Wednesday, November 11, 2009

New iPhone worm - ikee

Source code is available online... here

Wednesday, October 7, 2009

Ready? ./set

Social Engineer Toolkit:

The Social Engineering Toolkit (SET) is a Python-driven suite of custom tools.
SET has two main methods of attack. The first uses Metasploit payloads and Java-based attacks, setting up a malicious website that ultimately delivers your payload. The second is through file-format bugs and e-mail phishing.

The SET is designed to make complex social engineering tasks relatively simple for you by allowing you to utilize a robust framework for penetration tests.

SET works with Metasploit and basically targets automated e-mail and website attacks.

Email password leak update

After the leak of 10,000 Hotmail and Windows Live email passwords and details yesterday, this morning it emerges that another list containing 20,000 e-mail addresses and passwords from Hotmail, Yahoo, AOL, Gmail and other service providers has been posted online.

There were more than 10,028 pairs of user names and passwords posted to multiple pages of public upload websites like Pastebin.com, some of which remained live at time of writing. The stash is likely only a small sample of a much larger file.

Wouldn't it be great if this phishing was somehow linked to Mafia Wars or any other FB app? Could it be a phishing attack?

Tuesday, August 25, 2009

Clarification

I would like to clarify the article that was posted yesterday @themarker regarding the security breach in the Cellcom website. I didn't do any penetration testing or auditing on the website.

I just got the link and was asked for my professional opinion. As far as I know, the security department knew about the risks that this info can lead to. That's all.

M4y th3 S0urce b3 w1th u5.

Audit VoiP++

A great suite of tools for exploring, classifying, and auditing telephone systems can be found in WarVOX.

The suite of tools provides the unique ability to classify all telephone lines in a given range, including modems, faxes, voice mail boxes, PBXs, loops, dial tones, IVRs, and forwarders.

WarVOX is intended for legal security assessment, asset inventory, and research purposes only.

Tuesday, July 7, 2009

DirectShow 0day in the wild

The DirectShow 0day is a high-severity 0day exploit, and the current outbreak already began online last week. For the attack to work, the victim needs to use the Windows Media Player built into XP to play media files, which in turn triggers the internal vulnerabilities.

This is a client side (IE) exploit, so visiting a malicious site will result in infection.

Attack characteristics are as follows:
(I found the code on the http://**.****.cn website)

var appllaa='0';
myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';

Microsoft's advisory offers workarounds for the issue (from today), including setting the killbit for the ActiveX control.

There is one known hotfix and that is to set a "kill bit" in the registry for the ActiveX component.

1. Create the following key:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400

2. Create a DWORD value named "Compatibility Flags" and give it a value of 400 (hexadecimal, as in the dword:00000400 line above).
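
To confirm the workaround actually took effect, the kill bit can be checked in a registry export. The following is an added example, not code from the original post or from Microsoft's advisory: it parses `reg export` text and reports whether the kill bit is set for the CLSID above. The sample export is constructed, and the Wow6432Node key is the 32-bit registry view on 64-bit Windows, which needs the same value.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" value from the .reg file above
CLSID = "{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}"  # CLSID named on this page
SUFFIX = ("\\Internet Explorer\\ActiveX Compatibility\\" + CLSID).upper()

# Constructed sample (not real output): text of a `reg export`, already decoded
# to str. The second key is the 32-bit view that exists on 64-bit Windows.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00800400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000000
"""

def parse_reg(text):
    """Parse .reg text into {key path: {lowercased value name: int}} (dwords only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$', line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def killbit_status(text):
    """Return {"native"/"wow6432": bool} for each compatibility key found for CLSID."""
    status = {}
    for path, values in parse_reg(text).items():
        if not path.upper().endswith(SUFFIX):
            continue
        view = "wow6432" if "\\WOW6432NODE\\" in path.upper() else "native"
        # Test the bit, not equality: other flags may be ORed into the dword.
        status[view] = bool(values.get("compatibility flags", 0) & KILL_BIT)
    return status

if __name__ == "__main__":
    for view, blocked in killbit_status(SAMPLE).items():
        print(f"{view}: kill bit {'set' if blocked else 'NOT set'}")
```

An empty result means no compatibility key exists for the control at all, so it is not blocked in either view.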

Saturday, June 27, 2009

Let it sn0w

The iPod/iPhone 3G jailbreak is out. The iphone-dev team just released the 24kpwn LLB patch to allow for a persistent jailbreak. The team had been hanging on to this patch because there was the possibility the exploit could be used on future iPhone versions. Unfortunately, a group started selling the code, so the team was forced to release it for free. There is a tutorial available for updating a factory reset iPod/iPhone (backup link).

That means the same sort of technique can be used with the current redsn0w tool to jailbreak and unlock the iPhone 3GS.

Let it ultrasn0w....