Information Security News
University of New South Wales to offer free online infosec courses
The University of New South Wales (UNSW), often ranked as Australia's top university for information security studies, will next year run free massive open online courses (MOOCs) under Creative Commons licences. The University of NSW sec.edu.au ...
Gas detectors used in factories and other industrial settings to identify toxic conditions contain several vulnerabilities that can allow hackers to remotely sabotage the devices, according to an industry advisory published late last week.
The vulnerabilities in the Midas and Midas Black gas detectors manufactured by Honeywell can be exploited by attackers with a low skill level, according to the advisory, which was published Thursday by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The first weakness is a path traversal flaw that allows remote attackers to bypass the device's normal authentication. The second is a failure to encrypt user passwords while they are being transmitted, so anyone able to observe the traffic can read them.
"Successful exploitation of these vulnerabilities could allow a remote attacker to gain unauthenticated access to the device, potentially allowing configuration changes, as well as the initiation of calibration or test processes," the advisory warned. The notice went on to advise organizations that rely on the detectors to install firmware versions 1.13b3 or 2.13b3, which patch the vulnerabilities. The advisory pointed to a download link from Honeywell.
Malware targeting banks, payment card processors, and other financial services has found an effective way to remain largely undetected as it plucks sensitive card data out of computer memory. It hijacks the computer's boot-up routine in a way that allows highly intrusive code to run even before the Windows operating system loads.
The so-called bootkit has been in operation since early this year and is part of "Nemesis," a suite of malware that includes programs for transferring files, capturing screens, logging keystrokes, injecting into processes, and carrying out other malicious actions on an infected computer. Its ability to modify the legitimate volume boot record (VBR) makes it possible for the Nemesis components to load before Windows starts. That makes the malware hard to detect and remove using traditional, OS-resident security tools. Because the infection lives in such a low-level portion of the hard drive, it can also survive when the operating system is completely reinstalled.
"The use of malware that persists outside of the operating system requires a different approach to detection and eradication," researchers from security firm FireEye's Mandiant Consulting wrote in a blog post published Monday. "Malware with bootkit functionality can be installed and executed almost completely independent of the Windows operating system. As a result, incident responders will need tools that can access and search raw disks at scale for evidence of bootkits."
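What "search raw disks for evidence of bootkits" looks like in practice, as an added example that is not FireEye/Mandiant code or anything from the original article: parse the partition table of an MBR-partitioned disk image, locate each partition's volume boot record, verify the 55AA boot signatures and the NTFS OEM ID, and compare a hash of the VBR boot-code region against a baseline taken from a known-good image. The two-sector disk image, the baseline and the tampering are all constructed inside the code.

```python
"""Added example: raw-disk check for volume boot record (VBR) tampering on an
MBR-partitioned image.  Not FireEye/Mandiant code; the disk image, baseline and
tampering below are constructed in code."""
import hashlib
import struct

SECTOR = 512
PART_ENTRY = "<B3sB3sII"           # status, CHS start, type, CHS end, start LBA, sector count
BOOT_SIG = b"\x55\xaa"
NTFS_OEM = b"NTFS    "
CODE_REGION = slice(0x54, 0x1fe)   # NTFS VBR boot code: after the BPB, before the signature


def build_image():
    """Constructed two-sector 'disk': an MBR whose single partition entry points
    at LBA 1, where an NTFS-style VBR lives."""
    vbr_sector = bytearray(SECTOR)
    vbr_sector[0:3] = b"\xeb\x52\x90"                  # JMP SHORT + NOP, as in an NTFS boot sector
    vbr_sector[3:11] = NTFS_OEM
    vbr_sector[CODE_REGION] = b"\x90" * (0x1fe - 0x54) # placeholder boot code
    vbr_sector[0x1fe:0x200] = BOOT_SIG
    mbr = bytearray(SECTOR)
    mbr[0x1be:0x1ce] = struct.pack(PART_ENTRY, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 1, 1)
    mbr[0x1fe:0x200] = BOOT_SIG
    return bytes(mbr + vbr_sector)


def partitions(image):
    """(type, start LBA, sector count) for each used primary MBR entry."""
    found = []
    for off in range(0x1be, 0x1fe, 16):
        _, _, ptype, _, lba, count = struct.unpack_from(PART_ENTRY, image, off)
        if ptype != 0:
            found.append((ptype, lba, count))
    return found


def vbr(image, lba):
    """The 512-byte sector at the partition's first LBA."""
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def code_hash(sector):
    """SHA-256 of the boot-code region only: the BPB legitimately differs between
    volumes, but the code should match a clean install byte for byte."""
    return hashlib.sha256(sector[CODE_REGION]).hexdigest()


def baseline_from(image):
    """Record the clean VBR code hashes, keyed by LBA, from a trusted image."""
    return {lba: code_hash(vbr(image, lba)) for _, lba, _ in partitions(image)}


def check_image(image, baseline):
    """Findings: missing boot signatures, type-0x07 partitions without the NTFS
    OEM ID, and VBR boot code that no longer matches the baseline."""
    findings = []
    if image[0x1fe:0x200] != BOOT_SIG:
        findings.append("MBR: missing 55AA boot signature")
    for ptype, lba, _ in partitions(image):
        sector = vbr(image, lba)
        if sector[0x1fe:0x200] != BOOT_SIG:
            findings.append(f"LBA {lba}: missing 55AA boot signature")
        if ptype == 0x07 and sector[3:11] != NTFS_OEM:
            findings.append(f"LBA {lba}: type 0x07 partition without NTFS OEM ID")
        if code_hash(sector) != baseline.get(lba):
            findings.append(f"LBA {lba}: VBR boot code differs from baseline")
    return findings


def demo():
    """Clean image passes; the same image with four bytes of VBR code patched
    (constructed stand-in for a bootkit hook, BPB and signature untouched) fails."""
    clean = build_image()
    base = baseline_from(clean)
    tampered = bytearray(clean)
    tampered[SECTOR + 0x54:SECTOR + 0x58] = b"\xe9\x00\x01\x90"
    return check_image(clean, base), check_image(bytes(tampered), base)


if __name__ == "__main__":
    ok, bad = demo()
    print("clean:", ok or "no findings")
    print("tampered:", bad)
```

Take the image from the raw device (for example with dd from a trusted boot medium) rather than through the running operating system, since a bootkit that controls the boot path can also filter what the OS reads back, and build the baseline from a clean install of the same Windows version. On GPT/UEFI disks the MBR is only protective and the same kind of check has to be applied to the GPT entries and the EFI boot files instead.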
Playing It Straight: Building A Risk-Based Approach To InfoSec
You might ask yourself what exactly this means and what this has to do with information security. Allow me to elaborate. What my teacher illustrated with that phrase was the idea of building the proper frame of reference. The haircut analogy ...
A while ago I shared a diary on offensive countermeasures against stolen Windows hashes. You can review that diary here.
This one is for Linux! This fun tweet by @nixcraft showed how an attacker could use Bash terminal commands to move the cursor and disguise the contents of a file.
By moving the cursor around and printing over existing lines in the script, the attacker hides the evil nature of the file. As the title of @nixcraft's tweet, "Hacking like it's 1999", implies, this has been around for a while, but it is still pretty fun. After reading the tweet it occurred to me that I could use the same technique to protect my /etc/shadow file when an attacker steals a copy of it and/or displays it with cat, tail or some other command that processes terminal cursor movements. Let's give it a try!
OH NO!! There is the student account's hash, displayed in all its glory for the attacker to steal and crack. Enter Liam Neeson. Liam Neeson is a small Python program that inserts terminal cursor movements to disguise your /etc/shadow file.
So what does an attacker see now that the file is protected by Liam_neeson.py?
Now your password hashes are safe. Notice that the student hash is no longer visible. NOTE TO ALL ATTACKERS: If you do hack a server protected by Liam Neeson, the proper response is to erase the shadow file and replace it with a file that simply says "Good Luck".
You can download a copy of Liam_neeson.py from here: https://raw.githubusercontent.com/MarkBaggett/MarkBaggett/master/liam_neeson.py
Would I use this in production? Probably not. Your logins will still work and your system will function properly until you add another user. I don't know what will happen when you try to add a user to the end of that file. It is unlikely that attackers will leave you alone based on this defense. As an attacker it would only spark my interest. BUT the concept is a good one if you are a little more subtle. Look at servers sitting in your DMZ where the users will not change. Then make small, subtle changes to the hashes that appear when attackers view the files. Here is an example where I just overwrote part of the hash with the words "Changed hash". That change is obvious so that you can see what it is doing. Make the change subtle instead, and an attacker is likely to steal and try to crack those modified password hashes.
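The trick described above, as an added example that is not liam_neeson.py or any other code from the diary: disguise() appends cursor-movement sequences to a shadow line so that a terminal overprints the hash field with a same-length decoy (the subtle change recommended above, keeping the $id$salt$ prefix and randomizing the body), render() is a minimal terminal that shows what cat would display, and strip_controls() shows what is left once the control bytes are not interpreted. The shadow lines and hashes are constructed, and appending the control bytes after the last field is this example's own assumption, not something the diary states; before trying anything like this on a real system, confirm with getent shadow <user> that the entry still parses.

```python
"""Added illustration of the /etc/shadow cursor-movement trick.  Not the
diary's liam_neeson.py: the sample shadow lines are constructed, and the
placement of the control bytes (after the last field) is an assumption."""
import random
import re

CSI = re.compile(r"\x1b\[(\d*)([A-Za-z])")          # ESC [ <n> <letter>
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed sample: a locked root account and a student with a SHA-512 crypt
# hash ($6$<16-char salt>$<86-char body>); the body is filler, not a real hash.
REAL_HASH = "$6$x7K2qTz9Lm4nR8sV$" + "4Z3Q" * 21 + "ab"
SHADOW_LINES = [
    "root:!:18000:0:99999:7:::",
    f"student:{REAL_HASH}:18000:0:99999:7:::",
]


def subtle_decoy(hash_field, seed=0):
    """Same length and same $id$salt$ prefix, random body: a plausible-looking
    hash that will never crack.  Locked or empty fields (!, *, '') are returned
    unchanged so those lines are left alone."""
    if hash_field.count("$") < 3:
        return hash_field
    prefix, body = hash_field.rsplit("$", 1)
    rng = random.Random(seed)
    return prefix + "$" + "".join(rng.choice(CRYPT_ALPHABET) for _ in body)


def disguise(line, decoy):
    """Append ESC[<n>D (cursor left) to back up to the hash column, the decoy,
    then ESC[<n>C (cursor right) to the end of line.  The file still holds the
    real hash in field 2; only the terminal rendering changes."""
    name = line.split(":", 1)[0]
    hash_col = len(name) + 1
    back = len(line) - hash_col
    forward = len(line) - hash_col - len(decoy)
    out = f"{line}\x1b[{back}D{decoy}"
    return out + (f"\x1b[{forward}C" if forward > 0 else "")


def protect(lines, seed=0):
    """Disguise every line that carries a real crypt hash."""
    out = []
    for line in lines:
        real = line.split(":")[1]
        decoy = subtle_decoy(real, seed)
        out.append(disguise(line, decoy) if decoy != real else line)
    return out


def render(text):
    """Minimal terminal: printable chars overwrite at the cursor, CR returns
    to column 0, ESC[nD / ESC[nC move left / right, ESC[K erases to end of
    line.  Returns the list of lines as they would appear on screen."""
    screen, buf, cur, i = [], [], 0, 0
    while i < len(text):
        m = CSI.match(text, i)
        if m:
            n = int(m.group(1) or "1") or 1          # terminals treat 0 as 1
            if m.group(2) == "D":
                cur = max(0, cur - n)
            elif m.group(2) == "C":
                cur += n
            elif m.group(2) == "K":
                del buf[cur:]
            i = m.end()
            continue
        ch = text[i]
        i += 1
        if ch == "\r":
            cur = 0
        elif ch == "\n":
            screen.append("".join(buf))
            buf, cur = [], 0
        else:
            if cur >= len(buf):
                buf.extend(" " * (cur - len(buf)))
                buf.append(ch)
            else:
                buf[cur] = ch
            cur += 1
    if buf:
        screen.append("".join(buf))
    return screen


def strip_controls(text):
    """What `cat -v`, `less` or a script that never touches a terminal reveals:
    the real line, followed by the decoy as trailing junk."""
    return re.sub(r"\x1b\[[0-9;]*[A-Za-z]|\r", "", text)


if __name__ == "__main__":
    protected = protect(SHADOW_LINES, seed=7)
    for shown in render("\n".join(protected) + "\n"):
        print(shown)                      # the decoy hash, as cat would display it
    print(strip_controls(protected[1]))   # the real hash, still in the file
```

The strip_controls() output is the tell: anything that does not interpret escape sequences (cat -v, less, a copy pulled over the wire and parsed by a script) sees the real hash followed by the decoy, which is exactly the kind of oddity that makes an attacker look harder rather than walk away.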
Of course there are obvious limitations. This will only deceive attackers who display the file with a command that interprets the cursor movements. But... defense in depth... every little bit helps.
Check out my Python class and learn how to create tools like this. SEC573 Python for Penetration Testers covers topics every defender can use to protect their network. Come check out Python in Orlando, Florida; Berlin, Germany; or Canberra, Australia! Follow me on Twitter at @MarkBaggett (I tweeted about this one a few months ago).
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.