Thursday, March 2, 2017

Slash Reborn

In the name of Allah, the Most Gracious, the Most Merciful.

Peace be upon you, and the mercy and blessings of Allah.
"My Lord, expand for me my breast, ease my task for me, and untie the knot from my tongue, so that they may understand my speech."
 
All praise is due to Allah, Allah is the Greatest. I'm still here, even though I am not as active as I used to be. Insha'Allah I will keep contributing, sharing the small pieces of knowledge I have, which I think are acceptable to most people around the globe.

So yeah, like most people, I am a complicated thing to describe. Some might say it's along the lines of being an "acquired taste." Others might more correctly classify it as "somebody that some people are willing to tolerate." Most likely, I am just inimitable, like many others. But I'll do the best I can to describe myself in words.

I'd say that I am an eclectic amalgamation of many seemingly paradoxical things. This can be exemplified in both my seemingly endless persistence on many topics and arguments, as well as my careful cautiousness on other topics and arguments. This is largely due to how astute I am of the topic: more knowledge, more persistent; less knowledge, obviously more cautious.

Apparently, I may look something like a serial killer or a terrorist. Sometimes I can turn into somebody who likes jokes, uses my OpenSSH backdoor and pwns your servers, or I can be your personal and sexiest bodyguard, depending on how you look at me.

So why Slash The Underground
Slash The Underground was a name given to me by my Linux guru, burn or lordburn. My friends call me 'slash' and sometimes 'nullbyte', which is a nickname for me. It's short, clever, derogatory and sometimes considered desirable, symbolising a form of acceptance, but it can often be a form of ridicule.

Hunting C&C For Fun and Profit


This is a quick post to explain the methodology behind how we were able to make fingerprints for the Hacking Team and Equation Group C&C infrastructure, allowing remote identification of their servers, as shown in The Italian Job and Equation Smasher releases on GitHub.
March, the rootkit wizard, and I have been at this kind of thing for quite some time, and have had a great deal of success in enumerating and identifying C&C infrastructure based on various oddities in how the servers present themselves. A fine example of this was our earlier Hunting Red October work (which resulted in the "asdic.pl" and "sonar.py" scripts).
Basically, here is a TL;DR on how you, too, can hunt down shitbag spies and other such nasties.

Step 1: Get samples of the malware and/or IP’s of some still active C&C servers.

This is often trivial. Once someone publishes a report, or you get hold of some nasty malware, identify the C&C server (run the sample in a sandbox or whatever and sniff those sweet, sweet pacotes).

Step 2: Muck about with the C&C server.

Next up, portscan the C&C server(s). Of particular interest is the callback port. Fiddle with that port/service a bit and see if it returns a "weird" or unique banner or response: something you can chuck into Shodan to find similar servers. Strip out the parts that vary between requests (dates, session cookies, content lengths) and keep the parts that don't (status line, header names and their order, server/version strings, page titles); that is your fingerprint.

Step 3: Compare the candidates

The third step is fairly simple. Once you have a list of hosts that act in the same fashion and "smell" the same (much of this is based on scientific jiggerypokery and general faffing about with them), portscan those and look for further similarities. Most often, C&C infrastructure is "cloned" across hosts, so they will all be set up in the same fashion: same open ports, same service versions, same odd responses.

Optional Step 4: Scan the Planet

Optionally, here you can scan the entire planet with masscan or zmap looking for similar hosts that Shodan's crawler might not have hit yet. This gives you a nice list of IPs to compare against netflow logs, and to bang into online sandboxes/AV services to see if there are other samples out there calling back to them, so you can gather more information and link samples and campaigns together.

Optional Step 5: Hack the Planet

I have NOT engaged in this hypothetical step, and cannot legally advocate for it; however, others such as Malware.lu in the case of APT-1 (warning: PDF link) have done so. Somehow procure a copy of the C&C software in question, fuzz the shit out of it, find some bugs, and own the spying bastards, preferably uninfecting their victims and burning their infrastructure to the ground. I include this step for completeness only, and to point out that there is some recourse to be had.
Good sources of ~~DDoS numbers~~ IP addresses/C&C hosts to initially target for, er, interrogation are reports from Citizen Lab and AV vendors on the latest and lamest surveillance campaigns. Also, because some espionage campaigns are cheapskates, obtaining copies of the widely (ab)used RAT software sold to/used by ~~APTs~~ script kiddies (such as Poison Ivy/BlackShades/DarkComet) and analysing those is also a fine way to find new, exciting fingerprints (and vulnerabilities...) to go forth and ruin some attackers' days.
Further note: if the malware uses a web-based panel (say, written in PHP), you might be able to fingerprint it on HTTP titles, or figure out a Google dork or some other way of identifying the panel. Think of web panels as vulnerable web apps and apply the same thinking to locating them and finding vulnerabilities in them. Quite often the part of the web panel (the "gate") that the implant calls back to fails miserably at sanitising input before it reaches the database or the filesystem, so there are often gloriously exploitable bugs there. See the Herpesnet teardown/ownage by malware.lu for some ideas on that :)
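As an added illustration of steps 2 and 3 (this is not code from the post, and the responses it works on are constructed, not real C&C banners), here is a small fingerprinting helper: it throws away the volatile parts of a probe response, hashes what a cloned server reproduces exactly (status line, stable headers in their original order, page title), and groups hosts by that hash. The hostnames, header values and the "Panel Login" title are placeholders.

```python
import hashlib
import re

# Constructed probe responses (NOT real C&C banners) from a GET / on the callback port of
# five hosts. Three share one odd nginx+PHP build and panel title, one is a stock Apache
# default page, and one answered with a non-HTTP binary greeting.
SAMPLE_RESPONSES = {
    "192.0.2.10": (b"HTTP/1.1 200 OK\r\nServer: nginx/0.7.67\r\nDate: Mon, 06 Jul 2015 10:01:33 GMT\r\n"
                   b"Content-Type: text/html; charset=UTF-8\r\nX-Powered-By: PHP/5.3.3-7+squeeze19\r\n"
                   b"Content-Length: 66\r\n\r\n"
                   b"<html><head><title>Panel Login</title></head><body></body></html>"),
    "192.0.2.11": (b"HTTP/1.1 200 OK\r\nServer: nginx/0.7.67\r\nDate: Tue, 07 Jul 2015 23:41:09 GMT\r\n"
                   b"Content-Type: text/html; charset=UTF-8\r\nX-Powered-By: PHP/5.3.3-7+squeeze19\r\n"
                   b"Set-Cookie: PHPSESSID=3f9a1c; path=/\r\nContent-Length: 66\r\n\r\n"
                   b"<html><head><title>Panel Login</title></head><body></body></html>"),
    "198.51.100.5": (b"HTTP/1.1 200 OK\r\nServer: nginx/0.7.67\r\nDate: Wed, 08 Jul 2015 02:00:00 GMT\r\n"
                     b"Content-Type: text/html; charset=UTF-8\r\nX-Powered-By: PHP/5.3.3-7+squeeze19\r\n"
                     b"Content-Length: 66\r\n\r\n"
                     b"<html><head><title>Panel Login</title></head><body></body></html>"),
    "203.0.113.7": (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.7 (Ubuntu)\r\nDate: Wed, 08 Jul 2015 02:00:05 GMT\r\n"
                    b"Content-Type: text/html\r\n\r\n"
                    b"<html><head><title>Apache2 Ubuntu Default Page: It works</title></head></html>"),
    "203.0.113.8": b"\x00\x00\x00\x08HELLO\x00\x01\n",   # constructed custom-protocol greeting
}

# Headers that change per request or per session and therefore must not enter the fingerprint.
VOLATILE_HEADERS = {b"date", b"set-cookie", b"content-length", b"etag", b"last-modified", b"expires"}
TITLE_RE = re.compile(rb"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def title_of(data: bytes) -> str:
    """Page title, the cheapest web-panel fingerprint; empty string when there is none."""
    m = TITLE_RE.search(data)
    return m.group(1).strip().decode("utf-8", "replace") if m else ""


def normalize(raw: bytes) -> bytes:
    """Reduce a response to what a cloned server reproduces exactly: status line, the stable
    headers in their original order (order itself is a tell), and the page title.
    Non-HTTP responses are fingerprinted as-is."""
    if not raw.startswith(b"HTTP/"):
        return raw.strip()
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept = [lines[0].strip()]
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() not in VOLATILE_HEADERS:
            kept.append(name.strip().lower() + b": " + value.strip())
    kept.append(b"title: " + title_of(body).encode())
    return b"\n".join(kept)


def fingerprint(raw: bytes) -> str:
    return hashlib.sha256(normalize(raw)).hexdigest()[:16]


def cluster(responses: dict) -> dict:
    """Map fingerprint -> sorted hosts that produced it."""
    groups = {}
    for host, raw in responses.items():
        groups.setdefault(fingerprint(raw), []).append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items()}


def siblings(responses: dict, host: str) -> list:
    """Other hosts that 'smell the same' as host: the candidates for the step-3 portscan comparison."""
    fp = fingerprint(responses[host])
    return [h for h in cluster(responses)[fp] if h != host]


if __name__ == "__main__":
    for fp, hosts in cluster(SAMPLE_RESPONSES).items():
        print(fp, hosts, repr(title_of(SAMPLE_RESPONSES[hosts[0]])))
```

In practice the input dictionary is filled from a Shodan export or your own masscan/zmap banner grabs; the point of stripping volatile headers is that two hosts set up from the same image hash identically even when probed days apart.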

Have fun, and be safe. Remember, kids: when fucking with C&Cs/malware, practice safe hex and wear your balaclavas!

Wednesday, July 22, 2015

Never trust a subcontractor

It all started with a phone call. "The whole network at [customer redacted] is down and they have no power - they need your help."

My blood ran cold. The engineer calling me sounded panicked, and for good reason. [Customer redacted] has an enormous natural gas facility in South Texas, too far from civilization to get enough power off the grid. We designed and built an onsite natural gas power plant for them, a big one, capable of supplying 40+ MW at peak load. They could run the facility for a short while without the power plant, but not for long, and shutting down the facility meant losing seven figures per hour. By the time I was informed, they had six hours until they had to shut down.

As the guy who had designed and installed said network, I was naturally the guy to call when it had problems, which had never happened before. It was a pretty simple network, honestly: just switches, Cat5 cables and fiber. Since this was the network all the PLCs, relays, meters and whatnot ran on, it was air-gapped and isolated, with no routers. Not much to go wrong.

I quickly get on the phone and walk the guy on their end through plugging in a laptop and running some simple tests. Check lights on things, ping this, ping that. Everything seems good, though. The network is emphatically not down. So I send him a remote app and take control of his laptop to see for myself.

Log into switches, check things, nope, the network's not down. When I log into the HMI system, though, I see a big red error message: "Network Error: Cannot connect to database". The database server is up, though. I log into the database server (Windows Server 2012 running MSSQL) and that's where I find the problem: SQL isn't running. I try to start it and it immediately shuts back off.

Monday, July 20, 2015

Hacking Team Uses UEFI BIOS Rootkit

The dissection of the data from the Hacking Team leak has yielded another critical discovery: Hacking Team uses a UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed on their targets' systems. Because the rootkit lives in the firmware rather than on disk, even if the user formats the hard disk, reinstalls the OS, or even buys a new hard disk, the agent is implanted again once Microsoft Windows is up and running.

They wrote a procedure specifically for Insyde BIOS (a very popular BIOS vendor for laptops); however, the code could very likely work on AMI BIOS as well.

A Hacking Team slideshow presentation claims that successful infection requires physical access to the target system; however, we can't rule out the possibility of remote installation. An example attack scenario would be: the intruder gets access to the target computer, reboots into a UEFI shell, dumps the BIOS, inserts the BIOS rootkit modules into the image, reflashes the BIOS, and then reboots the target system. Whether that last step works on a given machine depends on the firmware's flash write protections: a platform that locks its SPI flash regions or only accepts signed firmware updates blocks straightforward reflashing from a UEFI shell. We found that Hacking Team developed a help tool for the users of their BIOS rootkit, and even provided support for when the BIOS image is incompatible.
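The practical check that follows from this is to inventory the firmware you actually run and compare it with a known-good dump. Below is an added example (not Hacking Team's code, and not the Trend Micro analysis tooling) that walks the UEFI firmware volumes in a raw SPI dump, lists the FFS files by GUID and type, and reports files present in a suspect dump that are absent from the baseline. The GUIDs and the two in-memory "dumps" are constructed for the demo; the layout follows the EDK2 EFI_FIRMWARE_VOLUME_HEADER and EFI_FFS_FILE_HEADER definitions.

```python
import struct
import uuid

FV_SIGNATURE = b"_FVH"   # sits at offset 40 of EFI_FIRMWARE_VOLUME_HEADER
FFS_HEADER_LEN = 24      # EFI_FFS_FILE_HEADER: Name(16) IntegrityCheck(2) Type(1) Attributes(1) Size(3) State(1)
FFS_PAD = 0xF0           # EFI_FV_FILETYPE_FFS_PAD: alignment filler, not a real module
FILE_TYPES = {0x05: "DXE_CORE", 0x06: "PEIM", 0x07: "DRIVER", 0x0A: "SMM", 0x0B: "FV_IMAGE"}


def list_ffs_files(image: bytes) -> list:
    """Return [(guid, type)] for every FFS file in every firmware volume found in the dump."""
    files = []
    pos = 0
    while True:
        sig = image.find(FV_SIGNATURE, pos)
        if sig < 0:
            break
        pos = sig + len(FV_SIGNATURE)          # keep scanning: nested volumes carry their own signature
        if sig < 40:
            continue
        base = sig - 40
        fv_len = struct.unpack_from("<Q", image, base + 32)[0]
        hdr_len = struct.unpack_from("<H", image, base + 48)[0]
        end = min(base + fv_len, len(image))
        off = base + hdr_len
        while off + FFS_HEADER_LEN <= end:
            hdr = image[off:off + FFS_HEADER_LEN]
            if hdr == b"\xff" * FFS_HEADER_LEN:  # erased flash: no more files in this volume
                break
            size = int.from_bytes(hdr[20:23], "little")
            if size < FFS_HEADER_LEN or off + size > end:
                break                              # corrupt header; stop rather than misparse
            ftype = hdr[18]
            if ftype != FFS_PAD:
                files.append((str(uuid.UUID(bytes_le=hdr[:16])), ftype))
            off = base + ((off - base + size + 7) & ~7)  # files are 8-byte aligned within the FV
    return files


def unexpected_files(baseline: bytes, suspect: bytes) -> list:
    """Files in the suspect dump that do not exist in the known-good dump."""
    known = set(list_ffs_files(baseline))
    return [f for f in list_ffs_files(suspect) if f not in known]


# --- constructed test images (hypothetical GUIDs, not real EDK2 module GUIDs) -------------
def _ffs_file(guid: uuid.UUID, ftype: int, body: bytes) -> bytes:
    size = FFS_HEADER_LEN + len(body)
    return guid.bytes_le + struct.pack("<HBB", 0, ftype, 0) + size.to_bytes(3, "little") + b"\xf8" + body


def build_fv(files: list, fv_len: int = 4096) -> bytes:
    """One FFS2-style firmware volume: 72-byte header, 8-byte-aligned files, erased (0xFF) tail."""
    hdr_len = 72
    header = (bytes(16)                                                     # ZeroVector
              + uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3").bytes_le  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
              + struct.pack("<Q", fv_len) + FV_SIGNATURE
              + struct.pack("<IHHHBB", 0, hdr_len, 0, 0, 0, 2)              # Attributes..Revision
              + struct.pack("<IIII", 1, fv_len, 0, 0))                     # block map + terminator
    body = b""
    for guid, ftype, payload in files:
        body += _ffs_file(guid, ftype, payload)
        body += b"\xff" * (-len(body) % 8)
    return header + body + b"\xff" * (fv_len - hdr_len - len(body))


CORE_GUID = uuid.UUID("aaaaaaaa-0000-4000-8000-000000000001")
NTFS_DRIVER_GUID = uuid.UUID("aaaaaaaa-0000-4000-8000-000000000002")
EXTRA_DRIVER_GUID = uuid.UUID("aaaaaaaa-0000-4000-8000-000000000003")   # the "implant" in the suspect dump

BASELINE_IMAGE = build_fv([(CORE_GUID, 0x05, b"core" * 10), (NTFS_DRIVER_GUID, 0x07, b"driver" * 20)])
SUSPECT_IMAGE = build_fv([(CORE_GUID, 0x05, b"core" * 10), (NTFS_DRIVER_GUID, 0x07, b"driver" * 20),
                          (EXTRA_DRIVER_GUID, 0x07, b"rk" * 30)])

if __name__ == "__main__":
    for guid, ftype in unexpected_files(BASELINE_IMAGE, SUSPECT_IMAGE):
        print("unexpected", FILE_TYPES.get(ftype, hex(ftype)), guid)
```

On a real machine the two inputs are SPI dumps taken with a flash programmer or a tool such as chipsec (assumed, not described on this page); the baseline must come from a vendor image or a dump taken before the machine left your control, and a GUID match alone is not proof of integrity, so hash the file bodies as well once the inventory matches.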

Blocklist for Transmission

Transmission is, in my opinion, the lightest and best BitTorrent client for OS X so far [and did you know there's even an unofficial Windows version too?]. Why? Because it's super easy to use and configure, and it isn't resource-hungry like some other BitTorrent clients.

Looking for a nice, complete blocklist for Transmission can be a pain, especially if you're not sure which one to pick. In fact there are a ton of lists, all for different purposes, and none of them will give you complete bad-peer protection on its own: one shields your client from spammers, one from the US Government [really?], and none from all of those combined.

If you search on Google you will find people recommending a website called iBlocklist, which collects various block lists, but there are too many of them and they all have the same problem I mentioned before: no single list gives complete protection.

Luckily John Tyree, a user from quora.com, created a GitHub project that combines all those iBlocklist lists into a single one and hosts the result here. Simply add this URL in the Transmission preferences (Peers > Blocklist), click Update, and keep automatic updates enabled so the list does not go stale.

Good luck!

Monday, July 13, 2015

Magsukul Sapura (thank you Sapura)

Peace be upon you, and the mercy and blessings of Allah, and good afternoon,

In the name of Allah, the Most Gracious, the Most Merciful.

All praise is due to Allah; today is my last day working at Sapura Secured Technologies as Systemic Security Manager for Sapura Defense Sdn Bhd. Once again, I've been given the opportunity by Allah S.W.T. to share knowledge and experience with the industry and the Information Warfare community. Although I have my own plan, I know Allah also plans, and Allah is the best of planners. I know who I will be, and I know where I will be, but I know that Allah will choose what's good for me.


I wanted to wish everyone happy trails. My colleagues have been nothing short of amazing; the knowledge, the experience, and the quality of discussion have been incredibly stimulating. In my last 7 years with Sapura, Allah S.W.T. has shown me great challenges which almost took me down to the ground, and taught me unique knowledge through the people around me. I learned a great deal, building skills, relationships and facing challenges I never thought of.

Thursday, July 9, 2015

How to use SSHFS

Introduction
In computing, SSHFS (SSH Filesystem) is a filesystem client for mounting and interacting with directories and files located on a remote server or workstation over a normal SSH connection.[1] The client interacts with the remote file system via the SSH File Transfer Protocol (SFTP),[2] a network protocol providing file access, file transfer, and file management functionality over any reliable data stream, designed as an extension of the Secure Shell protocol (SSH) version 2.0.

In many cases it becomes cumbersome to transfer files to and from proprietary or customized operating systems. This can turn into quite a hassle in a very short time. Luckily there is a way to mount a remote file system on a local computer without NFS, Samba or other remote filesystem protocols: everything rides over the existing SSH connection, so no new service has to be exposed on the remote host. In this article, I will show you how to do exactly that.

Wednesday, July 8, 2015

HackingTeam become Hacked Team

An 'enemy of the internet' that helps governments spy on citizens has been hacked
The (ironically-named) Hacking Team is an Italian security firm with a history of supplying surveillance technology to governments around the world, including some unpleasant regimes. It has now been hacked itself.

As CSO Online reports, the source of the hack isn’t clear yet, but a torrent file with 400GB of internal documents, product source code and email archives is now public. There’s no shortage of glee online about the development, particularly from privacy activists. Campaign group Reporters Without Borders lists Hacking Team on its Enemies of the Internet index. Most of the strong criticism directed at the company is down to its surveillance tool Da Vinci, which it says can be used to break encryption on emails, files and IP calls.

In the past, Hacking Team has denied allegations of selling its tools to such governments, but the leaked emails show that the company did some pretty good business with the oppressive regimes in Sudan, Saudi Arabia, and Bahrain.

The unknown hackers posted links to the files on file-sharing websites and changed the company's Twitter logo from "Hacking Team" to "Hacked Team". Many companies are known to develop highly sophisticated software that helps governments monitor people's smartphones and personal computers.

Monday, June 29, 2015

Path MTU, IP Fragmentation and MSS

Over the last few weeks, I've been involved in troubleshooting high latency on SATCOM and 3G infrastructure. Long story short, I found that in UDP the "Don't Fragment (DF)" bit was set to 1. Therefore, I would like to write about Path MTU discovery and IP fragmentation in this post, and the relation between them.


As per the example topology above, the host LINUX1 is sending a packet to LINUX3. The packet has to traverse a path on which several different MTU sizes are involved.

Path MTU: assume the packet leaving LINUX1 has a total length of 1450 bytes. Because the LINUX1-LINUX2 link has a 1500-byte MTU, there is no problem there. However, once LINUX2 receives the packet, it sees that the link it must use to forward it has a smaller MTU (800 bytes) than the packet. If the packet carries the DF bit, LINUX2 is not allowed to fragment it; it drops the packet and sends an ICMP Destination Unreachable, code 4 (Fragmentation Needed and DF set), back to LINUX1 carrying the next-hop MTU: "Hey dude, I can't forward this packet, there's a link with an 800-byte MTU on the way, do something and lower your packet size."

LINUX1 gets this ICMP, lowers the size of its subsequent packets to that destination to 800 bytes, and the packets flow through. So why doesn't that always happen? The documentation says that if the next link's MTU is lower than the packet being forwarded, the packet is fragmented; that is true only when DF is clear. With DF set, the router must drop it, and if the ICMP notification is filtered anywhere on the path (firewalls that block all ICMP are common), the sender never learns about the smaller MTU and large packets silently vanish: a PMTUD black hole. A UDP application that sets DF and ignores ICMP gets exactly that behaviour.

Now the Path MTU discovery comes in:
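As an added worked example using the numbers from this post (this is illustrative code, not a real stack), the following simulates one IPv4 datagram crossing the LINUX1-LINUX2-LINUX3 path with link MTUs of 1500, 800 and 1500: how it is fragmented when DF is clear, what ICMP message the router returns when DF is set, how the sender's Path MTU discovery converges on 800, and what happens when the ICMP reply is filtered. The TCP MSS arithmetic assumes 20-byte IPv4 and TCP headers without options.

```python
IPV4_HEADER = 20   # no IP options
TCP_HEADER = 20    # no TCP options
ICMP_FRAG_NEEDED = (3, 4)   # Destination Unreachable, code 4: Fragmentation Needed and DF set


def tcp_mss_for(mtu: int) -> int:
    """Largest TCP payload that fits in one unfragmented IPv4 packet on a link with this MTU."""
    return mtu - IPV4_HEADER - TCP_HEADER


def fragment(total_len: int, link_mtu: int, header_len: int = IPV4_HEADER) -> list:
    """Split a datagram that is too big for link_mtu into IPv4 fragments.
    Returns [(fragment_total_len, fragment_offset_in_8_byte_units, more_fragments_flag)].
    Every fragment except the last carries a payload that is a multiple of 8 bytes."""
    payload = total_len - header_len
    chunk = (link_mtu - header_len) // 8 * 8
    frags, pos = [], 0
    while pos < payload:
        size = min(chunk, payload - pos)
        more = pos + size < payload
        frags.append((header_len + size, pos // 8, more))
        pos += size
    return frags


def forward(total_len: int, df: bool, path_mtus: list) -> dict:
    """Walk one datagram hop by hop. path_mtus lists the link MTUs from sender to receiver.
    The first link that is too small either fragments (DF clear) or drops + ICMP (DF set)."""
    for hop, mtu in enumerate(path_mtus):
        if total_len <= mtu:
            continue
        if df:
            return {"result": "dropped", "hop": hop, "icmp": ICMP_FRAG_NEEDED, "next_hop_mtu": mtu}
        return {"result": "fragmented", "hop": hop, "fragments": fragment(total_len, mtu)}
    return {"result": "delivered", "size": total_len}


def pmtud(total_len: int, path_mtus: list, icmp_filtered: bool = False, max_tries: int = 8):
    """Sender-side Path MTU discovery (RFC 1191 style): send with DF set, shrink to the advertised
    next-hop MTU on every Fragmentation Needed, stop once delivered.
    Returns (largest size confirmed to pass, datagrams sent); (None, n) means a black hole."""
    size = total_len
    for tries in range(1, max_tries + 1):
        outcome = forward(size, True, path_mtus)
        if outcome["result"] == "delivered":
            return size, tries
        if icmp_filtered:
            return None, tries   # the drop is silent; the sender has nothing to react to
        size = outcome["next_hop_mtu"]
    return None, max_tries


PATH = [1500, 800, 1500]   # LINUX1->LINUX2, LINUX2->LINUX3 (the 800-byte link), LINUX3 local

if __name__ == "__main__":
    print(forward(1450, False, PATH))                    # two fragments at hop 1
    print(forward(1450, True, PATH))                     # dropped, ICMP 3/4, next-hop MTU 800
    print(pmtud(1450, PATH), tcp_mss_for(800))           # (800, 2) 760
    print(pmtud(1450, PATH, icmp_filtered=True))         # (None, 1): black hole
```

Read the black-hole case against the UDP symptom in this post: with DF set and the ICMP reply lost, every datagram above 800 bytes disappears while small ones still arrive, which presents as "high latency" or retransmission storms rather than an obvious outage.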

Tuesday, May 27, 2014

Enable USB installation in Bootcamp

Before you do anything, make a backup of Info.plist or of the whole Boot Camp Assistant app so that you can go back if necessary. Rename the copy something like "Info old.plist" or "Original Boot Camp Assistant."

Mandatory steps:
  • Add your model to DARequiredROMVersions
  • Delete the word "Pre" from UEFIModels and add your model
  • Delete the word "Pre" from USBBootSupportedModels and add your model
  • Remove your model from Win7OnlyModels (if it's there)

The last step is to re-sign the app. Boot Camp Assistant will not run if its contents have been edited, because the edit invalidates the existing code signature. Open Terminal (use Spotlight to find it) and type the following, which replaces the signature with an ad-hoc one (the "-" identity):


sudo codesign -fs - /Applications/Utilities/Boot\ Camp\ Assistant.app

Good luck!

Wednesday, February 20, 2013

Story of Appreciation

A young, academically excellent person went to apply for a managerial position at a big company. He passed the first interview; the director did the last interview and made the final decision. The director discovered from the CV that the youth's academic achievements had been excellent all the way from secondary school to postgraduate research; there had never been a year in which he did not score well.


The director asked, "Did you obtain any scholarships in school?"

The youth answered "none".

The director asked, "Was it your father who paid for your school fees?"

The youth answered, "My father passed away when I was one year old; it was my mother who paid for my school fees."

Friday, November 23, 2012

#OpIsrael

Overview
#OpIsrael is an Anonymous-led raid to protest Israel's Operation Pillar of Defense by taking down Israeli government websites through distributed denial of service (DDoS) attacks.

Background
In early November 2012, the Israel Defense Forces took to Twitter to live-update the status of the fighting in Gaza. On November 14th, the IDF killed Ahmed Jabari, the chief of Hamas' military wing, in an airstrike. As he was the highest-ranking Hamas official killed by the IDF since the 2008 Gaza War, the news of Jabari's assassination quickly escalated tensions between the two sides.

The IDF has begun a widespread campaign on terror sites & operatives in the #Gaza Strip, chief among them #Hamas & Islamic Jihad targets. — IDF (@IDFSpokesperson) November 14, 2012

Thursday, November 22, 2012

5 Questions Great Job Candidates Ask

Great candidates ask questions they want answered because they're evaluating you, your company--and whether they really want to work for you.

Here are five questions great candidates ask:

What do you expect me to accomplish in the first 60 to 90 days?
Great candidates want to hit the ground running. They don't want to spend weeks or months "getting to know the organization." They want to make a difference, right away.

What are the common attributes of your top performers?
Great candidates also want to be great long-term employees. Every organization is different, and so are the key qualities of top performers in those organizations. Maybe your top performers work longer hours. Maybe creativity is more important than methodology. Maybe constantly landing new customers in new markets is more important than building long-term customer relationships. Maybe it's a willingness to spend the same amount of time educating an entry-level customer as helping an enthusiast who wants high-end equipment. Great candidates want to know, because 1) they want to know if they fit, and 2) if they do fit, they want to be a top performer.

Monday, November 19, 2012

Hackers obtained access to FreeBSD servers

On Sunday 11th of November, an intrusion was detected on two machines within the FreeBSD.org cluster. The affected machines were taken offline for analysis. Additionally, a large portion of the remaining infrastructure machines were also taken offline as a precaution.

We have found no evidence of any modifications that would put any end user at risk. However, we do urge all users to read the report available at http://www.freebsd.org/news/2012-compromise.html and decide on any required actions themselves. We will continue to update that page as further information becomes known. We do not currently believe users have been affected given current forensic analysis, but we will provide updated information if this changes.

As a result of this event, a number of operational security changes are being made at the FreeBSD Project, in order to further improve our resilience to potential attacks. We plan, therefore, to more rapidly deprecate a number of legacy services, such as cvsup distribution of FreeBSD source, in favour of our more robust Subversion, freebsd-update, and portsnap models.

Source: FreeBSD

Thursday, November 8, 2012

Singaporeans get hard token baked into credit card

Two-factor authentication just got a whole lot more convenient for residents of Singapore, after Standard Chartered Bank's local outfit teamed with MasterCard to offer account-holders a credit card that is also a one-time-password-generating hard token.

MasterCard calls the device a 'Display Card' and says it includes “an embedded LCD display and touch-sensitive buttons”.

The hard token functionality seems not to have anything to do with the credit card itself, as Standard Chartered says it will be used with its online banking products when customers make "higher-risk transactions such as payments or transfers above a certain amount, adding third party payees, or changing personal details." If it behaves as other hard tokens do, punters enter a code on the keypad, read the resulting one-time password on the screen and then enter that code into the computing device they're using for online banking. Logon credentials for the online banking service will still be required.

The card's been doing the rounds of Europe for a couple of years now, scoring a few wins with Turkish, Romanian and Belgian financial institutions.

But the win at Standard Chartered, a British outfit with global footprint, gives the technology useful profile.

Nagra ID Security, the Swiss company behind the token-in-a-card, insists the device will sit happily in one's wallet and offers a three-year warranty, which we believe makes it safe to sit on. The card is, in all other ways, a completely conventional credit card and can be embossed, branded and carry holographic security devices like any other credit card.

Source: TheRegister

Monday, November 5, 2012

SSH Forwarding

Abstract:
When Sun first produced systems, the common way for users to move around a network and to distribute workload was to leverage the Berkeley "r" tools, such as "rsh", "rlogin", "rexec", etc., under Solaris. As academic networks became professional ones, security concerns over passwords being passed in the clear were raised and SSH was born. SSH was built as a compatible superset of "rsh", but that compatibility was removed with the second version of the protocol. This document discusses the implementation of SSH under Solaris.

Global Configurations:
SSH uses two global configuration files, one for the client (/etc/ssh/ssh_config) and another for the server (/etc/ssh/sshd_config). Each file documents the compiled-in defaults as comments. The "ssh" client settings can be overridden on a per-user basis in ~/.ssh/config, while the "sshd" server configuration is managed only at the global level.

SSH Server Daemon
Under Solaris 10, related OSes, and later, sshd is started through the SMF services infrastructure.

sunserver/user$ svcs ssh
STATE          STIME    FMRI
online         Aug_17   svc:/network/ssh:default
There are compiled-in defaults and global configuration defaults, which are read on startup; the first value sshd sees for a keyword wins.

The following error may occur due to incorrect configurations:

channel 5: open failed: administratively prohibited: open failed
Under Solaris 10, TCP port forwarding is disabled by default, and the setting is documented in the global configuration file. If one connects via SSH and proxies a port (ssh -L, -R or -D), this error message is produced on the first connection attempt to the proxied port: the session itself works, but sshd refuses the channel-open request.

To allow for the port forwarding, edit the configuration file "/etc/ssh/sshd_config".

AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
Restart the "sshd" service and the administrative message disappears. Only AllowTcpForwarding is required for -L/-R/-D forwards. GatewayPorts yes makes remote forwards (ssh -R) listen on all of the server's interfaces instead of loopback, so other hosts can reach them; leave it at no (or use clientspecified) unless that exposure is intended. X11Forwarding is unrelated to TCP forwarding and only needs to be on if you forward X sessions.

sunserver/root# svcadm restart ssh
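As an added example (not part of the original document), here is a small audit script that reads an sshd_config the way sshd does (first value wins, keywords after a Match line apply only to matching connections) and reports what the forwarding-related settings imply: the "administratively prohibited" symptom when forwarding is off, and the exposure GatewayPorts yes introduces. The compiled-in defaults it assumes are OpenSSH's (AllowTcpForwarding yes, GatewayPorts no, X11Forwarding no); a vendor build such as Solaris ships its own sshd_config, which is why you read the file rather than trust the defaults.

```python
import re

# OpenSSH compiled-in defaults for the keywords audited here (sshd_config(5)).
DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no", "x11forwarding": "no"}


def parse_sshd_config(text: str):
    """Return (global_settings, match_blocks). sshd keeps the FIRST value it sees for a keyword
    and ignores later duplicates; keywords after 'Match' only apply when the criteria match,
    so they are kept apart as [(criteria, settings), ...]."""
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        target = current if current is not None else global_settings
        target.setdefault(key, value)                 # first occurrence wins
    return global_settings, match_blocks


def effective(settings: dict, key: str) -> str:
    return settings.get(key, DEFAULTS.get(key, "")).lower()


def audit_forwarding(text: str) -> list:
    """List of (keyword, value, consequence) for the global forwarding settings."""
    settings, _ = parse_sshd_config(text)
    findings = []
    if effective(settings, "allowtcpforwarding") == "no":
        findings.append(("allowtcpforwarding", "no",
                         "ssh -L/-R/-D channel opens are refused: 'administratively prohibited'"))
    if effective(settings, "gatewayports") == "yes":
        findings.append(("gatewayports", "yes",
                         "remote forwards (ssh -R) bind on all interfaces and are reachable by other hosts; "
                         "use 'no' or 'clientspecified' unless that is intended"))
    if effective(settings, "x11forwarding") == "yes":
        findings.append(("x11forwarding", "yes",
                         "not needed for TCP forwarding; grants the server side access to the client's X display"))
    return findings


# The three lines this post adds to /etc/ssh/sshd_config, and a constructed locked-down file.
SAMPLE_OPEN = "AllowTcpForwarding yes\nGatewayPorts yes\nX11Forwarding yes\n"
SAMPLE_LOCKED = "# shipped default, constructed for the demo\nAllowTcpForwarding no\n"

if __name__ == "__main__":
    for name, cfg in (("open", SAMPLE_OPEN), ("locked", SAMPLE_LOCKED)):
        for key, value, why in audit_forwarding(cfg):
            print(f"{name}: {key} {value}: {why}")
```

Run it against the real file with `audit_forwarding(open("/etc/ssh/sshd_config").read())`; the narrowest fix for the error in this post is AllowTcpForwarding yes on its own.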

Saturday, November 3, 2012

Board of Computing Professionals Malaysia

There is currently an initiative to establish a Board of Computing Professionals Malaysia (BCPM), which will accredit ICT academic programmes, as well as promote, facilitate and regulate the profession (very much like the Board of Engineers for engineering, and the Bar Council for the legal profession). This initiative is under the purview of the Ministry of Science, Technology and Innovation (MOSTI) and led by the National ICT Human Resource Task Force under the Ministry of Higher Education (MOHE), within the ICT Human Capital Development Framework.

They invited all ICT practitioners and those related to the profession to participate in an online survey that is open for responses from Sunday 28 Oct 2012 to Sunday 4 November 2012 (24:00). The survey aims to solicit feedback from the ICT community to determine the overall suitability of, and general acceptance of, the proposal to establish the BCPM. The survey site is available here.

The introduction to the survey and the instructions for filling in the questionnaire are provided at the stated site, along with a link to another site that gives the general context of the proposal. Although we do not foresee any problem at the said site, should there be difficulties, an alternative site is available here.

Friday, November 2, 2012

udc-hackssh-v3_bajaulaut-v1.2

udc-hackssh_bajaulaut is an OpenSSH backdoor combined with reverse shell capability, and is part of the udc-kolansong rootkit. The idea was to make use of the OpenSSH binary to control target and/or victim machines.

If you receive something like "ssh_exchange_identification: Connection closed by remote host", this tool may make your life easy. Telnet to the target machine and send the 'udc_gamai_magic' string. Once sent, sshd will execute and connect back to your 'client' machine on port 8080.

However, this patch has a limitation: it can ONLY execute the reverse OpenSSH command back to the machine from which the telnet command was run.

Download udc-hackssh-v3_bajaulaut-v1.2 here.

Thursday, October 18, 2012

uDc-hackssh-v3_bajaulaut public version

Lately, I have had a small project that required encrypted communication sessions over a network, like OpenSSH. However, I found one machine which interested me more than the others, placed in a highly secured zone. So I had this crazy idea, similar to Sebastian Krahmer's but with more capabilities.

The idea was to manipulate and make use of OpenSSH, without an additional rootkit, to control and maintain root access on the target machine, including machines placed in other network zones.

Long story short, I am publishing a public version of this "toy", but without the other "crazy things", for security reasons ;). Actually, this public version is nothing new. It is a combination of a known OpenSSH backdoor and OpenSSH reverse capabilities, as I mentioned above. You can download it here.

CHANGES:
- updated for openssh-5.x versions
- added reverse capabilities based on openssh.reverse

FEATURES:
- uses a hardcoded DES cipher password
- ssh has the capability to act as a server
- sshd has the capability to act as a client


Friday, September 28, 2012

HITB - Keeping Knowledge Free for Over a Decade

Some of you might remember the first HITB conference at the Cititel Hotel, Kuala Lumpur, back in 2003. That year HD Moore spoke about Metasploit, back when it was just the Metasploit Framework. That very conference also marked the last public appearance of LSD Group, aka The Hackers Who Broke Windows. Sounds like a decade ago? Well, you are right. Believe it or not, it has been TEN YEARS since the HITB crew's first conference, and what a ride it has been: ten great years, three continents, hundreds of speakers, thousands of attendees and a lifetime of stories.

Other Conference Activities:
HackWeekDay
Following the success of HackWEEKDAY, held for the first time last year at the HITB Security Conference in Kuala Lumpur, HITB2012KUL will see the return of HackWEEKDAY – Hack-to-Hack:

an all-new 36-hour hackathon which will run alongside our 10th-anniversary conference, kicking off on the evening of October 9th (training day 2).

Registration is COMPLETELY FREE, and we have space for 50 developers in total, comprising a mix of .edu and professional developers.

CommsecVillage
The HITB CommSec Village is our new Community and Security area dedicated to highlighting various security related projects from the open source community and from various hackerspaces. These communities will have their own playground and demonstration area to show off their projects and a chance to interact with the conference attendees.

Capture The Flag
To celebrate the 10th anniversary of HITBSecConf, the CTF Overlords and CTF Crews 1.0, 2.0 and the all-new 3.0 will be coming together to run a 32-HOUR NON-STOP CAPTURE THE FLAG COMPETITION, which we're calling CTF Weapons of Mass Destruction – Fallout Apocalypse!

In our previous CTF Weapons of Mass Destruction, teams had a set of daemons/services running on their machines and had to exploit rival teams' daemons to steal their flags. Submitting the flags earned offensive points and also unlocked nuclear weapons that could be launched against rival teams. For defensive points, all a team had to do was keep its own daemons up and running.