abhishekkr/eden_guide_to_hacking/blob/master/part0_Fundamentals/chapter2_Hacking_Philosophy/article1_Art_of_Hacking.txt

User Authentication & Authorization [AT] Google AppEngine

2011-06-30T09:19:00.000-07:00

AppEngine, a PaaS provided with a 'limited free' version to all GMail users (Google Account Owners). So, you can host your WebContent their making use of Python, Java or Go.

AppEngine enables you to use existing Google A/c of your Web-App users to be used for their authentication & authorization at your AppEngine-hosted Web-App also.

So, there are two main ways to acieve that:

to import google.appengine.api.users
this USERS module from AppEngine APIs enables your Web-App to identify the users on the basis of their Google A/c ID (GMail ID) and then make the decision of routing the user to secured Resource or forbidden resource error message.
[ An Example on Usage ]
to specify 'login' under 'app.yaml'
so the major basic configuration about your Web-App and routing configuration reside in 'app.yaml' file which has default location of Web-App root location.
So, you can specify at secured 'url' specifications to enforce user for a Google A/c (GMail) login.
[ An Example Of Usage ]

In, both of these implementations whenever a user tries to visit a 'secured url' on your Web-App, they are automatically redirected to Google A/c Log-In page further redirecting them back to your Web-App on succesful log-in.

The Curious Case of static_dir

Initially while working for my newly initiated opensource project 'py-gae-legs', I added entire 'secure URL' logic by method#1 i.e. using 'users' api.
It was all working fine & secured until I added some static-content using static_dir and tried securing it's url using the same tactic.

But, there was a thing about 'static_dir' which I investigated after my supposed-to-be secure static_dir's content was all publicly available if someone could enumerate/know the complete url.
{I'm in the category of people who keep their learning pace up along with working over it... and anyway I wasn't gonna read the entire #^(

The thing about it was... the directories marked to be 'static_dir' in 'app.yaml' are no more located on the AppEngine Server in the same location after you update your Web-App.
So, the entire directory structure would remain same... it's just that the 'static_dir' marked locations would somehow vanish from it on your Web-App's location at AppEngine and served from some other provision made by Google which maps back to the location.

So, to secure the 'static_dir' located urls... the only way ( that I know of ) is to implement it at the very core of Web-App configurations i.e. in 'app.yaml' using the Method#2.

So, you can enforce Google Login to be mandatory by setting 'login:required' for that 'url' setting. If you want only a selected Users to see that, then you'll have to add all those Google A/c (GMail) IDs by doing following
[a.] goto Dashboard of your GoogleAppEngine Web-App,
the URL-Box link would look like:
https://appengine.google.com/permissions?app_id=s%7E$GAE_APPLICATION_NAME
[b.] click the link 'Permission' from Right-Menu-Column,
[c.] now, invite all those user's by providing their e-mail ID and changing their role to 'Viewer'and at app.yaml provide 'login:admin' instead of 'login:required'.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Lately, I've been involved at starting an OpenSource project 'py-gae-legs'.

It's a very basic subset of WebApp-Framework for the lovers of RoR (have been working on it for past few months, love the ease it gives but hate the convention being the soul) style of web-app creation.

This project just aims web-development specifically aimed to be hosted over AppEngine (currently).
Almost done with it's basic starters to look at:
[] gae-flat-web : to create an architecture hosting your already created static website, http://gae-flat-web.appspot.com
[] gae-private-web : [W.I.P.] to host all your private content hosted securely (by Google) in an by-invite only website

How I got "2 Time Life-Time Banned" From Google Adsense

2011-05-25T16:05:00.000-07:00

A Life-Time Ban from Google Adsense

I kin'of registered for Google Adsense service on my portal [ http://www.alwayspost.cjb.net/ (it's dead now, no more belongs to me) ] in very initial days, probably starting 2004.
I used to have few newbie blogs (not these, other newbie blogs) on blogger related to movies, wallpapers & technology.
So, in a very honest way I added the provided AdSense code to my blogs and started posting regularly. It was working at a sloooow rate but I was Ok with it.

I recently moved over from C++ to play with VB6 and was trying all fun stuff I could get my hands on.
One of the fun things I found was making mouse-clicks at desired locations.
& zooom~click~drag~code~drag~adjust~code...
there was an ie-ocx-control in a form, loading all my blogs one-by-one and code (pre-loaded with specific locations of X-Y locations of Ads on the pages) forging mouse-left-clicks on all Ads... all repeated with a simple Timer.

Just left it on for a night... had LOADS of Ad Clicks and never tried it again.
One week later, there was a mail from AdSense in my GMail A/c stating I've been banned for life-time from Google's AdSense service.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

'Second Life' in Google AdSense

I signed-up for a new e-mail address and tried registering with a new mailing address, and there it was... my new AdSense account.
This time I did nothing against the rules.

Google released Page Creator (which is closed now) and I registered a new portal on my mailing-address at [ http://abhikumar163.googlepages.com ] and start linking it on forums with nice technological content to get valid page hits.

And, I made a mistake. I placed a link to my old-&-no-more-existing-portal [ http://www.alwayspost.cjb.net/ ] which was the portal registered with my earlier AdSense account.

Google's Crawler & Staff noticed it after I attained some amount in my account, and blocked my account and banned me for life-time Second time.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Currently, I'm on my Second Life-time Ban... and don't wanna Third Play, may be when I get bored again.

Full site SSL-ification is not an option, need to make SSL secure first

2011-03-30T04:28:00.000-07:00

I have heard (Recently and in past) security aware lives wasting a lot of their potential over the argument like
+ 'Basic HTTP is insecure' {sometimes in novice past}
+ 'SSL-ify entire web service' {still a lot push is there}

Now, 'Basic HTTP' being insecure is not a flaw by design... but a flaw by choice.
First of all, when foundation of HTTP were laid attackers were not in the scene. The only concern was ultra productive usability and that is not possible putting all kind of security checks on the service.
Secondly, HTTP wasn't meant to be secure, it was just meant to transfer data in adhering to a protocol which can be used by web-services to recieve user's requests and deliver requested content, that's all.
Cryptography mixed into it will destroy the ease and speed it has. Cryptography over it is instead a necessary (in some cases) and correct (design) option.
Though it has been haunting the websites by attacks like
+[] SSL Stripping

It's due to a flaw in the way Security is implemented in a web application. For example, you visit Facebook Login page at facebook.com which have a HTTPS link in its unprotected page-content to send over the credentials in a protected manner. But what if some attacker using Monkey-in-the-Middle strategy changed that HTTPS link to a HTTP link and sniff your sent credentials... w00t right.

+[] Sidejacking

It occurs due to web-application sending cookie information over non-ssl links. This allows any Man-in-the-Middle to sniff the cookie then replicate in his/her own browser and use the service identifying user just on basis of cookie information... it pwn3d services like GMail, Y!Mail, Hotmail, etc. until Q1-2010.

Then, 'Full Site SSL-ification' is a good choice from theoretical security point-of-view, but just in theory.
Different SSL-Defeating attacks involving
+[] Flaws in Libraries like NSS

There was a (earlier exploited, later) famous flaw in libraries with the case of NULL inclusion in URLs used for Domain name on which SSL Certificate is being issued. Mozilla Engine used NSS Cryptography libraries purely written in C and using basic insecure string functions for comparisons were tricked by certificates for domain name like <<www.paypal.com\0innocent.com>> stopping at first null after <<www.paypal.com>>. Webkit, Opera used null-stripping but they were tricked in just reversed attack using certificates for domain-name like <<www.pay\0pal.com>> stripping out usefull null.

+[] Fake SSL Certificate generation

Not a flaw in SSL, neither in its implementation but in the authorities enforcing it.
In a recent disclosure, Comodo Inc (a major issuer of SSL Certificate) accepted that an attacker was able to get credentials of 'Comodo Registration Authority' based in Southern Europe.
An Iranian attacker used the privilege to issue 9 fraud SSL certificates to 7 web domains including those for Google, Yahoo and Skype.

So, if you will look deeper into serial-murder case file of
SSL Certificates, you'll see it ain't safe...
and so there is no point in argument over its mixed/full
implementation.

Indian Airport Internet ~ Hacking Policies Not Tweaking Systems

2011-03-15T23:16:00.000-07:00

Few Indian Airport avail WiFi Internet Connectivity to Customers... and what I'm going to discuss about is not hacking the WiFi Network but a simple naive way to hack the Service Scheme instead and gain much more free access than provided little i.e. 30min

I found it in two cities (Delhi, Bengaluru among visited Indian Airports) till now. Both have different hardware supporting it but the same service scheme.

The Service Acts in following way:
Step.1:
You'll get an Open WiFi Network by the name of Airport which lets you to connect without any credentials.
Connect to it.
Step.2:
Open web-browser and hit any URL; this will redirect you to a single page provided by Service Provider with details of how you can get credentials for free-demo WiFi-access.
Here, you'll have to submit your Mobile Phone number, which will receive SMS of credentials for demo access.
Get the credentials.
Step.3:
Use those credentials on the same page, under login section.
You are connected to WiFi for internet access until demo-time (30 minutes) pass.

Loopholes in Service Scheme:
[] Continuous Access For Longer Duration
The more mobile numbers you can have access to...

give your friends/family/personal/official Mobile Numbers to gain more demo credentials...
and simply ask them to forward respective SMS to you

...the more duration you can have demo WiFi access.

Now, the system don't check your MAC Address for earlier demo privileged machines...
so you don't even require anything as simple as mac-changer.

[] Parallel Access For Same Credential Set
As, I already said MAC is not checked... so suppose you have multiple WiFi enabled devices.
You can use the same credentials on all devices at the same time.
Just need to consider what is the time-frame for that credential to expire.

Presentation on "XSS Defeating Concept in (secure)SiteHoster" : 'nullcon-2011'

2011-03-04T07:23:00.000-08:00

this is the work that I presented in 'nullcon - 2011' an security conference held at Goa by an emerging Security Community of India known as 'null'
it's mainly regarding preventing XSS Attacks with an entire new Concept based on 'Bug-As-A-Service' and 'Attacking-The-Attacker'...
any views/questions/comments/critics/confusions
----------
Presentation:

Presentation on "XSS Defeating Concept in (secure)SiteHoster" : 'nullcon-2011'

View more presentations from Abhishek Kumar

----------
Concept-Part-1 WhitePaper:

XSS Defeating Trick ~=ABK=~ WhitePaper

View more documents from Abhishek Kumar

----------
Concept-Part-2 WhitePaper:

XSS Defeating Concept - Part 2

View more documents from Abhishek Kumar

----------

Apache SOLR ~ a talented yet careless server

2011-02-18T11:14:00.000-08:00

SOLR... what it is?
link: http://wiki.apache.org/solr/FAQ#What_is_Solr.3F
in short... it's an enterprise class search server

SOLR Security Consideration... are clearly stated
link: http://wiki.apache.org/solr/SolrSecurity

[] Solr does not concern itself with security either at the document level or the communication level.

[] It strongly recommends that the application server containing Solr be firewalled such that the only clients with access to Solr are your own

[] Default installation of Solr allows any client with access to it to add, update, and delete documents (and of course search/read too), including access to the Solr configuration and schema files and the administrative user interface.

[] Even if firewalled, it might be vulnerable to CSRF because Solr's basic behavior is to receive updates and deletes via HTTP...
So if you restricted Solr's /update handler to accept connections from approved hosts/clients... then also approved clients can be tricked to open another page with malicious script while they are authenticated at Solr.

[] Basic technique to mitigate this risk is to configure Servlet Container to server speicifc IPs or with HTTP-Authentication.

[] Solr doesn't aim to for Document Level Security, recommended way is through Apache Lucene Connector Framework.

SOLR is a very capable search server, but if you need to use it... be sure to make it unreachable.

Weak Excuses after Weak Security :: Mozilla's user a/c on Public Server

2010-12-29T05:09:00.000-08:00

now this year has been filled with loads of news related to user-data getting leaked from different websites... but it wasn't much disturbing as web-vulnerabilities in Facebook are well known and accepted as cons of the deal and neither 1.3m a/c details leaked from Gawker came as a shock (it was more of a Tweet-Flood)

but
On Dec-17-2010, Mozilla was reported about availability of its user-accounts (partially, which were used on addons.mozilla.org) over a public server.
They have projects like Firefox (super famous web-browser), NSS (one of the most famous libraries for developing secured client-server application), and more... if an organization like them do a mistake like this, oh yeah... hackers paradise

it's how they defend themselves...

database included 44,000 inactive accounts using older
but don't you think... even inactive users on a site deserve their privacy, and if they were inactive and not important then better purge the information pertaining to account... why keep it instead
md5-based password hashes
they don't use it now... for active users they support SHA-512 per-user-salt mechanism; now that's good
current addons.mozilla.org users and accounts are not at risk
so if I don't use Mozilla anymore... they wouldn't respect my a/c details anymore and still keep it... so that in future they could 'arrrrgh sorrry' me, brutally nice
incident did not impact any of Mozilla’s infrastructure
it was available on a public server and not a hacked-n-fetched... bravo
only outsider who accessed the data was the security researcher that reported the mistake to Mozilla
how are they so sure... if none else reported it doesn't mean that none else saw it, and it is not necessary that everyone accessing it will 'remain in' logs.

References:
http://blog.mozilla.com/security/2010/12/27/addons-mozilla-org-disclosure/
http://www.thetechherald.com/article.php/201052/6620/Mozilla-password-disclosure-a-non-event

bypass of user level restrictions, a case of bug in 'Scribd.com'

2010-12-21T00:59:00.000-08:00

http://www.youtube.com/watch?v=g-ETsFjRhqsFew weeks back, saw Scribd.com offering me to buy/upload something for downloading a Document uploaded on it. Second time when I opened some document, in another browser it shows disabled 'download', 'print', and 'mobile' option.

As I didn't get that Document to download, I didn't felt like reading it online also... so just thought why not try to download it and if I succeed, then I'll read it online.
And I read it online :)

So, here is a bug (which has now been fixed) in Scribd.com... that allowed users to get a local copy of documents which were devoid of download and print options.

It's how layered limitation can be broken, and why restrictions must be implemented root-level-up and not just as user-level module.

@YouTube: http://www.youtube.com/watch?v=g-ETsFjRhqs
How-To [ download the not-allowed ]
example: Bypass Scribd.com disabling Downloading/Print/Mobile on some links

Example Website Bug : a bug of Scribd.com (reported & got fixed) from aBionic@Vimeo

so, now you can either Print the document or create a PDF/image printing this document using softwares like PDFCreator.

only '.org' and '.net' domains under DNSSEC protection till now, WHAT ABOUT YOU

2010-12-17T05:08:00.000-08:00

Are you protected with DNSSEC:
[] in mid-2010, DNSSEC got deployed over 'root-DNS-server' and '.org' domain
[] on 10-Dec-2010, Verisign deployed DNSSEC in '.net' zone too
{securing more than 13million registrations online}
[] preparations are up to sign the '.com' zone in first quarter of 2011

Verisign has even launched a cloud based DNSSEC implementation service to ease its implementation in organisations.

Refer to http://www.securityweek.com/verisign-launches-new-dnssec-signing-service
For those who are not much familiar with DNSSEC, its a security layer standardized to be implemented over traditional DNS services... it will help the users counter DNS vulnerabilities exposed by researchers like 'Dan Kaminsky' including DNS poisoning attacks.
Refer to http://www.dnssec.net

Its implementation would require more processing power, bandwidth usage and more storage needs as it uses intensive encryption mechanism over all DNS traffic.

Though, I was surprised hearing initially of its implementation over root DNS server as its alterantive DNSCURVE (suggested by Dan Kaminsky) was conceptually better in security and easy on resources too. Don't know it was fair selection or just another political/community-biased decision.

=begin :footer

# waited about a week to have time doing this post in detail...

# but more delay would deny its usability... so its here

=end :footer

XSSed Orkut after Twitter after Facebook

2010-09-26T12:49:00.000-07:00

'Are you social?'
ohhh... let me rephrase it 'Are you net-social?'
yeah... then how much socially secure are you when the plain-text attacks are htting millions.

2 months back with Facebook
now almost treated as synonym of Social Networking, and more than 400 million active users... Facebook was exposed to be vulnerable of a XSS vulnerability instead of proper implementation of HTTPOnly cookie protection as that doesn't count for XSS. The PoC video is being linked below along with article.
Article: http://www.acunetix.com/blog/news/cross-site-scripting-xss-facebook/
Video: http://www.youtube.com/watch?v=iTddmr_JRYM&hl&fmt=22

Last Week with Twitter
the microblogging favorite of masses, and offering a newer promising UX... Twitter accidently resurfaced the XSS hole while site update procedure. Famous as 'onMouseOver' flaw simply injected the XSS code as tweet to execute the function on mouse hover event by victim
Article: http://blog.twitter.com/2010/09/all-about-onmouseover-incident.html

Previous Day with Orkut
previous day was a 'Good Saturday' (i.e. what 'Bom Sabado' means in Portugese) 'scrapping' off the privacy of Orkut Users. This attack is supposed to originate from Brazil and compromised enormous Orkut accounts in a span of few hours. The code with details can be viewed at the link below.
Article: http://antrix.net/posts/2007/orkut-xss/

Problem with IEEE 802.1x implementation's fallback option

2010-09-06T06:45:00.000-07:00

Problem with IEEE 802.1x implementation's fallback option
---------------------------------------------------------
I was just looking over some gyan for 802.1x implementation on Cisco's Portal.
They have a very nice guide over Phase Deployment Model for Identity Based Network Services.
While learning a bit, I saw mention of fallback option for IEEE 802.1x. Then I checked whether Juniper has it or not and it supports it too.

MAB i.e. MAC Authnetication Bypass porviding support for Legacy Devices (say Printers) which are not capable of IEEE 802.1x and hence require some other method of authentication.
And the method provided to them is adding the incapable device's MAC Address to a static (or even dynamic based on implementation) MAC list on 802.1x provider.

There goes the cocroach surviving Nuclear Attack. The super-strong 802.1x bypassed by a MAC ...are they really having faith on this, or have it implemented in super-man style. Though currently I can't think of any super-man for MAC Authentication. All I see is Sipper-Man :( sipping my security away.

Attacker just have to DUPLICATE allowed MAC, and enjoy the falling security.

Seriously, I'm afraid... if anyone know the manner of its implementation hidden to me till now, which makes it secure. Please, let me know asap.

If you want their support to make your environment vulnerable:
Cisco Support: http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/standalone_mab.html
Juniper Support: http://kb.juniper.net/KB11429

XSS Defeating PoC : if have any time for Experimentation

2010-09-06T02:54:00.000-07:00

It's still in experimental state, if you find some time please try it and let me know of your experience.

Video Demo of the same PoC: http://www.youtube.com/watch?v=ENiiAccY1v0

Project Base: http://sourceforge.net/downloads/sitehoster/v1.0beta%20RC1/

WhitePaper is also available at SourceForge link above

and at : http://www.slideshare.net/AbhishekKr/whitepaper-abktrick-to-subvert-xss

I was working on a XSS-Patch PoC, which I now feel works proper enough to prove its point.

This neither require Web-Developers for any Filtering/Validation, nor any javascript blocking add-on on user's browser.

I'm not good at explaining still I've tried to do that in the above linked WhitePaper.

And the ZIP file can be extracted, having 'StartDemo.bat' to be executed to start the server already patched with XSS Subverting Module.

Then browse, 'http://localhost/tweet.htm' in any browser... and it lets you Submit any text to Server w/o validation which is as it is saved there. But when retrieved on 'Read...' remains inactive for any

hrberry.com :: php flaw self-inviting DoS, leaked framework and server info [by, ABK]

2010-08-26T17:20:00.000-07:00

Posted@ https://sites.google.com/site/abklabs/home/secured/posts.xml

[]Patched:
Yes

[]Product Name:
http://www.hrberry.com
Payroll Helpdesk, serving several prestigious companies

[]Victim Name:
Ascent Consulting Services Pvt. Ltd.
[http://ascent-online.com]

[]Vuln Summary:
There were validation flaws for GET Request Parameters sent to CAPTCHA image generating PHP script on the Portal.
This allowed attacker to trick the app to generate any number of characters consuming processing power.
It had a timout after 30 seconds (too much) and generated error message with full PATH of PHP file.
Also worked on older un-patched version of OpenSSL.

to read detailed Description... click here

Rapid7's neXpose

2010-06-19T13:31:00.000-07:00

Rapid7's neXpose
http://www.rapid7.com/vulnerability-scanner.jsp

You can download the Community Edition of this famous and highly efficient Network Vulnerability Scanner by Rapid7.

[] NeXpose Community Edition provides users with:
> vulnerability scanning for up to 32 IPs at a time
   {limited, but for free it's nice}
> Regular vulnerability updates
   {everytime I start it, updates get checked}
> Accurate scan results
   {it gives real detailed analysis of flaws found}
> Prioritized risk assessment
   {though its priorities don't match mine most of times}
> Remediation guidance
   {yeah it's good, with required tweaks}
> Out-of-the box Metasploit integration
   {from the Metasploit v3.31 it can be fully integrated with NeXpose}
   Link: http://www.metasploit.com/redmine/projects/framework/wiki/NeXpose_Plugin
> Extensive community support at http://community.rapid7.com
   {it's so easy, you wouldn't require it}
> Simple deployment
   {if you can browse through a new website, you can use it}
> No cost start-up security solution
   {Community edition afterall}

on 18-Feb-2010 :: NetWitness reported 'Kneber Botnet' {CRITICAL}

2010-02-18T22:11:00.000-08:00

On 18-Feb-2010; NetWitness has reported of new malware 'Kneber botnet';

its a variant of Zeus and mainly target stealing Credentials, Key-logging, etc.

... has affected more than 2500 organizations;

... currently no IPS/IDS have adequate signatures detecting it.

... it can also act with other malwares, fav noticed is Waledac (a P2P Trojan)

[] A try to check if Machine is infected by a Kneber (Zeus Variant), is

        The registry key can be found by following this path, he said:

        HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit

        normally will have an entry like "C:\WINDOWS\system32\userinit.exe,"
        ZeuS will add itself to the list, typically as 'ntos.'
        But could always change its name; so if any un-relevant entries found here... may be machine is infected.

        If any more entries found, or suspicion is there scan the file listed here.

[] Its suggested to patch all latest MS10-* and Adobe releases on all the machines;
    and as always not open suspicious e-mails


[]NetWitness said that Kneber was primarily found on corporate and government computers, however home users are likely to attract the infestation as well.


[] more details @

*** http://www.netwitness.com/resources/pressreleases/feb182010.aspx ***

http://www.networkworld.com/news/2010/021810-kneber-botnet-faq.html?hpg1=bn

http://www.nytimes.com/2010/02/19/technology/19cyber.html?em

http://www.technewsworld.com/rsstory/69372.html

ABK SiteHoster -=[developing a HTTP Network Server to be secure at implementation]=-

2010-01-16T05:21:00.000-08:00

ABK SiteHoster

Sourceforge Link : http://sourceforge.net/projects/sitehoster/

Google Code Link : http://code.google.com/p/sitehoster/

Youtube Demo Link: http://www.youtube.com/watch?v=CogPa646vi8

Currently in it's BETA stage and can only serve URL as per HTTP v0.9, so not secure but basic WebServer

Actually developing it as a HTTP Network Server to be secure at its implementation, normally all WebServer present out there are vulnerable cuz they didn't implemented Security at their very core but as an extra sheild outside.
Here in this project I'll be aiming at making it secure from the core itself and making it self-secured by immunizing it from all kinds of Web-App attacks.

ABK SiteHoster is aLEHNS (a Lightweight Extensible HTTP Network Server). Developed in pure Java. Currently supports HTTP 0.9, easily delivering normal HTML oriented WebSites. Aiming to be a full-fledged WebSite Server with all Web Services.

n00bRAT -[Linux Remote Admin Tool]- (Use as Trojan to test your Firewall/IDS)

2009-12-12T08:01:00.000-08:00

n00bRAT -[Linux Remote Admin Tool]-

I am working on an open-source undetectable TuX.RAT project, currently in its Beta stage, released at Sourceforge at following link.
Give feedback of how to grow this project... what our geek community wants.

URL :: http://sourceforge.net/projects/n00brat/

::Description::
An undetectable Remote Administration Tool -OR- trojan, an all new approach. Easily usable, Client just requires any Web Browser to control remote machine via WebPage. Fooling firewalls/ids/ips security solutions, as it operates like any web-site.

::Usage::
* Remote Administration Tool for Linux/Unix (POSIX Based Machines)
* Can use it like a Trojan to test your Firewall / IDS / IPS

A Demo Video of Why This? What Code Is? How it Works?
http://www.youtube.com/watch?v=Jnx7nD0qU7M

Scareware / Ransomware [Know Ur Lingo]

2009-10-10T02:16:00.000-07:00

[Know Ur Lingo]

Scareware
are the rogue security softwares i.e. malicious softwares pretending to be security solutions working against viruses and worms. It pranks user to feel its need to make the machine secure against some attack or virus infection and gets installed.
Ransomware
are the malwares which hold the infected machine/service/data as hostage, and demand ransom for disinfecting the hostage. ;)

COUNTERMEASURES
if you think you have been infected by such malwares, or wanna minimize the risk of getting infected beforehand... you can use security solutions like
Microsoft Malicious Software Removal Tool : http://www.microsoft.com/security/malwareremove/default.aspx

Or you could get your file scanned by Kaspersky Free Online Virus Scan http://www.kaspersky.com/scanforvirus

ADS [ Alternate Data Stream ] : NTFS - The Dark Side

2009-09-06T20:44:00.000-07:00

ADS [ Alternate Data Stream ] : NTFS - The Dark Side

The feature of NTFS from WinNT v3.1 onwards which is very dangerous as can be used to hide files on your system even undetected from several Antivirus, and other Security Products.

This ADS can even be used to hide malicious files, so to counter such covert attacks one need to figure out the the unwanted files in ADS on their disk drives.

To hide files in ADS (say adsF.ext into ADS of mainF.ext), at command prompt
cmd:\> type adsF.ext > mainF.ext:adsFile.ext
Now to access it (say it opens in Notepad)
cmd:\> notepad mainF.ext:adsFile.ext

For this several professional tools can be used, like
HijackThis (from Trend Micro) : http://free.antivirus.com/
Lads (from Heysoft) : http://www.heysoft.de/en/software/lads.php?lang=EN
SFind (in Forensic Toolkit) : http://www.foundstone.com/us/resources/

Here we discuss how to use ADS to hide files... and how to secure yourself from files in ADS.

To get a live demo Video on this stuff watch the video below:
http://blip.tv/file/2565748
or
http://www.youtube.com/watch?v=h96meoDYWSg

Vulnerable Microsoft's Video ActiveX Control Allows Remote Access [ 0-day attacks]

2009-07-07T22:34:00.000-07:00

Vulnerable Microsoft's Video ActiveX Control Allows Remote Access [ 0-day attacks]

As made public on June 6'2009, Microsoft's Video ActiveX has Remote Code Exploit threat, where using a malformed web-page Remote code execution could be enabled on the target machine. Cybercriminals are using the vulnerability to install a data stealing trojan on target machine affecting Microsoft Directshow.

If the target user is using IE, then attacker could get local user rights using exploits by without any user-intervention. So, the CyberCriminal just need to pursue victim to view it's malformed web-page and the victim's machine gets compromised.

Microsoft states it is aware of the vulnerability and suggests Kill-bit MPEG2TuneRequest ActiveX Control Object (CLSID 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF) as the workaround to avoid the threat.
The defense it would provide is more than the minor side-effects it would cause.

To Avoid Threat
This kill-bit to avoid the threat can be automatically applied to your windows machine by "Microsoft Fix It" from online utility provided by Microsoft.com @ http://support.microsoft.com/kb/972890

Microsoft's Link : Enable The Fix || Workaround
Microsoft's Link : Disable The Fix || Workaround

Data 'bout Threat
Can be exploited via any kind of HTML document, a website or e-mail, etc. . This vulnerability is not a risk if you are using Windows Vista.

. 967 Chinese websites replorted to successive redirecting to finally download a JPG file containing the exploit, detected by Trend Micro as JS_DLOADER.BD., that downloads another malware detected as WORM_KILLAV.AI. This malware disables and terminates AV processes, and drops other malware on the affected system.

Detailed Info from Microsoft Security Advisory

First Firefox Malware : Trojans Stealing Passwords Typed in Firefox using Firefox Add-on Disguise

2009-07-03T20:53:00.000-07:00

First Firefox Malware : Trojans using Firefox Add-on Disguise
Roll your mouse over topics to expand them... :)
Information On Malware

Symptoms of Infection

List of Accounts mainly under attack

What To Do If Infected
__________________________________________________
Bitdefender released information on this threat naming it as Trojan.PWS.ChromeInject.A, which spawns with the execution of Firefox and poses as a Plug-in to it, mainly works on Key Banking... can get access to all your passwords entered in the Password boxes opened in Firefox Browser.

The ChromeInject suffix refers to the Chrome component Firefox has. This malware infects your machine via drive-by download or download duping.
Once installed on the machine it registers itself as a fake 'GreaseMonkey' (a great firefox add-on for website customization using javascripts), and using javascript checks your machine for mainly banking passwords of more than 100 sites (like PayPal, etc.).
All this sensitive data collected by it is then transferred online to a server supposed to be located in Russia.

So, don't stop using Greasemonkey... but make sure you download it from Mozilla.com, so that you don't fall pray to malware.
__________________________________________________

ATMs under Trojan Attack in Eastern Europe

2009-06-13T18:18:00.000-07:00

ATMs under Trojan Attack in Eastern Europe

security experts revealed a family of data-stealing trojans is infecting automatic teller machines in Eastern Europe over the past 18 months

It monitors transaction message queue for track 2 data stored on inserted cards. If it contains data belonging to a banking customer, it logs it, along with the PIN code that was entered.

The software works with Controller Cards... in its Primary Menu the main features it provide are
1. Print Collected Data
2. Restore logged files before malware infected the machine
3. Uninstallling the malware

there is a secomdary menu with main features as
1. Dispensing all Cash in ATM
2. Upload data to a chip on cotroller card

Conficker : one of most dreaded worm of 2008

2009-06-11T19:30:00.000-07:00

Conficker
(also known as Downup, Downadup and Kido)
targets Microsoft Windows operating system, first detected in November 2008.
Believed to be the largest computer worm infection since the 2003 SQL Slammer.

If got infected try it:
Microssoft's Live Online Scan
or
download and run this utility on your infected machine

Its Nature:
* Extracts all of its files to the %System% directory with random DLL file names, which can wreak havoc on your computer.
* Deletes the user's Restore Points.
* Registers a services called Netsvcs
* Creates scheduled tasks that execute all of the DLL files.
* Creates it's own simple HTTP server on the infected computer and spreads the worm to other computers in the network through file shares.
* Creates an Autorun.inf file in file shares to execute the warm files once the share is accessed by another computer.
* Connects to external sites to download additional files.

This exploits vulnerability called MS08-067 in Windows 2000, XP, and Server 2003.
Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability.

Click Image To Enlarge It

For Detailed Information : Click Here

Spreading:	very low
Damage:	very high
Size:	22kB
Discovered:	2008 Nov 28