gmane.comp.security.dailydave

zeus plug-in

2012-05-22T04:11:45

Has anyone here analyzed the Leprechaun(sp?) plug-in for Zeus?

--dan

Tool of the day!

Dave Aitel — 2012-05-21T19:13:02

So every sub-genre of hacker has their own set of specialized knowledge.
And in the sub-genre that "sees a lot of mailspools" (which you could
label "Unix Hackers") you often have this problem where you have a lot
of email, and you want to quickly distill it down to "files that are
interesting". Of course, emails come in all shapes and sizes and are all
decoded differently and it's a bit annoying to figure out how to decode
them all.

The best tool in my experience for this is Frank Pilhofer's UUDeview
(http://www.fpx.de/fp/Software/UUDeview/) . You just point it at a
directory of mail, and "it does the right thing", offering prompts up
when it needs to. Simple, easy, and effective.


-dave

Howard Schmidt

Dave Aitel — 2012-05-18T14:01:26

"As for getting into the power grid, I can't see that that's realistic,"
Schmidt said. <http://www.wired.com/threatlevel/2010/03/schmidt-cyberwar/>


Likewise as that Threat Point article from the start of his time in the
White House points out: 


"People have to recognize that when we close the door and go home, we
are just normal netizens like anyone else," Schmidt said. "I've been in
the internet from the very beginning. We don't want to see it changed to
where it is no longer available and we don't have the ability to do
things *anonymously* as we choose to in certain realms."


Also in that article you can see the initial tension between the NSA and
the office of the Cyber Security Coordinator. And the last few weeks
have been dominated by the NSA and White House togethertrying (and
failing)
<http://www.whitehouse.gov/blog/2012/01/26/legislation-address-growing-danger-cyber-threats?utm_source=related>to
push forward legislation that regulates the security of critical
infrastructure (such as the power g

Ten years.

Dave Aitel — 2012-05-17T14:28:51

Immunity is ten years old now - and like any ten year old, it is
interested mostly in shiny things that bleep and bloop. :>

But also like any ten year old we are growing and always hungry, and so
if you're interested in working in the new DC office or Miami Beach HQ,
please let me know. We only have one perk and that is this: We'll keep
you entirely focused on breaking into things in one way or another.

-dave

New INFILTRATE 2012 Movie is up! With surpriseintroduction by Halvar!

Dave Aitel — 2012-05-14T19:07:39

OH: "So....static analysis! Let's talk about it!" (Long pause follows.)

That's pretty much straight out of most parties I go to! Luckily, there
are a few people who can go into static analysis to great levels of
depth, and some of them give talks at INFILTRATE. :>

http://www.immunityinc.com/infiltratemovies/movies/JulienVanegue.mp4

-dave

Re: Mobile Phone Security Survey

Hamid — 2012-05-11T18:47:45

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


There were some issues regarding some optional questions that has been
marked as mandatory mistakenly. Thanks to quick feedbacks they are
fixed now.

Hamid
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPrV7RAAoJEJdNrGOKdZcqp0kIAKdRp5MTJxGBZEHd7YB06kqF
OHc724eRFHF7uLEpI8OmXFaZNithtnT2RRFBQB6OVtDDcdng1iV4kj3A4U2wnUoM
DZw8WfelZ1XPCsIulR10lxDY/E7mTRGQzO24ZvlGCXGoU8+L2qin6lBrxKUNR8sp
5X/QxVpCWKTnkct3j1oaF31ZTVKcO6pygB4QC7/0yNBl4/xUs3wNsBj//bSn6DMW
7Y84pWuaAp+bHwY4rdBMkA15tXzpC4mla+4vd1A7/BV9rvENQ6V3OsBJBGpI1Hvp
1Bh2yTDOV3G0puh0MNEH5sQAIEUSfBXuoEMkant/YjYMaiQ143hh2GW66eEE4Uc=
=D9tu
-----END PGP SIGNATURE-----

Mobile Phone Security Survey

Hamid — 2012-05-11T18:13:37

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello DD!

Few weeks ago I had a writeup about (in)security trends in mobile phones
and now I've reached to a point that I need results of a survey to
validate and confirm some facts that are going to be covered in paper.

I would appreciate your help by participating in this survey, or be even
more awesome and spread it among your friends that are not security geeks!

Survey link:

http://goo.gl/pQO02


Thank you!
Hamid
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPrVbRAAoJEJdNrGOKdZcqg8YH/inKMCaa6MMwscLb0DRtvBz8
12GvtSaWq1Vx1xaqSuJfUU50JeCYBCO8+spzuL8abDgcmORUeisHAoGb1q1AkOg8
k3okbtnbCWkOWlMsLqclBnq49aple1E5LkTkeRbRwAmwxECgehQsTPifMbBHEivx
h7FCDRiBWmoDPkthkdRBDrkX615EwzY5CPgM7O40fjao6zpqalu6CVPG+9yN331C
Xou/LnzfTcSNBAZnGsfHBuT4SV0H7yJbmNJvmyh09CqCm9pU8gXL6woEKYcP3lTG
4FEg4Y3DmGbyjvORIBiz6embNR47GyEgk3sCdJmFRVTNZXnMpGUK4wqCMPyIigw=
=Lk6c
-----END PGP SIGNATURE--

With a real team, it's not about the numbers

Dave Aitel — 2012-05-01T14:05:41

I find articles like the recent one in Forbes <http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/> quite funny in a way - and likewise talks about "rootite" and bug mining and so forth. Part of this is because philosophically I know that teams who focus on the money tend to lose. Obviously you need a lot of money to get things done in this industry, but I think it's a slippery slope from that to looking for where the money really is, which is defense <http://immunityinc.com/infiltratemovies/movies/andrewcushman_keynote.mp4>. 

And when you're doing defense, you're not writing exploits, you're creating "security tests". You're not as concerned with "where will this exploit get me" so much as meeting this month's exploit quota. "How many checks do you have?" is the kind of customer you're competing for.

This month CANVAS released one exploit. And that one exploit in Samba is worth more to me than a hundred "security tes

72 hours

Shari Bermudez — 2012-04-26T20:49:24

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just a reminder that there are only 72 business hours remaining before
registration closes for the WebHacking and Master training classes.
Sign up today. Call 786-220-0600 or email training< at >immunityinc.com.
The 20% discount offer for re-tweeting still stands.

http://immunityinc.com/education-currentschedule.shtml

- --
INFILTRATE 2013 is being held at the famous Fontainebleau Hotel in
Miami Beach, FL from April 11-12, 2013.  Do not miss out.  Early
registration is now open.
http://infiltratecon.com/


Shari Bermudez
Project Manager
Immunity Services LLC-a division of Immunity Inc.
1130 Washington Ave.8th FL
Miami Beach, FL 33139
(p) 786-220-0600 (f) 786-513-8100
(e) shari< at >immunityinc.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk+ZtNQACgkQTAtnp8341PUF0wCgx5GDKoCAQtxJaqV2zqoCPDfM
lewAniLlntYAHhO1LDpTNjvI1UP7exli
=O6Pe
-----END PGP SIGNATURE-----

Spooked at RSA 2012

Dave Aitel — 2012-04-26T13:55:11

So we put my RSA 2012 talk up, along with the comments from the viewers that RSA collected. 

I 100% agree with every comment in the feedback form, which include such bon mots such as "You reek of pride". Frankly, I am quite proud of what the offensive community has been able to do over the last ten years. And I was a bit hurried during the actual talk (the one below is from my 6am-dry-run-in-hotel-room since they didn't record the talk itself) - I got spooked by the 20-minutes-left sign like a novice.  
 
http://partners.immunityinc.com/movies/RSA2012.mov
https://immunityinc.com/downloads/RSA2012.pdf

What's happening at SyScan'12 Singapore

Thomas Lim — 2012-04-19T05:36:32

Dear Dailydave readers

Do you know what's going to happen at SyScan'12 Singapore next week?

BEER, BEER, BEER, BEER, BEER, BEER, BEER, BEER....

13 AWESOME SPEAKERS:
a. Stefan Esser (i0n1c)
b. Chris Valasek (nudeaberdasher)
c. Tarjei Mandt (kernelpool)
d. Alex Ionescu
e. Edgar Barbosa (0pC0de)
f. Jon Oberheide
g. Brett Moore (antic0de)
h. James Burton (Jayji)
i. Seung Jin Lee (Beist)
j. Ryan MacArthur (Backpacker)
k. Loukas (snare)
l. Aaron LeMasters (AaXon)
m. Paul Craig

BEER, BEER, BEER, BEER, BEER, BEER, BEER, BEER....

11 INCREDIBLE PRESENTATIONS, 7 BRAND NEW ONES:
a. Heaps of Doom (Brand NEW)
b. De Mysteriis Dom Jobsivs (Sub New)
c. Owning entire organisations with regional software..(Brand NEW)
d. I/O, You own (Brand NEW)
e. Entomology: A case study of rare and interesting bugs
f. Exploiting the Linux Kernel
g. ACPI 5.0 Rootkit Attacks against Windows 8 (Brand NEW)
h. iOS Kernel Heap Armageddon (Brand NEW)
i. Post Exploitation Process Continuation
k. iOS Applications - Different Developers, Same Mist

Save yourself 20% by tweeting

Shari Bermudez — 2012-04-23T19:16:16

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Want to come to our June Master or WebHacking class but do not want to
pay full price?  You can save yourself 20% in ~5 minutes by following
these simple steps:

(1) If you are not already doing so, follow us on Twitter < at >immunityinc
and/or < at >infiltratecon.

(2) ReTweet this tweet from today: "RT and receive 20% off June
training classes when you sign up before 4/27! ow.ly/asvSG e-mail
admin< at >immunityinc for info!"

(3) Email training< at >immunityinc.com to sign up for your class at 20%
off of the listed price!

- --
INFILTRATE 2013 is being held at the famous Fontainebleau Hotel in
Miami Beach, FL from April 11-12, 2013.  Do not miss out.  Early
registration is now open.
http://infiltratecon.com/


Shari Bermudez
Project Manager
Immunity Services LLC-a division of Immunity Inc.
1130 Washington Ave.8th FL
Miami Beach, FL 33139
(p) 786-220-0600 (f) 786-513-8100
(e) shari< at >immunityinc.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuP

TIME IS RUNNING OUT

Shari Bermudez — 2012-04-20T14:19:53

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Time is running out to sign up for our June WebHacking and Master
Training Classes.   If you are thinking about reserving your seat but
have not done so, the time to sign up is now.

_June 4-6, 2012 - WebHacking Class:  _
Immunity's WebHacking course focuses on understanding common web
hacking techniques by having students exploit vulnerable systems.
Security professionals with some hands on web hacking experience will
get the most out of this course.
_
June 4-8, 2012 - Master Class:_
The Master class focuses on SMT, kernel exploitation and vulnerability
findings. Intermediate to advanced exploit development skills are
recommended for students wishing to take the Master class.

Please email training< at >immunityinc.com to sign up, obtain a copy of the
prerequisite test or for additional information.

We hope to see you in Miami Beach soon!

- --
INFILTRATE 2013 is being held at the famous Fontainebleau Hotel in
Miami Beach, FL from April 11-12, 2013.  Do not miss ou

RIT!

Dave Aitel — 2012-04-18T16:12:14

Chris and Miguel are heading up to RIT today and will be around tomorrow
recruiting for Immunity. If you're at or near RIT and you want to hear
about the fun stuff they're working (which you can help work on!) then
send admin< at >immunityinc.com <mailto:admin< at >immunityinc.com> a quick email
and they'll vector you in! I hear there will be real wings served the
way only upstate NY knows how. I miss those wings, I have to say.

Down here in Miami Beach, Shuckers <http://shuckersbarandgrill.com/> has
the best wings. And it's reachable by boat!

-dave

Re: CISPA == MAPP

Richard Bejtlich — 2012-04-17T20:26:10

Hi Allison,

I have a different view -- I'll try not to step on too many toes. :)


The problem is people are approaching this as a technical problem.
It's a trust problem.


The incentive is to not share.  There is no incentive for a company to
tell anyone that they've been breached.


The bill in question doesn't say the government is entitled to your
information.  They're trying to improve the incentives for companies
to tell the government that they've been compromised so that the
problem is better understood.

I regularly speak to significant intrusion victims, and my company
helps them recover.  If you think I'm biased, I am biased towards
experiencing this problem on a sadly too frequent basis, over the last
14 years.

I don't think any legislation is perfect, or maybe even required,
since "intel sharing" between government and the private sector isn't
going to have as much impact as the legislators think.  However,
having met Chairman Rogers and been in several private and public
meetings with the p

Hack Cup 2012

Nicolas Waisman — 2012-04-18T13:33:25

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Immunity is excited to announce our third annual Hack Cup this year in
Las Vegas! As always, it will be held on the first day of DefCon (July,
27th).

Anyone interested in playing indoor soccer is welcome to join! The
dynamic will be the same as previous years:

 o The tournament will go from 9:00-13:00.

 o We will have 12 teams of five players each, playing 15-minute matches
in four different groups. We recommend that you have at least 2-5
substitutes as it's a very fast field and you may have had a few beers
the night before. Last year, several teams absorbed people who came
without a team, so if you don't know five other soccer players, all is
not lost. You'll make new friends!

Last year the Spanish team FOCA won the tournament.  Can they defend
their victory title or will another team cause an upset?

We just opened the team subscription page which can be found here:
http://www.hack-cup.com/add-your-team

Keep in mind that there are only 12 spots and it's

DC Saturday night drinks!

Dave Aitel — 2012-04-17T19:55:48

So Justine and I will be bar hopping somewhere near Dupont Circle
Saturday night (possibly for only one hop :>). If you want to hang out
and discuss the intricate details of Buffy the Vampire Slayer, then
catch me on Twitter (< at >daveaitel) and I'll vector you in.

    *Oz*: We should figure out what kinda deal this is. I mean, is it
    a-a gathering, a shindig or a hootenanny?
    *Cordelia*: What's the difference?
    *Oz*: Well, a gathering is brie, mellow song stylings; shindig, dip,
    less mellow song stylings, perhaps a large amount of malt beverage;
    and hootenanny, well, it's chock full of hoot, just a little bit of
    nanny.

Re: CISPA == MAPP

allison nixon — 2012-04-17T18:16:59

Every truly meaningful resource of shared knowledge we use- public
blacklists, CVE, open source tools- none of them came about due to a law
mandating them.

Swift coordination between companies to respond to new threats is a
technical problem and not a legal problem. The incentive to share is there,
and sharing systems are getting better over time without government "help".

I welcome any information sharing from the government but I don't trust any
mandate stating the government is entitled to your information if you(or a
company you use) got compromised.

-a

On Tue, Apr 17, 2012 at 1:34 PM, Dave Aitel <dave< at >immunityinc.com> wrote:

CISPA == MAPP

Dave Aitel — 2012-04-17T17:34:50

So votes are coming up for CISPA
<http://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_Protection_Act>
and I think it's a good time to look into the state of the "Cyber
Politico Arena". In other words, Lieberman had a bill that actually
SOLVED A PROBLEM. It was focused on critical infrastructure protection,
gave DHS the ball, and told everyone to help them run with it.

That said, it was one of those "immensely expensive" things, and people
don't really have much faith in DHS to carry technical balls around, so
it failed completely. Probably also worth mentioning that the
Republicans are going to vote on an administration bill only at gunpoint
this year. McCain in particular took a bee in his bonnet about how it
didn't give the NSA enough power.

Now we're left with CISPA, which is essentially Microsoft MAPP
<http://www.microsoft.com/security/msrc/collaboration/mapp.aspx> for the
US Government. That's it. It's pretty simple, and the reason Symantec
dropped their Huawei partnership
<http://www.nytimes.

Rooted in darkness.

Dave Aitel — 2012-04-13T21:02:47

    Buffy: Yeah, I prefer the term Slayer. You know, killer just sounds
so...
    Dracula: Naked?
    Buffy: Like I... paint clowns or something. I'm the good guy, remember?
    Dracula: Perhaps, but your power is rooted in darkness. You must
feel it.

    So a couple days ago Immunity released our exploit for the new Samba
vulnerability to CANVAS Early Updates
<http://www.immunityinc.com/ceu-index.shtml>. [1]

    Likewise, the new INFILTRATE 2013 <http://infiltratecon.com/> page
is up! That means you can buy tickets, and you should all do that until
we sell out. :>

    -dave
    [1] We have a movie of this if you want to see it, but it's "by
request only".

Early Registration for INFILTRATE 2013 is now open

Shari Bermudez — 2012-04-13T21:00:23

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Exciting News!  Starting today early registration for our 3rd annual
INFILTRATE Conference is now open.  Register now to take advantage of
the lowest conference prices offered.

INFILTRATE 2013 is being held at the fabulous Fontainebleau Miami
Beach from April 11 - 12, 2013.  The conference hotel room pricing is
unbelievable so reserve your room early before the room block disappears.

Do not forget about our training classes!  We will be offering
WebHacking, Unethical Hacking and Master Training Courses at
INFILTRATE 2013.  Training seats are offered on a first come first
serve basis so reserve your seat today!

To register or for additional information about INFILTRATE 2013 please
visit:  http://infiltratecon.com/

We look forward to seeing you there!

- --

Shari Bermudez
Project Manager
Immunity Services LLC-a division of Immunity Inc.
1130 Washington Ave.8th FL
Miami Beach, FL 33139
(p) 786-220-0600 (f) 786-513-8100
(e) shari< at >immunityinc.com



-----BEGIN P