Monthly Archives: March 2013

Simon Bennetts, Drunken Security News – Episode 325 – March 28, 2013

Simon is a Mozilla Security Automation Engineer and ZAP Project Leader. He is also one of the founders of the OWASP Manchester chapter and the OWASP Data Exchange Format project. Simon is on to discuss OWASP's Zed Attack Proxy v2.0.0.

From the OWASP site: The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

The U.S. Electrical Grid More Vulnerable Than Ever

The U.S. electrical grid is more vulnerable today than it has ever been. Cyber attacks have the potential to disrupt large segments of the electrical grid, and top experts confirm that the U.S. is not prepared for this risk. Watch the 60 Minutes Video.

 

The post The U.S. Electrical Grid More Vulnerable Than Ever appeared first on Quick Start Survival.

Thousands of People Could Die if U.S. Power Grid is Attacked

Thousands of People Could Die if the U.S. Power Grid is Attacked.  “A terrorist attack on the U.S. power grid could be more destructive than superstorm Sandy, possibly costing hundreds of billions of dollars and leading to thousands of deaths, the National Academy of Sciences said.” Are You Prepared?  And if not, what are you doing about it?  See full article at businessweek.com

 

The post Thousands of People Could Die if U.S. Power Grid is Attacked appeared first on Quick Start Survival.

Drunken Security News – Episode 324 – March 21, 2013

Are you here to learn something about infosec? Well, you're in luck because this week you get even more. You even get Paul and Larry's beer trivia and find out who has the oldest trademark anywhere!

Can you guess the password on your first try? Of course you'd simply try the default password for the device, right? So would that be illegal to log in to that device and install software/malware? Of course it would be illegal, but it's still pretty neat that they were able to find approximately 1.2 million unprotected devices and turn about 420,000 of those into their botnet, which allowed them to scan the entire IPv4 address space in one hour. Also interestingly, this scan estimated that only about one-third of the IPv4 addresses are actually in use.

Along the same lines, Allison and Paul chatted about an article explaining how the botnet business is booming. One group is paying as much as $500 for 1,000 infections. Also discussed are the costs of a DDOS or 20,000 spam emails. Larry also pulls out $9 and some pocket lint wondering how many people he can spam with his resume.

Allison also brought up the Brian Krebs SWATing story and explains her own forays into this underground black-market subculture. Very interesting explanations of how easy it is to get enough personal information about someone in order to trick various businesses or services into helping the impersonator access their target's account.

NATO decided and published a report that they are justified in killing hackers. John offered his opinion on this that it makes sense. As war moves into new grounds and countries are using hackers to attack other countries, it makes sense that country is going to defend itself against this type of attacker.

Did you finally get your own 3D printer? Can you legally print out your own guns? Would that be legal? I would guess as long as you're the Vice-President and simply creating a double-barrel shotgun to scare people away, then it's all good. Maybe.

How's this for bottom-up economics? Larry tells us about a couple guys who owned a Subway sandwich shop and decided to get into the PIN pad business and eventually become a distributor to the parent Subway company. Except that these guys pre-installed remote admin access, and you can guess the rest.

Stick around 'til the end of the show for even more of Paul's beer trivia!

Interview with Jason Fossen – Episode 324 – March 21, 2013

Jason Fossen is a principal security consultant at Enclave Consulting LLC, a published author, and a frequent public speaker on Microsoft security issues. He is the sole author of the SANS Institute's week-long Securing Windows course (SEC505), maintains the Windows day of Security Essentials (SEC401.5), and has been involved in numerous other SANS projects since 1998.

Sanny CnC Backend Disabled

We recently encountered in the wild another sample related to the Sanny APT. For readers who are not familiar with the Sanny APT, please refer to our previous blog for the background. The sample was using the same lure text and CVE-2012-0158 vulnerability. However this time it was using a different board named "ecowas_1" as compared to "kbaksan_1" which was employed previously. The following are the CnC URLs to list stolen data entries extracted from the samples:

New    -->      hxxp://board.nboard.net/list.php?db=ecowas_1&p=1

Previous -->       hxxp://board.nboard.net/list.php?db=kbaksan_1&p=1

Based on the time stamps and other indicators, we believe that both samples were created and deployed at the same time. The attacker probably used different boards/DBs to divide victims to make sure that if one goes down he/she still can keep getting the stolen data from the remaining ones.

We have been in touch with Korea Information Security Agency (KISA) regarding the Sanny APT and with their help the CnC boards ecowas_1 and kbaksan_1 are shut down (not serving any content). The following screenshot shows the response if you access the ecowas_1 board.

[caption id="attachment_1432" align="alignnone" width="522"]sanny_v2_sshot

The text in the figure 1 roughly translates to “Error: Blackout”

We want to thank KISA for collaborating with FireEye on this important case. Both FireEye and KISA are monitoring this threat and will let you know if there is any new update.

Are we all RoboCops in the future?

7457645618_1c7dcd0523_oInternet together with small and inexpensive digital cameras have made us aware of the potential privacy concerns of sharing digital photos. The mobile phone cameras have escalated this development even further. Many people are today carrying a camera with ability to publish photos and videos on the net almost in real-time. Some people can handle that and act in a responsible way, some can’t. Defamatory pictures are constantly posted on the net, either by mistake or intentionally. But that’s not enough. Now it looks like the next revolution that will rock the privacy scene is around the corner, Google Glass.

Having a camera in your phone has lowered the threshold to take photos tremendously. It’s always with you and ready to snap. But you still have to take it out of the pocket and aim it at your object. The “victim” has a fair chance to notice that you are taking photos, especially if you are working at close distance.

Google Glass is a smartphone-like device that is integrated in a piece of headgear. You wear it all the time just like ordinary glasses. The screen is a transparent piece in your field of view that show output as an overlay layer on top of what’s in front of you. No keyboard, mouse or touchscreen. You control it by voice commands. Cool, but here comes the privacy concern. Two of the voice commands are “ok, glass, take a picture” and “ok, glass, record a video”. Yes, that’s right. It has a camera too.

Imagine a world where Google Glasses are as common as mobile phones today. You know that every time you talk to someone, you have a camera and microphone pointed at you. You have no way of knowing if it is recording or not. You have to take this into account when deciding what you say, or run the risk of having an embarrassing video on YouTube in minutes. A little bit like in the old movie RoboCop, where the metallic law enforcement officer was recording constantly and the material was good to use as evidence in court. Do we want a world like that? A world where we all are RoboCops?

We have a fairly clear and good legislation about the rules for taking photos. It is in most countries OK to take photos in public places, and people who show up there must accept to be photographed. Private places have more strict rules and there are also separate rules about publishing and commercial use of a photo. This is all fine and it applies to any device, also the Google Glass. The other side of the coin is peoples’ awareness of these laws, or actually lack thereof. In practice we have a law that very few care about, and a varying degree of common sense. People’s common sense do indeed prevent many problems, but not all. It may work fairly OK today, but will it be enough if the glasses become common?

I think that if Google Glass become a hit, then it will force us to rethink our relationship to photo privacy. Both as individuals and as a society. There will certainly be problems if 90% of the population have glasses and still walk around with only a rudimentary understanding about how the law restricts photography. Some would suffer because they broke the law unintentionally, and many would suffer because of the published content.

I hope that our final way to deal with the glasses isn’t the solution that 5 Point Cafe in Seattle came up with. They became the first to ban the Google Glass. It is just the same old primitive reaction that has followed so many new technologies. Needless to say, much fine technology would be unavailable if that was our only way to deal with new things.

But what will happen? That is no doubt an interesting question. My guess is that there will be a compromise. Camera users will gradually become more aware of what boundaries the law sets. Many people also need to redefine their privacy expectation, as we have to adopt to a world with more cameras. That might be a good thing if the fear of being recorded makes us more thoughtful and polite against others. It’s very bad if it makes it harder to mingle in a relaxed way. Many questions remain to be answered, but one thing is clear. Google Glass will definitively be a hot topic when discussing privacy.

Micke

PS. I have an app idea for the Glass. You remember the meteorite in Russia in February 2013? It was captured by numerous car cameras, as drivers in Russia commonly use constantly recording cameras as measure against fraudulent accusations. What if you had the same functionality on your head all the time? There would always be a video with the last hour of your life. Automatically on all the time and ready to get you out of tricky situations. Or to make sure you don’t miss any juicy moments…

Photo by zugaldia @ Flickr

 

Episode #166: Ping A Little Log For Me

We've been away for a while because, frankly, we ran out of material. In the meantime we tried to come up with some new ideas and there have had a few requests, but sadly they were all redundant, became scripts, or both. We've been looking long and hard for Fu that works in this format, and we've finally found it!

Nathan Sweaney wrote in with a great idea! It isn't a script, it isn't redundant, and it is quite useful. Three of the four of the criteria that makes a great episode (the fourth being beer fetching or beer opening). To top it off Nathan wrote the CMD.EXE portion himself. Thanks Nathan!

--Tim

Nathan Sweaney writes in:

Ping Network Monitor

Occasionally we have issues in the field where we think a customer's device is occasionally losing a connection, but we're not sure if, or when, or for how long. We need a log of when the connection is dropping so that we can compare to the customer's reports of issues. Sure there are fancy network monitoring tools that can help, but we're in a hurry with no budget.

In Linux this would be easy, but these are Windows boxen. So I hacked together the following one-liner for our techs to use in the field.

This command will ping an IP address once every second and when it doesn't get a response, it will log the time-stamp in a text file. Then we can compare those time-stamps to failure reports from the customer.

To use it, simply change the IP address 8.8.8.8 near the beginning to whatever IP we need to monitor. Then open a command prompt, CD into the directory you want the log file created, and run the command.

C:\> cmd.exe /v:on /c "FOR /L %i in (1,0,2) do @ping -n 1 8.8.8.8 |
find "Request timed out">NUL && (echo !date! !time! >> PingFail.txt) &
ping -n 2 127.0.0.1>NUL"

So let's dissect this. It's mostly just a combination of examples Ed has mentioned in the past.

First, we're using the "cmd.exe /v:on /c" command to allow for delayed environment variable expansion. Ed has explained in the past why that lets us do flexible variable parsing. This command wraps everything else.

The next layer of our onion is an infinite "FOR /L" loop that Ed mentioned WAY back. We're counting from 1 to 2 in steps of 0 so that our command will continue running until we manually stop it.

Inside of our FOR loop is where we really get to the meat. We've basically got 4 steps:

1) First we see @ping -n 1 8.8.8.8. The @ symbol says to hide the echo of the command to the screen. The switch (-n 1) says to only ping the IP once. And of course 8.8.8.8 is the address we want to ping.

2) Next we pipe the results of our ping into the FIND command and search for "Request timed out" to see if the ping failed. The last part of that >NUL says to dump the output from this command into NUL, because we don't really need to see it.

3) Now we get fancy. The && says to only run this command if the previous command succeeded. In other words, if our FIND command finds the text, which means our ping failed, then we run this command. And we've enclosed this command in parenthesis contain it as a single command. We need to use the "cmd.exe /v:on /c" command at the beginning to allow for delayed environment variable expansion; that way our time & date changes each iteration. So %date% and %time% becomes !date! and !time!.

And finally we're redirecting our output to a file called PingFail.txt. We use the >> operator append each new entry rather than overwrite with just >.

4) And finally we're on to the last step. As mentioned before, the & says to run the next command no matter what has already happened. This command simply pings localhost with (-n 2) which will give us a one-second delay. The first ping happens immediately, and the second ping happens after one second. This slows down our original ping back in step 1 which would otherwise fire off like a machine gun as fast as the FOR loop can go. Lastly, we're redirecting the output with >NUL because we don't care to see it.

WOW. I said it was convoluted. But it works, and it's rather simple to use.

Tim finds a letter in the mail slot:

Wow, it has been a while since we've dusted off the ol' kung fu for a blog post. I've missed it and I know Hal as too. In fact, he hasn't showered since our last episode. True story. This was his silent (but deadly) protest against our lack of ideas and usable suggestions. The Northwest can breathe a sigh of relief (in the now fresher air) now that we are back for this episode. I for one, missed the blog. Back to the Fu...

Nathan wrote in with his idea to log Ping failures. What a great idea for a quick and dirty network monitor. Thanks to CMD.EXE he's got a bit of funkyness to his command. Fortunately, we can be a little smoother with our approach.

PS C:\> for (;;) { Start-Sleep 2; ping -n 1 8.8.8.8 >$null; if(-not $?) { Get-Date -Format s | Tee-
Object mylog.txt -Append }}

2013-03-12T12:34:56

We start off with an infinite loop using the For loop but without any loop control structures. Without these structures there is nothing to limit the loop, and it will run forever...it will be UNSTOPPABLE! MWAAAAAHAHAHAHAHA! <cough> <cough> Sorry about that, it's been a while.

Inside our infinite loop we sleep for a few seconds. We could do it at the end, but for some reason I get inconsistent results when I do that. I have no idea why, and I've tried troubleshooting it for hours. That's OK, a pre-command nap never killed anyone.

After our brief nap, we do the ping. The results are sent into the garbage can that is the $NULL variable. Following this command we check the error state of the previous command by checking the value of $?. This variable is True if the previous command ran without error, if there was an error the the command is False. The If Statement is used to branch our logic based on this value. If it is False, the ping failed, and we need to log the error.

Inside our branch we get the current date with Get-Date (duh!) and change the format to the sortable format. We could use any format, but the OCD part of me likes this format. The formatted date is piped into the Tee-Object command which will append the date to a file as well as output to our console.

Notice we used the For loop here instead of a While loop. I did this to save single character. We can save a few more characters by using this command using aliases, shortened parameter names, and a little magic in our For loop.

PS C:\> for (;;sleep 2) {ping -n 1 8.8.8.8 >$null; if(-not $?) { date -f s | tee mylog.txt -a }}

I moved the Start-Sleep (alias sleep) cmdlet inside the For loop control. The For loops looks like this:

for ( variable initialization; condition; variable update ) {
Code to execute while the condition is true
}

The variable initialization is run once before our loop starts. The condition is checked every time through the loop to see if we should continue the loop. We have no variable we care to initialize, and we want the loop to run forever so we don't use a condition. The variable update piece is executed after each time through the loop, and this we can use. Instead of modifying a variable used in the loop, we take a lovely two second nap. This gives us our nice delay between each ping.

There you have the long awaited PowerShell version of this command. It is better than CMD.EXE, but there is no nice way to use the short-circuit operator && or || operators to make this command more efficient. Don't tell Hal, but I'm really jealous of the way his shell can be used to complete this task. I'm jealous of his terseness...and his full head of hair.

Hal washes clean

Let's be clear. The only thing that smells around here is the Windows shells. Have to use ping to put a sleep in your loop? Sleep that works at the start of the loop but not the end? What kind of Mickey Mouse operating system is that?

The Linux solution doesn't look a lot different from the Windows solutions:

while :; do ping -c 1 -W 1 8.8.8.8 >/dev/null || date; sleep 1; done

"while :; do ... done" is the most convenient way of doing an infinite loop in the shell. The ping command uses the "-c 1" option to only send a single ping and "-W 1" to only wait one second for the response. We send the ping output to /dev/null so that it doesn't clutter the output of our loop. Whenever the ping fails, it returns false and we end up running the date command on the right-hand side to output a timestamp. The last thing in the loop is a sleep for one second. And yes, Tim, it actually works at the end of the loop in my shell.

Well that was easy. Hmmm, I don't want to embarrass Nathan and Tim by making my part of the Episode too short. How about we make the output of the date command a little nicer:

while :; do ping -c 1 -W 1 8.8.8.8 >/dev/null || date '+%F %T'; sleep 1; done
"%F" is the "full" ANSI-style date format "2013-03-12" and "%T" is the time in 24-hour notation. So we get "2013-03-12 04:56:22" instead of the default "Tue Mar 12 04:56:22 EST 2013"

Oh, you want to save the output in a file as well as having it show up in your terminal window? No problemo:

while :; do ping -c 1 -W 1 8.8.8.8 >/dev/null || date; sleep 1; done | tee mylog.txt

Hooray for tee!

Well I can't tart this up any more to save Tim and Nathan's fragile egos. So I'm outta here to go find a shower.

Jonathan Ness, Michael Farnum – Episode 323 – March 7, 2013

Jonathan leads the Microsoft Security Response Center Engineering team in investigating externally-reported security vulnerabilities and ensuring they are addressed appropriately via Microsoft's monthly security update process. Jonathan also acts as one of the engineering technical leads for the Microsoft company-wide Software Security Incident Response Process. The most important aspect of his work is helping customers find ways to reduce attack surface and protect themselves. Outside Microsoft work, Jonathan participates as a member of a reserve military unit helping to protect DoD networks and has written three-part "Gray Hat Hacking" book series.

Michael Farnum has worked with computers since he got a Kaypro II and an Apple IIc during his middle school years. Michael served in the US Army, where he drove, loaded, and gunned on the mighty M1A1 Abrams main battle tank (which is where he got his "m1a1vet" handle). Michael has worked at Accuvant as a solutions manager and is the founder of HouSecCon, THE Houston Security Conference, which will hold its 4th annual event in October.

Joe McCray, Building a Security Lab, Drunken Security News – Episode 322 – February 28, 2013

Joe McCray is an Air Force Veteran and has been in IT security for over 10 years. His background includes both Network and Web Application penetration testing as well as incident response and forensics within the DoD and commercial sector.

Having a home lab is really key in our field. There always seems to be projects you want to work on that require a specific OS or software. You just need hardware at home, whether you are pen testing or doing security research. I grew tired of using laptops, and especially my own laptop. Having some low-cost servers will open up the possibilities.

Hear Mikko Unplugged – Don’t Miss our Live Lab Webinar!

mikko

UPDATE: You can now watch a recording of this event here.

Want to hear our cyber security rock star/guru Mikko Hypponen, live? Our upcoming free lab webinar is your chance! He’ll speak about the hot topics in the world of fighting malware. You’ll even have an opportunity to ask him your most burning questions.

Topics Mikko will cover:

  • Mobile Threat Report – Be the first to know what’s in our brand-new report, coming out the same day. Hear the latest on Android and Symbian, mobile banking Trojans and more – and get Mikko’s perspective.
  • Click Fraud Business – Advertising is big business. Click-fraud is complex and is an innovative crime. What does it involve and how did it get this way?
  • Fighting bots on your computers and your phone – Windows-based botnets are a major problem. What can we do to fight them? And how can we prevent our phones from becoming the next battleground?
  • Apple, FB hacks and its implications for the rest of the world – Facebook and Apple employees were compromised. How did it happen? What are the issues and who else may be affected? And what does it mean for the rest of us?

Hear it straight from the labs, live and unplugged – click here to sign up now.