The Metasploit Project creator, HD Moore, and one of the developers, Egypt, now got a full time job working on and developing the Metasploit Project. HD in the position of Chief Architect of Metasploit and Egypt as a core developer of Metasploit at Rapid7.

If you read this blog often you probably noticed that I’m a big supporter of the Metasploit Project. I use it on a daily basis, preforming penetration tests and exploit development while at work or at home for fun. As you may guess, my feelings about the acquisition are mixed. On one side this is a good thing, this is a big step for the Metasploit Project. Now it’ll grow and develop faster and rapidly and us, the users, will get a better, faster, more advanced and less buggy program, and I believe we’ll start seeing faster release cycles. But on the other side, now the Metasploit Project which was a free, open source, community driven project, is managed by a commercial company. I think the worst case scenario will be if Rapid7 decide to make Metasploit a commercial product, which will be a sad thing. This won’t be the first time it’ll happen to a good security product. The best example here is the Nessus vulnerability scanner which was acquired by Tenable Network Security back in 2005.

I hope the fate of the Metasploit Project won’t be the same as Nessus. HD Moore stated on the Metasploit blog that the project will remain free and open source. So, if that’s the case and long as the Metasploit Project will stay that way I think the users should be happy about it. I will continue to support the Metasploit Project and develop exploits and other modules for it and contribute in every way I can.
I guess all there’s left to say is congratulations to HD Moore and Egypt for the acquisition, keep on rocking.

References:
>> Metasploit Rising – HD Moore write about the acquisition on the Metasploit blog.
>> Rapid7 Acquires Metasploit – The Metasploit acquisition by Rapid7 CEO.
>> Rapid7 Acquisition FAQ – Questions and answers about the acquisition.
>> Metasploit + Rapid7 shakes up pen-test landscape – Ryan Naraine write about the penetration testing market changes followed by the acquisition.

• SSL & Trasport Layer Security Protocol by cp77fk4r
• Manual Unpacking by Zerith
• Virus Loading Techniques by cp77fk4r
• RFID Hacking by cp77fk4r
• Port Knocking by cp77fk4r
• Kerberos v5 Protocol by cp77fk4r
• DNS Cache Poisoning by cp77fk4r

You can download it here – Digital Whisper issue #2.

Have a great reading.

As stated on Bezeq Int SafeNet page (and details), this service cost 13.90 NIS a month and should be some kind of content filtering system, providing users protection from Malware (viruses, worms, trojan horses, spyware), HTML exploits, malicious Activ-X and JAVA code, Fishing web sites and more (note I deliberately misspelled the definitions, that’s how it’s wrote on the SafeNet service specification page).

Well, after running a series of tests I can surly say Bezeq Int SafeNet service provide non of these protections what so ever. In fact, it doesn’t provide any sort of active protection. The only protection SafeNet service provides is blocking supposedly malicious web sites using an out-of-date domain names blacklist.

For example, trying to access Packet Storm Security web site will result in a redirection to a Bezeq Int domain, displaying this SafeNet message:

Click to enlarge.

The SafeNet service blacklist doesn’t include milw0rm and other hacking related web sites. I even ran test against active Malware serving pages, Phishing web sites and rouge Anti-Virus sites, non of which have been blocked by Bezeq Int SafeNet service.

Furthermore, the SafeNet service domain blacklist function can be bypassed rather easily. It is possible to access blacklisted domains using their IP addresses:

Click to enlarge.

In conclusion, Bezeq Int SafeNat service provide users no affective protection against any kind of threat and Bezeq Int doesn’t provide their customers any of the promised functions stated on the SafeNet service specification.
In my opinion, Bezeq Int SafeNet service is a total rip-off and if you are registered to it I recommend you’d cancel the service immediately.

• Windows Privilege Escalation by cp77fk4r
• Manual Packing by HLL
• Introduction to Artificial Intelligence by UnderWarrior
• Lock Picking by cp77fk4r
• WEP Encryption by Hertzel Levi
• Introduction to Recursion in C by UnderWarrior
• HTTP Attacks – Response Splitting by cp77fk4r

If anyone is willing to contribute, submit an article or give a feedback, contact Digital Whisper crew here – editor[AT]digitalwhisper.co.il

The convention will be held on 24/05/2009 at the American Zionist House in Tel Aviv and will include:

• Hacking lectures.
• Information security lectures.
• Hacking Wargames.
• Book Crossing.
• Pizzas!

Go sign up! For further information check out IL.Hack 2009 web site (Hebrew), or the IL.Hack 2009 English information page.
You can also approve attendance at the convention Facebook event.

Note that more sponsors are needed, so if some of the readers can arrange something, please contact Yaniv Miron – info@ilhack.org.

Hope to see you there :-)

Basically, the argument states:

• Security vulnerabilities have high value and finding them is hard work and cost a lot of money. And there’s a market out there for them.
• Vendors relays on security researchers to choose the “responsible disclosure” way and report bugs they find (for free).
• Reporting security vulnerabilities is a risky business, legally and professionally.
• Reporting security vulnerabilities without any legal agreements pretty much sucks.
• Reporting security vulnerabilities for free – sucks too.

In my opinion, vendors should have a pre-made agreement, written by the company CSO/security manager, backed up by the company CEO and the company lawyer, for vulnerability disclosure and rewarding methods. Price can be calculated by the vulnerability severity and probability level (CVSS style) and the technical details and further work the security researcher provide. For example, the researcher wrote a PoC exploit code – low value. Researcher wrote a reliable universal exploit code – high value.
This way, security researchers will have more than enough reason to disclose vulnerabilities to vendors and get reward for it as it should be, instead of choosing other way (and in my opinion, the wrong way) to gain profit, either money or just fame.

The opinions about the “no more free bugs” argument around the world are mixed. Ross Thomas of SophosLabs thinks the security industry sunk in to a new level of lameness. Adam O’Donnell say there’s nothing to be excited about and there were never such a thing as free bugs.

I think there is nothing new under the sun. Vendors won’t rush to make vulnerability disclosure rewarding agreements just because three top security researchers state the party is over and no bugs will be given away for free any more. Security researchers and bug hunters are still stuck with the dilemma of the actions to take after finding a bug – responsible disclosure, full disclosure, selling it to whoever are willing to pay or doing nothing with it.

Phrack Magazine #64

“As long as there is technology, there will be hackers. As long as there
are hackers, there will be PHRACK magazine. We look forward to the next
20 years”

That’s how Phrack #63 Introduction ended. Phrack magazine is revived with a new staff calling them selfs “The Circle of Lost Hackers”. Phrack is (was?) the best online hacking magazine in the world and a lot of people say that it can never be revived. The new issue, although it doesn’t have the regular amount of technical articles in it, seems like a good start. But to determine rather Phrack will continue to be the best, true underground hacking magazine or not, only time will say…

• Phrack Magazine
• Phrack #64

Uniformed vol.7
Three great articles on the latest vol of Uniformed:
Reducing the Effective Entropy of GS Cookies, and a Memalyze – Dynamic Analysis of Memory Access Behavior in Software by skape.
The last article by |)roid is about Mnemonic Password Formulas witch discuss easy and advanced ways for creating mnemonic passwords and its weaknesses.
If you never heard of mnemonic passwords, I strongly suggest you read the following research – Human selection of mnemonic phrase-based passwords (pdf).

• Uniformed
• Uniformed vol.7

the Month of ActiveX Bugs
May was announced to be the Month of ActiveX Bugs (MoAxB). You won’t find a lot of interesting vulnerabilities there.. most of them was found in 3rd party application.
Last year H D Moore presented some fuzzing techniques that disclosed more then 100 bugs in Windows XP default ActiveX controls. Of course not all of the bugs are exploitable but the point is that finding ActiveX bugs it’s not that big of a deal.
H D Moore also started the Month of [somthing] Bugs with the Month of Browser Bugs (MoBB) back on June 2006. Followed by the Month of Kernel Bugs (MoKB) on November and the Month of Apple Bugs (MoAB) on January this year, both by LMH.
Later on, on March, Stefan Esser who retired from the PHP Security Response Team because of slow response time to security holes (one of many reasons. Read more at Stefan’s blog), announced the Month of PHP Bugs (MoPB), in which he disclosed a lot of serious security issues in PHP core along with some bonus bugs in Mod Security and the Zend Platform.
On April, two weird dudes – Mondo Armando and M?¼staschio announced the Month of Myspace Bugs, Yuss! (MoMBY) which mostly included XSS vulnerabilities, different HTML Injections bugs and more, nothing fancy.
This month is the Month of Search Engine Bugs (MOSEB) which we’ll sum up at the end of the month.

Google Security Blog
Google launches a new, homemade security blog. Nothing much to see there for now except a paper regarding the dangerous in virtualizations. Very interesting subject, not so interesting paper (read with 90% caffeine in blood).

• Google Online Security Blog
• On virtualization paper (pdf)

BSD Rootkits
Joseph Kong published his first book Designing BSD Rootkits. I ordered a copy and I can’t wait to read it.
I think it’s about time someone publish this kind of book, this subject suffers from a serious lack of resources on the web.
Some of you might know Joseph from his article on Phrack #63 Games With Kernel Memory – FreeBSD Style.
Anyway, I’ll review the book when I finish reading it.

That’s it for now, have a great month!

• On the security of e-passports
• Review: GFI LANguard Network Security Scanner 8
• Critical steps to secure your virtualized environment
• Interview with Howard Schmidt, President and CEO R & H Security Consulting
• Quantitative look at penetration testing
• Integrating ISO 17799 into your Software Development Lifecycle
• Public Key Infrastructure (PKI): dead or alive?
• Interview with Christen Krogh, Opera Software’s Vice President of Engineering
• Super ninja privacy techniques for web application developers
• Security economics
• iptables – an introduction to a robust firewall
• Black Hat Briefings & Training Europe 2007
• Enforcing the network security policy with digital certificates

Very interesting stuff! Download (IN)SECURE issue 11.

Also, you might want to check out this interview of Jeremiah Grossman about Web Application Security: