Hackin9
Dell reported a 72 percent drop in profit on Thursday, a month before an expected shareholder vote that could shape the future of the company.
 
Facebook plans to test a new service designed to streamline the check-out process for people shopping on their mobile devices. It could become a competitor to other e-commerce players like PayPal.
 
Intel, increasingly customizing server chips for customers, is now tuning chips for workloads in big data.
 
Cisco Systems may be "rebalancing" its business by eliminating 4,000 jobs, or about 5 percent of its workforce, but it'll keep its hands off its hot new security acquisition, Sourcefire.
 
IBM, Verizon and eight other companies will compete for US$10 billion worth of work to help move the U.S. Department of the Interior's IT systems to the cloud.
 
There's no such thing as a free email service, at least not when it comes to Google, according to industry analysts.
 
Microsoft today refused to clarify conflicting statements by its PR representatives about whether developers and enterprise customers will get the Windows 8.1 update weeks before the public, as is customary.
 
NASA's Kepler space telescope has come to the end of its mission to hunt for Earth-like planets in the galaxy.
 
The failure of a massive payroll project involving SAP software has California lawmakers, state officials and the vendor pointing fingers of blame at each other.
 
Engineers at Google have developed a way to display information to people in the lenses of their eyeglasses.
 
 
Ten years ago this week, the Blaster worm swept through Windows XP and Windows 2000 networks, bringing some government agencies to a halt and perhaps contributing to a power blackout in the Northeast U.S.
 
The market for x86 open-source PCs is now a two-horse race, with GizmoSphere releasing schematics and design documents for hobbyists to build from scratch a Windows 8 computer based on open design.
 
Druva chose to build the new private cloud edition of its inSync endpoint data protection using OpenStack because of its object storage functionality, but the increasingly popular cloud platform still needs to improve in some key areas, according to CEO Jaspreet Singh.
 
Windows 8 is workable with a normal display, but better with a touchscreen. If you don't want to spend much on a new laptop, try one of these low-cost systems.
 
LinuxSecurity.com: libimobiledevice could be made to overwrite files as the administrator, or access device keys.
 
CFP: WorldCIST'14 - World Conference on IST; Best papers published in JCR/ISI Journals
 
IT professionals won't get their hands on Windows 8.1 until October, getting the release at the same time as consumers rather than in advance as has previously been the practice.
 
IntraSrv Buffer Overflow Vulnerability
 
[security bulletin] HPSBMU02915 rev.1 - HP Service Manager, Remote Unauthenticated Access and Elevation of Privilege
 
This is a "guest diary" submitted by Tom Webb. We will gladly forward any responses, or please use our comment/forum section to comment publicly. Tom is currently enrolled in the SANS Masters Program.

When imaging a live system there are several factors to take into account; this post covers encrypted Linux systems. If you do not have the decryption password, imaging the logical (decrypted) volume rather than the raw disk is critical.
 
Two key commands on Linux systems are mount and fdisk. The mount command lists the filesystems currently mounted and available to the OS; these are the logical mounts on the system.
 
In mount output, the left side is the device (or pseudo-filesystem) being mounted and the right side is the mount point, i.e. the directory it is attached to.
 
# mount
/dev/mapper/tw--pc-root on / type ext4 (rw,errors=remount-ro,commit=0)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
/dev/sda1 on /boot type ext2 (rw)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,noexec,nosuid,nodev)
vmware-vmblock on /run/vmblock-fuse type fuse.vmware-vmblock (rw,nosuid,nodev,default_permissions,allow_other)
gvfs-fuse-daemon on /home/twebb/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=twebb)
 
In the example above, I'm running whole disk encryption using LUKS. You can tell because / is mounted from a /dev/mapper device rather than directly from a hard drive partition.
 
The /boot mount, by contrast, points directly at the disk partition /dev/sda1 and is not encrypted. This is a typical LUKS setup: the kernel lives on an unencrypted volume and all other volumes are encrypted.
 
Now that we know what is mounted, let's look at the available disks and see whether there are additional, unmounted disks that we need to capture.
 
# fdisk -l
 
Disk /dev/sda: 1000.2 GB, 1000204886016 bytes
255 heads, 63 sectors/track, 121601 cylinders, total 1953525168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000edb98
 
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048      499711      248832   83  Linux
/dev/sda2          501758  1953523711   976510977    5  Extended
/dev/sda5          501760  1953523711   976510976   83  Linux
 
Disk /dev/sdb: 1000.2 GB, 1000204886016 bytes
255 heads, 63 sectors/track, 121601 cylinders, total 1953525168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x08020000
 
Disk /dev/sdb doesn't contain a valid partition table
 
Disk /dev/mapper/sda5_crypt: 999.9 GB, 999946186752 bytes
255 heads, 63 sectors/track, 121569 cylinders, total 1953019896 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000
 
Disk /dev/mapper/sda5_crypt doesn't contain a valid partition table
 
Disk /dev/mapper/tw--pc-root: 975.4 GB, 975435726848 bytes
255 heads, 63 sectors/track, 118589 cylinders, total 1905147904 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000
 
Disk /dev/mapper/tw--pc-root doesn't contain a valid partition table
 
Disk /dev/mapper/tw--pc-swap_1: 24.5 GB, 24461180928 bytes
255 heads, 63 sectors/track, 2973 cylinders, total 47775744 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000
 
Disk /dev/mapper/tw--pc-swap_1 doesn't contain a valid partition table
 
In the above output we see that /dev/sda has three partitions (sda1, sda2, sda5). The /dev/mapper/sda5_crypt device is built on sda5, which tells us that partition is encrypted. We also have a /dev/sdb device that is not mounted and appears not to have a valid partition table; this is likely an encrypted drive that is not currently mounted.
 
What options do you have?
 
If you know the encryption password and the system is not using RAID, I would image the physical drives. Here the physical drives are /dev/sda and /dev/sdb.
 
#dcfldd if=/dev/sda of=/mount/usb/system-sda.dd conv=noerror,sync bs=512 hash=md5,sha256 hashwindow=10G md5log=sda.md5 sha256log=sda.sha256
 
#dcfldd if=/dev/sdb of=/mount/usb/system-sdb.dd conv=noerror,sync bs=512 hash=md5,sha256 hashwindow=10G md5log=sdb.md5 sha256log=sdb.sha256
 
If you do not know the password, image the logical volume of the first drive (in this case /, which is mapped to the device /dev/mapper/tw--pc-root) and the physical device of the second. Also grab memory from the system; it may be used to guess the password.
 
To test whether an image of the physical partition would be usable, try mounting it:
 
#mount -o ro,loop /dev/sda5 /tmp/mount/
mount: unknown filesystem type 'crypto_LUKS'
 
The error shows that the partition is LUKS encrypted.
 
Next, take a small sample of the logical volume and check that it looks correct:
 
#dd if=/dev/mapper/tw--pc-root of=/tmp/usb/test.dd count=10
 
Use the file command to see whether it recognizes the sample as a valid filesystem.
 
#file test.dd
test.dd: Linux rev 1.0 ext4 filesystem data, UUID=69cc19e5-5c81-4581-ac0b-9c8fac8f9d96 (needs journal recovery) (extents) (large files) (huge files)
 
Above, we can see that the file command recognized the sample as a valid ext4 filesystem.
 
Confirm that the sample is not still encrypted by running strings on it; readable text means the logical volume is giving us decrypted data.
 
#strings test.dd
 
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
 
All signs appear to indicate that the logical image will work as we intend.
 
Collecting Logical Drive
 
#dcfldd if=/dev/mapper/tw--pc-root of=/mount/usb/logical-sda.dd conv=noerror,sync bs=512 hash=md5,sha256 hashwindow=10G md5log=logical-sda.md5 sha256log=logical-sda.sha256
 
Once collected, you will need the following mount command (courtesy of Hal Pomeranz, http://goo.gl/gdXhQk) to access the image.
 
#mount -o loop,ro,noexec,noload logical-sda.dd /tmp/mount/
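The two checks the diary performs by eye, as an added POSIX shell example (not Tom's code): image_source reads mount output to tell a /dev/mapper logical view from a raw partition, and classify_image looks for the LUKS header magic or an ext superblock in a sampled image, the way the file command did above. The mount lines are the diary's own; the image files are constructed for testing, and the script name is assumed.

```shell
#!/bin/sh
# Added example, not part of Tom Webb's diary. Two checks from the procedure
# above, scripted: (1) which device backs a mount point and whether it is a
# device-mapper (decrypted/LVM) view, (2) whether a sampled image carries the
# LUKS header magic or an ext2/3/4 superblock, like the "file test.dd" step.

# Mount lines taken from the diary's own output, used as sample input.
SAMPLE_MOUNT='/dev/mapper/tw--pc-root on / type ext4 (rw,errors=remount-ro,commit=0)
proc on /proc type proc (rw,noexec,nosuid,nodev)
/dev/sda1 on /boot type ext2 (rw)'

# image_source MOUNTPOINT MOUNT_OUTPUT -> "logical DEV" | "physical DEV" | "skip DEV" | "none"
# A /dev/mapper path means the mount is a logical (decrypted or LVM) view:
# image that, because the underlying partition would only yield ciphertext.
image_source() {
    dev=$(printf '%s\n' "$2" | awk -v mp="$1" '$2 == "on" && $3 == mp { print $1; exit }')
    case "$dev" in
        "")            echo "none" ;;
        /dev/mapper/*) echo "logical $dev" ;;
        /dev/*)        echo "physical $dev" ;;
        *)             echo "skip $dev" ;;   # proc, sysfs, fuse daemons, ...
    esac
}

# hex_at FILE OFFSET COUNT -> the bytes at OFFSET as lowercase hex, no spaces
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# classify_image FILE -> luks | ext | unknown
# A LUKS header starts with "LUKS" 0xBA 0xBE; the ext superblock at byte 1024
# holds the little-endian magic 0xEF53 at offset 0x38, i.e. file offset 1080.
classify_image() {
    if [ "$(hex_at "$1" 0 6)" = "4c554b53babe" ]; then echo luks
    elif [ "$(hex_at "$1" 1080 2)" = "53ef" ]; then echo ext
    else echo unknown
    fi
}

# make_samples DIR: constructed test images (not real captures) for the checks above.
make_samples() {
    { printf 'LUKS\272\276'; dd if=/dev/zero bs=1024 count=4 2>/dev/null; } > "$1/luks.img"
    { dd if=/dev/zero bs=1080 count=1 2>/dev/null; printf '\123\357'
      dd if=/dev/zero bs=1024 count=3 2>/dev/null; } > "$1/ext.img"
}

# Usage: sh imgcheck.sh /path/to/test.dd   (prints luks, ext or unknown)
if [ $# -eq 1 ]; then classify_image "$1"; fi
```

Run classify_image against a sample taken the way the diary does (dd with a small count) before committing to a full logical capture; a result of luks means you sampled the raw partition, not the mapped volume.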
 
-----
Tom Webb
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Samsung has unveiled an Android flip-phone with dual-touchscreens in China, which will likely be positioned as a premium device.
 
IBM has signed an agreement to acquire security company Trusteer, and plans to set up a cybersecurity software lab in Israel.
 
Lenovo's sales of tablets and smartphones were higher than that of PCs in its fiscal first quarter, reflecting the company's efforts to reduce its dependence on the ailing PC business.
 
Microsoft will start selling its struggling Surface devices to business customers abroad via channel partners on Thursday.
 
The self-described nerds of President Obama's presidential campaign last year were back using big data analytics, this time to help Newark Mayor Cory Booker achieve a landslide primary win Tuesday in the New Jersey Democratic primary for a vacant U.S. Senate seat.
 
Nokia is hoping to boost the number of apps available for the Asha 501 to make it more competitive with low-cost Android smartphones with the release Thursday of the first version of a software development kit (SDK) for the phone.
 
Google is distributing patches for a cryptography flaw in Android that may affect hundreds of thousands of applications.
 
Microsoft's decision to sit on Windows 8.1 for two months after engineers wrap up work was driven by the year's biggest sales cycles, analysts said.
 
ANGLE Multiple Integer Overflow Vulnerabilities
 

Posted by InfoSec News on Aug 15

http://healthitsecurity.com/2013/08/14/five-healthcare-security-training-expert-tips/

By Patrick Ouellette
Health IT Security
August 14, 2013

The need for wholesale data security training changes in healthcare is
evident, irrespective of whether it’s educating non-IT clinical staff
members on HIPAA basics or further education for IT professionals. Most
healthcare pros will agree that the usual methods, such as annual training
classes,...
 

Posted by InfoSec News on Aug 15

http://www.csoonline.com/article/738100/researchers-explore-underground-market-of-twitter-spam-and-abuse

By Steve Ragan
Staff Writer
CSO Online
August 14, 2013

Researchers presented data from an ICSI (International Computer Science
Institute) driven project Wednesday at the 22nd USENIX Security Symposium
in Washington, D.C., that explores the underground market of spam and
abuse on Twitter.

Led by Vern Paxson of International Computer...
 

Posted by InfoSec News on Aug 15

http://www.v3.co.uk/v3-uk/news/2288778/android-securerandom-bitcoin-wallet-vulnerability-could-be-used-to-hack-more-than-300-000-apps

By Alastair Stevenson
V3.co.uk
14 Aug 2013

A flaw in Google Android's cryptographic protocols is leaving as many as
360,000 applications open to attack, Symantec claims.

The security firm announced the figure in a blog post, claiming that the
vulnerability, announced by Bitcoin earlier this week, may have...
 

Posted by InfoSec News on Aug 15

http://www.computerweekly.com/news/2240203559/Microsoft-delivers-early-warning-with-latest-Patch-Tuesday

By Cliff Saran
ComputerWeekly.com
14 August 2013

Microsoft is updating its Patch Tuesday releases to give customers and
security software firms advanced notice before hackers can exploit holes
in Windows code.

"Microsoft will be giving select companies like Trustwave a few extra days
of advance notification for the upcoming month of...
 

Posted by InfoSec News on Aug 15

http://www.cbronline.com/news/tech/software/malware/new-cyber-incident-response-scheme-from-gchq

By Claire Vanner
cbronline.com
13 August 2013

Cyber security attacks can now be responded to with industry expertise
thanks to CESG, the information security arm of GCHQ.

Cyber Incident Response schemes have been launched in association with the
Centre for the Protection of National Infrastructure, in collaboration
with the Council of Registered...
 