Information Security News
At SANS Hackfest Penetration Testing summit I had the pleasure of reminiscing with Jedi Master Ed Skoudis about assembly language on our old Commodore 64s. Then Ed made one of his typical profound statements. He said, "In the end, it is all peeks and pokes." On the Commodore 64 the PEEK command was used to read from memory. The POKE command was used to write a value to memory. Ultimately that is all we need to be able to control any process on any computer.
Doing a PEEK in live memory is easy with winpmem. I've already shown you how you can use Python and winpmem to read live memory. If you missed the article click here to take a peek. (Pun intended) Today I'm going to show you how to poke. Not a Facebook poke; a Commodore 64 poke. Which is, of course, much much cooler. You see, winpmem can also write to anywhere in memory that you choose.
Winpmem has two different device drivers. One is used for read-only access to memory. The read-only device driver is installed by default when you use the "-L" option. This is the device driver of choice for capturing forensic images. The other driver is used for read and write access to memory. To install the write driver you run "winpmem_write_1.4.exe" and specify both the "-L" and the "-W" options.
Winpmem will indicate that write mode is enabled and gives you a friendly warning by saying, "Hope you know what your doing." Well, ignorance has never stopped me. But it is wise to save whatever you are working on before experimenting with this. You are using a device driver (that is running in kernel memory) and you can write to anywhere you want to in memory. That includes KERNEL memory space. You can very easily render your machine unusable, blue screen your box or worse.
In yesterday's diary I showed you how you could read memory by calling two Python functions. Writing to memory also only requires two functions. First you call win32file.SetFilePointer() to set the address you want to update. Then you call win32file.WriteFile() to write data. To make the process even simpler I'll add a writemem() function to the memsearch.py script I wrote yesterday. I add the following lines to yesterday's script: (Email me if you want a copy of the script or grab a copy from yesterday's diary)
def writemem(fd, location, data):
    win32file.SetFilePointer(fd, location, 0)  # seek the device handle to the physical address
    win32file.WriteFile(fd, data)              # then write the raw bytes at that address
Then I start the script and a Python interactive shell by running "python -i memsearch.py". Then I can use the memsrch() function to search for interesting data to update. In this case I am searching for the string "Command Prompt - python" in hopes of updating the title bar of my command prompt. It finds the string at several addresses in memory. Then I can call writemem() and update the string. When you provide a string to write to memory, keep in mind that strings in memory may be in ASCII, UTF-16LE or UTF-16BE format. In this example I wrote "P0wned Shell" in UTF-16LE format to the memory address 40345926. But it didn't update my command prompt title bar. Darn. Windows has several memory locations that contain that string. So I use readmem() to check the memory address to see if it changed. I can see that it did! The memory address contains the updated string.
One of the other addresses that I didn't change must contain our command prompt's title bar. memsrch() returns a list of all the addresses that contain the search string. So I could do something like this to change all of the instances of that string between two given addresses.
for addr in memsrch(fd, "Command Prompt - python", 0x100000, 0x3fef0000, 1000):
    writemem(fd, addr, "p0wned shell".encode("utf-16le"))
But as I said, be careful. I've spent as much time rebooting my machine as I have actually writing code. A better approach is to import Volatility into your script so you can parse memory intelligently and update memory data structures rather than just guessing.
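As an added example (not code from the diary, from memsearch.py or from winpmem), the memsrch()/writemem() idea carried out over a memory image held in a bytearray so it runs without the driver: one search covers ASCII, UTF-16LE and UTF-16BE, a UTF-16 string that echoes one byte off in the other byte order is reported once, and the patch refuses to overrun the bytes of the string it replaces. The sample image, the function names and the 2-byte alignment of wide strings are all assumptions constructed for this example.

```python
# Added example, not code from the diary or from winpmem: encoding-aware search and
# bounded in-place patch over a memory image held in a bytearray.  The image is
# constructed to stand in for a raw physical-memory read; no driver is touched.
ENCODINGS = ("ascii", "utf-16le", "utf-16be")
TITLE = "Command Prompt - python"

def build_sample_image():
    """Constructed image: one NUL-terminated copy of TITLE per encoding, wide ones aligned."""
    img = bytearray(b"\xcc" * 0x40)
    for enc in ENCODINGS:
        img += TITLE.encode(enc) + b"\x00\x00" + b"\xcc" * 0x10
        img += b"\xcc" * (len(img) % 2)  # keep the next wide string 2-byte aligned
    return img

def memsrch_all(image, text, start=0, end=None):
    """Sorted [(offset, encoding)] for every copy of text in image[start:end].
    A NUL-terminated UTF-16BE string contains the UTF-16LE bytes of the same text one
    byte in (and vice versa); assuming 2-byte aligned wide strings, such odd echoes are dropped."""
    end = len(image) if end is None else end
    hits = []
    for enc in ENCODINGS:
        needle = text.encode(enc)
        pos = image.find(needle, start, end)
        while pos != -1:
            hits.append((pos, enc))
            pos = image.find(needle, pos + 1, end)
    wide = {h for h in hits if h[1] != "ascii"}
    def echo(o, e):
        other = "utf-16be" if e == "utf-16le" else "utf-16le"
        return e != "ascii" and o % 2 and ((o - 1, other) in wide or (o + 1, other) in wide)
    return sorted(h for h in hits if not echo(*h))

def patch_string(image, offset, old, new, enc):
    """Overwrite old at offset with new in the same encoding, NUL-padded to old's
    length so the bytes after the string are never touched.  Returns bytes written."""
    old_b, new_b = old.encode(enc), new.encode(enc)
    if image[offset:offset + len(old_b)] != old_b:
        raise ValueError("0x%x no longer holds the expected string" % offset)
    if len(new_b) > len(old_b):
        raise ValueError("replacement longer than the original; refusing to overrun")
    new_b = new_b.ljust(len(old_b), b"\x00")
    image[offset:offset + len(old_b)] = new_b
    return new_b

def patch_all(image, old, new, start=0, end=None):
    """Patch every copy of old in [start, end), each in the encoding it was found in."""
    hits = memsrch_all(image, old, start, end)
    for offset, enc in hits:
        patch_string(image, offset, old, new, enc)
    return hits
```

With a live winpmem handle, patch_string's slice assignment is the only line that would change, becoming the SetFilePointer/WriteFile pair from writemem().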
In their excellent paper titled Anti-Forensics resilient memory acquisition, Johannes Stuttgen and Michael Cohen discuss how making small changes to magic values in memory data structures can defeat tools like Volatility. If you have a chance give the paper a read. It is here.
If that sounds interesting to you and you want to know more about Python programming check out SEC573 Python for Penetration Testers. I am teaching it in Reston VA March 17th! Click HERE for more information.
Follow me on twitter? @MarkBaggett
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Researchers have identified new self-replicating malware that infects computers running the Apache Tomcat Web server with a backdoor that can be used to attack other machines.
Java.Tomdep, as the backdoor worm has been dubbed, is Java Servlet-based code that gives Apache Tomcat platforms malicious capabilities. It causes infected machines to maintain Internet relay chat (IRC) communications with attacker servers located in Taiwan and Luxembourg. The control servers send commands and receive progress reports to and from the infected machines. Affected platforms include Linux, Mac OS X, Solaris, and most supported versions of Windows.
In a blog post published Wednesday, Takashi Katsuki, a researcher at security firm Symantec, said Java.Tomdep appears to be designed to harness the huge amounts of bandwidth and computing power available to Web servers for use in denial-of-service attacks against other machines. Unlike Darkleech and other malware targeting Web servers, there's no indication that it's used to attack end users visiting websites. Katsuki explained:
Huge chunks of Internet traffic belonging to financial institutions, government agencies, and network service providers have repeatedly been diverted to distant locations under unexplained circumstances that are stoking suspicions the traffic may be surreptitiously monitored or modified before being passed along to its final destination.
Researchers from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been improperly redirected to routers at Belarusian or Icelandic service providers. The hacks, which exploit implicit trust placed in the border gateway protocol used to exchange data between large service providers, affected "major financial institutions, governments, and network service providers" in the US, South Korea, Germany, the Czech Republic, Lithuania, Libya, and Iran.
The ease of altering or deleting authorized BGP routes, or of creating new ones, has long been considered a potential Achilles' heel for the Internet. Indeed, in 2008, YouTube became unreachable for virtually all Internet users after a Pakistani ISP altered a route in a ham-fisted attempt to block the service in just that country. Later that year, researchers at the Defcon hacker conference showed how BGP routes could be manipulated to redirect huge swaths of Internet traffic. By diverting it to unauthorized routers under the control of hackers, they were then free to monitor or tamper with any data that was unencrypted before sending it on to its intended recipient with little sign of what had just taken place.
GitHub is experiencing an increase in user account hijackings that's being fueled by a rash of automated login attempts from as many as 40,000 unique Internet addresses.
The site for software development projects has already reset passwords for compromised accounts and banned frequently used weak passcodes, officials said in an advisory published Tuesday night. Out of an abundance of caution, site officials have also reset some accounts that were protected with stronger passwords. Accounts that were reset despite having stronger passwords showed login attempts from the same IP addresses involved in successful breaches of other GitHub accounts.
"While we aggressively rate-limit login attempts and passwords are stored properly, this incident has involved the use of nearly 40K unique IP addresses," Tuesday night's advisory stated. "These addresses were used to slowly brute force weak passwords or passwords used on multiple sites. We are working on additional rate-limiting measures to address this. In addition, you will no longer be able to login to GitHub.com with commonly used weak passwords."
A hack on niche online dating service Cupid Media earlier this year has exposed names, e-mail addresses, and—most notably—plaintext passwords for 42 million accounts, according to a published report.
The cache of personal information was found on the same servers that housed tens of millions of records stolen in separate hacks on sites including Adobe, PR Newswire, and the National White Collar Crime Center, KrebsonSecurity journalist Brian Krebs reported Tuesday night. An official with Southport, Australia-based Cupid Media told Krebs that user credentials appeared to be connected to "suspicious activity" that was detected in January. Officials believed they had notified all affected users, but they are in the process of double-checking that all affected accounts have had their passwords reset in light of Krebs' discovery.
The compromise of 42 million passwords makes the episode one of the bigger passcode breaches on record. Adding to the magnitude is the revelation the data was in plaintext, instead of a cryptographically hashed format that requires an investment of time, skill, and computing power to crack. As Krebs noted:
Posted by InfoSec News on Nov 20: http://www.businessinsider.com/navy-acoustic-hackers-could-halt-fleets-2013-11#ixzz2lAFZv7QO
Posted by InfoSec News on Nov 20: http://www.zdnet.com/au/hackers-could-control-brisbane-traffic-controls-report-7000023405/
Posted by InfoSec News on Nov 20: http://krebsonsecurity.com/2013/11/cupid-media-hack-exposed-42m-passwords/
Posted by InfoSec News on Nov 20: http://www.csoonline.com/article/743404/security-breaches-at-federal-agencies-fuel-speculation-on-break-in-tactics
Posted by InfoSec News on Nov 20: http://www.foxnews.com/tech/2013/11/19/healthcaregov-already-compromised-security-expert-says/