++codemasters

Just a Greek Coding Team.

Defcon 18, best of White/Gray/Black Hat security papers :)


Written by c0demasters

February 16, 2011, 7:25 p.m.

SourceForge.net Attack: Full Report


As we’ve previously announced, SourceForge.net has been the target of a directed attack. We have completed the first round of analysis, and have a much more solid picture of what happened, the extent of the impact, and our plan to reduce future risk of attack. We’re still working hard on fixing things, but we wanted to share what we know with the community.

We discovered the attack on Wednesday, and have been working hard to get things back in order since then. While several boxes were compromised we believe we caught things before the attack escalated beyond its first stages.

Our early assessment of which services and hosts were impacted, and the choice to disable CVS, ishell, file uploads, and project web updates appears to have prevented any further escalation of the attack or any data corruption activities.

We expect to continue work on validating data through the weekend, and begin restoring services early next week. There is a lot of data to be validated and these tests will take some time to run. We’ll provide more timeline information as we have more information.

We recognize that we could get services back online faster if we cut corners on data validation. We know downtime causes serious inconveniences for some of you. But given the negative consequences of corrupted data, we feel it’s vital to take the time to validate everything that could potentially have been touched.

Attack Description

The general course of the attack was pretty standard. There was a root privilege escalation on one of our platforms which permitted exposure of credentials that were then used to access machines with externally-facing SSH. Our network partitioning prevented escalation to other zones of our network.

This is the point where we found the attack, locked down servers, and began work on analysis and response.

Immediate Response

Our first action response included many of the standard steps:

* analysis of the attack and log files on the compromised servers
* methodically checking all other services and servers for exploits
* further network lockdown and updating of server credentials

Service shutdown

Once we knew the attack was present, we locked down the impacted hosts, so that we could reduce the risk of escalation, from those servers to other hosts, and prevent possible data gathering activities.

This strategy resulted in service downtime for:

* CVS Hosting
* ViewVC
* New Release upload capability
* ProjectWeb/shell

Password invalidation

Our analysis uncovered (among other things) a hacked SSH daemon, which was modified to do password capture. We don’t have reason to believe the attacker was successful in collecting passwords. But, the presence of this daemon and server level access to one-way hashed, and encrypted, password data led us to take the precautionary measure of invalidating all SourceForge user account passwords. Users have been asked to recover account access by email.

Data Validation

It’s better to be safe than sorry, so we’ve decided to perform a comprehensive validation of project data from file releases, to SCM commits. We will compare data against pre-attack backups, and will identify changed and added data. We will review that data, and will also refer anything suspicious to individual project teams for further assessment as needed.

The validation work is a precaution, because while we don’t have evidence of any data tampering, we’d much prefer to burn a bunch of CPU cycles verifying everything than to discover later that some extra special trickery led to some undetected badness.

Service Restoration

Now that most of the analysis is done, we’ve started the next stage of our efforts, which includes the obvious work of restoring compromised boxes from bare metal, and implementing a number of new controls to reduce likelihood of future attack.

We will of course also be updating the credentials which reside on these hosts, and have performed quite a few steps to further lock down access to these machines.

We are in process of bringing services back one by one, as data validation is completed, and we get the newly configured hosts online. We expect that data validation will progress through the weekend, and we’ll really start getting swinging on service restoration early next week.

File Release Services

Many folks have suggested that the most likely motivation for an attack against sourceforge would be to corrupt project releases.

We’ve found no evidence of this, but are taking extraordinary care to make sure that we don’t somehow distribute corrupted release files.

We are performing validation of data against stored hashes, backups, and additional data copies.

We expect to restore these services first, as soon as data validation is completed.
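The hash-based validation described in the Data Validation and File Release Services sections, as an added example that is not SourceForge’s own tooling: it assumes the stored hashes are SHA-256 (the report does not name an algorithm), uses a constructed in-memory pre-attack manifest and constructed file contents, and sorts each release path into unchanged, modified, added or missing, the categories the report says it reviews.

```python
import hashlib
# Added example, not SourceForge's tooling. Assumes SHA-256 stored hashes
# (the report names no algorithm); file contents are constructed, in memory.

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> dict:
    """Hash every file (path -> bytes) into a path -> hex-digest manifest."""
    return {path: sha256_hex(content) for path, content in files.items()}

def validate_release(manifest: dict, current: dict) -> dict:
    """Compare current files against the pre-attack manifest and sort every
    path into exactly one of: unchanged, modified, added, missing."""
    report = {"unchanged": [], "modified": [], "added": [], "missing": []}
    for path in sorted(set(manifest) | set(current)):
        if path not in current:
            report["missing"].append(path)       # backed-up file is gone
        elif path not in manifest:
            report["added"].append(path)         # no pre-attack record
        elif sha256_hex(current[path]) != manifest[path]:
            report["modified"].append(path)      # content differs from manifest
        else:
            report["unchanged"].append(path)
    return report

def needs_review(report: dict) -> bool:
    """Anything other than 'unchanged' gets referred to the project team."""
    return bool(report["modified"] or report["added"] or report["missing"])

# Constructed pre-attack release area and the manifest taken from it.
PRE_ATTACK_FILES = {
    "proj-1.0.tar.gz": b"original release tarball bytes",
    "proj-1.0.tar.gz.asc": b"original detached signature",
    "README": b"release notes",
}
PRE_ATTACK_MANIFEST = build_manifest(PRE_ATTACK_FILES)

# Constructed post-incident state: one file altered, one added, one missing.
CURRENT_FILES = {
    "proj-1.0.tar.gz": b"original release tarball bytes plus one more byte",
    "proj-1.0.tar.gz.asc": b"original detached signature",
    "proj-1.0-hotfix.tar.gz": b"file with no pre-attack record",
}
REPORT = validate_release(PRE_ATTACK_MANIFEST, CURRENT_FILES)

if __name__ == "__main__":
    for category, paths in REPORT.items():
        print(f"{category:>9}: {paths}")
```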

Project Web

One attack vector that impacts our services directly is the shared project web space. So, let’s talk about that in a bit more detail.

Sourceforge.net has been around a long time, and security decisions made a decade ago are now being reassessed. In most cases past decisions were made around the general principle that we trust open source developers to work together, play nice, and generally do the right thing. Services were rolled out based on widespread trust for the developer community. And that philosophy served us well.

But in the years since then, we’ve evolved from hundreds of sf.net users to millions, and in many cases it’s time to re-assess the balance between widespread trust and security. Project Web is a prime example of this, and we’ve been working at a deliberate pace to isolate project web space, and have begun rolling out the new “secure project web” service to many of our projects.

This new secure project web includes a new security model that moves us away from shared hosting while preserving the scalability we need for mass hosting.

Because of this attack we’ll be accelerating the rollout of Secure Project Web services as part of the process of bringing the project web service back online. This will allow us to provide both improved functionality, and better security.

CVS

CVS service is one of SourceForge.net’s oldest services and, due to limitations in CVS itself, cannot readily live on our scalable network storage solution. Validation of this data is going to require several days and we anticipate that this service will be restored sometime in the later part of the week.

We are also considering the end-of-life of the CVS service and hope to have user support in migrating CVS users to Subversion in coming months. Subversion generally provides parity to CVS commands, and many of our users have made this transition successfully in the past.

From SVN, projects can move to Git if desired.

Looking forward

We are very much committed to the ongoing process of improving our security, and we will continue making behind the scenes improvements to our infrastructure on a regular basis. This isn’t a one time event, it’s a process, and we’re going to stay fully engaged over the long term.

I’d like to end with a more personal note: I’ve been working with our Ops team a lot this week, and I think we can all say that the patience and support that we’ve received from the community has been the best part of a very bad week.

Thanks again for all the support and encouragement.

source: http://sourceforge.net/blog/sourceforge-attack-full-report/

Written by c0demasters

February 2, 2011, 2:28 p.m.

Posted in IT-Security Research and News


Hackers sell access to military and government academic websites


Dozens of military, government and education websites have been hacked and are up for sale, according to researchers from Imperva’s Hacker Intelligence Initiative (HII). The HII team has unearthed evidence that dozens of sites, including defence and state sites in the US and Europe, are being offered for sale.

According to a team led by Noa Bar Yosef, Imperva’s senior security strategist, high-profile sites such as the official Italian government website (http://itcgcesaro.gov.it), the Department of Defense Pharmacoeconomic centre (http://pec.ha.osd.mil/) and even the US Army Communications-Electronics Command (CECOM) (http://cecom.army.mil) are available.

In a security blog posting, Rob Rachwald of Imperva says that the hacker has put up a range of sites for anything between $55 and $499.

Imperva’s research team also claims to have discovered that the hacker was also offering personal information from the hacked websites at $20 per 1000 records.

“The hacker is also selling personally identifiable information from hacked sites, for $20 per 1K records”, says the blog, citing an example of “a list of UConn staff”.

Imperva’s post is complete with screenshots, which the hacker claims as a proof of access.

According to Rachwald, the victim sites’ vulnerabilities were probably found by an automatic SQL injection vulnerability scanner and exploited in an automated manner, as the hacker published his methods in a post on a hacker forum.

“In the screen shot [here] we can see IRC chat between the SQLi “master” = @evil which issues the scanning commands and the exploiting “x0owner” which performs the commands”, says the Imperva blog.

“In this specific case @evil issues a command to x0wner to obtain DB table names (!tbls) from the vulnerable link (www.site.gr/athlete.php?id=…). x0wner reports its findings – the tables ‘activities’, ‘admin’,” the blog notes.

Security researcher Brian Krebs picked up Imperva’s research over the weekend, detailing a lot of the site information that Rachwald chose to block out in his blog.

In his security blog, Krebs said that he finds it ironic that one of these sites allegedly for sale is the Department of Defense Pharmacoeconomic Center, which is a DoD site tasked with ‘improving the clinical, economic, and humanistic outcomes of drug therapy in support of the military health system’.

“In all likelihood, if access to this site is purchased, it will be by someone looking to plant links to rogue online pharmacies of the sort frequently advertised in junk e-mail”, said Krebs.

“People who get paid to promote these rogue pharmacies typically do so by hacking legitimate websites and including links back to fly-by-night pharma sites, and they particularly like dot-mil, dot-gov and dot-edu sites because search engines tend to treat links coming from those domains with more authority than random .com sites”, he added.

Krebs also noted that the ‘Undetected Private Java Driveby Exploit’ that the hacker is selling is “none other than the social engineering trick I blogged about last week.”

Written by c0demasters

January 24, 2011, 10:25 p.m.

Microsoft releases free secure development tool


Microsoft on Monday announced the free availability of a new software verification tool designed for coders, as well as IT professionals.

Announced at this week’s Black Hat conference in Washington, D.C., the tool, called Attack Surface Analyzer, helps determine when poorly designed applications widen the attack surface of a Windows system.

The tool is used to “highlight the changes in system state, run-time parameters and securable objects on the Windows operating system,” according to a Security Development Lifecycle blog post. It identifies altered or new files, registry keys, services, ActiveX controls, listening ports, access control lists and other components that could increase an attack surface.

“The tool takes snapshots of an organization’s system and compares these to identify changes,” the post said, citing a product description. “[It] does not analyze a system based on signatures or known vulnerabilities; instead, it looks for classes of security weaknesses as applications are installed on the Windows operating system.”

The tool also produces a report detailing the changes that a particular application may have made to a system.

The Attack Surface Analyzer can be downloaded here.

Source: http://www.scmagazineus.com/microsoft-releases-free-secure-development-tool/article/194470/

Written by c0demasters

January 23, 2011, 6:22 p.m.

Posted in IT-Security Research and News

IT director gets jail term for hacking former employer’s site


IDG News Service – A man fired as IT director for a Richmond, Virginia, seller of telecom equipment has been sentenced to 27 months in prison for hacking into his former employer’s website and deleting files, the U.S. Department of Justice said.

Darnell Albert-El, 53, pleaded guilty to one count of intentionally damaging a protected computer without authorization on June 29. He was sentenced Friday in U.S. District Court for the Eastern District of Virginia and, in addition to the prison time, ordered to pay US$6,700 in restitution to Trans Marx, which sells discounted telecom equipment and supplies.

Albert-El, of Richmond, worked at Trans Marx from February to June 2008, according to court documents. Before he was fired, Albert-El had access to the Trans Marx computer network, including the company website hosted in Georgia, the DOJ said.

On July 25, Albert-El used a personal computer and an administrator account to access the computer hosting the company’s website, and he deleted about 1,000 files related to the Trans Marx website, the DOJ said.

In his plea agreement and an earlier interview with U.S. Federal Bureau of Investigation agents, Albert-El said he deleted the files because he was angry about being fired, the DOJ said.

Albert-El later told Trans Marx employees where backup tapes were located and offered to assist them in restoring the files, said his lawyer, Mary Maguire, while arguing in court documents for a lenient sentence.

Source: http://www.computerworld.com/s/article/9194027/IT_director_gets_jail_term_for_hacking_former_employer_s_site

Written by c0demasters

November 1, 2010, 12:34 p.m.

Posted in IT-Security Research and News
