Implementing Intrusion (Cyber) Kill Chain -A Plenary Overview

Implementing an Intrusion (Cyber) Kill Chain 

The Intrusion (Cyber) Kill Chain is a phrase popularized by infosec industry professionals and introduced in a Lockheed Martin Corporation paper titled; “ Intelligence Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”. 

The intrusion kill chain model is derived from a military model describing the phases of an attack. The phases of the military model are: find, fix, track, target, engage, and assess. The analyses of these phases are used to pinpoint gaps in capability and prioritize the development of needed systems. The first phase in this military model is to decide on a target (find). Second, once the target is decided you set about to locate it (fix). Next, you would surveill to gather intelligence (track). Once you have enough information, you decide the best way to realize your objective (target) and then implement your strategy (engage). And finally, you analyze what went wrong and what went right (assess) so that adjustments can be made in future attacks.

Lockheed Martin analysts began by mapping the phases of cyber attacks. The mapping focused on specific types of attacks, Advanced Persistent Threats (APTs) - The adversary/intruder gets into your network and stays for years– sending information, usually encrypted – to collection sites without being detected. Since the intruder spent so much time in the network, analysts were able to gather data about what was happening. Analysts could then sift through the data and begin grouping it into the military attack model phases. Analysts soon realized that while there were predictable phases in cyber attacks, the phases were slightly different from the military model.  The intrusion (cyber) kill chain shown below, describe the phases of a cyber attack.

The chain of events or activities are as follows:

  

Link in the Chain	Description
1.  Reconnaissance	Research, identification and selection of targets- scraping websites for information on companies and their employees in order to select targets.
2.  Weaponization	Most often, a Trojan with an exploit embedded in documents, photos, etc.
3.  Delivery	Transmission of the weapon (document with an embedded exploit) to the targeted environment.  According to Lockheed Martin's Computer Incident Response Team (LM-CIRT), the most prevalent delivery methods are email attachments,websites, and USB removable media.
4.  Exploitation	After the weapon is delivered, the intruder's code is triggered to exploit an operating system or application vulnerability, to make use of an operating system's auto execute feature or exploit the users themselves.
5.  Installation	Along with the exploit the weapon installs a remote access Trojan and/or a backdoor that allows the intruder to maintain presence in the environment
6.  Command and Control	Intruders establish a connection to an outside collection server from compromised systems and gain 'hands on the keyboard' control of the target's compromised network/systems/applications.
7.  Actions on Objective	After progressing through the previous 6 phases, the intruder takes action to achieve their objective.  The most common objectives are:  data extraction, disruption of the network, and/or use of the target's network as a hop point.

Lockheed Martin's analysts also discovered while mapping the intruder's activities, that a break (kill) in any one link in the chain would cause the intrusion to fail in its objective. This is one of the major benefits of the intrusion kill chain framework as security professionals have traditionally taken a defensive approach when it comes to incident response. This means that intrusions can be dealt with offensively too.

Lockheed Martin's case studies reveal that knowledge about previous intrusions and how they were accomplished allow analysts to recognize those previously used tactics and exploits in current attacks.  For example, mapping of three intrusions revealed that all three were delivered via email, all three used  very similar encryption, all three used the same installation program and connected to the same outside collection site. All of the intrusions were stopped before they accomplished their objective.

How did they do this? How can my company utilize this approach?

Monitoring and mapping is the key.

The following list contains some of the necessary components (not in any particular order) needed to do intrusion mapping and setting up the kill.

·         Network Intrusion Detection (NIDS)

·         Network Intrusion Prevention (NIPS)

·         Host Intrusion Detection (HIDS)

·         Firewall access control lists (ACL)

·         Full packet inspection

·         A mature IT asset management system

·         A mature and comprehensive Configuration Management Database (CMDB)

·         Device and system hardening

·         Secure configurations baselines

·         Website inspection

·         Honeypots

·         Anti-virus and anti-malware

·         Verbose logging – network devices, servers, databases, and applications

·         Log correlation

·         Alerting

·         Patching

·         Email and FTP inspection and filtering

·         Network tracing tools

·         Information Security staff trained in tracking and mapping events end-to-end

·         Coordination and partnering with IT, Application Owners, Database Administrators, Business Units and Management both in investigation and communicating the mapped intrusions.

In short, in order to implement intrusion kill chain activity a company needs to have a mature inter-operating and information security program. Additionally, they need trained staff that can investigate, map and advise 'kill' activities, keep a compendium of mapped intrusions, analyze and compare old and new intruder activity, code use, and delivery methods to thwart current and future intrusions.

The intrusion (cyber) kill chain is not an endeavor that can be successfully implemented in place of a comprehensive Information Security Program, it’s another tool to be used to protect the company's data assets.

The good news is if your company doesn't have a mature information security program there is a lot you can do while making plans to introduce an intrusion kill chains in your department's arsenal.

·         Educate your employees to watch for suspicious emails. For instance, emails that seem to be off – such as, someone in accounting receiving an invitation to attend a marketing conference. Let them know that they shouldn't open attachments included in email like this.

·         Make sure you have anti-virus and anti-malware software installed and up to date.

·         Start an inventory of your computing devices, laptops, desktops, tablets, smartphones, network devices and security devices.

·         You have an advantage over intruders. You know your network and what is normal and usual, they don't.  Notice user behavior that is not usual and look into it.  For example, a login at 2am for someone who works 9 to 5. Or an application process that normally runs overnight that is kicking off during the day.

·         Keep your security patches up to date.

·         Create and monitor baseline configurations.

·         Write, publish and communicate information security policies and company standards.

·         Turn on logging and start collecting and keeping logs. Start with network devices and firewalls and then add servers and databases.  Set up alerts for things such as repeated attempts at access.

·         Spend some time using search engines from outside your network to see how much information can be learned about your company from the Internet.  You'd be surprised how much you can find including sensitive documents.

All of these practices and activities give you more information about your computing environment and what is normal and usual. The more you know about your environment, the more likely it is that you will spot the intruder before any damage is done.

Disclaimer:- Before conclusion, on behalf of Team VOGH, I would like to personally thank Mr. Adrian Stolarski for sharing this remarkable article with our readers. I would also like to thank Ryan Fahey  of Infosec Institute for his spontaneous effort. 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Implementing Intrusion (Cyber) Kill Chain -A Plenary Overview "https://www.voiceofgreyhat.com/2014/02/implementing-intrusion-cyber-kill-chain.html</a>

BBC Server Compromised! Russian Hackers Broke Into FTP & Tried to Sell Unauthorized Access

BBC Server Compromised! Russian Hackers Hacked Into FTP & Tried to Sell Unauthorized Access on The X-Mass Evening 

Earlier we have seen world renowned media houses like CNN, NBC, Fox News, Washington Post, NY Times, NDTV and so on have fallen victim to hackers and cyber criminals. Now it was the turn for world’s largest and oldest broadcaster -British Broadcasting Corporation, widely known to us as BBC. Sources revealed that cyber criminals have managed to breach the security system of BBC and secretly took over a computer server at the BBC and then launched a Christmas Day campaign to convince other cyber criminals to pay him for access to the system. The attack was first identified by a cyber security firm named Hold Security LLC, in Milwaukee that monitors underground cyber crime forums in search of stolen information. However, it is still not clear whether the hacker stole any information or data or caused any damage to the site. In conversation with press Alex Holden, founder and Chief Information Security Officer of Hold Security told -"So far Hold Security researchers have found no evidence the conversations led to a deal or that data was stolen from the BBC.” So far the identity of hacker has not been confirmed, but the firm researchers observed a notorious Russian hacker known by the monikers "HASH" and "Rev0lver," attempting to sell access to the BBC server on December 25. However, BBC's security team managed to secure the site on Saturday, claims a person close to clean up efforts. One of the BBC spokesman refused to comment on the issue, he said, “We do not comment on security issues.” On the other hand, Justin Clarke, a principal consultant for the cyber security firm Cylance, said that while "accessing that server establishes a foothold within BBC's network which may allow an attacker to pivot and gain further access to internal BBC resources.” So far Hold Security researchers have found no evidence the conversations led to a deal or that data was stolen from the BBC. But we all know that  ftp systems are typically used to manage the transfer of large data files over the Internet. That's why the chances of data breach cant not be denied at this time. For updates on this piece of news and other hot information of the cyber & tech world stay tuned with VOGH. 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href="> BBC Server Compromised! Russian Hackers Broke Into FTP & Tried to Sell Unauthorized Access "https://www.voiceofgreyhat.com/2014/01/bbc-ftp-server-hacked-by-russian-hackers.html</a>

Microsoft Azure Cloud Starts Supporting Linux (Hybrid Cloud)

Microsoft Azure Cloud Starts Supporting Linux (Hybrid Cloud)

If you love both Microsoft and Linux parallely then we have a great news for you and that is Microsoft is now offering Linux-based operating systems on its Windows Azure cloud service. The software giant has announced the release of a new preview version of the platform which will add Infrastructure-as-a-Service (IaaS) capabilities to it. As well as Windows Server 2008 and the release candidate of Windows Server 2012, Microsoft will be supporting openSUSE 12.1, SUSE Linux Enterprise Server 11, Ubuntu 12.04 and CentOS 6.2 on the Hyper-V virtual machines that power Azure.

Some of the Highlights:- 

• Windows Azure Virtual Machines— Virtual Machines give you application mobility, allowing you to move your virtual hard disks (VHDs) back and forth between on-premises and the cloud.   Migrate existing workloads such as Microsoft SQL Server or Microsoft SharePoint to the cloud, bring your own customized Windows Server or Linux images, or select from a gallery.    As a common virtualization file format, VHD has been adopted by hundreds of vendors and is a freely available specification covered under the Microsoft Open Specification Promise.
• Windows Azure Virtual Network— Virtual Network lets you provision and manage virtual private networks (VPNs) in Windows Azure as well as securely extend on-premises networks into the cloud.  It provides control over network topology, including configuration of IP addresses, routing tables and security policies and uses the industry-standard IPSEC protocol to provide a secure connection between your corporate VPN gateway and Windows Azure. 
• Windows Azure Web Sites —Build web sites and applications with this highly elastic solution supporting .NET, Node.js, and PHP while using common deployment techniques like Git and FTP.  Windows Azure Web Sites will also allow easy deployment of open source applications like WordPress, Joomla!, DotNetNuke, Umbraco, and Drupal to the cloud with a few clicks. 
• New tools, language support, and SDK—Windows Azure SDK June 2012 includes new developer capabilities for writing code against the latest service improvements with updated support for Java, PHP, and .NET, and the addition of Python as a supported language on Windows Azure.  Additionally, the SDK now provides 100% command line support for both Windows and Mac.
• Availability in New Countries— Availability of Windows Azure is being expanded to customers in 48 new countries, including Russia, South Korea, Taiwan, Turkey, Egypt, South Africa, and Ukraine.  Roll-out will be complete later this month, making Windows Azure one of the most widely available cloud platforms in the industry with offerings in 89 countries and in 19 local currencies.  

These new capabilities simplify building and bringing applications of all kinds to the cloud and enable flexibility in the following areas:

• Increased datacenter capacity through secure VPN connections to the cloud
• Easy operations and management from an improved Windows Azure Management Portal, with powerful operational capabilities for deploying and managing your cloud applications – with similar management support from the command line
• Cloud scale for building websites with ASP.NET, PHP, and Node.js
• Support for additional Operating Systems and OSS language libraries for building cloud applications
• Scale on demand by migrating existing applications to the cloud using portable, industry standard VHDs -- delivering global scale with maximum control
• Secure connectivity between cloud and on-premises applications
• Ability to develop, test and configure new applications in the cloud, and then deploy on-premises for production

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Microsoft Azure Cloud Starts Supporting Linux (Hybrid Cloud)"https://www.voiceofgreyhat.com/2012/06/microsoft-azure-cloud-starts-supporting.html</a>

FreeBSD 8.3 Released With Gnome 2.32.1, KDE 4.7.4 & Many More

FreeBSD 8.3 Released With Gnome 2.32.1, KDE 4.7.4 & Many More 

Earlier in this year we got FreeBSD 9 and now FreeBSD Release Engineering Team announced the availability of FreeBSD 8.3. This is the fourth release from the 8-STABLE branch which improves on the functionality of FreeBSD 8.2 and introduces some new features. Some of the highlights:

• usb(4) now supports the USB packet filter

• TCP/IP stack now supports the mod_cc(9) pluggable congestion control framework

• graid(8) GEOM class added to support various BIOS-based software RAID controllers (replacement for ataraid(4))

• ZFS subsystem updated to SPA version 28

• Gnome version 2.32.1, KDE version 4.7.4

FreeBSD 8.3 can be installed from bootable ISO images or over the network. Some architectures (currently amd64 and i386) also support installing from a USB memory stick. The required files can be downloaded via FTP or BitTorrent as described in the sections below. While some of the smaller FTP mirrors may not carry all architectures, they will all generally contain the more common ones such as amd64 and i386. For a complete list of new features and known problems click here.

To Download FreeBSD 8.3 Click Here

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">FreeBSD 8.3 Released With Gnome 2.32.1, KDE 4.7.4 & Many More"https://www.voiceofgreyhat.com/2012/04/freebsd-83-released-with-gnome-2321-kde.html</a>

OmniOS -Open Source Operating System for the Solaris Community

OmniOS -Open Source Operating System for the Solaris Community 

At the DTrace Conference, OmniTI announced OmniOS, an open source operating system for application developers in the Solaris community looking for reliable, innovative, data-intensive application deployment.
Brief About OmniOS:- OmniOS is a continuation of the OpenSolaris legacy and aims to address the longstanding issues that occurred when Oracle decided to discontinue open development of the operating system. OmniOS builds on Illumos to make a complete OS. OmniOS provides users with a traditional, Solaris-like installable operating system with a minimal package set to ease regulatory compliance. It delivers a self-hosting environment with simplified processes for ongoing maintenance. Most importantly, it brings third-party software components up-to-date within OmniOS. Third-party software has been a problem with previous attempts to evolve OpenSolaris, as some have not been updated in a decade. It served as a key driver behind OmniTI’s interest to develop OmniOS. Users can expect OmniOS to have a Solaris look and feel with an updated compiler tool chain (gcc 4.6.3), the latest OpenSSL (1.0.1) and a more consistent, dual instruction set support (x86 and x86-64). In addition, there are four key technologies that OmniTI included within OmniOS to bring significant business advantage to customers.
Key Features:-

• Solaris containers: combination of system resource controls and the boundary separation provided by zones.

• Crossbow: provides the building blocks for network virtualization and resource control by virtualizing the stack and NIC around any service (HTTP, HTTPS, FTP, NFS, etc.), protocol or container.

• ZFS file system: combined file system and logical volume manager with superior data integrity protection and scalability.

• DTrace: provides increased visibility and aids in troubleshooting on any level of the application stack.

To download OmniOS click Here

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">OmniOS -Open Source Operating System for the Solaris Community"https://www.voiceofgreyhat.com/2012/04/omnios-open-source-operating-system-for.html</a>

Metasploit 4.2.0 Released With IPv6 Support & Virtualization Target Coverage

Metasploit 4.2.0 Released With IPv6 Support & Virtualization Target Coverage

Earlier we haev discussed many times about one of the most famous and widely used exploitation framework named Metasploit. Yet again the Rapid 7 released another updated version of Metasploit. This update brings Metasploit to version 4.2.0, adding IPv6 support and virtualization target coverage. You'll also notice a new Product News section and update notification for our weekly updates. Since the last major release (4.1.0), added 54 new exploits, 66 new auxiliary modules, 43 new post-exploitation modules, and 18 new payloads. 

Brief About Metasploit:- 

The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool. The framework includes hundreds of working remote exploits for a variety of platforms. Payloads, encoders, and nop slide generators can be mixed and matched with exploit modules to solve almost any exploit-related task.

Module Changes:-

•     Novell eDirectory eMBox Unauthenticated File Access

•     JBoss Seam 2 Remote Command Execution

•     NAT-PMP Port Mapper

•     TFTP File Transfer Utility

•     VMWare Power Off Virtual Machine

•     VMWare Power On Virtual Machine

•     VMWare Tag Virtual Machine

•     VMWare Terminate ESX Login Sessions

•     John the Ripper AIX Password Cracker

•     7-Technologies IGSS 9 IGSSdataServer.exe DoS

•     Microsoft IIS FTP Server <= 7.0 LIST Stack Exhaustion

•     DNS and DNSSEC fuzzer

•     CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure

•     CorpWatch Company ID Information Search

•     CorpWatch Company Name Information Search

•     General Electric D20 Password Recovery

•     NAT-PMP External Address Scanner

•     Shodan Search

•     H.323 Version Scanner

•     Drupal Views Module Users Enumeration

•     Ektron CMS400.NET Default Password Scanner

•     Generic HTTP Directory Traversal Utility

•     Microsoft IIS HTTP Internal IP Disclosure

•     Outlook Web App (OWA) Brute Force Utility

•     Squiz Matrix User Enumeration Scanner

•     Sybase Easerver 6.3 Directory Traversal

•     Yaws Web Server Directory Traversal

•     OKI Printer Default Login Credential Scanner

•     MSSQL Schema Dump

•     MYSQL Schema Dump

•     NAT-PMP External Port Scanner

•     pcAnywhere TCP Service Discovery

•     pcAnywhere UDP Service Discovery

•     Postgres Schema Dump

•     SSH Public Key Acceptance Scanner

•     Telnet Service Encyption Key ID Overflow Detection

•     IpSwitch WhatsUp Gold TFTP Directory Traversal

•     VMWare ESX/ESXi Fingerprint Scanner

•     VMWare Authentication Daemon Login Scanner

•     VMWare Authentication Daemon Version Scanner

•     VMWare Enumerate Permissions

•     VMWare Enumerate Active Sessions

•     VMWare Enumerate User Accounts

•     VMWare Enumerate Virtual Machines

•     VMWare Enumerate Host Details

•     VMWare Web Login Scanner

•     VMWare Screenshot Stealer

•     Capture: HTTP JavaScript Keylogger

•     Oracle DB SQL Injection via SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION

•     Asterisk Manager Login Utility

•     FreeBSD Telnet Service Encryption Key ID Buffer Overflow

•     Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow

•     Java Applet Rhino Script Engine Remote Code Execution

•     Family Connections less.php Remote Command Execution

•     Gitorious Arbitrary Command Execution

•     Horde 3.3.12 Backdoor Arbitrary PHP Code Execution

•     OP5 license.php Remote Command Execution

•     OP5 welcome Remote Command Execution

•     Plone and Zope XMLTools Remote Command Execution

•     PmWiki <= 2.2.34 pagelist.php Remote PHP Code Injection Exploit

•     Support Incident Tracker <= 3.65 Remote Command Execution

•     Splunk Search Remote Code Execution

•     Traq admincp/common.php Remote Code Execution

•     vBSEO <= 3.6.0 proc_deutf() Remote PHP Code Injection

•     Mozilla Firefox 3.6.16 mChannel Use-After-Free

•     CTEK SkyRouter 4200 and 4300 Command Execution

•     Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow

•     Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute

•     HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution

•     Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control

•     Java MixerSequencer Object GM_Song Structure Handling Vulnerability

•     MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution

•     MS12-004 midiOutPlayNextPolyEvent Heap Overflow

•     Viscom Software Movie Player Pro SDK ActiveX 6.8

•     Adobe Reader U3D Memory Corruption Vulnerability

•     Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow

•     BS.Player 2.57 Buffer Overflow

•     CCMPlayer 1.5 m3u Playlist Stack Based Buffer Overflow

•     Free MP3 CD Ripper 1.1 WAV File Stack Buffer Overflow

•     McAfee SaaS MyCioScan ShowReport Remote Command Execution

•     Mini-Stream RM-MP3 Converter v3.1.2.1 PLS File Stack Buffer Overflow

•     MS11-038 Microsoft Office Excel Malformed OBJ Record Handling Overflow

•     Ability Server 2.34 STOR Command Stack Buffer Overflow

•     AbsoluteFTP 1.9.6 - 2.2.10 LIST Command Remote Buffer Overflow

•     Serv-U FTP Server < 4.2 Buffer Overflow

•     HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow

•     XAMPP WebDAV PHP Upload

•     Avid Media Composer 5.5 - Avid Phonetic Indexer Buffer Overflow

•     Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow

•     HP Diagnostics Server magentservice.exe Overflow

•     StreamDown 6.8.0 Buffer Overflow

•     Wireshark console.lua Pre-Loading Script Execution

•     Oracle Job Scheduler Named Pipe Command Execution

•     SCADA 3S CoDeSys CmpWebServer <= v3.4 SP4 Patch 2 Stack Buffer Overflow

•     Sunway Forcecontrol SNMP NetDBServer.exe Opcode 0x57

•     OpenTFTP SP 1.4 Error Packet Overflow

•     AIX Gather Dump Password Hashes

•     Linux Gather Saved mount.cifs/mount.smbfs Credentials

•     Multi Gather VirtualBox VM Enumeration

•     UNIX Gather .fetchmailrc Credentials

•     Multi Gather VMWare VM Identification

•     UNIX Gather .netrc Credentials

•     Multi Gather Mozilla Thunderbird Signon Credential Collection

•     Multiple Linux / Unix Post Sudo Upgrade Shell

•     Windows Escalate SMB Icon LNK dropper

•     Windows Escalate Get System via Administrator

•     Windows Gather RazorSQL Credentials

•     Windows Gather File and Registry Artifacts Enumeration

•     Windows Gather Enumerate Computers

•     Post Windows Gather Forensics Duqu Registry Check

•     Windows Gather Privileges Enumeration

•     Windows Manage Download and/or Execute

•     Windows Manage Create Shadow Copy

•     Windows Manage List Shadow Copies

•     Windows Manage Mount Shadow Copy

•     Windows Manage Set Shadow Copy Storage Space

•     Windows Manage Get Shadow Copy Storage Info

•     Windows Recon Computer Browser Discovery

•     Windows Recon Resolve Hostname

•     Windows Gather Wireless BSS Info

•     Windows Gather Wireless Current Connection Info

•     Windows Disconnect Wireless Connection

•     Windows Gather Wireless Profile

For additional information click Here. To Download Metasploit version 4.2.0 for windows & Linux click Here.

 -Source (rapid7)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Metasploit 4.2.0 Released With IPv6 Support & Virtualization Target Coverage"https://www.voiceofgreyhat.com/2012/02/metasploit-420-released-with-ipv6.html</a>

Serv-U FTP Server Added In RHEL Catalog As A Secure File Transfer Application

Serv-U FTP Server Added In RHEL Catalog As A Secure File Transfer Application & Will Also Support  Ubuntu, OpenSUSE, Mint

Red Hat enhancing more security in RHEL. After RhinoSoft joined the Red Hat partner program as an independent software vendor soon Serv-U FTP Server was added to the official Red Hat Linux product catalog as a secure file transfer application. Not only Red Hat Enterprise Linux (RHEL), Serv-U will also supports Fedora, Ubuntu, OpenSUSE, Mint, CentOS and the Amazon Linux AMI for its EC2 cloud computing deployment.

"When we ported Serv-U to Linux last year it gave Linux administrators new capabilities like web-based administration, mobile transfers and integration with third-party portals," said RhinoSoft President Mark Peterson. "This year we reaffirmed our commitment to the Linux community by aligning with its largest platform provider."

"Our solutions make secure file transfer affordable to businesses, especially those facing budget challenges," said RhinoSoft VP of Product Management Jonathan Lampe. "Supporting Serv-U on a wide variety of platforms helps our customers save money through reduced training and overhead costs."

Brief About RhinoSoft:-

RhinoSoft is the global leader in affordable file transfer, with more than 90,000 business customers, including nine of the Fortune 10, in 90 different countries. Its award-winning and U.S. Department of Defense-certified Serv-U FTP Server and FTP Voyager client products support FTP, SFTP, FTPS and web-based HTTP/S transfers over FIPS 140-2 validated channels while continuing to incorporate emerging technologies such as mobile computing, IPv6, native 64-bit computing and UTF-8/Unicode internationalization.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Serv-U FTP Server Added In RHEL Catalog As A Secure File Transfer Application"https://www.voiceofgreyhat.com/2012/02/serv-u-ftp-server-added-in-rhel-catalog.html</a>

FTP Server of Horde Breached, Hackers Installed Back-door in Horde Groupware & Webmail

FTP Server of Horde Breached, Hackers Installed Back-door in Horde Groupware & Webmail

Horde faced cyber attack. Developpers at Horde open source community confirmed that one of their FTP server has been breached. Attacker also infected various files stored on that ftp server. In their official statement Horde said :- "A few days ago we became aware of a manipulated file on our FTP server. Upon further investigation we discovered that the server has been hacked earlier, and three releases have been manipulated to allow unauthenticated remote PHP execution," they explained. "We have immediately taken down all distribution servers to further analyze the extent of this incident, and we have worked closely with various Linux distributions to coordinate our response."

The three files that were modified to include a backdoor are Horde 3.3.12, Horde Groupware 1.2.10 and Horde Groupware Webmail Edition 1.2.10., and users who have downloaded any of those since the start of November 2011 until February 7 (when the breach was discovered) are advised to download new, clean versions and reinstall their machines, or to upgrade to the more recent versions. For those who would like to be sure whether they were affected, the developers advise searching their Horde directory tree for the following signature: $m[1]($m[2]). Horde 4 users can breathe safely, as that file has not been manipulated. The developers also made sure to point out that they have replaced all the FTP and PEAR servers, and uploaded clean files.

-Source (Horde & Net-Security)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">FTP Server of Horde Breached, Hackers Installed Back-door in Horde Groupware & Webmail"https://www.voiceofgreyhat.com/2012/02/ftp-server-of-horde-breached-hackers.html</a>

Hackers Hit DreamHost, Password Changes Made Mandatory After The Breach

Hackers Hit DreamHost, Password Changes Made Mandatory By The Company After The Breach

Yet another victim targeted by hackers. This time the target was Los Angeles-based hosting provider DreamHost, a provider of shared and dedicated hosting. The company isn’t divulging much information as to the nature of the hack, beyond that they “don’t have evidence that customer passwords were taken at this time”. Still, they’re requiring password resets for all Shell/FTP accounts (read: not the account that DreamHost customers use to login to the billing/backend system, but the user accounts they use to access and maintain their actual websites.) for what seems to be all DreamHost customers. If you find yourself having trouble logging into your DreamHost FTP accounts today, it’s because your password has already been disabled.
Unfortunately, DreamHost is not alone among an epidemic of intrusions by hackers in recent days; shoe retailer Zappos had an intrusion issue about a week ago where user information was exposed. Also if you dig the decent history you will find big data breaches, security breaches and many more.

According to DreamHost’s Status Blog:-

"Last night we detected some unauthorized activity within one of our databases. While we don’t have evidence that customer passwords were taken at this time, we’re forcing a change out of caution. Please login to our web panel and change any passwords you may have with us. We’ll keep this post updated as we get more information."

According to their last official update DreamHost said that the security issue has been resolved. Brian H official authority of DreamHost said "We’re going to set this post to resolved. We have been sending out update emails to every account owner we have, letting them know what happened, and how to proceed from here on out. As a precaution, we advise every user to change all email passwords as well. We are not forcing this change, however, so make sure you take care of that ASAP."

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Hackers Hit DreamHost, Password Changes Made Mandatory After The Breach"https://www.voiceofgreyhat.com/2012/01/hackers-hit-dreamhost-password-changes.html</a>

Patator -A Multi-Purpose Brute-Forcer

Earlier we have several times talked about Brute forcer tool like THC-Hydra, Cain & Abel, Rainbow Crack and many more. Today we will discuss about Patator is a multi-purpose brute-forcer, written in pyton language, with a modular design and a flexible usage. Can be modified and rewritten as per our environment requirement. Patator is licensed GPLv2.

Modules Supported:-
ftp_login : Brute-force FTP
ssh_login : Brute-force SSH
telnet_login : Brute-force Telnet
smtp_login : Brute-force SMTP
smtp_vrfy : Enumerate valid users using the SMTP VRFY command
smtp_rcpt : Enumerate valid users using the SMTP RCPT TO command
http_fuzz : Brute-force HTTP/HTTPS
pop_passd : Brute-force poppassd (not POP3)
ldap_login : Brute-force LDAP
smb_login : Brute-force SMB
mssql_login : Brute-force MSSQL
oracle_login : Brute-force Oracle
mysql_login : Brute-force MySQL
pgsql_login : Brute-force PostgreSQL
vnc_login : Brute-force VNC
dns_forward : Forward lookup subdomains
dns_reverse : Reverse lookup subnets
snmp_login : Brute-force SNMPv1/2 and SNMPv3
unzip_pass : Brute-force the password of encrypted ZIP files
keystore_pass: Brute-force the password of Java keystore files

Features of Patator:-

• No false negatives, as it is the user that decides what results to ignore based on:

• status code of response

• size of response

• matching string or regex in response data

• Modular design

• not limited to network modules (eg. the unzip_pass module)

• not limited to brute-forcing (eg. remote exploit testing, or vulnerable version probing)

• Interactive runtime

• show verbose progress

• pause/unpause execution

• increase/decrease verbosity

• add new actions & conditions during runtime in order to exclude more types of response from showing

• Use persistent connections (ie. will test several passwords until the server disconnects)

• Multi-threaded

• Flexible user input

• Any part of a payload is fuzzable:

• use FILE[0-9] keywords to iterate on a file

• use COMBO[0-9] keywords to iterate on the combo entries of a file

• use NET[0-9] keywords to iterate on every host of a network subnet

To Download Patator Click Here 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Patator -A Multi-Purpose Brute-Forcer"https://www.voiceofgreyhat.com/2012/01/patator-multi-purpose-brute-forcer.html</a>

45K Facebook Login Details Stolen & Also More Than 800K Machines Were Infected By Ramnit Worm

Stories of Facebook accounts getting hacked is not attall uncommon. But this time a worm named Ramnit is responsible for stealing more than 45000 facebook login details. Actually worm that was originally designed to compromise bank systems has been repurposed and is now stealing Facebook login credentials. 

Security company Seculert has been actively keeping track of the worm Ramnit, which was originally discovered in April 2010. Microsoft, meanwhile, has explained that the worm is "a family of multi-component malware that infects Windows executable files, Microsoft Office files and HTML files. Win32/Ramnit spreads to removable drives, steals sensitive information such as saved FTP credentials and browser cookies. The malware may also open a backdoor to await instructions from a remote attacker."

Basically, Ramnit is capable of bypassing two-factor authentication systems, which means it's been able to gain remote access to financial institutions. Seculert has discovered that approximately 800,000 machines were infected with Ramnit between September and December. On top of that, a variant of the worm has stolen the login information for over 45,000 Facebook accounts.

For More Information Click Here

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">45K Facebook Login Details Stolen & Also More Than 800K Machines Were Infected By Ramnit Worm"https://www.voiceofgreyhat.com/2012/01/45k-facebook-login-details-stolen-also.html</a>

Anonymous Exposed The Private Information of The Special Agent, Officers, Cyber Crime Investigators Of Department Of Justice

The hacktivists claim to have hacked into Baclagan's Gmail account and to have accessed his voicemails and SMS message logs using unspecified techniques as part of their ongoing campaign against law enforcement officials and their "allies" in the computer security industry.

The email dump, released as a torrent last Friday in part of what has become the group's regular FuckFBIFriday release, is also said to contain personal information including Baclagan's home address and phone number. The cache of emails – which according to AntiSec are from the account of Fred Baclagan, a retired special agent supervisor of the Californian Department of Justice – includes 38,000 emails detailing various computer forensic techniques and cybercrime investigation protocols. 

Baclagan told that he was nobody special in the Justice Department ... which is what he would say, of course. He said that he had specialised in identity theft before he retired last year. "I'm really just a nobody," he told the Post, "just a local investigator, not involved in anything dynamic or dramatic

In the Press Release Anon Said:-

################################################################################

#        ANTISEC LEAKS DOJ SPECIAL AGENT SUPERVISOR'S PRIVATE EMAILS,         #

#               IACIS CYBERCRIME INVESTIGATOR COMMUNICATIONS                              #

#         care of the #OCCUPYWALLST CRACKDOWN RETALIATION TASK FORCE         #       

################################################################################

Greetings Pirates, and welcome to another exciting #FuckFBIFriday release.

As part of our ongoing effort to expose and humiliate our white hat enemies, we

targeted a Special Agent Supervisor of the CA Department of Justice in charge of

computer crime investigations. We are leaking over 38,000 private emails which

contain detailed computer forensics techniques, investigation protocols as well

as highly embarrassing personal information. We are confident these gifts will 

bring smiles to the faces of our black hat brothers and sisters (especially 

those who have been targeted by these scurvy dogs) while also making a mockery 

of "security professionals" who whore their "skills" to law enforcement to 

protect tyrannical corporativism and the status quo we aim to destroy.

We hijacked two gmail accounts belonging to Fred Baclagan, who has been a cop

for 20 years, dumping his private email correspondence as well as several dozen 

voicemails and SMS text message logs. While just yesterday Fred was having a 

private BBQ with his CATCHTEAM high computer crime task force friends, we were 

reviewing their detailed internal operation plans and procedure documents. We 

also couldn't overlook the boatloads of embarrassing personal information about 

our cop friend Fred. We lulzed as we listened to angry voicemails from his 

estranged wives and ex-girlfriends while also reading his conversations with 

girls who responded to his "man seeking woman" craigslist ads. We turned on his 

google web history and watched him look up linux command line basics, golfing 

tutorials, and terrible youtube music videos. We also abused his google 

voice account, making sure Fred's friends and family knew how hard he was owned.

Possibly the most interesting content in his emails are the IACIS.com internal

email list archives (2005-2011) which detail the methods and tactics cybercrime 

units use to gather electronic evidence, conduct investigations and make 

arrests. The information in these emails will prove essential to those who want 

to protect themselves from the techniques and procedures cyber crime 

investigators use to build cases. If you have ever been busted for computer 

crimes, you should check to see if your case is being discussed here. There are 

discussions about using EnCase forensic software, attempts to crack TrueCrypt 

encrypted drives, sniffing wireless traffic in mobile surveillance vehicles, how 

to best prepare search warrants and subpoenas, and a whole lot of clueless 

people asking questions on how to use basic software like FTP. In the end, we

rickrolled the entire IACIS list, causing the administrators to panic and shut

their list and websites down.

These cybercrime investigators are supposed to be the cream of the crop, but we

reveal the totality of their ignorance of all matters related to computer

security. For months, we have owned several dozen white hat and law enforcement

targets-- getting in and out of whichever high profile government and corporate

system we please and despite all the active FBI investigations and several

billion dollars of funding, they have not been able to stop us or get anywhere

near us. Even worse, they bust a few dozen people who are allegedly part of an

"anonymous computer hacking conspiracy" but who have only used 

kindergarten-level DDOS tools-- this isn't even hacking, but a form of

electronic civil disobedience. 

We often hear these "professionals" preach about "full-disclosure," but we are

sure these people are angrily sending out DMCA takedown notices and serving

subpoenas as we speak. They call us criminals, script kiddies, and terrorists, 

but their entire livelihood depends on us, trying desperately to study our 

techniques and failing miserably at preventing future attacks. See we're cut 

from an entirely different kind of cloth. Corporate security professionals like

Thomas Ryan and Aaron Barr think they're doing something noble by "leaking" the

public email discussion lists of Occupy Wall Street and profiling the "leaders"

of Anonymous. Wannabe player haters drop shitty dox and leak partial chat logs

about other hackers, doing free work for law enforcement. Then you got people 

like Peiter "Mudge" Zatko who back in the day used to be old school l0pht/cDc 

only now to sell out to DARPA going around to hacker conventions encouraging 

others to work for the feds. Let this be a warning to aspiring white hat 

"hacker" sellouts and police collaborators: stay out the game or get owned and 

exposed. You want to keep mass arresting and brutalizing the 99%? We'll have to 

keep owning your boxes and torrenting your mail spools, plastering your personal 

information all over teh internets.

Hackers, join us and rise up against our common oppressors - the white hats, the 

1%'s 'private' police, the corrupt banks and corporations and make 2011 the year 

of leaks and revolutions! 

We are Anti-Security,

We are the 99%

We do not forgive.

We do not forget.

Expect Us!

For More information Click Here

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Anonymous Exposed The Private Information of The Special Agent, Officers, Cyber Crime Investigators Of Department Of Justice"https://www.voiceofgreyhat.com/2011/11/anonymous-exposed-private-information.html</a>

X-Scan A Free Network Vulnerability Scanner

X-Scan is a general scanner for scanning network vulnerabilities for specific IP address range or stand-alone computer by multi-threading method, plug-ins are supported. This is an old tool (last update in 2005), but some people still find it useful and there are certain situations where it can be useful (especially in those jurassic companies using old kit). It supports Nessus NASL plugins for vulnerability scanning – which makes it pretty useful. It also has both a GUI and command line version for scripting.

Features :-

•     Remote OS type and version detection,
•     Standard port status and banner information,
•     SNMP information,
•     CGI vulnerability detection,
•     IIS vulnerability detection,
•     RPC vulnerability detection,
•     SSL vulnerability detection,
•     SQL-server,
•     FTP-server,
•     SMTP-server,
•     POP3-server,
•     NT-server weak user/password pairs authentication module,
•     NT server NETBIOS information,
•     Remote Register information, etc.

The results of the scan are saved in /log directory, and are title index_ip_address.htm (if you used the GUI) or ip_address if you used the command line option. These can be directly browsed by any normal WebBrowser. Basic user and password lists are supplied to carry out a basic attack on certain services, (above), if found enabled on the host. 

To Download X-Scan Click Here

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">X-Scan A Free Network Vulnerability Scanner"https://www.voiceofgreyhat.com/2011/11/x-scan-free-network-vulnerability.html</a>