++codemasters

Defcon 18, best of White/Gray/Black Hat security papers :)

c0demasters — Wed, 16 Feb 2011 17:25:44 +0000

Here is a small article with some links of white/gray/black-papers from Defcon 18..

0×01) Scada and ICS for Security Experts: How to Avoid Cyberdouchery http://www.defcon.org/images/defcon-18/dc-18-presentations/Arlen/DEFCON-18-Arlen-SCADA-Cyberdouchery.pdf

0×02) Non-Executable Stack ARM Exploitation http://www.defcon.org/images/defcon-18/dc-18-presentations/Avraham/DEFCON-18-Avraham-Modern%20ARM-Exploitation-WP.pdf

0×03) Exploiting SCADA Systems http://www.defcon.org/images/defcon-18/dc-18-presentations/JBrown/DEFCON-18-Brown-SCADA.pdf

0×04) Function Hooking for OSX and Linux http://www.defcon.org/images/defcon-18/dc-18-presentations/Damato/DEFCON-18-Damato-Function-Hooking.pdf

0×05) Exploiting Internet Surveillance Systems http://www.defcon.org/images/defcon-18/dc-18-presentations/Decius/DEFCON-18-Decius-Exploiting-Internet-Surveillance-Systems.pdf

0×06) Katana – Portable Multi-Boot Security Suite http://www.defcon.org/images/defcon-18/dc-18-presentations/Dunning/DEFCON-18-Dunning-Katana.pdf

0×07) Hacking and protecting Oracle Database Vault http://www.defcon.org/images/defcon-18/dc-18-presentations/Martinez-Fayo/DEFCON-18-Martinez-Fayo-Oracle-Database-Vault.pdf

0×08) Mastering the Nmap Scripting Engine http://www.defcon.org/images/defcon-18/dc-18-presentations/Fyodor-Fifield/DEFCON-18-Fyodor-Fifield-NMAP.pdf

For more about Defcon, you can visit the official site: http://www.defcon.org/

SourceForge.net Attack: Full Report

c0demasters — Wed, 02 Feb 2011 12:28:00 +0000

As we’ve previously announced, SourceForge.net has been the target of a directed attack. We have completed the first round of analysis, and have a much more solid picture of what happened, the extent of the impact, our plan to reduce future risk of attack. We’re still working hard on fixing things, but we wanted to share what we know with the community.

We discovered the attack on Wednesday, and have been working hard to get things back in order since then. While several boxes were compromised we believe we caught things before the attack escalated beyond its first stages.

Our early assessment of which services and hosts were impacted, and the choice to disable CVS, ishell, file uploads, and project web updates appears to have prevented any further escalation of the attack or any data corruption activities.

We expect to continue work on validating data through the weekend, and begin restoring services early next week. There is a lot of data to be validated and these tests will take some time to run. We’ll provide more timeline information as we have more information.

We recognize that we could get services back online faster if we cut corners on data validtion. We know downtime causes serious inconveniences for some of you. But given the negative consequences of corrupted data, we feel it’s vital to take the time to validate everything that could potentially have been touched.

Attack Description

The general course of the attack was pretty standard. There was a root privilege escalation on one of our platforms which permitted exposure of credentials that were then used to access machines with externally-facing SSH. Our network partitioning prevented escalation to other zones of our network.

This is the point where we found the attack, locked down servers, and began work on analysis and response.

Immediate Response

Our first action response included many of the standard steps:

* analysis of the attack and log files on the compromised servers
* methodically checking all other services and servers for exploits
* further network lockdown and updating of server credentials

Service shutdown

Once we knew the attack was present, we locked down the impacted hosts, so that we could reduce the risk of escalation, from those servers to other hosts, and prevent possible data gathering activities.

This strategy resulted in service downtime for:

* CVS Hosting
* ViewVC
* New Release upload capability
* ProjectWeb/shell

Password invalidation

Our analysis uncovered (among other things) a hacked SSH daemon, which was modified to do password capture. We don’t have reason to the attacker was successful in collecting passwords. But, the presence of this daemon and server level access to one-way hashed, and encrypted, password data led us to take the precautionary measure of invalidating all SourceForge user account passwords. Users have been asked to recover account access by email.

Data Validation

It’s better to be safe than sorry, so we’ve decided to perform a comprehensive validation of project data from file releases, to SCM commits. We will compare data agains pre-attack backups, and will identify changed and added. We will review that data, and will will also refer anything suspicious to individual project teams for further assessment as needed.

The validation work is a precaution, because while we don’t have evidence of any data tampering, we’d much prefer to burn a bunch of CPU cycles verifying everything than to discover later that some extra special trickery lead to some undetected badness.

Service Restoration

Now that most of the analysis is done, we’ve started the next stage of our efforts, which includes the obvious work of restoring compromised boxes from bare metal, and implementing a number of new controls to reduce likelihood of future attack.

We will of course also be updating the credentials which reside on these hosts and performed quite a few steps to further lock down access to these machines.

We are in process of bringing services back one by one, as data validation is completed, and we get the newly configured hosts online. We expect that data validation will progress through the weekend, and we’ll really start getting swinging on service restoration early next week.

File Release Services

Many folks have suggested that the most likely motivation for an attack against sourceforge would be to corrupt project releases.

We’ve found no evidence of this, but are taking extrodinary care to make sure that we don’t somehow distribute corrupted release files.

We are performing validation of data against stored hashes, backups, and additional data copies.

We expect to restore these services first, as soon as data validation is completed.

Project Web

One attack vector that impacts our services directly is the shared project web space. So, let’s talk about that in a bit more detail.

Sourceforge.net has been around a long time, and security decisions made a decade ago are now being reassessed. In most cases past decisions were made around the general principle that we trust open source developers to work together, play nice, and generally do the right thing. Services were rolled out based on widespread trust for the developer community. And that philosophy served us well.

But in the years since then, we’ve evolved from hundreds of sf.net users to millions, and in many cases it’s time to re-asses the balance between widespread trust and security. Project Web is a prime example of this, and we’ve been working at a deliberate pace to isolate project web space, and have begun rolling out the new “secure project web” service to many of our projects.

This new secure project web includes a new security model that moves us away from shared hosting while preserving the scalability we need for mass hosting.

Because of this attack we’ll be accelerating the rollout of Secure Project Web services as part of the process of bringing the project web service back online. This will allow us to provide both improved functionality, and better secruity.

CVS

CVS service is one of SourceForge.net’s oldest services and, due to limitations in CVS itself, cannot readily live on our scalable network storage solution. Validation of this data is going to require several days and we anticipate that this service will be restored sometime in the later part of week.

We are also considering the end-of-life of the CVS service and hope to have user support in migrating CVS users to Subversion in coming months. Subversion generally provides parity to CVS commands, and many of our users have made this transition successfully in the past.

From SVN, projects can move to Git if desired.

Looking forward

We are very much committed to the ongoing process of improving our security, and we will continue making behind the scenes improvements to our infrastructure on a regular basis. This isn’t a one time event, it’s a process, and we’re going to stay fully engaged over the long term.

I’d like to end with a more personal note, I’ve been working with our Ops team a lot this week, and I think we can all say that the patience and support that we’ve received from the community has been the best part of a very bad week.

Thanks again for all the support and encouragement.

source: http://sourceforge.net/blog/sourceforge-attack-full-report/

Hackers sell access to military and government academic websites

c0demasters — Mon, 24 Jan 2011 20:25:38 +0000

Dozens of military, government and education websites have been hacked and are up for sale, according to researchers from Imperva’s Hacker Intelligence Initiative (HII). The firm’s HII – hacker intelligence initiative – has unearthed evidence that dozens of sites are up for sale, including defence and state sites in the US and Europe.

According to a team led by Noa Bar Yosef, Imperva’s senior security strategist, high-profile sites such as the official Italian government website (http://itcgcesaro.gov.it), the Department of Defense Pharmacoeconomic centre (http://pec.ha.osd.mil/) and even the US Army, Communications-Electronics Command (CECOM) (http://cecom.army.mil ) are available.

In a security blog posting, Rob Rachwald of Imperva says that the hacker has put up a range of sites for anything between $55 and $499.

Imperva’s research team also claims to have discovered that the hacker was also offering personal information from the hacked websites at $20 per 1000 records.

“ The hacker is also selling info personally identifiable information from hacked sites, for $20 per 1K records”, says the blog, citing an example of “ a list of UConn staff”.

Imperva’s post is complete with screenshots, which the hacker claims as a proof of access.

According to Rachwald, the victim sites’ vulnerabilities were probably obtained by an SQL injection vulnerability automatic scanner and exploited in automated manner, as the hacker published his methods in a post in some hacker forum.

“ In the screen shot [here] we can see IRC chat between the SQLi “ master” = @evil which issues the scanning commands and the exploiting “ x0owner” which performs the commands”, says the Imperva blog.

“ In this specific case @evil issues command for to x0wner to obtain DB tables names (!tbls) from vulnerable link (www.site.gr/athlete.php?id=…) x0wner reports its findings – the tables ‘activities’,'admin’,” the blog notes.

Security researcher Brian Krebs picked up Imperva’s research over the weekend, detailing a lot of the site information that Rachwald chose to block out in his blog.

In his security blog, Krebs said that he finds it ironic that one of these sites allegedly for sale is the Department of Defense Pharmacoeconomic Center, which is a DoD site tasked with ‘improving the clinical, economic, and humanistic outcomes of drug therapy in support of the military health system’.

“ In all likelihood, if access to this site is purchased, it will be by someone looking to plant links to rogue online pharmacies of the sort frequently advertised in junk e-mail”, said Krebs.

“ People who get paid to promote these rogue pharmacies typically do so by hacking legitimate websites and including links back to fly-by-night pharma sites, and they particularly like dot-mil, dot-gov and dot-edu sites because search engines tend to treat links coming from those domains with more authority than random .com sites”, he added.

Krebs also noted that the ‘Undetected Private Java Driveby Exploit’ that the hacker is selling is “ none other than the social engineering trick I blogged about last week.”

Microsoft releases free secure development tool

c0demasters — Sun, 23 Jan 2011 16:22:52 +0000

Microsoft on Monday announced the free availability of a new software verification tool designed for coders, as well as IT professionals.

Announced at this week’s Black Hat conference in Washington, D.C., the tool, called Attack Surface Analyzer, helps determine when poorly designed applications widen the attack surface of a Windows system.

The tool is used to “ highlight the changes in system state, run-time parameters and securable objects on the Windows operating system,” according to a Security Development Lifecycle blog post. It identifies altered or new files, registry keys, services, ActiveX controls, listening ports, access control lists and other components that could increase an attack surface.

“ The tool takes snapshots of an organization’s system and compares these to identify changes,” the post said, citing a product description. “ [It] does not analyze a system based on signatures or known vulnerabilities; instead, it looks for classes of security weaknesses as applications are installed on the Windows operating system.”

The tool also produces a report detailing the changes that a particular application may have made to a system.

The Attack Surface Analyzer can be downloaded here.

Source: http://www.scmagazineus.com/microsoft-releases-free-secure-development-tool/article/194470/

IT director gets jail term for hacking former employer’s site

c0demasters — Mon, 01 Nov 2010 10:34:11 +0000

IDG News Service – A man fired as IT director for a Richmond, Virginia, seller of telecom equipment has been sentenced to 27 months in prison for hacking into his former employer’s website and deleting files, the U.S. Department of Justice said.

Darnell Albert-El, 53, pleaded guilty to one count of intentionally damaging a protected computer without authorization on June 29. He was sentenced Friday in U.S. District Court for the Eastern District of Virginia and, in addition to the prison time, ordered to pay US$6,700 in restitution to Trans Marx, which sells discounted telecom equipment and supplies.

Albert-El, of Richmond, worked at Trans Marx from February to June 2008, according to court documents. Before he was fired, Albert-El had access to the Trans Marx computer network, including the company website hosted in Georgia, the DOJ said.

On July 25, Albert-El used a personal computer and an administrator account to access the computer hosting the company’s website, and he deleted about 1,000 files related to the Trans Marx website, the DOJ said.

In his plea agreement and an earlier interview with U.S. Federal Bureau of Investigation agents, Albert-El said he deleted the files because he was angry about being fired, the DOJ said.

Albert-El later told Trans Marx employees where backup tapes were located and offered to assist them in restoring the files, said his lawyer, Mary Maguire, while arguing in court documents for a lenient sentence.

Source: http://www.computerworld.com/s/article/9194027/IT_director_gets_jail_term_for_hacking_former_employer_s_site

Adobe warns of 0-day hole in Flash Player

c0demasters — Tue, 14 Sep 2010 00:42:48 +0000

Adobe Systems on Monday warned of a 0-day hole in Flash Player that reportedly is being exploited in the wild and could allow an attacker to take control of a computer.

The critical vulnerability affects Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Mac, Linux, Solaris, and Android. It also affects Adobe Reader 9.3.4 and earlier version for Windows, Mac, and Unix and Adobe Acrobat 9.3.4 and earlier versions for Windows and Mac. Adobe is not aware of any attacks exploiting the hole against Adobe Reader or Acrobat, the company said in its security advisory.

Adobe is finalizing a fix for the hole and expects to provide an update for Flash Player for Windows, Mac, Solaris, and Android during the week of September 27, the advisory said. Updates for Adobe Reader are expected during the week of October 4.

Adobe is moving up the date of its next quarterly security update for Adobe Reader and Acrobat and will also release a patch the week of October 4 for a critical zero-day hole in Adobe Reader and Acrobat that was disclosed last week and is being exploited in attacks on. As a result, there will be no updates on October 12, which was the next scheduled quarterly release date.

In the meantime, Microsoft has a tool that can help block the attacks on Adobe Reader and Acrobat on Windows machines.

Source: InSecurity Complex

Microsoft Releases Advisory On XP Help Vulnerability

c0demasters — Tue, 15 Jun 2010 15:20:32 +0000

Microsoft has released a formal security advisory for the vulnerability disclosed today in the Windows XP and Windows Server 2003 help systems.

The first link downloads an .MSI file which runs a very short wizard. Tell it to proceed and then it’s done and you get an option to tell them what you think of it. The second link runs a different .MSI which undoes the fix. Note this link, because after the patch is available and you apply it you’ll want to run the undo Fix it so that you can use your help system again.

Using these links is a far better option than manual registry hacking. Windows XP users, start Fix iting.

Bugs in Help System Makes Windows XP Vulnerable From Web

c0demasters — Fri, 11 Jun 2010 11:09:56 +0000

This morning Tavis Ormandy, a security researcher for Google, posted a vulnerability report to the Full-Disclosure mailing list detailing a vulnerability in Windows XP and, as it turns out, Windows Server 2003. Later versions of Windows are unaffected.

The flaw is in the Help and Support Center, a relic of the time when Microsoft was trying to make everything on the computer a browser app. Help, Control Panel, Windows Update and other components were browser or browser-like apps. In order to access remote help, the Help and Support Center supports remote links to help using hcp:// addresses. Windows XP SP2 introduced a model whereby the program, when run with the /fromhcp parameter, runs in a special restricted mode where only links from addresses on a special whitelist can have privileged access. Ormandy’s vulnerability is a an implementation error which allows bypass of the whitelist. Read the FD posting if you want all the gory details, but the end result is arbitrary code execution from links on the web. Ormandy notified Microsoft about this bug on June 5, the Saturday before this last Patch Tuesday.

This afternoon the Microsoft Security Response Center responded with a blog entry. They criticize Ormandy for releasing the information without giving them a fair chance to evaluate it and then provide a registry hack to remove all hcp support. This blocks the vulnerability as well as useful hcp links, such as those in the Control Panel.

Ormandy also created an unofficial hotfix of his own and linked to it from his posting. A Secunia analysis of the issue claims that the hotfix does not sufficiently address the problem.

If you run Windows XP (and that’s your first mistake) you will be much better off following Microsoft’s registry mitigation technique, although I think you could probably get away with renaming the key rather than deleting it. This should make it easier to undo when the patch is available.

Ormandy posted the vulnerability report using his personal e-mail and probably considers that he is acting here in a private capacity, but don’t expect Microsoft to see it that way. Microsoft’s initial report on the bug refers to Ormandy as “ a Google security researcher” and the tweet announcing it says “ Information on the Windows Help vulnerability disclosed by Google.” People can have reasonable disagreements about the limits of full disclosure vs. “ responsible” disclosure, but I doubt Google would take kindly to a Microsoft researcher blind-siding them like this. For Ormandy to expect turnaround like this during a heavy Patch Tuesday is not reasonable. In fact, even Ormandy may be reconsidering the wisdom of his move.

Source from Here

The all truth about programmers… with a little python :)

c0demasters — Wed, 21 Apr 2010 17:19:05 +0000

#Newbie programmer
def factorial(x):
    if x == 0:
        return 1
    else:
        return x * factorial(x - 1)
print factorial(6)

#First year programmer, studied Pascal
def factorial(x):
    result = 1
    i = 2
    while i <= x:
        result = result * i
        i = i + 1
    return result
print factorial(6)

#First year programmer, studied C
def fact(x): #{
    result = i = 1;
    while (i <= x): #{
        result *= i;
        i += 1;
    #}
    return result;
#}
print(fact(6))

#First year programmer, SICP
@tailcall
def fact(x, acc=1):
    if (x > 1): return (fact((x - 1), (acc * x)))
    else:       return acc
print(fact(6))

#First year programmer, Python
def Factorial(x):
    res = 1
    for i in xrange(2, x + 1):
        res *= i
    return res
print Factorial(6)

#Lazy Python programmer
def fact(x):
    return x > 1 and x * fact(x - 1) or 1
print fact(6)

#Lazier Python programmer
f = lambda x: x and x * f(x - 1) or 1
print f(6)

#Python expert programmer
fact = lambda x: reduce(int.__mul__, xrange(2, x + 1), 1)
print fact(6)

#Python hacker
import sys
@tailcall
def fact(x, acc=1):
    if x: return fact(x.__sub__(1), acc.__mul__(x))
    return acc
sys.stdout.write(str(fact(6)) + '\n')

#EXPERT PROGRAMMER
from c_math import fact
print fact(6)

#BRITISH EXPERT PROGRAMMER
from c_maths import fact
print fact(6)

#Web designer
def factorial(x):
    #-------------------------------------------------
    #--- Code snippet from The Math Vault          ---
    #--- Calculate factorial (C) Arthur Smith 1999 ---
    #-------------------------------------------------
    result = str(1)
    i = 1 #Thanks Adam
    while i <= x:
        #result = result * i  #It's faster to use *=
        #result = str(result * result + i)
           #result = int(result *= i) #??????
        result = str(int(result) * i)
        #result = int(str(result) * i)
        i = i + 1
    return result
print factorial(6)

#Unix programmer
import os
def fact(x):
    os.system('factorial ' + str(x))
fact(6)

#Windows programmer
NULL = None
def CalculateAndPrintFactorialEx(dwNumber,
                                 hOutputDevice,
                                 lpLparam,
                                 lpWparam,
                                 lpsscSecurity,
                                 *dwReserved):
    if lpsscSecurity != NULL:
        return NULL #Not implemented
    dwResult = dwCounter = 1
    while dwCounter <= dwNumber:
        dwResult *= dwCounter
        dwCounter += 1
    hOutputDevice.write(str(dwResult))
    hOutputDevice.write('\n')
    return 1
import sys
CalculateAndPrintFactorialEx(6, sys.stdout, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL)

#Enterprise programmer
def new(cls, *args, **kwargs):
    return cls(*args, **kwargs)

class Number(object):
    pass

class IntegralNumber(int, Number):
    def toInt(self):
        return new (int, self)

class InternalBase(object):
    def __init__(self, base):
        self.base = base.toInt()

    def getBase(self):
        return new (IntegralNumber, self.base)

class MathematicsSystem(object):
    def __init__(self, ibase):
        Abstract

    @classmethod
    def getInstance(cls, ibase):
        try:
            cls.__instance
        except AttributeError:
            cls.__instance = new (cls, ibase)
        return cls.__instance

class StandardMathematicsSystem(MathematicsSystem):
    def __init__(self, ibase):
        if ibase.getBase() != new (IntegralNumber, 2):
            raise NotImplementedError
        self.base = ibase.getBase()

    def calculateFactorial(self, target):
        result = new (IntegralNumber, 1)
        i = new (IntegralNumber, 2)
        while i <= target:
            result = result * i
            i = i + new (IntegralNumber, 1)
        return result

print StandardMathematicsSystem.getInstance(new (InternalBase, new (IntegralNumber, 2))).calculateFactorial(new (IntegralNumber, 6))

Κάτι που όλοι πρέπει να έχουν….

c0demasters — Mon, 19 Apr 2010 08:47:13 +0000

Αυτό το link πιστεύω ότι όλοι πρέπει να το έχουν.. είναι κάπως παλιό αλλά τώρα το βρήκα στα αρχεία μου και είπα να το προσθέσω και εδώ..

http://www.phenoelit-us.org/dpl/dpl.html

Έχει λίστα με default passwords! Use it as you think better