Security Archive


New Malware Targeting Password Managers


Cyber criminals have started targeting the password managers that protect an individual’s most sensitive credentials by using a keylogger to steal the master password in certain cases, according to research from data-protection company IBM Trusteer.

The research found that a configuration file, which attackers use to tailor the Citadel trojan for specific campaigns, had been modified to start up a keylogger when the user opened either Password Safe or KeePass, two open-source password managers. While malware has previously targeted the credentials stored in the password managers included in popular Web browsers, third-party password managers have typically not been targeted.

While the current impact of the attack is low, the implication of the attackers’ focus is that password managers will soon come under more widespread assault, Dana Tamir, director of enterprise security for IBM Trusteer, told Ars Technica.

“Once the malware captures this master key, then they can use that master key to exercise complete control over the machine and any of the user’s online accounts,” she said.



Has your email address and password been leaked?

Pwn: from the verb own, as meaning to appropriate or to conquer, compromise or control.


It seems like a month doesn’t go by where we don’t hear about another account breach at a major organization. Well, some clever guys over at set it up so that you can check your email address against a database of accounts associated with security breaches. The site will immediately tell you whether you’re at risk of your email/password being in the hands of bad guys, or whether you’re safe…for now.

Currently, the site contains leaked user data from the breaches at Adobe earlier this year, the Yahoo Leak in 2012, Sony’s cluster @$%^ in 2011, Start for from the same year, and the Gawker security breach in 2010.  They plan on adding more to the list when more breaches happen in the future.  Note that I said when, not if…

So, this just reinforces the point that you shouldn’t reuse the same password at different sites.


Review: BackTrack 5 Wireless Penetration Testing Beginner’s Guide



An amazing book. This one wastes no time with a long preamble or justifying why you’d need to know how to pen-test; it just tells you what you need to know. You’re sniffing wireless traffic right from the start, injecting packets by page 40 or so, and then you’re off spoofing MAC addresses, cracking WPA (even shared authentication), and doing man-in-the-middle attacks.

This is not a book that explains a lot of theory and then expects you to figure out how to apply it. It’s a finely-tuned set of clear, intentional tutorials that explains how to use the tools, how to get results, and then explains what happened and why. It covers some of the basics (like ifconfig, iwconfig, ping, and a little bit about packet specifications), and then moves on to the heavy-lifters like airmon, aireplay, airodump, wireshark, and others.



Review: Metasploit: The Penetration Tester’s Guide



Metasploit is an open source framework for penetration testing. The Metasploit 4.0 framework is currently available for free download for Windows, Linux and Unix.

“Metasploit: The Penetration Tester’s Guide” is authored by Kennedy, O’Gorman, Kearns and Aharoni and was published by No Starch Press this year, 2011. The book opens with a short and sweet introduction to penetration testing and security. But worry not, this introduction won’t keep the anxious beginner waiting too long, and won’t bore the experienced. In the next few chapters the authors provide a copious number of screenshots, ensuring that the reader can always follow along.
The authors then run us through some Metasploit basics, and it’s not long before we’re already looking at the source for a basic port scanner program.



Configure Remote Access on Windows Server 2008 R2

This video looks at remote access connections on Windows Server 2008 R2. This includes NAT, Internet Connection Sharing (ICS), Remote Access Service, VPN protocols, Network Policy Server and RADIUS.


Say Avast like a pirate, arrrgh

Welcome aboard, me hearties:

This year, switch avast! to “Pirate English” to keep yer ship safe from treacherous malware and you in a good pirate mood. There’s more to Talk Like a Pirate Day than sayin’ arrr! and putting the Black Spot on a scurvy sea dog. Just click here.

Why talk like a pirate?

“Talking like a pirate is fun,” write Talk Like a Pirate Day founders at “It adds a zest, a swagger, to your everyday conversation. Do you need another reason?”
At AVAST Software, that’s reason enough for us. And since Blackbeard was not looking for booty on his laptop, we’ve kept the pirate element in avast! to a fun level. We’re not going to maroon you on a distant isle.

What’s avast got to do with pirates?

Avast means “stop” or “stand still” in sailor-talk. It has been used since the 17th century and was likely derived from houd vast in Dutch.
We’ve been stopping malware with our avast program for over twenty years. Starting out as an acronym for “Anti-virus – Advanced Set”, the first avast program went to market in 1989. Today’s avast! 5.0 now has 130 million registered users on the high seas, sailing everywhere between the Pitcairn Islands to Norway’s Svalbard archipelago.

Bringing “Pirate English” aboard your ship is simple.
If you don’t have avast! installed:
Click here to get the latest version.

Get it on deck!

If you have avast! and want to get your computer speakin’ proper “Pirate English”, update your avast! application with the following steps:

1. Open the avast! application.

2. Go to the Maintenance tab and click on Program Update.

3. Go to the Settings menu in the top right corner. Choose Language, click on Pirate Talk and wait for the installation to finish.

4. Well done. Your avast! is ready to Speak Like a Pirate.


Dan Kaminsky Releases ‘Phreebird’ For Easy DNSSEC

Renowned researcher Dan Kaminsky at Black Hat Abu Dhabi today will release a free toolkit that lets organizations test-drive DNSSEC deployment and also demonstrates his claims that the protocol is simple to implement.

Download Phreebird from Black Hat here:

“I’ve been making a lot of claims and promises about what DNSSEC is capable of and why the security industry should care. This is the argument I’ve been putting forth, in code form. This is for real,” says Kaminsky, who will make the Phreebird Suite 1.0 kit available today on the Black Hat website. Kaminsky gave a sneak peek demonstration of Phreebird at Black Hat USA in July.

Phreebird Suite 1.0 is a real-time DNSSEC proxy that sits in front of a DNS server and digitally signs its responses. “This is a collection of technologies [that show how] DNSSEC can be very easily deployed on the server side and trivially on client side,” he says. The code is not for operational use, he says, but for testing out the technology.



Firesheep: Hacking Facebook and other social media sites for amateurs

Firesheep, an amateur hacking tool, has been downloaded more than 104,000 times a mere 24 hours after its launch, according to TechCrunch.

Firesheep is a Firefox add-on programmed by Seattle-based software developer Eric Butler, who says he designed the extension to demonstrate the HTTP vulnerability in certain websites (such as Twitter, Facebook, Flickr, Tumblr, and Yelp). The extension basically allows people to view information traded over a public network, in the form of cookies — when someone logs on to one of the 26 sites in Firesheep’s database, their information is vulnerable to being swiped.

Firesheep is available for Mac OS X and Windows.

Before privacy hawks freak out, it’s not quite as bad as it sounds. Because Firesheep uses information swiped from cookies, it won’t reveal passwords to any snoopers – just a person’s username and session ID. So, while people might be able to see sensitive information (say, the person’s Facebook account), they can’t do anything that requires the password (for example, on Amazon, they won’t be able to purchase anything or access credit card information).
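The weakness Firesheep demonstrates is a session cookie that the browser will send over plain HTTP, where anyone on the same open network can read it. The check a site owner wants is whether the cookies their application sets carry the Secure and HttpOnly attributes (the Secure flag keeps the cookie off unencrypted connections). The following audit is an added example written for this post, not code from Firesheep or from any of the sites named above; the Set-Cookie header values it examines are constructed, and the attribute names are standard cookie attributes.

```python
"""Audit Set-Cookie headers for the attributes that blunt cookie sniffing.

Added example for this post; the headers below are constructed samples.
"""


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value_or_True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        # Flag attributes such as Secure and HttpOnly have no "=value".
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header, served_over_https=True):
    """Return (cookie_name, list_of_findings) for one Set-Cookie header.

    A cookie without Secure is sent on every plain-HTTP request to the
    site (even for an image), which is exactly what a passive sniffer
    on an open wireless network needs to replay the session.
    """
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if not served_over_https:
        findings.append("cookie issued over HTTP: value already exposed in transit")
    if attrs.get("secure") is not True:
        findings.append("missing Secure: browser will send it over plain HTTP")
    if attrs.get("httponly") is not True:
        findings.append("missing HttpOnly: readable by page scripts")
    return name, findings


def audit_all(headers, served_over_https=True):
    """Audit several Set-Cookie headers; returns {name: findings}."""
    return {
        name: findings
        for name, findings in (audit_session_cookie(h, served_over_https) for h in headers)
    }


# Constructed sample headers, not captured from any real site.
SAMPLE_HEADERS = [
    "sid=4f3a9c; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT",
    "csrf=77ab; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for cookie, findings in audit_all(SAMPLE_HEADERS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{cookie}: {status}")
```

Run against the two constructed headers, the first cookie is reported as missing both attributes while the second passes; in a real review you would feed it the headers recorded from a login response.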



Review: ESET NOD32 Anti-Virus – 25% off

Eset Nod32 Antivirus is a great desktop security solution, complete with effective protection and advanced features. Eset Nod32 is particularly useful for home users looking for a simple “down-to-earth” security software that they can simply install and let the software do the work for them. Eset has proven to be one of the best overall performing antivirus software, and continues the trend with their most recent installment, Eset Nod32 Antivirus 4.

Scope of Protection:

Eset Nod32 Antivirus certainly isn’t as far-reaching as the upgraded Smart Security, but the scope is definitely on par with other leading antivirus competitors. Eset Nod32 is equipped with all the essential technologies and features to keep your PC protected from traditional threats (viruses, worms, Trojans, spyware, and even rootkits), but is also fully armed to completely protect you while you’re online. Eset works behind the scenes to deliver protection from dialers, adware, and keyloggers.

Eset Nod32 integrates email protection to scan email (inbound and outbound) for viruses and other malware. The antivirus software also protects users from auto-running external media (like USB jump drives) by scanning files when the external medium is plugged in.


While Eset Nod32 isn’t the most effective, the software is consistently near the top in independent antivirus tests. Eset certainly holds its own with competitors for efficacy and efficiency. In the recent test from Virus Bulletin, Eset performed right on par with most of the competitors for overall reactive and proactive antivirus scanning, and came away without any false positives.

The recent evaluation from AV Comparatives showed some false positives (12), but Eset still scored at the top of the class for overall detection rates (with an impressive 97.2%), and garnered an overall A+ (Advanced Plus), the highest rating from AV Comparatives.



WaveSecure Review: Secure your Android phone

Last week while at McAfee’s FOCUS Conference, I almost had to learn a hard lesson on cell phone security.  On Tuesday morning everyone at the conference packed in to hear Dave DeWalt, McAfee’s CEO, give his keynote speech.  After the keynote I made my way to the first session I was going to sit in for the day.  It took me about five minutes to realize that my Nexus One was not in my possession, which I had to pay full price for only a few months ago.  My heart nearly skipped a beat at the thought that it may have grown legs and walked away, because I knew that I had it at the keynote.

I began to retrace my steps and came up empty.  I went back to my seat where I listened to DeWalt.  Nothing.



Cell Phone Security



Is your machine a part of a botnet? Find out with BotHunter

Ever wonder if a piece of malware has made your machine a part of a botnet? I saw this a few months ago on the midnight blogs, but I forgot to post about it. They have made a live CD that correlates the traffic patterns of malware on a network. It then reports by severity, with event log pointers and the names of the infections. Time to stop procrastinating and check it out…

BotHunter is the first, and still the best, network-based malware infection diagnosis system out there. It tracks the two-way communication flows between your computer(s) and the Internet, comparing your network traffic against an abstract model of malware communication patterns.(1) Its goal is to catch bots and other coordination-centric malware infesting your network, and it is exceptionally effective.

BotHunter will help you catch malware infections that go regularly undetected by antivirus systems and completely ignored by traditional intrusion detection systems. Let’s find out who really owns your network.


Password Protect notes in OneNote 2010

Password protection in Microsoft OneNote 2010 is designed to help keep your notes safe from prying eyes. Whether you use OneNote for class notes at school, for meeting notes at work, or for storing personal information at home, passwords play a crucial part in controlling access to those notes.

The most common scenarios for using passwords to help control access to the information in your notebooks include the following:

Personal privacy: Your notebook may include a dedicated section or folder that contains personal data, such as your home address, telephone numbers, Social Security number, bank and credit card account numbers, Web site login credentials, and similar information. In this age of rising identity theft, leaving this type of information unprotected is risky business. OneNote encrypts protected notebook sections to help keep your personal information secure.

Flexible security: If you use OneNote to document your life at school, at work, and at home, you’re likely to set up separate sections for each. Depending on how you want to share such information with others, you can assign different passwords to different sections.

Secured mobility: Unlike a computer password, which controls access to your computer but doesn’t protect the individual files stored on it, a OneNote section password remains with your notebook file. It helps secure sections of your notebook even if your notebook file is copied to another computer or a file server, or if your computer is lost or stolen.



Dump hashes from SAM files remotely with NMAP and pwdump

While on a penetration test it is sometimes necessary to pull hash files from Windows systems to crack weak passwords. You could easily do this with a Metasploit meterpreter session, but sometimes I like to do it without exploiting the box. Also, doing it remotely over the network without a user’s knowledge is always a big plus. This method isn’t always usable and available, but in the right situation we can use an NMAP script called smb-pwdump.nse to do this. The downside is that it requires an account on the box, and right now the target needs to be running Windows 2000 Server or Windows Server 2003 to be able to pull the local accounts.

First, we obviously need NMAP installed.  For this tutorial I’ll be using Backtrack4-R1, which currently has NMAP 5.35DC1 installed.  If you look in the directory /usr/share/nmap/scripts you’ll see all sorts of scripts that do some really helpful things on a test.

What we’re going to use is the one called smb-pwdump.nse.  If you don’t have that script you’ll need to download it and put it into the scripts directory.  The only place I could find the script was in a slightly older version of NMAP, version 5.00.



Nessus plug-in now available in Metasploit

Dark Operator announced a plug-in for Nessus that’s available in the dev branch of metasploit.  This is something I’ve personally been waiting for for quite a while.


Zate Berg has contributed a plug-in this week for controlling Nessus from inside msfconsole. I do have to say he has put a lot of work in a very small amount of time learning Ruby and coding this plugin in only a few weeks. The plug-in is now part of the Development Branch of the project and several patches have been submitted by him and progress has been quick.

The first thing to do to get the new plugin is to “svn up” to the latest development version of the project, and make sure that your Nessus server is up and running. One note: you must have already created Policies in your server and have them available to the account you will use to log in to the Nessus Server.

Let’s load the plugin and get an output of the commands available:



How to install the Metasploit Framework 3.4.1 on Ubuntu 10.04

First, download the framework from  I chose for a 32-bit install of Ubuntu 10.04.

From a command shell, cd to the location of the downloaded file and run the following command.

sudo sh ./

It will ask you where to install metasploit, the default being in /opt/metasploit3.  Just accept the default unless you want it somewhere else.

It will then ask you if you want to automatically update, which I highly recommend answering yes to.

Then you can choose to update it now.

After it’s installed you can manually update it by running:

sudo msfupdate

To start Metasploit:

sudo msfconsole


Set a static IP address in Backtrack 4

First you’ll need to make sure the networking service is started:

/etc/init.d/networking start

Then you can set the static IP address:

ifconfig eth0 netmask up

Set the default gateway:

route add default gw

Set your DNS servers and search suffixes:

nano /etc/resolv.conf

Add the following lines for your environment:

domain internaldomain.local
search internaldomain.local

That’s it.  You should have network connectivity.
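The steps above are typed by hand, and the usual way they fail is a gateway that is not inside the subnet the netmask defines, or a netmask that is not a contiguous prefix; `route add default gw` then errors out and the box is left without connectivity. The script below is an added example (not part of this post) that validates the address, netmask, gateway and DNS server values first and then emits the exact `ifconfig`, `route` and `/etc/resolv.conf` lines the post applies. The interface name, addresses and domain it is run with are constructed sample values, and the `nameserver` lines are standard resolv.conf syntax that the post does not show.

```python
"""Validate a static IPv4 configuration and emit the BackTrack 4 commands.

Added example for this post. It does not touch the system; it only checks
the values and prints what you would run, so it can be used as a dry run
before typing the commands as root.
"""
import ipaddress


def plan_static_ip(iface, address, netmask, gateway, domain, dns_servers):
    """Return (shell_commands, resolv_conf_text) or raise ValueError.

    Checks performed:
      * address/netmask parse and the mask is a contiguous prefix
      * the address is a usable host address, not network/broadcast
      * the default gateway lies inside that subnet and is not us
      * every DNS server is a valid IPv4 address
    """
    try:
        host = ipaddress.IPv4Interface(f"{address}/{netmask}")
    except ValueError as exc:
        raise ValueError(f"bad address/netmask: {exc}") from exc
    network = host.network
    if network.prefixlen >= 31:
        raise ValueError(f"netmask /{network.prefixlen} leaves no room for a gateway")
    if host.ip in (network.network_address, network.broadcast_address):
        raise ValueError(f"{host.ip} is the network or broadcast address of {network}")

    gw = ipaddress.IPv4Address(gateway)
    if gw not in network:
        raise ValueError(f"gateway {gw} is not inside {network}; route add will fail")
    if gw == host.ip:
        raise ValueError("gateway must not be the host's own address")

    for server in dns_servers:
        ipaddress.IPv4Address(server)  # raises ValueError on garbage

    commands = [
        "/etc/init.d/networking start",
        f"ifconfig {iface} {host.ip} netmask {network.netmask} up",
        f"route add default gw {gw}",
    ]
    resolv_lines = [f"domain {domain}", f"search {domain}"]
    resolv_lines += [f"nameserver {server}" for server in dns_servers]
    return commands, "\n".join(resolv_lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values; substitute your own environment.
    cmds, resolv = plan_static_ip(
        "eth0", "192.0.2.10", "255.255.255.0", "192.0.2.1",
        "internaldomain.local", ["192.0.2.53"],
    )
    print("\n".join(cmds))
    print("--- /etc/resolv.conf ---")
    print(resolv, end="")
```

If any check fails the script raises before printing anything, which is the point: catch the typo before `route add` does.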



SHODAN – The Computer Search Engine

SHODAN is basically a search engine for nmap scans of the internet. Right now it primarily covers Web servers, FTP servers, SSH servers, and Telnet servers. That’s ports 80, 21, 22, and 23, respectively.

You can search for things like web server versions:


You can also narrow down the results using the following search parameters:

  • country:2-letter country code
  • hostname:full or partial host name
  • net:IP range using CIDR notation (ex: )
  • port:21, 22, 23 or 80

I imagine this thing will get huge once it takes off….
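To make the filter syntax above concrete, here is an added example (written for this post, not SHODAN’s own code) that parses a query such as `Apache country:US net:192.0.2.0/24` into free-text banner terms plus the four filters listed, validates each filter value, and runs it over a handful of constructed banner records. The record format and the sample addresses are assumptions made for the example; the CIDR matching in `net:` is done with Python’s `ipaddress` module.

```python
"""Parser and matcher for a SHODAN-style banner query (added example).

Supports free-text terms matched against the banner plus the filters
country:, hostname:, net: (CIDR) and port: (21, 22, 23 or 80).
"""
import ipaddress
import shlex

SUPPORTED_PORTS = {21, 22, 23, 80}
FILTER_KEYS = {"country", "hostname", "net", "port"}

# Constructed sample records using documentation address ranges; not real scan data.
SAMPLE_RECORDS = [
    {"ip": "192.0.2.10", "port": 80, "country": "US",
     "hostname": "www.example.com", "banner": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3"},
    {"ip": "192.0.2.77", "port": 21, "country": "US",
     "hostname": "ftp.example.com", "banner": "220 (vsFTPd 2.0.5)"},
    {"ip": "198.51.100.5", "port": 22, "country": "DE",
     "hostname": "shell.example.org", "banner": "SSH-2.0-OpenSSH_5.1"},
    {"ip": "203.0.113.9", "port": 23, "country": "DE",
     "hostname": "router.example.net", "banner": "Welcome to the telnet server"},
]


def parse_query(query):
    """Split a query into (lowercased free-text terms, {filter: typed value}).

    Raises ValueError for a malformed filter value so a typo is reported
    rather than silently matching nothing.
    """
    terms, filters = [], {}
    for token in shlex.split(query):
        key, sep, value = token.partition(":")
        if not (sep and key in FILTER_KEYS):
            terms.append(token.lower())
            continue
        if key == "country":
            if len(value) != 2 or not value.isalpha():
                raise ValueError(f"country wants a 2-letter code, got {value!r}")
            value = value.upper()
        elif key == "net":
            value = ipaddress.ip_network(value, strict=False)  # ValueError if not CIDR
        elif key == "port":
            value = int(value)
            if value not in SUPPORTED_PORTS:
                raise ValueError(f"port must be one of {sorted(SUPPORTED_PORTS)}")
        filters[key] = value
    return terms, filters


def matches(record, terms, filters):
    """True if the record satisfies every filter and contains every free-text term."""
    if "country" in filters and record["country"].upper() != filters["country"]:
        return False
    if "hostname" in filters and filters["hostname"].lower() not in record["hostname"].lower():
        return False
    if "net" in filters and ipaddress.ip_address(record["ip"]) not in filters["net"]:
        return False
    if "port" in filters and record["port"] != filters["port"]:
        return False
    banner = record["banner"].lower()
    return all(term in banner for term in terms)


def search(query, records=SAMPLE_RECORDS):
    """Return the IPs of records matching the query, in record order."""
    terms, filters = parse_query(query)
    return [r["ip"] for r in records if matches(r, terms, filters)]


if __name__ == "__main__":
    for q in ("apache", "country:DE", "net:192.0.2.0/24 port:21", "hostname:example.org"):
        print(f"{q!r:35} -> {search(q)}")
```

Filters are ANDed together, as on the real site; the free-text part is a simple substring test on the stored banner, which is enough to answer “which hosts in this range announce version X” questions on your own address space.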