Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

In an intriguing follow-up to Tuesday's report that Russian hackers gained access to Democratic National Committee servers, an anonymous blogger has claimed he alone was responsible for the breach and backed up the claim by publishing what purport to be authentic DNC documents taken during the online heist.

In a blog post published Wednesday, someone with the handle Guccifer 2.0 published hundreds of pages of documents that the author claimed were taken during a lone-wolf hack of the DNC servers. One 231-page document purports to be opposition research into Donald Trump, the presumptive Republican nominee. Other files purport to be spreadsheets that included the names and dollar amounts of large DNC donors. Yet another document purportedly came from the computer of presumptive Democratic nominee Hillary Clinton while she was secretary of state.

"Worldwide known cyber security company CrowdStrike announced that the Democratic National Committee (DNC) servers had been hacked by 'sophisticated hacker groups,'" Wednesday's blog post stated. "I'm very pleased the company appreciated my skills so highly))) But in fact, it was easy, very easy."


 


Underscoring the flourishing world of for-profit hacking, researchers have uncovered a thriving marketplace that sells access to more than 70,000 previously compromised servers, in some cases for as little as $6 apiece.

As of last month, the xDedic trading platform catalogued 70,624 servers, many belonging to government agencies or corporations from 173 countries, according to a report published Wednesday by researchers from antivirus provider Kaspersky Lab. That number was up from 55,000 servers in March, a sign that the marketplace operators carefully maintain and update the listed inventory.

"From government networks to corporations, from Web servers to databases, xDedic provides a marketplace for buyers to find anything," Kaspersky researchers wrote in a separate blog post. "And the best thing about it—it's cheap! Purchasing access to a server located in a European Union country government network can cost as little as $6." The post continued:


 
[MWR-2016-0002] DDN Default SSH Keys
 
[MWR-2016-0001] DDN Insecure Update Mechanism
 
Microsoft Visio multiple DLL side loading vulnerabilities
 
Cisco Security Advisory: Cisco RV110W, RV130W, and RV215W Routers Arbitrary Code Execution Vulnerability
 

If you've noticed a slow-down in diaries over the past few days, check out this picture on Twitter (https://twitter.com/tbeazer/status/742509914900271104) from our State of the Internet Panel. That is quite a few of us at SANSFIRE 2016 #SANSFIRE. It is the once-a-year pilgrimage that some of us take to gather together and take some training. Before going to Warp17, it felt important to note that even handlers need training.

So, Lorna? Challenge thrown down, challenge accepted. (Look for a review of SANSFIRE from the handlers over the next couple of months.)


Now, onto a tool a colleague and friend sent over. The website can be found @ http://warp17.net/ and the codebase @ https://github.com/Juniper/warp17. The first question I asked was why Warp17, what's the cool GEEK reference? Well, this handler was expecting some cool Star Trek reference and was met with "Who's A Rapid Packet generator?" [1] Ahhh, Warp17, 'cause it goes REALLY FAST. *where's the coffee?*

The authors state that, with the right hardware, Warp17 can push nearly 40 Gigs out of an x64 platform. Not only that, it can send out HTTP packets. See the docs regarding their layer 7 aspirations; according to the documentation, "WARP17 currently supports RAW TCP and HTTP 1.1 application traffic. Even though we are currently working on adding support for more application implementations, external contributions are welcome." [2]

Fig 1. Basic Logical Setup

The first thing I noticed is that running this as a virtual machine (VM) on a lab laptop will require some cores. This application is CORE hungry and likely designed to be run on hardware or virtual machines with some serious cores available to it. My VM was given 4GB RAM and 4 cores. I set aside the first two cores for CLI and management and the second two for packet generation. Now, it is highly unlikely *sarcasm* that we will get 40Gb of packets out of two cores from the laptop i7 it is running on, but here we go.

Fig 2. CPU Cores on Laptop i7

The documentation is pretty straightforward, but some math will be involved. The first step in the example was doing some bitwise math to determine core usage. According to the README, figure 3 is the table for the command. After review, it looks like my

Figure 3. Bitmask Table from README

After looking at a blank memory channel output when building my own VM, some discussion with the author ensued: getting memory channels from a VM and from some hardware can give different results. The Warp17 team has built a Star Ship *poor attempt at humor* for us [4] [5]. This began the (not-so-)fun adventure of downloading a 1G VM on the #SANSFIRE hotel link.

Further dialog concluded that the -n option (memory channels) can be left out on virtual machines safely, as memory is dynamically allocated. The -m option tells the hypervisor how much RAM is requested, and my start command seems to be:

-c 0xF -m 2048

Now before you go off on an adventure to build your own VM, please take a look at the Warp17 Virtual Machine README https://github.com/Juniper/warp17/blob/dev/common/ovf/README.md and decide carefully if you want to download theirs. The authors have already patched DPDK for you and done some testing. At the time of this writing, the author disclosed that 1.1 is in the works and should be released some time after this diary in the next day or two, and he's not in marketing, so it will likely be the next day or two *sarcasm filled humor*.

Following the README, check dpdk in order to find the status of the vNICs (see figure 4). The VM README [6] covers this; in short, we need to bind interfaces to dpdk. So far it seems that my first vNIC is active, but at first glance there are some issues. vNIC0 is for management and CLI; vNIC1 and 2 seem to be inactive. When bringing up your interfaces for use with Warp17, don't add an L3 IP like some people did *cough* me *cough* (RTFM, the Warp17 authors cover a lot of this). For a full run-through on getting dpdk to attach to a NIC, refer to this README section (https://github.com/Juniper/warp17/blob/master/README.md#configure-dpdk-ports) [7].

For those that want to jump straight to QEMU: read the VM README fully, there are instructions on how to take flight on QEMU quickly [6]. When dpdk is set correctly and you sprinkle magic pixie dust on your VM (*kidding* It's pretty straightforward if you RTFM):

Warp Speed Mr. Sulu!

sudo ./warp17/build/warp17 -c f -m 2024 -- \
--tcb-pool-sz 1 \
--cmd-file /home/user/warp17/examples/

Make sure to pay attention to -m and set your hugepage reservation to the memory you have allocated to Warp17; it seems the Warp engines in this ship are VERY hungry. Also, pay attention to --tcb-pool-sz: notice in the manual the default was 10, and the developers had a monster hardware platform to work with. My little Fusion VM on my MacBook Pro would probably cry and tap out very fast with a 10, so we set this argument to 1.
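A small pre-flight script for the launch line above, added here as an example and not part of the diary or the Warp17 project: it builds the -c core bitmask from the core ids you set aside for Warp17 and checks that the kernel's hugepage reservation covers the -m value before the command is run. It assumes only what the diary describes (-c is a DPDK core bitmask, -m is hugepage memory in MB) and uses a constructed /proc/meminfo excerpt in place of the real file.

```shell
#!/bin/sh
# Added example, not from the Warp17 project or the diary: pre-flight checks
# for the warp17 launch line. Assumes -c takes a DPDK core bitmask and -m the
# hugepage memory (MB) handed to the EAL, as the diary describes.

# coremask: turn a list of core ids into the hex bitmask that -c expects.
# The diary's 4-core VM uses cores 0-3, so `coremask 0 1 2 3` gives 0xf and
# `coremask 2 3` (the packet-generation pair only) gives 0xc.
coremask() {
    mask=0
    for core in "$@"; do
        mask=$(( mask | (1 << core) ))
    done
    printf '0x%x\n' "$mask"
}

# hugepage_mb: read /proc/meminfo text on stdin and report how many MB of
# hugepages the kernel has reserved (HugePages_Total * Hugepagesize).
hugepage_mb() {
    awk '/^HugePages_Total:/ { total = $2 }
         /^Hugepagesize:/    { size_kb = $2 }
         END { printf "%d\n", total * size_kb / 1024 }'
}

# check_mem: succeed only if the reserved hugepages cover the -m value in MB.
check_mem() {   # $1 = MB requested with -m; /proc/meminfo text on stdin
    have=$(hugepage_mb)
    [ "$have" -ge "$1" ]
}

# Constructed /proc/meminfo excerpt standing in for the diary's 4GB VM:
# 1024 hugepages of 2MB each = 2048MB reserved.
SAMPLE_MEMINFO='MemTotal:        4040000 kB
HugePages_Total:    1024
HugePages_Free:     1024
Hugepagesize:       2048 kB'

# preflight: print the launch line only when the memory check passes.
preflight() {   # $1 = MB for -m, remaining args = core ids; meminfo on stdin
    mem=$1; shift
    check_mem "$mem" || return 1
    echo "sudo ./warp17/build/warp17 -c $(coremask "$@") -m $mem -- --tcb-pool-sz 1"
}
```

On a real VM, pipe `cat /proc/meminfo` into `preflight` instead of the constructed sample.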

Moving on to examples: for those of us that just want to fire it up and set phasers to blast out packets, the authors have CFG examples in *musical tone* da da DA the examples directory. Note: found in the Warp17 directory (wherever you put it) under ./examples.

Bottom line, this application is worth a look as a low-cost (code is free), open source, BSD-licensed star ship designed to generate a ton of packets. The authors are active and ready to collaborate.

Find them on social media @

Twitter: @warp1_7

Facebook: https://www.facebook.com/warp17stg

Google: https://groups.google.com/forum/#!forum/warp17

GitHub: https://github.com/Juniper/warp17


References

[1] http://warp17.net

[2] https://github.com/Juniper/warp17

[3] https://github.com/Juniper/warp17/blob/master/README.md#performance-benchmarks

[4] https://github.com/Juniper/warp17/tree/dev/common/ovf

[5] http://warp17.net/downloads/

[6] https://github.com/Juniper/warp17/blob/dev/common/ovf/README.md

[7] https://github.com/Juniper/warp17/blob/master/README.md#configure-dpdk-ports

 

Bridging the Insurance/InfoSec Gap: Results of the SANS Cyber Insurance Survey Released
PR Newswire (press release)
The communications gap is so wide that only 30% of underwriters and 38% of InfoSec respondents believe they even speak the same language, according to the results of the SANS Cyber Insurance Survey, conducted in conjunction with Advisen, Ltd. and ...

 
BookingWizz < 5.5 Multiple Vulnerability
 

Gartner Predicts Top Ten InfoSec Technologies
Infosecurity Magazine
Analyst group Gartner has identified the top ten technologies it believes are shaping the information security industry in 2016, and what impact they will have on the companies operating within it. Presented by Gartner analysts at its Security & Risk ...

 

InfoSec 2016: Mikko Hypponen says SWIFT heists 'never seen before'
SC Magazine UK
The SWIFT attacks represent a series of unprecedented developments in cyber-criminality according to Mikko Hypponen, chief research officer at F-Secure. He made the comments at last week's Infosec conference, Europe's largest cyber-security trade show, ...

 
[CVE-2014-1520] NOT FIXED: privilege escalation via Mozilla's executable installers
 
FortiManager & FortiAnalyzer - (filename) Persistent Web Vulnerability
 
NEW VMSA-2016-0009 VMware vCenter Server updates address an important reflective cross-site scripting issue
 
Joomla com_enmasse - SQL Injection
 