Archive for October, 2012

TCHead is software that decrypts and verifies TrueCrypt headers. TCHead supports all the current hashes, individual ciphers, standard volume headers, hidden volume headers and system drive encrypted headers (preboot authentication).

Brute-forcing TrueCrypt: TrueCrypt passwords go through many key-derivation iterations, which strengthens them, so cracking them takes time and very strong passwords will not be cracked. In addition to trying multiple passwords, an attacker must try each password against every combination of hash and cipher (assuming these are not known beforehand). System-encrypted hard drives use only one hash and cipher, so attacking those is faster.

Testing TCHead: Create a TrueCrypt volume using the default hash and cipher (RIPEMD-160 and AES), set the password to “secret”, then run TCHead against it like this; it will decrypt the header (provided that the word “secret” is in the word list):
Command : TCHead -f -P words.txt

Decrypt hidden volumes:
Command : TCHead -f -P words.txt --hidden

Multiple passwords (brute-force): Create or download a list of words in a text file (one word per line) using words that you think are likely to decrypt the header, then run TCHead against it like this. If the correct password is found, the header will be decrypted:
Command : TCHead -f -P words.txt


Infected Skype users are spamming their contact lists with messages in both English and German, such as:

“lol is this your new profile pic? h__p://{BLOCKED}5q1sx?img=username”


“hey, hard to believe what nice photos of you are on your profile h__p://{BLOCKED}5q1sx?img=username”

The URL sent in the message redirects the user to download an archive named “” containing an executable file of the same name.

Rik Ferguson, director of security research and communication at Trend Micro, in a blog post explained:

“The executable installs a variant of the Dorkbot worm, detected as WORM_DORKBOT.IF or WORM_DORKBOT.DN respectively. On installation, this worm may initiate large scale click-fraud activity on each compromised machine, recruiting it into a botnet.

These Dorkbot variants will also steal user name and password credentials for a vast array of websites including Facebook, Twitter, Google, PayPal, NetFlix and many others. They can interfere in DNS resolution, insert iFrames into web pages, perform three different kinds of DDoS attack, act as a Proxy server and download and install further malware at the botmaster’s initiation.”

The malware is fully featured: its large set of capabilities makes the malicious code very versatile. It can spy on victims and turn their machines into offensive agents for DDoS attacks. The agent is genuinely dangerous: it enrolls infected machines in a botnet, and it can also install ransomware that locks the user out and demands $200 within 48 hours to avoid the destruction of their files.

The malware opens a backdoor that gives the attacker remote control of the machine, communicating with a remote server over HTTP. According to a Sophos post, on execution the malware copies itself to %PROFILE%\Application Data\Jqfsfb.exe and sets the following autostart entry:

entry_location = “HKCU\Software\Microsoft\Windows\CurrentVersion\Run”
entry = “Jqfsfb”
description = “Skype ”
publisher = “Skype Technologies S.A.”
image = “c:\documents and settings\support\application data\jqfsfb.exe”
launch_string = “C:\Documents and Settings\support\Application Data\Jqfsfb.exe”
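The autostart entry above is a useful hunting pattern: a Run value that claims a well-known publisher but launches a randomly named executable from a user-writable profile directory. The script below is an added example, not code from the original post or from Sophos; it runs simple heuristics over constructed sample entries laid out in the same field format the post quotes. The vendor list, trusted roots and the consonant-only name check are this example's own assumptions and should be tuned for a real environment.

```python
import re

# Constructed sample data: the first entry mirrors the Dorkbot persistence
# quoted above, the other two are illustrative benign entries (assumed paths).
SAMPLE_ENTRIES = [
    {
        "entry_location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
        "entry": "Jqfsfb",
        "description": "Skype ",
        "publisher": "Skype Technologies S.A.",
        "image": r"c:\documents and settings\support\application data\jqfsfb.exe",
    },
    {
        "entry_location": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
        "entry": "Skype",
        "description": "Skype",
        "publisher": "Skype Technologies S.A.",
        "image": r"c:\program files\skype\phone\skype.exe",
    },
    {
        "entry_location": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
        "entry": "ctfmon",
        "description": "CTF Loader",
        "publisher": "Microsoft Corporation",
        "image": r"c:\windows\system32\ctfmon.exe",
    },
]

# Heuristic inputs (assumptions of this example, not from the post).
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\temp\\")
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows")
KNOWN_VENDORS = ("skype", "microsoft", "adobe", "google")
# Five or more letters with no vowel at all, e.g. "Jqfsfb".
CONSONANT_ONLY = re.compile(r"^[b-df-hj-np-tv-z]{5,}$", re.IGNORECASE)


def suspicious_reasons(entry):
    """Return the list of reasons an autostart entry looks like Dorkbot-style persistence."""
    reasons = []
    image = entry["image"].lower()
    basename = image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    publisher = entry["publisher"].lower()
    desc_tokens = [t for t in re.split(r"\W+", entry["description"].lower()) if t]

    if any(d in image for d in USER_WRITABLE):
        reasons.append("image lives in a user-writable profile directory")
    if any(v in publisher for v in KNOWN_VENDORS) and not image.startswith(TRUSTED_ROOTS):
        reasons.append("claims a well-known publisher but runs outside Program Files/Windows")
    if CONSONANT_ONLY.match(entry["entry"]):
        reasons.append("value name looks randomly generated")
    if desc_tokens and not any(t in basename for t in desc_tokens):
        reasons.append("description does not match the executable name")
    return reasons


def scan(entries):
    """Map each suspicious value name to its reasons; clean entries are omitted."""
    findings = {}
    for entry in entries:
        reasons = suspicious_reasons(entry)
        if reasons:
            findings[entry["entry"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_ENTRIES).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On a live host the entries would come from the Run keys under HKCU and HKLM (or from an autoruns export) rather than from the constructed list; the scoring stays the same.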

Dorkbot malware is not new: last year several variants were detected spreading via common social network platforms such as Facebook, via USB sticks and via various instant messaging protocols.

Skype is an excellent vector for spreading malware because of its wide diffusion, especially in workplaces; machines in that kind of environment are privileged targets because they can be used for cyber espionage and recruited into botnets outside working hours.

Windows 8 is the first operating system from Microsoft to support alternative non-biometric authentication mechanisms such as Picture Password and PIN. A password security vendor, Passcape, discovered a vulnerability in Microsoft’s Windows 8: the operating system saves the logon password in plain text and allows any user with admin rights to see the password details.

In September, though, some drawbacks of the new authentication method were reported by Passcape Software. The picture password had seemed invulnerable, because whoever tries to guess it must know how and what parts of the image to choose, and in addition, the gesture sequence. However, security experts from Passcape discovered that such a unique password is based on a regular account.
A user should first create a regular password-based account and then optionally switch to the picture password or PIN authentication. Notably, the original plain-text password to the account is still stored in the system encrypted with the AES algorithm, in a Vault storage at %SYSTEM_DIR%/config/systemprofile/AppData/Local/Microsoft/Vault/4BF4C442-9B8A-41A0-B380-DD4A704DDB28.
“Briefly, Vault can be described as a protected storage for user’s private data. Windows Vault emerged with the release of Windows 7 and could store various network passwords. In Windows 8, Vault has extended its functionality; it has become a more universal storage but at the same time lost its compatibility with the previous versions. Thus, the ‘old’ Vault implements a custom password protection. While in Windows 8, it seems, this feature is frozen and it uses DPAPI-based protection only. Windows Vault is used by other applications as well. For example, Internet Explorer 10 uses it to store passwords to websites,” the researchers explained.
Any local user with Admin privileges can decrypt the text passwords of all users whose accounts were set to a PIN or picture password. In this regard, the picture/PIN login cannot be considered the sole reliable means of ensuring data security against cracking.
Experts warned that users should not only rely on the security of the picture password. It is difficult to break, they agreed, but it is necessary to take additional measures to protect the original text password.

Skype faced a wave of spam spreading a dangerous Trojan called Worm.NgrBot (a variant of Dorkbot). Leading antivirus vendors Kaspersky Lab and Doctor Web confirmed the existence of the threat.

On Friday, many Skype users started receiving a malicious link, created with the help of a service, from their authorized contacts such as close friends and relatives.

Infection occurs after clicking on the link, which usually reads: “Lol, is this your new profile pic?” Following the link downloads a ZIP archive containing a malicious executable file. The virus then immediately adds the infected computer to a botnet, which can later use the machine to run DDoS attacks.

Reports say most users also receive so-called ransomware that locks the computer completely.

In addition Dorkbot steals passwords from file-sharing services, email accounts, and social networks. It can block access to antivirus and other computer security websites.


Skype – Advanced settings

It is important to stop the spread of this dangerous virus. To do this, turn off other programs’ access to Skype; the setting can be found at the bottom of the Skype Advanced Settings menu.


In addition to sending messages via Skype, Worm.NgrBot may spread through the messages in Facebook and Twitter.

There is no confirmed information on the scale of infection, but by its characteristics Dorkbot could become a real epidemic. It is believed that the outbreak started in the CIS countries of Eastern Europe.

Experts warn users not to click any suspicious links, even if they come from well-known people. It is best not to use short links at all.

It is recommended to immediately update your antivirus database and run a complete system scan.


This week, the ad industry blasted Microsoft’s use of a privacy feature called “Do Not Track” in Internet Explorer 10, threatening to override it entirely to barrage your browser with targeted ads. But you know what? It doesn’t matter. A little-known privacy feature in Internet Explorer means that Microsoft, and Web users, have already won this battle.

Ryan Gavin, Microsoft’s senior director of Internet Explorer, reminded ReadWriteWeb that both IE9 and IE10 contain a privacy feature called “Tracking Protection,” which prevents user information from being passed to a website. While Do Not Track is a more gentlemanly request for anonymity, Tracking Protection simply shuts your browser’s mouth, as it were, and refuses to say almost anything.

Microsoft has said previously that IE10, which will make its first appearance in Windows 8, will ship with Do Not Track on by default – in other words, your browsing activity won’t be tracked by advertisers right out of the box. That has left advertisers fuming, since user information is exactly what the advertiser needs to provide high-value, targeted ads. Those targeted ads typically cost more, generate higher revenue and provide a more useful advertising experience than a generic ad designed for the Internet at large, advertisers say.

On Monday, the Association of National Advertisers sent Microsoft chief executive Steve Ballmer a letter claiming that the ANA believes “that if Microsoft moves forward with this default setting, it will undercut the effectiveness of our members’ advertising and, as a result, drastically damage the online experience by reducing the Internet content and offerings that such advertising supports”.

In other words, according to the ANA’s executive vice president of government relations, Dan Jaffe, less ad revenue means the Web’s “free,” ad-subsidized services may go away, replaced by paid subscriptions or other methods. “And if you get less revenue for websites, it threatens to have less information that’s available to consumers for free,” Jaffe said in an interview. “And [site operators] start to put up paywalls, and some of these paywalls as you read in the press have not always turned out well for consumers.”

The ANA has its own voluntary advertising opt-out service at, which automatically scans your machine for cookies and other trackers, then gives you the option to opt out. Still, that works only for a given browser and computer (since opting out is stored in a cookie) and only for the “participating” companies. The ANA advises that you periodically revisit the site and opt out again and again.

What Is Do Not Track?

The Do Not Track movement surfaced in 2007, when the FTC was petitioned to create a list of websites that would not be permitted to collect information from a user’s Web browser, somewhat similar to the “Do Not Call” list used by home phones. Mozilla developers added a custom plug-in to the browser that enabled DNT about a year later. Then, in 2009, Firefox began implementing it, even on mobile devices. Google’s Chrome will add DNT support by the end of the year, a company spokesman confirmed, and IE, of course, will enable it in IE10. Opera already includes DNT support.

DNT is an HTTP header that “asks” Web sites to not collect user data. But compliance is voluntary, and far from widespread. So far, only 1 of 211 top Web sites surveyed adheres to DNT principles.

Microsoft’s perspective is that customers should get what they pay for, and that includes privacy. “Competing on privacy is a good thing,” Gavin said. “Consumers win when you have a point of view, as we do, that someone paid us money for Windows. Part of that is Internet Explorer, and – it’s called Windows Internet Explorer, incidentally – and giving them choice and control over privacy is a good thing, and we have incentive to support and respect our paying customers.”

Microsoft’s moves haven’t been well-received by some. Apache, which powers a substantial number of the world’s Web servers, has already said that it won’t honor IE10 Do Not Track requests, precisely because turning it on violates consumer choice, in Apache’s view. Or, as Jaffe puts it: “What Microsoft is doing is claiming it’s preserving consumer choice, but what it’s doing is imposing its choice on consumers.”

Tracking Protection

To enable Tracking Protection in IE9, go to the Settings>Safety>Tracking Protection menu, then enable your personalized list via the “enable” button in the bottom right-hand corner. You can also set up the list by telling IE how many times you wish an ad to be displayed before it gets axed. (CNET has a video tutorial if you want more.)

That enables what Microsoft’s rivals call a “draconian” measure, blocking the website or tracker from getting any information about you. But Microsoft’s response is that if the sites themselves aren’t honoring DNT requests, then it has a right to enforce the consumer’s will.

“Our job is to really just to say we’re going to keep consumers safe and protected online,” Gavin said. “Do Not Track doesn’t actually do much, unless… someone’s honoring that signal. I don’t have a crystal ball for when that may or may not happen, and when there would be conformance or not.

“But we have a thing called Tracking Protection in IE10. Tracking protection is something we enabled with IE9, and instead of, where DNT sends a signal to a website saying, ‘Mark does not wish to be tracked,’ Tracking Protection actually stops tracking from happening at the browser,” Gavin added. “We can actually go through and subscribe to what’s called the TPL or Tracking Protection List, that can be curated by any number of groups, or individuals – you can even have one that’s built dynamically, based on sites you’re going to, and we actually don’t send signals. So when you’re in that list, we say, ‘Ah! So-and-so’s ad network is looking to add a single pixel tracker,’ so we can actually stop that. We can stop the tracking from happening.”

You won’t find Tracking Protection, or its equivalent, in any of the other browsers. But ad-blocking plugins exist for Firefox and Chrome, which simply prevent the ads from being shown in the first place. The ANA is right that blocking ads prevents websites – including this one – from displaying the ads that generate the revenue needed to keep the site up and running. On the other hand, if it’s true that major websites are ignoring consumer requests not to track them, it’s hard to argue with Microsoft’s logic.
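The difference Gavin describes is between a signal (the DNT request header, which the site may ignore) and enforcement at the browser (a Tracking Protection List that stops the request to the tracker from being made). The script below is an added example, not code from the article, Microsoft or any published TPL; it parses a constructed list in the subset of TPL syntax assumed here (a leading msFilterList line, `: Expires=N`, `#` comments, `-d`/`+d` domain rules and `-`/`+` URL-substring rules, allow rules overriding block rules, and rules applied only to third-party content) and decides whether a given resource request would be stopped.

```python
from urllib.parse import urlparse

# Constructed sample list (not a real published TPL). Syntax and semantics
# below are this example's assumptions about the TPL format.
SAMPLE_TPL = """msFilterList
: Expires=7
# block two tracking domains, but allow one static subdomain
-d tracker.example
-d ads.example
+d static.ads.example
# block any third-party URL containing /pixel.gif unless it is self-tagged
- /pixel.gif
+ /pixel.gif?self=
"""


def parse_tpl(text):
    """Parse TPL text into block/allow domain and substring rules."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "msFilterList":
        raise ValueError("not a TPL: missing msFilterList header")
    rules = {"block_domains": [], "allow_domains": [],
             "block_substrings": [], "allow_substrings": []}
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line[0] in "#:":      # comment or directive such as Expires
            continue
        if line.startswith("-d "):
            rules["block_domains"].append(line[3:].strip().lower())
        elif line.startswith("+d "):
            rules["allow_domains"].append(line[3:].strip().lower())
        elif line.startswith("- "):
            rules["block_substrings"].append(line[2:].strip())
        elif line.startswith("+ "):
            rules["allow_substrings"].append(line[2:].strip())
        else:
            raise ValueError("unrecognised TPL line: %r" % raw)
    return rules


def domain_matches(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def is_blocked(page_url, resource_url, rules):
    """Decide whether the browser would refuse to fetch resource_url from page_url.

    Unlike a DNT header, a block here means the tracker never receives the request.
    """
    page_host = (urlparse(page_url).hostname or "").lower()
    res_host = (urlparse(resource_url).hostname or "").lower()
    if domain_matches(res_host, page_host):     # first-party content is never filtered
        return False
    if any(domain_matches(res_host, d) for d in rules["allow_domains"]):
        return False
    if any(s in resource_url for s in rules["allow_substrings"]):
        return False
    if any(domain_matches(res_host, d) for d in rules["block_domains"]):
        return True
    return any(s in resource_url for s in rules["block_substrings"])


if __name__ == "__main__":
    rules = parse_tpl(SAMPLE_TPL)
    page = "https://news.example/story"
    for url in ("https://tracker.example/collect?id=1",
                "https://cdn.ads.example/lib.js",
                "https://static.ads.example/lib.js",
                "https://other.example/pixel.gif",
                "https://img.news.example/pixel.gif"):
        print("BLOCK" if is_blocked(page, url, rules) else "allow", url)
```

The allow-before-block ordering is what lets a list author carve exceptions out of a broad domain block, and the first-party check mirrors the article's point that Tracking Protection targets content served by domains other than the one in the address bar.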

Source : article by 

Block NMAP Scan using iptables

Posted: October 6, 2012 in Analysis
#!/bin/bash
# To run this file, first give it execute permission (+x) and then execute it:
# --# chmod +x
# --# ./

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush all rules
/sbin/iptables -F
/sbin/iptables -t nat -F

# Accept traffic belonging to known connections, drop packets with an invalid state
/sbin/iptables -t filter -A INPUT -p TCP -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A INPUT -p UDP -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A INPUT -p ICMP -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A INPUT -m state --state INVALID -j DROP

# Log and drop TCP packets whose flag combinations only appear in scans.
# --tcp-flags MASK COMP matches when the flags in MASK are exactly COMP.
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "FIN: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ACK,FIN FIN -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "PSH: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ACK,PSH PSH -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix "URG: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ACK,URG URG -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "XMAS scan: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL ALL -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NULL scan: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL NONE -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "pscan: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "pscan 2: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "pscan 2: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix "SYNFIN-SCAN: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL SYN,FIN -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL URG,PSH,FIN -j LOG --log-prefix "NMAP-XMAS-SCAN: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL FIN -j LOG --log-prefix "FIN-SCAN: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL FIN -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j LOG --log-prefix "NMAP-ID: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP

# SYN+RST is logged only; no DROP rule follows it
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "SYN-RST: "

reference :
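Because iptables evaluates INPUT rules in order and `--tcp-flags MASK COMP` matches whenever the flags selected by MASK equal COMP, the first rule of the script (`ACK,FIN FIN`) already matches every packet that has FIN set and ACK clear. That includes the nmap Xmas probe (FIN,PSH,URG), a bare FIN and a SYN+FIN packet, so the later SYNFIN-SCAN, NMAP-XMAS-SCAN, FIN-SCAN and NMAP-ID rules can never fire and their log prefixes will never appear in the logs. The model below is an added example, not part of the original post; it encodes the script's flag rules in order, reports which rule a given flag combination hits, and enumerates all 64 flag combinations to find the rules that are shadowed. It also records that the final SYN-RST rule only logs.

```python
import itertools

# The six flags iptables' ALL keyword covers (ECE/CWR are not part of ALL).
FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")
ALL = frozenset(FLAGS)


def fl(*names):
    return frozenset(names)


# (mask, comparison, log prefix, dropped) in the order the script appends them.
# Transcribed from the script above; the final rule has LOG but no DROP.
RULES = [
    (fl("ACK", "FIN"), fl("FIN"), "FIN: ", True),
    (fl("ACK", "PSH"), fl("PSH"), "PSH: ", True),
    (fl("ACK", "URG"), fl("URG"), "URG: ", True),
    (ALL, ALL, "XMAS scan: ", True),
    (ALL, fl(), "NULL scan: ", True),
    (ALL, fl("SYN", "RST", "ACK", "FIN", "URG"), "pscan: ", True),
    (fl("SYN", "FIN"), fl("SYN", "FIN"), "pscan 2: ", True),
    (fl("FIN", "RST"), fl("FIN", "RST"), "pscan 2: ", True),
    (ALL, fl("SYN", "FIN"), "SYNFIN-SCAN: ", True),
    (ALL, fl("URG", "PSH", "FIN"), "NMAP-XMAS-SCAN: ", True),
    (ALL, fl("FIN"), "FIN-SCAN: ", True),
    (ALL, fl("URG", "PSH", "SYN", "FIN"), "NMAP-ID: ", True),
    (fl("SYN", "RST"), fl("SYN", "RST"), "SYN-RST: ", False),
]


def matches(rule, flags):
    """iptables --tcp-flags semantics: the flags under MASK must equal COMP."""
    mask, comp, _, _ = rule
    return (flags & mask) == comp


def first_match(flags):
    """Index of the first rule a packet with these flags hits, or None."""
    flags = frozenset(flags)
    for i, rule in enumerate(RULES):
        if matches(rule, flags):
            return i
    return None


def verdict(flags):
    """(log prefix, dropped) for the first matching rule; (None, False) if none."""
    i = first_match(flags)
    if i is None:
        return (None, False)
    return (RULES[i][2], RULES[i][3])


def shadowed_rules():
    """Log prefixes of rules that no flag combination can reach because an
    earlier rule always matches first."""
    combos = [frozenset(c) for n in range(len(FLAGS) + 1)
              for c in itertools.combinations(FLAGS, n)]
    dead = []
    for i, rule in enumerate(RULES):
        hits = [c for c in combos if matches(rule, c)]
        if all(first_match(c) != i for c in hits):
            dead.append(rule[2])
    return dead


if __name__ == "__main__":
    for probe in (("FIN", "PSH", "URG"), (), FLAGS, ("SYN",), ("SYN", "RST")):
        print(sorted(probe) or "<none>", "->", verdict(probe))
    print("shadowed:", shadowed_rules())
```

A plain SYN, and a SYN+ACK belonging to a legitimate handshake, match none of the rules, which is what you want; a defender tuning this script would reorder the specific rules ahead of the broad `ACK,FIN FIN` rule (or drop the redundant ones) so the log prefixes actually identify the scan type.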

Cisco just recently introduced an updated version of its security management tool CSM.  The new release brings with it some nice new features and functionality to the tool.  If you haven’t heard of Cisco Security Manager (CSM) before, in a nutshell it is Cisco’s consolidated GUI for management, monitoring, reporting and troubleshooting of its VPN, Firewall and IPS product lines. Cisco Security Manager, with version 4.3, now includes a suite of automated capabilities including health and performance monitoring, software image updates, auto-conflict resolution, and ticketing integration.

Cisco Security Manager manages the Cisco security environment, including Cisco ASA 5500 Series Adaptive Security Appliances, Cisco IPS 4200/4300 Series Sensor Appliances, the Cisco AnyConnect Secure Mobility Client, and Cisco Secure Routers.

Features now supported in CSM 4.3:

1.    Proactive health and performance monitoring: The latest release of Cisco Security Manager, 4.3, adds the capability to provide insight into the health and performance of your network and devices. CPU metrics, memory utilization, firewall traffic patterns, VPN tunneling issues and network performance problems can be monitored, and alerts can be set to make sure these exceptions are caught and resolved in a timely manner. Due to resource constraints, companies might not have dedicated manpower to monitor these cases, but CSM allows you to pre-define such alerts and send them to the concerned parties when these thresholds are crossed. This greatly reduces operational downtime, lowers the time to resolution and eventually reduces costs by proactively monitoring security threats.

2.    ASA software image upgrades: Today enterprises have 100s of firewalls deployed in their network environments and it is practically impossible to update each device individually. Cisco Security Manager 4.3 helps to deploy commonalities between the various firewall configurations and push updates, security policies and rules across the entire environment. You can create specific bundles catering to specific scenarios; for example, the basic ASA OS image can be bundled with an AnyConnect image and efficiently deployed across the network. This reduces the time needed to deploy upgrades, minimizes the scope for potential errors, adds consistency during the upgrades and highly improves scalability.

3.    Northbound API access: Cisco Security Manager holds a lot of valuable information about the network and security deployment. It has data on device configurations, security policies, deployment rules and administrator changes made to the security environment. The latest release provides APIs that partners such as Algosec, Tufin and Skybox can use to optimize policy/object definitions, perform advanced security analysis and also test whether these changes are in sync with corporate compliance policies.

4.    Ticketing management: Cisco Security Manager 4.3 provides a feature to integrate with the ticketing software within your organization. If an administrator changes environment configurations or policies as part of a resolution, it can become cumbersome to trace the modifications back. The ticketing integration gives insight into such modifications and simplifies the audit process.

5.    Granular role-based access control: Releases before Cisco Security Manager 4.3 integrated with ACS 4.2 for granular role-based access control, to check which firewalls could be accessed by whom and whether they were authorized to do so. The new release provides this capability natively, so there is no need to integrate with external tools such as ACS. This provides a simpler and faster way to deploy granular policies across the network.

6.    Auto-conflict detection:  When new rules are introduced into the environment, Cisco Security Manager performs an analysis to make sure that these new rules do not conflict with the existing set of defined rules. This improves compliance and also minimizes potential errors due to rule conflicts and mismatch. Also a hit count analysis can be run to check which rules are being executed most frequently. This is a powerful tool to keep a check on the proliferation of rules and efficiently manage the rule table, thereby reducing complexities and rule management overheads.


7.    Event Management and Logging: Integrated event management helps the administrators to view real-time and historical events, and provide rapid navigation from events to defined source policies. In addition to this, logs from various devices – ASAs, IPS – can directly be sent to the Cisco security management tool where one can perform analysis and troubleshooting. These usability enhancements with aggregated event logging in various formats such as CSV, PDF and troubleshooting allow you to access detailed and relevant information with ease and flexibility.


Also relatively new with CSM is the appliance based offering.  So along with the traditional Software form factor, CSM now is available in a UCS hardware Bundle.

Cisco Security Manager UCS Bundles Include:

  • Cisco Security Manager software
  • Cisco UCS C210 M2 General-Purpose Rack-Mount Server
  • Windows Server 2008 Enterprise R2 Operating System

The nice thing is that all components are pre-tested and pre-loaded to ensure compatibility, eliminating guesswork and speeding time to deployment.


For more information go to