Tag: bug

Mar 24

The Palinopsia Bug

Is your VirtualBox reading your E-Mail? Reconstruction of FrameBuffers from VRAM

This document describes a method of reading and displaying previously used framebuffers from a variety of popular graphics cards. In all 4 tested laptops the content of the VRAM was not erased upon reboot. It is also possible to show that the content of the host VRAM can be accessed from a VirtualBox guest, thereby leaking possibly confidential information from a trusted host into an untrusted guest machine.

via The Palinopsia Bug.

Feb 13

Sysinternals Suite

The Sysinternals Troubleshooting Utilities have been rolled up into a single Suite of tools. This file contains the individual troubleshooting tools and help files. It does not contain non-troubleshooting tools like the BSOD Screen Saver or NotMyFault.

The Suite is a bundling of the following selected Sysinternals Utilities:

AccessChk

AccessEnum

AdExplorer

AdInsight

AdRestore

Autologon

Autoruns

BgInfo

CacheSet

ClockRes

Contig

Coreinfo

Ctrl2Cap

DebugView

Desktops

Disk2vhd

DiskExt

DiskMon

DiskView

Disk Usage (DU)

EFSDump

FindLinks

Handle

Hex2dec

Junction

LDMDump

ListDLLs

LiveKd

LoadOrder

LogonSessions

MoveFile

NTFSInfo

PendMoves

PipeList

PortMon

ProcDump

Process Explorer

Process Monitor

PsExec

PsFile

PsGetSid

PsInfo

PsPing

PsKill

PsList

PsLoggedOn

PsLogList

PsPasswd

PsService

PsShutdown

PsSuspend

RAMMap

RegDelNull

Registry Usage (RU)

RegJump

SDelete

ShareEnum

ShellRunas

Sigcheck

Streams

Strings

Sync

Sysmon

TCPView

VMMap

VolumeID

WhoIs

WinObj

ZoomIt

via Sysinternals Suite.

Jan 20

Attacking Android Applications With Debuggers

Attacking Android Applications With Debuggers.

Dec 13

An NSA spy station, right in the middle of Paris | BUG BROTHER

An NSA spy station, right in the middle of Paris | BUG BROTHER.

Oct 28

An enterprise of media terrorism (among other things) | BUG BROTHER

In the field of cryptography, it led to the creation of a Centre Technique d’Assistance (or CTA) intended to allow the intelligence services to try to decrypt the encrypted e-mails they may have intercepted. The LSQ also treated the use of encryption software as an aggravating circumstance, the law providing for a penalty of three years’ imprisonment and a fine of 45,000 euros for “the act, by anyone having knowledge of the secret decryption convention of a means of cryptology likely to have been used to prepare, facilitate or commit a crime or an offence, of refusing to hand over the said convention to the judicial authorities or to implement it, when so required by those authorities”.

via An enterprise of media terrorism (among other things) | BUG BROTHER.

Oct 28

Bug in Bash shell creates big security hole on anything with *nix in it [Updated] | Ars Technica

Bug in Bash shell creates big security hole on anything with *nix in it [Updated] | Ars Technica.

Jul 11

GostCrypt

The Gostcrypt project was launched at the end of 2013 as a fork of the (late) Truecrypt project. Snowden’s leaks have made clear more than ever that the massive use of encryption by citizens must become a reality. This is possible only if there is a vast, rich offer of trusted, open source products like Truecrypt, with the strong support of the hacker community. However, at that time we did not foresee the unprecedented upheaval of terrible shock with the recent Truecrypt disappearance. More than ever we all need more and more projects to replace it. Gostcrypt is one among (we hope) many others. The variety and richness of encryption solutions is THE solution.

But with Gostcrypt, we intend to go farther than ever. Since the late 70s, most of the algorithms used (not to say all) are UKUSA encryption systems that have been chosen, promoted and standardized under the control of the USA and its minions. It is more than likely that among the different levels of control, mathematical trapdoors are part of the game. We thus decided to use strong encryption systems (as far as we know and despite a few recent “manipulation papers” that have nothing to do with science and which mistake operational security for fantasy and which have been rejected recently again as non-valid [Babenko & Maro, 2014]) which moreover were not invasive as UKUSA ciphers are (mostly AES) by now. The Gost cipher and hash functions are not everywhere, have not invaded our systems and have been designed by the former USSR for its own need. Aside from the fact that it is indeed a very strong cipher (when correctly implemented and with suitable key management), this feature of non-aggressive technological expansion is a key point. GOST algorithms have never sought to spread and to impose on anyone. It has even been rejected from the ISO standardization process in 2012 as a consequence of fallacious, non-reproducible allegations of weakness.

Whatever may be the quality and features of a security project, it can be valid in the long run with trust only. Trust is only possible with open source code and above all with the active support of the hacking community, which will analyze the security, report bugs, make comments and contribute to the project. So welcome on board to everybody.

via GostCrypt.

Jul 08

50. Android (DRD) – java – CERT Secure Coding Standards

The following rules and guidelines are specific only to the Android platform. These do not apply to the development of Java or C programs for non-Android platforms. (The full set of Android-relevant rules and guidelines is here.) The term sensitive incorporates the Java glossary definition of sensitive data, as well as the Android concept of permission-protected.

DRD00-J. Do not store sensitive information on external storage (SD card) unless encrypted first

DRD01-J. Limit the accessibility of an app’s sensitive content provider

DRD02-J. Do not allow WebView to access sensitive local resource through file scheme

DRD03-J. Do not broadcast sensitive information using an implicit intent

DRD04-J. Do not log sensitive information

DRD05-J. Do not grant URI permissions on implicit intents

DRD06-J. Do not act on malicious intents

DRD07-J. Protect exported services with strong permissions

DRD08-J. Always canonicalize a URL received by a content provider

DRD09-J. Restrict access to sensitive activities

DRD10-J. Do not release apps that are debuggable

DRD11-J. Ensure that sensitive data is kept secure

DRD12-J. Do not trust data that is world writable

DRD13-J. Do not provide addJavascriptInterface method access in a WebView which could contain untrusted content. (API level JELLY_BEAN or below)

DRD14-J. Check that a calling app has appropriate permissions before responding

DRD15-J. Consider privacy concerns when using Geolocation API

DRD16-J. Explicitly define the exported attribute for private components

DRD17-J. Do not use the Android cryptographic security provider encryption default for AES

DRD18-J. Do not use the default behavior in a cryptographic library if it does not use recommended practices

DRD19-J. Properly verify server certificate on SSL/TLS

via 50. Android (DRD) – java – CERT Secure Coding Standards.

Jun 27

Sean-Der/fail2web · GitHub

a fail2ban GUI powered by fail2rest

fail2web

fail2web is a fail2ban GUI that communicates with a fail2ban instance via fail2rest

fail2ban allows you to administer the following

  • Failregex – Delete and add new failregexes
  • Banned IPs – Ban and unban IP addresses
  • Per Jail Config – Configure find time, max retry and usedns per jail, and view the filelist per jail

with the following features planned in the future

  • Reporting – Expose the time that an IP address was banned, and show trends via visualizations
  • Alerting – Desktop notification when an IP address is banned
  • Regex Testing – Testing ignore+fail regexes on your current logs to quickly build and debug regexes
  • More Jail Controls – Create new jails and expose more settings for current jails

via Sean-Der/fail2web · GitHub.

Jun 23

Patch NOW: Six new bugs found in OpenSSL – including spying hole • The Register

Patch NOW: Six new bugs found in OpenSSL – including spying hole • The Register.