OWASP OWTF – Offensive Web Testing Framework

OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.

OWASP OWTF - Offensive Web Testing Framework

The purpose of this tool is to automate the manual and uncreative parts of pen testing. For example, Figuring out how to call “tool X” then parsing results of “tool X” manually to feed “tool Y” and so on is time consuming.

By reducing this burden we hope pen testers will have more time to:

  • See the big picture and think out of the box,
  • Find, verify and combine vulnerabilities efficiently,
  • Have time to Investigate complex vulnerabilities like business logic, architectural flaws, virtual hosting sessions, etc.
  • Perform more tactical/targeted fuzzing on seemingly risky areas
  • Demonstrate true impact despite the short time-frames we are typically given to test.



This tool is however not a silver bullet and will only be as good as the person using it. Understanding and experience will be required to correctly interpret the tool output and decide what to investigate further in order to demonstrate the impact.

Features

  • Web UI. Now configure and monitor OWTF via a responsive and powerful interface accessible via your browser.
  • Exposes RESTful APIs to all core OWTF capabilties.
  • Instead of implementing yet another spider (a hard job), OWTF will scrub the output of all tools/plugins run to gather as many URLs as possible.
  • Scan by various aggression levels: OWTF supports scans which are based on the aggressiveness of the plugins/tools invoked.
  • Extensible OWTF manages tools through ‘plugins’ making it trivial to add new tools.
  • OWTF has been developed keeping Kali Linux in mind, but it also supports other pentesting distros such as Samurai-WTF, etc.
  • Tool paths and configuration can be easily modified in the web interface.
  • Fastest Python MiTM proxy yet!
  • Crash reporting directly to Github issue tracker
  • Comprehensive interactive report at end of each scan
  • Easy plugin-based system; currently 100+ plugins!
  • CLI and web interface

You can download OWASP OWTF here:



Or read more here.


via http://ift.tt/2dpJqsK

(IN)SECURE Magazine issue 51 released

(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics. Issue 51 has been released today.

(IN)SECURE Magazine issue 51

Table of contents

  • Hacking is the new espionage
  • New hyper-evasive threats are killing sandboxing as we know it
  • How to choose a perfect data control solution for your enterprise
  • What can Microsoft Patch Tuesday tell us about security trends in 2016?
  • Security experts are from Mars, business owners are from Venus
  • Report: Black Hat USA 2016
  • Build your own endpoint security stack
  • Securing your spot at the top: How to collaborate and when to compete
  • Shift from detection to response requires rethinking security infrastructure
  • Is your business still HIPAA complaint after the 2016 federal changes?
  • Encryption for the Internet of Things
  • Preparing for new EU cyber-security rules and regulations.

via http://ift.tt/2cIYmjt

The massive Yahoo hack ranks as the world’s biggest — so far

When Yahoo said on Thursday that data from at least 500 million user accounts had been hacked, it wasn’t just admitting to a huge failing in data security — it was admitting to the biggest hack the world has ever seen. Until Thursday, the previous largest known hack was the 2008 breach that hit almost 360 million MySpace accounts, according to a ranking by the "Have I been pwned" website.

via http://ift.tt/2deEZ58

500 Million Yahoo Accounts Stolen By State-Sponsored Hackers

Yahoo says it was the victim of state-sponsored hackers who stole information associated with 500 million accounts.

Yahoo CISO Bob Lord said the attack happened on the company’s network in late 2014; he did not name the country responsible.

“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” Lord said in a statement. “The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.”

Yahoo, which said law enforcement is investigating the breach, believes the attackers are no longer on its network. The confirmation of the attack comes as Verizon continues its $4.83 billion acquisition of Yahoo’s core business. It’s unknown how the news of the attack will impact the deal going forward.

Affected users are going to be notified via email and Yahoo will force a password reset and also urge the use of multifactor authentication, including its Yahoo Account Key. Yahoo has also invalidated unencrypted security questions and answers for affected accounts, and recommends that all users change their passwords if they haven’t done so since 2014.

“An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries,” Lord said. “Through strategic proactive detection initiatives and active response to unauthorized access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure.”

Yahoo’s confirmation comes after an Aug. 1 report that said a cache of 200 million Yahoo user credentials were put up for sale on a dark web site called The Read Deal by a hacker who goes by the handle “Peace” or “peace_of_mind.” The asking price was 3 Bitcoin, or about $1,800 USD.

Initially, it was believed that the data stolen in the attack dated back to 2012. Given that users will reuse passwords over and over for different accounts online, the stolen credentials can give the attackers access to multiple accounts belonging to the same victim.

Already this year, a number of high-profile websites have had user account information and credentials dumped online. Most of those leaks, however, have been data accumulated from a number of locations online stolen in a number of older breaches.

The Yahoo breach represents the largest number of stolen credentials to date this year (a collection of 470,000 MySpace credentials was put online earlier this year).

LeakedSource, an subscriber-based aggregator of personal data found online, told Threatpost that two files containing Yahoo credentials have been available for years, including a sample text file containing 5,000 credentials, and an encrypted file containing 40 text files claiming to be from Yahoo. “We have both of them as well as the decryption key for the 40 text files which we determined to be fake,” LeakedSource said. “The 5,000 sample however may be real and provide enough evidence for Yahoo to begin resetting passwords.”

via http://ift.tt/2cGuSRh

Free PowerPoint Add-In Helps You Create Timelines

Office Timeline Power Point add-inIf you’re a user of Microsoft PowerPoint, here’s a great add-in which makes it really easy to create timeline slides.

You mean you don’t know what a timeline is? It’s a line across the slide which represents a period of time. You then put little pieces of text or icons along that line to indicate events that will, might, did, or didn’t happen. Timelines are great for project planning, documenting a child’s progress, and loads of other things too.

The add-in you need is called Office Timeline, which you’ll find at http://ift.tt/Jcex5j as a free download of around 12 MB. The file is malware-free according to VirusTotal and Web of Trust. You install it just like any other software, after which you’ll find an Office Timeline menu available in PowerPoint, and some demo presentations also installed to help you understand how it works.

The Pro version of Office Timeline, at around $50 per year, includes some additional templates, but the free version is still very useful and usable. If you already use PowerPoint, give it a try.

via http://ift.tt/2cD7shB

Data hoarding site LeakedSource could make hacking easier

A site that’s been warning the public about data breaches might actually be doing more harm than good.

Enter LeakedSource, a giant repository online that can potentially make hacking easier. Your email address and the associated Internet accounts — including the passwords — is probably in it.

Tags: 

via http://ift.tt/2cngOjv

Mamba Ransomware Encrypts Hard Drives Rather Than Files

Just when we thought ransomware’s evolution had peaked, a new strain has been discovered that forgoes the encryption of individual files, and instead encrypts a machine’s hard drive.

The malware, called Mamba, has been found on machines in Brazil, the United States and India, according to researchers at Morphus Labs in Brazil. It was discovered by the company in response to an infection at a customer in the energy sector in Brazil with subsidiaries in the U.S. and India.

Renato Marinho, a researcher with Morphus Labs, told Threatpost that the ransomware is likely being spread via phishing emails. Once it infects a machine, it overwrites the existing Master Boot Record with a custom MBR, and from there, encrypts the hard drive.

“Mamba encrypts the whole partitions of the disk,” Marinho said. “It uses a disk-level cryptography and not a traditional strategy of other ransomware that encrypts individual files.”

The malware is a Windows threat, and it prevents the infected computer’s operating system from booting up with out a password, which is the decryption key.

The victims are presented with a ransom note demanding one Bitcoin per infected host in exchange for the decryption key and it also includes an ID number for the compromised computer, and an email address where to request the key.

Mamba joins Petya as ransomware targeting computers at the disk level. Petya encrypted the Master File Table on machines it infected. Mamba, however, uses an open source disk encryption tool called DiskCryptor to lock up the compromised hard drives.

Petya was a game-changer among ransomware families. It spread initially among German companies targeting human resources offices. Emails were sent that contained a link to a Dropbox file that installed the ransomware. The malware showed the victim a phony CHKDSK process while it encrypted the Master File Table in the background.

Researchers quickly analyzed Petya’s inner workings and by understanding its behavior, were able to build a decryptor shortly after the first infections were disclosed.

More than a month after Petya surfaced, a variant was found that included a new installer. If the installer failed to install Petya on the compromised machine, it installed a less troublesome ransomware strain known as Mischa. Petya included an executable requesting admin privileges that caused Windows to flash a UAC prompt; if the victim declined at the prompt, the malware would install Mischa instead of Petya.

Mischa behaves like most of the ransomware many are familiar with. Once the victim executes link sent in a spam or phishing email, the malware encrypts local files and demands a ransom of 1.93 Bitcoin, or about $875 to recover the scrambled files.

via http://ift.tt/2cFo7RQ

Identity and personal data theft account for 64% of all data breaches

Data breaches increased 15% in the first six months of 2016 compared to the last six months of 2015, according to Gemalto.

Breach Level Index

Worldwide, there were 974 reported data breaches and more than 554 million compromised data records in the first half of 2016, compared to 844 data breaches and 424 million compromised data records in the previous six months. In addition, 52% percent of the data breaches in the first half of this year did not disclose the number of compromised records at the time they were reported.

Breach Level Index

The Breach Level Index is a global database that tracks data breaches and measures their severity based on multiple dimensions, including the number of records compromised, the type of data, the source of the breach, how the data was used, and whether or not the data was encrypted. By assigning a severity score to each breach, the Breach Level Index provides a comparative list of breaches, distinguishing data breaches that are a not serious versus those that are truly impactful.

According to the Breach Level Index, more than 4.8 billion data records have been exposed since 2013 when the index began benchmarking publicly disclosed data breaches. For the first six months of 2016, identity theft was the leading type of data breach, accounting for 64% of all data breaches, up from 53% in the previous six months. Malicious outsiders were the leading source of data breaches, accounting for 69% of breaches, up from 56% in the previous six months.

“Over the past twelve months hackers have continued to go after both low hanging fruit and unprotected sensitive personal data that can be used to steal identities,” said Jason Hart, VP and CTO for Data Protection at Gemalto. “The theft of user names and account affiliation may be irritating for consumers, but the failure of organizations to protect sensitive personal information and identities is a growing problem that will have implications for consumer confidence in the digital services and companies they entrust with their personal data.”

Healthcare data breaches increase 25%

Across industries, the healthcare industry accounted for 27% of data breaches and saw its number of data breaches increase 25% compared to the previous six months. However, healthcare represented just 5% of compromised data records versus 12% in the previous six months.

Government accounted for 14% of all data breaches, which was the same as the previous six months, but represented 57% of compromised records.

Financial services companies accounted for 12% of all data breaches, a 4% decline compared to previous six months, but accounted for just 2% of compromised data records.

Retail accounted for 11% of data breaches, and declined 6% versus the previous six months, and accounted for 3% of compromised data records.

Education accounted for 11% of data breaches and represented less than one percent of all compromised records. All other industries represented 16% of data breaches and 16% of compromised data records.

In terms of top three geographic regions for reported data breaches, 79% were in North America, 9% were in Europe, and 8% were in Asia-Pacific.

Breach Level Index

Not all data breaches are equal

As data breaches continue to grow in frequency and size, it is becoming more difficult for consumers, government regulatory agencies and companies to distinguish between nuisance data breaches and truly impactful mega breaches,” said Jason Hart, VP and CTO for Data Protection at Gemalto. “News reports fail to make these distinctions, but they are important to understand because each have different consequences. A breach involving 100 million user names is not as severe as a breach of one million accounts with social security numbers and other personally identifiable information that are used for financial gain.”

“In this increasingly digital world, companies, organizations and governments are storing greater and greater amounts of data that has varying levels of sensitivity. At the same time, it is clear that data breaches are going to happen and that companies need to shift from a total reliance on breach prevention to strategies that help them secure the breach. That is why more focus needs to be understanding what really constitutes sensitive data, where it is stored, and using the best means to defend it. At the end of the day, the best way to protect data is to kill it. That means ensuring user credentials are secured with strong authentication and sensitive data is protected with encryption so it is useless to the thieves.”

via http://ift.tt/2cqENwH

Chinese researchers hijack Tesla cars from afar

Tesla car owners are urged to update their car’s firmware to the latest version available, as it fixes security vulnerabilities that can be exploited remotely to take control of the car’s brakes and other, less critical components.

The vulnerabilities were discovered by researchers from Tencent’s Keen Security Lab, and responsibly disclosed to Tesla. The company’s Product Security Team confirmed them, and implemented fixes in the latest version of the firmware.

Tencent’s researchers understandably didn’t reveal details about the flaws, but have provided a video demonstration of the attacks:

VIDEO

They have managed to remotely open various Tesla cars’ sunroof, turn on the blinkers, move the car seat, and open doors, all while the cars were in parking mode. But they have also managed to control windshield wipers, fold the side rearview mirrors, open the trunk, and manipulate the brakes from 12 miles away.

“As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars. We have verified the attack vector on multiple varieties of Tesla Model S. It is reasonable to assume that other Tesla models are affected,” they noted.

“The issue demonstrated is only triggered when the web browser is used (web browser functionality not enabled in Australia). Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly,” a Tesla spokesperson told ZDNet.

The software update fixing the flaws has already been deployed over-the-air, so details about them should soon be revealed.

via http://ift.tt/2cro7F6

BBQSQL – Blind SQL Injection Framework

BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard to trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile. It also has an intuitive UI to make setting up attacks much easier. Python gevent is also implemented, making BBQSQL extremely fast.

BBQSQL - Blind SQL Injection Framework

Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don’t you have to write something custom. This is time-consuming and tedious. BBQSQL can help you address those issues.

Features

The most important thing to note about BBQSQL is that it doesn’t care about the data or database, whilst most SQL Injection tools are built with specific databases or languages in mind.

  • Exploits Blind SQL Injection Vulnerabilities
  • Semi-Automatic
  • Database Agnostic
  • Versatile
  • Utilises Two Search Techniques (binary_search & frequency_search)
  • Concurrent HTTP requests
  • Config Import/Export
  • Custom Hooks
  • Fast

Usage

Similar to other SQL Injection tools you must provide certain request information for the tool to work, for BBSQL this is:

  • URL
  • HTTP Method
  • Headers
  • Cookies
  • Encoding methods
  • Redirect behavior
  • Files
  • HTTP Auth
  • Proxies

Then specify where the injection is going and what syntax we are injecting.

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

root@darknet:~# bbqsql

    _______   _______    ______    ______    ______   __      

   |       \ |       \  /      \  /      \  /      \ |  \      

   | $$$$$$$\| $$$$$$$\|  $$$$$$\|  $$$$$$\|  $$$$$$\| $$      

   | $$__/ $$| $$__/ $$| $$  | $$| $$___\$$| $$  | $$| $$      

   | $$    $$| $$    $$| $$  | $$ \$$    \ | $$  | $$| $$      

   | $$$$$$$\| $$$$$$$\| $$ _| $$ _\$$$$$$\| $$ _| $$| $$      

   | $$__/ $$| $$__/ $$| $$/ \ $$|  \__| $$| $$/ \ $$| $$_____

   | $$    $$| $$    $$ \$$ $$ $$ \$$    $$ \$$ $$ $$| $$     \

    \$$$$$$$  \$$$$$$$   \$$$$$$\  \$$$$$$   \$$$$$$\ \$$$$$$$$

                     \$$$                \$$$

 

                   _.()._

                .‘         ‘.

               / ‘or ‘1‘=’1  \

               |‘-…___…-‘|

                \    ‘=’    /

                 `‘._____.’`

                  /   |   \

                 /.‘|’.\

              []/‘-.__|__.-‘\[]

                      |

                     []

 

    BBQSQL injection toolkit (bbqsql)        

    Lead Development: Ben Toews(mastahyeti)        

    Development: Scott Behrens(arbit)        

    Menu modified from code for Social Engineering Toolkit (SET) by: David Kennedy (ReL1K)    

    SET is located at: http://http://ift.tt/2d5nDTV

    Version: 1.0              

    

    The 5 Ss of BBQ:

    Sauce, Spice, Smoke, Sizzle, and SQLi

    

 

 

Select from the menu:

 

   1) Setup HTTP Parameters

   2) Setup BBQSQL Options

   3) Export Config

   4) Import Config

   5) Run Exploit

   6) Help, Credits, and About

 

  99) Exit the bbqsql injection toolkit

 

bbqsql>

HTTP Parameters

BBQSQL has many http parameters you can configure when setting up your attack. At a minimum you must provide the URL, where you want the injection query to run, and the method. The following options can be set:

  • files
  • headers
  • cookies
  • url
  • allow_redirects
  • proxies
  • data
  • method
  • auth

You specify where you want the injection query to be inserted by using the template ${injection}. Without the injection template the tool wont know where to insert the query.

You can download BBQSQL here:

bbqsql-v1.1.zip

Or read more here.

via http://ift.tt/2d5meg6