http://sourceforge.net/projects/cfirproject/

Azril Azam on Facebook

http://www.facebook.com/people/Azril-Azam/1128729650

REAPER is an interesting forensics distro that aims to automate the gathering of documents from a host machine.

Rapid Evidence Acquisition Project for Event Reconstruction (REAPER) – Open Source forensic environment for the complete automation of the digital investigation process. At its core is Debian Live and the Open Computer Forensics Architecture (OCFA).

http://sourceforge.net/projects/reaperforensics/

http://cybercrimetech.com/projects/reaper/reaper.php

Here are a few screens I took from a VM.

I have been working on a Linux distribution that penetration testers can utilize in their VoIP testing and have come up with VAST (VIPER Assessment Security Tools).
VIPER tools included:

• UCSniff
• VideoJak
• ACE
• VoipHopper

This distribution will be a vital part of any VoIP penetration tester’s arsenal. The tools included on the dvd are an important part of VIPER assessments. Along with the VoIP tools, it will also include basic penetration testing tools such as NMAP and the password brute force application, Hydra. VIPER will be constantly adding more features such as an open source PBX, sipXecs, and other network penetration tools and vulnerability scanners. VIPER is also providing a class which will cover VoIP assessment methodology and tool usage. There will also be a lab portion of the training where students will have the chance to use the tools in a simulated corporate environment just as they would encounter in a VoIP vulnerability assessment.

VAST is built on Ubuntu 9.04 framework and has the option to install to a hard drive or USB.

I found it on sourceforge and took a few screens in VirtualBox:

Homepage:

http://www.viperlab.net

SF:

http://sourceforge.net/projects/vipervast/

A zero-day vulnerability in the ColdFusion FCKeditor rich text editor enables users to compromise websites and view and edit files, Adobe said in its Adobe Product Security Incident Response Team (PSIRT) blog. The rich text editor is installed with ColdFusion 8. It is also used in earlier versions. A patch is expected to be released next week, Adobe said.

The SANS Internet Storm Center reported last week that attackers have been exploiting websites which have older installations of some ColdFusion applications.

“The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server,” wrote Bojan Zdrnja, a SANS ISC handler.

Zdrnja said a common application that has been seen in attacks is CFWebstore, a popular e-commerce application for ColdFusion.

The application development platform was acquired by Adobe in 2005. It is used in many websites that use rich forms to collect and share data. It supports Ajax applications and frameworks and integrates with dynamic PDF documents. Popular websites run by Simon & Schuster Inc., Crayola LLC and FAO Schwarz Inc. are run using ColdFusion.

The software maker issued a workaround until a fix is released.

* Disable connectors by setting config.Enabled to false in the editor/filemanager/connectors/cfm/config.cfm file.

* Remove unused cfm files under editor/filemanager/connectors/cfm directory of the FCKeditor.

* Inspect FCKeditor directories for content that has already been uploaded. The uploaded files go under the directory specified in the config.UserFilesPath set in config.cfm.

via Adobe ColdFusion websites being compromised.

… And to make sure that somebody sees these ads it goes pretty far. For example, it opens the changelog webpage (full of ads of course) on every single update of the extension, even though the NoScript FAQ claim that it happens only on major updates (yes, if you dig into it you will find the preference to disable this behavior – but how many people do that?). And updates coming roughly each week ensure that this page is opened fairly often. A problem is of course that NoScript will usually disable scripting and consequently also most advertising. That problem is being worked around by putting NoScript’s domains, Google AdSense and a few others on NoScript’s default whitelist (again, the overwhelming majority of users won’t go hunting for bogus entries in their whitelist). Given that NoScript proudly calls itself a security extension this means putting users at risk — for example, a while ago I demonstrated how an XSS vulnerability on a NoScript domain can be used to run JavaScript from any website, despite NoScript. This was countered by implementing anti-XSS measures rather than removing anything unnecessary from the whitelist.

As a web guy with more than a few ads, I can fully understand where the NoScript guys are coming from. What I don’t understand is the lengths they are going to make money here. They aren’t paying for the extension download bandwidth, in fact the only costs they are incurring are from forcing the update page to load…. Basically, they are just being greedy here.

And it gets worse:

What followed was a small war — the website would add various tricks to prevent Adblock Plus with EasyList from blocking ads, EasyList kept adjusting filters. Then, a week ago a new NoScript version was released. A few days later I noticed first bug reports — apparently, Adblock Plus “glitches” were observed with this NoScript version, especially around NoScript’s domains (but not only those). When I investigated this issue I couldn’t believe my eyes. NoScript was extended by a piece of obfuscated (!) code to specifically target Adblock Plus and disable parts of its functionality. The issues caused by this manipulation were declared as “compatibility issues” in the NoScript forum, even now I still didn’t see any official admission of crippling Adblock Plus. Clearly, NoScript is moving from the gray area of adware into dark black area of scareware, making money at user’s expense at any cost.

NoScript released an update as I wrote this:

v 1.9.2.6
NoScript now automatically removes the controversial “NoScript Development Support Filterset” deployed with NoScript 1.9.2.3 and above on startup, permanently and with no questions asked.

Amazing what a few hundred Diggs will do for your cause, eh?

The next generation of optimized .htaccess protection has been released. Jeff from Perishable Press just announced the availability of his highly optimized 4G Blacklist.

Description:

The 4G Blacklist is a next-generation protective firewall that secures your website against a wide range of malicious activity. Like its 3G predecessor, the 4G Blacklist is designed for use on Apache servers and is easily implemented via HTAccess or the httpd.conf configuration file.

I’ve used many forms of .htaccess protection, but most were either incomplete or too bulky to give decent performance. Coming in at just 130 lines (incl. comments), the 4G is just a fraction of the size of other blacklists/combinations of lists I have laying around. Give it a try today.

Dave from Security Ninja shows how you can easily bruteforce a certain parameter to allow access to any user’s Facebook photo album using Burp Suite. Here are the basics:

Access to albums in Facebook is controlled by three parameters of a URL, you can see them here:

http://www.facebook.com/album.php?aid=-3&id=1508034566&l=aad9c

aid=-3 (-3 for every public profile album)
id=0123456789 (Obtained by searching for the user and hovering over the add friend button)
l=? (all we know is its 5 characters from the 0123456789abcdef range)

Dave uses Burp Suite, but there are many ways you can go about it. I think a dictionary of possible values might be marginally faster (untested) so I’ll use that.

First is one of my favorite methods, w3af’s Fuzzy Requests and Clustered Response tools.

GET http://www.facebook.com/album.php?aid=-3&id=targetsid&l=$[l.strip() for l in file('fbhex.dic').readlines()]$ HTTP/1.0
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/312.1 (KHTML, like Gecko) Safari/312
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded


Here’s the dictionary (1.1MB, zipped), extract it to your w3af directory.

After the run is finished, run the Cluster tool and wait. The valid page should show up far away from the rest of them.

Another tool that could be used for this is Edge Security’s WebSlayer:
URL:
http://www.facebook.com/album.php?aid=-3&id=targetsid&l=FUZZ
Set it to ignore lines so you can find your valid request faster. Currently, the error page contains 71 lines, but this may be different for you. Just run the scan for a few seconds and look at the number of lines that each error page contains, then stop the scan, enter the number in the ignore lines box and start again.

Other useful features of WebSlayer are the ability to control the rate and set proxy options.

There are likely MANY other tools that you can use to accomplish this task, but these seem to be the simplest.
Good luck, and remember:

Check out Dave’s post for the Burp Suite method he uses to generate the needed parameter.

Firefox 3.0.7 is now available.
Notable improvements:

Fixed missing cookies bug (I hated that)
Official releases for the Estonian, Kannada, and Telugu languages are now available.
Misc stability and security improvements.

Known Vulnerabilities Fixed
Other Release Notes
Complete List of Fixes

Tools and Projects

jeriko – a set of scripts which help with the automation of common penetration testing tasks. (gnucitizen)

osg2 – OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project.

Webshag – multi-threaded, multi-platform web server audit tool written in Python.

SEAT 0.3 – uses search engine databases and other public resources to scan a site for vulnerabilities.

Bonsai – Andres Riancho (of w3af fame) provides professional information security services and training.

MMM… FUD

SSL Screwed
Twitter Twitdown

Recently Hacked

Hotmail
Paypal
Zone-h
F-Secure
Gears
You?

What could make BackTrack better? How about making it Debian based with a repository chock full of security tool goodness? Maybe even use Ubuntu’s repos for regular system updates? Well that’s just what the team at Remote Exploit have done with the fourth incarnation of their infamous live pentesting distribution:

Now based on Debian core packages and utilizing the Ubuntu software repositories, BackTrack 4 can be upgraded in case of update. When syncing with our BackTrack repositories, you will regularly get security tool updates soon after they are released.

New Features

• Kernel 2.6.28.1 with better hardware support.
• Native support for Pico e12 and e16 cards.
• Support for PXE Boot
• SAINTexploit
• MALTEGO
• Custom rtl8187 patches
• Broader wireless injection support
• Unicornscan
• RFID support
• Pyrit CUDA
• Other new and updated tools

Screenshots

BT4 is available as a DVD ISO [854MB] or VMware Image [1GB]
Download
Hint: Use a download manager or something with resume. Their mirrors are getting hit pretty hard as you can imagine.