The hackers gained ‘full functional control’ as this article describes:

NASA Hacked

Its no wonder… “Bin Laden” Google searches have increased 1 million percent in recent days, according to Google.

This virus poses as photos of Osama but actually contain an emailing, password-stealing Trojan horse program called “Banload”.

Going even further cyber-terrorists have tried to get search engines to index such material so that, when certain searches are performed, what appear to be legitimate results are really pages that are chalk full of malware.

Opportunistic. Sneaky.

Beware.

As of 2/7/2011 there are zero occurrences of this word on Google. Yes, I made it up. But the word makes sense and today we will use it in conjunction with our ability to use Social Engineering to break into a business.

As with all such articles this is designed to help you protect your business and close doors and windows that may be currently open in both your IT infrastructure and within the people you trust to protect your companies assets, secrets and proprietary technology.

The bottom line (and the point of this article) is that the human voice does not need to be altered very much to trick an individual on the other end of a telephone line into thinking that you are somebody else.

Using a combination of a decent headset/microphone combination, Skype (www.skype.com) and a product called MorphyVOX Pro from Screaming Bee (www.screamingbee.com) you can easily and automatically disguise your voice with no effort on your part.

To set this up:

1. Download the trial version of MorphyVOX Pro and install it.
2. Launch MorphyVOX Pro.
3. The Audio Settings section within the Options window of Skype allows you to change the source for your microphone. Change the source to ‘Microphone (Screaming Bee Audio)’.
4. Switch back to the active MorphyVOX Pro application.
5. Click the Morph and Listen buttons.
6. Alter your voice through the use of the granular tools or by clicking on a voice ‘personality’.
7. As you speak into the headset you’ll hear how your voice is altered.
8. When you have found a mix of settings that work for you, initiate the call via Skype and the person who answers the phone will be hearing your altered voice.

Some hints:

1. Speak very naturally.
2. Think about words, phrases and expressions that are peculiar to you and avoid using these as they may give away your identity.
3. Practice a few times before making any calls.
4. Stay calm.

Ellinikagnosia can be achieved even with people you work with on a daily basis if you use the above techniques in conjunction with tactics that coerce individuals to disclose private information out of a sense of fear or stress.

I now have access to your CRM/lead management system. As we say in my country we now ‘own’ you.

Within this web application I now have unfettered access to every:

- first name
- last name
- address
- credit card type (not important)
- credit card number
- credit card expiration date
- CVV code (important)

… that has been stored in your third-parties lead management system since you procured their services.

I check with my friend, also in Europe, to check on the latest “data supermarkets” that sell stolen credit card numbers for a fixed price.

The BBC reported that the black market prices for such info can go for up to $300 USD yet I know that this is an inflated price. From one professional to another the press would like to agrandize, dramatisize and romantisize such transactions but the fact is that such data is notoriously hard to come by.

Researchers who track the IRC servers where this sort of shady affairs take place typically report on the lowest advertised prices of credit card numbers.

Yes, they have been falling in recent years but I am confident that I can get at least $40 for each stolen card.

Given that Gorman and his company have stored no less than 5,000 such cards with relevant expiration dates leads me to believe that I can quickly turn this weeks effort into my typical $200,000 paycheck.

Of course this may take months to evolve into hard currency. A 30-50% discount will occur through nominal channels of less than legal currency pipelines.

In the meantime I will pick at those 5,000 cards and identify those that are at the very least, Platinum in nature, White colored, Black colored, Chairmans, Ultra Elite, Royal, Celebrity.

So what happened?

I knew a few things. Engaged a vendor as representing a legitimate business and a legitimate user account there within.

I pulled strategically on the human stress anxiety lever. I backed up my claims with information gathered through easy channels.

I leveraged this information to steal relevant credit card data from a single car dealership.

I then levered connections (albeit somewhat hard to establish) to take this stolen data and sell it quickly on the black market.

- Create a nested directory structure as close to ‘a’ as possible with hundreds of thousands of iterations of directories.

- Make all the names dictionary plausible.

- Include the entire Apache HTTP Server Version 2.0 Documentation in each directory. With hundreds of threads running simultaneously this will bog down DirBuster.

This is a running list. If you have further ideas please email me…

According to Google’s Chrome Releases blog, one of the vulnerabilities is rated critical while two are high-risk. In keeping with their bounty reward program, Google awarded Aki Helin from Finland’s Oulu University Secure Programming Group $1000 for each of his high-risk vulnerabilities:

- Use-after-free in image loading.
- Crashing when printing in PDF event handler.

The update’s only critical vulnerability was an audio bug, a race condition in audio handling, found by contributors to the social news site Reddit while trying to play the HTML5 game Z-Type.

The rest of the vulnerabilities, rated low, ranged from sandbox leaks to minor browser crashes.

Chrome’s recent update also includes support for a fairly new technology, WebGL, which brings new 3D graphics to the browser along with Chrome Instant, a feature that begins loading pages as you type the URL.

Additionally, all users of Chrome now have the ability to access the Chrome Web Store.

As Google looks to expand their focus on web apps, recent problems with Apple’s Mac App Store and even Google’s own Android Market suggests it won’t necessarily be clear sailing.

Within the framework of security testing, a Google dork is something you can type into Google to return results that can be used to exploit targets. During the information gathering phase of pen-testing we can employ the manual use of Google dork commands.

Google dork commands can help us to discover domains, sub-domains, software that is installed on servers, if verbose debugging is turned on, if vulnerabilities exist on servers and even point us directly to pages that are susceptible to SQL injection.

The “bible” of Google dork commands is the Google Hacking Database (GHDB) which was created by http://johnny.ihackstuff.com/. The GHDB breaks down dork commands into a number of different categories. I will highlight the ones that I use below since it would be atypical for a pen-tester to being able to utilize all the available dork commands due to time constraints.

Warning

There exists software products out there that will take a target url and blast Google with an outrageous number of requests. These products should be avoided as they will fast track you to being banned by Google (a very bad thing).

The Better Dork Commands

With a short amount of time available to manually tap Google for information I would recommend the execution of the following subset of dork commands. These will help catch low hanging fruit and discover a number of useful things about the server[s] you are pen-testing:

Looking for indexed pages

- site: [url] (no need to start with http://. This will return all pages that are indexed.)
- robtex [url] (Not really a dork command but I mention it here for reference as it can be a great tool for finding sub-domains. This takes you to the Robtex report for the domain which often lists out many sub-domains. Click the tabs within Robtex to get a full picture of its data).

Looking for errors

- site: [url] intitle: “error” (finds pages with the word error in the title)
- site: [url] “error” (finds pages with errors whether they be DB errors or script errors. This one is very useful. Will catch any indexed pages that contain IIS web server error messages, internal server errors, mysql, oracle, mssql db errors/query errors, syntax errors, php/asp/.net/coldfusion errors, etc)
- site: [url] “sql” (finds pages with the word sql on them. Could be sql output or errors that we do not catch in the last dork)
- site: [url] “ora” (finds pages with oracle debug/error data)
- site: [url] “syntax” (finds pages with incorrect syntax errors)
- site: [url] “illegal” (finds pages with illegal character errors)
- site: [url] “warning” (finds pages with lots of different types of errors including PHP cannot modify header info)
- site: [url] “connect” (finds pages that contain the word connect, a word often used in db connection strings)
- site: [url] “id=” (finds pages that contain the GET variable called id. Useful for looking for pages to test for SQL injection vulnerabilities.
- site: [url] “odbc” (finds pages with database information)
- site: [url] “admin” (finds pages with admin access)
- site: [url] “username” (finds pages with login access)
- site: [url] “password” (finds pages with login access)
- site: [url] “protected” (finds pages with login access)
- site: [url] “secure” (finds pages with login access)

Looking for confidential files

- site: [url] filetype:xls (finds indexed xls files, often with financial data)
- site: [url] filetype:doc (finds doc files, often with confidential information)
- site: [url] filetype:php (substitute asp, jsp, aspx, cfm, etc here. This is a really good test to see if these type of files exist on a web server that is not set up to process them. Therefore it would spit code out to the browser. This is common within companies that have changed web server technologies, built new pages, but have left old pages intact. These can sometimes give away database connection information and other invaluable pieces of data.

Final Thoughts

The above dork commands are extremely useful but if you are testing a domain with less pages that the number of dork commands above you may simply want to execute a single site: [url] and then review all the results manually. There is nothing that the above dorks will give you than reviewing site: [url] will not. Of course the dorks will “filter” the results. But, again, that would only be useful if you are testing a server with lots of indexed pages.

Happy dorking!

It only affects Windows 7 and the new R2 release of WS 2008.

The flaw was found in the Canonical Display Driver (cdd.dll), which is used by desktop composition to blend the Windows Graphics Device Interface (GDI) and DirectX drawing.

Microsoft reports that it has activated its security response process and will provide a patch once investigations are complete.

From the MSRC blog.

5 minute setup:

1. Download the latest version of sqlmap.
2. Download and install Active State Perl.
3. Scan through the thorough documentation of sqlmap at install_path/doc.

Now we are ready to go. We are going to send sqlmap a list of URLs within the vulnerable site based on which ones are indexed by Google and contain GET (?var=value) parameters. There is no need to scan through the site using this method. No need to parse through forms, tamper with URL’s, etc. In fact this is a great numero uno method of testing any new site that comes your way as a security professional…

All you need to do is to feed sqlmap a Google dork command and it is this simple. From the command prompt and within the sqlmap directory execute this command:

perl sqlmap.pl -g “site:yourdomain.com”

sqlmap will hit Google up for any URLs within this domain that contain parameters and then attempt to tamper each URL that Google returns.

You still have a lot of control here. You can choose to try to exploit each URL that sqlmap finds on Google or to ignore it. If a URL can be tampered with you can choose to enact this tampering. If a vulnerability can be exploited you control how it is exploited.

Using the many command line parameters you can take a vulnerable URL and run it through many paces per the documentation (stacked tests, time tests, union tests, fingerprinting, etc).

In protect the organizations that I work for I have found this tool to be a great way to find vulnerabilities on target sites who are indexed by Google.

Note that this should not replace exhaustive testing where all URL activity back and forth between the browser and web server is logged and examined. There is obviously a large disparity between what Google finds or is allowed to find and what a site and its protected pieces may contain.

If you are looking for a way to find the lazy mans entry into exploitable areas of your web servers then look no further than sqlmap.

Now go report your SQL injection vulnerabilities and enjoy your weekend!