Day by day…

I am not a lawyer, not an internet privacy guru and not a university expert in history of conspiracy, but one thing is obvious for me when I read new policy of Google – they found nice and simple way to answer all darkest, scariest and going-further concerns by just saying “Yes, we can! And what You wanna do about it?”.

If You read classic novells, have a look at The Visit by Friedrich Dürrenmatt.

For details, look at Google

After Mempodipper was discovered by zx2c4 and PoC was available, it became mandatory to patch the kernel.
For Fedora – make sure You have kernel-2.6.41.10-3.fc15 for F15 or kernel-3.2.1-3.fc16 on F16
For Ubuntu – see here and here for details, run update

p.s. in case You interested, how it works, look for CVE on Youtube

p.p.s. have a smooth weekend, make sure You not pwned Monday morning!

Last meeting – used parts of Chris Nickerson model to visualise the security situation for client. Working indeed. Just make sure You not overwhelm the pressure – it’s Your responsibility that client stay alive and well.

List of Incedent response disks You may use in case of virus outbreak in Your office. Download, burn and boot.

Kaspersky Rescue Disk 10

F-Secure Rescue CD

DrWeb live CD

TrendMicro Rescue CD

Avira AntiVir Rescue System

AVG rescue CD

Bitdefender Rescue CD

VBA32 Rescue

Pctools Alternate Operating System Scanner – malware, but useful.

Links checked, only free tools, no key required. Ranged by effectiveness

Have a look on 0×4553 Intercepter

BTW – not checked personally, just had a conversation with one of thankful users

Simple task, actually, but to save time surfing the web for next time:
Make sure boot partition is not encrypted, and can be mounted.
I got Ubuntu server 9.10 with data on it.
Lets move on:
1. connect disk to other system (in my case – Fedora)
2. mount if not automated.
3. became root on Your system [me]$ su -
4. change directory to mounted partition [me]#  cd /media/s0m3-crap/
5. backup shadow file [me]# cp etc/shadow etc/shadow.back
6. check user in shadow file [me]# cat etc/shadow
string You looking looks like this:
username:$6$EgsOcNRlkNCp$ufeKgMH1KfdvCQelJQZMMOUP0afdi8gpBOsk3/gSEOAzBe6LpNS6X6vPuuHyaQPsw0kePY9Eu6vVPGtmLqUnH.:15170:0:99999:7:::
7. check encryption algorithm that used: [me]# cat etc/login.defs
look for string ENCRYPT_METHOD SHA512
Here we have SHA512
Nice
8. Generate new password, lets say “access”, salt the same?
there are many ways, but crossplatform, IMHO, is the best. So – python:
[me]$ python -c “import crypt, getpass, pwd; print crypt.crypt(‘access’, ‘\$6\$EgsOcNRlkNCp\$’)”
and get the result
$6$EgsOcNRlkNCp$PDSU/duOjb2rK8qHaGU6E8AfY/ELlQwYlvwLJorW/Tfwpv8J3FQWxmYIbVAYKvGHhhXc.uTZi8tgG92MALVlA.
9. Now – let’s edit shadow file:
[me]# nano etc/shadow
find string with username we need and insert new hash instead of old one:
username:$6$EgsOcNRlkNCp$PDSU/duOjb2rK8qHaGU6E8AfY/ELlQwYlvwLJorW/Tfwpv8J3FQWxmYIbVAYKvGHhhXc.uTZi8tgG92MALVlA.:15170:0:99999:7:::
10. Save. Exit. Unmount. Boot. Check new password.
p.s. Not working? recheck the steps.

Aluc talk on 28c3

Actually, all talk is repeating summary. Important is a structure, that allow You threat pentesting as a job, not as an art of acting. Plus – correct way to communicate with client. Recommended.

Thx Aluc, btw, for link to Chris Nickerson talk last year on BruCON. Missed one.

Well, after megaupload plugged off, new participants:
filesonic.com – File sharing function disabled.
uploaded.to blocked access to US customers – message “Not Available: Our service is currently unavailable in your country. Sorry about that.”

fileserve.com – “FileServe can only be used to download and retrieve files that you have uploaded personally. Please login …”

Update: Who else?

Update2: Fileserve added

This pic appear when enter megaupload.com

By the way, pic placed at http://usdoj.s3-external-1.amazonaws.com/banner.jpg

See Google for more details )

update1: Looks like community fight back? opMegaupload etc. Why closed, BTW?

update2: Official release of FBI here - reason why closed. Online copyright. Where it was registered, interesting.. GoDaddy?

update3: Pic path changed to megaupload.com/banner.jpg .. Dotcom arrested, got access to servers?))