Comment Re:Credibility anyone? (Score 1) 92
+1. I've been through this exact same thing with Paypal.
Submission + - Openwall Linux 3.0: no SUIDs, anti log spoofing (openwall.com) 2
solardiz writes: Openwall GNU/*/Linux (or Owl for short) version 3.0 is out, marking 10 years of the project. Owl is a small security-enhanced Linux distro for servers, appliances, and virtual appliances. Two curious properties of Owl 3.0: no SUID programs in default install (yet the system is usable, including password changing) and logging of who sends messages to syslog (thus, a user can't have a log message appear to come, say, from the kernel or sshd). No other distro has these. Other highlights of Owl 3.0: single live+install+source CD, i686 or x86_64, integrated OpenVZ (host and/or guest), "make iso" & "make vztemplate" in included build environment, ext4 by default, xz in tar/rpm/less, "anti-Debian" key blacklisting in OpenSSH. A full install is under 400 MB, and it can rebuild itself from source.
Comment Re:A new domain specific language is born (Score 2, Informative) 125
NSE isn't actually domain specific, it's the tried, tested, and fast Lua (with extensions to make it fit with the Nmap scanner). You get the speed of Nmap to find hosts/ports plus the NSE scripts backing it up to do deeper probes.
Wireshark, Snort, Nmap, and plenty of other tools use Lua for scripting, so it's a valuable language to learn. I recommend it!
Submission + - Nmap Developers release a picture of the Web (nmap.org)
iago-vL writes: The Nmap Project recently posted an awesome visualization of the top million site icons (favicons) on the Web, sized by relative popularity of sites. Once again proving that they're the kings of scanning, this project used the Nmap Scripting Engine, which is capable of performing discovery, vulnerability detection, and anything else you can imagine with lightning speed. We saw last month how an Nmap developer downloaded 170 million Facebook names, and this month it's a million favicons. I wonder what they're going to do next?
Submission + - ATM Makers Release Fixes for 'Jackpotting' Flaw (threatpost.com)
Trailrunner7 writes: Two ATM manufacturers have released software updates to address the remotely exploitable vulnerabilities in their machines' firmware that IOActive researcher Barnaby Jack demonstrated line on stage at the Black Hat conference last month. In response to the demonstration, in which Jack was able to bypass the authentication mechanism on the ATMs and then load a small rootkit that he wrote, ATM manufacturers Hantle and Triton have released new versions of their firmware that fix the vulnerability. Both manufacturers are recommending that ATM owners install the updates immediately.
Comment Cross breeding... (Score 4, Interesting) 435
I'm sure it doesn't help that the plants that are resistant to roundup will cross-pollinate with the weeds that are supposed to be killed with roundup, thereby making everything resistant. I remember people saying a long time ago that this would happen, and here we are!
Submission + - Identity Theft How-To (social-engineer.org) 1
An anonymous reader writes: The crew at social-engineer.org released a podcast today that is truly scary. They interviewed an identity thief and give a basic how-to into committing identity theft. The reasoning is that they want to protect the public by releasing dangerous information. They called it a 0Day for SE and I for one think that is accurate.
Comment Re:Multi-page article (Score 5, Informative) 55
Haha, I hadn't even thought of that!
I originally wrote it as a single page, but 60 images + that much text was too much, so I broke it into 4 pages. For what it's worth, I don't have any ads or anything so it's not like I'm profiting from it.
Submission + - Detecting critical Apple vulnerability with Nmap (cqure.net) 1
iago-vL writes: Patrik Karlsson, an Nmap developer, released a script today to detect a vulnerability in the Apple Filing Protocol (afp), CVS-2010-0533. This vulnerability is trivial to exploit and allows users to view files outside of public shares. He describes this vulnerability, which he discovered inadvertently while working on the Nmap Scripting Engine (NSE), as "strikingly similar to the famous Windows SMB filesharing vulnerability from 1995." Instructions on how to detect vulnerable systems using Nmap can be found in the post linked above.
Submission + - Taking apart the Energizer Trojan (skullsecurity.org)
iago-vL writes: Researchers at SkullSecurity have written a tutorial on how they reverse engineered the Energizer Trojan and generated an Nmap probe to remotely detect infections. The Energizer Trojan is a great educational tool because its inner workings are very simplistic and it makes minimal efforts to hide itself or conceal its purpose; it even lists what appears to be the author's name — "liuhong" — in the source! From infecting a test machine to debugging and disassembling the Trojan to writing the actual probe, this tutorial is a great introduction to malware analysis!
Comment Re:Detect it with Nmap (Score 2, Informative) 260
Yeah, the simple xor 'encryption' is pretty oldschool. I can't believe I didn't notice that right away myself. I didn't see it till I started looking at the send/recv functions.
As to the CLSID, good thought, but no -- the CLSID isn't a real CLSID, it's just a way of identifying its own commands. Basically, it's a list of if(!strcmpi(command, "clsid1")) { do_this() } elseif(!strcmpi(command, "clsid2")) { do_that() } etc.
It only has those 9 or so CLSID's included, and if it isn't on the list the command is simply discarded.
And for what it's worth, the initial "'\x00\x00\x00" that you're seeing is a length (0x27 = the length of the CLSID = ').
Comment Detect it with Nmap (Score 3, Informative) 260
I spent the morning reverse engineering the Trojan and wrote an Nmap script to detect if a remote system is infected. Hope it helps out: http://www.skullsecurity.org/blog/?p=563.
Ron
Submission + - Creating backdoors through DNS with dnscat (skullsecurity.org)
iago-vL writes: SkullSecurity released a tool this week called dnscat (documentation). Designed to tunnel connections through DNS in the style of NSTX, this can bypass virtually any firewall, provided a local DNS server exists. It supports file transfers, tunneled sockets, command shells, and more! The documentation even has an example of how to tunnel an SSH session through DNS!
Submission + - NetBIOS Design Allows Traffic Redirection (skullsecurity.org) 1
iago-vL writes: Security researchers at SkullSecurity released research demonstrating how the NetBIOS protocol allows trivial hijacking due to its design; they have demonstrated this attack in a tool called 'nbpoison' (in the package 'nbtool'). If a DNS lookup fails on Windows, the operating system will broadcast a NetBIOS lookup request that anybody can respond to. One vector of attack is against business workstations on an untrusted network, like a hotel; all DNS requests for internal resources can be redirected (Exchange, proxy, WPAD, etc). Other attack vectors are discussed here. Although similar attacks exist against DHCP, ARP, and many other LAN-based protocols, and we all know that untrusted systems on a LAN means game over, NetBIOS poisoning is much quieter and less likely to break other things.
Submission + - Security-enhanced Linux distro can rebuild itself (openwall.com) 3
iago-vL writes: Last week, the Openwall Project released the latest build of Openwall GNU/*/Linux (Owl for short) (announcement). This distribution, which has the ability to completely rebuild itself from source, is designed from the ground up to be secure. From source code audits of critical components to advanced privilege separation, secure defaults, and integration of OpenVZ container-based virtualization, Owl makes a great server platform!
