Sunday, December 28, 2008

Wednesday, December 24, 2008

MIT students to help Boston secure subway fare system

Three MIT students who were sued by the Massachusetts Bay Transit Authority over their research into subway card vulnerabilities are now working with the transit authority to improve the fare collection system. Read more...

Tuesday, December 23, 2008

IMF Hacked

Another major international financial institution has had its computer system attacked by unknown cyber-hackers, FOX News has learned. Read more...

Monday, December 22, 2008

Hacking The Hill

How the Chinese -- or someone -- hacked into House of Representatives computers in 2006, and what it will take to keep out the next electronic invader. Read more...

Tuesday, December 16, 2008

Serious security flaw found in IE

"Users of Microsoft's Internet Explorer are being urged by experts to switch to a rival until a serious security flaw has been fixed." Read more...

Tools/Info: ICMP Types

ICMP TYPE NUMBERS

(last updated 2008-02-13)

Registries included below:
- ICMP Type Numbers
- Code Fields
- ICMP Extension Objects Classes


The Internet Control Message Protocol (ICMP) has many messages that
are identified by a "type" field.

Type  Name                      Reference
----  ------------------------  ---------
0     Echo Reply                [RFC792]
1     Unassigned                [JBP]
2     Unassigned                [JBP]
3     Destination Unreachable   [RFC792]
4     Source Quench             [RFC792]
5     Redirect                  [RFC792]
6     Alternate Host Address    [JBP]
7     Unassigned                [JBP]
8     Echo                      [RFC792]

The complete registry (all type numbers, the per-type code fields, and the extension object classes) is maintained by IANA.
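As an added example (not part of the IANA registry text above), here is a small Python decoder that reads the common 4-byte ICMP header, names the type using the table above, and verifies the RFC 1071 checksum; the helper build_icmp and all sample messages are constructed here for illustration.

```python
import struct

# ICMP type numbers assigned in the table above (1, 2 and 7 are unassigned).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 6: "Alternate Host Address", 8: "Echo"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type, code, rest, payload=b""):
    """Assemble an ICMP message with a valid checksum (for constructed test data)."""
    body = rest + payload
    csum = inet_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body

def parse_icmp(data: bytes) -> dict:
    """Decode the 4-byte common header, name the type, and verify the checksum.
    Truncated or corrupt messages are reported, not raised, so a monitor can
    count them instead of dying on the first malformed packet."""
    if len(data) < 8:   # every RFC 792 message carries at least 8 header bytes
        return {"error": "truncated ICMP message (%d bytes)" % len(data)}
    icmp_type, code, _ = struct.unpack("!BBH", data[:4])
    return {
        "type": icmp_type,
        "name": ICMP_TYPES.get(icmp_type, "Unassigned/unknown"),
        "code": code,
        # Summing the whole message, checksum field included, must give zero.
        "checksum_ok": inet_checksum(data) == 0,
    }
```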

Friday, December 12, 2008

McAfee Virtual Criminology Report

"First, cybercrime isn’t yet enough of a priority for governments around the world to allow the fight against it to make real headway worldwide. Added to that, the physical threat of terrorism and economic collapse is diverting political attention elsewhere. In contrast, cybercriminals are sharpening their focus. Recession is fertile ground for criminal activity as fraudsters clamour to capitalize on rising use of the Internet and the climate of fear and anxiety. Are we in danger of irrevocably damaging consumer trust and, in effect, limiting the chances of economic recovery?

Second, cross border law enforcement remains a long-standing hurdle to fighting cybercrime.
Local issues mean laws are difficult to enforce transnationally. Cybercriminals will therefore always retain the edge unless serious resources are allocated to international efforts.

Third, law enforcement at every level remains ad hoc and ill-equipped to cope. While there has been progress, there is still a significant lack of training and understanding in digital forensics and evidence collection as well as in the law courts around the world. The cyberkingpins remain at large while the minor mules are caught and brought to justice. Some governments are guilty of protecting their in-country offenders. The findings suggest there is an ever greater need to harmonize priorities and coordinate police forces across physical boundaries.

The report concludes with a look at suggested steps at both the local and international level to make the fight against cybercrime more effective."

Read the full report at http://www.mcafee.com/us/local_content/reports/mcafee_vcr_08.pdf

Tuesday, December 9, 2008

Tools: Nmap Book is Out

"After promising you a book on Nmap for years, I'm delighted to finally announce the release of Nmap Network Scanning! It contains everything I've learned about network scanning from more than a decade of Nmap development, plus some bad jokes and (over Time Warner's written objections) pictures of Trinity hacking the Matrix :)." - Fyodor


Order at Amazon.com now!!!

Monday, December 8, 2008

DNS Pharming Attacks Using Rogue DHCP

"Following Dan Kaminsky’s research on DNS insecurities, we saw attackers racing with their DNS servers to hijack network connections. It was only a matter of time before the bad guys decided that racing against DNS was not enough." Read more...

Hackers Hijacked Large E-Bill Payment Site

"Hackers on Tuesday hijacked the Web site CheckFree.com, one of the largest online bill payment companies, redirecting an unknown number of visitors to a Web address that tried to install malicious software on visitors' computers, the company said today." Read more...

Tuesday, December 2, 2008

Vietnamese security firm: Your face is easy to fake

"I've been impressed by this new way to log in and have found it to be so much more convenient than the fingerprint reader of my Dell XPS 1330. The finger scanner is a pain when my finger is wet or dirty. Unfortunately, on Tuesday I discovered that this new and exciting technology may not be such an effective security measure". Read more...

Apple is recommending that Mac users install antivirus software

"But don't read this as an admission that the Mac operating system is suddenly insecure. It's more a recognition that Mac users are vulnerable to Web application exploits, which have replaced operating system vulnerabilities as the bigger threat to computer users." Read more ...

Friday, November 28, 2008

Web Site Advisors

I've been using McAfee's SiteAdvisor and recently ran into Norton's Safe Web service. Both tools are pretty good: each analyzes Web sites and gives you information on how they will affect your computer.

Wednesday, November 26, 2008

More MS08-067 Exploits

"Early last week we blogged about MS08-067 exploits. At that time, the number of exploits in the wild was still low and they were mostly targeted attacks. However, during the weekend we started receiving customer reports for new malware that exploits this vulnerability. During the last two days that malware gained momentum and as a result we see an increased support call volume. The SHA1 hash of the malware is 0x5815B13044FC9248BF7C2DBA771F0E6496D9E536 and we detect it as Worm:Win32/Conficker.A." Technet.com

"At McAfee Avert Labs we have seen a few proof-of-concept binaries using the exploit code that was released into the wild to attack this Windows Server Service vulnerability; the latest is W32/Conficker.worm. According to the description in our Virus Information Library, W32/Conficker.worm decides how it will load itself as a Windows Service depending on whether the compromised version of Windows is Windows 2000." Avert Labs

Why going nuclear on thumbdrives won't win the cyber war

"Last week, the Pentagon confirmed that Defense Department networks were under attack by a computer worm. "We are aware of a global virus for which there are some public alerts, and we've seen some of these on our networks, and we are taking steps to identify and mitigate the virus," Pentagon spokesman Brian Whitman said in a statement on Nov. 21." Read more...

Friday, November 21, 2008

Tips: TCPDump

TCPDump prints out the headers of packets on a network interface that match a boolean expression. With the -w option it saves the raw packet data to a file for later analysis; give the file a .pcap extension so it can be opened in Wireshark or another packet-sniffing program.

TCPDUMP.org

Example: tcpdump -i eth1 -XxvvnneS host 192.168.1.1 -w host_168.1.1.pcap

Note that -w writes the raw packets to the file instead of decoding them to the screen, so the display options (-X, -x, -vv, -e, -S) only take effect when you print to the terminal or later read the capture back with tcpdump -r.

-i followed by the sniffing interface name (eth0, eth1, etc.)
-X when printing in hex, print ascii too
-x Print each packet in hex
-vv even more verbose output
-nn do not resolve host name and port service
-e Print the link-level header on each dump line
-S Print absolute, rather than relative, TCP sequence numbers


A few tips from TaoSecurity...


Understanding Tcpdump's -d Option, Part 2

In September I referenced a post by libpcap guru Guy Harris explaining output from Tcpdump's -d switch. After looking at the original 1992 BSD Packet Filter (.pdf) paper and the subsequent 1999 BPF+ (.ps) paper, I understand the syntax for the compiled packet-matching code generated by the tcpdump -d switch. For example:

fedorov:/usr/local/etc/nsm# tcpdump -n -i em1 -d tcp
tcpdump: WARNING: em1: no IPv4 address assigned
(000) ldh      [12]
(001) jeq      #0x86dd          jt 2    jf 4
(002) ldb      [20]
(003) jeq      #0x6             jt 7    jf 8
(004) jeq      #0x800           jt 5    jf 8
(005) ldb      [23]
(006) jeq      #0x6             jt 7    jf 8
(007) ret      #96
(008) ret      #0


Here is what each instruction means:

  • 000 says load (using 'ldh') the "half word" or two bytes starting at offset 12 of the Ethernet header. Since we begin counting at 0, bytes 0 to 5 are the destination MAC address and bytes 6 to 11 are the source MAC address. The name of the two bytes beginning at offset 12 differs according to the Ethernet format used.

  • 001 compares the two bytes loaded in 000 with the value 0x86dd. That is the Ethertype of IPv6. A comparison is made (using 'jeq'); if equality is true, jump ('jt') to instruction 002. If false, jump ('jf') to 004.

  • 002 loads the byte found at offset 20. If we are evaluating this instruction we are in an IPv6 header. Offset 20 holds the "next header" value.

  • 003 compares the byte loaded in 002 with the value 0x6. This is the IP protocol code for TCP. A comparison is made (using 'jeq'); if equality is true, jump ('jt') to instruction 007. If false, jump ('jf') to 008.

  • 004 compares the byte loaded in 000 with the value 0x800. That is the Ethertype of IPv4. A comparison is made (using 'jeq'); if equality is true, jump ('jt') to instruction 005. If false, jump ('jf') to 008.

  • 005 loads the byte found at offset 23. If we are evaluating this instruction we are in an IPv4 header. Offset 20 holds the "protocol" value for the protocol following the IP header.

  • 006 compares the byte loaded in 005 with the value 0x6. That is the protocol value for TCP. A comparison is made (using 'jeq'); if equality is true, jump ('jt') to instruction 007. If false, jump ('jf') to 008.

  • 007 is the equivalent of "TRUE", meaning that the indicated number of bytes (96) of packet data will be copied to the calling application (in this case, Tcpdump). You reach this point if the packet being inspected is TCP, either using IPv4 or IPv6.

  • 008 is the equivalent of "FALSE", meaning zero bytes of packet data will be copied to the application. You reach this point if the packet being inspected is not TCP.


Understanding this syntax is a way to troubleshoot BPFs that don't behave as you expect. You can run 'tcpdump -d' and inspect the code as explained above to see if it performs as you want.

For those of you wanting a definition of a packet filter, here is what I've come up with based on the original paper, The Packet Filter: An Efficient Mechanism for User-level Network Code (.pdf): a packet filter is a kernel-resident packet demultiplexer that provides a way for userland processes to tell the kernel what packets they want. For more detail, I recommend reading the three papers mentioned in this story. Guy Harris also posted a message to tcpdump-workers explaining BPF.
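To watch the compiled program above actually run, here is an added Python interpreter for the four opcodes it uses (ldh, ldb, jeq, ret); it is not code from the TaoSecurity post or from tcpdump. Jump targets are taken as absolute instruction numbers, as tcpdump -d prints them, and the frames are constructed minimal Ethernet/IP headers (frame byte 23 is the IPv4 Protocol field, frame byte 20 the IPv6 Next Header field).

```python
# The program tcpdump printed above, as (opcode, operand, jt, jf) tuples.
TCP_FILTER = [
    ("ldh", 12, None, None),   # 000: A = Ethertype (frame bytes 12-13)
    ("jeq", 0x86DD, 2, 4),     # 001: IPv6?
    ("ldb", 20, None, None),   # 002: A = IPv6 Next Header (frame byte 20)
    ("jeq", 0x6, 7, 8),        # 003: TCP?
    ("jeq", 0x800, 5, 8),      # 004: IPv4?
    ("ldb", 23, None, None),   # 005: A = IPv4 Protocol (frame byte 23)
    ("jeq", 0x6, 7, 8),        # 006: TCP?
    ("ret", 96, None, None),   # 007: accept, hand 96 bytes to tcpdump
    ("ret", 0, None, None),    # 008: reject
]

def run_bpf(program, pkt: bytes) -> int:
    """Execute the ldh/ldb/jeq/ret subset of classic BPF on one frame.
    Returns the byte count to pass to the application (0 = drop). A load
    that reaches past the end of the frame drops the packet, as the kernel does."""
    acc = pc = 0
    while pc < len(program):
        op, k, jt, jf = program[pc]
        if op == "ldh":                      # load half-word (16 bits, big-endian)
            if k + 2 > len(pkt):
                return 0
            acc = (pkt[k] << 8) | pkt[k + 1]
            pc += 1
        elif op == "ldb":                    # load one byte
            if k >= len(pkt):
                return 0
            acc = pkt[k]
            pc += 1
        elif op == "jeq":                    # jump to jt if A == k, else to jf
            pc = jt if acc == k else jf
        elif op == "ret":
            return k
        else:
            raise ValueError("unsupported opcode: %s" % op)
    return 0

def frame(ethertype: int, proto: int) -> bytes:
    """Constructed Ethernet frame: zeroed MACs, the given Ethertype, minimal IP header."""
    eth = b"\x00" * 12 + ethertype.to_bytes(2, "big")
    if ethertype == 0x0800:      # IPv4: Protocol is byte 9 of the IP header
        ip = bytearray(20)
        ip[0], ip[9] = 0x45, proto
    else:                        # IPv6: Next Header is byte 6 of the IP header
        ip = bytearray(40)
        ip[0], ip[6] = 0x60, proto
    return eth + bytes(ip)
```

Feeding run_bpf a frame for each case (IPv4 TCP, IPv6 TCP, IPv4 UDP, ARP, a truncated frame) shows exactly which instruction path the filter takes before returning 96 or 0.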

Tools: PsExec

PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. Download now...

Tools: Process Explorer

Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded. Download now...

Sunday, November 16, 2008

The future of fighting fraud

In the days when all hacking was done via a fixed phone line, the first skill a novice learnt was how to get free calls. Without that their exciting new hobby was likely to prove too expensive. Read more...

Protect Yourself from Fake Anti-Virus Software

Be aware of fake anti-virus/rogue applications. These rogue applications, or scareware, look like the real thing; if you do not pay close attention to banners and pop-up ads, your PC can easily be infected. Below are some links from F-Secure and ScamBusters.

http://www.f-secure.com/weblog/archives/00001508.html

http://www.scambusters.org/fakeantivirus.html

Thursday, November 6, 2008

Yahoo for Sale!

After rejecting Microsoft's offer last May, CEO Jerry Yang is willing to sell the company. "To this day the best thing for Microsoft to do is buy Yahoo," according to Mr Yang. Furthermore, Google pulled out of an internet advertising partnership with Yahoo. Read more...

Tuesday, November 4, 2008

Tips: Linux: Yum

* Update all packages on your system - yum update
* Update an individual package - yum update mysql
* Install a package - yum install mysql
* Search for an available package - yum search mysql
* Remove a package - yum remove mysql
* Yum cleanup command - yum clean all (this command removes old packages that your system is no longer using and also clears cached files that are no longer in use).

Installation example for ClamAV:

# yum install clamav
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
core 100% |=========================| 1.1 kB 00:00
updates 100% |=========================| 1.2 kB 00:00
extras 100% |=========================| 1.1 kB 00:00
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for clamav to pack into transaction set.
clamav-0.88.7-4.fc6.i386. 100% |=========================| 20 kB 00:00

Saturday, November 1, 2008

Trojan virus steals banking info

The details of about 500,000 online bank accounts and credit and debit cards have been stolen by a virus described as "one of the most advanced pieces of crimeware ever created". Read more...

Wednesday, October 29, 2008

OpenOffice 3

For those of you who love or use OpenOffice, version 3 is now available. Download now!

Tuesday, October 28, 2008

Google Settles Book-Scanning Lawsuit

Google will pay at least $45 million, at $60 a book, to copyright holders! Read more...

TSA tests PDA, cell-based electronic boarding passes

Domestic airline travelers soon will be able to flash electronic boarding passes from their cell phones, BlackBerries and other devices at U.S. airports under a program being tested by the Transportation Security Administration. Read more...

Wednesday, October 22, 2008

Loudoun library goes live with countywide wiki

"The site has a list of topic areas for contributions, such as education, day care resources, sports and recreation, health and government information." Loudounpedia

Tuesday, October 21, 2008

Who is the SPAM KING?

Dan Tynan (PCWORLD) has an article that will give you the top spammers and their profiles. He also included their alias, current status, and spam royalty ranks. Read more and decide who is the Spam King....

Monday, October 20, 2008

Cybercriminals steal money from French president's personal bank account

"According to reports, 'small sums' are said to have been taken from the French President's bank account after the fraudsters gained access to Sarkozy's online passwords". Read more

Storm Worm is Dead?

Storm worm appears to have died off per Washington Post. Read more

Thursday, October 16, 2008

OISF Receives Funding for Open Source Next Generation IDS/IPS

Great news!! The OISF has been chartered and funded to build a next-generation intrusion detection and prevention engine. Read more...

Tuesday, October 14, 2008

World Bank Servers Have Been Attacked a Half-Dozen Times in the Last Year

"The World Bank Group's computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year." Read more...

Thursday, October 9, 2008

Serious Computer Theft

"Victor Papagno pleaded guilty in federal court today to stealing items worth over $120K in a period between 1997 and 2007 to benefit Papagno and his friends from the U.S. Naval Research Laboratory in Washington, DC." Read more about it.

Tuesday, October 7, 2008

Independent AV Testing Latest Results

An independent testing body has released the results of its tests of major anti-virus products. Find out more.

Fast-Flux Botnet Observations

"Botnets themselves provide a rich platform for financial gain for the botnet master, the use of the infected hosts as webservers can provide an additional botnet use."

http://honeyblog.org/junkyard/paper/fastflux-malware08.pdf