Hackin9

Posted by InfoSec News on Mar 05

http://krebsonsecurity.com/2015/03/credit-card-breach-at-mandarian-oriental/

By Brian Krebs
Krebs on Security
March 4, 2015

In response to questions from KrebsOnSecurity, upscale hotel chain
Mandarin Oriental Hotel Group today confirmed that its hotels have been
affected by a credit card breach.

Reached for comment about reports from financial industry sources about a
pattern of fraudulent charges on customer cards that had all recently...
 

Posted by InfoSec News on Mar 05

http://www.wsj.com/articles/is-the-prefix-cyber-overused-1425427767

By DANNY YADRON and JENNIFER VALENTINO-DEVRIES
The Wall Street Journal
March 4, 2015

These days, CyberPatriots go to CyberCamps. Washington wonks ponder a
Cyber Red Cross. Last week, the Director of National Intelligence told
Congress a “cyber Armageddon” is unlikely. This week, CBS Corp. will
premiere the latest iteration of its long-running cops and crime
franchise,...
 

Posted by InfoSec News on Mar 05

http://www.rawstory.com/rs/2015/03/tesla-worried-customers-will-get-hurt-hacking-the-model-s/

By Thomas Halleck
Posted with permission from International Business Times
March 4, 2015

Tesla Motors Inc. warned investors that its stock could be negatively
affected by customers hacking its Model S and other cars and injuring
themselves in the process. The company also said that safety issues with
the lithium ion batteries used to power its...
 

Posted by InfoSec News on Mar 05

http://www.nj.com/entertainment/tv/index.ssf/2015/03/csi_cyber_review_patricia_arquette_cbs.html

By Vicki Hyman
NJ Advance Media for NJ.com
March 04, 2015

Thank goodness Patricia Arquette just won an Oscar, because otherwise I'd
really have nothing to say about "CSI: Cyber."

The newest "CSI" franchise, which debuts on CBS tonight at 10 p.m., is
about the FBI's cyber crime division, comes with all the...
 

Posted by InfoSec News on Mar 05

http://arstechnica.com/security/2015/03/ubers-epic-db-blunder-is-hardly-an-exception-github-is-awash-in-passwords/

By Dan Goodin
Ars Technica
March 4, 2015

Recent revelations that Uber stored a sensitive database key on a publicly
accessible GitHub page generated its share of amazement and outrage. Some
Ars readers called for the immediate termination of the employees
responsible or for the enactment of new legal penalties for similar...
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Recent revelations that Uber stored a sensitive database key on a publicly accessible GitHub page generated its share of amazement and outrage. Some Ars readers called for the immediate termination of the employees responsible or for the enactment of new legal penalties for similar blunders in the future.

Left out of the discussion was a point Ars first tried to drive home more than two years ago. To wit, GitHub and other public code repositories are awash with personal credentials posted by tens of thousands, or possibly even millions, of people, some of whom work for extremely sensitive organizations. A case in point are GitHub entries that appear to include everything needed to log into many Secure File Transfer Protocol accounts. One GitHub search revealed almost 269,000 entries like the one pictured above, showing the domain name or IP address, username, and password needed to log in to each account. Similar searches generated almost two million entries for WordPress accounts.

A quick scan of the results shows that many of them represent no security threat at all, since the password fields are blank or the credentials belong to non-existent accounts or accounts that are accessible only to users already connected to the local network. But a mind-numbingly large percentage of the results appear to provide credentials for accounts on production servers. Whether percentage is 33, 25, or even 10, it's way too high. It wouldn't be surprising if many of the credentials offered shell accounts that ran with highly privileged administrator rights. To protect the careless, this post won't reveal the specific search terms used, even though they are extremely easy for readers figure out on their own or to find on Twitter, in blog posts, or in other venues.


 

 

Big data security analytics: Can it revolutionize information security?
TechTarget
Wednesday at the 2015 SecureWorld conference, Demetrios "Laz" Lazarikos, IT security researcher and strategist for Los Angeles-based Blue Lava Consulting LLC, recounted his time working as the chief information security officer for the online division ...

 

For more than a decade, malicious hackers have used booby-trapped USB sticks to infect would-be victims, in rare cases to spread virulent, self-replicating malware on air-gapped computers inside a uranium enrichment plant. Now, a security researcher says he has found a way to build malicious Blu-ray discs that could do much the same thing—without any outward signs that an attack was underway.

Stephen Tomkinson, a security consultant at NCC Group, said he has devised a proof-of-concept exploit that allows a Blu-ray disc to compromise both a PC running Microsoft Windows and most standalone Blu-ray players. He spoke about the exploit on Friday at the Securi-Tay conference at the Abertay University in Dundee, Scotland, during a keynote titled "Abusing Blu-ray players."

"By combining different vulnerabilities in Blu-ray players, we have built a single disc which will detect the type of player it’s being played on and launch a platform-specific executable from the disc before continuing on to play the disc’s video to avoid raising suspicion," Tomkinson wrote in an accompanying blog post. "These executables could be used by an attacker to provide a tunnel into the target network or to exfiltrate sensitive files, for example."


 
 
LinuxSecurity.com: Updated freetype2 packages fix security vulnerabilities: The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType before 2.5.4 does not properly check for an integer overflow, which allows remote attackers to cause a denial of service (out-of-bounds [More...]
 
LinuxSecurity.com: Updated bind packages fix security vulnerability: Jan-Piet Mens discovered that the BIND DNS server would crash when processing an invalid DNSSEC key rollover, either due to an error on the zone operator's part, or due to interference with network [More...]
 
LinuxSecurity.com: USN-2515-1 introduced a regression in the Linux kernel.
 
LinuxSecurity.com: USN-2516-1 introduced a regression in the Linux kernel.
 
LinuxSecurity.com: Updated foreman-proxy packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Updated foreman-proxy packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform Foreman. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Updated kernel packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 6.4 Extended Update Support. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.5 Extended Update Support. Red Hat Product Security has rated this update as having Important security [More...]
 

Have you ever been on a pentest, or troubleshooting a customer issue, and the next step was to capture packets on a Windows host? Then you find that installing WinPcap or Wireshark was simply out of scope or otherwise not allowed on that SQL, Exchange, Oracle or other host? It used to be that this is when we'd recommend installing Microsoft's Netmon packet capture utility, but even then lots of IT managers would hesitate about using the "install" word in association with a critical server. Well, as they say in networking (and security as well), there's always another way, and this is that way.

netsh trace is your friend. And yes, it does exactly what it sounds like it does.

Type netsh trace help on any Windows 7, Windows Server 2008 or newer box, and you'll see:

C:\> netsh trace help

Commands in this context:
? - Displays a list of commands.
convert - Converts a trace file to an HTML report.
correlate - Normalizes or filters a trace file to a new output file.
diagnose - Start a diagnose session.
dump - Displays a configuration script.
help - Displays a list of commands.
show - List interfaces, providers and tracing state.
start - Starts tracing.
stop - Stops tracing.

Of course, in most cases, tracing everything on any production box is not advisable - especially if it's your main Exchange, SQL or Oracle server. We'll need to filter the capture, usually to a specific host IP, protocol or similar:

C:\> netsh trace show capturefilterhelp

One of the examples in this output shows you how to do that, e.g.:

C:\> netsh trace start capture=yes Ethernet.Type=IPv4 IPv4.Address=157.59.136.1

You could also add Protocol=TCP or UDP and so on.

Full syntax and notes for netsh trace can be found here: https://technet.microsoft.com/en-us/library/dd878517

For instance, the following session shows me capturing an issue with a firewall that I'm working on. Note that you need admin rights to run this, the same as any capture tool. In a pentest you would likely specify an output file that isn't in the user's...

Trace configuration:
-------------------------------------------------------------------
Status: Running
Trace File: C:\Users\Administrator\AppData\Local\Temp\NetTraces\NetTrace.etl
Append: Off
Circular: On
Max Size: 250 MB
Report: Off

When you are done capturing data, it's time to stop the trace:

C:\> netsh trace stop
Correlating traces ... done
Generating data collection ... done
The trace file and additional troubleshooting information have been compiled as
C:\Users\Administrator\AppData\Local\Temp\NetTraces\NetTrace.cab

The cool thing about this is that it doesn't need a terminal session (with a GUI, cursor keys and so on). If all you have is a Metasploit shell, netsh trace works great!

If this is a capture for standard sysadmin work, you can simply copy the capture over to your workstation and proceed on with analysis. If this is a pentest, a standard copy might still work (remember, we're on a Microsoft server), but if you need netcat-type functionality to exfiltrate your capture, take a look at PowerCat (which is a netcat port in PowerShell).

Next, open the file (which is in Microsoft's ETL format) in Microsoft's Message Analyzer app - which you can install on your workstation rather than the server we ran the capture on.

If you do need another packet analysis tool, it's easy to do a File / Save As / Export, and save as a PCAP file that Wireshark, tcpdump, Snort, ngrep, standard Python or Perl calls, or any other standard tool can read natively.

Or you can convert to PCAP using PowerShell (of course you can):

$s = New-PefTraceSession -Path C:\output\path\spec\OutFile.Cap -SaveOnStop
$s | Add-PefMessageProvider -Provider C:\input\path\spec\Input.etl
$s | Start-PefTraceSession

This PowerShell cmdlet is not available in Windows 7 - you'll need Windows 8, or Server 2008 or newer.
(This script was found at http://blogs.technet.com/b/yongrhee/archive/2013/08/16/so-you-want-to-use-wireshark-to-read-the-netsh-trace-output-etl.aspx )
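The netsh trace start/stop procedure and the ETL-to-CAP conversion above, wrapped into one script as an added example; this is not code from the diary or from Microsoft. The function names (Test-IsAdministrator, Start-HostTrace, Stop-HostTrace, Convert-EtlToCap) and the sample address and paths in the comments are my own; the netsh trace parameters (capture, tracefile, maxsize, filemode, overwrite, report, Ethernet.Type, IPv4.Address, Protocol) are documented at the TechNet link above, and the Pef* cmdlets are the ones the diary already uses. Compared with the raw commands, it checks for an elevated session before starting, writes the trace to an explicit path with an explicit size cap instead of the default under %TEMP%\NetTraces, surfaces netsh failures as errors, and verifies that Message Analyzer's PEF module is present before attempting the conversion.

```powershell
# Added example: wrapper around "netsh trace start/stop" and the PEF ETL-to-CAP conversion.
# Function names are my own; netsh parameters and Pef* cmdlets are Microsoft's.

function Test-IsAdministrator {
    # netsh trace needs an elevated session, like any other capture tool.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-HostTrace {
    param(
        # IPv4 address to filter on; netsh matches it as source or destination.
        [Parameter(Mandatory)][ValidateScript({ [ipaddress]::TryParse($_, [ref]$null) })]
        [string]$HostAddress,
        [ValidateSet('TCP', 'UDP', 'ICMP')][string]$Protocol,
        # Explicit output path, instead of the default %TEMP%\NetTraces\NetTrace.etl.
        [Parameter(Mandatory)][string]$TraceFile,
        [ValidateRange(1, 2048)][int]$MaxSizeMB = 250
    )
    if (-not (Test-IsAdministrator)) {
        throw 'netsh trace start requires an elevated (Administrator) session.'
    }

    # Build the argument list piecewise so every filter is explicit and logged.
    $netshArgs = @('trace', 'start', 'capture=yes',
                   "tracefile=$TraceFile",
                   "maxsize=$MaxSizeMB",
                   'filemode=circular',   # ring buffer, as in the diary's session (Circular: On)
                   'overwrite=yes',
                   'report=no',           # skip the .cab report; we only want the .etl
                   'Ethernet.Type=IPv4',
                   "IPv4.Address=$HostAddress")
    if ($Protocol) { $netshArgs += "Protocol=$Protocol" }

    Write-Verbose ('netsh ' + ($netshArgs -join ' '))
    & netsh.exe @netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }
}

function Stop-HostTrace {
    & netsh.exe trace stop
    if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed with exit code $LASTEXITCODE" }
}

function Convert-EtlToCap {
    # The same three PEF cmdlets as the diary, with the checks you want before running
    # them on a workstation: module present, input exists, output directory exists.
    param(
        [Parameter(Mandatory)][string]$InputEtl,
        [Parameter(Mandatory)][string]$OutputCap
    )
    if (-not (Get-Command New-PefTraceSession -ErrorAction SilentlyContinue)) {
        throw 'PEF cmdlets not found: install Microsoft Message Analyzer on this workstation first.'
    }
    if (-not (Test-Path -LiteralPath $InputEtl)) { throw "Input trace not found: $InputEtl" }
    $outDir = Split-Path -Parent $OutputCap
    if ($outDir -and -not (Test-Path -LiteralPath $outDir)) {
        New-Item -ItemType Directory -Path $outDir | Out-Null
    }

    $s = New-PefTraceSession -Path $OutputCap -SaveOnStop
    $s | Add-PefMessageProvider -Provider $InputEtl
    $s | Start-PefTraceSession
    return (Get-Item -LiteralPath $OutputCap)
}

# Example session from an elevated prompt (address and paths are placeholders):
#   Start-HostTrace -HostAddress 192.0.2.10 -Protocol TCP -TraceFile C:\Temp\fw-issue.etl -Verbose
#   ... reproduce the problem ...
#   Stop-HostTrace
# Then, on the analysis workstation with Message Analyzer installed:
#   Convert-EtlToCap -InputEtl C:\Temp\fw-issue.etl -OutputCap C:\Temp\fw-issue.cap
```

Run -Verbose on Start-HostTrace to get the full netsh command line echoed; that line is also what you would expect to see in process-creation logging on the host, which is worth knowing whether you are the one running the capture or the one reviewing the logs afterwards.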

If netsh trace has solved an interesting problem for you, or was the tool that got you some interesting data in a pentest, please, use our comment form to let us know how you used it (within your NDA of course!)

===============
Rob VandenBrink
Metafore
