15 Best Free Packet Crafting Tools

Packet crafting is the process of manually creating or editing data packets on a network in order to test network devices. Hackers and network admins use this process to test a network, check firewall rules, find entry points and test the behavior of network devices.

Network data packets contain various fields, including data, source address, destination address, version, length and protocol, plus a few others depending on the protocol. In packet crafting, one creates a completely new packet or edits an existing packet to change the information it contains. This packet is then sent into the network to observe the response of the network firewall. By changing values in the packet, attackers try to find an entry point into the network.

I also want to point out that “packet crafting” and “packet spoofing” are not the same thing.

Packet crafting is not a simple task for beginners. It consists of the following steps:

  1. Packet Assembly: Creating a new network packet, or capturing a packet going over the wire and editing its information as required.
  2. Packet Editing: Editing the content of an existing packet.
  3. Packet Re/Play: Sending or resending a packet on a network.
  4. Packet Decoding: Decoding and analyzing the content of the packet.

Tools for all of these steps are available. In this post, I will write about the tools used in these steps. Some tools are step-specific, while others can be used for all of the steps. You can try some or all of the listed tools to see how they work.

I also recommend reading our existing article on Packet Crafting. In that article, we explain packet crafting in detail, with an explanation of all four steps involved, and we also show how to use a few packet crafting tools. That article will help you understand packet crafting and the usage of those tools. Once you understand it clearly, you can read this article to see the available packet crafting tools. Some tools are very old but still work fine. Other tools are actively in development, while still others are no longer developed.

I also recommend learning about network packets, the packet structure of different protocols, and the network layers. If you do not know these things, you will not be able to understand how to do packet crafting or how these tools work. For learning purposes, you must understand the basics of networking before proceeding with the list of tools. You must know about the data packets of different protocols, the different fields in those packets, the meaning or purpose of those fields, and how those packets are used in network communication. Once you know these things, you will be able to change those values to see the desired effect in the network. So, do not try these tools without learning the previously mentioned skills; you will end up wasting your time and effort.
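As an added example (not code from the original article), the assembly, editing and decoding steps above applied to one IPv4/TCP SYN packet using only the Python standard library. It builds the headers with correct checksums, decodes them back, and shows why editing a field without recomputing the checksum yields a packet a receiving stack will drop. The addresses and ports are constructed sample values; sending or replay is left out because it needs raw sockets and privileges.

```python
import socket
import struct

# Added example, not from the original article: assemble, decode and edit an
# IPv4/TCP SYN packet. Sample addresses below are constructed (RFC 5737 ranges).

TCP_SYN = 0x02


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 6, ttl: int = 64,
               ident: int = 0x1234) -> bytes:
    """Assemble a 20-byte IPv4 header (no options) in front of payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5,        # version 4, IHL 5 words
                         0,                   # DSCP/ECN
                         20 + len(payload),   # total length
                         ident, 0, ttl, proto,
                         0,                   # checksum placeholder
                         socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + payload


def build_tcp(src: str, dst: str, sport: int, dport: int, seq: int = 0,
              flags: int = TCP_SYN, window: int = 65535, payload: bytes = b"") -> bytes:
    """Assemble a 20-byte TCP header; its checksum also covers an IP pseudo-header."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                         5 << 4,              # data offset 5 words, reserved 0
                         flags, window,
                         0,                   # checksum placeholder
                         0)                   # urgent pointer
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, 6, len(header) + len(payload))
    csum = checksum(pseudo + header + payload)
    header = header[:16] + struct.pack("!H", csum) + header[18:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header; a header whose checksum is intact sums to zero."""
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (f[0] & 0x0F) * 4
    return {
        "version": f[0] >> 4, "ihl": ihl, "total_len": f[2], "id": f[3],
        "ttl": f[5], "proto": f[6], "checksum": f[7],
        "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
        "header_ok": checksum(packet[:ihl]) == 0,
        "payload": packet[ihl:f[2]],
    }


def parse_tcp(segment: bytes, src: str, dst: str) -> dict:
    """Decode the TCP header; the IPs are needed to rebuild the pseudo-header."""
    sport, dport, seq, ack, off, flags, window, csum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    data_off = (off >> 4) * 4
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, 6, len(segment))
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "window": window, "checksum": csum, "syn": bool(flags & TCP_SYN),
        "checksum_ok": checksum(pseudo + segment) == 0,
        "payload": segment[data_off:],
    }


def set_ttl(packet: bytes, ttl: int, fix_checksum: bool = True) -> bytes:
    """Editing step: change the TTL. Without recomputing the header checksum the
    packet is invalid and a receiving stack or firewall silently drops it."""
    header = bytearray(packet[:20])
    header[8] = ttl
    if fix_checksum:
        header[10:12] = b"\x00\x00"
        header[10:12] = struct.pack("!H", checksum(bytes(header)))
    return bytes(header) + packet[20:]


def build_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Assembly step: a complete IPv4/TCP SYN packet ready for decoding or editing."""
    return build_ipv4(src, dst, build_tcp(src, dst, sport, dport))


if __name__ == "__main__":
    pkt = build_syn("192.0.2.10", "198.51.100.20", 40000, 443)
    ip = parse_ipv4(pkt)
    tcp = parse_tcp(ip["payload"], ip["src"], ip["dst"])
    print(pkt.hex())
    print(ip["src"], "->", ip["dst"], "ttl", ip["ttl"], "ip_ok", ip["header_ok"])
    print("tcp", tcp["sport"], "->", tcp["dport"], "syn", tcp["syn"], "ok", tcp["checksum_ok"])
    print("edited ttl=1, checksum fixed:", parse_ipv4(set_ttl(pkt, 1))["header_ok"])
    print("edited ttl=1, checksum stale:", parse_ipv4(set_ttl(pkt, 1, False))["header_ok"])
```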

These are the 15 best free packet crafting tools.

1. Hping

Hping is one of the most popular free packet crafting tools available. It lets you assemble and send custom ICMP, UDP, TCP and raw IP packets. This tool is used by network admins for security auditing and for testing firewalls and networks. It is now also available within the Nmap Security Scanner.

Hping is available for a wide range of platforms, including Windows, Mac OS X, Linux, FreeBSD, NetBSD, OpenBSD and Solaris.

Download Hping: http://www.hping.org/

2. Ostinato

Ostinato is an open source, cross-platform network packet generator and analysis tool. It comes with a GUI that makes it easy to use and understand. It supports Windows, Linux, BSD and Mac OS X. You can also try using it on other platforms.

The best thing about the tool is that it supports the most common standard protocols. See the list of supported protocols below:

  • Ethernet/802.3/LLC SNAP
  • VLAN (with QinQ)
  • ARP, IPv4, IPv6, IP-in-IP a.k.a. IP tunnelling (6over4, 4over6, 4over4, 6over6)
  • TCP, UDP, ICMPv4, ICMPv6, IGMP, MLD
  • Any text-based protocol (HTTP, SIP, RTSP, NNTP etc.)
  • Support for more protocols is in the works.

By using Ostinato, you can easily modify any field of any protocol. This packet crafting tool is also described as complementary to Wireshark.

Download Ostinato: http://ostinato.org/

3. Scapy

Scapy is another nice interactive packet crafting tool. It is written in Python and can decode or forge packets for a wide range of protocols, which makes Scapy well worth trying. You can perform various tasks with it, including scanning, tracerouting, probing, unit tests, attacks and network discovery.

Download Scapy: http://www.secdev.org/projects/scapy/

4. Libcrafter

Libcrafter is very similar to Scapy. It is written in C++ to make the creation and decoding of network packets easier. It can create and decode packets for most common protocols, capture packets, and match requests with replies. The library was designed to be multithreaded, allowing you to perform various tasks simultaneously.

Download Libcrafter: https://code.google.com/p/libcrafter/

5. Yersinia

Yersinia is a powerful network penetration-testing tool capable of performing attacks on various network protocols. If you are looking for packet crafting tools, I would like to recommend this nice tool too.

Download Yersinia: http://www.yersinia.net/

6. packETH

packETH is another packet crafting tool. It is a Linux GUI tool for Ethernet that lets you create and send sequences of packets quickly. Like the other tools in this list, it supports various protocols for creating and sending packets. You can also set the number of packets and the delay between them, and configure various other things in this tool.

Download packETH: http://packeth.sourceforge.net/

7. Colasoft Packet Builder

Colasoft Packet Builder is also a freeware tool for creating and editing network packets. If you are a network admin, you can use this tool to test your network against attackers and intruders. It is available for all current versions of the Windows operating system.

Download Colasoft Packet Builder: http://www.colasoft.com/download/products/download_packet_builder.php

8. Bit-Twist

Bit-Twist is a less popular but effective tool for regenerating captured packets as live traffic. It uses a tcpdump trace file (.pcap file) to generate packets on the network. It comes with a trace file editor that lets you change any field in the captured packets. Network admins can use this tool for testing firewalls, IDS and IPS, and for troubleshooting various network problems. There are various other things for which you can try this tool.

Download Bit-Twist: http://bittwist.sourceforge.net/

9. Libtins

Libtins is also a nice tool for crafting, sending, sniffing and interpreting network packets easily. It is written in C++, and by using the source code, C++ developers can extend its functionality and make it more powerful. It performs its task very effectively. Now, it is up to you to use this tool.

Download Libtins: http://libtins.github.io/

10. Netcat

Netcat is also a popular tool that can read and write data over TCP or UDP connections. This tool is reliable and easy to use, and you can also develop other tools on top of its functionality. The best thing about the tool is that it can create almost any kind of network connection, including port binding.

This tool was originally known as Hobbit and was released in 1995.

Download Netcat: http://nc110.sourceforge.net/

11. WireEdit

WireEdit is a full-featured WYSIWYG network packet editor. That means you can edit all layers of a packet in a simple interface. This tool is free to use, but you will have to contact the company to obtain the usage rights. If you ask about the supported protocols, there is a long list. It supports Ethernet, IPv4, IPv6, UDP, TCP, SCTP, ARP, RARP, DHCP, DHCPv6, ICMP, ICMPv6, IGMP, DNS, LLDP, RSVP, FTP, NETBIOS, GRE, IMAP, POP3, RTCP, RTP, SSH, TELNET, NTP, LDAP, XMPP, VLAN, VXLAN, CIFS/SMB v1 (original), BGP, OSPF, SMB3, iSCSI, SCSI, HTTP/1.1, OpenFlow 1.0-1.3, SIP, SDP, MSRP, MGCP, MEGACO (H.248), H.245, H.323, CISCO Skinny, Q.931/H.225, SCCP, SCMG, SS7 ISUP, TCAP, GSM MAP R4, GSM SM-TP, M3UA, M2UA, M2PA, CAPWAP, IEEE 802.11, with more to come.

It is a multi-platform tool, available for Windows XP or higher, Ubuntu Desktop and Mac OS X.

Download WireEdit: https://wireedit.com/downloads.html

12. epb – Ethernet Packet Bombardier

Epb, or Ethernet Packet Bombardier, is a similar kind of tool but simpler in operation. It lets you send customized Ethernet packets. This tool does not offer a GUI, but it is easy to use.

You can read more about this tool here: http://maz-programmersdiary.blogspot.fi/2012/05/epb-ethernet-package-bombardier.html

13. Fragroute

Fragroute is a packet crafting tool which can intercept, modify and rewrite network traffic. You can use this tool to perform most network intrusion attacks to check the security of your own network. This tool is open source and offers a command line interface. It is available for Linux, BSD and Mac OS.

Download Fragroute: http://www.monkey.org/~dugsong/fragroute/

14. Mausezahn

Mausezahn is a fast traffic generator that lets you send every possible kind of network packet. This tool is used for penetration testing of firewalls and IDS, but you can decide how to use it effectively in your network to find security bugs. You can also use it to test whether your network is secure against DoS attacks. A notable thing about this tool is that it gives you full control over the NIC. It supports ARP, BPDU or PVST, CDP, LLDP, IP, IGMP, UDP, TCP (stateless), ICMP (partly), DNS, RTP (optionally with an RX mode for jitter measurements) and Syslog.

Download Mausezahn: http://www.perihel.at/sec/mz/

15. EIGRP-tools

This is an EIGRP packet generator and sniffer combined. It was developed to test the security of the EIGRP routing protocol. To use this tool, you need to know Layer 3 and the EIGRP protocol. It is also an open source tool with a command line interface, available for Linux, Mac OS and BSD platforms.

Download EIGRP-tools: http://www.hackingciscoexposed.com/tools/eigrp-tools.tar.gz

These are a few of the best free tools for packet crafting. I recommend trying all of them to see how they work. As I already mentioned, you must learn about networks, network packet layers, packet structures, headers and the other necessary things before using these tools. If you know all of this, you will be able to perform better attacks and create better defenses against those attacks.

Packet crafting is one of the best ways to perform network penetration testing. You can try creating a layer of security and then try to break your own security. In this way, you will be able to prevent hackers from exploiting vulnerabilities in the security mechanism you created. Hackers always try to intrude into the internal networks of companies. In recent months, we have seen many attacks against big companies; in most cases, the internal network was hacked to access confidential information. Therefore, network security is one of the most important tasks in any business. So, learn packet crafting and learn these tools. The more you learn, the better security person you will become. All of these tools were created for specific purposes. You can try them to modify packets, test firewall rules and break the security.

Note: We do not encourage use of these tools to test the security of a network without getting prior permission. Most businesses use proper security and tracking. If you are caught attacking a network, you may be booked under cyber-crime laws in most countries. The purpose of this article is to make you aware of these tools for learning purposes. If you use them for any illegal purpose, the author and InfoSec Institute will not hold any responsibility.

Original Post: http://resources.infosecinstitute.com/15-best-free-packet-crafting-tools/

HORNET is New Tor-like Anonymity Network With Superfast Speeds


The Deep Web is a place that is hidden from the ordinary world because the browsers used to access it continuously encrypt user data. Due to this constant encryption, browsing speeds are slow. Our beloved Tor network has more than 2 million daily users, which slows down its performance. To counter this speed issue, five researchers have developed a new Tor-style anonymity network called HORNET: High-Speed Onion Routing at the Network Layer.

Compared to anonymity networks like Tor, the HORNET system is more resistant to attacks and it delivers faster node speeds. The researcher team writes, “unlike other onion routing implementations, HORNET routers do not keep per-flow state or perform computationally expensive operations for data forwarding, allowing the system to scale as new clients are added.”

The paper “Hornet: High-Speed Onion Routing at Network Layer” was written by Chen Chen of Carnegie Mellon University, along with David Barrera, Enrico Asoni and Adrian Perrig of Zurich’s Federal Institute of Technology, and George Danezis of University College London. Here’s the research paper.

To achieve speeds higher than Tor, HORNET doesn’t encrypt data as often; instead it encrypts just the personal parts. In Tor, anonymity comes at the price of speed. To provide anonymity, Tor takes data and passes it through a series of computers before the final destination. Each time it passes from one computer to the next, another layer of encryption is applied and the IP address changes. This forms a time-consuming multilayer network (hence “The Onion Router”).

HORNET nodes process anonymous traffic at more than 93 Gb/s.

The basic architecture of Tor and HORNET is the same (onion routing). HORNET creates the set of encryption keys along with the routing information (connection state) on your own system. Thus, the intermediate nodes don’t need to build this information each time, as the keys and connection state are carried within the packet headers (the anonymous header, or AHDR).

According to the research paper, this makes the whole system more secure, as the intermediate computers don’t waste time handling the sender’s and receiver’s packets. Thus, the whole process becomes faster and more secure.

It is worth mentioning that HORNET has not yet been tested at a large scale; so far it is just these five researchers. Thus, extensive peer review is needed before systems like HORNET can be adopted.

Original Post: http://fossbytes.com/hornet-is-new-tor-like-anonymity-network-with-superfast-speeds/

HowTo: Privacy & Security Conscious Browsing

Motivation

This guide was written in response to the continually growing creep of advertising companies and the constant threat of compromise and data loss that all users of the internet face.

For those unfamiliar with these threats, please familiarize yourself with the tactics of advertising companies, such as “undeleting” cookies, scraping your browser history, building personal profiles of your activity without your consent, and more.

Recent articles, such as 20 Home Pages, 500 Trackers Loaded, give a well done look into just how far advertising companies go in tracking you. The article Looking Up Symptoms Online? These Companies Are Tracking You shows how much data is transmitted to tracking companies as you search for health care related information.

Similarly, attacks on ordinary internet users have risen exponentially and led to waves of ransomware, identity theft, and financial losses.

When using browsers in their default mode, one wrong click in a search engine or one malicious advertisement loading on your favorite website is all that it takes to fully compromise your system.

By following the steps in this guide, you will severely reduce your exposure to such tactics.

Audience

This guide is written for computer users, both technical and non-technical, who wish to achieve privacy and security when performing a variety of web-based tasks. This document takes an “all out” approach, meaning that no shortcuts are taken and no technologies are spared. If it tracks you online or exposes you to risk, then mitigations are needed.

This document is meant to be accessible to users of all technical levels. If you feel that a section is too technically difficult and not clear to non-technical users, then please let me know. You can also contribute your own changes. See the “How to Contribute” section for how to do so.

TL;DR?

If you do not wish to the read the whole document, but want to get value out of it, then read the sections on per-browser settings and required plugins. This guide recommends and provides guidance for Firefox and Chrome.

Updates

This document will be updated as new technologies emerge and as browsers and their plugins evolve. The bottom of this document will contain a changelog for major updates. Otherwise, you can check the git history log in order to see changes over time and who contributed them.

Technologies that Affect Security and Privacy

This section lists several technologies that prevent or affect efforts to perform secure and private browsing. These technologies and their issues are listed in this section, while mitigations are described in the following sections.

If you want a deeper look at these technologies as well as others, then check the documents here and here.

HTTP (Non-SSL) Browsing

Rule 1: The internet is not a safe or friendly place.

By default, communication between your web browser and the web servers that you contact is not encrypted (HTTP). This exposes all of your web traffic to:

  • Your ISP
  • Anyone at the cafe/library/university providing your internet access
  • Anyone that can monitor traffic between your provider and your destination server

It also allows anyone between you and your destination to modify your traffic, including injecting malicious content that can compromise your privacy and security.

HTTP is such a security issue that Mozilla is deprecating HTTP in favor of HTTPS.

To mitigate this issue and to enable secure, encrypted communication, HTTPS must be used. This encrypts communication between your web browser and the web servers that you contact.

HTTP(S) Cookies

Cookies are used by websites to track users for both legitimate and non-legitimate purposes. Legitimate uses include keeping track of logged-in users, storing user preferences, and so on.

Non-legitimate uses include tracking users across the web by use of uniquely identifying cookie values. For large advertising networks, such as Google Analytics, which have tracking code installed on many websites, this unique cookie value allows for tracking and targeting you across nearly every website you visit.

A popular and effective method to tame advertisers that track you through cookies is to block 3rd-party cookies. 3rd-party in this context means websites that are loaded outside of the website you directly visit. For example, if you visit https://www.cnn.com, then CNN is the first party. Advertisers that CNN dynamically loads will load from their own infrastructure (e.g., static.chartbeat.com). This separate infrastructure is considered “3rd party”, and by setting your browser to block 3rd-party cookies, you can greatly reduce advertisers’ effectiveness. Guides exist on how to do this for Internet Explorer, Firefox, and Chrome.
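To make the first-party/third-party distinction concrete, here is an added example (not from the original guide) that models what the “block 3rd-party cookies” setting does for a single page load. The page URL, resource URLs and Set-Cookie headers are constructed sample data, and the site-identity rule is a simplification (last two host labels, no Public Suffix List).

```python
from urllib.parse import urlsplit

# Added example, not from the original guide. Constructed sample page load: the
# page URL and the responses it triggered, each with its Set-Cookie header.
PAGE_URL = "https://www.cnn.com/"
RESPONSES = [
    ("https://www.cnn.com/", "session=abc123; Path=/; Secure"),
    ("https://cdn.cnn.com/style.css", "theme=dark; Path=/"),
    ("https://static.chartbeat.com/js/chartbeat.js", "_cb=uniq-4f9e; Path=/"),
    ("https://www.google-analytics.com/analytics.js", "_ga=GA1.2.777; Path=/"),
]


def registrable_domain(host: str) -> str:
    """Site identity used for the first/third-party decision.
    Assumption: no Public Suffix List, so the last two labels are taken; this
    misjudges hosts under suffixes such as co.uk, which real browsers handle."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(page_url: str, resource_url: str) -> bool:
    """True when the resource is served by a different site than the page itself."""
    page_host = urlsplit(page_url).hostname or ""
    res_host = urlsplit(resource_url).hostname or ""
    return registrable_domain(page_host) != registrable_domain(res_host)


def accepted_cookies(page_url: str, responses, block_third_party: bool = True):
    """Cookies the browser would store from this page load. A blocked cookie never
    reaches disk, so the tracker cannot recognise you again on the next site."""
    kept = []
    for url, set_cookie in responses:
        if block_third_party and is_third_party(page_url, url):
            continue
        name = set_cookie.split(";", 1)[0].split("=", 1)[0].strip()
        kept.append((urlsplit(url).hostname, name))
    return kept


if __name__ == "__main__":
    for url, _ in RESPONSES:
        party = "3rd-party" if is_third_party(PAGE_URL, url) else "1st-party"
        print(party, url)
    print("kept with blocking:", accepted_cookies(PAGE_URL, RESPONSES))
    print("kept without blocking:", accepted_cookies(PAGE_URL, RESPONSES, False))
```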

Javascript

Javascript is used to dynamically create and deliver web content. Like HTTP cookies, Javascript has many legitimate uses, but it also provides the technology necessary for 3rd-party ad networks to run, and it is a required component of many browser exploits.

Completely disabling Javascript greatly enhances both security and privacy, but prevents many websites from operating correctly. This guide will discuss how to work around this issue in several sections.

Flash

Rule 2: Adobe Flash is a security nightmare that should be avoided at all costs.

Adobe Flash is a popular technology installed on nearly every non-secure browser in the world. It is used to display Flash movies that websites use to display interactive media content. Flash is quickly being replaced by HTML5, but like most technologies, will be used long after its successor is available.

Unfortunately, Adobe Flash is also one of the most insecure pieces of technology in widespread use, and is very often targeted by malicious actors to remotely compromise users.

Flash “Cookies” (LSOs)

Flash local stored objects (LSOs), also known as “Flash Cookies”, are a feature of Adobe Flash that allows for Flash applications to store data on the user’s local system.

LSOs are an issue as many advertisers have abused Flash Cookies to track users, even if the users attempted to clean their information by deleting their HTTP cookies. Several (1, 2) lawsuits have been successfully won against advertising companies abusing LSOs in this manner.

LSOs are also a privacy concern as Flash places LSOs for every browser into the same location. This means that a Flash cookie set by an application in Internet Explorer can later be read by that application even if it is later loaded in Firefox or Chrome. Abuse of this cross-browser tracking has been the subject of privacy-related lawsuits as well.

You can find more information on the security and privacy issues with LSOs here, here, and here.

HTML5 Local Storage

HTML5 is the latest version of the HTML specification. One of its features that has drawn privacy concerns is the ability for websites to create “HTML5 databases”. These databases are similar to HTTP cookies, but they are not kept in the same data stores and allow much larger and more flexible amounts of data to be stored.

HTML5 also poses a risk due to the Canvas Fingerprinting issue. As will be discussed later, this is something that the Tor Browser Bundle specifically defends against, while other browsers provide no defense for it.

WebRTC

WebRTC is another new technology that allows for browser-to-browser interactions not previously possible with other standards.

Like other technologies, a serious privacy issue has been found in WebRTC. This issue allows for websites to enumerate the local IP address of a user. This has been observed in the wild and is a part of the Browser Exploitation Framework.

The ability for websites to determine the local IP address of a user is a major concern, as it allows for unique identification of users behind NATs, VPNs, and potentially Tor.

In non-technical terms, this means that instead of every member of a family appearing as coming from the same network (e.g., the in-home wireless router), advertisers can determine a very specific property of each user’s system in order to more uniquely track them.

You can check if your current browser is vulnerable by visiting this website. If you see your local IP or your VPN IP, then you need to follow the advice in this guide.

Browser Choice

In this section, we will begin to describe how you can protect yourself from advertisers, attackers, and other malicious actors on the internet. To start, we will discuss the choice of which browser(s) to use and when they may be applicable.

Internet Explorer

Unless you are on a corporate system with no other choice, you should never use Internet Explorer.

It is a security and privacy nightmare, and its lack of a plugin/extensions API and community means that you cannot easily modify the browser to meet these needs. Its long history of having vulnerabilities is also a major concern.

Safari

Safari should also be avoided unless its use is necessary. It is built on a notoriously insecure code base, meaning that many vulnerabilities have been discovered, and it also does not provide a robust plugin/extension API. As will be discussed with the following browsers, plugins and extensions are necessary to fully modify the browser to be as secure and privacy conscious as possible.

Firefox

While Chrome provides the best security, Firefox is a much better choice for security and privacy than IE or Safari.

Be aware that Mozilla has recently embraced advertisers, though, which has troubled many privacy-conscious people.

Firefox also has a much weaker security model than Chrome, but much of this can be tamed through extensions as we will see.

Chrome

For general purpose browsing, Chrome is the ideal browser once it has been configured correctly (see the following sections on “Browser Settings” and “Required Browser Plugins”).

Chrome has a very mature security model (see here, here, and here), which often requires advanced exploitation and multiple vulnerabilities to fully compromise. No other browser comes close to this model.

This security model helps to protect both the privacy and the security of its users.

The Tor Browser Bundle

The Tor Browser Bundle (TBB) is the recommended browser to use when utilizing the Tor network. A full discussion of Tor is outside the scope of this document, but compared to connecting directly to the internet through your ISP, Tor provides substantial privacy for users. Before using TBB, I highly recommend reading the Tor documentation and FAQ. While Tor does provide anonymity in most situations, depending on your adversary and geolocation, there may be a higher chance of deanonymization while using it. If you are going to use Tor and/or TBB for anything besides the reasons listed in this document’s “Audience” section, then you MUST consult further Tor documentation before proceeding.

While you can use Tor with any modern browser, TBB is built and configured with both security and privacy in mind. Every concerning technology listed in “Technologies that Affect Security and Privacy” is accounted for in TBB, as well as other privacy-affecting technology. A full list of these protections and TBB’s design goals can be found in its design documents. That document is also the best available on current threats to browsing privacy, and is a must read for technical users.

The “Browsing Strategies” section contains an extensive discussion of when TBB is best used for this document’s purposes.

Browser Settings

Chrome

By default, Chrome sends a substantial amount of data to Google. This includes URLs visited, “suspicious” files downloaded, misspelled words, and more. Luckily, Google documents all of this information on the Chrome Privacy Page, and describes how to opt-out of the “features”. To do so, simply follow the “Turn off a privacy setting” instructions on the privacy page.

To be fully safe, you should uncheck everything under “Privacy”, and then only check the “Send a ‘Do Not Track’ request with your browsing traffic” option. ‘Do Not Track’ is an option that tells websites not to track you. Unfortunately, major advertisers decided to ignore this feature, but some websites do honor it. By unchecking everything else under privacy you will ensure that Google is not collecting data on your every browser action.

Firefox

Firefox also documents how to disable its features that may reduce or eliminate user privacy. This information can be found here and here.

Required Browser Plugins

In order to achieve the maximum amount of privacy and security reasonably possible, browser extensions (often also called plugins), must be used. These extensions have substantial control over the browser and can provide layers of security not otherwise obtainable.

To start, we will discuss plugins for Chrome. We will then discuss how to achieve the same goals in Firefox. Many of the plugins mentioned support both browsers, but some require different plugins with similar or equivalent capability.

Required Browser Plugins – Chrome

To install extensions in Chrome, please follow this guide.

HTTPS Everywhere

HTTPS Everywhere is a Chrome extension by the EFF that forces connections to web servers to be performed over HTTPS (encrypted browsing). This means that if you attempt to browse to a site such as http://www.example.com, the extension will change your request to contact https://www.example.com. This ensures you connect to the website over a secure channel. Similarly, when web pages try to load resources (think: images, javascript files, icons), these requests will occur over HTTPS as well.

Even if you install nothing else recommended by this guide, you should install HTTPS Everywhere.

Also, whether you use HTTPS Everywhere or not, before sending any sensitive or private data to a website you should verify that a secure SSL connection is established. Instructions for how to check an SSL connection are available for Internet Explorer, Chrome, and Firefox.

Privacy Badger

Privacy Badger is another project by the EFF that monitors websites’ behaviors in order to dynamically identify those that collect tracking information. You can then use the extension button in order to block offending websites. The button UI is very well done, and after visiting a few sites with heavy advertising (e.g., major news websites), you will have effectively blacklisted a majority of advertisers.

An Ad Blocker

From a security perspective, malicious advertising is one of the biggest threats to ordinary end users. From a privacy perspective, advertisers are the biggest threat to web-based privacy. They track every move you make across nearly every website and then correlate all your data in the background to build very personal profiles of your behavior and actions.

To prevent the security and privacy hazards that online ads present, you need to install an ad blocker.

The most popular of these is Ad Block Plus (ABP), but recent behavior by the company has caused concern among many web users. To make Ad Block Plus most effective, you must go into its ‘Options’ and uncheck “Allow some non-intrusive advertising”. Otherwise, Ad Block Plus will apply a filter that allows companies, such as Google and Taboola, to still serve ads. Such ads break the overall security model due to the tracking they enable.

Instead of ABP, many users are now moving to uBlock. It provides the same benefits as Ad Block Plus without the potentially questionable business practices — and also without allowing paid advertisers to bypass the filters.

Flash Control

As mentioned previously, Adobe Flash is one of the biggest threats to internet security. If you need to have it installed in your browser, then you MUST install a plugin, such as Flash Control, that will prevent Flash from auto-playing. Instead, these plugins make Flash “click to play”, meaning that the Flash object will not load unless you click to explicitly enable it.

By making Flash click-to-play, you significantly reduce the ability for malicious advertisers or websites to compromise your system with Flash exploits. Similarly, this prevents Flash-based ads from loading.

As a general security precaution, you can make all Chrome plugins click-to-play by following the instructions here. This removes the need for an extension, but can be less flexible depending on your use case.

WebRTC Blocking

As discussed above, WebRTC has a major privacy issue in that it can be abused to leak the internal IP address of users. This is very useful for advertisers who wish to develop very unique identifiers for users. It can also be abused to deanonymize users who used VPNs and/or Tor (1, 2, 3) in order to hide their true identity.

To block WebRTC in Chrome you must install this plugin. The Chrome “official” fix is rather insane and requires manually editing a huge JSON file (bug tracker). Also, Chrome enables WebRTC by default, leaving users vulnerable to this issue. Hopefully this issue is treated better by the default Chrome in the future. This document will be updated if that occurs.

To test if the plugin is operating correctly, visit this website and make sure that your local IP address does not appear.

Required Browser Plugins – Firefox

To install plugins in Firefox, please use this guide.

The following plugins from Chrome are cross-compatible with Firefox and provide the same benefits:

  • HTTPS Everywhere
  • Privacy Badger
  • Ad Block Plus & uBlock

The following require Firefox specific plugins:

Flash Control

Flashblock for Firefox provides the same functionality as “Flash Control” for Chrome. It will block Flash by default, but with a click you can view the content.

WebRTC Block

To disable WebRTC in Firefox:

  • Enter “about:config” in the URL bar
  • Find the key of “media.peerconnection.enabled”
  • Set the value to “false”
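Whichever browser you use, the check described above (visit a leak-test site and look for your local IP) can be reproduced locally. The following is an added example, not code from the original gist: it parses ICE candidate lines and flags any private address; `collectCandidates()` is the browser-side helper that gathers real candidates, and the sample candidate lines are constructed.

```javascript
// Added example (not code from the original gist): classify the ICE candidates a
// browser emits so you can judge whether WebRTC is exposing a private address.
// parseCandidate/classifyAddress/assessCandidates are pure and run in Node;
// collectCandidates() is the browser-side part that feeds them real candidates.

const PRIVATE_V4 = [
  /^10\./,                          // RFC 1918
  /^192\.168\./,                    // RFC 1918
  /^172\.(1[6-9]|2\d|3[01])\./,     // RFC 1918
  /^169\.254\./,                    // IPv4 link-local
  /^127\./,                         // loopback
];

// Parse the fixed head of an a=candidate line (RFC 8839 syntax):
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const m = /candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/.exec(line);
  if (!m) return null;
  return {
    foundation: m[1], component: Number(m[2]), transport: m[3].toLowerCase(),
    priority: Number(m[4]), address: m[5], port: Number(m[6]), type: m[7],
  };
}

// "private": a LAN/link-local address that identifies this machine inside its network.
// "mdns":    an obfuscated <uuid>.local name, which patched browsers emit instead.
// "public":  a routable address; expected for srflx candidates when a STUN server is used.
function classifyAddress(address) {
  const a = address.toLowerCase();
  if (a.endsWith('.local')) return 'mdns';
  if (PRIVATE_V4.some((re) => re.test(a))) return 'private';
  if (/^(fe80:|fc|fd|::1$)/.test(a)) return 'private'; // IPv6 link-local, ULA, loopback
  if (/^[0-9.]+$/.test(a) || a.includes(':')) return 'public';
  return 'unknown';
}

// Summarise a list of candidate lines. leaksLocalIp is what a self-test should key on.
function assessCandidates(lines) {
  const findings = { private: [], public: [], mdns: [], unknown: [] };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    findings[classifyAddress(c.address)].push(`${c.type}:${c.address}:${c.port}`);
  }
  return { leaksLocalIp: findings.private.length > 0, ...findings };
}

// Browser only (RTCPeerConnection does not exist in Node). With no iceServers the
// browser gathers host candidates only; add a STUN url to also see srflx candidates.
async function collectCandidates(timeoutMs = 2000) {
  const pc = new RTCPeerConnection({ iceServers: [] });
  const lines = [];
  pc.createDataChannel('probe');
  pc.onicecandidate = (ev) => { if (ev.candidate) lines.push(ev.candidate.candidate); };
  await pc.setLocalDescription(await pc.createOffer());
  await new Promise((resolve) => setTimeout(resolve, timeoutMs));
  pc.close();
  return lines;
}

// Constructed sample (not a real capture): one leaking host candidate, one mDNS host
// candidate as emitted by a patched browser, one server-reflexive candidate via STUN.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0',
  'candidate:2 1 udp 2122260223 4d8a6c1e-constructed.local 54322 typ host generation 0',
  'candidate:3 1 udp 1686052607 203.0.113.9 54321 typ srflx raddr 0.0.0.0 rport 0',
];

console.log(assessCandidates(SAMPLE_CANDIDATES));
```

In a browser, `collectCandidates().then((lines) => console.log(assessCandidates(lines)))` performs the same check the leak-test sites do; after the plugin or the about:config change, `private` should be empty.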

What about Disabling Javascript?

Many technical readers may be wondering why I did not list NoScript for Firefox or its equivalent (ScriptSafe) for Chrome. The reason for this is that disabling Javascript simply “breaks” the web for too many people. If you feel that you can live without Javascript, then install either of the previously mentioned plugins.

To mitigate the threat in a different manner, along with mitigating other threats, please read the next section “Browsing Strategies”.

Browsing Strategies

Many users, including technical ones, perform all of their browser-based activity (web mail, banking, Facebook, “Bing searching”, reading the news, etc.) in one browser. While convenient, this is a HORRIBLE security practice, and should be avoided at all costs. In this section, we detail the issues with this approach and provide more secure and privacy conscious alternatives.

Problems with Using only One Browser

The problems with using only one browser for “everything” are numerous.

Scripting Attacks

Any scripting vulnerability in authenticated websites can lead to compromise of all data related to authenticated sessions. When using one browser for all activities, users will generally be logged into many services at once – greatly amplifying the effects of such vulnerabilities.

XSS

XSS, which is shorthand for “Cross Site Scripting”, is a web-based attack technique that allows an attacker to control a victim’s browser’s actions on a particular website. In less technical terms, XSS allows a malicious actor to perform actions in a user’s browser as if the attacker were controlling the user’s mouse.

Common malicious uses of XSS include forcing victims to perform banking actions (withdraw, transfer, etc.), resetting passwords to email accounts, or disabling security protections associated with online accounts. All of these can lead to loss of control of accounts as well as loss of very personal information. XSS is also a threat to businesses as attackers can leverage employees’ legitimate access to systems in order to steal data or backdoor corporate systems.

UXSS

UXSS or Universal XSS is a more dangerous form of XSS in that the attacker can force the user’s browser to perform actions on any website, and not just a vulnerable one.

CSRF

CSRF is another attack technique wherein an attacker can control actions of a user’s browser, including forging requests to online banking, social media, medical, and other authenticated sessions.

Preventing All Tracking is Nearly Impossible

By being logged into a number of services at once, it becomes nearly impossible to filter out data associated with trackers. Take for example a user that is logged into:

  • Gmail (email)
  • Facebook (social media)

By being logged into Gmail, you cannot effectively block Google Analytics, DoubleClick (Google owned), as well as several other major advertising networks. This occurs as Google controls the entire ecosystem – search, YouTube, Maps, email, etc. This means every time you search a term, Google immediately knows who you are, what search term you entered, and any search result link(s) you may click. Similarly, if you plan your vacation route through Google Maps, Google then knows exactly where you are going. Besides its own services, Google tracks you throughout the entire web through DC and GA. Now they not only know everything about your search, email, and travel plans, they also know essentially every website you visit, how you got there, and where you will be going next.

Similarly, through Facebook’s Like Button, you are tracked throughout the web. Every time you visit a website (or individual page) with a “Like” button, Facebook sends the URL back to itself. If you are logged into Facebook at the time, then it also has your authentication information, which allows it to tie many of your browsing habits directly to your very personal user account. More info: 1, 2, 3

In this example, if we tried to block Facebook and Google properties, then we would certainly stop the tracking – but at the same time we would be breaking the sessions we have open to Facebook and Gmail.

While Google and Facebook were used in this example as they are two of the most popular services on the web, the same issues are faced when utilizing any service that combines ads with other features.

As we will see, using multiple browsers effectively alleviates this issue and provides the opportunity for true privacy.

Compromise Affects all of your Data

As you can likely deduce, using one browser is a major vulnerability as a compromise of the browser compromises all of your web data – and potentially all of your data in total. Using one of the following strategies will effectively fix this issue as well.

Using Multiple Browsers

To fix the previously described issues, one approach you can take is to use multiple web browsers on a single computer. This will greatly reduce the attack surface related to XSS, UXSS, etc., as well as allow true filtering of ad networks. This step is also much more achievable for less technical users than the virtual machine approach described in the next section.

Why

Using multiple browsers allows for compartmentalization of data. We will use this setup to limit tracking as well as the risk of XSS & its friends.

Setup

In this example, we will use one install of Firefox for authenticated sessions with tracking (Google, Facebook, etc.), one install of Chrome for online banking and other sensitive logins, and TBB for all non-authenticated browsing (reading Reddit, watching memory forensics talks, etc.). The Firefox and Chrome installs need to be configured as discussed above for both settings updates and required plugins.

As a side note – many security professionals use this exact setup.

Operation

When browsing, we must be sure to follow our compartmentalized flow. We cannot cross contaminate any browser with data from another one. One way you can train yourself to do this is use a plugin, such as Block Site, that allows you to whitelist and blacklist websites. In the Chrome browser, you would blacklist every site not related to online banking and your other sensitive logins. Likewise, in Firefox you would whitelist Google and Facebook, and blacklist everything else. This prevents data leakage.

Another option you can choose is to change your default browser to a non-browser application, such as Notepad. Then, if you accidentally click a link in an email, Twitter client, etc., it won’t load in any browser. Instead, you will need to copy the link and then paste it into the appropriate browser. This prevents accidental data leaks and security breaks.

The reason to use TBB for all non-authenticated browsing is that TBB is highly secure, and Tor provides a high level of anonymity. We can browse news sites, perform web searches, and many other tasks without fear of being effectively tracked by every website on the internet. TBB’s security comes from its use of plugins and configuration settings that block Javascript (through NoScript), Flash, Java, and other 3rd party applets. Similarly, TBB also utilizes a number of techniques to avoid providing unique data that can be used to individually identify and track users. See the design documents for a complete list.

Security and Privacy Gained

By using this setup you:

  • Prevent cross-contamination of data and cross-browser data leakage
  • Stop the real power of XSS and UXSS, as you aren’t logged into sensitive websites in a browser that visits untrusted websites
  • Prevent advertising based on your unique habits. TBB provides anonymous browsing, and by confining Google, Facebook, and other trackers only to their own services they cannot gather external data on you or your habits
  • Ensure that untrusted websites cannot execute Javascript or other vulnerable technology, since TBB is used for all non-authenticated websites

Note: You need to be very careful if you enable Flash, as the cross-browser data reading can occur as explained previously in this document.

Note 2: For this mode to work effectively, you must train yourself to limit websites to their particular browser. Using a plugin that whitelists and blacklists websites can greatly help with this effort and can save you if you make a mistake. You can also set strict NoScript (javascript) filters for websites you want to block in order to effectively stop their tracking.

Use of Virtual Machines

Why

While using multiple browsers provides substantial benefit over using one browser, using virtual machine guests to browse provides the highest level of security and privacy you can achieve on a single physical system.

Setup

To use virtual machines for browsing, a virtualization package must be chosen. Popular candidates are VMware Workstation and Fusion, as well as VirtualBox.

A base operating system must then be installed in a secure fashion. A good setup is a base Debian install with a GrSec/PaX enabled kernel and the Chromium (Chrome) browser with the setup and plugins described previously. For less technical users, a Windows operating system, such as Windows 7, can be virtualized.

Once a virtual machine guest is created with a base operating system and a properly configured browser, a secure, offline copy of it must then be made. It is advisable to use hashing and other file integrity techniques to ensure its security.

For the use of TBB, the TBB browser can also be installed in the image, or Tails, which is a virtual machine configured specifically for anonymous and private browsing, can be utilized. Tails is highly recommended in this scenario.

If you are going to use the virtual machine approach then you should consider and learn about Qubes OS.

Operation

To perform browsing, unique copies of the configured virtual machine guest must be created. The copies will mirror the browser setup from the previous section, except that instead of installing multiple browsers directly to the host operating system, each VM will run a browser with a specific purpose.

For example, one VM copy will be used for Facebook and Google, while another will be used for online banking, and another for logging into your hospital’s medical system. Installing multiple browsers to an OS can be difficult, but making copies of VMs is very straightforward.

For general browsing and search, Tails should be used.

After each session the Tails VM should be rebooted. Similarly, at least once a week, the VMs used for logging into services should be reverted to the original state. As discussed next, this greatly limits the exposure and the time frame in which any potential attackers can be active.

To help you keep browsing sessions into their correct VM, you may want to use visual cues. For example, set a different background for each VM and then associate that with a security level.

Security and Privacy Gained

Using VMs has the same benefit as multiple browsers as well as the added bonus of:

  • Limit the time your data is exposed. By using VMs and reverting them often, which brings them back to their original state, you are setting a defined time limit on which attackers or malware can be active before you instantly remove them. When reverting a virtual machine you are bringing it back to the state it was in when you first installed it. If attackers want to get access to your VM again they then must re-exploit your browser. Similarly, if tracking companies have bypassed your filters, resetting will remove all tracking data.
  • Protection from browser exploitation. If one VM has a compromised browser, the data on the other VMs is not affected.** Reverting the VMs often can greatly close this time window. No other approach can save you if a browser is fully compromised. This approach saves your other web data as well as the rest of your personal data contained on the system.

** Technical Note: While guest->host escapes exist, they are quite rare compared to other software vulnerabilities, and are generally reserved for very targeted attacks.

Changing Your Search Engine

When moving to a posture of security and privacy, one thing you must often rethink is your search engine. Even if you use TBB, major search engines (you know who they are), still track your search terms and attempt to uniquely identify you by setting cookies and other data.

To remedy this you should use a privacy conscious search engine. A popular option is DuckDuckGo, as well as StartPage.

Startpage does not log your IP or search and uses Google’s results to “enhance” its own results – meaning you get the power of Google search without the tracking.

Similarly, DuckDuckGo does not log your searches in any manner that can be traced back to you.

FAQ

What about Private Browsing?

“Private Browsing” is a feature provided by all modern browsers in order to enhance privacy by not recording data to your local system (browsing history, cookies, etc.) as well as on the network when the browser is in private mode. Unfortunately, this browsing mode sounds more secure than it really is. For a well done, illustrated guide to these problems, please check the Private Browsing Myths website.

Why not use TBB or TAILs for all Browsing?

As you read this document, you may wonder why you shouldn’t use TBB for all of your browsing, including authenticated sessions. There are two problems with this approach.

The first is that malicious exit nodes, which are the last servers your data travels through on the Tor network before it reaches the outside internet, can maliciously sniff and alter your non-HTTPS traffic. Since many websites still allow for authenticated use without strict HTTPS, you are essentially trusting your account security to Tor exit nodes – which is something you shouldn’t do. There are a number of references here, here, and here on malicious exit nodes.

The second issue with authenticated Tor browsing is that when using Tor you can appear to be browsing from anywhere in the world. This is a great advantage from a privacy and anonymity perspective, but it will almost certainly cause lockouts on your banking, health, and other websites where sensitive data is stored. Similarly, it is a strong security measure for these websites to know which geographic regions you usually log in from in order to detect when your account gets compromised by an attacker on the other side of the world.

General Security Best Practices

Use a Password Manager

Password managers provide great password security as they generate strong passwords and then save them for all the websites you visit. This not only makes your password uncrackable after database dumps (related: Troy Hunt’s Have I Been Pwned? project here), but it also means you will have a unique password on every website – a strong measure compared to most people’s security posture.

KeePass and LastPass are popular password managers.

When using password managers remember the rules on compartmentalization.

Enable Two Factor Authentication Everywhere

On top of strong passwords, you should also enable two factor authentication (2FA) everywhere possible. Nearly every reputable service provides this option now, and if you have sensitive data in an account where 2FA is not possible then you should switch services and remove your data.

2FA is such a strong security measure as it requires not only your password to log in (one factor), but also a second factor that attackers cannot easily access – such as a code retrieved from an SMS to your phone or a code generated in a mobile application. This extra step mitigates attacks after your password is stolen or where attackers attempt to force you to log into a service through a scripting vulnerability.

The Two Factor Auth List lists a wide range of services and whether they support two factor authentication or not. Thanks to @malwareforme for the link.

Log only into Websites Currently being Used

When logging into sensitive websites, you must only log into one at a time. If you have multiple bank accounts at different companies, log into one, logout when you finish, and then log into the next. This prevents a scripting vulnerability in one banking website from compromising data or performing actions on your behalf on the other website. Apply the same logic to every other website that you don’t want your data stolen from.

Checking Your Setup

After creating your secure and private browsing setup, you then need to test that it works. To test your setup, visit BrowserLeaks, and click every option (leak method) on the sidebar. If you see data that shouldn’t be there or if you see data that you are not comfortable leaking in a particular context, then you need to fix it.

Closing Thoughts

As stated in the beginning, this guide is for those who want maximum privacy and security related to their web browsing sessions. Privacy is about preventing leakage of data and minimizing the damage of any future leak. Similarly, security is about reducing the chance of your system being compromised as well as minimizing data that is accessible to any potential attacker. This guide helps you achieve this through blocking and modifying technologies that allow for web-based tracking and browser exploitation.

If you don’t take security and privacy seriously, then you will eventually lose data that is sensitive to you. You can’t then go back in time and fix what is already leaked – you need to secure it before catastrophe occurs.

Original Post: https://gist.github.com/atcuno/3425484ac5cce5298932

Undetected Phishing email with Password Protected PDF

The phishing email is simple, with a PDF file attached.

phishing email

The PDF file appears to be password protected, and you have to click the link and enter the password.

pdf

The link embedded in the PDF file is a shortened URL redirecting to a free web hosting service. Once the free web host takes down the phishing website, the attacker can easily change the mapping of the shortened URL to a new phishing website.

phishing site

Finally, you get the “Purchase Order” PDF file; however, it is a sample purchase order PDF from an invoicing software company.

final pdf

Summary

No malicious code and no malware were used in this phishing campaign. Beware of phishing emails and phishing websites, especially shortened URLs. For any unclear email or website, verify it before opening it or typing in any credentials.

6 DNS Services Protect Against Malware and Other Unwanted Content

Use one of these DNS services to protect your family or business from phishing sites and other unwanted intruders.

While many (but not all) users are familiar with the concept of security software, there are more basic ways to protect unwary surfers from phishing sites, botnets, intrusive advertising and other unwanted visitors: DNS services.

First, a quick primer for those who are unfamiliar with DNS: You utilize the Domain Name System (DNS) every time you surf the Web. Each time you type a site name into the browser, DNS is queried for the IP address corresponding to that particular domain, so the browser can contact the Web server to get the content. (The process of converting the domain name to its IP address is called domain-name resolution.)

There are actually two main types of DNS servers: recursive and authoritative. The ones that are used by most individuals and small companies (and that are covered here) are called recursive DNS and are the default services provided by most Internet Service Providers (ISPs). All the companies listed here offer recursive DNS services. Some of them, however, also sell authoritative DNS services, which allow website owners or hosts to define the Web server IP addresses that their domain names point to and to manage other DNS settings.

Since DNS servers are the middlemen between your browser and website content, there are many third-party DNS services that offer additional functionality for both users and network administrators. These tools can include:

  • Content filtering. This can be conveniently implemented to block adult sites and other unwanted content, while requiring no software on the computers and devices.
  • Malware and phishing blocking. This can be performed by the content filtering tool also, to block sites containing viruses, scams and other dangerous content.
  • Protection against botnets. This blocks communication with known botnet servers so your computer isn’t taken over.
  • Advertisement blocking. This is another type of content filtering, which some DNS services specifically concentrate on.
  • URL typo correction. For instance, if you typed gogle.com it would correct to google.com.

In this article, I identify and describe several of these services. Many — in fact, most — are either completely free of charge or offer a number of free features that might make it worth your while to take a look.

It’s easy to switch to a different recursive DNS service. Simply change the IP addresses for DNS in the Internet settings of your router to apply it to the entire network, or change the DNS settings on select computers or devices. Without further intervention, you’ll receive the DNS service’s preconfigured security or filtering protection. Some services also allow you to create an account to customize the level of protection and messages that appear when a site is blocked.

Remember, the speed, reliability and performance of DNS servers can vary. Slow or poor domain resolution can translate into slower and less reliable web browsing. You can run speed tests on DNS servers (I recommend namebench) so that you can compare their performance at your particular location.

Comodo Secure DNS

Free for: Personal use only

DNS Addresses: 8.26.56.26 and 8.20.247.20

Comodo Secure DNS offers a simple free service for personal use. It is preconfigured to block harmful websites, such as those containing malware, spyware and phishing attempts. Additionally, it claims to offer a more reliable, faster and smarter DNS service than those provided by most ISPs.

Like Dyn, Comodo also sells services that include authoritative DNS services for websites and many other security solutions, such as SSL certificates, secure email services, antivirus and even PCI compliance services.

Comodo Secure DNS
When a site is blocked by Comodo Secure DNS, a warning page is displayed. It shows the reason why the page is blocked and allows the user to disregard and continue to the blocked site anyway. When a user continues to a blocked site, he or she can choose how long to allow access to the site.

In the case of nonexistent or unresponsive domains, users see a page called Comodo Secure DNS Search. Suggested search terms or phrases are displayed based upon the domain they’re trying to visit, in addition to a search field. One big downside of the search: Although the site says the results are powered by Yahoo, only sponsored links are given and are not true search results.

Keep an eye out for future updates from Comodo. Currently in beta, Comodo SecureDNS 2.0 offers customizable content filtering and is also being marketed towards businesses.

Dyn Internet Guide

Free for: Personal or business use

DNS Addresses: 216.146.35.35 and 216.146.36.36

Dyn Internet Guide is a free service offered to the general public for personal or commercial use. Its basic preconfigured service automatically blocks malware and phishing sites, and offers typo correction.

Dyn also offers authoritative DNS services: hostnames for remote access and full DNS solutions for websites.

Dyn Internet Guide

In addition, Dyn offers customizable content filtering if you create an account. You can block up to 30 pre-defined content categories and create custom white- and blacklists. Although it offers an Internet Guide subscription the company says is free, to use it you must sign up for Dyn’s separate, fee-based Remote Access (DynDNS) service. Pricing for Remote Access starts at $25/year (there is a 14-day free trial). Additionally, you must log in every 30 days to keep your free Internet Guide account active.

Dyn offers two other Internet Guide subscriptions: Pro at $10/year and Premium at $20/year; neither requires the Remote Access service if your Internet connection uses a static IP address. Both provide the same functionality — additional static or dynamic addresses, defense plans, whitelists and blacklists — with the more expensive option offering more of each. The Pro and Premium plans also provide access to phone and email support.

When a user tries to visit a site that’s been blocked by the content filtering settings of Internet Guide, an alert page is shown citing the reason why the page is blocked. When a site is detected as malware or phishing via the Internet Guide’s automatic protection, the user is allowed to bypass and continue to the site — unless that particular site or content category has been explicitly blocked via Internet Guide’s settings.

For nonexistent or unresponsive domains, users by default see the Internet Guide showing search results related to the non-working domain with a Google-like look and feel. If you create a free or premium account, you can optionally disable this Internet Guide feature.

FoolDNS

Free for: Personal or business use

DNS Addresses: 87.118.111.215 and 213.187.11.62

FoolDNS provides both free and commercial services, targeted towards home and small business use. It’s primarily designed to block online tracking, profiling and advertisements, but also blocks malware and phishing sites.

The premium services include additional functionality and are offered in two different versions. The Audit version adds reporting, logging and the ability to create white- and blacklists. The Business version adds filtering of 2 million unsafe domains, more reporting capabilities and the ability to customize filtering via 20 predefined categories.

FoolDNS

When a page is blocked — for example, if there is malware detected — a very simple page is shown saying the domain is filtered. No landing page is displayed for nonexistent or unresponsive domains, allowing the Web browser to display its own default error page.

GreenTeam Internet

Free for: Personal or commercial use

DNS Addresses: 81.218.119.11 and 209.88.198.133

GreenTeam Internet provides both free and premium services for homes and small businesses. Its free preconfigured service automatically blocks malware and phishing sites, advertisements and adult-related content, including aggressive, violent and drug-related sites.

GreenTeam Internet

When you create a free account you can customize the content filtering by choosing among three predefined protection levels and 47 predefined categories, and you can create custom whitelists and blacklists. Paid accounts, according to the company, provide “more control, further customization and a wider protection.”

When a site is blocked, the user is notified and told which category the site is classified as. On the blocked page, the user can report the page or send an email to GreenTeam asking to unblock it. Users can also enter their email to be notified if the page becomes unblocked. When using a free or premium account, the local network administrator can also include a customized message on the blocked page.

GreenTeam Internet doesn’t provide a landing page for nonexistent or unresponsive domains, allowing the Web browser to display its default error page in those instances.

Norton ConnectSafe

Free for: Personal use

DNS Addresses: Vary based upon desired protection

Norton ConnectSafe provides three preconfigured DNS servers, free for personal use with no account needed:

  • Security: The most basic service that automatically blocks malware, phishing and scam sites, and uses the DNS addresses of 199.85.126.10 and 199.85.127.10.
  • Security + Pornography: Adds blocking of sexually explicit material; uses the DNS addresses of 199.85.126.20 and 199.85.127.20.
  • Security + Pornography + Other: Adds blocking of other mature content, like alcohol, crime, drugs and gambling; uses the DNS addresses of 199.85.126.30 and 199.85.127.30.

Norton ConnectSafe

There is also a business service that requires a paid subscription and that offers the same first two levels (via different DNS addresses); the third level blocks P2P file sharing instead of other mature content.

When they hit a blocked site, users see a page saying it’s blocked and why, and there’s a link to email Norton to dispute its blocking. There are no third-party ads on the page, but an ad for Norton products does appear.

The page shown for nonexistent or unresponsive domains doesn’t contain advertisements, but offers a search field that will display results powered by Ask.com if the user decides to perform a search.

OpenDNS

Free for: Personal or business use for Enhanced DNS; personal use only for other home and family services

DNS addresses: 208.67.222.222 and 208.67.220.220 (“FamilyShield” DNS addresses: 208.67.222.123 and 208.67.220.123)

OpenDNS is one of the most popular third-party DNS providers around, offering both free and premium services for homes and businesses. Its most basic free service is called Enhanced DNS, which is provided via the company’s main DNS addresses and is preconfigured to block malware and phishing sites.

OpenDNS

OpenDNS also offers different service options for personal home use:

  • OpenDNS FamilyShield: Similar to Enhanced DNS, but also preconfigured to block adult content.
  • OpenDNS Home: Similar to Enhanced DNS, but offers customizable filtering and security options, including white- and blacklists, customizable messages for blocked pages and basic logs and stats. It uses the same main addresses as Enhanced DNS but requires you to create an account.
  • OpenDNS Home VIP: Premium service similar to the Home service with usage stats and support, priced at $19.95 per year. It uses the same main addresses as Enhanced DNS and also requires you to create an account.

OpenDNS’ basic business service, called Umbrella, offers advanced security and management, useful for larger networks and enterprise environments. Umbrella Prosumer handles up to five users, while the Umbrella service, which caters to larger businesses, is offered in three different levels with varied advanced features and functionality.

When a webpage is blocked, users see a simple page saying it’s blocked and why. Network administrators who are using a free or paid account can add a note and contact form to the page so the user can request the website be unblocked. When using the Umbrella services on a business network, administrators can enter bypass codes to instantly unblock websites. Similar functionality is available when using the OpenDNS home services on a Netgear router (according to Netgear, most of its newer routers support it) with Netgear’s Live Parental Controls.

Users who try to access a nonexistent or unresponsive domain will see the browser’s default error page. OpenDNS’ free services used to have advertisements on this page, which OpenDNS called the Internet Guide. However, as of June 2014, all advertisements have been removed.

This story, “6 DNS Services Protect Against Malware and Other Unwanted Content ” was originally published by Computerworld.

Original Post: http://www.cio.com/article/2875919/malware/6-dns-services-protect-against-malware-and-other-unwanted-content.html

Understanding Malware Terminology for Beginners

Introduction
The world that we live in is constantly changing; it is always evolving. The sophistication of the technology at the disposal of both those who “wear” a white hat (the good guys) and those who wear a black hat (the bad guys) is increasing at a rapid rate. As new mitigation tools are released, new attack methods and malicious software are produced; we are constantly playing catch-up with the bad guys. Whether your occupation falls under the technology category or not, we all have read about–and likely have been infected at one time or another with–some type of malware. Someone with a technical background or who works in the field certainly has some inherent knowledge of the several different terms that are used to describe different types of malware, attacks, etcetera. For someone with little-to-no technological background, though, these same terms may seem like a foreign language. I wrote this article to address this issue: to briefly define several malware-related terms in an easy-to-understand manner. Disclaimer: The below definitions/descriptions have been derived from my knowledge; my understanding of each term.


Malware Classifications
Malware

Malware is essentially any software that performs actions that are not known and authorized by the user. While most of the malware that we read about in the news or on forums has damaging effects on the infected device, the term malware also encompasses less damaging software, such as PUPs (potentially unwanted programs).

Virus

Viruses are a type of malware that require user intervention to infect a device. What this means is that the victim must actually run the software that contains the virus’ code. Viruses have often been spread via e-mail, e.g. through “chain e-mails” as attachments that are named as something else. Rather than masquerading as a legitimate application, viruses are often files that contain nothing but malicious code, which places the burden on the sender to convince their target to download and launch the malicious software.

There are several types of viruses, but one that I will mention is the macro virus. Macro viruses are spread via macro code (code that can be embedded inside a Microsoft Office document, e.g. a Microsoft Word document or a Microsoft Excel spreadsheet) that is launched when the document is opened. A very large quantity of macro viruses is still being spread in the wild today.

Trojan

Trojans are a type of malware that also require user intervention to infect a device. Like viruses, Trojans require that the victim run the software that contains the Trojan’s code in order for it to successfully compromise the victim’s device. However, Trojans (hence the name “Trojan Horse”) differ from viruses in that they often appear to be a legitimate application that the victim may have been searching for. Often, the malicious code launched by a Trojan is actually appended to the end of a legitimate application to better deceive the target.

Additionally, there are several types of Trojans. The three that I believe are worth mentioning are:

Trojan Downloader – A Trojan that, when launched, downloads additional file(s) that actually contain the final payload (e.g. ransomware, a DLL containing a backdoor).

Trojan Injector – A Trojan that, when launched, injects malicious code into another process, often a legitimate process, to evade detection.

Trojan Dropper – A Trojan that, when launched, drops an additional file that (usually) contains the malware’s payload: typically an executable file or DLL containing an additional payload (i.e. the final, most damaging payload) and/or used for persistence (maintaining access to the compromised device).

Worm

Worms are a type of malware that differ from Trojans and viruses. Worms cause arguably the most damage to the device(s) that they compromise; this is because worms are self-replicating. Worms can spread without user intervention, and in effect, a single worm infection can spread to an entire network. Worms in the news include Stuxnet, Koobface, and Conficker. I set up a vulnerable device and let it run for a couple weeks and logged hundreds of unique Conficker variants within the first week on a brand new device. Worms are still out there, and Conficker is still very active.

Ransomware

Ransomware has been around for quite some time, though it made national headlines a few years ago with the development and spread of CryptoLocker. As can be derived from the name, Ransomware is a type of malware spread by attackers with the goal of demanding a ransom from their victims; most often for financial gain.

Specifically, crypto ransomware will go through all of the directories, files and sometimes network shares and mapped drives of the victim’s device. It will open supported files (which vary by variant) and then encrypt the contents of each supported file. This renders the files useless, and if a file contains pertinent data and no backup of it exists, this can be quite damaging to an individual or to an organization as a whole. Ransomware authors generally demand a ransom payment, usually paid in Bitcoin, in order to restore affected files to their previous state. However, trusting criminals and funding their activity is never recommended.

Rootkit

Malware that is capable of evading anti-malware utilities and even the affected device’s operating system itself, and that may be extremely hard to remove. Rootkits often infect the MBR (master boot record) of the targeted device, and are distributed by attackers as a “hard-to-detect”, persistent method of accessing their targets. Rootkits often function as keyloggers, and their removal often requires the user to format their device; deleting the infected partition and re-partitioning the device is the most accepted remediation method.

Many people think that system restores are an effective method of restoring a compromised device. In general they are not, and even less so in the case of a rootkit infection. Rootkits are generally installed as drivers; as new restore points are created, older ones are purged, and it is important to remember that these restore points include copies of drivers and other configuration items. This means that, eventually, the system restore points will become infected as well.

Keylogger

As the name states, keyloggers record keystrokes on the affected device, usually dumping all logged keystrokes to a file in a discreet location, to later be sent to the attacker, often via SMTP (e-mail). Keylogging is an easy way for attackers to obtain the usernames, passwords, and credit card numbers of their targets.

Remote Access Trojan (RAT)

A type of malware, specifically under the Trojan category, that allows a remote attacker to gain full control of an infected device.


Additional Terminology
Zombie (or “Bot”)

A zombie is a device that has been compromised with malware that listens for commands from a remote attacker (via a command-and-control server), and that the remote attacker often has complete control of. Zombies comprise a botnet, and are most often leveraged when carrying out DDoS attacks.

Command-and-Control Server (or “C2 Server”)

A command-and-control server (or “C2 Server”) is a server dedicated to managing a botnet (a network of zombies). While C2 servers can be dedicated devices set up and configured by the attacker(s), legitimate websites with known vulnerabilities (commonly, websites running vulnerable versions of WordPress) have often been compromised by attackers and converted into C2 servers. It is not uncommon for an attacker to take control of a vulnerable website and implement the command-and-control functionality in the background, remaining undetected by the actual site owner for quite some time.

Exploit Kit

Many define exploit kits as a type of malware but I disagree. An exploit kit is a full software suite (usually a complete web application written in PHP) that is used to distribute malware in an automated fashion, leveraging exploits to install the malware on vulnerable devices without user intervention (other than browsing a specially crafted page).

Exploit kits serve a landing page that carries out the core functions; this page will scan the target to determine its browser, browser version, installed plug-ins, and other identifying information. Exploit kits have an arsenal of commonly known vulnerabilities, and sometimes zero-day vulnerabilities. If the target is found to be vulnerable to one of the vulnerabilities in its arsenal, the exploit kit will then leverage the vulnerability to force the download and execution of malware onto the target system.

Zero-Day

A zero-day, or zero-day vulnerability, is a vulnerability that was not previously known to the security community or to the vendor. Attackers exploit these previously unknown vulnerabilities to compromise even the most recently updated, hardened devices. Zero-days are often kept secret for as long as possible by attackers, and are sometimes even sold in “underground” markets.

Obfuscate

Often we see the term "obfuscated" when reading malware analysis reports, but what does this mean? Well, to obfuscate something essentially means to hide it or make it illegible. Malware authors obfuscate their code to render it unreadable and hide its malicious nature; often you will see malicious JavaScript files that are obfuscated, although in my experience they’re not especially difficult to deobfuscate.

The obfuscation of code is done not only to render it illegible; different obfuscation methods also lead to different file sizes, giving the file containing the obfuscated code a different signature in order to evade anti-virus detection.

Deobfuscate

Referencing the above definition of obfuscate, to deobfuscate is to undo the obfuscation: to take illegible, masked code and turn it into code that can be understood and interpreted. Deobfuscation routines are used to deobfuscate code, and are included with obfuscated code in order to convert it into a form that can be interpreted by the (host) device.

Packer

Packers are used to obfuscate code, in a sense. Essentially, a malware author takes a malicious binary file (executable, DLL, etc.) and scrambles the code to change the file’s signature and evade anti-virus detection, increasing the rate of successful infection.


Final Thoughts
I hope that the above terms and their definitions are simple enough to supplement your current understanding of the several different types of malware and additional malware/analysis terminology. Remember, the above are only a subset of the terminology used in malware analysis and forensics. If you wish to see some terms added, or have a suggestion, feel free to chime in with your thoughts.
Original Post: https://www.ciphertechs.com/understanding-malware-terminology-for-beginners/

‘Hacking Team’ Gets Hacked! 500GB of Data Dumped Over the Internet


Yes, sometimes even the Hackers get Hacked.

Hacking Team, one of the most controversial spyware and malware providers to governments and law enforcement agencies all around the world, has allegedly been hacked, with some 500 gigabytes of internal data leaked over the Internet.
The leaked data indicates that despite its denials, the spyware company did sell powerful spyware tools to oppressive regimes in Sudan, Bahrain, Ethiopia and Saudi Arabia.

Massive Data Breach at Hacking Team

The unknown hackers not only managed to make 500 GB of client files, financial documents, contracts and internal emails publicly available for download, but also defaced Hacking Team’s own Twitter account, replacing the company’s logo with “Hacked Team.”
Hacking Team, also known as HT S.r.l, is an Italian company known for providing powerful surveillance software Remote Code System (RCS) to Governments and law enforcement agencies.
The company previously claimed to only deal with ethical governments, although they have never formally disclosed the list of names and businesses.
However, the data breach that happened to Hacking Team appears to have revealed the list of its clients somehow.

Hacking Team’s Twitter Account Defaced

At the time of writing, the Twitter account linked to Hacking Team is still compromised, with its new bio reading:

“Developing ineffective, easy-to-pwn offensive technology to compromise the operations of the worldwide law enforcement and intelligence communities.”

A tweet composed by unknown hackers reads, “Since we have nothing to hide, we are publishing all our emails, files, and source code,” with the link to around 500GB of data.

Leaked Data Posted Online

The leaked data has been uploaded to BitTorrent, allegedly including email communications, audio recordings, and source code. The data discloses Hacking Team’s customers along with the dates of their software purchases.
A few hours later, the list of alleged Hacking Team customers, including the past and current clients, was posted on Pastebin. The most notable and previously unknown ones are the FBI, Spain, Australia, Chile, and Iraq, among others.

Hacking Team’s Christian Pozzi Twitter Account Hacked

The Twitter account of Christian Pozzi (@christian_pozzi), a Hacking Team representative who was personally exposed by the incident, was also hacked a few minutes ago.
Hacking Team has yet to verify that it has been breached and that the leaked information is legitimate, so it is hard to say whether the leaked data is real without any confirmation from the company itself.
Original Post: http://thehackernews.com/2015/07/Italian-hacking-team-software.html

A TIMELINE OF GOVERNMENT DATA BREACHES

After it was revealed in June that two large-scale hacks at the Office of Personnel Management resulted in the theft of millions of employee personnel files and sensitive security-clearance information, members of Congress called a series of committee hearings to get to the bottom of the events that led to the hacks.

Those hearings landed OPM Director Katherine Archuleta in the hot seat, where she was grilled for her handling of the agency’s data security and IT practices in the lead-up to the breaches. In one heated exchange last week, Sen. John McCain struck out at Archuleta for withholding information about the breaches, and for not herself meeting with the FBI after the hack occurred. Just one day before, House Oversight Committee Chairman Jason Chaffetz accused Archuleta of lying outright about an OPM data breach early last year.

But lawmakers also spent a considerable amount of time at these hearings trying to clear up basic details about the hacks. Archuleta and her colleagues at the Homeland Security Department were repeatedly asked about the number, scale, and timelines of data breaches that affected OPM and two contractors that provided background-check services for the personnel agency.

The timelines below are based mainly on testimony from Archuleta and Andy Ozment, assistant secretary for cybersecurity and communications at DHS, supplemented by information from news reports.

USIS Security Breach

USIS was the largest contractor tasked with providing background-investigation services for OPM when its database was hacked. That hack, which likely came from China, resulted in the loss of more than 25,000 records belonging to DHS employees, and it led OPM to terminate its contracts with USIS. The contractor later went bankrupt.

First OPM Security Breach

Officials say that the first hack that targeted OPM itself didn’t result in the loss of employee records, but the attackers—likely China again—did make off with some documents about OPM servers.

Chaffetz called these documents “blueprints, essentially the keys to the kingdom,” but OPM and DHS officials pushed back on the “blueprint” characterization. Donna Seymour, the OPM’s chief information officer, said they were “outdated security documents about our systems and some manuals about our systems,” and Ann Barron-DiCamillo, a top DHS cybersecurity official, said they did not include “proprietary information or specific information around the architecture of the OPM environment.”

First KeyPoint Security Breach

After OPM’s contracts with USIS for background checks were terminated, they were shifted to KeyPoint, another large government contractor. But it wasn’t long before KeyPoint discovered that it, too, had been hacked. Nearly 50,000 DHS workers were notified that their personal information may have been exposed, but Barron-DiCamillo said her agency couldn’t confirm that any data was actually stolen.

After the breach, KeyPoint revamped its security systems, and OPM decided to continue its relationship with the contractor.

Second KeyPoint Security Breach

In June, it was revealed that another, separate data breach was discovered at KeyPoint at roughly the same time as the breach made public last year. Less is known about this hack, including when the breach began, but reports indicate that as many as 390,000 records may have been compromised.

Further, one of the two KeyPoint breaches appears to have led directly to the hack at OPM that began in October. Archuleta confirmed to lawmakers that the stolen security credentials of a KeyPoint employee were used to get into OPM’s servers in October, resulting in the theft of 4.2 million employee records.

Second OPM Security Breach

Government officials remain doggedly mum about the scope of this data breach, which involves sensitive security-clearance information on current and former federal employees. The breach began in May 2014, but a security update that rolled out in January curbed most of the hackers’ activity on the network, according to a DHS official—even though the breach would not be discovered for months.

Estimates of the size of this breach range widely. Reports place the potential damage as high as 18 million records, a number that Archuleta has repeatedly disputed without offering an official alternative. But Chaffetz, in last week’s contentious committee hearing, warned that the number could be even higher, pointing to the 32 million total records that OPM keeps as the upper bound of the possible extent of the data theft.

The personnel agency has not yet sent notifications to employees who may be affected by this breach, but it is expected to make an announcement about the scope of the hack as soon as this week.

Third OPM Security Breach

Although the White House has not officially attributed this breach to a foreign country or criminal group, it has all but acknowledged that Chinese hackers were behind the theft of 4.2 million employee personnel records. This data belongs to OPM, but it is held offsite on a server that belongs to the Interior Department. The hackers used a KeyPoint employee’s credential, gleaned from an earlier breach, to gain access to the data, which did not include any security clearance information.

CSID, a company that provides identity-theft protection services, has notified every affected federal employee. The company says that 500,000 people have signed up for an 18-month protection plan, offered free of charge by OPM, which paid about $20 million to cover affected individuals.

Paypal Phishing Anatomy

Phishing email with the fake display name “PayPal Support” and the subject “We’ve limited access to your PayPal account”, chosen to get your attention.

After you click on the link, it brings you to a phishing site hosted at GoDaddy.

Finally, the phishing site redirects you to the real PayPal website.

At the time of publishing this post, the phishing URL had been detected by some security vendors.
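As an added illustration of the anatomy above (not code from the original post), the following Python checks a constructed message for the tells the post describes: a brand name in the display name while the sender's domain is not the brand's, an urgency lure in the subject, and links to hosts outside the brand's domain. The sender address, hostnames and the BRAND_DOMAINS set are placeholders chosen for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the phishing e-mail in the post: display name
# "PayPal Support", an urgency subject, and a link to a site hosted elsewhere.
# All addresses and hosts are placeholders, not real indicators.
SAMPLE_EMAIL = """\
From: "PayPal Support" <alerts@example-mailer.test>
To: victim@example.test
Subject: We've limited access to your PayPal account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We've limited access to your PayPal account.</p>
<p><a href="http://paypal.example-hosting.test/signin">Log in to restore access</a></p>
</body></html>
"""

BRAND = "paypal"
BRAND_DOMAINS = {"paypal.com"}  # assumption: domains the brand legitimately uses


def _registered_domain(host):
    """Crude registrable-domain extraction (last two labels).
    Good enough for the demo; a real check would use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw_email):
    """Return a list of indicator strings found in the message (empty if none)."""
    msg = message_from_string(raw_email)
    indicators = []

    # 1. Display name impersonates the brand, but the address domain is not the brand's.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = _registered_domain(address.split("@")[-1]) if "@" in address else ""
    if BRAND in display_name.lower() and sender_domain not in BRAND_DOMAINS:
        indicators.append(f"display-name brand mismatch: '{display_name}' from {sender_domain}")

    # 2. Urgency lure in the subject ("limited access", "suspended", ...).
    subject = msg.get("Subject", "")
    if re.search(r"limited|suspend|verify|unusual", subject, re.I):
        indicators.append(f"urgency lure in subject: '{subject}'")

    # 3. Links whose registered domain is outside the brand's, even when the
    #    brand name appears as a subdomain label (paypal.example-hosting.test).
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for href in re.findall(r'href=["\']([^"\']+)["\']', body, re.I):
        host = urlparse(href).hostname or ""
        if _registered_domain(host) not in BRAND_DOMAINS:
            indicators.append(f"link to non-brand host: {host}")
    return indicators


if __name__ == "__main__":
    for indicator in phishing_indicators(SAMPLE_EMAIL):
        print("[!]", indicator)
```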
