“Enforcing Python’s engines, I wrote a script that generates some nicely crafted unique Http requests, one after the other, generating a fair load on a webserver, eventually exhausting it of resources. this can be optimized much much further, but as a proof of concept and generic guidance it does its job. As a guideline, the main concept of HULK, is to generate Unique requests for each and every request generated, thus avoiding/bypassing caching engines and effecting directly on the server’s load itself.”

In order to confuse the target Web server as thoroughly as possible, Shteiman has included a number of different features in HULK, including the ability to hide the actual user agent and obfuscate the referrer for each request. In his own tests, Shteiman said that the attack tool had no trouble taking down a target server within a minute or so.

“Basically my test web server with 4gb of Ram running Microsoft IIS7 was brought to its knees under less than a minute, running all requests from a single host,” he said.

The framework has also recently received an update but, most important of all, has also received a very prominent backer: Microsoft.

“Even though many vendors have followed Microsoft’s lead in providing comprehensive security updates to customers, the formats vendors use vary. CVRF provides the entire industry with a way to share and present data in a coordinated and structured manner,” stated Mike Reavey, Senior Director with Microsoft Security Response Center, and announced that Microsoft has presented the latest monthly security updates (released on May 8) in the CVRF format.

Extolling the virtues of the format, Reavey pointed out that even though home-computer users or small businesses haven’t got much use for it, big businesses could do without continually “copying and pasting” Microsoft’s security bulletin content into their risk management systems, spreadsheets and corporate notification emails manually as part of their IT security compliance and remediation task list.

“For these customers, this machine-readable format may enable more efficiency and automation. Faster and more efficient guidance for these customers means they can more quickly ensure protection, which is always our goal,” he wrote, and added that Microsoft’s bulletins will continue to be issued also in the current format for those who don’t require automation.

The steps to conduct similar attacks are:

• Collect a large number of URLs from the targeted website. Preferably big media files (jpg, pdf, mpeg and similar)
• Put these URLs in a Google feed, or just put them in a Google Spreadsheet
• Put the feed into a Google service, or use the image(url) command in Google spreadsheet
• Sit back and enjoy seeing Google launching a Slashdot-style denial of service attack against your target

Nasty.

Internet criminals are sidestepping the need to launch DDoS attack from large networks of malware-compromised bot PCs by using simpler server ‘booter shells’, mitigation firm Prolexic has warned.

America’s 10 most wanted botnets

‘Booter shells’ or plain ‘booters’ are simple PHP, .ASP or Perl script template files planted on compromised servers to direct Get/Post commanded HTTP floods to overload target servers.

As Prolexic explains in its advisory, the approach has several advantages over conventional botnet DDoS attacks, starting with technical simplicity. Even non-technical users can place them on hosted or compromised servers, building a bot from individual servers with up to 1,000 times the capacity of a single PC.

Internet criminals are sidestepping the need to launch DDoS attack from large networks of malware-compromised bot PCs by using simpler server ‘booter shells’, mitigation firm Prolexic has warned.

America’s 10 most wanted botnets

‘Booter shells’ or plain ‘booters’ are simple PHP, .ASP or Perl script template files planted on compromised servers to direct Get/Post commanded HTTP floods to overload target servers.

As Prolexic explains in its advisory, the approach has several advantages over conventional botnet DDoS attacks, starting with technical simplicity. Even non-technical users can place them on hosted or compromised servers, building a bot from individual servers with up to 1,000 times the capacity of a single PC.

What follows is a list of the best advice from security gurus, network administrators, and those responsible for securing company information. The lessons were passed down to them from real-world experience, a supervisor, an industry colleague, or in one case, a complete stranger.

Tip #1: Security must enable business, not prevent it

“I don’t know anything about what you do, for all I know, you are doing your job perfectly, but you have disabled my ability to do my job,” said a company executive to Stewart Allen, now an Information Security Consultant at Metrolinx.

Great list.

This adds up to a disturbing conclusion: China’s manufacturing rise has been illegally aided. Many advances are certainly due to the PRC’s own strengths; others stem from voluntary cooperation by foreign partners. But it is all too easy to find examples of Chinese theft that correspond well to spurts in manufacturing capability in advanced electronics, energy, autos, etc.

A Disturbing Trend

2001: Two people funded by state-owned Datang Telecom indicted for stealing secrets from Lucent.[1]

2002: Two people funded by Hangzhou city government indicted for stealing secrets from four firms.[2]

2003: PetroChina employee arrested for attempting to steal seismic imaging software from Silicon Valley firm (later pled guilty).[3]

2004: Canada’s Nortel discovers that China-based hackers have compromised its entire network.[4]

2005: Chinese national working at U.S. unit of Dutch firm AkzoNobel begins stealing material needed to replicate advanced industrial coating.[5]

2006: Two people indicted for stealing proprietary information from auto parts maker Metaldyne and seeking to pass it to Chinese firms.[6]

2007: Chinese national employed by Dow begins transferring trade secrets to Chinese government-controlled institutes.[7]

2008: Former DuPont employee picked by state-owned Pangang to make titanium dioxide, supposedly using DuPont production method (later pled guilty to espionage).[8]

2009: Ford Motor employee arrested for stealing trade secrets—later found guilty—supposedly on behalf of Beijing Auto.[9]

2010: Dozens of multinationals disclosed as targeted in China-based hacking of Google.[10]

2011: American Superconductor sues top Chinese turbine maker Sinovel for stealing software used to drive wind turbines.[11]

2012: NSA director acknowledges that China-based hackers compromised a company that provides computer security services to defense firms such as Lockheed Martin.[12]

---

[1]News release, “New Indictment Expands Charges Against Former Lucent Scientists Accused of Passing Trade Secrets to Chinese Company,” U.S. Department of Justice, April 11, 2002, at http://www.justice.gov/criminal/cybercrime/press-releases/2002/lucentSupIndict.htm (accessed April 9, 2012).

[2]News release, “Pair from Cupertino and San Jose, California, Indicted for Economic Espionage and Theft of Trade Secrets From Silicon Valley Companies,” December 4, 2002, at http://www.justice.gov/criminal/cybercrime/press-releases/2002/yeIndict.htm (accessed April 9, 2012).

[3]Rachel Konrad, “Chinese Man Sentenced to 2 Years for Silicon Valley Fraud,” Associated Press, December 18, 2004, at http://www.usatoday.com/tech/news/computersecurity/2004-12-18-corp-spy_x.htm (accessed April 9, 2012).

[4]CBC News, “Nortel hit by suspected Chinese cyberattacks for a decade,” February 14, 2012, at http://www.cbc.ca/news/world/story/2012/02/14/nortel-chinese-hackers.html (accessed April 9, 2012).

[5]Ann Woolner et al., “The Great Brain Robbery,” Businessweek, March 15, 2012, at http://mobile.businessweek.com/articles/2012-03-14/the-great-brain-robbery (accessed April 9, 2012).

[6]David J. Lynch, “FBI Goes on Offensive Against China’s Tech Spies,” USA Today, July 25, 2007, at http://www.usatoday.com/money/world/2007-07-23-china-spy-2_N.htm (accessed April 9, 2012).

[7]News release, “Chinese National Pleads Guilty to Economic Espionage and Theft of Trade Secrets,” October 18, 2011, at http://www.justice.gov/opa/pr/2011/October/11-crm-1372.html (accessed April 9, 2012).

[8]Karen Gullo, “Former DuPont Worker Pleads Guilty in Economic Espionage Case,” Businessweek, March 2, 2012, at http://www.businessweek.com/news/2012-03-02/former-dupont-worker-pleads-guilty-in-economic-espionage-case (accessed April 9, 2012).

[9]China Daily, “Ford Engineers Yuxiang Dong China Steal Secrets Jailed for 70 Months,” April 14, 2011, at http://www.china-daily.org/China-News/Ford-engineers-Yuxiang-Dong-China-steal-secrets-jailed-for-70-months/ (accessed April 9, 2012).

[10]Kim Zetter, “Google Hack Attack Was Ultra Sophisticated, New Details Show,” Wired, January 14, 2010, at http://www.wired.com/threatlevel/2010/01/operation-aurora/ (accessed April 9, 2012).

[11]Ed Crooks and Leslie Hook, “American Superconductor Sues Chinese Group,” Financial Times, September 15, 2011, at http://www.ft.com/intl/cms/s/0/df685246-df17-11e0-9af3-00144feabdc0.html#axzz1qvfY4yzA (accessed April 9, 2012).

[12]Jason Mick, “NSA: China Is Destroying U.S. Economy Via Security Hacks,” DailyTech.com, March 28, 2012, at http://www.dailytech.com/NSA+China+is+Destroying+US+Economy+Via+Security+Hacks/article24328.htm (accessed April 9, 2012).

It’s not hard to imagine what happens when an American company pays for research and a Chinese firm gets the results free; it destroys our competitive edge. Shawn Henry, who retired last Friday as the executive assistant director of the F.B.I. (and its lead agent on cybercrime), told Congress last week of an American company that had all of its data from a 10-year, $1 billion research program copied by hackers in one night. Gen. Keith B. Alexander, head of the military’s Cyber Command, called the continuing, rampant cybertheft “the greatest transfer of wealth in history.

Idea: any U.S. position that deals with sensitive IP should require that you can get a government clearance. And in order to get such a clearance you’d have to NOT be a threat for sharing information with any country that is known to be ACTIVELY and AGGRESSIVELY pursuing U.S. secrets via hire-and-steal tactics.

Problem addressed.

Racism? No. This is country and government based–not race. Japan? Fine. Korea? Fine. It’s China that’s the threat here, and if that were to stop then this would be lifted.

Until then, sorry. The people that lose their job opportunities as a result then become victims of the Chinese government–not ours. They’re playing dirty, and we must stop letting our politically correct tendencies hamstring us while our enemy watches with smiles on their faces.

On Friday, we heard the news that payments processor Global Payments was hit with a massive security breach involving MasterCard and Visa cardholders. At the time it was unclear the reach of the security issue, which was being investigated by the U.S. Secret Service. Tonight, Global Payments reports that those cards affected in the breach processing system were confined to North America and up to 1.5 million card numbers may have been exported. Visa had originally pegged that number at around 50,000 cards stolen.

In one of the flaws the researchers exposed, for example, not all websites confirmed that a verification coming from OpenID included all of the items the website asked to be confirmed, such as the first name, last name and email address. The researchers were able to access the request, delete one piece of requested information (the email address, for example) as it went to OpenID and simply re-insert it in the signed okay from OpenID. In this way, even a hacker who didn’t control the email address linked to the user’s account on the website in question could log in, and potentially make purchases, using that person’s account.

Amichai Shulman, co-founder and CTO of security firm Imperva, has told CBR that if Anonymous really wants to fight for freedom of speech it should attack the Chinese government.

In an interview with CBR back in February Shulman told us that even though most Anonymous activity is said to be driven by a cause, such as internet freedom and expression, some activity by the group makes him question if that is the real motivation behind Anonymous attacks.

“If you’re looking for freedom of speech go and hack the Chinese government or the Syrian government,” said Shulman.

Interesting approach.

Favored by hacktivists and financially motivated attackers alike, Havij automates bad guys’ SQL injection attacks by automatically detecting the database behind a targeted website, detecting whether it uses a string or integer parameter type, and testing different injection syntaxes on the target. Unlike a lot of penetration tools, Havij can not only point to potential vulnerabilities, it can also carry out data extraction and harvesting.

We’ve been working hard for the last 2 months since 5.61TEST4, and I’m pleased to announce the results: Nmap 5.61TEST5. This release has 43 new scripts, including new brute forcers for http proxies, SOCKS proxies, Asterisk IAX2, Membase, MongoDB, Nessus XMLRPC, Redis, the WinPcap remote capture daemon, the VMWare auth daemon, and old-school rsync. Better check that your passwords are strong! Some other fun scripts are nat-pmp-mapport, asn-to-prefix, url-snarf, and http-auth-finder. See the changelog entries below for a full list with descriptions. For this release, we also incorporated thousands of your OS detection and service detection submissions, dramatically improving the databases. Our IPv6 OS detection system became smarter as well. And we’ve incorporated a new “nsock engines” system which improves performance by using advanced I/O APIs (such as epoll on Linux) rather than always using select.

Man, nmap is becoming a metatool.

The research arm of the US military is putting a call out to developers to begin work on software applications that will allow a computer system to identify a user by analyzing the way they type, instead of using the traditional password method.

I’ve been working with vendors that do this for years. The problem isn’t theory, it’s practice. What happens when you’re drunk? What happens when you injure your hand? Enrollment is always an issue. That being said, I’m happy to see them have a go at it.

This Malware is estimated to affect between 10,000 and 30,000 phones on any given day. The malware, mostly found on Chinese phones, works by using GingerBreak, a tool that gives users root access to Android 2.3 Gingerbread. RootSmart is designed to escape detection by being named “com.google.android.smart,” which the same name as a settings app included by default with Android operating systems.

Mullaney explained that once the malware is installed on the Android phone, an outbound connection from the infected phone to a remote server is generated.“The malware posts some user and phone-specific data to the remote address and attempts to download and run an APK file from the server. The downloaded file is the second stage in the malware and is a Remote Administration Tool (RAT) for Android, detected as Android.Bmaster. This type of malware is used to remotely control a device by issuing commands from a remote server”.

No es bueno.

008
ABACHOBot
Accoona-AI-Agent
AddSugarSpiderBot
AnyApexBot
Arachmo
B-l-i-t-z-B-O-T
Baiduspider
BecomeBot
BeslistBot
BillyBobBot

Just to start at the top… Great resource.

The attack, know as the Man in the Browser method, works like this. Malicious code is first introduced onto the victim’s computer where it resides in the web browser. It will lay dormant until the victim visits a specific website—in this case, his bank’s secure website. Once the user attempts to log in, the malware activates and runs between the victim and the actual website. Often the malware will request that the victim enter his password or other security pass into an unauthorized field, in order to “train a new security system.” Once that happens, the attacker has full access to the account.

Pretty nasty, but still only valid for that session.

By extending the Burp Suite and integrating it with a CAPTCHA solving farm you can enable the automated bypassing of CAPTCHA within all burp tools; seamlessly replacing all CAPTCHA with their correct solutions.

One of the coolest Burp extensions I’ve ever seen.