Social Icons

Sunday, September 20, 2015

Online Malware Analysis Tools : Listed with links

1.   Typically analyzing malware requires a great deal of knowledge in computers and expects basic knowledge of terminal commands,configuring the tool correct and right usage of advanced tools. As seen in my last post about Cuckoo usage and configuration,it is actually complex and confusing at times,now what if one can use Cuckoo without doing anything like that..no installation,no configuration,no testing and bugging...one can directly use Cuckoo directly for a sample file analysis.As we realize the power online tools,its becomes actually easier for anyone to analyze a file’s behavior by simply uploading the file to the free on-line services for automated analysis and review the detailed and yet easy to understand report.This way not only the analyst gets a quick report and analysis but more importantly he gets a variety of reports which can be compared and analyzed further leading to expedited pace of understanding and clarity of the malware architecture and working.Here I list out my choices of best on-line file/malware analyzers that can be used for free with address and screenshots of sample usage....

ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode.In only a few minutes ThreatExpert can process a sample and generate a highly detailed threat report with the level of technical detail that matches or exceeds antivirus industry standards such as those normally found in online virus encyclopedias. 


3.   Wepawet at http://wepawet.iseclab.org/

Wepawet is a free service, for non-commercial organizations, to detect and analyze web-based threats. It currently handles Flash, JavaScript, and PDF files.But the upload size of the file is limited to 2 Mb and below.

4.   IObit Cloud at http://cloud.iobit.com/

IObit Cloud is an advanced automated threat analysis system. It uses the latest Cloud Computing technology and Heuristic Analyzing mechanic to analyze the behavior of spyware, adware, trojans, keyloggers, bots, worms, hijackers and other security-related risks in a fully automated mode


5.   Comodo Instant Malware Analysis at http://camas.comodo.com/

Comodo Instant Malware Analysis is one of the easier to use and understand online sandbox service wherein no submission form is required nor an email address nor solving a CAPTCHA code. Simply browse the file that you want to analyze in Comodo sandbox, tick the box to agree with their terms and click the Upload file button. The file will then be analyzed in real time and the report page will continuously refresh by itself until the analysis has been completed.




6.     ViCheck at https://vicheck.ca/

Vicheck.ca is an advanced malware detection engine designed to decrypt and extract malicious executables from common document formats such as MS Office Word, Powerpoint, Excel, Access, or Adobe PDF documents. ViCheck will detect the majority of embedded executables in documents as well as common exploits which download malware from the internet.ViCheck is a free service designed to help the public detect new sophisticated malware which is often difficult to detect with common commercial anti-virus programs.


  7.   Anubis at https://anubis.iseclab.org/

Anubis is another popular online service to analyze unknown Windows executable files. Four report formats (HTML, XML, PDF and Text) are available to download once the analysis has been complete.



8.   GFI Threattrack at http://www.threattracksecurity.com/

GFI SandBox is meant for OEM or cloud providers and fortunately they’ve created a webpage that offers free analysis called ThreatTrack which uses their sandbox technology. ThreatTrack supports analyzing any Windows executable file, office documents, PDF files and even flash ads that is mostly not accepted by other online sandboxes.


 9.   Joe sandbox cloud at https://www.file-analyzer.net/

Joe Sandbox is the automated malware analysis system which implements any state of the art program analysis technology from coarse to fine grained including dynamic, static and hybrid. Joe Sandbox’s analysis spectrum enables to discover any behavior including hidden or obfuscated parts.


10.   EUREKA:An Automated Malware Binary Analysis Service at http://eureka.cyber-ta.org/

Eureka is a binary static analysis preparation framework. It implements a novel binary unpacking strategy based on statistical  bigram analysis and coarse-grained execution tracing. Eureka incorporates advanced API deobfuscation capabilities to facilitate the structural analysis of the underlying malware logic.


11.   XecScan   at http://scan.xecure-lab.com/

The Xecure Lab Scanner (XecScan) gives the security community and general public on-demand analysis of any suspicious document file where no installation or registration is required to enjoy the service. Though it’s free, XecScan is capable of finding advanced malware, zero-day, and targeted APT attacks embedded in common file formats.

12.    Malwr at https://malwr.com/submission/ [Based on Cuckoo]

Malwr is a free malware analysis service and community launched in January 2011. One can submit files to it and receive the results of a complete dynamic analysis back.Malwr is operated by volunteer security professionals with the exclusive intent to help the community. It's not associated or influenced by any commercial or government organization of any sort.Malwr is mainly based on an open source malware analysis tool called Cuckoo Sandbox as explained in my last post at http://anupriti.blogspot.in/2015/09/cuckoo-sandboxautomatic-malware.html



In fact as you google,you will find thousands of links and websites offering free online malware analysis but one has to be careful too while submitting any file to such sites.......so happy analyzing for now.....

Saturday, September 19, 2015

Cuckoo SandBox:Automatic Malware Analysis Tool

1.   Cuckoo Sandbox is a malware analysis system tool which allows you to throw any suspicious file at it and in a matter of seconds it will provide you back some detailed results outlining what such file did when executed inside an isolated environment.It is written 100% in Python, the architecture is very interesting and it is based on a virtualisation engine like Virtual box to maintain a “fresh” pc always at hand to run the malware called the client, inside this client it is run as an agent that is also written 100% in Python to monitor the different calls that the malware do to the dll’s, host that try to connect, etc.The connection between the Server and the client is done through an isolated network set up by virtual box, it is configured that way in order to avoid the propagation of the malware and to communicate effectively between the client and the server to send the analysis report, infected binaries, etc.This post ahead brings you a step by step screenshot to download and configure this excellent tool,will be good for beginners in cyber security/penetration testing to play with and see results immediately.Though from the looks of this post below,the procedure looks cumbersome and complex,but I have made attempts for a naive to understand and follow up screenshot wise,any queries still will be most welcome :

WHAT IT DOES PRECISELY?

2.   Cuckoo can produce the following types of results:

- Files being created, deleted, and downloaded by the malware during its execution
- Network traffic trace in PCAP format(as we get with wireshark and ethreal)
- Traces of win32 API calls spawned by the malware
- Memory dumps of the malware processes
- Screenshots of the Windows desktop as it happens during execution of the malware
- Full memory dumps of the machines

KINDS OF FILES FOR ANALYSIS

3.   The following kinds of files can be analysed and put for check in cuckoo :

- DLL files
- Windows executables ie .exe
- Microsoft Office docs
- URLs
- Typical PDF documents
- PHP scripts
- Anything actually!!!

More about Cuckoo at the video below and http://www.cuckoosandbox.org/

PRELIMS TO SETUP YOUR SYSTEM 

4.   Be ready with the following :

-  Linux OS as parent OS
- Virtual Box installed with Windows 7/Xp
- Adequate RAM around 4 GB in all with the parent machine.
- i3 processor and above will help u lessen wait and make u patient

5.   Python comes preinstalled with the Ubuntu Desktop,but we need some extra python libraries  as follows :

Pydeep
Sqlalchemy
Bson
DPKT
Yara
MAEC Python bindings
Jinja2
Magic
Chardet
Pymongo
tcpdump
mongodb
Volatility
Libvirt
Bottlepy
Django
Pefile

Step 1

Firstly we will install all the above mentioned libraries vide a single command.You need to slect the below text and paste as it is in the terminal

    | sudo apt-get install mongodb python-sqlalchemy python-bson python-dpkt python-jinja2 python-magic python-pymongo python-gridfs python-libvirt python-bottle python-pefile python-chardet tcpdump -y


Besides above,there are other python libraries that need PIP for installation.Pip is an alternative to Easy Install for installing Python packages and is largely recommended when used in virtual environments.

|   sudo apt-get install python-pip python-dev libxml2-dev libxslt-dev
|   sudo pip install django cybox 
|   sudo pip install MAEC

another important library tcpdump is required to be configured to allow Cuckoo to make use of it without requiring root.

|  sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump 

Two additional software Yara and Pydeep too need to be installed and the cuckoo documentation states these need to be installed separately, however Yara is provided in the Ubuntu universe repository. but before installing Pydeep , we need to install some dependencies with the following command line to install the following :

Build-essential
Git
Libpcre3
Libpcre3-dev
Libpcre++-dev

sudo apt-get install build-essential git libpcre3 libpcre3-dev libpcre++-dev

Cuckoo requires Yara 1.7 or higher and to install yara,run the following command

sudo apt-get install yara -y

Pydeep depends on ssdeep 2.8+ and ssdeep needs to be compiled from source and likewise for Pydeep. Before doing so, a few packages are needed. The following commands will work :

|   sudo apt-get install build-essential git python-dev -y
|   wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.12/ssdeep-2.12.tar.gz/download -O ssdeep.tar.gz

|   tar -xf ssdeep.tar.gz
|   cd ssdeep-2.12
|   ./configure
|   make
|   sudo make install
|   ssdeep -V

|   2.12(output for above)


We also need to install “git’:

sudo apt-get install git

Now cd to the directory Download, clone the pydeep project and install manually:

git clone https://github.com/kbandla/pydeep.git

cd pydeep

sudo python setup.py install

Install Yara

sudo apt-get install libtool automake

Then download yara form the git repository and install it:

cd && cd Downloads

wget https://github.com/plusvic/yara/archive/2.1.0.tar.gz

tar -xvzf 2.1.0.tar.gz

cd yara-2.1.0

chmod a+x build.sh

./build.sh

sudo make install

Now we need to install yara-python with the following commands:

cd yara-python

sudo python setup.py install

Volatility supports memory dumps from all major 32- and 64-bit Windows versions and service packs including XP, 2003 Server, Vista, Server 2008, Server 2008 R2, Seven, 8, 8.1, Server 2012, and 2012 R2 but in recent past now on supports Linux memory dumps in raw or LiME format and include 35+ plugins for analyzing 32- and 64-bit Linux kernels from 2.6.11 - 3.16 and distributions such as Debian, Ubuntu, OpenSuSE, Fedora, CentOS, and Mandrake.VOLATILITY is to be installed next,we need the following commands:

cd && cd Download

wget wget http://volatility.googlecode.com/files/volatility-2.3.1.zip

Once u download this, extract it and install it:

unzip volatility-2.3.1.zip

cd volatility-2.3.1

sudo python setup.py install

Installation time now for  Cuckoo

First we need to clone the git directory wherever we want to install Cuckoo, and we install it in /opt directory with the following commands:

cd /opt

sudo git clone https://github.com/cuckoobox/cuckoo.git

sudo chown -R user:usergroup cuckoo

Where user:usergroup is the user used to login to the ubuntu machine and the group is the group to which user belong

Now we shift our attention to configuring networks for Virtual Box and parent machine.So I assume you have installed Windows 7 in virtual box with Adobe,Microsoft Office and a Mozilla/Chrome browser.



 Configure as shown next below :






Vide the above,the two IP addresses I have configured to ping are :

Parent/Host OS : 192.168.56.1
Virtual Windows Machine : 192.168.56.101

Just ping from each IP to other,if they ping all is set now to work ahead.

and one important step that remains is to configure the conf files in the cuckoo configuration,Few important configuration files that we effect to work with are mentioned below with brief functionality:

cuckoo.conf : This configuration file contains information about the general behavior and analysis options in Cuckoo Sandbox.
machinemanager.conf : This file holds the information about your virtual
machine configuration: Depends on the name of virtualization that we used.
processing.conf : This file is used for enabling/configuring the processing of modules.
reporting.conf : This file contains information about reporting methodologies.

There are a few things required to be changed in the configuration files as follows:
[I used gedit to edit and make amends to these conf files]

/opt/cuckoo/conf/cuckoo.conf

[cuckoo]

memory_dump = on

[resultserver]

ip = [ip address of the vboxnet0 interface, to check it issue on terminal ifconfig vboxnet0, usually 192.168.56.1]

/opt/cuckoo/conf/virtualbox.conf

[cuckoo1]

label = [Name of the Windows guest virtual machine as configured on VirtualBox]

ip = [ip address configured i the windows guest]

snapshot = [the name of the snapshot taken with virtual box]

/opt/cuckoo/conf/memory.conf 

[basic]

delete_memdump = yes

/opt/cuckoo/conf/processing.conf 

[memory]

enabled = yes

[virustotal]

enabled = yes

key = [key of the virus total API, could be obtained registering in http://www.virustotal.com

/opt/cuckoo/conf/reporting.conf 

[maec40]

enabled = yes

[mongodb]

enabled = yes

Now we can run Cuckoo after all the hardwork :

run the command as shown below  and you should get the screen as below :

sudo python /opt/cuckoo/cuckoo.py



Now we need to do a submission of a file vide a script as shown below :

python /opt/cuckoo/utils/submit.py —package PACKAGE PATH_TO_FILE

or as I type for my screen shot command :

python /opt/cuckoo/utils/submit.py /home/cuckoo/Desktop/cuccccck/shared/malware.pdf


or there is a way for a web interface too :

cd /opt/cuckoo/utils and then run ./web.py as shown below :




Now you r ready to analyse with the Cuckoo installed....next post will focus on analyzing the files with Cuckoo...........

Friday, September 18, 2015

1 millions plus Profile Views

1. When you look at your profile on Google, you can see your total number of views that means you can tell how many times your content has been seen by other people, including your blog posts and profile page.When you look at someone else’s profile or page, you can also see their total number of views. 

2. Just crossed a Million plus views on my page.....incl blog...thought to share.Not a big deal though viz a viz established techno blogs who have hits in billions....


 

Saturday, September 12, 2015

vCard Vulnerability : WhatsApp

1.     WhatsApp,the exceedingly renowned application that has actually swung around the way we all chat, talk, share and do so many things has so many PROs but over this small period of time since its inception it has also been the quarry of cyber criminals. With a user base as strong as 900 million active users in Apr 2015,any vulnerability in the architecture cosmos is destined to be a remunerative lure for any cyber criminal. A recent vulnerability in the form of simply sharing a vCard with other user discovered by Check Point security researcher Kasif Dekel has come to the fore. It involves simply sharing the seemingly guileless vCard with the victim and as the victim clicks the vCard, his task his over since rest will be done in the background by the malicious code terra incognita to the user. This vCard actually exists as an executable file and gets into action the moment it gets clicked by the user in the application. 
 
 

RESOLVED by update from WhatsApp 

2.   WhatsApp affirmed and recognized the security egress and have released the fix in all versions greater than 0.1.4481 and blockaded that especial lineament. 

How it Happens? 

3.   To activate the code, Kasif Dekel ascertained an attacker could just inject the command to the name attribute of the vCard file, separated by the ‘&’ character. When executed, it will attempt to run all lines in the files, including controlled injection line. Once such a contact is made, all an attacker has to do is share it via the normal WhatsApp client. 

What made the application Vulnerable? 

4.    WhatsApp Web allows users to view any type of media or attachment that can be sent or viewed by the mobile platform/application. This includes images, videos, audio files, locations and contact cards.Thus the default action runs for the vCard for running the code whilst being understood as sharing the contact details. 
 
What can it do ?
 
Once the code is activated,it is bound to take complete control over the target machine and will definitely monitor the user’s activities and use the target machine to spread malicious malwares and viruses ahead.

Timelines by CHECKPOINT on the vulnerability 
 
    August 21, 2015 – Vulnerability disclosed to the WhatsApp security team.
    August 23, 2015 – First response received.
    August 27, 2015 – WhatsApp rolls out fixed web clients (v0.1.4481)
    September 8, 2015 – Public disclosure 

Thanks CHECKPOINT

Monday, August 17, 2015

Kali Linux 2.0 : The new release has arrived

Kali Linux ,is a well known Penetration testing distro and also contains a plethora for digital forensics, is widely used by ethical hacker community across the globe and is maintained and developed by the organization known as “Offensive Security”. It comes with over 650 tools pre-installed that help  perform tasks like network analysis, ethical hacking, load & crash testing etc. It is powered by Linux kernel 4.0 and has enhanced support for different graphics cards and desktop environments.The most recent version of Kali has just been released few days back and here I bring you the installation step by step screen shot being installed in Virtual Box.








 Choose Install above



















The desktop boots to the following screen...thats it... You are ready to go....

Wednesday, August 12, 2015

Green Computing and Security Aspects

Green computing is a buzzing word in the IT sector in past few years for a  substantially serious reason that abridges with futurity that may turn to be a perturbing factor for the succeeding generations if not planned and given due concern today. Given the quantity of indisputable E-waste being generated across globe, the concern is actually flagitious. Any reader amply clear on green computing may not be able to relate of what Information security domain has got to do with green computing, but alas there is a connect as I decipher ahead in this article which got published in CSI Communications journal by Computer Society of India in this months issue.The link to the article is http://www.csi-india.org/communications/CSI%20Aug.%2015%20Combine.pdf


Sunday, July 05, 2015

Whatsapp Chat History : How to avoid chat backing up?

1.    WhatsApp has been one of the revolutionary social networking application on the lines of various past hits like Facebook,one time orkut etc and today has a huge user base in billions exchanging all kinds of official,unofficial,personal chat kind of communications.Off course keeping a backup of all these chats is sometimes essential and in few cases for whatever reasons of the user base it is not required....the users wanna refrain from backing up anywhere any kind of history..no tell tale signs to be recovered...Although I have seen people ensuring themselves deleting the chat as it happens but that’s not a technically sound way to ensure nothing is being backed up

2.   For those who want to ensure a back up ...Daily at 0400 am the Whatsapp Auto backup is taken by the app itself so no need to worry for this and if you switch off or activate flight mode at night then one might need to take manual backup.For those who do not want any backup , a simple procedure as shown below will ensure a blank backup.

3.   Goto your Android application screen and search for MyFiles :

Choose the location where you have the default whatsapp files..in my case the default saving location is internal sd card.Click this and you look for the Whatsapp folder.

Further go inside Whatsapp folder and look for Databases....delete every thing inside this before 0400 cycle comes again.That should work....here the 0400 cycle backups the entire thing but defacto there is nothing to upload and backup.



Sunday, June 21, 2015

BITWHISPER: Hidden Channel between Air Gapped Computers using Thermal Manipulations

1.   Any Cyber Security Policy in an organisation makes a clear and confident mention of the term AIR-GAP to reduce any kind of breach between a corporate Intranet PC/Standalone PC and the Internet.Sadly and surprisingly no more it is safe.Yes...the AIR-GAP is possible to be breached.Researchers at the Ben-Gurion University of Israel have recently developed a relatively new method of siphoning classified data off of air-gapped systems called “BitWhisper.” 

2.   The team has developed a method of using CPU load modulation to regulate a victim computer's thermal radiation. By monitoring this fluctuation in temperature via a surrounding system’s pre-existing thermal sensors  allows for a covert channel to be established between the two machines, and thus infiltration into a system previously believed to be secure.

Extract below from "Infiltration of Air-Gapped Systems via Thermal Emissions " by Alex W Luehm, Student, CprE 431" 

The vulnerability of an air-gapped system is the common airspace surrounding the target and attacking computers. By using this common medium, it has been found possible to establish a covert channel between the two machines.BitWhisper, a method established by Israeli researchers,utilizes this common medium to transfer thermal “pings” between the two machines in a predetermined protocol, allowing for the transmission of classified data.

The exploitation is based on two basic principles of modern-day computer systems. 

- The first principle is that physical hardware components of a computer generate and disperse heat. This heat can be generated by various sources such as the power supply, the motherboard, the graphics card, and the CPU.Typically, these thermal emissions are vented away from the computer via a system of rotating fans and ducting in the computer housing. Importantly, these fans are controlled by a series of thermal sensors mounted throughout the computer housing. Under normal circumstances, these sensors ensure that no critical components become too hot and cause damage to surrounding hardware or themselves.
 
- The second principle is that the amount of thermal energy generated and emitted by these components is directly related to the current workload of the computer in question. A system doing more intense calculations over a longer period of time produces a larger increase in the amount of heat emitted.

What the researchers have found, is that by installing a malicious program on the target machine, information could be quite literally emitted by the target in the form of thermal pulses. In addition, these thermal pulses could be detected by a surrounding computer's internal thermal sensors and, by the very same malicious program, decoded into the transmitted data. If one of these systems were connected to the internet, then it would be quite feasible to pass classified data from an air-gapped system to an internet-accessible system for further transmission.These pulses typically were detected as either a raising or lowering of temperature, by 1 – 4 degrees Celsius over a period of time. The spanning distance, arrangement, and type of case of the concerned systems caused varying degrees of transmission rate.

Source of Info : 

3.   Original paper "BitWhisper: Covert Signaling Channel between Air-Gapped Computers using Thermal Manipulations" by Mordechai Guri Matan Monitz, Yisroel Mirski, Yuval Elovici available at http://arxiv.org/abs/1503.07919

Wednesday, June 10, 2015

Cloud Forensics: Challenges Only Ahead

1.   Cloud Computing is emerging amongst all the bombilate words of acclivitous technologies as the most prodigious maturations in the chronicles of computing. As it still takes time to settle, a new egressing challenge as felt whilst its implementation across has been a relatively more newfangled field known as Cloud Forensics. Today as Cloud still needs time to mature and offer its full exploitation, the even newer subfield Cloud Forensics is a carking cause to negate immediate acceptance of cloud computing with open arms. The research in this field is still in parturient stages to say from perspective of the way cases and incidents are being handled on ground today. 

2.   My paper got published in "Cyber Times International Journal of Technology & Management".The "Cyber Times International Journal of Technology & Management" (CTIJTM) was launched in 2007 by "Cyber Times - PRESS" in order to promote Latest Research and innovations in the Area of Technology & Management.The"Cyber Times International Journal of Technology & Management" (CTIJTM) is Bi-Annual, Double Blind Peer Reviewed, International Journal with International Serial Standard Number which is available in print and online versions. It provides the new paradigms in the embryonic fields of Technology, Management, Science, Electronics, Law, Economy etc. and visualizes the future developments in the respective areas. It is meant to publish High Quality Research Papers with innovative ideas, inventions, and rigorous research which will ultimately interest to research scholars, academicians, industry professionals, etc.The paper is available at the following links :

http://journal.cybertimes.in/?q=Vol8_A_P1_01


and also for viewing at scribd as below :

Sunday, June 07, 2015

Career in CYBER SECURITY : Where to start ?

1.  I get a lot of queries on my blog posts related to cyber security courses and any time I am in some forum or discussion from all range age  groups regarding serious career scope in India in the field of Cyber Security.Is it worth taking a plunge in a field which currently only has more of a keen interest value rather then offering  lucrative pay packet job?The younger age group which generally has young engineering graduates look little restless of taking the risk but the field is pretty exciting for those who are passionately interested in it.

2.  The field is immense and huge to start with.For a fresher it would be pretty cumbersome to find where to start from.The moment any typical search is made for a cyber security course on google,the results are too huge and confusing to get started on.For a novice guy who doesn’t  have any background in this field but keen to start a career in this field, I would submit few first steps to start before ways and career road automatically starts guiding ahead.

3.   Firstly,make it very clear in your mind that this field is very dynamic...you have to be continuously on your toes to be updated around what’s happening in this field.Millions of cyber incidents are happening,thousands of zero days are being discovered,thousands of case studies are being released about various cyber incidents and as you start understanding you need to prioritize of what all to grasp in detail .....follow up good tweets of cyber security experts.The courses you do in this field will not be like the typical graduation certification that you do once and will make you a B.Tech for the rest of your life without ever some one asking about the syllaabi.Most of the course and certification have a shelf life of 2-3 years after which you need to renew them to continue your professional standing in the market.

4.   The best thing about this field is that you can build your career and get your basics clear by putting in you hard-work along with the world of open-source that’s your window to knowledge bank.Be it the white papers or applications or Operating systems etc most of the entire gambit of tools is free....yes...for last about 8-9 years of my association with the field I have not bought or purchased any software or OS or toolkit to practice basic hacks and penetration tests.

5.   For a start in respect of courses....I would submit that most of the courses valued globally like CEH,CISSP etc by EC-COUNCIL are pretty costly and just doing them does not guarantee anything with respect to job.You have to be aware of lots besides these courses.For a start for a typical Indian novice fresher I would recommend to start with CCCSP,CCCS etc...links given below :

http://cdac.in/index.aspx?id=cyber_security for courses offered by CDAC on cyber security and forensics.



more listed at http://anupriti.blogspot.in/2012/12/cyber-security-courses-in-india.html ....though slightly old post...but everything holds good today...

6. Besides these courses which only give a very basic over view of the field,you should start getting conversant with LINUX flavors available viz UBUNTU, Fedora, OpenSuse, Linux MInt etc to mention a few....besides a horde of excellent security distros are available with all possible youtube videos and manuals on the net for helping from scratch.Get conversant and start playing with maximum tools available in these.Few of the distros that I would recommend are listed  below :

- ARCHASSAULT at https://archassault.org/

- Kali Linux at

- BackBox at

- BackTrack R3 at

- Knoppix STD

- Pentoo

- DEFT

- Parrot

- Caine

- Samurai Web Testing framework

- Matriux Krypton

- Bugtraq

- Node zero

- Cyb org

- Helix

- Network SEcurity Toolkit

- Wireshark(not an OS)

- GRML

- Chaos

- Katana

-  Damn Vulnerable Linux

- Auditor

and I must tell you these are only few to test before you start getting basic idea of what’s happening around.

7.   You have to be passionate enough to carry yourself successfully in this field.The moment you are out of touch for whatever reasons you have a lot to catch.Every thing is available on the net..be it the study material...be it any software to start.....you actually do not straight away enrol for a course..prepare yourself with the basics as available vide these distros...basic linux and then do some course to start building your documented profile.If you have reached reading here and you have queries you can get back to me here ....post a comment.

Wednesday, June 03, 2015

Get Hacked on just Opening a Image

Stegnography we all know is the technique of hiding messages inside a pic and exactly on the same lines a new malicious technique by the name of STEGOSPLOIT has arrived that allows malicious code and java script execution the moment an image is opened by the user.This image can be of anything that can interest a victim viz Political figure,Actors,Tempting models,Engineering drawings or anything that is a image.The technique has been discovered by security researcher Saumil Shah from India.The technique was demonstrated at the Amsterdam hacking conference Hack In The Box with a talk titled, "Stegosploit: Hacking With Pictures".The video of demonstration is shared below...just watch it...by the looks if it goes...looks simple.


The technology opens the door for attacks executed as simply as pointing users to sites containing a booby-trapped image or delivering the image via email. By virtue of simply viewing the image, the exploit code is triggered and can deliver malware on the victim's computer.The second video below is in continuation of the above video :

The way out for a typical user is to avoid opening any tempting forwarded image from any friend or acquaint,default image downloading disabled for mobiles and PC interface in email/Whatsapp etc application settings.
technique discovered by security researcher Saumil Shah from India. - See more at: http://thehackernews.com/2015/06/Stegosploit-malware.html#sthash.wBuIwSGj.dpuf

Sunday, May 24, 2015

Android Factory Reset : How trustworthy from a PRIVACY view?

1.  It is an accepted fact that one can remove all data from Android devices by resetting it to factory settings, or doing a "force reset." One can do so by either using the Settings menu to erase all your data or by using the Recovery menu.It is also understood that by performing a factory data reset, all data — like apps data, photos, and music etc will be wiped from the device.This reset in most of the cases will be required as a maintenance issue or when the user decides to sell his mobile to some other third guy.Now when he does a factory reset for ensuring himself that all his/her data is removed from the mobile,there is a sad angle recently revealed in a paper named "Security Analysis of Android Factory Resets" by Laurent Simon and Ross Anderson@University of Cambridge available at http://www.cl.cam.ac.uk/~rja14/Papers/fr_most15.pdf  that proves with technical demonstrations to negate the fact that the data and all privacy of accounts goes with the reset.Read on further for brief details...

2.  Even with full-disk encryption in play, researchers found that performing a factory reset on Android smart-phones isn’t always what it’s assumed safe up to be.Researchers found the file storing decryption keys on devices was not erased during the factory reset and they were successfully able to access data “wiped” Android devices from a wide variety of sources, including text messages, images, video, and even third-party applications. What’s more, researchers were able to “recover Google authentication tokens”, thereby enabling them to sync up any data a user had tied to Google’s services, including private emails.The study unveils five critical failures:

- the lack of Android support for proper deletion of the data partition in v2.3.x devices;

- the incompleteness of upgrades pushed to flawed devices by vendors;

- the lack of driver support for proper deletion shipped  by  vendors  in  newer  devices  (e.g.  on  v4.[1,2,3]);

- the  lack  of  Android  support  for  proper  deletion  of  the internal  and  external  SD  card  in  all  OS  versions

- the fragility  of  full-disk  encryption  to  mitigate  those  problems up to Android v4.4 (KitKat)

RECOVERY DETAILS OF DATA BY RESEARCHERS

ATTRIBUTED REASON

3.   Smartphones  use  flash  for  their  non  volatile  memory storage  because  it  is  fast,  cheap  and  small.  Flash  memory is  usually  arranged  in  pages  and  blocks.  The  CPU  can read  or  write  a  page  (of  typically  512+16  to  4096+128 data+metadata  bytes),  but  can  only  erase  a  block  of  from 32   to   128   pages.   Each   block   contains   both   data,   and “out-of-band”  (OOB)  data.When  removing  a  file,  an  OS  typically  only  deletes  its name  from  a  table,  rather  than  deleting  its  content.  The situation is aggravated on flash memory because data update does not occur in place, i.e. data are copied to a new block to  preserve  performance,  reduce  the  erasure  block  count and  slow  down  the  wear.  This makes a vulnerable issue as realised here by both these researchers.

Monday, May 04, 2015

Hardware Trojans : Do we have a Solution or Clue to resolve?

1.    IT Security is an ever interesting field and those passionate about this field will always find surplus to read about so many happening things in the field.In the already chaotic environs of Cyber Security there comes another GIGANTIC issue...by the name of HARDWARE TROJANS and I use this word Gigantic not just to reflect my reaction on the subject...but for any first time reader on the subject this will be a huge issue in times to come and is already in for majors.The issue is yet unattended because no one has clue where to detect,how to detect and what to do to resolve?

2.   Electronic systems have proliferated over the past few decades to the point that most aspects of daily life are aided or affected by the automation, control, monitoring, or computational power provided by Integrated Circuits (ICs). The ability to trust these ICs to perform their specified operation (and only their specified operation) has always been a security concern and has recently become a more active topic of research. Without trust in these ICs, the systems they support cannot necessarily be trusted to perform as specified and may even be susceptible to attack by a malicious adversary.A new disruptive threat has surfaced over the past five years  , a hardware-based security threat known as the Hardware Trojan.Hardware Trojans are intentional,malicious modifications to electronic circuitry designed to disrupt operation or compromise security including circuitry added into Integrated Circuits (ICs). These ICs underpin the information infrastructure of many critical sectors including the financial, military, and industrial sectors.Consequently, hardware trojans pose a security risk to organisations due to the broad attack surface and specific organisations’ reliance on ICT infrastructure. Hardware trojans can be difficult to prevent and even more difficult to detect. Most of the current security protection mechanisms implicitly trust the hardware, allowing hardware trojans to bypass software or firmware security measures .Hardware trojans inserted during fabrication or design stages can become widely dispersed within an organisation and pose a systemic threat.

3.   Hardware Trojans are usually composed of a Trigger and a Payload.The trigger is the activation mechanism and the payload generates the effect. Prior to triggering, a hardware trojan lies dormant without interfering with the operation of any electronics.The trigger mechanism for our network hardware trojan is based on a communication channel in network packet timing, while the payload is an adjustable degradation level of the ethernet channel through noise injection into the ethernet controller’s clock.
4.  The ease with which Hardware Trojans can make their way into modern ICs and electronic designs is concerning. Modifications to hardware can occur at any stage during the design and manufacturing process, including the specification, design, verification and manufacturing stages. Hardware Trojans may even be retro-fitted to existing ICs post manufacture.

5.   With above as a preview it makes any one wonder upto what extents would one require to go for a 100 % secure IT attribute.Imagine the risk stake this would put on a typical country who is entirely dependent on global vendors for its own Defence and Consumer goods....or for that matter even developing countries would feel the pinch....no clue as to where to start from...or even if a frame work is desired to setup a standard for controlling this menace it would be prudent to only get dependent off shores since in most of the cases expertise would not exist only.......

Thanks to these two papers for giving me an over view on the subject.

Hardware Trojans – A Systemic Threat by John Shield, Bradley Hopkins, Mark Beaumont, Chris North

Hardware Trojans – Prevention, Detection,Countermeasures by Mark Beaumont, Bradley Hopkins and Tristan Newby

Sunday, March 29, 2015

Equation Group : Advanced Secretive Computer Espionage Group

The Equation Group is a highly advanced secretive computer espionage group, suspected by security expert Claudio Guarnieri and unnamed former intelligence operatives of being tied to the United States National Security Agency (NSA). Because of the group's predilection for strong encryption methods in their operations, the name Equation Group was chosen by Kaspersky Lab, which discovered this operation and also documented 500 malware infections by the group's tools in at least 42 countries.This presentation gives an over view in brief based on the Kaspersky Report.

Powered By Blogger