Iran Sites Open 2 Joomla -K-CMS Hacking


gAtO wAs – in the kitty box scratching and found some sites in Iran that have the same problem that Syria has: outdated, older content management systems like Joomla and KCMS_1.0[2], and many other sites run on Microsoft Visual Studio.NET 7.0. These require more research as to their vulnerabilities, but we are working on that. But gAtO found, you guessed it, Joomla 1.5 CMS all over the place. The same vulnerabilities that Syria has, they have.

This is easy to do with any browser: do a search on any search engine for “site:.gov.ir” and you will get a list of all the .gov.ir sites everywhere. Now remember, with a translate button (on your browser) you can read these sites in any language you want. The other trick is, once you get to any site in your browser, just go to >>Edit>>Source Code, and lots of sites will tell you what created the content. Whatever language the site is in, the HTML is always in English:

<meta name="generator" content="Joomla! 1.5 – Open Source Content Management" />

If you're smart and are doing this on a government site, I would remove this information. Now besides Joomla 1.5, gAtO found lots of sites with KCMS_1.0[2] and, you guessed it again, they are older versions and have vulnerabilities. So now gAtO will publish this list and update it as we find more and more vulnerabilities. Why does gAtO do this? It's my way of showing the world that anyone can help; anyone with any talent can contribute to making this world a better world. I hope this information helps someone to be free – gAtO oUt.
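As an added defender-side example (not code from the post), this Python script does the generator-tag check described above against a site's own HTML and flags a banner that is older than a policy floor; the MIN_SUPPORTED table and the two sample pages are constructed assumptions.

```python
"""Flag the CMS version banner leaked through <meta name="generator">.

Added example, not from the original post: a defender runs this over the
HTML of their own sites to find the banner the post describes and compare
it against the oldest release still considered acceptable.
"""
import re
from html.parser import HTMLParser

# Constructed policy (illustrative): product -> oldest acceptable version.
MIN_SUPPORTED = {
    "joomla": (2, 5),
    "kcms": (1, 1),
}

# Constructed sample pages standing in for fetched HTML.
LEAKY_PAGE = """<html><head>
<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />
<title>Portal</title></head><body>...</body></html>"""

CLEAN_PAGE = """<html><head><title>Portal</title></head><body>...</body></html>"""


class _GeneratorFinder(HTMLParser):
    """Collect the content attribute of every <meta name="generator">."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":  # HTMLParser already lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        content = a.get("content", "").strip()
        if a.get("name", "").lower() == "generator" and content:
            self.generators.append(content)


def find_generators(html):
    """Return every generator banner in the document (normally 0 or 1)."""
    p = _GeneratorFinder()
    p.feed(html)
    return p.generators


# Product name, optional "!"/"_"/space, optional "v", dotted version number.
_BANNER = re.compile(r"\s*([A-Za-z][A-Za-z_-]*?)[!_ ]*v?(\d+(?:\.\d+)*)")


def parse_generator(banner):
    """'Joomla! 1.5 - Open Source ...' -> ('joomla', (1, 5)); None if no version."""
    m = _BANNER.match(banner)
    if not m:
        return None
    product = m.group(1).lower()
    version = tuple(int(x) for x in m.group(2).split("."))
    return product, version


def assess(html):
    """'silent' (no banner), 'ok', 'outdated', or 'unknown' (product not in policy)."""
    banners = find_generators(html)
    if not banners:
        return "silent"
    parsed = parse_generator(banners[0])
    if parsed is None or parsed[0] not in MIN_SUPPORTED:
        return "unknown"
    product, version = parsed
    # Tuple comparison handles 1.5 < 2.5 and 2.5.0 >= 2.5 correctly.
    return "outdated" if version < MIN_SUPPORTED[product] else "ok"


if __name__ == "__main__":
    for label, page in (("leaky", LEAKY_PAGE), ("clean", CLEAN_PAGE)):
        print(label, find_generators(page), assess(page))
```

A page that assesses as "silent" has already done what the paragraph above recommends; "outdated" is the case to fix first.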

Some sites carry this warning, so be careful: This site may harm your computer.

Research Notes:

IRAN site:.gov.ir

http://xforce.iss.net/xforce/xfdb/33437 Apr 4, 2007 – CVE-2007-2106: Directory traversal vulnerability in index.php in Kai Content Management System (K-CMS) 1.x allows remote attackers to ..

K-CMS (Kai Content Management System) could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted URL request to the index.php script using the current_theme parameter to specify a malicious file from a remote system, which could allow the attacker to execute arbitrary code on the vulnerable Web server.

K-CMS (Kai Content Management System) index.php file include

Many of Iran's sites use ArPortal 7.1.2 while many others use Microsoft Visual Studio.NET 7.0.

[1] security tips for Joomla Websites http://www.itoctopus.com/10-security-tips-for-your-joomla-website

Generator tags seen in the page source of the sites found (each distinct tag listed once):

[2] <meta name="generator" content="KCMS 1.0" />

<meta name="generator" content="Expans! 1.5 – Open Source Content Management

<META NAME="GENERATOR" CONTENT="ArianaPortal 7.1.2">

<meta name="generator" content="Joomla! 1.5 – Open Source Content Management" />

<meta name="generator" content="Joomla! 1.5 – Open Source Content Management. Developed By MamboLearn.com" />

<meta name="generator" content="Joomla! 1.5 – Open Source Content Management. Developed By Navid Iranian Co. Ltd" />

Saman Information Structure

Search-result snippets for the sites found:

This site may harm your computer.

Joomla 1.5.15 Released. The Joomla Project is pleased to announce the immediate availability of Joomla 2.5.0. This is a security release. Version 2.5.0 is the

www.khodabandeh.gov.ir/

Copyright © 2009 — Webdesign aus Tirol – All Rights Reserved. Template Demo Joomla 1.5 Template by pc-didi.. Translate By : Meisam Heidarzadeh | hotfa.ir.

www.sabtyazd.gov.ir/index.php?…

This site may harm your computer.

C:\Inetpub\vhosts\sabtyazd.gov.ir\httpdocs\libraries\joomla\session\session.php

iten.behdasht.gov.ir – Site News


Protocol-Level Hidden Server Discovery -WRONG

sOrRy – ARROGANT gAtO – Open letter to: zhenling – jluo – wkui – xinwenfu – at seu.edu.cn cs.uvic.ca cs.uml.edu – I wrote to you and gave you a chance to reply, so here it goes for everyone to see that you rigged your lab; in real life it does not work like you claim — gATO OuT – may be wrong mAyBe Si -nO


Protocol-Level Hidden Server Discovery

Since the entry onion router is the only node that may know the real IP address of the hidden service — note [3]: This assumption was made in virtually all attacks towards the Tor network. This is reasonable because onion routers are set up by volunteers.

WRONG folks — So criminals work in these sterile, structured surroundings, following rules and making assumptions that I'm stupid enough to not know how to control ENTRY and EXIT nodes into my Tor website — come on dudes, this is not school, it's the real world… otwxbdvje5ttplpv.onion here is my site, now find my IP —

WHo am I – Richard Amores – @gAtOmAlO2 – I run http://uscyberlabs.com – I just finished a book – “The Deep Dark Web” Amazon new eBook – The Deep Dark Web – http://www.amazon.com/dp/B009VN40DU   Print Book – http://www.amazon.com/The-Deep-Dark-Web-hidden/dp/1480177598 :- I do a wee bit of real life research and I disagree — I go through a proxy and a VPN in the EU… before I go into Tor, so the chances that you will find my IP just went up a notch or two. But I'm a legit Security Researcher – imagine if I ran Silk Road — making a bunch of Bitcoins a DAY — how many layers do they have —

How about a basic BRIDGE RELAY — and there it goes – u can't touch this — how about a simple modification of the torrc file with these:
HiddenServiceAuthorizeClient AND HidServAuth
With these few modifications the Tor site is hidden unless you have the key (HiddenServiceAuthorizeClient) in your browser that was generated to match the HidServAuth of the server – I think that your chances of finding my mean ass hidden service IP address are ZERO…
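A torrc sketch of the client-authorization setup named above, added here as an illustration (it is not from the post or from the Tor project's own docs; the directory, port, client names, onion address and cookie are placeholders). It uses the v2 onion-service directives current when the post was written; v2 services have since been removed from Tor, and v3 services do the same job with per-client files under the service's authorized_clients directory and ClientOnionAuthDir on the client.

```text
# --- torrc on the hidden-service host (constructed example) ---
HiddenServiceDir /var/lib/tor/my_service/
HiddenServicePort 80 127.0.0.1:8080
# "stealth": the descriptor is encrypted and each named client gets its
# own onion address, so an unauthorized client cannot even locate the service.
HiddenServiceAuthorizeClient stealth alice,bob

# --- torrc on each authorized client ---
# One line per client, copied from <HiddenServiceDir>/hostname on the server
# after tor has generated it.  Format: HidServAuth <onion-address> <auth-cookie>
HidServAuth <alice-onion-address>.onion <alice-auth-cookie>
```

The auth cookie is generated by tor on the server side; it is never typed by hand, and each client keeps only its own line.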

I like what you all did, cool analysis and you explained it great – but this puts fear into people – dissidents will maybe not use Tor because of what you guys say, and maybe they may get caught and killed… It's not only CRIMINALS — I know that gets grant money — but Tor is used to communicate and it allows Freedom of Speech in Cyberspace. I'm gonna write something about this and I want to be nice, so please explain why — you can say from an educational place of knowledge — and allow this “in the box” thinking that is being hacked every day because they say — we did everything they told us to do — this is wrong and not true —

If you could get the IP of Silk Road — or better yet – PEDO BEAR, the largest PEDO directory in TOR — tell me the IP and I will take it down myself — but don't come at me saying we are right and every hacker is wrong — learn please, our world is depending on your great minds —

RickA- @gAtOmAlO2 http://uscyberlabs.com

Here is the original paper — http://www.cs.uml.edu/~xinwenfu/paper/HiddenServer.pdf
A recent paper entitled Protocol Level Hidden Server Discovery, by Zhen Ling, Kui Wu, Xinwen Fu and Junzhou Luo, is starting to be discussed in the Tor community. From my perspective, it is a nice attack to reveal the IP address of a hidden service. It would require resources to actually implement effectively, but for law enforcement trying to shut down and arrest owners of illegal websites selling drugs, weapons, or child pornography who are hiding behind Tor, it is an option. Of course that also means the capability to find anyone that might be doing something a government or large entity does not agree with. The paper is here.
This stuff reminds me of a statement a professor said to a class I was in once: “Guns are not good or bad. It depends on who is holding the gun and which end is pointed at you.”


Chuck Norris “The Programmer” Jokes

1. When Chuck Norris throws exceptions, it’s across the room.

2. All arrays Chuck Norris declares are of infinite size, because Chuck Norris knows no bounds.

3. Chuck Norris doesn’t have disk latency because the hard drive knows to hurry the hell up.

4. Chuck Norris writes code that optimizes itself.


5. Chuck Norris can’t test for equality because he has no equal.

6. Chuck Norris doesn’t need garbage collection because he doesn’t call .Dispose(), he calls .DropKick().

7. Chuck Norris’s first program was kill -9.

8. Chuck Norris burst the dot com bubble.

9. All browsers support the hex definitions #chuck and #norris for the colors black and blue.

10. MySpace actually isn’t your space, it’s Chuck’s (he just lets you use it).

11. Chuck Norris can write infinite recursion functions…and have them return.

12. Chuck Norris can solve the Towers of Hanoi in one move.

13. The only pattern Chuck Norris knows is God Object.

14. Chuck Norris finished World of Warcraft.

15. Project managers never ask Chuck Norris for estimations…ever.

16. Chuck Norris doesn’t use web standards as the web will conform to him.

17. “It works on my machine” always holds true for Chuck Norris.

18. Whiteboards are white because Chuck Norris scared them that way.

19. Chuck Norris doesn’t do Burn Down charts, he does Smack Down charts.

20. Chuck Norris can delete the Recycling Bin.

21. Chuck Norris’s beard can type 140 wpm.

22. Chuck Norris can unit test entire applications with a single assert.

23. Chuck Norris doesn’t bug hunt as that signifies a probability of failure, he goes bug killing.

24. Chuck Norris’s keyboard doesn’t have a Ctrl key because nothing controls Chuck Norris.

25. When Chuck Norris is web surfing websites get the message “Warning: Internet Explorer has deemed this user to be malicious or dangerous. Proceed?”.


gAtO interview -Botnet’s in Tor -sI -Si

gAtO jUsT – finished an interview with Bill Donato from BotRevolt.com. I wanted to post this because these were good questions. My answers were a little lOcO gAtO but I tried anyway. Here is the interview; at the bottom I included a conversation about a Tor-controlled botnet I found in HackBB in onion land. All I can tell you is the code and how-to are out there – gAtO oUt


LinkedIn: Mr Bill Donato has sent you a message.

Date: 7/26/2012

Subject: RE: Bot Revolt Blog

Hi Richard,
Here are 5 general questions we think our readers would find interesting. We greatly appreciate your feedback!

First, thank you Bill for this opportunity. I have 35 years in IT and a little security goes with the territory, but I'm no expert. I'm retired so I have the freedom to say what I want and I have chosen to support Freedom of Speech in cyberspace. You can find my rants and rages about security at http://uscyberlabs.com/blog. I go by twitter @gAtOmAlO2 after my lionhearted cat named gato. My 2 cents: “be a critical reader, thinker and cyber user”. Trust but verify.

• We see a lot of cybercrime targeted at large companies, but how vulnerable is the average consumer in today’s cyber environment?

In today's economic climate cyber criminals see mass unemployment and use that to recruit shipping mules and money mules. Financial desperation and greed is a driving force in recruitment and the FBI is well aware of this; a good money mule is hard to find and trust. Also, infection points for zombie computers to do the dirty work go up and up with every new exploit. Last, people don't know how much information they leak out. With the metadata just from the pictures on Facebook a criminal can glean lots of information from the average Facebook update.

So to answer your question yes the average consumer needs to be very careful and have common sense. That lost Uncle from Nigeria did not leave you a billion dollars, trust me on this one.

• At the current level of cybercrime’s growth, if it is possible how long before the internet crashes?

Cyber crime is growing but CISPA is not the answer. PII (Personal Identifiable Information) that the government says it will not gather, just your shopping and search cyber habits, nothing identifiable until you type in the wrong keyword, then you're monitored. Then your footsteps in cyberspace will be monitored a bit more closely. The judicial system now added the cyber forensic psychologist that can produce “minority reports” – remember the movie – the thought police… That's scary..

Where were you last Tuesday @ 9:37 PM… they know; we are being monitored by the good guys in today's Internet. It's normal to update my Facebook page or my LinkedIn profile, leaking data with the metadata from our pictures of our visit to the new office overseas. That can give criminals information for APT attacks.

As to the Internet crashing, I think it's just beginning. We have criminals after our data, government after our habits, and we have ourselves leaking information for everyone to know about me, me, me…. but it's not crashing —> we have too many me..me..me..

• Cyber warfare is a hot topic, how will a cyber-war affect the countries average citizen?

Have you ever watched your daughter lose her cell phone 5 times in one year, 5 times, not one backup? The effects of a cyber kinetic event in the US will happen. I see open SCADA systems in the wild with no protection. Try and report this information; that's a joke and impossible. So many misconfigured SCADA all running Windows OS, with no patch updates or management, so they become more vulnerable every day that they don't upgrade.

Oh, make that a tested update, because we (admin types) all stayed up late at night un-installing an upgrade for Windows OS that made the Payroll system (Oracle) not work, so NO paychecks….

In other words it will happen because we have a pretty bad security system built into these devices and they are too expensive to replace; it's worth the risk from a financial side, so companies did the ROI (return on investment)… they did the cost analysis of an attack; they know they will get hacked… Power grid, YeaH Baby, and we have no backup — but we still come back… the average citizen has to ride it out; we have no choice in warfare.

• You talk on your website, uscyberlabs.com, about the rise of botnets running on the tor .onion network, is the tor network a threat to people who do not access it? If so how do users protect themselves?

Botnets in Tor, oh yeah! I'm doing some research into botnets in the Tor black market and it's alive and kicking. The Tor hidden service and C&C servers go hand in hand. You can't find it, and it can't be found. We also have i2p as an up and coming secure anonymized network, so expect more and more from this area.

I included a post from the HackBB website in the onion network; this discussion is about “Tor-Controlled Botnets”. I included the code, so in Tor there is talk from the hacker world on how-to guides to Tor & botnets, and it has a current timestamp.

It's not just the code, it's also the infrastructure design.

Go to Tor HackBB [1] — http://clsvtzwzdgzkjda7.onion/

• On your blog titled “Online Security Basic -should I use encryption” you give some great information. What encryption programs, methods or tips do you recommend for some of the less computer savvy users?

Well first of all, here [below] is my public key if you want to send me a message. I use FileVault and encrypt my hard drive, but I forgot my password – that's my story and I'm sticking to it..;) I use GnuPG. Since I'm not doing skunk work, and I'm not a spy, I try to go with open-source type programs; yes, they are a little harder to learn but I feel safer with the open aspect of it. In security we have a motto – trust but verify – I can verify these open source programs.

One thing that the average user needs to do is to make their privacy a key part in their cyber life. When you start down the security rabbit hole it’s an active step in your cyber lifestyle.

Privacy is a personal thing; when I'm looking for Preparation H I don't want Google, Yahoo or Amazon to know about this medical problem, it's kinda personal, private. But when I'm trolling on Huffington Post it's another world.



[1] Conversation online on the HackBB website about Tor botnets


[1] Tor-controlled botnet

Re: Tor-controlled botnet

by BotCoder » Fri May 18, 2012 5:50 pm

Good news! I compiled TOR from source and there is no GUI or tray icon if you skip the installer step.

Here is the info to compile from source (you can skip the installer part and build a silent one yourself):



## Instructions for building Tor with MinGW (http://www.mingw.org/)

Stage One:  Download and Install MinGW.

Download mingw:

Download msys:

Download msysDTK:

Install MinGW, msysDTK, and MSYS in that order.

Make sure your PATH includes C:\MinGW\bin.  You can verify this by right clicking on "My Computer", choose "Properties", choose "Advanced", choose "Environment Variables", select PATH.

Start MSYS(rxvt).

Create a directory called "tor-mingw".

Stage Two:  Download, extract, compile openssl

Download openssl:

Extract openssl:

Copy the openssl tarball into the "tor-mingw" directory.

Type "cd tor-mingw/"

Type "tar zxf openssl-0.9.8l.tar.gz"

(Note:  There are many symlink errors because Windows doesn't support symlinks.  You can ignore these errors.)

Make openssl libraries:

Type "cd tor-mingw/openssl-0.9.8l/"

Type "./Configure -no-idea -no-rc5 -no-mdc2 mingw"

Edit Makefile and remove the "test:" and "tests:" sections.

Type "rm -rf ./test"

Type "cd crypto/"

Type "find ./ -name "*.h" -exec cp {} ../include/openssl/ \;"

Type "cd ../ssl/"

Type "find ./ -name "*.h" -exec cp {} ../include/openssl/ \;"

Type "cd .."

Type "cp *.h include/openssl/"

Type "find ./fips -type f -name "*.h" -exec cp {} include/openssl/ \;"

# The next steps can take up to 30 minutes to complete.

Type "make"

Type "make install"

Stage Three:  Download, extract, compile zlib

Download zlib source:

Extract zlib:

Copy the zlib tarball into the "tor-mingw" directory

Type "cd tor-mingw/"

Type "tar zxf zlib-1.2.3.tar.gz"

Make zlib.a:

Type "cd tor-mingw/zlib-1.2.3/"

Type "./configure"

Type "make"

Type "make install"

Stage Four: Download, extract, and compile libevent

Download the latest libevent release:

Copy the libevent tarball into the "tor-mingw" directory.

Type "cd tor-mingw"

Extract libevent.

Type "./configure --enable-static --disable-shared"

Type "make"

Type "make install"

Stage Five:  Build Tor

Download the current Tor alpha release source code from https://torproject.org/download.html.

Copy the Tor tarball into the "tor-mingw" directory.

Extract Tor:

Type "tar zxf latest-tor-alpha.tar.gz"

cd tor-<version>

Type "./configure"

Type "make"

You now have a tor.exe in src/or/.  This is Tor.

You now have a tor-resolve.exe in src/tools/.

Stage Six:  Build the installer

Install the latest NSIS:

Run the package script in contrib:

From the Tor build directory above, run:

The resulting Tor installer executable is in ./win_tmp/.


gAtOmAlO Public Key-



Profiling a Corporation -metadata attack vector

gAtO sEe – that in today's world getting a corporate profile for an attack plan has become easy, thanks to the corporations' own fault. This leads down the road to ruined corporate reputation, stolen IP (intellectual property), lost competitive advantage and loss of data. Of course social activists, criminals, competitors and national governments use the technology against them to get unhidden access to your networks. How?

Metadata information leaks by the corporation and their employees. According to research that retrieved the metadata in company documents, 71% of Forbes 2000 companies may be using vulnerable and out-of-date versions of Microsoft Office and Adobe software, which allows hackers to identify —>

usernames, email addresses, network details and vulnerable software versions to implement an Advanced Persistent Threat (APT).

Metadata in documents that your company distributes constitutes an information leak, and it can provide all kinds of information to any attacker. The high tech sector publishes more documents across websites than any other industry. Something else: your employees on LinkedIn give all kinds of information about your company and your plans, and even employment ads can help a potential hacker know what you are doing and maybe design the APT geared towards that subject.
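An added example, not the post's own tooling, of what the metadata leak looks like inside a published .docx and how to strip it before the file goes out; the sample document, its author, build number and file-server path are all constructed values.

```python
"""Find and strip the document metadata the post warns about.

Added example, not from the post: a .docx is a zip whose docProps/core.xml
and docProps/app.xml carry the author, the last editor and the exact Office
build, the fields an attacker profiles.  The document below is constructed
in memory, not a real file.
"""
import io
import re
import zipfile

CORE = "docProps/core.xml"
APP = "docProps/app.xml"

# Fields that tie a published file to a person, a machine or a software version.
LEAKY_FIELDS = {
    CORE: ("dc:creator", "cp:lastModifiedBy"),
    APP: ("Application", "AppVersion", "Company", "Template"),
}


def build_sample_docx():
    """Constructed sample with the minimum parts needed to show the leak."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
        'package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        "<dc:title>Q3 plan</dc:title>"
        "<dc:creator>jsmith</dc:creator>"                       # username
        "<cp:lastModifiedBy>CORP\\jsmith</cp:lastModifiedBy>"    # domain\\user
        "</cp:coreProperties>"
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/'
        '2006/extended-properties">'
        "<Application>Microsoft Office Word</Application>"
        "<AppVersion>12.0000</AppVersion>"                       # exact build
        "<Company>Example Corp</Company>"
        "<Template>\\\\fileserver01\\templates\\memo.dotx</Template>"  # internal host
        "</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr(CORE, core)
        z.writestr(APP, app)
    return buf.getvalue()


def _tag_re(tag):
    """Match one flat element <tag ...>text</tag>; these parts have no nesting."""
    t = re.escape(tag)
    return re.compile(r"<%s(?:\s[^>]*)?>(.*?)</%s>" % (t, t), re.S)


def extract_metadata(docx_bytes):
    """Return {field: value} for every leaky field present in the file."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        for part, tags in LEAKY_FIELDS.items():
            if part not in names:
                continue
            xml = z.read(part).decode("utf-8")
            for tag in tags:
                m = _tag_re(tag).search(xml)
                if m and m.group(1):
                    found[tag] = m.group(1)
    return found


def scrub(docx_bytes):
    """Copy of the file with the leaky elements removed; other parts untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename in LEAKY_FIELDS:
                xml = data.decode("utf-8")
                for tag in LEAKY_FIELDS[info.filename]:
                    xml = _tag_re(tag).sub("", xml)
                data = xml.encode("utf-8")
            dst.writestr(info.filename, data)
    return out.getvalue()


def part_names(docx_bytes):
    """Sorted zip members, to confirm the content survived scrubbing."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return sorted(z.namelist())


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", extract_metadata(doc))
    print("after: ", extract_metadata(scrub(doc)))
```

Run the extract step over every document on your public web server to see what the post is talking about; the scrub step belongs in the publishing pipeline, not after the fact.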

Remember, today's cyber attackers have support from lots of eyes and ears; like hacktivists, they have many people that can scan your website and look for information that can help the attack. You have 3 different attack vectors to worry about today:

  • IP based attacks
  • Web-Software attacks
  • Information Attacks

Corporate America, take care of your metadata or it will bite you hard -gAtO oUt


AnonPaste is bull-caca

gAtO sAy'S – The anointment of anonpaste.tk is bullshit; skidpaste.org has been around for a long time doing the same thing and no hoopla, but add anonymous and https and it's a new secure thing. Come on folks, anonymous is using you to promote stuff and we swallow it hook, line and sinker.

http://www.peoplesliberationfront.net/ is the backbone of this site and anonpaste.tk is using iframes to do its dirty work. Remember Commander X, the homeless hacker? Is he really behind all this? The marquee will have you believe that too.

The Anonpaste coders tell you that they are using http://sebsauvage.net/wiki/doku.php?id=php:zerobin PHP:ZEROBIN

ZeroBin is a minimalist, open source online pastebin/discussion board where the server has zero knowledge of hosted data. Data is encrypted/decrypted in the browser using 256-bit AES. You can test it online.


Now ZeroBin is good code and the People's Liberation Front has an Islamic skew on things. gAtO does not like the smell of this and will continue to investigate, but really. Oh, before I forget, both sites, PLF and Anonpaste, use the same BITCOIN. fUnNy — trust but verify -gAtO-oUt.

Info : http://www.peoplesliberationfront.net/


domain: peoplesliberationfront.com

reg_created: 2011-07-16 17:34:28

expires: 2013-07-16 17:34:28

created: 2011-12-30 23:42:17

changed: 2012-01-08 20:25:24

transfer-prohibited: yes

ns0: erin.ns.cloudflare.com



nic-hdl: RL2846-GANDI

organisation: ~

person: Reno Lee

obfuscated: Obfuscated by Gandi

address: (Gandi) 63-65 boulevard Massena

zipcode: (Gandi) 75013

city: (Gandi) Paris

country: (Gandi) France

phone: (Gandi) +33.170377666

fax: (Gandi) +33.143730576

email: 8425522c354f28b5cfa19f50f45512d1-1422957@contact.gandi.net

lastupdated: 2011-12-30 21:20:50






Cyber threats the joker and the thief

gAtO FoUnD – a report on the continued threat of vulnerabilities within Web applications and mobile applications, which also outlines specific vulnerabilities with cloud-based implications. Also an alarming trend for security professionals, in the form of the continued prevalence of critical application layer vulnerabilities, such as Cross Site Scripting (XSS) and SQL Injection. Though there are existing fixes for these well-known vulnerabilities, these flaws continued to dominate, with XSS climbing to a staggering 38 percent of total Web vulnerabilities, increasing slightly from the second half of 2010. SQL Injection accounted for 15 percent of the total number of Web vulnerabilities.

Web vulnerabilities
  • In the first two months of 2012, 59 percent of all reported security vulnerabilities were Web vulnerabilities
  • In 2011, Cross Site Scripting (XSS) accounted for 38 percent of total Web vulnerabilities

“As businesses worry about the next big security threat, they fail to realize the threats that are right in front of them,” said John Weinschenk, CEO of Cenzic. “From an industry-wide perspective, the fact that the amount of well-known vulnerabilities continues to persist is a signal that education, diligence, and proper coding during the development phase are a necessity in today's cyber world. Real change can only happen by adhering to these principles.”

Mobile vulnerabilities
  • A total of 89 mobile vulnerabilities were made public in 2011 and so far in 2012 (Jan-Feb) 11 mobile vulnerabilities have been made public.
  • Sensitive Information Disclosure (28 percent) and Session Authentication and Authorization (28 percent) make up the bulk of the


The recent report also details the vulnerabilities related to cloud and mobile device usage, noting a total of 89 mobile vulnerabilities were made public in 2011, while out of a set of 1201 publicly reported vulnerabilities 855 had cloud-based security implications. As mobile devices continue to be used to access online cloud computing platforms, emerging hybrid vulnerabilities have developed as well.

Cloud vulnerabilities
  • In 2011, out of a set of 1201 publicly reported vulnerabilities 855 had cloud based security implications
  • Specific security vulnerabilities were found in cloud-based applications including EyeOS, OrangeHRM, The Parallels Plesk Panel, Oracle Fusion Middleware, Batavi E Commerce, deV!ls ClanPortal, and


The growing demand for cloud applications and mobile devices that access them is creating a unique problem. Each has its own set of security issues, but when used in tandem, they can produce hybrid vulnerabilities that compound threats and increase the complexity of secure coding. By exploiting vulnerabilities in a mobile application a hacker can open up an attack vector to a preexisting vulnerability on the cloud-based application -gAtO oUt



Supply Chain Cyber Attack

gATO rEaDiNg – 2012 Mandiant “An Evolving Threat” and Trend-Micro LuckyCat ReDux reports. Great reading for any security geek, but most important it's about the business side of the hack. Take the old smash and grab of financial information and split town, process the financial windfall and party like it's 2999. Now it's more beneficial for the criminals to stay inside the victims' servers and collect intelligence and espionage. Ok, let the gAtO break it down for you, not as a criminal, that's easy, as a state actor: I would go after AeroSpace, Energy, Shipping, Military Research, Engineering, India and Tibetan Activists… Wait a minute, India, a Tibetan Activist group, oh yeah, you know it's China, but this is to be expected from China. Now the new spin is why would they go into banks and use advanced persistent threats (APTs) hacks? Well, as gAtO understands it the Chinese have a shit load of MONEY — follow the money is not only an American thing, it's for every player in the world.

We have to look at the data through three different sets of eyes (magnifying glass with gAtO's old EyE's) but it's still the same – Your data (ALL your little company secrets) needs protection.

Here is the Score-Card: your Business — versus – Competition, Government, Criminals, Hacktivists, Economic Espionage, Nuisance Hackers. On top of all this, 94% of victims were notified by an external entity that they were hacked. If that doesn't send chills down every board member in every company in the world, nothing does.

Here you are doing your business and let's be frank, some businesses, well, they walk a thin line sometimes, like dumping medical and radioactive waste on a beach in New Jersey (I know Snooki lives there). Is your company maybe polluting the ground water for a 100 mile radius of the plant? This is not the information that they want hackers, or the press, to get a hold of. “Remember Rupert Murdoch's news hacking empire – hey, hack anyone for a buck”

Protect Customer Data: yeah, companies and governments want to protect it, but their little illegal/legal stuff companies do, like hiding the report of the offshore oil well that just blew up and spilled all kinds of stuff all over the Gulf coast. These are the real things that keep business people up at night worrying about hackers; it's plain and simple cover your ass and let's get that no-bid government contract after we pay off the senator, and we better encrypt that information…..

Hackers come in all flavors but if you look at the LuckyCat crewz these are very unique. Not only real computer scientists but marketing campaign and project management. They use dual-tier C&C (Command and Control); they use the victims' supply chain to move laterally across trusted networks in order to be more invisible. Invisible takes a new trend here: these hackers hide their code in plain sight, they used older malware as insertion points sometimes and of course social engineering to gain access.

Bottom line, these new hackers are business-men, they are governments, they are commercial criminals, they are hacktivists or they are a lone wolf hacker. Companies are finally getting the message. Protect your data, not just your customer's data, but all your little secrets, because if you're online someone is watching you, and that can be a 15 year old kid or a dual master's degree in computer technology that is unemployed or works for a government. Trust but verify takes on a new meaning now -gAtO oUt

lab notes – The report, which is based on hundreds of advanced threat investigations conducted over the past year, includes analysis, statistics and case studies that highlight how advanced and motivated attackers are stealing sensitive intellectual property and financial assets.

Malware Only Tells Half of the Story: Organizations' investments in malware detection and antivirus capabilities, while effective in detecting characteristics associated with common worms, botnets, and drive-by downloads, do little to help defend against targeted intrusions.

The use of these publicly available tools has added some complexity to identifying threat actors because when organizations identify a piece of publicly available malware they often cleanse the file and — in the process — obscure what could be a larger incident.

It's unclear why banks wouldn't already be looking for unusual settlement activity and conducting daily monitoring, but there it is. At any rate, “high-risk” merchants generally handle the dicey and vicey types of online commerce, such as Internet gaming, adult Web sites, rogue anti-virus software sales and online pharmacies. Might be a good idea to keep an extra close eye out for these types of unauthorized charges over the next few days.


Cyber-Criminals -You got to change your evil ways

gAtO rEaD – Cyber-criminals are slowing their web app attacks and working their VoDoo with social networks and mobile devices. IBM's semiannual report shows interesting trends. On the spam email attacks front +++ we are on the decline compared to 2010, but APTs (Advanced Persistent Threats) were up. Commercial criminals are quickly adapting to lateral and supply chain intrusions.

This is now true for the financial sector too. The traditional dump-and-run (the method of grabbing as much financial data as you can and running) is giving way to attackers who put in the time to stay persistent in the shadows of the system, drawing out not just the CC (credit card $$) data but the PII (Personally Identifiable Information), and the company’s intellectual property is becoming more lucrative than hard-cash scams. IBM also found that 36% of the companies it compared still had previously identified vulnerabilities unpatched by the end of the year, compared to 43 percent in 2010.

** – “if the patches were maintained then they wouldn’t have hacked the network”. Always test your patch first against everything on your network, or else you’re putting your company on the line. – **

Web applications are safer, with the number of applications vulnerable to cross-site scripting attacks down 50 percent compared with 2007. SQL injection attacks, in particular, continue to be a thorn in the side of Web applications due to the availability of automated tools. IBM also detected a 200 to 300 percent jump in so-called “shell injection” attacks from January to December. And toward the end of the year, IBM researchers noticed a spike in SSH password cracking attempts.

The decline in vulnerabilities belies the rise in security breaches, and raises the question: Are cyber-criminals getting smarter than the IT professionals charged with securing their company’s IT systems? Or maybe we’re just expecting too much from the security pros? It may be the latter. In February, security software firm LogRhythm declared that 75 percent of security professionals “lack confidence in their ability to address cyber threats.” The number is the result of an unscientific study of only 200 people who answered a questionnaire online. But it does hint at the existence of a skills gap when it comes to defending corporate IT systems.

Just as the tools and tactics are changing in the ongoing IT cyber war, so is the battleground. In the future, corporate security pros will need to focus a lot more on social media and mobile computing than they are now–especially as corporations continue to connect their core business systems to mobile devices and social networking tools.-gAtO oUt

For a copy of the X-Force 2011 Trend and Risk Report, see www.ibm.com/security/xforce


Hacking Cheat Sheet

gAtO fOuNd – this in the BadStore pen-testing training e-book. The fUnNy thing is, it is really a guide for a DIY hacking project written in 2005 but still true today. Oh well, here it is… “in the BoX

THIS IS A TEST BOX FOR PEN TESTERS _ If you really want to know where the vulnerabilities exist in BadStore.net, read on:

  •  Robots.txt directory disclosure (http://www.badstore.net/robots.txt).
  •  Apache platform attacks (run Nessus and Nikto.)
  •  SQL Injection in Search and Login functions – including DROP and UNION (try logging in as a normal user with joe' OR 1=1 OR 'mary as a simple example.)
  •  Blind SQL Injection in Supplier Login (try single quote ('), OR 1=1, OR 1=1--, and other SQL commands and watch them fail, until you hit the “magic” combination.)
  •  Cross-Site Scripting (XSS) in Guestbook, URLs, Search (try alert('This is an XSS
  •  Credential Disclosure via proxy, XSS, and Brute Force (use proxy to decode the Base-64 encoded SSOID cookie, try <script>alert(document.cookie)</script>, and run Brutus to force a
  •  Command Injection via Parameter Tampering.
  •  Privilege Escalation via Cookie and Hidden Field Tampering (what’s that Role parameter?)
  •  Ability to decode cookies and view sensitive information (use the proxy.)
  •  “Secret” Admin access via URL parameter (try ?action=admin in the URL.)
  •  Access to Supplier Portal through Referer header manipulation, cookie, SQL Injection (use proxy to manipulate Referer header and cookie, try logging in to the form using SQL Injection
  •  Denial of Service (DoS) to application and platform.
  •  Ability to obtain free or discounted merchandise (use the proxy to manipulate the CartID cookie.)
  •  Site Defacement (you can upload files from the Supplier Portal – can you also traverse
  •  MD5-hashed passwords, many of which are easily crackable (try John the Ripper.)
  •  PII – Personally Identifiable Information disclosure, including Credit Cards (in Previous Orders and Secret Admin Portal.)
  •  Ability to login without a known password (try SQL Injection and Brute Force.)
  •  Ability to view others’ orders and information (use proxy to manipulate cookie.)

This is a checklist that every admin should have in his back pocket. It’s all “in the BoX” and outside of it: a guide to what the bad guys are doing and thinking.
Add a little social engineering and a little spear phishing to this bag of tricks and you’ve got a good plan. This is from 2005, that’s 7 years ago, BEFORE Twitter and Facebook were even babies. The things that you find on the internet are amazing – gAtO oUt
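Several items on that cheat sheet (decode the Base-64 SSOID cookie, change the Role parameter, alter the CartID cookie, view others’ orders) come down to one design flaw: the server trusts a client-held value that nothing authenticates. The added example below, which is not code from BadStore or the e-book, puts such an unsigned base64 cookie beside one carrying an HMAC-SHA256 tag and shows that the same role edit is accepted by the first and rejected by the second; the field layout, the role codes “U”/“A” and the key are assumptions.

```python
import base64
import hashlib
import hmac

# Constructed demo key; a real server loads it from secret storage, never from source.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def encode_unsigned_cookie(fields):
    """Cookie in the style the cheat sheet describes: base64 of colon-joined
    fields (email, password hash, name, role). Base64 encodes; it protects nothing."""
    return base64.b64encode(":".join(fields).encode()).decode()


def decode_unsigned_cookie(cookie):
    """Server side that trusts whatever the client sent back."""
    return base64.b64decode(cookie).decode().split(":")


def encode_signed_cookie(fields):
    """Hardened form: same payload plus an HMAC-SHA256 tag computed with the server key."""
    payload = base64.b64encode(":".join(fields).encode()).decode()
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def decode_signed_cookie(cookie):
    """Returns the fields only if the tag verifies; any edit to the payload yields None."""
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return base64.b64decode(payload).decode().split(":")


def rewrite_role(cookie, new_role):
    """Test helper mimicking the proxy edit from the cheat sheet: decode the payload,
    change the fourth (role) field, re-encode, and leave any tag exactly as it was."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:  # unsigned cookie: the whole string is the payload, there is no tag
        payload, tag = cookie, ""
    fields = base64.b64decode(payload).decode().split(":")
    fields[3] = new_role
    return base64.b64encode(":".join(fields).encode()).decode() + sep + tag


if __name__ == "__main__":
    # Constructed record; role codes "U" (user) and "A" (admin) are assumed, not BadStore's.
    user = ["joe@example.test", hashlib.md5(b"password").hexdigest(), "Joe User", "U"]
    print(decode_unsigned_cookie(rewrite_role(encode_unsigned_cookie(user), "A")))
    print(decode_signed_cookie(rewrite_role(encode_signed_cookie(user), "A")))
```

The same tag check covers the CartID and order-lookup items: any client-side value the server acts on gets signed, and a failed verification is worth logging as a tampering attempt rather than silently treating as a bad cookie.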