Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 
'pam_cifscreds' PAM Module 'cifskey.c' Stack Buffer Overflow Vulnerability
 

When infosec people perform intrusion detection, they usually look for attacks such as port scans, buffer overflows and specific exploit signatures. For example, remember the OpenSSL Heartbleed vulnerability? The following is the Snort alert for this vulnerability, taken from the Snort community rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt"; flow:to_server,established; content:"|18 03 00|"; depth:3; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30510; rev:5;)

When you perform inline detection within electrical SCADA networks, latency is a big issue. That means you need to fully optimize the number of checks so that latency does not increase by more than 3 ms. We also need to cover threats other than malware, exploits and buffer overflows. In this diary I will detail some specific SCADA protocol packets that can constitute malicious traffic and cause terrible consequences for the process infrastructure. Today I will detail malicious packets of the DNP3 protocol.

The following text details DNP3 packet structure:

DNP3 Frame

Source: Practical Industrial Data Communications

  • Start: This is the starting delimiter of the DNP3 data link layer. It is always set to 0x0564 (the two bytes 05 64).
  • Length: This is the number of bytes of user data inside the DNP3 packet, plus 5; it does not count the CRC bytes.
  • Control: This is the DNP3 Frame Control Byte, which provides control of data flow between the master and slave over the physical link. It identifies the type of the message and the flow direction of the communication.
  • Destination: DNP3 outstations are identified by a two-byte address. These two bytes are the little-endian representation of the outstation destination address.
  • Source: These two bytes are the little-endian representation of the outstation source address.
  • CRC: Little-endian representation of the CRC-16 DNP3. This is calculated for each block and placed at the end of it.
  • Transport control: This DNP3 Frame Control Byte provides control of data flow between the master and slave at the transport level.
  • User data for block n:
    • Application layer: Control byte: Duplicates the control byte in the transport control field.
    • Application layer: Function code: Defines the function being invoked by the packet.
    • Application layer: Structures: Defines the structures being written or queried.
  • CRC: Little-endian representation of the CRC-16 DNP3 for block n user data.

The following DNP3 functions could be used in a malicious way:

1. DNP3 Warm Restart: When the outstation receives this packet and recognizes that it comes from the master, it performs a partial restart on completion of the communications sequence. If this packet is received several times per second, the IED will experience a denial of service and won't be able to act on the industrial process, send events to the HMI or receive commands from the HMI. A typical DNP3 Warm Restart packet looks like the following:

DNP3 Warm Restart

The following filters recognize these packets:

  • Wireshark: dnp3.al.func==14
  • Snort: alert tcp $DNP3_CLIENT any -> $DNP3_SERVER $DNP3_PORTS (flow:from_client,established; content:"|0E|"; offset:12; depth:1; msg:"SCADA_IDS: DNP3 Warm Restart From Authorized Client"; classtype:attempted-dos; sid:1111112; rev:1; priority:2;)

2. DNP3 Cold Restart: When the outstation receives this packet and recognizes that it comes from the master, it performs a full restart on completion of the communications sequence. If this packet is received several times per second, the IED will experience a denial of service and won't be able to act on the industrial process, send events to the HMI or receive commands from the HMI. The packet looks the same as the previous one with one small change: counting three bytes back from the end of the packet, 0E (DNP3 Warm Restart) becomes 0D (DNP3 Cold Restart). The following filters recognize these packets:

  • Wireshark: dnp3.al.func==13
  • Snort: alert tcp $DNP3_CLIENT any -> $DNP3_SERVER $DNP3_PORTS (flow:from_client,established; content:"|0D|"; offset:12; depth:1; msg:"SCADA_IDS: DNP3 Cold Restart From Authorized Client"; classtype:attempted-dos; sid:1111113; rev:1; priority:2;)

3. DNP3 Time Change: When this packet is received, the IED or RTU can change its internal clock, so orders received with a specific timestamp won't be executed and log entries will be placed at different times, so the operator can't see them in real time. A typical DNP3 Time Change packet looks like the following:

DNP3 Time Packet

Wireshark can't fully filter these packets, so the following tcpdump filter is provided (function code 2, WRITE, followed by object group 0x32 = 50, variation 1, which is the time and date object): ip[52]=2 and ip[53]=0x32 and ip[54]=1. Note that these byte offsets assume a 20-byte IP header and a 20-byte TCP header with no options; with TCP options present the DNP3 payload starts later and the offsets shift accordingly.
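As an added example that is not part of the diary, the following Python code assembles and parses DNP3 frames with the layout listed above (start bytes, length, control, addresses, per-block CRC-16/DNP) and flags the three application-layer requests discussed here: warm restart (0x0E), cold restart (0x0D) and a WRITE of object group 50 variation 1 (time and date). The addresses, control bytes and time value in the sample frames are constructed.

```python
import struct

def crc16_dnp(data: bytes) -> int:
    # CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, result inverted
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def build_frame(dst: int, src: int, control: int, user_data: bytes) -> bytes:
    # 8-byte header + CRC, then user data in 16-byte blocks, each + CRC (little-endian)
    header = struct.pack("<BBBBHH", 0x05, 0x64, len(user_data) + 5, control, dst, src)
    frame = header + struct.pack("<H", crc16_dnp(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", crc16_dnp(block))
    return frame

def parse_frame(frame: bytes) -> dict:
    # Verify start bytes and every CRC, then decode transport + application headers
    if frame[:2] != b"\x05\x64":
        raise ValueError("bad start bytes")
    length, control, dst, src = struct.unpack("<BBHH", frame[2:8])
    if struct.unpack("<H", frame[8:10])[0] != crc16_dnp(frame[:8]):
        raise ValueError("header CRC mismatch")
    user, pos, remaining = b"", 10, length - 5
    while remaining > 0:
        n = min(16, remaining)
        block, crc = frame[pos:pos + n], struct.unpack("<H", frame[pos + n:pos + n + 2])[0]
        if crc != crc16_dnp(block):
            raise ValueError("data block CRC mismatch")
        user, pos, remaining = user + block, pos + n + 2, remaining - n
    # user[0] = transport control, user[1] = application control, user[2] = function code
    info = {"dst": dst, "src": src, "control": control, "func": user[2], "objects": user[3:]}
    if user[2] == 0x0E:
        info["alert"] = "warm restart"
    elif user[2] == 0x0D:
        info["alert"] = "cold restart"
    elif user[2] == 0x02 and user[3:5] == b"\x32\x01":  # WRITE of group 50 var 1
        info["alert"] = "time change"
    return info

# Constructed samples: master address 1 -> outstation 10, link control 0xC4
# (DIR=1, PRM=1, unconfirmed user data), transport 0xC0, application control 0xC1
WARM = build_frame(10, 1, 0xC4, bytes([0xC0, 0xC1, 0x0E]))
COLD = build_frame(10, 1, 0xC4, bytes([0xC0, 0xC1, 0x0D]))
# WRITE (0x02), group 50 var 1, qualifier 0x07 with count 1, then a 6-byte time value
TIME = build_frame(10, 1, 0xC4, bytes([0xC0, 0xC1, 0x02, 0x32, 0x01, 0x07, 0x01]) + b"\x00" * 6)
```

The function code lands at payload offset 12 in every frame, which is the offset the Snort rules above match on and, with 20-byte IP and TCP headers, the ip[52] byte the tcpdump filter checks.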

SCADA information security is different from regular IT information security practice. We need to cover these specific vectors to improve the security level of the associated industrial process.

Manuel Humberto Santander Pelaez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org 

 
Apple's inability to meet demand for its Mac Pro desktop computer has surpassed that of its most egregious Mac production problem in memory, the debacle over the all-in-one iMac of late 2012 and early 2013.
 
IPTV is being added to lower priced bundles by digital TV providers to lure in a younger generation of subscribers and give the market a needed boost after years of declining subscriptions.
 
 
 
As organizations move in-house systems to the cloud, Canonical wants them to consider switching their OSes as well.
 
Enterprise asset intelligence company Zebra Technologies said it is acquiring Motorola Solutions' enterprise business for $3.45 billion.
 
Aiming to play a bigger role in analyzing tweets and sharing the resulting insights with advertisers and other businesses, Twitter has acquired Gnip, its partner for the past few years.
 
For a potentially revolutionary smartphone, it wasn't the best start.
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Python Imaging Library could be made to overwrite or expose files.
 
LinuxSecurity.com: Several security issues were fixed in curl.
 
[SECURITY] [DSA 2904-1] virtualbox security update
 
[security bulletin] HPSBST03001 rev.1 - HP XP P9500 Disk Array running OpenSSL, Remote Disclosure of Information
 
[SECURITY] CVE-2014-0111 Apache Syncope
 
RUCKUS ADVISORY ID 041414: OpenSSL 1.0.1 library's "Heart bleed" vulnerability - CVE-2014-0160
 
SAP user groups are stepping up pressure on the vendor over the fees charged for its user-friendly Fiori applications, saying they should be included as part of the substantial annual maintenance costs customers already pay, particularly given SAP's dismal track record with interfaces for its Business Suite ERP software.
 
The autonomous underwater robot that began searching for the missing Malaysian airliner Monday ran into trouble on its initial mission but is expected to try again today.
 
Luckily, gadget-makers understand the cruelty of travel, and are always creating new devices that help the mobile worker/road warrior ease the pain of a hotel room with few outlets, or expensive in-room Wi-Fi. Here are three gadgets I've recently tested that can help you on your next trip:
 
VUPEN Security Research - Adobe Flash ExternalInterface Use-After-Free Code Execution (Pwn2Own)
 
[SECURITY] [DSA 2903-1] strongswan security update
 
PDF Album v1.7 iOS - File Include Web Vulnerability
 
VMware started patching its products against the critical Heartbleed flaw that puts encrypted communications at risk, and plans to have updates ready for all affected products by Saturday.
 
I just finished up a lengthy tour through Latin America and Asia, as described in many of my latest blogs. Most recently I was in Australia and New Zealand (ANZ). I had the opportunity to work with various government agencies, organizations within critical infrastructure and general enterprise businesses across ANZ. Their primary topic of interest: big data. More specifically, they were interested in determining what needs to be part of a successful big data security strategy.
 
[security bulletin] HPSBMU02998 rev.1 - HP System Management Homepage (SMH) running OpenSSL on Linux and Windows, Remote Disclosure of Information
 
[security bulletin] HPSBMU02997 rev.1 - HP Smart Update Manager (SUM) running OpenSSL, Remote Disclosure of Information
 
[security bulletin] HPSBMU02994 rev.1 - HP BladeSystem c-Class Onboard Administrator (OA) running OpenSSL, Remote Disclosure of Information
 
The old wisdom that "first-to-market" technology products will win out gets thrown out the window when it comes to smartwatches and some other wearables.
 
Not one of the approximately 8,000 Google Glass Explorers but wish you were? If so, today is the day pick up a pair, but there are a few things you should know.
 
Some Wall Street analysts are warning that Apple needs to unveil its post-iPhone and iPad products to assure it can survive and thrive in the years ahead.
 

The heavily marketed fingerprint sensor in Samsung's new Galaxy 5 smartphone has been defeated by whitehat hackers who were able to gain unfettered access to a PayPal account linked to the handset.

The hack, by researchers at Germany's Security Research Labs, is the latest to show the drawbacks of using fingerprints, iris scans, and other physical characteristics to authenticate an owner's identity to a computing device. While advocates promote biometrics as a safer and easier alternative to passwords, that information is leaked every time a person shops, rides a bus, or eats at a restaurant, giving attackers plenty of opportunity to steal and reuse it. This new exploit comes seven months after a separate team of whitehat hackers bypassed Apple's Touch ID fingerprint scanner less than 48 hours after it first became available.

"We expected we'd be able to spoof the S5's Finger Scanner, but I hoped it would at least be a challenge," Ben Schlabs, a researcher at SRLabs, wrote in an e-mail to Ars. "The S5 Finger Scanner feature offers nothing new except—because of the way it is implemented in this Android device—slightly higher risk than that already posed by previous devices."


 
CVE-2013-6216 - SetUID/SetGID Programs Allow Privilege Escalation Via Insecure RPATH in multiple HP products on Linux
 
[security bulletin] HPSBMU02995 rev.2 - HP Software HP Service Manager, Asset Manager, UCMDB Browser, UCMDB Configuration Manager, Executive Scorecard, Server Automation, Diagnostics, LoadRunner, and Performance Center, running OpenSSL, Remote Disclosure
 
Adobe Reader for Android exposes insecure Javascript interfaces
 
[SECURITY] [DSA 2902-1] curl security update
 
[SECURITY] [DSA 2901-1] wordpress security update
 
[ MDVSA-2014:077 ] jbigkit
 
Google has expanded its Cloud Platform to include locally hosted computing capacity, storage and data bases for the Asia-Pacific region.
 
Every business, it seems, needs a data scientist, but not everyone knows what to look for. The four qualities of a good data scientist described here will help you first write a job description and then evaluate candidates for your data scientist vacancy.
 

Becrypt unveils latest innovative Secure Mobility solution at InfoSec Europe ...
SourceWire (press release)
London, UK, 15 April, 2014 – Becrypt will be demonstrating tVolution Mini, the latest addition to its range of innovative secure mobility solutions at InfoSec Europe. tVolution Mini is a secure miniature computer the size of a credit card which plugs ...

 
Microsoft on Monday conceded that Google's Chrome OS and the Chromebooks the operating system powers are capable of doing real work, a reversal of its 'Scroogled' campaign that once blasted the laptops as worthless.
 
Five weeks after announcing a lower-cost subscription to Office, Microsoft today started selling Office 365 Personal to consumers.
 
Mt. Gox CEO Mark Karpeles, who was ordered to appear before a U.S. bankruptcy court to answer questions, has asked for a postponement of his deposition.
 
Google has issued a patch for an attack that could lead an Android user to a phishing site, according to security vendor FireEye.
 
Indian outsourcer Infosys reported revenue and profit growth in the first quarter, but is still troubled by strong staff attrition and key management changes.
 
Google has updated its terms of service to reflect that it analyzes user content including emails to provide users tailored advertising, customized search results and other features.
 
Google Glass is getting a big software update to coincide with its one-day sale on Tuesday, but video calling is one feature that's been put on hold.
 
If our checks and balances are so fragile that a typo can obliterate all meaningful security, we have some fundamental things to fix.
 
The next generation of USB cables, the Type-C, will offer faster data streams, an increased ability to power devices, and better ease of use.
 

Posted by InfoSec News on Apr 15

http://arstechnica.com/security/2014/04/heartbleed-bug-exploited-to-steal-taxpayer-data/

By Dan Goodin
Ars Technica
April 14, 2014

Underscoring the severity of the Heartbleed bug affecting huge swaths of
the Internet, hackers exploited the vulnerability to steal taxpayer data
for at least 900 Canadian citizens and an unknown number of businesses,
officials in that country warned Monday morning.

Canada Revenue Agency (CRA) officials said...
 

Posted by InfoSec News on Apr 15

http://www.dailymail.co.uk/news/article-2604805/Cosmetic-surgeons-targeted-hackers-personal-details-500-000-people-enquiries-clinic-stolen.html

By TANIA STEERE
Mail Online
15 April 2014

One of Britain's best-known and biggest providers of private cosmetic
surgery has been targeted by computer hackers, it was revealed last night.

Confidential personal details of nearly 500,000 people who made an enquiry
about surgery via Harley Medical...
 

Posted by InfoSec News on Apr 15

http://www.wired.com/2014/04/tails/

By Klint Finley
Wired.com
04.14.14

When NSA whistle-blower Edward Snowden first emailed Glenn Greenwald, he
insisted on using email encryption software called PGP for all
communications. But this month, we learned that Snowden used another
technology to keep his communications out of the NSA's prying eyes. It's
called Tails. And naturally, nobody knows exactly who created it.

Tails is a kind of...
 

Posted by InfoSec News on Apr 15

http://www.nextgov.com/cybersecurity/2014/04/cyber-warrior-training-no-easy-task/82498/

By Aliya Sternstein
Nextgov.com
April 14, 2014

The Coast Guard Cyber Command aims to qualify a couple of service members
for what Pentagon officials have said will be a 2,000-member force within
the next two years.

It will take all the military services a lot of time and money to get
their members qualified for the force. For the Coast Guard, the task is...
 

Posted by InfoSec News on Apr 15

http://healthitsecurity.com/2014/04/14/hipaa-security-risk-assessment-tool-small-provider-needs/

By Patrick Ouellette
Health IT Security
April 14, 2014

Though the Department of Health and Human Services (HHS) released its
HIPAA security risk assessment tool a few weeks ago, it’s still unclear
how healthcare organizations will use the tool as part of their HIPAA
Security Rule compliance strategy. Most organizations realize the tool
isn’t...
 