Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company’s prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company’s secret recipe.
Security staff have been monitoring Ann’s activity for some time, but haven’t found anything suspicious– until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann’s computer, (192.168.1.158) sent IMs over the wireless network to this computer. The rogue laptop disappeared shortly thereafter.

“We have a packet capture of the activity,” said security staff, “but we can’t figure out what’s going on. Can you help?”

You are the forensic investigator. Your mission is to figure out who Ann was IM-ing, what she sent, and recover evidence including:

1. What is the name of Ann’s IM buddy?
2. What was the first comment in the captured IM conversation?
3. What is the name of the file Ann transferred?
4. What is the magic number of the file you want to extract (first four bytes)?
5. What was the MD5sum of the file?
6. What is the secret recipe?

Here is your evidence file:
http://philosecurity.org/558/contest_01/evidence.pcap
MD5 (evidence.pcap) = d187d77e18c84f6d72f5845edca833f5
The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Scripting is always encouraged. All responses should be submitted as plain text files.
Exceptional solutions may be incorporated into the SANS Network Forensics Toolkit. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics class. All authors will receive full credit for their work.
Email submissions to contest@philosecurity.org. Deadline is 9/10/09. Good luck!! 

Đến sau cũng là 1 lợi thế :))

a) Tội phát tán vi rút, chương trình tin học có tính năng gây hại cho hoạt động của mạng máy tính, mạng viễn thông, mạng Internet, thiết bị số (Điều 224)

Xem thêm: Pen code 2009

XFA form definition

• template – object 201
• dataset – object 301

dataset - decoded data

template object definition

The JBIG2Decode filter (PDF 1.4) decodes monochrome (1 bit per pixel) image data that has been encoded using JBIG2 encoding. JBIG stands for the Joint Bi-Level Image Experts Group, a group within the International Organization for Standardization (ISO) that developed the format. JBIG2 is the second version of a standard originally released as JBIG1.

JBIG2 encoding, which provides for both lossy and lossless compression, is useful only for monochrome images, not for color images, grayscale images, or general data. The algorithms used by the encoder, and the details of the format, are not described here. A working draft of the JBIG2 specification can be found through the Web site for the JBIG and JPEG (Joint Photographic Experts Group) committees at < http://www.jpeg.org >.

Also note that JBIG2Decode and JPXDecode are not listed in Table 4.44 because those filters can be applied only to image XObjects.

Data representing JBIG2 stream (after initial FlateDecode filter)

Decoded content of the template object

• 18D1BA224B4FAA2296362F93231B6C4E7E488D8FEFC5A5408FE078AD20A55C08
• b1543cd42d03a93b143737d91540b08efffe027219136a59463f80e83222e743

TTF font hidden under JBIG2 stream

• 05f64217ebc380a9c398d72ec7743beda29bffed5694671aebca78aa6c3b5822

Source: https://blog.avast.com/2011/04/22/another-nasty-trick-in-malicious-pdf/

The IC3 is warning the public to be wary of romance scams in which scammers target individuals who search for companionship or romance online. Someone you know may be "dating" someone online who may appear to be decent and honest. However, be forewarned: the online contact could be a criminal sitting in a cyber café with a well-rehearsed script that scammers have used repeatedly and successfully. Scammers search chat rooms, dating sites, and social networking sites looking for victims. The principal group of victims is over 40 years old and divorced, widowed, elderly, or disabled, but all demographics are at risk.
Scammers use poetry, flowers, and other gifts to reel in victims, the entire time declaring their "undying love." These criminals also use stories of severe life circumstances, tragedies, deaths in the family, injuries to themselves, or other hardships to keep their victims concerned and involved in their schemes. Scammers also ask victims to send money to help overcome a financial situation they claim to be experiencing. These are all lies intended to take money from unsuspecting victims.
In another scheme, scammers ask victims to receive funds in the form of a cashier's check, money order, or wire transfer, claiming they are out of the country and unable to cash the instruments or receive the funds directly. The scammers ask victims to redirect the funds to them or to an associate to whom they purportedly owe money. In a similar scheme, scammers ask victims to reship packages instead of redirecting funds. In these examples, victims risk losing money and may incur other expenses, such as bank fees and penalties, and in some instances face prosecution.
Victims who have agreed to meet in person with an online love interest have been reported missing, or injured, or in one instance, deceased. IC3 complainants most often report the countries of Nigeria, Ghana, England, and Canada as the location of the scammers. If you are planning to meet someone in person that you have met online, the IC3 recommends using caution, especially if you plan to travel to a foreign country, and, at the very least:
      Do not travel alone.

      Read all travel advisories associated with the countries you will visit. Travel advisories are available at http://travel.state.gov/.

WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.
WinPcap consists of a driver, that extends the operating system to provide low-level network access, and a library that is used to easily access the low-level network layers. This library also contains the Windows version of the well known libpcap Unix API.

Winpcap là một thư viện mã nguồn mở cho việc bắt gói (captrure paket) và phân tích mạng, trên nền tảng (platform) win32. Winpcap hổ trợ những chức năng sau:

• Thu thập những gói dữ liệu thô, một là ngay trên chính máy đang chạy truyền dữ liệu đi và một là sự trao đôi bởi những máy khác trên môi trường chia sẻ.

• Lọc gói dữ liệu theo những luật của người dùng trước khi chúng được truyền tới ứng dụng

• Truyền những gói dữ liệu thô tới mạng

• Thu thập thông tin thống kê lưu lượng mạng

Một tập các tính năng này được được cung cấp, khi mà bạn cài đặc nó như là một trình điều khiển thiết bị (device driver), và nó được cài đặt bên trong phần hoạt động mạng của phần nhân win32 (win32 kernel) cùng với một cặp thư viện động DLL.

WireShark có một bề dầy lịch sử. Gerald Combs là người đầu tiên phát triển phần mềm này. Phiên bản đầu tiên được gọi là Ethereal được phát hành năm 1998. Tám năm sau kể từ khi phiên bản đầu tiên ra đời, Combs từ bỏ công việc hiện tại để theo đuổi một cơ hội nghề nghiệp khác. Thật không may, tại thời điểm đó, ông không thể đạt được thoả thuận với công ty đã thuê ông về việc bản quyền của thương hiệu Ethereal. Thay vào đó, Combs và phần còn lại của đội phát triển đã xây dựng một thương hiệu mới cho sản phẩm “Ethereal” vào năm 2006, dự án tên là WireShark.
- WireShark đã phát triển mạnh mẽ và đến nay, nhóm phát triển cho đến nay đã lên tới 500 cộng tác viên. Sản phẩm đã tồn tại dưới cái tên Ethereal không được phát triển thêm.
- Lợi ích Wireshark đem lại đã giúp cho nó trở nên phổ biến như hiện nay. Nó có thể đáp ứng nhu cầu của cả các nhà phân tích chuyên nghiệp và nghiệp dư và nó đưa ra nhiều tính năng để thu hút mỗi đối tượng khác nhau.

Các giao thực được hỗ trợ bởi WireShark:

WireShark vượt trội về khả năng hỗ trợ các giao thức (khoảng 850 loại), từ những loại phổ biến như TCP, IP đến những loại đặc biệt như là AppleTalk và Bit Torrent. Và cũng bởi Wireshark được phát triển trên mô hình mã nguồn mở, những giao thức mới sẽ được thêm vào. Và có thể nói rằng không có giao thức nào mà Wireshark không thể hỗ trợ.

Thân thiện với người dùng: Giao diện của Wireshark là một trong những giao diện phần mềm phân tích gói dễ dùng nhất. Wireshark là ứng dụng đồ hoạ với hệ thống menu rât rõ ràng và được bố trí dễ hiểu. Không như một số sản phẩm sử dụng dòng lệnh phức tạp như TCPdump, giao diện đồ hoạ của Wireshark thật tuyệt vời cho những ai đã từng nghiên cứu thế giới của phân tích giao thức.

Giá rẻ: Wireshark là một sản phẩm miễn phí GPL. Bạn có thể tải về và sử dụng Wireshark cho bất kỳ mục đích nào, kể cả với mục đích thương mại.

Download ActivePerlActiveState Perl has binary distributions of Perl for Win32 (and Perl for Win64).

Download Strawberry Perl 

Strawberry Perl: A 100% Open Source Perl for Windows that is exactly the same as Perl everywhere else; this includes using modules from CPAN, without the need for binary packages. Help is available from other Windows Perl developers on the #win32 irc channel on irc.perl.org (see website for access through a browser).

Baidu, China's most popular search engine, has just been found guilty--in China--for violating copyright on music lyrics found on its service. But this is China, home of dodgy thinking about intellectual property: The fine was just $8,000.

The case centers on 50 tracks owned by China's MCSC record label, the lyrics of which Baidu was making available through its MP3 lyrics search system. MCSC contended Baidu didn't have the rights to do this, and took the search engine to court. A judge in the Haidian district of Beijing has just examined the case, and ruled in favor of MCSC.

The penalty is to remove the offending content--a pretty standard move, of course--and pay compensation. The amount is laughable though: It's just 50,000 Yuan or $7,300, and another 10,000 Yuan in court fees. Arguably the matter concerns just 50 tracks, and the content in question is merely the lyrics. But that MCSC-owned IP will have been served up by Baidu to potentially millions of users, magnifying the issue somewhat. Though we're not talking about serious music pirating here, it does seem somewhat ridiculous that such a small penalty has been levied against a big-business search engine.

$8,000-odd dollars seems even more ridiculous when you look at the size of fines enforced in the U.S. for piracy--the most obvious counter example being the ruling against Jammie Thomas-Rasset, who faced a $2.4 million fine for pirating just 24 music tracks.
But, the Baidu ruling has a bigger, slightly iconic significance. Though there are some legal shenanigans behind the case, it demonstrates that serious questions of IP violation can be successfully tried in China. The nation is absolutely notorious for rampant theft of IP, be it gadget design, look and feel of Web sites, imagery, and code--in 2007, the Office of the U.S. Trade Representative added China to its "priority watch list" for widespread violation of copyright. Though nobody's suggesting that the Baidu case means that the legal establishment has turned a corner, and copyright will be viewed with a new respect, it may be seen as a test case, with seriously positive implications for other rights holders who've seen their creations stolen inside China. Chinese e-publishers recently planning to sue Baidu for copyright violations will also be watching this ruling closely.

Source: http://www.fastcompany.com

Valued PlayStation(R)Network/Qriocity Customer:
We have discovered that between April 17 and April 19, 2011,
certain PlayStation Network and Qriocity service user account
information was compromised in connection with an illegal and
unauthorized intrusion into our network. In response to this
intrusion, we have:
1) Temporarily turned off PlayStation Network and Qriocity services;
2) Engaged an outside, recognized security firm to conduct a full
and complete investigation into what happened; and
3) Quickly taken steps to enhance security and strengthen our
network infrastructure by rebuilding our system to provide you
with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill
as we do whatever it takes to resolve these issues as quickly and
efficiently as practicable.
Although we are still investigating the details of this incident,
we believe that an unauthorized person has obtained the following
information that you provided: name, address (city, state, zip), country,
email address, birthdate, PlayStation Network/Qriocity password and login,
and handle/PSN online ID. It is also possible that your profile data,
including purchase history and billing address (city, state, zip),
and your PlayStation Network/Qriocity password security answers may
have been obtained. If you have authorized a sub-account for your
dependent, the same data with respect to your dependent may have
been obtained. While there is no evidence at this time that credit
card data was taken, we cannot rule out the possibility. If you have
provided your credit card data through PlayStation Network or Qriocity,
out of an abundance of caution we are advising you that your credit
card number (excluding security code) and expiration date may have
been obtained.
For your security, we encourage you to be especially aware of email,
telephone and postal mail scams that ask for personal or sensitive
information. Sony will not contact you in any way, including by email,
asking for your credit card number, social security number or other
personally identifiable information. If you are asked for this information,
you can be confident Sony is not the entity asking. When the PlayStation
Network and Qriocity services are fully restored, we strongly recommend that
you log on and change your password. Additionally, if you use your PlayStation
Network or Qriocity user name or password for other unrelated services or
accounts, we strongly recommend that you change them as well.
To protect against possible identity theft or other financial loss, we
encourage you to remain vigilant, to review your account statements and
to monitor your credit reports. We are providing the following information
for those who wish to consider it:
- U.S. residents are entitled under U.S. law to one free credit report annually
from each of the three major credit bureaus. To order your free credit report,
visit www.annualcreditreport.com or call toll-free (877) 322-8228.
- We have also provided names and contact information for the three major U.S.
credit bureaus below. At no charge, U.S. residents can have these credit bureaus
place a “fraud alert” on your file that alerts creditors to take additional steps
to verify your identity prior to granting credit in your name. This service can
make it more difficult for someone to get credit in your name. Note, however,
that because it tells creditors to follow certain procedures to protect you,
it also may delay your ability to obtain credit while the agency verifies your
identity. As soon as one credit bureau confirms your fraud alert, the others
are notified to place fraud alerts on your file. Should you wish to place a
fraud alert, or should you have any questions regarding your credit report,
please contact any one of the agencies listed below:
Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division,
P.O. Box 6790, Fullerton, CA 92834-6790
- You may wish to visit the website of the U.S. Federal Trade Commission at
www.consumer.gov/idtheft or reach the FTC at 1-877-382-4357 or 600 Pennsylvania
Avenue, NW, Washington, DC 20580 for further information about how to protect
yourself from identity theft. Your state Attorney General may also have advice
on preventing identity theft, and you should report instances of known or
suspected identity theft to law enforcement, your State Attorney General,
and the FTC. For North Carolina residents, the Attorney General can be
contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone
(877) 566-7226; or www.ncdoj.gov. For Maryland residents, the Attorney
General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202;
telephone: (888) 743-0023; or www.oag.state.md.us.
We thank you for your patience as we complete our investigation of this
incident, and we regret any inconvenience. Our teams are working around the
clock on this, and services will be restored as soon as possible. Sony takes
information protection very seriously and will continue to work to ensure that
additional measures are taken to protect personally identifiable information.
Providing quality and secure entertainment services to our customers is
our utmost priority. Please contact us at 1-800-345-7669 should you have any
additional questions.
Sincerely,
Sony Computer Entertainment and Sony Network Entertainment
===================================
LEGAL
“PlayStation” and the “PS” Family logo are registered
trademarks and “PS3″ and “PlayStation Network” are
trademarks of Sony Computer Entertainment Inc.
(C) 2011 Sony Computer Entertainment America LLC.
Sony Computer Entertainment America LLC
919 E. Hillsdale Blvd., Foster City, CA 94404

The FBI has observed a trend in which cyber criminals —  using  the  compromised online banking credentials of U.S. businesses — sent unauthorized wire transfers to Chinese economic and trade companies located near the Russian border.   

Between March 2010  and April 2011, the FBI identified  twenty  incidents in which the online banking credentials of small-to-medium sized U.S.  businesses were compromised  and used to initiate wire transfers to Chinese  economic and  trade companies. As of  April 2011, the total attempted fraud amounts to approximately $20 million; the actual victim losses are $11 million.   

In a typical scenario, the computer of a person within a company who can initiate funds transfers on behalf of the  U.S.  business is compromised by either a phishing e-mail or by visiting a malicious Web site. The malware harvests the user’s corporate online banking credentials. When the authorized user attempts to log in to the user’s bank Web site, the user is typically redirected to another Web page stating the bank Web site is under maintenance or is unable to access the accounts. While the user is experiencing logon issues, malicious actors initiate the unauthorized transfers to commercial accounts held at intermediary banks  typically  located in New York. Account funds are then transferred to the Chinese economic and trade company bank account.  

Victims

Like most account takeover fraud,  the victims tend to be small-to-medium sized businesses and public institutions that have accounts at local community banks and credit unions, some of which use third-party service providers for online banking services.

Recipients

 The intended recipients of the international wire transfers are economic and trade companies located in the Heilongjiang province in the People’s Republic of China. The companies are  registered in port cities that are located near the Russia-China border

The FBI has  identified multiple companies that were used for more than one unauthorized wire transfer. However, in these cases the transfers were a few days apart and never used again. Generally, the malicious actors use different companies to receive the transfers. The companies used for this fraud  include the name of a Chinese port city in their official name. These cities include: Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Dongning. The official name of the companies also include the words “economic and trade,” “trade,” and “LTD.”

 The economic and trade companies appear to be registered as legitimate businesses and typically hold bank accounts with the Agricultural Bank of China, the Industrial and Commercial Bank of China, and the Bank of China.

 At this time, it is unknown who is behind  these unauthorized transfers,  if the Chinese accounts were the final transfer destination or if the funds were transferred elsewhere,  or why the legitimate companies received the unauthorized funds.  Money  transfers to companies that contain these described characteristics should be closely scrutinized.

 Unauthorized Wire Transfers

 The unauthorized wire transfers range from $50,000 to $985,000. In most cases, they tend to be above $900,000, but the malicious actors have been more successful in receiving the funds when the  unauthorized  wire transfers  were  under $500,000.  When the transfers went through successfully, the money was immediately withdrawn from or transferred out of  the recipients’ accounts. 

 In  addition to the large wire transfers, the malicious actors also sent domestic ACH and wire transfers to money mules in the United States  within minutes of conducting the overseas transfers. The domestic wire transfers range from $200 to $200,000. The intended recipients are money mules, individuals who the victim company has done business with in the past, and in one instance, a utility company located in another U.S. state. The additional ACH transfers initiated using compromised accounts range from $222,500 to $1,275,000.   

 Malware

The type of malware has not been determined in every case but some of the cases involve ZeuS, Backdoor.bot, and  Spybot. In addition, one victim reported  that  the hard drive of the compromised computer that was infected was erased remotely before the IT department could investigate.

   ZeuS  —  malware that has the capability to steal multifactor authentication tokens, allowing the criminal(s)  to log in to victims’ bank accounts with the user name, password, and token ID.  This can occur during a legitimate user log-in session.

   Backdoor.bot — malware that has worm, downloader, keylogger, and spy ability. The malware allows for the criminal(s)  to access the infected computer remotely and  further infect computers by downloading additional threats from a remote server. 3

   Spybot —  an IRC backdoor Trojan which runs in the background as a service process and allows unauthorized remote access to the victim computer.

   Recommendation to Financial Institutions

   Banks should notify their business customers of any suspicious wire activity going to the following Chinese cities: Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Dongning.  

  Wire activity destined for the Chinese cities of Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Dongning should be heavily scrutinized, especially for clients that have no prior transaction history with companies in the Heilongjiang province.  

For recommendations on how businesses can Protect, Detect, and Respond to Corporate Account

Take overs such as this, please refer to the “Fraud Advisory for Businesses: Corporate Account

Take Over” available at http://www.fsisac.com/files/public/db/p265.pdf.

 Incident Reporting

When you open presentations that contain layouts with background images in PowerPoint 2003, an error may occur. When the error occurs, you receive a message that states that some contents (text, images, or objects) have corrupted. You can determine what content has been lost by viewing the layout, but not by viewing the slide content. Items that were removed will display a blank box or a box that contains "cleansed." 

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problems that are described in this article. Apply this hotfix only to systems that are experiencing the problems described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

You must have Microsoft Office 2003 Service Pack 3 installed to apply this hotfix package.

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix replaces security update 2464588, which is described in bulletin MS11-022.

Registry information

To use one of the hotfixes in this package, you do not have to make any changes to the registry.

File information

This hotfix may not contain all the files that you must have to fully update a product to the latest build. This hotfix contains only the files that you must have to correct the issues that are listed in this article.

The global version of this hotfix package uses a Microsoft Windows Installer package to install the hotfix package. The dates and the times for these files are listed in Coordinated Universal Time (UTC) in the following table. When you view the file information, the date is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel. 

-----------------------------------------------------------
KB Article Number(s): 2543241
Language: English
Platform: i386
Location: (http://hotfixv4.microsoft.com/Microsoft%20PowerPoint%202003/sp4/office2003KB2543241ENU/11.0.8335.0/free/431548_ENU_i386_zip.exe)
Password: [*****4
Password Changes On: 04/30/2011
Next Password: 9*****5
NOTE   Make sure that you include all the text between "(" and ")" when you visit this hotfix location.

 Link download:

Microsoft