Hackin9
Newly declassified documents released by the Obama Administration show that the National Security Agency collected phone and Internet data on tens of thousands of Americans.
 
Hewlett-Packard reassigned Enterprise Group chief Dave Donatelli on Wednesday as it reported an 8 percent decline in revenue for its fiscal third quarter, saying all of its major divisions except software brought in less money than a year earlier.
 
An Italian astronaut who nearly drowned during a July 16 spacewalk outside the International Space Station has used his blog to describe the terrifying ordeal.
 
HP LoadRunner CVE-2013-2368 Unspecified Denial of Service Vulnerability
 
FFmpeg Multiple Remote Security Vulnerabilities
 
Cacti CVE-2013-1434 Multiple SQL Injection Vulnerabilities
 
Cacti Multiple Command Injection Vulnerabilities
 
[SECURITY] [DSA 2739-1] cacti security update
 
Former Army Pfc. Bradley Manning may have been handed a 35-year prison sentence on Wednesday for leaking classified documents, but "his fight is not over" and he could be free much sooner, according to Manning attorney David Coombs.
 
Tumblr is working to resolve an issue causing seemingly random content to be posted to personal blogs.
 
Microsoft today stepped up the pace of its "Scroogled" attack ads, launching a new one just 12 days after the last.
 
Hewlett-Packard reassigned Enterprise Group chief Dave Donatelli on Wednesday as it reported an 8% decline in revenue for its fiscal third quarter, saying all of its major divisions except software brought in less money than a year earlier.
 
[security bulletin] HPSBGN02905 rev.2 - HP LoadRunner, HP Business Process Monitor, Remote Code Execution and Denial of Service (DoS)
 
Windows Embedded POSReady 2009: cruft, not craft
 
With 10,000 U.S. baby boomers turning 65 every day until 2030, the IT industry is among those that must plan how its workforce will be impacted when these employees eventually retire.
 
Facebook CEO Mark Zuckerberg's plan to connect five billion people to the Internet is feasible, analysts said today. But it could take 20 years to complete.
 
Tumblr is working to resolve an issue causing seemingly random content to be posted to people's blogs that they didn't put there themselves, with pornography showing up in some instances.
 
Cisco Security Advisory: Cisco Prime Central for Hosted Collaboration Solution Assurance Denial of Service Vulnerabilities
 
Microsoft Internet Explorer CVE-2013-3186 Remote Code Execution Vulnerability
 
Cisco Security Advisory: Cisco Unified Communications Manager IM and Presence Service Denial of Service Vulnerability
 
Graphite 'renderLocalView()' Function Remote Code Execution Vulnerability
 
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified Communications Manager
 
Netgear ProSafe switches: Unauthenticated startup-config disclosure and Denial of Service
 
[ MDVSA-2013:214 ] python
 

At SANSFIRE this year I had a fun presentation on Fibre Channel (FC) recon and attack (which I promise to post as soon as I get a chance to update it!).  In that talk we went through various methods of doing discovery and mapping of the fiber channel network, as well as some nifty attacks.

Today I'll add to that - we'll use WMI (Windows Management Instrumentation) and Powershell to enumerate the Fibre Channel ports.  Using this method, you can map a large part of your FC network from the ethernet side using Windows.

Microsoft has built Fiber Channel support into Powershell for quite some time now (I've used it on Server 2003) - you can review what's available by simply listing the file hbaapi.mof (found in %windir%\system32\wbem) - it makes for an interesting read.  Or you can browse to Microsoft's Dev Center page on HBA WMI Classes, (which as of today is located at http://msdn.microsoft.com/en-us/library/windows/hardware/ff557239%28v=vs.85%29.aspx ).  Today we'll be playing with the MSFC_FCAdapterHBAAttributes class.

You can list the attributes of all the HBAs (Host Bus Adapters) in your system with the Powershell command:

Get-WmiObject -class MSFC_FCAdapterHBAAttributes -computername localhost -namespace "root\WMI" | ForEach-Object { $_ }

This dumps the entire class to a form that's semi-readable by your average carbon-based IT unit, giving you output similar to:

 

PS C:\> Get-WmiObject -class MSFC_FCAdapterHBAAttributes  -computername localhost -namespace "root\WMI" | ForEach-Object { $_ }


__GENUS          : 2
__CLASS          : MSFC_FCAdapterHBAAttributes
__SUPERCLASS     :
__DYNASTY        : MSFC_FCAdapterHBAAttributes
__RELPATH        : MSFC_FCAdapterHBAAttributes.InstanceName="PCI\\VEN_1077&DEV_
                   5432&SUBSYS_013F1077&REV_02\\4&320db83&0&0020_0"
__PROPERTY_COUNT : 18
__DERIVATION     : {}
__SERVER         : WIN-QR5PCQK3K3S
__NAMESPACE      : root\WMI
__PATH           : \\WIN-QR5PCQK3K3S\root\WMI:MSFC_FCAdapterHBAAttributes.Insta
                   nceName="PCI\\VEN_1077&DEV_5432&SUBSYS_013F1077&REV_02\\4&32
                   0db83&0&0020_0"
Active           : True
DriverName       : ql2300.sys
DriverVersion    : 9.1.10.28
FirmwareVersion  : 5.07.02
HardwareVersion  :
HBAStatus        : 0
InstanceName     : PCI\VEN_1077&DEV_5432&SUBSYS_013F1077&REV_02\4&320db83&0&002
                   0_0
Manufacturer     : QLogic Corporation
MfgDomain        : com.qlogic
Model            : QLE220
ModelDescription : QLogic QLE220 Fibre Channel Adapter
NodeSymbolicName : QLE220 FW:v5.07.02 DVR:v9.1.10.28
NodeWWN          : {32, 0, 0, 27...}
NumberOfPorts    : 1
OptionROMVersion : 1.02
SerialNumber     : MXK72641JV
UniqueAdapterId  : 0
VendorSpecificID : 1412567159


We're mainly interested in:
What is the card?  (major vendor)
What is the full card description?
Is it active in the FC network?
And, most importantly, what is its WWN? - note that in the example above, the WWN is mangled to the point it's not really readable.

We can modify our one-liner command a bit to just give us this information:

# Query the HBA attributes class on the named computer (localhost here)
$nodewwns = Get-WmiObject -class MSFC_FCAdapterHBAAttributes -Namespace "root\wmi" -ComputerName "localhost"
Foreach ($node in $nodewwns) {
   # NodeWWN is returned as an array of bytes; print each byte as two hex digits, colon separated
   $NodeWWN = (($node.NodeWWN) | ForEach-Object {"{0:X2}" -f $_}) -join ":"
   $node.Model
   $node.ModelDescription
   $node.Active
   $nodeWWN
}

Which for a QLogic node will output something similar to:

QLE220
QLogic QLE220 Fibre Channel Adapter
True
20:00:00:1B:32:00:F6:78

Or on a system with an Emulex card, you might see something like:

LP9002
Emulex LightPulse LP9002 2 Gigabit PCI Fibre Channel Adapter
True
20:00:00:00:C9:86:DE:61

Note that in all cases I'm calling out the Computer Name, which is either a resolvable hostname or an IP address.  Using this approach it gets very simple to extend our little script to scan an entire subnet, a range of IPs or a Windows Domain (you can get the list of servers in a domain with the command NETDOM QUERY /D:MyDomainName SERVER )

Where would you use this approach, aside from a traditional penetration test that's targeting the storage network?  I recently used scripts like these in a connectivity audit, listing all WWPNs (World Wide Port Names) in a domain.  We then listed all the WWNNs on each Fibre Channel Switch, and matched them all up.  The business need behind this exercise was to verify that all Fiber Channel ports were connected, and that each server had its redundant ports connected to actual redundant switches - we were trying to catch disconnected cables, or servers that had redundant ports plugged into the same switch.

Microsoft has a nice paper on carrying this approach to the next step by enumerating the WWPN's at http://msdn.microsoft.com/en-us/library/windows/hardware/gg463522.aspx.

This approach is especially attractive if a datacenter has a mix of Emulex, Qlogic, Brocade and other HBAs, each which have their own CLI and GUI tools.  Using WMI will get you the basic information that you need in short order, without writing multiple different data collection utilities and figuring out from the driver list which one to call each time.

Depending on what you are auditing for, you might also want to look closer at firmware versions - maintaining firmware on Fibre Channel HBAs is an important "thing" - keep in mind that HBAs should be treated as embedded devices, many are manageable remotely by web apps that run on the card, and all are remotely manageable using vendor CLI tools and/or APIs.  I think there are enough security "trigger words" in that last sentence - the phrase "what could possibly go wrong with that?" comes to mind ....
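As an added example (not code from the diary), here is the one-liner above extended into the kind of inventory script the connectivity and firmware audits describe: it takes a list of host names, pulls the MSFC_FCAdapterHBAAttributes class over WMI from each, renders NodeWWN as colon-separated hex, and flags adapters that are inactive or below a firmware baseline, plus hosts that have fewer than two active FC ports and so cannot be redundantly cabled. The host names and the baseline table are placeholders; the function names are mine. Get-WmiObject is the Windows PowerShell cmdlet the diary uses and is absent from PowerShell 6 and later, where Get-CimInstance with the same class and namespace is the replacement.

```powershell
# Added example, not code from the diary: inventory Fibre Channel HBAs over
# WMI across several Windows hosts and flag audit findings. Uses the
# MSFC_FCAdapterHBAAttributes class the diary shows; host names and the
# firmware baseline table are placeholders you replace with your own.

function ConvertTo-WwnString {
    # NodeWWN comes back as an array of 8 bytes; render it as 20:00:00:1B:...
    param([byte[]]$Bytes)
    ($Bytes | ForEach-Object { '{0:X2}' -f $_ }) -join ':'
}

function Test-FirmwareBelowBaseline {
    # Firmware strings like 5.07.02 parse as [version]; anything else falls
    # back to an ordinal string comparison so the audit never throws.
    param([string]$Actual, [string]$Minimum)
    $a = $null; $m = $null
    if ([version]::TryParse($Actual, [ref]$a) -and [version]::TryParse($Minimum, [ref]$m)) {
        return $a -lt $m
    }
    return [string]::CompareOrdinal($Actual, $Minimum) -lt 0
}

function New-InventoryRow {
    # One output object per adapter (or per host when nothing could be read)
    param($Computer, $Hba, [string]$Finding)
    [pscustomobject]@{
        Computer = $Computer
        Model    = if ($Hba) { $Hba.Model } else { $null }
        NodeWWN  = if ($Hba) { ConvertTo-WwnString $Hba.NodeWWN } else { $null }
        Active   = if ($Hba) { $Hba.Active } else { $null }
        Ports    = if ($Hba) { $Hba.NumberOfPorts } else { 0 }
        Firmware = if ($Hba) { $Hba.FirmwareVersion } else { $null }
        Driver   = if ($Hba) { "$($Hba.DriverName) $($Hba.DriverVersion)" } else { $null }
        Finding  = $Finding
    }
}

function Get-FcHbaInventory {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Minimum firmware per model: placeholder values, not vendor advice
        [hashtable]$FirmwareBaseline = @{ 'QLE220' = '5.07.02' }
    )
    foreach ($computer in $ComputerName) {
        try {
            $adapters = @(Get-WmiObject -Class MSFC_FCAdapterHBAAttributes `
                -Namespace 'root\WMI' -ComputerName $computer -ErrorAction Stop)
        } catch {
            # Offline hosts or denied WMI access are reported, not silently dropped
            New-InventoryRow $computer $null "query failed: $($_.Exception.Message)"
            continue
        }
        if ($adapters.Count -eq 0) { New-InventoryRow $computer $null 'no FC HBA found'; continue }
        foreach ($hba in $adapters) {
            $finding = ''
            if (-not $hba.Active) {
                $finding = 'adapter inactive'
            } elseif ($FirmwareBaseline.ContainsKey($hba.Model) -and
                      (Test-FirmwareBelowBaseline $hba.FirmwareVersion $FirmwareBaseline[$hba.Model])) {
                $finding = "firmware below baseline $($FirmwareBaseline[$hba.Model])"
            }
            New-InventoryRow $computer $hba $finding
        }
    }
}

function Find-SinglePathHosts {
    # The connectivity audit wants redundant ports per server; a host with
    # fewer than two active FC ports cannot be redundant no matter how it is cabled.
    param([Parameter(Mandatory)][object[]]$Inventory)
    $Inventory | Group-Object Computer | ForEach-Object {
        $activePorts = ($_.Group | Where-Object Active | Measure-Object -Property Ports -Sum).Sum
        if (-not $activePorts) { $activePorts = 0 }
        if ($activePorts -lt 2) {
            [pscustomobject]@{ Computer = $_.Name; ActivePorts = $activePorts }
        }
    }
}

# Placeholder host list; the diary suggests NETDOM QUERY /D:<domain> SERVER or a
# subnet sweep as the source of names (e.g. Get-Content .\servers.txt).
$serverNames = 'fcserver01', 'fcserver02'
$inventory = Get-FcHbaInventory -ComputerName $serverNames
$inventory | Format-Table -AutoSize
Find-SinglePathHosts -Inventory $inventory | Format-Table -AutoSize
```

Hosts whose WMI query failed show up with zero active ports in the single-path list, which is deliberate: an unreachable host cannot be confirmed redundant and needs follow-up rather than being quietly excluded. Cross-checking the resulting WWN list against the switch side, as the diary describes, is still a separate step.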

 

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
Apple will unveil a pair of iPhones next month, including a lower-priced smartphone with a plastic case in five color choices, according to reports from a Taiwanese news outlet.
 
phpVID CVE-2013-5312 Multiple Cross Site Scripting Vulnerabilities
 

 

This is a "guest diary" submitted by Sally Vandeven. We will gladly forward any responses or please use our comment/forum section to comment publicly. Sally is currently enrolled in the SANS Masters Program.

I got to wondering one day how difficult it would be to find the crypto keys used by my browser and a web server for TLS sessions.  I figured it would involve a memory dump, volatility, trial and error and maybe a little bit of luck.  So I started looking around and like so many things in life... all you have to do is ask.  Really.  Just ask your browser to give you the secrets and it will!  As icing on the cake, Wireshark will read in those secrets and decrypt the data for you.   Here's a quick rundown of the steps:

Set up an environment variable called SSLKEYLOGFILE that points to a writable flat text file.  Both Firefox and Chrome (relatively current versions) will look for the variable when they start up.  If it exists, the browser will write the values used to generate TLS session keys out to that file.  

The file contents look like this:

SSL Key File

 

64 byte Client Random Values
96 byte Master Secret
16 byte encrypted pre-master secret
96 bytes pre-master secret

The Client_Random entry is for Diffie-Hellman negotiated sessions and the RSA entry is for sessions using RSA or DSA key exchange.  If you have the captured TLS encrypted network traffic, these provide the missing pieces needed for decryption.  Wireshark can take care of that for you.  Again, all you have to do is ask.

Wireshark SSL Session

 

This is an encrypted TLS session, before giving Wireshark the secrets.

Point Wireshark at your file $SSLKEYLOGFILE.  Select Edit -> Preferences -> Protocols -> SSL  and then OK.

Wireshark SSL Configuration

 

To see the decrypted data, use the display filter "ssl && http".  To look at a particular TCP session, right click on any of the entries and choose to "Follow SSL Stream".  This really means "Follow Decrypted SSL Stream".   Notice the new tab at the bottom labeled "Decrypted SSL data".  Incidentally, if you "Follow TCP Stream" you get the encrypted TCP stream.

wireshark decrypted session

 

Wireshark’s awesome decryption feature.

Below is a sample of a decrypted SSL Stream.  It contains a login attempt with username and password, some cookies and other goodies that web servers and browsers commonly exchange.  

Reassembled SSL Session

 

Remember: if you have a file with keys in it and the captured data on your system then anyone that can get their hands on these can decrypt too.  Hey, if you are a pen-tester you might be on the lookout for an $SSLKEYLOGFILE variable on your targets.  Interesting.

Give it a try but, as always, get written permission from yourself before you begin. Thanks for reading.
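As an added example (not part of the guest diary), the following PowerShell looks at the same setting from the defender's side of the warning above: it reports whether SSLKEYLOGFILE is set at process, user or machine scope on a Windows host and whether the file it points to exists, and it parses key log lines in the format Wireshark reads so you can see how many sessions a file left on disk would let a reader decrypt. The sample lines in the script are constructed, not captured from a real browser; the function names are mine.

```powershell
# Added example, not code from the diary: audit a host for the SSLKEYLOGFILE
# setting and summarise the contents of a key log file in the format Wireshark
# reads. The sample key log lines below are constructed, not real secrets.

function Get-SslKeyLogSetting {
    # The browser honours the variable in its own process, but it is usually
    # set persistently at User or Machine scope, so report every scope.
    foreach ($scope in 'Process', 'User', 'Machine') {
        $value = [Environment]::GetEnvironmentVariable('SSLKEYLOGFILE', $scope)
        if ($value) {
            [pscustomobject]@{
                Scope      = $scope
                Path       = $value
                FileExists = Test-Path -LiteralPath $value -PathType Leaf
            }
        }
    }
}

function Read-SslKeyLog {
    # Parses the NSS key log format, one session per line, hex encoded:
    #   CLIENT_RANDOM <32-byte client random> <48-byte master secret>
    #   RSA <first 8 bytes of the encrypted pre-master> <48-byte pre-master secret>
    # Each line that parses is one session that the file's holder can decrypt.
    param([Parameter(Mandatory)][string[]]$Lines)
    $patterns = @{
        'CLIENT_RANDOM' = '^CLIENT_RANDOM\s+([0-9A-Fa-f]{64})\s+([0-9A-Fa-f]{96})\s*$'
        'RSA'           = '^RSA\s+([0-9A-Fa-f]{16})\s+([0-9A-Fa-f]{96})\s*$'
    }
    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        if ($line -match '^\s*(#|$)') { continue }   # comment or blank line
        $kind = ($line -split '\s+', 2)[0]
        if ($patterns.ContainsKey($kind) -and $line -match $patterns[$kind]) {
            [pscustomobject]@{ Line = $lineNo; Kind = $kind; Label = $Matches[1]
                               SecretHexChars = $Matches[2].Length; Valid = $true }
        } else {
            # Unknown label or wrong field length: Wireshark would not use this line
            [pscustomobject]@{ Line = $lineNo; Kind = $kind; Label = $null
                               SecretHexChars = 0; Valid = $false }
        }
    }
}

# Constructed sample lines (repeating byte patterns, not session secrets)
$sample = @(
    '# generated by a browser started with SSLKEYLOGFILE set',
    "CLIENT_RANDOM $('a1' * 32) $('b2' * 48)",
    "RSA $('c3' * 8) $('d4' * 48)",
    'CLIENT_RANDOM deadbeef tooshort'
)

$entries = Read-SslKeyLog -Lines $sample
$entries | Format-Table -AutoSize
$good = @($entries | Where-Object Valid).Count
$bad  = @($entries | Where-Object { -not $_.Valid }).Count
"{0} decryptable session(s), {1} malformed line(s)" -f $good, $bad

# Live check of this host: nothing is printed when the variable is unset anywhere
Get-SslKeyLogSetting | Format-Table -AutoSize
```

To inspect a real file rather than the constructed sample, pass its lines in with Read-SslKeyLog -Lines (Get-Content -LiteralPath $env:SSLKEYLOGFILE). A non-empty result from Get-SslKeyLogSetting on a machine that is not an analyst's workstation is worth treating as a finding in its own right: every browser session made while the variable is set is recoverable by anyone who obtains the file and a capture.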

 

This exploration turned into a full blown paper that you can find here:
http://www.sans.org/reading-room/whitepapers/authentication/ssl-tls-whats-hood-34297

 

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
After spending the past two years beefing up its cloud storage and file sharing app for use in large enterprises, Box has turned its attention back to small and medium-size businesses with a new subscription plan.
 
RETIRED: TYPO3 Store Locator Extension Multiple Unspecified Security Vulnerabilities
 
RETIRED: Google Chrome Prior to 29.0.1547.57 Multiple Security Vulnerabilities
 
CVE-2013-4124 samba nttrans dos private exploit
 
With VMworld on the horizon, VMware has been touting its cloud strategy. That 'strategy,' though, seems to involve dissing Microsoft and Amazon, marginalizing CSP partners and clinging to the idea that the cloud is solely the domain of IT departments. If VMware keeps this up, it can expect a stormy future in the cloud, CIO.com columnist Bernard Golden says.
 
LinuxSecurity.com: Multiple vulnerabilities have been found in Putty, allowing attackers to compromise user system
 
LinuxSecurity.com: Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
RETIRED: Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2013-63 through -75 Multiple Vulnerabilities
 
Cross-Site Scripting (XSS) in BackWPup WordPress Plugin
 
Cross-Site Scripting (XSS) in Twilight CMS
 
Path Traversal in DeWeS Web Server (Twilight CMS)
 
A military court judge has sentenced U.S. Army Pfc. Bradley Manning to 35 years in prison on Wednesday on charges related to his leaking a large store of classified documents to Wikileaks, according to a number of published and broadcast reports.
 
Microsoft has launched an ad-free, no cost version of its Bing search engine that can be used in public and private schools across the U.S.
 
A portion of the North American user base of 'League of Legends' (LoL) had its account information compromised by hackers, according to Riot Games, the company developing the popular online multiplayer game. Passwords and credit card numbers stored in encrypted form were accessed, as well as other details.
 
TYPO3 Faceted Search Extension CVE-2013-5307 Unspecified Cross Site Scripting Vulnerability
 
Symfony CVE-2013-4751 Multiple Security Bypass Vulnerabilities
 

CounterTack Introduces Sentinel to Help Korea Defend Against Cyber Attacks
Marketwire (press release)
CounterTack.com), the only endpoint security organization delivering real-time, cyber threat detection and forensics to the enterprise, today announced a worldwide partnership agreement with SK Infosec, a multi-million dollar South Korean information ...

 
Google Chrome CVE-2013-2900 Unspecified Security Vulnerability
 
Google shipped Chrome 29, patching 25 vulnerabilities and rolling out under-the-hood changes the company said would offer more relevant suggestions when users typed in URLs or search strings.
 
LG Display has developed a 5.5-inch screen for next generation smartphones with 2560 x 1440 pixel resolution, the highest to date, according to the company.
 
Chinese police have detained two Internet users for allegedly starting online rumors that tried to defame government groups and a cultural icon in the nation.
 
Vine, the video service introduced by Twitter in January, now has 40 million registered users, it said Tuesday.
 
Google needs help. More specifically, the Internet giant is looking for people who are experts on basically anything to lead some of the first sessions for its soon-to-launch Helpouts video calling program.
 
Voyager 2, one of two NASA spacecraft to travel farthest from Earth, marked 36 years in space Tuesday.
 
NASA is warning that a coronal mass ejection may reach Earth this week, possibly affecting satellites and electronic systems on the ground.
 
Facebook CEO Mark Zuckerberg is launching a global initiative to try to speed the delivery of Internet access to the two-thirds of the world that are not yet connected.
 
Symfony CVE-2013-4752 HTTP Header Spoofing Security Bypass Vulnerability
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-1712 Local Privilege Escalation Vulnerability
 
Sixnet Universal Protocol Undocumented Function Codes Remote Security Bypass Vulnerability
 
Over the past 15 years, Apple has worked, and at times struggled, to figure out the best way to integrate its products into enterprise environments. Columnist Ryan Faas takes a look at that complex relationship.
 
OpenStack Keystone CVE-2013-2013 Password Information Disclosure Vulnerability
 

Forget hackers - storms and snafus are bigger threat, say infosec bods
Register
Cyber attacks caused fewer problems to communications networks than unrelated system failures and natural disasters, a study by an EU security agency has found. The European Union Agency for Network and Information Security (ENISA) reports that the ...

 

Posted by InfoSec News on Aug 21

http://arstechnica.com/tech-policy/2013/08/groklaw-shuts-down-rather-than-risk-feds-snooping-through-e-mail/

By Jon Brodkin
Ars Technica
Aug 20 2013

Groklaw, the 11-year-old website devoted to covering legal disputes
related to open source software, has announced it will shut down rather
than risk the government reading its e-mail.

Groklaw founder Pamela Jones (commonly known as "PJ") wrote today that she
is not confident the...
 

Posted by InfoSec News on Aug 21

http://www.theregister.co.uk/2013/08/21/intel_bakes_supersnooper_to_stop_industrial_espionage/

By Simon Sharwood
The Register
21st August 2013

Intel has created a Hadoop-based rig that analyses just about every
network event in the company – four to six billion of them on business
days - in close to real time so it can spot threats including industrial
espionage.

Intel officials declined to name the tool, saying it would not be...
 

Posted by InfoSec News on Aug 21

http://www.informationweek.com/healthcare/mobile-wireless/fda-issues-guidelines-on-wireless-medica/240160104

By Ken Terry
InformationWeek.com
August 19, 2013

The Food and Drug Administration (FDA) has released final guidelines on the
design, testing and use of radio-frequency (RF) wireless medical devices.
Although it doesn't promulgate legally enforceable responsibilities, the
document is intended to guide both device manufacturers and...
 