Security

Submission + - JUNOS (Juniper) Flaw Exposes Core Routers to Kerne (praetorianprefect.com)

danielkennedy74 writes: A report has been received from Juniper at 4:25pm under bulletin PSN-2010-01-623 that a crafted malformed TCP field option in the TCP header of a packet will cause the JUNOS kernel to core (crash). In other words, the kernel on the network device (gateway router) will crash and reboot if a packet containing this crafted option is received on a listening TCP port. The JUNOS firewall filter is unable to filter a TCP packet with this issue. Juniper claims this issue was identified during investigation of a vendor interoperability issue.
Microsoft

Submission + - Reactivating DECAF in Two Minutes (praetorianprefect.com)

danielkennedy74 writes: Two nonsensical premises are filling the InterTubes: that DECAF is fully deactivated and that it was all a non-working hoax. Neither is true; the tool does perform actions based on detecting COFEE and can be re-enabled. Praetorian Prefect explains the whole thing.
Security

Submission + - You’ve been SHODAN’d (praetorianprefect.com)

danielkennedy74 writes: SHODAN (Sentient Hyper-Optimized Data Access Network) was the fictional artificial intelligence bad girl of the computer game System Shock who, once she was hacked and her ethical restrictions removed, destroyed or subverted all around her with the exception of her hacker. IT Administrators responsible for the servers whose listening services are showing up in the search results of the new SHODAN Computer Search Engine should pray that the ethical restrictions of those ‘shodanning’ (googling counterpart?) or searching remain intact. Or even better, they should start the implementation of countermeasures (close unnecessary ports, etc).

The service, developed by John Matherly, is a search engine for servers, routers, load balancers, computers: basically Internet-facing devices that can be port scanned. It has been coined "Google for hackers".

Security

Submission + - Remote SMB Exploit: Crashing Windows 7 and Server (praetorianprefect.com) 1

danielkennedy74 writes: Python code was posted today by Laurent Gaffie on his blog, demonstrating a much too easy way to remotely crash a Windows 7 or Windows Server 2008 machine. The crash is caused by sending a NetBIOS header which specifies that the SMB packet is 4 bytes smaller or larger than it actually is.

In this code sample, you can see that the header has the length of the packet set to 9a rather than 9e (4 bytes smaller).

On OpenBSD, Mac OS X, and Linux 2.6 workstations, we ran the Python code and had it listen on port 445. I would have had a Windows server run the listening server, but SMB on Windows already listens on port 445, and for the purpose of the demonstration it was easier to run it on machines that do not listen on this port by default. From the Windows 7 and Windows Server 2008 victim machines, we simply attempt any type of SMB connection to the bad hosts listening with the Python code. This can be done by simply doing a directory command (dir) to a non-existent share (dir \\ip-address\share).

The screenshot below shows the command window with the dir command used to attempt a connection to a host (172.17.20.139) which is running the Python code, ready to send that SMB packet over. As soon as the connection is attempted, the whole machine freezes. I had resource monitor and task manager running and every counter, even the ticking of uptime, stopped dead. In some cases, I left the machine in this state for a significant amount of time. Also, the host was no longer pingable, so once the crash occurred, it was off the network and no longer attempting any more SMB traffic.

Security

Submission + - The Barack Obama Donations Site was Hackederr, no (praetorianprefect.com)

danielkennedy74 writes: This morning a security researcher identified that he was able to carry out a successful SQL Injection attack against donate.barackobama.com, the official campaign donation site of current President Barack Obama, and gain access to credentials such as user names and passwords for persons who have donated to the Obama campaign, as well as administrative user credentials. On his blog he goes on to postulate the further attack possibilities with admin access such as web site defacement, uploading phpshells, and so forth. The problem is that the researcher Unu didn’t find an SQL injection site on donate.barackobama.com, he found one on a calendar application at Roosevelt University. In the process of finding out how that would be possible, a real web site vulnerability on the Obama web site reveals itself.
Security

Submission + - NSA.gov Site Defacement (praetorianprefect.com)

danielkennedy74 writes: It appears, according to the site defacement archive hosted at Zone-H, that on or around October 5th an NSA web site application was the victim of an SQL injection exploit resulting in a web site defacement. A web application loading a list of recruitment events at colleges was compromised on the careers section of nsa.gov. The attacker, using the handle SQL_Master, is attributed on Zone-H to site defacements of Google Tokelau (a territory in New Zealand) and a Microsoft property in Korea. He has been associated with the Jurm team, a Moroccan hacker group known primarily for web site defacements of the Israeli versions of major companies' web sites, for example Kia, Sprite, and Fanta.
Security

Submission + - Facebook's Faith: A New Scareware Attack (praetorianprefect.com)

danielkennedy74 writes: "On Thursday morning AVG researcher Roger Thompson, after sourcing some spyware attacks to Facebook, noted a few hundred profiles showing up with the same profile image but different profile information. The home video link on Faith / Emily / whoever's profile points to the site: netmedtest.com/index.php?affid=30500 which opens up a browser dialog box suggesting the user has viruses on their PC, suggests a system's check and opens up a scareware (software sold via the perception of a usually non-existent threat to the user that is usually non-functional or malicious) dialog."
Security

Submission + - Breaking Twitter Authentication (praetorianprefect.com)

danielkennedy74 writes: "25,086 attempts thus far before we got bored watching it, so a little over 7 hours and the whole 200,000+ dictionary word list would be done, and likely any account using a common dictionary based password would be accessed. How Twitter passwords can still be brute forced, even after implementing CAPTCHA on their login screen."
Security

Submission + - SPAM: ROFL this you on here? The latest Twitter Worm

danielkennedy74 writes: "At 2pm on Wednesday 9/24, wide scale reports started showing up on Twitter that a new Twitter worm sends you a direct message with the content "rofl this you on here? [spam URL stripped]". The link opens a Twitter style log in page (albeit Twitter's previous version of this page, they have a new one) which, except for being an old version and a stray angle bracket, is convincing. Upon logging in the user's credentials are stolen, and presumably direct messages are sent to each follower that user has.

The URL in question is hosted in Beijing, China according to GeoIP; the host is listed as Chinanet Yunnan Province Network, which is China Telecom's (3rd biggest mobile telecom provider in China) internet service. The e-mail address used in the registration, lixing688@gmail.com, links this up to similar phishing sites for Twitter and MySpace identified in the malwaredomainlist forums back in July. That time around the site URL was: [spam URL stripped]. MySpace was cloned at rnyspece.com.

Another URL, Faecibook.com, with the same e-mail address for registrar, is a phishing site that appears to prey on users in a way very similar to the Twitter attack, posting comments on Facebook such as this: "seen this really bad blog about you? [spam URL stripped]"."


Submission + - Senate to Reconsider Wiretap Immunity (wired.com)

bughunter writes: "According to Wired Threat Level, "Lawmakers are considering key changes to the Patriot Act and other spy laws — proposals that could give new life to lawsuits accusing the nation's telecommunications companies of turning over Americans' electronic communications to the government without warrants. On Oct. 1, the Senate Judiciary Committee likely will consider revoking that immunity legislation as it works to revise the Patriot Act and other spy laws with radical changes that provide for more government transparency and more privacy protections." This is big. Now would be a great time to donate $20 to the EFF, since it appears they will be heading back to court on our behalf."
Security

Submission + - Wolverine's nemesis: Data Leakage (praetorianprefect.com)

danielkennedy74 writes: "As widely reported, the major motion picture opening today, X-Men Origins: Wolverine, was leaked on March 31st to major BitTorrent trackers and within twenty four hours had been downloaded some 75,000 times. The problem, a total lack of strategy around the prevention of data leakage. http://praetorianprefect.com/archives/2009/05/wolverines-nemesis-data-leakage/"
Security

Submission + - Snort is Tweeting (praetorianprefect.com)

danielkennedy74 writes: "Network engineer Leon Ward of SourceFire has taken the unusual step of publishing his intrusion detection system (IDS) alerts over Twitter, the popular microblogging platform. If you are so inclined, you can monitor his IDS along with your own, by following @SnortIDS on Twitter. http://praetorianprefect.com/archives/2009/04/snort-is-tweeting/"
Networking

Submission + - RickRoll Everyone with BlueCoat (praetorianprefect.com)

danielkennedy74 writes: "The Bluecoat SGOS can do a fair amount of stuff just like any web-proxy should, but my favorite is to RickRoll the whole company. (People spend too much time on YouTube as is.) In this example users are authenticated with NTLM back-ended by Windows Active Directory. See the docs from Bluecoat on how to set this up.

Definitions: Conditions

Conditions allow you to control when things should happen. They do nothing by themselves, but get put together later to perform some real fun. The first definition here matches only members of the group DOMAINpxy_rickrolld. You could make this users or just about anything you would like. I chose the group method to make it simple to add and remove affected users.

    define condition group_to_be_rickrolled
        realm=active_directory group=DOMAINpxy_rickrolld
    end

The second definition does a REGEX to match the domain "youtube" and looks for the string "watch" in the URL path. The use of REGEX really is not the best way to do this, but I figured showing both methods of matching was worth the slight performance hit.

    define condition match_url_to_rickroll
        url.host.regex="youtube" url.path.substring=watch
    end

Definitions: Actions

Actions define something to do with a request. In this case we are going to rewrite the request and change the video to "oHg5SJYRHA0".

    define action youtube_change_to_rickroll
        ; the ? in watch?v= is escaped so the regex matches it literally
        rewrite( url, "(http://.*/watch\?v=)([^&]+)(.*)", "$(1)oHg5SJYRHA0$(3)" )
    end

Given the initial URL of "http://www.youtube.com/watch?v=OBghD0XBN5M&feature=related", the rewrite function's second argument is a REGEX that stores the following: "http://www.youtube.com/watch?v=" in variable "$(1)", and "&feature=related" in variable "$(3)". The third argument is the newly created URL that simply puts the data back together with our selected video ID.

Proxy Section

Now that you have everything defined you need to put it all to use.

    condition=match_url_to_rickroll condition=group_to_be_rickrolled action.youtube_change_to_rickroll(yes)

This will pull all the defines from above to select when to perform the rewrite function. Putting this in place is fun, but it really does make people mad for some reason.

Completed Fun

    define condition group_to_be_rickrolled
        realm=active_directory group=DOMAINpxy_rickrolld
    end

    define condition match_url_to_rickroll
        url.host.regex="youtube" url.path.substring=watch
    end

    define action youtube_change_to_rickroll
        rewrite( url, "(http://.*/watch\?v=)([^&]+)(.*)", "$(1)oHg5SJYRHA0$(3)" )
    end

    condition=match_url_to_rickroll condition=group_to_be_rickrolled action.youtube_change_to_rickroll(yes)"
