Hackin9
Linux Kernel 'net/appletalk/ddp.c' Local Information Disclosure Vulnerability
 
Linux Kernel 'drivers/isdn/mISDN/socket.c' Local Information Disclosure Vulnerability
 
Linux Kernel 'net/netrom/af_netrom.c' Local Information Disclosure Vulnerability
 
Secretive Bitcoin creator Satoshi Nakamoto is a 64-year-old man living near Los Angeles who declines to talk about his role in the digital currency, according to a news report.
 

Memory dumping for incident response is nothing new, but ever since direct access to physical memory (/dev/mem) was locked down on Linux, I have had bad experiences dumping memory. I usually end up crashing the server about 60 percent of the time while collecting data with fmem.

 

A new version of the Linux memory dumping utility in rekall (previously called Winpmem) has recently come out. I have been testing it on the latest versions of Ubuntu and Red Hat EL 5 and have not run into any issues with collection.

 

If you are fortunate enough to have an environment with groups of servers at the same patch level, run the following steps on a non-compromised server first. Additionally, if the compromised system is a VM, you can clone it and perform these actions on the clone. Make sure you collect all other volatile data (MAC times, lsof, ps, etc.) before you dump memory, as dumping may still cause instability on the system and you do not want to lose that data.

 

Preparing for collection

Install Linux Kernel Headers

Ubuntu

>sudo apt-get install linux-headers-server zip

CentOS/Redhat

>yum install kernel-headers gcc

 

Download and Compile rekall

When you run the makefile, it will automatically create part of the profile for the server. This will need to be copied off the server for analysis.

>wget http://downloads.rekall.googlecode.com/git/Linux/linux_pmem_1.0RC1.tgz

>tar -zxvf linux_pmem_1.0RC1.tgz

>cd linux

>make

 

Note: For Redhat/CentOS systems you will need to adjust the Makefile KHEADER variable.

 

Copy the profile zip that make produces (it is named after the kernel version, e.g. 3.5.0-45-generic.zip) to your Volatility analysis machine under your volatility directory /plugins/overlays/linux/.

Load the Kernel Driver

>sudo insmod pmem.ko

>sudo lsmod |grep pmem

pmem                   12680  0

 

Collect Memory

Now that the driver is loaded, a new device is accessible at /dev/pmem. We want to copy the memory to an external device/share.

#Items in {} need to be changed per incident to be useful for analysis

>dcfldd if=/dev/pmem bs=512 conv=noerror,sync of=/{USBDRIVE}/mount/{servername.date}.memory.dd hash=md5,sha256 hashlog=/{USBDRIVE}/{servername.date}.memory.dd-hash.log

 

Unload driver

>sudo rmmod pmem.ko
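As an added illustration of what the dcfldd step above does (this is example code, not part of the diary or of rekall), the copy below reproduces the conv=noerror,sync behaviour block by block, writes an md5/sha256 hash log, and recomputes the hashes once the image is on the analysis box. The diary's {USBDRIVE}/{servername.date} placeholders become plain arguments; the log format is my own, not dcfldd's.

```python
"""Added example: dcfldd-style block copy of a memory device with
conv=noerror,sync semantics, an md5/sha256 hash log, and a verify step."""
import hashlib

BLOCK_SIZE = 512  # same as the diary's bs=512


def copy_blocks(src, dst, bs=BLOCK_SIZE):
    """Copy file-like src to dst one block at a time; returns (written, hashes).

    conv=noerror: a read that raises OSError does not abort the copy.
    conv=sync:    each input block is NUL-padded to a full bs, so a short or
                  failed read still yields a bs-sized output block and later
                  offsets in the image stay aligned with the source.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    offset = 0
    while True:
        try:
            chunk = src.read(bs)
            if not chunk:                  # end of device
                break
        except OSError:                    # unreadable block: skip it, go on
            chunk = b""
            src.seek(offset + bs)
        block = chunk.ljust(bs, b"\x00")   # pad partial/failed block with NULs
        dst.write(block)
        md5.update(block)
        sha256.update(block)
        offset += bs
    return offset, {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def dump_device(src_path, dst_path, hashlog_path, bs=BLOCK_SIZE):
    """Image src_path (e.g. /dev/pmem) to dst_path and write the hash log."""
    with open(src_path, "rb", buffering=0) as src, open(dst_path, "wb") as dst:
        written, hashes = copy_blocks(src, dst, bs)
    with open(hashlog_path, "w") as log:
        log.write(f"bytes: {written}\n")
        for algo, digest in hashes.items():
            log.write(f"{algo}: {digest}\n")
    return written, hashes


def verify_image(dst_path, hashlog_path):
    """Recompute the image hashes and compare them with the hash log."""
    with open(hashlog_path) as log:
        expected = dict(line.rstrip("\n").split(": ", 1) for line in log)
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(dst_path, "rb") as img:
        for block in iter(lambda: img.read(1 << 20), b""):
            md5.update(block)
            sha256.update(block)
    return (md5.hexdigest() == expected["md5"]
            and sha256.hexdigest() == expected["sha256"])
```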

Analysis using Rekall

Now that collection is completed, we need to be able to examine the memory dump.  Copy the memory image to your analysis workstation.

 

Install Rekall

>sudo apt-get install python-pip python-dev

>sudo pip install rekall

 

Build Rekall Profile

We now need to create a profile that will work with Rekall. Convert the file that was copied from the server and name it something useful for future analysis.

>rekal.py convert_profile 3.5.0-45-generic.zip Ubuntu3.5.0-45-generic.zip

>rekal.py --profile ./Ubuntu3.5.0-45-generic.zip -f /media/mem.dd  pslist

 

To enter the interactive shell, leave the plugin name off the command line:

>rekal.py --profile ./Ubuntu3.5.0-45-generic.zip -f /media/mem.dd

 

To list the available plugins, use the interactive shell:

>rekal.py info[tab][tab]

 

plugins.arp              plugins.check_idt        plugins.convert_profile  plugins.dwarfparser      plugins.info             plugins.lsof             plugins.null             plugins.psaux            plugins.vmscan

plugins.banner           plugins.check_modules    plugins.cpuinfo          plugins.fetch_pdb        

…..  


 

To get more information about a specific plugin, append ? to the plugin name:

mem 12:38:31>plugins.pslist?

 

Some of the more useful plugins are:

  • plugins.bash - searches for bash history

  • plugins.check_modules - lists loaded modules

  • plugins.dmesg - gathers the dmesg buffer

  • plugins.lsof

  • plugins.netstat

  • plugins.pslist


 

Optional (If you want to use Volatility for analysis)

I haven't spent much time on this, but Volatility will not be able to use the rekall default profile. You will also have to perform the steps below to read the memory dump with Volatility. I'm guessing only a small change in the file is needed, but I have not dug any deeper at this time.


 

>sudo apt-get install dwarfdump

>wget https://volatility.googlecode.com/files/volatility-2.3.1.tar.gz

>tar -zxvf volatility-2.3.1.tar.gz

>cd volatility-2.3.1/tools/linux

>make

>zip Ubuntu{Kernel ver}.zip ./module.dwarf  /boot/System.map-`uname -r`


 

For more information on Rekall

http://docs.rekall.googlecode.com/git/tutorial.html


 

For more info on Volatility Linux analysis

https://code.google.com/p/volatility/wiki/LinuxMemoryForensics

 

--

Tom Webb

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
If you didn't like Facebook's News Feed redesign last year, you're in luck: The social network is trying to change what you don't like with another redesign.
 
 
As tech companies increasingly rely on analyzing and selling user data to boost revenue, trust is emerging as one of the defining issues of the year for the IT sector.
 
CVE-2014-2044 - Remote Code Execution in ownCloud
 
SonicWall Dashboard Backend Server - Client Side Cross Site Scripting Web Vulnerability
 

As the most widely used technology to prevent eavesdropping on the Internet, HTTPS encryption has seen its share of attacks, most of which work by exploiting weaknesses that allow snoops to decode cryptographically scrambled traffic. Now there's a novel technique that can pluck out details as personal as someone's sexual orientation or a contemplation of suicide, even when the protection remains intact.

A recently published academic paper titled "I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis" shows how even strongly encrypted Web traffic can reveal highly personal information to employers, Internet service providers, state-sponsored spies, or anyone else with the capability to monitor a connection between a site and the person visiting it. As a result, it's possible for them to know with a high degree of certainty what video someone accessed on Netflix or YouTube, the specific tax form or legal advice someone sought from an online lawyer service, and whether someone visiting the Mayo Clinic website is viewing pages related to pregnancy, headaches, cancer, or suicide.

The attack works by carefully analyzing encrypted traffic and taking note of subtle differences in data size and other characteristics of the encrypted contents. In much the way someone holding a wrapped birthday present can tell if it contains a book, a Blu-ray disk, or a box of candy, an attacker can know with a high degree of certainty the specific URL of the HTTPS-protected website. The transport layer security and secure sockets layer protocols underpinning the Web encryption specifically encrypt the URL, so until now, many people presumed an attacker could only deduce the IP address of a site someone was visiting rather than specific pages belonging to that site.


 
With some opening shots in a cyber component to the war of nerves in the Ukraine already fired, security analysts today offered a look at how a full-fledged cyberwar in the region would unfold.
 
Microsoft will deliver five security updates to customers next week, two tagged as "critical," including one that will quash the open vulnerability in Internet Explorer that hackers have been exploiting since January.
 
Texas Instruments is tapping into the growing trend among enthusiasts who want to make their own wearable devices and small electronics, announcing the Tiva C Series Connected LaunchPad mini-computer.
 
The U.S. Federal Trade Commission should investigate Facebook's proposed $19 billion acquisition of mobile messaging app WhatsApp -- and possibly block it -- because of the potential impact on users' privacy, two privacy groups said in a complaint.
 
The rate of increase in tablet shipments is expected to slow this year after unabated growth during the device's first three years.
 
A Tip of the Hat to ZDNet's Larry Dignan for his incisive look at the state of IBM's cloud strategy after the unveiling of the BlueMix open cloud platform.
 
An asteroid measuring about 25 feet across will whizz safely past Earth today, the second such object in two days,
 
Net-SNMP snmptrapd Remote Denial of Service Vulnerability
 
Net-SNMP ICMP-MIB Remote Denial of Service Vulnerability
 
Media company Getty Images had made about 35 million of its images embeddable in order to start gathering data and better monetize usage of its material, the company said on Thursday.
 
Linux Kernel CVE-2014-0101 NULL Pointer Dereference Denial of Service Vulnerability
 
Linux Kernel 'complete_emulated_mmio()' Function Privilege Escalation Vulnerability
 
[ANN] Struts 2.3.16.1 GA release available - security fix
 
[slackware-security] sudo (SSA:2014-064-01)
 

All continues to not be well in the world of Bitcoin and related cryptocurrencies. Another exchange has been hacked, with the perpetrators making off with 76.69 bitcoins (a little under $50,000 at current trading rates).

On Tuesday, the owner of the Poloniex exchange admitted on the Bitcoin Talk forum that around “12.3 percent of the BTC on Poloniex” was stolen. Poloniex did not immediately respond to Ars' request for comment.

Poloniex owner Busoni explained that the hacker found a flaw in his site's code that processes withdrawals. The hacker discovered that multiple simultaneous withdrawals are processed essentially at the same time and that the system's software doesn't check quickly enough for a negative balance, so they are still processed.
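The withdrawal race the report describes, as an added illustration that is not from the article or from Poloniex's code: the vulnerable shape (balance check and debit as two separate steps) next to a version that makes them one atomic step. The wallet class names, balances and amounts are constructed.

```python
"""Added example: check-then-debit withdrawal race, and the atomic fix."""
import threading


class RacyWallet:
    """Check, then (later) debit: two steps a second request can slip between."""
    def __init__(self, balance):
        self.balance = balance

    def check(self, amount):
        return self.balance >= amount     # step 1: read balance

    def debit(self, amount):
        self.balance -= amount            # step 2: write balance


def racy_double_withdraw(balance, amount):
    """Two simultaneous withdrawals interleaved check/check/debit/debit.
    Both checks pass against the same unspent balance, so both debits run
    and the balance goes negative."""
    w = RacyWallet(balance)
    ok_a, ok_b = w.check(amount), w.check(amount)
    if ok_a:
        w.debit(amount)
    if ok_b:
        w.debit(amount)
    return w.balance


class SafeWallet:
    """Check and debit under one lock. The database equivalent is a single
    UPDATE ... SET balance = balance - :amt WHERE balance >= :amt, then
    treating an affected-row count of zero as a rejected withdrawal."""
    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw(self, amount):
        with self._lock:                  # nothing can read between check and write
            if self.balance < amount:
                return False
            self.balance -= amount
            return True


def safe_concurrent_withdraw(balance, amount, requests):
    """Fire `requests` withdrawals from threads at once;
    return (final balance, number accepted)."""
    w = SafeWallet(balance)
    results = []
    threads = [threading.Thread(target=lambda: results.append(w.withdraw(amount)))
               for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return w.balance, results.count(True)
```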


 
 
 
LinuxSecurity.com: Several security issues were fixed in Tomcat.
 
LinuxSecurity.com: IcedTea Web could be made to expose or alter sensitive information.
 
LinuxSecurity.com: New sudo packages are available for Slackware 13.0, 13.1, and 13.37 to fix a security issue. [More Info...]
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Updated subversion packages that fix three security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
LinuxSecurity.com: An updated activemq package that fixes multiple security issues is now available for Red Hat OpenShift Enterprise 1.2.7. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Multiple vulnerabilities have been reported in Chromium and V8, worst of which may allow execution of arbitrary code.
 

ISC Reader James Lay has captured the mysterious port 5000 traffic and provided us with a copy of the packets and a snort signature. Thanks James! You're awesome!

The traffic is scanning TCP port 5000.  After establishing a connection it sends "GET /webman/info.cgi?host='" 

This appears to be a scan for Synology DiskStation Manager installations that are vulnerable to a remote code execution exploit published in October 2013. There is currently a Metasploit module available for the vulnerability.

Thanks to James for the following snort signature.

alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"SERVER-WEBAPP Synology DiskStation Manager Reflected XSS attempt over UPnP"; flow:to_server,established; content:"/webman/info.cgi|3f|host="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, reference:url,www.scip.ch/en/?vuldb.10255; classtype:attempted-admin; sid:10000130; rev:1;)
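As an added example (not from the diary or from James's rule), the code below decodes the rule's content string, where |3f| is Snort's hex escape for a literal "?", and applies that match to the URI of constructed request lines, which is roughly what the http_uri modifier makes the sensor compare against. The flow:to_server,established condition and Snort's URI normalisation are not modelled; the sample payloads are made up for the test.

```python
"""Added example: decode a Snort content string and apply it to request URIs."""
import re

# content string exactly as written in the rule above
RULE_CONTENT = "/webman/info.cgi|3f|host="


def decode_content(content):
    """Turn a Snort content string into bytes: text outside |..| is literal,
    text inside |..| is space-separated hex bytes."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2:                              # odd segments are hex
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def request_uri(payload):
    """Pull the URI out of a raw HTTP request line (None if not a request)."""
    m = re.match(rb"^[A-Z]+ (\S+) HTTP/1\.[01]\r?\n", payload)
    return m.group(1) if m else None


def matches_rule(payload, content=RULE_CONTENT):
    """True if the request URI contains the rule's decoded content."""
    uri = request_uri(payload)
    return uri is not None and decode_content(content) in uri


def triage(payloads):
    """Return the indexes of the payloads that would trigger the rule."""
    return [i for i, p in enumerate(payloads) if matches_rule(p)]


# Constructed sample of what a sensor watching TCP/5000 might record
SAMPLES = [
    b"GET /webman/info.cgi?host=' HTTP/1.1\r\nHost: 192.0.2.10:5000\r\n\r\n",
    b"GET /webman/index.cgi HTTP/1.1\r\nHost: 192.0.2.10:5000\r\n\r\n",
    b"POST /webman/info.cgi?host=x HTTP/1.0\r\n\r\n",
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1",   # not HTTP at all
]
```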

Follow me on Twitter: @markbaggett

There are a couple of chances to sign up for SANS Python programming course.  The course starts from the very beginning, assuming you don't know anything about programming or Python.  The course is self paced learning and we cover the essentials before we start building tools you can use in your next security engagement.   You will love it!!    Join me for Python for Penetration testers in Reston VA March 17-21 or at SANSFire in Baltimore June 23-27.

http://www.sans.org/event/northern-virginia-2014/course/python-for-pen-testers

http://www.sans.org/event/sansfire-2014/course/python-for-pen-testers

 

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
And without remote management, getting patches onto devices scattered throughout the organization is hit or miss.
 
 
Having lots of Wi-Fi networks packed into a condominium or apartment building can hurt everyone's wireless performance, but Stanford University researchers say they've found a way to turn crowding into an advantage.
 

Exposing a previously unknown weakness in the cryptographic system securing bitcoins, scientists have devised an attack that can steal large amounts of the digital currency when hackers run even unprivileged software on the same computer processing the coins.

The technique, laid out in an academic paper published Wednesday, doesn't pose an immediate threat to Bitcoin users. A successful hack relies on the thief having some access to the same Intel-made processor that processes the targeted bitcoins. That requirement means there would almost certainly be easier ways for the same attacker to pilfer the digital coins. Still, the research is significant because it exposes subtle cryptographic weaknesses not only in a key Bitcoin algorithm, but also in OpenSSL, a widely used code library that implements the core cryptographic protections on the Internet.

The attack relies on "side channel analysis," in which attackers extract a secret decryption key based on clues leaked by electromagnetic emanations, data caches, or other manifestations of a targeted cryptographic system. In this case, cryptographers can retrieve the private key needed to take control of bitcoins by taking minute measurements of the CPU as it makes transactions using the digital currency. Specifically, by observing the last-level (L3) CPU cache of an Intel processor as it executes as few as 200 signatures, an attacker in many cases has enough data to completely reconstruct the secret key needed to take ownership. The attack exploits the way OpenSSL implements the elliptic curve digital signature algorithm (ECDSA) based on a specific curve known as secp256k1 found in Bitcoin.


 
Not everyone's a fan of Lenovo's recent plan to buy IBM's x86 server business. Since Monday, close to 1,000 workers at an IBM factory in China have been protesting the proposed acquisition, fearing they may lose their jobs if the deal goes through.
 
Cisco Systems released new firmware versions for some of its small business routers and wireless LAN controllers in order to address vulnerabilities that could allow remote attackers to compromise the vulnerable devices or affect their availability.
 
Yahoo has acquired Vizify, a company that turns social media data into interactive visual aids such as infographics and videos, adding to Yahoo's string of acquisitions designed both to get talent and access to new technologies and services.
 
How do half a billion dollars vanish into thin air? That seems to be what happened at popular Bitcoin exchange Mt. Gox, which made a a bankruptcy protection filing in Japan last week.
 
Plenty of people have engineering degrees but not many have one specific to data centers. A university in Dallas is offering what it says will be a first-of-its-kind graduate degree in data center engineering.
 
Apple has again been denied a permanent U.S. sales ban on 23 Samsung Electronics products that infringe on Apple patents.
 
Metadata has had a bad rap lately, with disclosures tying its collection to government spying programs. But those bits of information lurking behind our phone calls, photos and online chats can be useful in other ways if they're harnessed properly.
 
Getting rid of old, unsecured or unused software and services is not easy. Do it correctly, though, and you can save IT time and money.
 

Posted by InfoSec News on Mar 06

http://www.computerworld.com/s/article/9246786/CIO_not_the_only_one_to_blame_for_Target_breach

By Jaikumar Vijayan
Computerworld
March 5, 2014

That someone had to take the fall for the massive breach at Target is
neither surprising nor unexpected. The only question is whether more heads
will roll in the aftermath of one of the biggest data compromises in retail
history.

Target on Wednesday announced that Beth Jacob, its CIO of more than five...
 

Posted by InfoSec News on Mar 06

http://www.defenseone.com/technology/2014/03/what-will-5-billion-military-cyber-spending-pay/79978/

By Patrick Tucker
Defenseone.com
March 5, 2014

The Pentagon wants $5.1 billion for cyber operations next year, an
increase of about $4 million over this year's budget, but exactly what the
military wants to buy with that money is unclear.

"There's no set of program elements that led to this number. Maybe there
needs to...
 

Posted by InfoSec News on Mar 06

http://www.independent.co.uk/life-style/health-and-families/health-news/hospital-records-used-to-target-ads-on-twitter-and-facebook-say-privacy-campaigners-in-latest-nhs-data-concerns-9166633.html

By CHARLIE COOPER
HEALTH REPORTER
independent.co.uk
03 March 2014

The security of NHS data was thrown into further doubt yesterday after it
emerged anonymous patient information has been used by a marketing
consultancy to advise clients on targeting...
 
SolidWorks Workgroup PDM Arbitrary File Overwrite Vulnerability
 
Linux Kernel 'farsync.c' Local Information Disclosure Vulnerability
 
Linux Kernel 'net/ipx/af_ipx.c' Local Information Disclosure Vulnerability
 