Backtrack5 on Motorola ATRIX!!!

 Backtrack-linux.org update the picture of Backtrack5 again. Now it's not only on Xoom but it's on Motorola Atrix too.!!!! Wow!!!

Source: http://www.backtrack-linux.org/xoom/photo.jpg

Loggy The Log Management in the Cloud

Loggly is a cloud based logging service. With Loggly, you can collect logs from your servers and then quickly search them with an intuitive user interface.

Loggly helps you collect, index, and store all your log data and then makes it accessible through search for analysis and reporting. All this is done without having to download or install anything on your servers. It’s like magic

Log Collection

Logs from any data source, operating systems, middleware, Web servers, database servers, and applications themselves are collected in one single place to allow cross-correlation of all of the data.

• Simple setup and configuration. No need to dive into complicated configuration files to make the solution work with your environment. A few settings in the user interface suffice.
• Data source agnostic. No parsers needed. Any textual data from any vendor can be indexed, stored, and analyzed.
• Secure data transport. Loggly speaks both syslog and HTTP. Syslog can be sent over UDP or TCP, but also via SSL. HTTP Posts are accepted either plain text or secured via HTTPS.

Log Storage and Retention

All collected logs are stored in a distributed data store and maintained for as long as the user needs them to be stored.

• Loggly manages all the data and provides access control for the log records.
• Storing your logs with Loggly guarantees the integrity of your log records, allowing you to prove the originality of log records in compliance and security related scenarios.

Log Search

Once the logs are collected, Loggly creates a full-text index of all of the data. There is no need for parsers or connectors that understand the data format. The nature of applying a full-text index takes care of any data format. The indexes then guarantee quick data access across all of the collected data. The cloud-based architecture allows for large indexes and fast search times across all of the data.

• An easy and intuitive user interface helps the user get his job done.
• Search is extremely fast across all of the user’s data due to an extremely reliable, cloud-scale infrastructure.
• A shell-like search experience makes your developers feel at home and allows them to quickly and easily pivot and search the data.

API Access

The logging platform provides a RESTful API. Using HTTP requests, the user can query their data, and read, create, update, and delete any resource in the system. All the data returned by the APIs is formatted in JSON, making it easy to incorporate Loggly into third-party and customer applications.

• A rich set of RESTful APIs can be used to query and manage the data from any external application.
• Loggly supports oAuth authentication for third-party applications to access your data.
• Read more about our API here.

Source: http://www.vulnerabilitydatabase.com/2011/04/exclusive-say-hello-to-loggy-the-log-management-in-the-clou/

To mount ours honeypot with Netcat

One of first that comes to us at the top is the backdoorizada version of ProFTPD 1.3.3c that was detected at the end of the past year. In order to know how as he is to banner of the service we can, for example, to look for in Shodan servants with near versions.

With these data, we have left to cause that Netcat writes banner in each connection and keeps log with the connections. We can do it with following script:

#!/bin/bash

buff= " 220 ProFTPD 1.3.3c Server (ProFTPD) \ r \ n "

while [1]; do
    I throw $buff | netcat - v - l - p 21 >> /var/log/honeylog.log 2>> /var/log/honeylog.log
it donates

We use a curl because netcat will finish listening when the connection finalizes, possibly with other versions of netcat we could improve it.

If we scanned with Nmap the service it detects the version to us of vulnerable FTP:

$ nmap - sT - sV - p 21 192.168.1.2

Starting Nmap 5,21 (http://nmap.org)

Nmap scan report for 192.168.1.2

Host is up (0.0051s latency).

PORT   STATE SERVICE VERSION

21/tcp open FTP     ProFTPD 1.3.3c

Service Info: OS: Unix

Service detection performed. Please report any incorrect results AT http://nmap.org/submit/.

Nmap donates: 1 IP address (1 host up) scanned in 0,57 seconds

And if we watched log of honeypot:

$ cat honeylog.log

listening on [any] 21…

connect to [192.168.1.2] from desktop.local [192.168.1.3] 33303

listening on [any] 21…

By all means, also we can be connected, although the functionality is minimum:

$ FTP localhost

Connected to localhost.

220 ProFTPD 1.3.3c Server (ProFTPD) \ r \ n

Yam (localhost: asd):

Source: http://babelfish.yahoo.com/translate_url?doit=done&tt=url&intl=1&fr=bf-home&trurl=http%3A%2F%2Fwww.securitybydefault.com%2F2011%2F04%2Fmontar-nuestro-honeypot-con-netcat.html&lp=es_en&btnTrUrl=Translate

Resolver! DNS Lookup Tool

Resolver is a windows based tool which designed to preform a reverse DNS Lookup for a given IP address or for a range of IP’s in order to find its PTR. Updated to Version 1.0.3 added dns records brute force

If you want to download, Please go to the Source.
Source: http://sourceforge.net/projects/exploitresolver/

Vulnerability In Skype For Android Is Exposing Your Name, Phone Number, Chat Logs, And A Lot More

How Does This Work?

Inside the Skype data directory is a folder with the same name as your Skype username, and it’s here where Skype stores your contacts, your profile, your instant message logs, and more in a number of sqlite3 databases.

# ls -l /data/data/com.skype.merlin_mecha/files/jcaseap
-rw-rw-rw- app_152  app_152    331776 2011-04-13 00:08 main.db
-rw-rw-rw- app_152  app_152    119528 2011-04-13 00:08 main.db-journal
-rw-rw-rw- app_152  app_152     40960 2011-04-11 14:05 keyval.db
-rw-rw-rw- app_152  app_152      3522 2011-04-12 23:39 config.xml
drwxrwxrwx app_152  app_152           2011-04-11 14:05 voicemail
-rw-rw-rw- app_152  app_152         0 2011-04-11 14:05 config.lck
-rw-rw-rw- app_152  app_152     61440 2011-04-13 00:08 bistats.db
drwxrwxrwx app_152  app_152           2011-04-12 21:49 chatsync
-rw-rw-rw- app_152  app_152     12824 2011-04-11 14:05 keyval.db-journal
-rw-rw-rw- app_152  app_152     33344 2011-04-13 00:08 bistats.db-journal

Skype mistakenly left these files with improper permissions, allowing anyone or any app to read them. Not only are they accessible, but completely unencrypted.

But how do we find this directory from another app if we don’t know the username? Well, Skype stored the username in a static location, we can parse this file, get the username and find the path to Skype’s stored data.

# ls -l /data/data/com.skype.merlin_mecha/files/shared.xml
-rw-rw-rw- app_152  app_152     56136 2011-04-13 00:07 shared.xml
# grep Default /data/data/com.skype.merlin_mecha/files/shared.xml
      <Default>jcaseap</Default>

The most interesting file one can gain access to is main.db. The accounts table in this database holds information such as account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone, email addresses, your webpage, your bio, and more.
The Contacts table holds similar information, but on friends, family and anyone else in your contact list (that is, more than Skype exposes on other users publicly). Moving further along, looking into the Chats table, we can see your instant messages – and that’s just the tip of it. Scary.
This means that a rogue developer could modify an existing application with code from our Proof of Concept (without much difficulty), distribute that application on the Market, and just watch as all that private user information pours in. While the exploit can’t steal your credit card info, the data it’s harvesting is still clearly very private (chat logs linked back to your real name, address, and phone number).

How Can Skype fix this

First, they can use proper file permissions, second, they should probably implement some type of encryption scheme, and third, they need to have their applications reviewed for security issues prior to release.

NOTE: Android Police has published this information regarding a specific security vulnerability in the "Skype" app for Android in good faith, as a matter of general public concern. The "Proof of Concept app" is provided only for demonstrative purposes.

You can see just how wide-open your private data is by downloading this proof of concept application, which will display some (note: not all) of the information that the vulnerability would allow a less than savory individual to gather:

If you want to download Proof-Of-Concept App, Please go to the Source.
Source: http://www.androidpolice.com/2011/04/14/exclusive-vulnerability-in-skype-for-android-is-exposing-your-name-phone-number-chat-logs-and-a-lot-more/

DNS hacks with added value

The internet's name resolution system is more flexible than many think. Some hacks currently demonstrate some nice tricks with Twitter and DNS. In one, a service from any.io queries Twitter through DNS. For example, the command

host -t txt codepope.twitter.any.io

will retrieve the most recent status tweet from the user codepope. The trick is simple. The answer to the DNS query is returned as a text snippet embedded in the TXT record. The name server for twitter.any.io takes the requested host name and parses it as the user "codepope"; it then retrieves that user's last tweet and sends it back as a DNS response. To query identi.ca users just ask the authoritative server for identica.any.io for say "codepope.identica.any.io". You can perform a similar trick with Wikipedia over DNS from Windows:

nslookup -type=txt cheese.wp.dg.cx

The useful part is that many fee-based Wi-Fi networks will allow DNS queries to pass through even though the network may be closed to other traffic.


The concept is not new though. Over ten years ago, Julien Oster and Florian Heinz demonstrated the Name Server Transfer protocol (NSTX) which allowed an entire IP connection to be tunnelled through DNS. To provide such a service though, one must configure a name server for a particular domain and configure it so that it correctly interprets requests and delivers the appropriate responses.

Source: http://www.h-online.com/security/news/item/DNS-hacks-with-added-value-1227656.html

Wikipedia over DNS

if you want to see all detail and download the slide of workshop, Please go to the Source.

It has advantages too, it gets cached at your nameserver and it also has slightly lower latency than HTTP (because there's no need to setup a TCP session).
Here's an example:
$ host -t txt foo.wp.dg.cx
foo.wp.dg.cx descriptive text "Foo may refer to: Foo, bar, and baz: metasyntactic variables, \"Fool\", as a nonstandard spelling to indicate a nonstandard pronunciation, Foo Fighters, a post-grunge group formed by Dave Grohl, Foo fighters, a World War II term for various UFOs or mysterio\" \"us aerial phenomena seen in the skies over Europe and the Pacific theatre, Foo, also a known surname or last name of a... http://a.vu/w:Foo"
Using it from Perl is fairly easy too, with a little help from Net::DNS:

use Net::DNS;
my $res = Net::DNS::Resolver->new;

sub wikipedia {
  my($name) = @_;
  my $q = $res->query("$name.wp.dg.cx", "TXT");
  if($q) {
    for my $rr($q->answer) {
      next unless $rr->type eq "TXT";
      return join "", $rr->char_str_list;
    }
  }
}

print wikipedia($ARGV[0]);

Unicode should be supported, all DNS queries are expected to be in UTF-8 (this assumes your resolver is happy with 8 bit characters, some aren't---I might support IDN one day). See the example below (the perl is just there to unescape the escaping dig does). The result is returned in UTF-8, which everything can handle. For example:


$ dig +short txt '新疆.wp.dg.cx' | perl -pe's/\\(\d{1,3})/chr $1/eg'
"Xinjiang (Uyghur: , Shinjang\; \; Postal map spelling: Sinkiang) is an autonomous region (Xinjiang Uyghur Autonomous Region) of the People's Republic of China. It is a large, sparsely populated area (spanning over 1.6 million sq. km) which takes up about on" "e sixth of the country's territory. Xinjiang borders the Tibet Autonomous Region to the south and Qinghai and Gansu... http://a.vu/w:Xinjiang"

Source: https://dgl.cx/wikipedia-dns

Download with resume from file sharing websites | Rapidshare, hotfile, fileserve hack

Rapidshare, Megaupload, Hotfile, fileserve, filesonic, Megaupload are some most popular file sharing websites. But the main problem is that none of these websites support downloading with resume capability. Today i am going to write a new trick on how you can download files with resume capability from these websites.


Follow these Steps:

1. Go to http://foxleech.com/
2. Paste the link in the Link box.
3. Hit the Download button.
4. Click the “Download Now” button. A popup window will open which will start leeching. Do not close it and let it leech. After some time download will start with resume capability. 

Source: http://www.hackingtricks.in/2011/03/download-with-resume-from-file-sharing.html#more

RawCap sniffer for Windows released

If you want to download this software, Please go to the Source

We are today proude to announce the release of RawCap, which is a free raw sockets sniffer for Windows.
Here are some highlights of why RawCap is a great tool to have in your toolset:

• Can sniff any interface that has got an IP address, including 127.0.0.1 (localhost/loopback)
• RawCap.exe is just 17 kB
• No external libraries or DLL's needed
• No installation required, just download RawCap.exe and sniff
• Can sniff most interface types, including WiFi and PPP interfaces
• Minimal memory and CPU load
• Reliable and simple to use

Usage
RawCap takes two arguments; the first argument is the IP address or interface number to sniff from, the second is the path/file to write the captured packets to.

C:\Tools>RawCap.exe 192.168.0.23 dumpfile.pcap

You can also start RawCap without any arguments, which will leave you with an interactive dialog where you can select NIC and filename:

C:\Tools>RawCap.exe
Network interfaces:
0.     192.168.0.23    Local Area Connection
1.     192.168.0.47    Wireless Network Connection
2.     90.130.211.54   3G UMTS Internet
3.     192.168.111.1   VMware Network Adapter VMnet1
4.     192.168.222.1   VMware Network Adapter VMnet2
5.     127.0.0.1       Loopback Pseudo-Interface
Select network interface to sniff [default '0']: 1
Output path or filename [default 'dumpfile.pcap']:
Sniffing IP : 192.168.0.47
File        : dumpfile.pcap
Packets     : 1337

For Incident Responders
RawCap comes in very handy for incident responders who want to be able to sniff network traffic locally at the clients of the corporate network. Here are a few examples of how RawCap can be used for incident response:

1. A company laptop somewhere on the corporate network is believed to exfiltrate sensitive coporate information to a foreign server on the Internet by using a UMTS 3G connection on a USB dongle. After finding the internal IP address on the corporate network the Incident Response Team (IRT) use the Sysinternals tool PsExec to inject RawCap.exe onto the laptop and sniff the packets being exfiltrated through the 3G connection. The generated pcap file can be used to determine what the external 3G connection was used for.
2. A computer is suspected to be infected with malware that uses an SSL tunnelling proxy (stunnel) to encrypt all Command-and-Control (C&C) communication. The data that is to be sent into the tunnel is first sent unencrypted to localhost (127.0.0.1 aka loopback interface) before it enters the encrypted tunnel. Incident responders can use RawCap to sniff the traffic to/from localhost on the Windows OS, which is something other sniffing tools cannot do.
3. A corporate laptop connected to the companies WPA2 encrypted WiFi is found to have suspicious TCP sessions opened to other computers on the same WiFi network. Incident responders can run RawCap locally on any of those machines in order to capture the WiFi network traffic to/from that machine in unencrypted form.

For Penetration Testers
RawCap was not designed for pen-testers, but I realize that there are some situations where the tool can come in hany when doing a penetration test. Here are some examples:

1. After getting remote access and admin privileges on a Windows XP machine the pen-tester wanna sniff the network traffic of the machine in order to get hold of additional credentials. Sniffing tools like dumpcap, WinDump and NMCap can unfortunately not be used since no WinPcap or NDIS driver is installed. RawCap does, however, not need any special driver installed since it makes use of the Raw Sockets functionality built into Windows. Pen-testers can therefore run RawCap.exe to sniff traffic without installing any drivers.
2. After getting admin on a box the pen-tester wanna sniff the network traffic, but box uses a WiFi network so traditional sniffing tools won't work. This is when RawCap comes in handy, since it can sniff the WiFi traffic of the owned machine just as easily as if it had been an Ethernet NIC.

Source: http://www.netresec.com/?page=Blog&month=2011-04&post=RawCap-sniffer-for-Windows-released

Learn IPv6 On Linux

After I read  IPv6 Crash Course For Linux , I summary about it.

1. You must specific interfaces that you will check or use every times.
2. It's hard to remember but not hard to understand about how to calculate the address.
3. Some commands can use with IPv6 but some commands can't use.

and this is some path of the article.

IPv6 Advantages

What does IPv6 offer over IPv4? Well, aside from the fact that we're more or less out of new IPv4 addresses, IPv6 has a number of additional advantages.

• No more private address collisions.
• Network address translation (NAT) is optional, rather than a necessity.
• Simplified routing.
• Say good-bye to DHCP.

One major drawback to IPv6 is unwieldy long hexadecimal addresses. IPv4 dotted quads are easy to remember. Eight clumps of hexadecimal numbers are a lot harder, at least for my old brain.

Does My Linux System Support IPv6?

How do you know if your system supports IPv6? Simple:

$ cat /proc/net/if_inet6
000000000000000000000000000000 01 01 80 10 80       lo
fe80000000000000020b6afffeef7e 8d 02 40 20 80     eth0

This means yes. Most modern distros should support IPv6 out of the box.

Pinging IPv6

If you want to ping IPv6 addresses, you'll need the ping6 command. This pings localhost twice:

$ ping6 -c2 ::1
PING ::1(::1) 56 data bytes
64 bytes from ::1: icmp_seq=1 ttl=64 time=0.043 ms
64 bytes from ::1: icmp_seq=2 ttl=64 time=0.054 ms

--- ::1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.043/0.048/0.054/0.008 ms

::1 is shorthand for 0000:0000:0000:0000:0000:0000: 0000:0001. Any one unbroken sequence of consecutive zeros can be shortened to a pair of colons, and any quad of all zeroes can be condensed to a single zero, like 0.0.0.0.0.0.0.1.

LAN Discovery

If you want to see this subject, Please go to the Source.

Using Hostnames

We'll get to the proper "leet" network administrator method of assigning hostnames in a future installment; for today let's use good old reliable /etc/hosts. Let's say you have three PCs in your little link-local LAN: fatfreddy, phineas, and franklin. You can use these fine hostnames over IPv6 as easy as pie. You'll make identical entries in the /etc/hosts file of each PC, like this:

fe80::20b:6aff:feef:7e8d  fatfreddy
fe80::221:97ff:feed:ef01  phineas
fe80::3f1:4baf:a7dd:ba4f  franklin

Now you can ping6 by hostname:

$ ping6 -I eth0 phineas
PING phineas(phineas) from fe80::221:97ff:feed:ef01 eth0: 56 data bytes
64 bytes from phineas: icmp_seq=1 ttl=64 time=17.3 ms

SSH and SCP

SSH and SCP both speak IPv6. Warning: there are some syntax gotchas, so pay attention. You can log in and copy files on your ad-hoc IPv6 link-local network just like on your old-fashioned IPv4 network. If you have IPv6 name services set up then you don't do anything differently. For example, you can login via ssh as a different user in the usual way, ssh user@remotehost. Copying a file is also exactly the same: scp filename user@remotehost:/home/username/directory/.
It gets tricky using your IPv6 link-local addresses. This is how you establish an SSH session:
ssh phineas@fe80::221:97ff:feed: ef01%eth0
Again, you must specify the network interface name on your PC, and you must do it as shown, appended with a percent sign and no spaces. scp has its own fiendish syntax quirks:

$ scp test.txt phineas@\[fe80::221:97ff:feed: ef01%eth0\]:
phineas@fe80::221:97ff:feed: ef01%eth0's password:
test.txt 100%   19     0.0KB/s   00:00 

The IPv6 address must be enclosed in square braces, including the interface name, and the braces must be escaped.

What is My IPv6 Address?

The ifconfig -a command displays complete information on all of your network interfaces, both physical and virtual. When you know which interface to query you can quickly narrow it down with grep:

$ ifconfig eth0 |grep "inet6 addr:"

          inet6 addr: fe80::20d:b9ff:fe05:25b4/64 Scope:Link 

If you want to see all of this article. Please go to the Source.

Source: http://www.linux.com/learn/tutorials/428331:ipv6-crash-course-for-linux

CVE-2011-0611 Flash Player Zero day

If you want to see all detail of this exploit Please go to the Source.

Source: http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html

Common Vulnerabilities and Exposures (CVE)number

CVE-2011-0611

Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat A critical vulnerability exists in Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 10.2.156.12 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.

This vulnerability (CVE-2011-0611) could cause a crash and potentially allow an attacker to take control of the affected system.

Linksys WRT54G Password Disclosure

This vulnerability I got from the "packetstormsecurity.org"

Source: http://packetstormsecurity.org/files/view/100287/linksyswrt54g-disclose.txt

Environment: Linksys WRT54G - Firmware Version: v7.00.1 


Default settings of Linksys WRT54G allows to get FTP without password:


rafal@localhost ~ $ lftp 192.168.1.1
lftp 192.168.1.1:~> dir
  size          date       time       name
--------       ------     ------    --------
  956756    Jan-01-2003  02:13:12   ap61.sys          
  224664    Jan-01-2003  02:13:24   igwhtm.dat        
   28528    Jan-01-2003  02:13:26   langpak_en        
   28482    Apr-08-2011  15:36:44   igwpricf.dat      
    2520    Apr-08-2011  15:11:02   nvram.cfg         
    2046    Dec-24-2001  00:02:42   calibra.dat       

lftp 192.168.1.1:~> 


It is possible to download igwpricf.dat file (and another) where plain-text password to web access and wireless network are keeping.


rafal@localhost ~ $ strings igwpricf.dat
Linksys
IntotoSoft
192.168.50.3
...
Aadmin
PASSWORD
test
best
...
WIRELESS_PASSWORD
...
default
langpak_en
TELNET
HTTP
SMTP
POP3


-----------------
RaFD

Source: http://packetstormsecurity.org/files/view/100287/linksyswrt54g-disclose.txt

Microsoft PowerPoint TimeCommandBehaviorContainer Remote Code Execution Vulnerability

ZDI-11-123: April 12th, 2011

CVE ID

CVE-2011-0655

CVSS Score

9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

Affected Vendors

Microsoft

Affected Products

Office PowerPoint

TippingPoint™ IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 10822. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office PowerPoint. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the ppcore.dll module responsible for parsing PowerPoint (ppt) files. When parsing a malformed TimeCommandBehaviorContainer structure the process raises an exception that causes an object in memory to be freed prior to being fully parsed. Due to the lack of a check that this object has been freed, a later function references an invalid pointer element. This can be leveraged by a remote attacker to execute arbitrary code under the context of the user running PowerPoint.

Vendor Response

Microsoft has issued an update to correct this vulnerability. More details can be found at:

http://www.microsoft.com/technet/security/Bulletin/MS11-022.mspx

Disclosure Timeline

2010-09-24 - Vulnerability reported to vendor 2011-04-12 - Coordinated public release of advisory

Credit

This vulnerability was discovered by: Anonymous

Source: http://www.zerodayinitiative.com/advisories/ZDI-11-123/

Learning the Importance of WAF Technology – the Hard Way

After Barracuda Networks was hacked last night. This is the response messages from Barracuda Networks and I just want to ask you guys (not seriously) "do you believe this response?" :)

Wow.  What a weekend.  In case you haven’t heard, Barracuda Networks was the latest victim of a SQL injection attack on our corporate Web site that compromised lead and partner contact information.  The good news is the information compromised was essentially just names and email addresses, and no financial information is even stored in those databases. Further, we have confirmed that some of the affected databases contained one-way cryptographic hashes of salted passwords.  However, all active passwords for applications in use remain secure.

So, the bad news is that we made a mistake.  The Barracuda Web Application Firewall in front of the Barracuda Networks Web site was unintentionally placed in passive monitoring mode and was offline through a maintenance window that started Friday night (April 8 ) after close of business Pacific time.  Starting Saturday night at approximately 5pm Pacific time, an automated script began crawling our Web site in search of unvalidated parameters.  After approximately two hours of nonstop attempts, the script discovered a SQL injection vulnerability in a simple PHP script that serves up customer reference case studies by vertical market.  As with many ancillary scripts common to Web sites, this customer case study database shared the SQL database used for marketing programs which contained names and email addresses of leads, channel partners and some Barracuda Networks employees.  The attack utilized one IP address initially to do reconnaissance and was joined by another IP address about three hours later.  We have logs of all the attack activity, and we believe we now fully understand the scope of the attack.
This latest incident brings home some key reminders for us, including that:

• You can’t leave a Web site exposed nowadays for even a day (or less)
• Code vulnerabilities can happen in places far away from the data you’re trying to protect
• You can’t be complacent about coding practices, operations or even the lack of private data on your site – even when you have WAF technology deployed

Before responding prematurely to the press or to anyone else, we wanted to make sure we had time to sift through our logs and do a bit of communication.  We’re glad that the impact will be very minimal, but we’re not happy about the amount of bandwidth we’ve spent assessing what happened, responding to affected parties and putting in place the steps to prevent it in the future.
We are working to notify everyone whose email addresses were exposed, and we apologize for the inconvenience.

Source: http://www.barracudalabs.com/wordpress/index.php/2011/04/11/learning-the-importance-of-waf-technology-the-hard-way/

New Adobe Flash zero day in the wild - infects through MS Word documents

This news is from Sophos and I think it'll be use in the wide.

Adobe has issued a security advisory concerning a new zero day flaw (CVE-2011-0611) in Adobe Flash Player 10. As usual this also means that other applications that support Flash content like Adobe Reader and Microsoft Office are also affected.

Brian Krebs wrote a blog post earlier today describing some targeted attacks using a Microsoft Word attachment that had an embedded Flash object used to exploit this flaw.
Mr. Krebs notes that the samples in the wild were largely being used in spear phishing attacks targeting the US Government and related contractors and agencies.

Adobe's advisory notes that Adobe Reader X utilizes a sandbox which prevents this exploit from working in Adobe Reader X on Windows. Windows machines with Flash installed are still vulnerable through their browsers and other applications.

The vulnerability impacts Adobe Flash Player 10 (all Operating Systems) and Adobe Reader 9 and X for Windows and Macintosh. It does not affect Adobe Reader for Android, Unix or Adobe Reader/Acrobat 8.
The only mitigation at this point is to remove Flash entirely and be sure you are using Adobe Reader 8/Adobe Reader X (Windows only).

Adobe mentioned they are working to release a fix for all affected software as soon as possible, with the exception of Adobe Reader X for Windows.
This is the same stance they took with the last Flash vulnerability that was mitigated through the use of Adobe Reader X's sandbox.

Personally I find this approach distasteful, and it was one of the concerns I had when Adobe had announced their sandbox technology. It's great that the sandbox is working against some of these exploits, but it suggests it is ok to consume malicious code because you have "protection".

It would be better to release security fixes with the same priority regardless of the version of the software.
The observed attack currently only targets Windows users, but once a fix is made available by Adobe I recommend everyone update to the latest Flash software.

Source: http://nakedsecurity.sophos.com/2011/04/12/new-adobe-flash-zero-day-in-the-wild-infects-through-ms-word-documents/

Barracuda Networks Hacking via SQL Injection !

Barracuda Networks’ product portfolio includes: Barracuda Spam & Virus Firewall, Barracuda Web Filter, Barracuda IM Firewall, Barracuda Web Application Firewall, Barracuda SSL VPN, Barracuda Load Balancer, Barracuda Link Balancer, Barracuda Message Archiver, Barracuda Backup Service, and the BarracudaWaresoftware portfolio. Combining its own award-winning technology with powerful open source software, Barracuda Networks solutions deliver easy to use, comprehensive security, networking, and data protection products. Barracuda Central, an advanced 24x7 operations center manages data centers for all service-based offerings and works to continuously monitor and block the latest Internet threats.

LIST OF DATABASES:

new_barracuda 

information_schema 

Marketing

barracuda 

black_ips 

buniversity 

bware 

co-op 

collections 

cuda_car 

cuda_stats 

dev_new_barracuda 

igivetest 

igivetest_bk1_aug10

igivetestsucks 

kb_solutions 

leads 

mysql 

new_barracuda

new_barracuda_archive

php_live_chat

phpmyadmin

If you want to see all information leak from the site. Please go to the Source.
Source: http://www.thehackernews.com/2011/04/barracuda-networks-hacking-via-sql.html

"Add URL" to Google.com Captcha Bypass

This Captcha bypass allow to spammer to submit number (that May be more than 1000 Website) of websites to Google crawl by writing simple program in any programming language.

Original link (With captcha): http://www.google.com/addurl/?continue=/addurl 
Bypass captcha link POC: http://www.google.com/addurl?q=www.hacker.com&hl=&dqq= 

If you execute the above URL in the browser then it will add the new website to Google crawl database. Following Program can be used to submit a large amount of website at a time.

Source: http://seclists.org/fulldisclosure/2011/Apr/160

Dropbox authentication exploit, dbClone

After reading this article on dereknewton.com about Dropbox’s insecure design, sablefoxx: a resourceful young coder on the forum created a python application to exploit the insecure design of the most popular file synchronisation tool Dropbox.

Download dbClone from the Source.

[1] Find a victim machine running Dropbox, insert your USB drive
[2] Run dbClone.exe, data will be saved in a .txt file
[3] On your own computer install the Dropbox client and run “dbClone.exe -i”
[4] Paste in the ‘hostid’ from the .txt file into the ‘hostid’ prompt, enter /any/ email
[5] Start up the Dropbox client, and sync all the files!!!

If you want any detail of this attack, please go to the Source.
Source: http://www.itsecuresite.com/network-security/dropbox-authentication-exploit-dbclone.html

Backtrack5 and Metasploit on Xoom

This picture was published by Backtrack-Linux.org and I'm so excited about it. Wait for the release of Backtrack5 and installation on Motorola's Xoom tablet.

** Update more pix and Source.

Picture Link: http://www.offensive-security.com/backtrack/backtrack-5-on-a-motorola-xoom/

SecurityTube Boxee Support

I received this message from my twitter and I want to share it to you guys if you want to support it, please vote yes.

Securitytube.net is the big portal of information security video.

I emailed support@boxee.com asking them to enable support for securitytube.net, their reply was the following:

Quote:

Please promote this great idea at http://forums.boxee.tv/forumdisplay.php?f=12 the more votes the higher the priority.

Here was my original message: (slightly edited)

Quote:

Please could you support http://www.securitytube.net in your Bookmarklet or preferably from the RSS Feed App. The videos are embedded with an <iframe> tag rather than the <embed> or <object> tag the Bookmarklet and RSS Feed App searches for.

Please vote 'Yes' so we can get securitytube.net working on Boxee!

Source: http://forums.boxee.tv/showthread.php?t=33355

How to Disable Geolocation in Specific Programs

Geolocation is a rather secret feature of some browsers and toolbars. It allows the creator of that program to get a fix on the location of your computer to within a few meters of where you actually live.


If you want to see how to disable geolocation on Twitter, Thunderbird,Internet ExplorerX, Apple Safari , GMAIL , etc. Please go to the Source. 

- Facebook (initially just for the iPhone client):

• Goto Privacy Settings
• Click ‘Custom’
• Click ‘Custom Settings’
• Disable ‘Places I check in’
• Disable ‘People here now’
• Disable ‘Friends can check me in to places’

 - Google Chrome:
• Goto the ‘Customize and control Google Chrome’ icon (the little blue wrench on the top right)
• Goto ‘Options’
• Goto ‘Under the Bonnet’
• Choose ‘Content Settings’
• Choose ‘Location’
• Check ‘Do not allow any site to track my physical location’

- Mozilla Firefox:
• Type ‘about:config’ in the address bar (without the ‘’)
• Discard the warning by hitting ‘yes’
• [1] Scroll down until you reach ‘geo.enabled’ or you can simply search for 'geo.enabled'
• Doubleclick the item and it will change from its default value ‘True’ to ‘False’
• [2] Scroll down until you reach ‘geo.wifi.uri’or you can simply search for 'geo.wifi.uri'
• Rightclick the Value of ‘geo.wifi.uri’ and click ‘Modify’
• Type in ‘localhost’ and hit ‘OK’

Source: http://no-geolocation.blogspot.com/2010/08/01-what-is-geolocation_08.html