Archive for category Hacking
Adding the ARDX.ORG source code to your Arduino Example folder
Posted by grymoire in Hacking, Shell Scripting, Technology on October 16, 2011
I purchased the ARDX kit from Lady Ada, and I wanted to experiment with all of the source code from the ARDX web site. However, following the link and copying the source code didn’t automatically add it as an example; I had to re-save each one as a sketch. So instead I wrote a shell script called ARDX.sh.
This does several things:
- It downloads all of the sketches.
- It creates a directory to store all of the sketches.
- It creates a directory for each one of the sketches.
- It renames the source code into a *.pde file.
- It moves the *.pde file into the proper sketch folder.
- It removes all files created during the process that are no longer needed.
To use the script, simply type

```sh
./ARDX.sh
# This creates a folder called "Ardx"
mv Ardx .../arduino-0022/examples/.
```

Here is the script. Note how I used the $debug variable: it lets me choose between just showing the commands and actually executing them.
```sh
#!/bin/sh
# Remove the '#' at the beginning of the next line to debug this script
#debug=echo

if [ ! -d Ardx ]
then
    mkdir Ardx
fi
cd Ardx || exit 1

# Fetch each example page; wget -r recreates the site's directory tree
# (ardx.org/src/circ/...) underneath the Ardx folder
Examples="01 02 03 04 05 06 07 08 09 10 11 12A 13A"
for i in $Examples
do
    $debug wget -r http://ardx.org/CODE$i
done
$debug wget -r http://www.ardx.org/src/circ/CIRC12-code-ADAF.txt
$debug wget -r http://www.ardx.org/src/circ/CIRC13-code-ADAF.txt

# Now create a directory for each of the examples
Examples="01 02 03 04 05 06 07 08 09 10 11"
for i in $Examples
do
    if [ ! -f ardx.org/src/circ/CIRC$i-code.txt ]
    then
        echo unable to find file ardx.org/src/circ/CIRC$i-code.txt
    else
        $debug mkdir CIRC$i
        $debug mv ardx.org/src/circ/CIRC$i-code.txt CIRC$i/CIRC$i.pde
    fi
done

# The two ADAF variants were fetched from www.ardx.org, so handle them separately
$debug mkdir CIRC12A
$debug mv www.ardx.org/src/circ/CIRC12-code-ADAF.txt CIRC12A/CIRC12A.pde
$debug mkdir CIRC13A
$debug mv www.ardx.org/src/circ/CIRC13-code-ADAF.txt CIRC13A/CIRC13A.pde

# Now remove the downloaded directory trees, which are no longer needed
$debug /bin/rm -r ardx.org www.ardx.org
```
Restart your Arduino session, and when you look in examples, you will see a new folder called Ardx. Inside is a sketch for each of the examples.
DigiNotar
Here is a summary of the DigiNotar hack that has been in the news.
DigiNotar is a Dutch Certificate Authority (CA). They provide a root certificate installed in your IE, Firefox, Safari or Chrome web browser. They are one of several hundred Certificate Authorities.
First of all, someone noticed that an unauthorized Google certificate had been created. The certificate was for “*.google.com” and allowed anyone holding it to perform a Man-in-the-Middle (MITM) attack; essentially, they could intercept any secure traffic to and from Google (Gmail, etc.). It was spotted by someone in Iran. The Google certificate was signed by DigiNotar, which was unusual, as Google uses a different CA. This sort of activity would be noticed if you had installed a browser add-on like Firefox’s Certificate Patrol.
This created quite a bit of news, similar to the Comodo Hack. According to the Associated Press, “DigiNotar acknowledged it had been hacked in July, though it didn’t disclose it at the time. It insisted as late as Tuesday that its certificates for government sites had not been compromised.” And “But Donner said a review by an external security company had found DigiNotar’s government certificates were in fact compromised, and the government is now taking control of the company’s operations. The government also is trying to shift over to other companies that act as digital notaries, he said.”
It was then revealed that 531 forged certificates had been created, targeting the CIA, Yahoo, Twitter, Facebook, WordPress, Microsoft Live, torproject, Mozilla, Skype, and others.
The root certificate to DigiNotar was revoked by Microsoft, Google (Chrome), and Mozilla (Firefox). Firefox was updated to 6.0.2 to address this.
It turns out that someone calling themselves the ComodoHacker claims to have hacked both Comodo and DigiNotar. The hacker has bragged about his intentions on his Pastebin account. Some of his comments:
- He is an independent hacker, and not part of an Iranian Cyber Army.
- He is a hacktivist – he hacks for his own reasons.
- He hacked DigiNotar because of their involvement in the Srebrenica genocide 16 years ago.
- He’s protesting “US and Israel’s involvement in Stuxnet”
- He’s protesting HBGary’s CEO for spreading malware in the Middle East, and that the FBI did not “see/find/detect/catch” this.
- He has hacked 4 other CAs and names one: GlobalSign. In response, GlobalSign stopped issuing certificates.
- He claims he has hacked Microsoft’s update process. For proof, he has created a modified version of calc.exe that is “signed by Microsoft.”
There is some debate over whether this is really the same person. We shall see.
Expect more news. Many security experts have stated that the entire certificate infrastructure is broken. Having 100+ Certificate Authorities, all trusted equally, is just a bad idea. This is the opposite of Defense in Depth, where multiple failures are needed to compromise a system: here, if any single CA fails, the entire system fails. Let’s compare the two approaches mathematically.
Suppose you had a system where each certificate was signed by two certificate authorities. For the sake of simplification, let’s assign a probability of a certificate compromise to be 1%. Perhaps it should be 0.1%, but we can look at that later.
In the case of two CA’s signing each certificate, an attacker has to compromise both, so the probability of a certificate compromise is (CA1)*(CA2), or in this case (1% * 1%) = 0.01%.
Compare this to the case where you have ten CA’s, and if ANY are compromised, any certificate may be suspect.
To calculate the probability of a certificate compromise with multiple equivalent CA’s (any one of which can sign for any site), you need the formula
1 - (1-CA1)*(1-CA2)*(1-CA3)*(1-CA4)*(1-CA5)*(1-CA6)*(1-CA7)*(1-CA8)*...*(1-CAN)
If there are 10 CA’s, and each has a probability of 1% failure, then the probability of a failure if any are compromised is
1 - (99% * 99% * 99% * 99% * 99% * 99% * 99% * 99% * 99% * 99%),
which is
1 - 0.99^10 = 1 - 0.90438, or about 10%.
If you had a hundred CA’s, then the chance of a failure is 1 - 0.99^100 = 1 - 0.3660, or about 63%!
Suppose you change the percentage to 0.1% per CA. 0.999^100 is 90.4%, so the chance of any single certificate being compromised is about 10%.
If you assume 0.01% per individual CA, the probability becomes about 1%.
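To make the two models concrete, here is an added example (my own code, not part of the original post) that evaluates the formulas above for the per-CA probabilities discussed: the browser’s “trust any one of N CAs” model versus the “every certificate needs two signatures” model. It also generalizes to “any k of N CAs must co-sign”, which is an assumption of mine and not something the post proposes; with k = 2 and N = 2 it reduces to the two-CA case in the text.

```python
"""Trust-any vs. multi-signature CA models (added example, not from the post)."""
from math import comb


def any_of_n(p, n):
    """Browser model from the post: n equally trusted CAs, each with an
    independent compromise probability p. A forged certificate is accepted
    if ANY one CA is compromised, so the risk is 1 - (1-p)^n."""
    return 1.0 - (1.0 - p) ** n


def all_of_k(p, k):
    """Countersigning model from the post: a certificate is only accepted if
    all k designated CAs sign it, so the attacker must compromise all k of
    them, giving p^k (p*p for the two-CA case in the text)."""
    return p ** k


def k_of_n(p, n, k):
    """Generalization (my assumption, not on the page): n CAs in the trust
    store and any k of them must co-sign. A forgery needs at least k
    compromised CAs out of n, which is a binomial tail sum."""
    return sum(comb(n, j) * p ** j * (1 - p) ** (n - j) for j in range(k, n + 1))


def comparison_table(p, sizes=(2, 10, 100)):
    """Rows of (n, trust-any-one risk, any-two-must-sign risk)."""
    return [(n, any_of_n(p, n), k_of_n(p, n, 2)) for n in sizes]


if __name__ == "__main__":
    for p in (0.01, 0.001, 0.0001):
        print(f"per-CA compromise probability {p:.2%}")
        for n, trust_any, two_of_n in comparison_table(p):
            print(f"  n={n:3d}  any-one-of-n: {trust_any:7.3%}"
                  f"   any-two-of-n: {two_of_n:9.5%}")
```

Running it reproduces the post’s figures (about 10% for ten CAs at 1%, about 63% for a hundred) and shows how quickly the risk collapses once two independent signatures are required, even with a hundred CAs in the store.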
In any case, the proliferation of CAs in the browser has seriously broken Internet security. This is why people and teams like CMU and Moxie Marlinspike have offered suggestions.
Security News July 2011
- Contents
- Security News July 2011.
- Chinese Army Developed Online Wargame:
- Take a bow everybody, the security industry really failed this time.
- Another use of a Teensy as a HID device to hack into a company.
- Another Teensy-like device, from AdaFruit/Lady Ada.
- A commentary on Siemens Summit for End Users.
- INCORPORATING CYBER SECURITY INTO THE EXECUTION METHODOLOGY OF AUTOMATION PROJECTS.
- Microsoft follows Google in pulling plug on its home-energy service.
- Verizon: RSA Hackers Using Trojans, Keyloggers In Second Wave Attacks.
- MasterCard DDoSed.
- Google Labs vulnerable to SQL Injection.
- Lockheed Promises Electric-Grid Security.
- Hacked Fox News Twitter account claimed Obama had been assassinated.
- Hackers target Apple server
- DOE Networks under Siege – Labs Report Sophisticated Breaches.
- Microsoft releases Security Essentials 2.1.
- Some of Stuxnet source code available.
- Some of Spaf’s early ideas on defense, which are still valid and unusual today.
- US Military researching secure chips.
- Symantec’s 2010 Annual Study: U.S. Cost of a Data Breach (March 2011)
- Microsoft says it is pushing cyber attacks on to the user
- Google dumps all 11+ million .co.cc sites from its results.
- National Board of Information Security Examiners.
- Updated July 8th:
- New BIND Release Fixes High-Severity Remote Bugs.
- Cyber Security and US-China Relations.
- What’s Worse, Incompetence or Deception?
- Siemens Cyber Security Report Card (Part 1 of 2) (plus Presentation)
- Email: Washington Post Jobs Hacked.
- 10 Largest hacker attacks.
- Siemens – Implementing a Network Behavior-based Intrusion Detection System for Control System Networks.
- Five Steps To Help Repel The ‘Lulz’
- Anonymous vows revenge after 15 arrested; AntiSec hacks continue.
- Phone hacking probe: Ex-News of the World editor Coulson arrested.
- Hacker Exposes Florida’s Voting Database — Again.
- Apple fixes bugs used by the new Jailbreakme executable.
- Universal Music passwords exposed by Anonymous hack.
- Colorado agency loses medical aid applicants’ data.
- Massive botnet ‘indestructible,’ say researchers.
- Throwing in the Towel: The Sorry State of Client Security.
- Updated July 13th:
- Google: Business version of Google+ is coming.
- Politics: Backdoors in hardware?.
- Politics: Threat of destructive coding on foreign-manufactured technology is real
- Politics: It’s China’s turn to wrestle with a pile of bad debt
- Politics: Smart grid cybersecurity standards potentially subject to conflict of interest
- Hackers: Anonymous, LulzSec and the Trouble with Hacktivism.
- Opinion: Is high security backfiring in U.S.?
- Breach: David Beckham’s website defaced by hackers.
- Hackers: How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History.
- Alert: DroidDream Again Appears in Android Market Apps.
- Research: Information flow can reveal dirty deeds.
- Vulnerability: Java vulnerability demonstrates file planting.
- Research: “Transparent” photonics chip may lead to faster networks and cloaks of invisibility.
- Operations: Operational cybersecurity in shared HPC environments.
- Alert: Microsoft Fixes Scary Bluetooth Flaw, 21 Others.
- Alert: More on the bluetooth vulnerability.
- Breach: Kiplinger Reveals Breach Of 142,000 Customer Accounts.
- CyberSecurity: Elster REX2 Smart Meter Teardown.
- Research: Mitigating Software Vulnerabilities – Microsoft
- Alert: Putty 0.61 released.
- Hackers: CVE-2011-1281: A story of a Windows CSRSS Privilege Escalation vulnerability.
- Hackers: Cross Site Scripting Video Tutorial
- Hackers: Video on cracking PEAP.
- Hackers: A summary of PDF tricks, either based on data encodings, javascript, or PDF structure.
- Hackers: New version of the Bus Pirate available.
- Fun: Cryptex-based secure flash drive.
- Hackers: List of default passwords/backdoors in BIOS.
- Updated July 19th:
- Politics: U.S., Russia Forge Cybersecurity Pact
- Breach: Voda femtocells open phones up to intercept
- Breach: Vodafone Hacked – Root Password published.
- Breach: Anonymous attacks agri-giant Monsanto, leaking information on 2,500 employees.
- Breach: Monsanto responds to cyber attack.
- Technology: IT, security can’t keep up as consumer device use grows.
- Breach: New Report Finds U.S. Hosting Providers Infested With Malware, Botnets.
- Hack: Teensy/PDF Dropper
- Hack: And Blocking/Detecting Teensy/PDF Dropper
- Fun: Programming Monsters (Cartoon monsters representing programming errors)
- Hack: Live CD for RFID Hacking.
- Breach: Pentagon Discloses Massive Data Theft, Lays Out New Security Strategy.
- Politics: Pentagon’s new cyber strategy.
- Hack: How to buy friends and deceive ppl: how the freelance market has created a testbed for emerging cybercrime activities.
- Hack: Zeus for Android and fake Kaspersky Antivirus 2011.
- Hack: Blackhat Preview Webcast
- Visualization: The Tale of Two Visualizations – a TED Talk by the head of F-Secure.
- Breach: 24,000 files were swiped from a US defense contractor
- Security: Hotmail banning common passwords.
- Hack: Mantra Security Toolkit 0.6.1 Released – Browser Based Hacking Framework.
- Technology: Introducing BrowserID: A better way to sign in.
- Technology: How BrowserID differs from OpenID.
- Tool: DRAFT Web Application Security Working Group Charter
- Hack: Widespread site compromise leading to Zeus.
- Technology: Oracle to Fix 78 Bugs in July Patch Update.
- Politics: U.S. House Committee Questions Ability to Secure Wall Street Data.
- Breach: 4000 Websites hacked by The 077 ( HamDi HaCker )
- Anti-Tamper: An interesting blog on physical chip security by Christopher Tarnovsky.
- Politics: US military learning cybersecurity lessons from businesses.
- Crime: More Than 100 Arrested in Fake Internet Sales.
- Research: Http Parameter Contamination (HPC) Attack / Research Paper
- Politics: US forced to redesign secret weapon after cyber breach.
- Technology: A list of documented incident response methodologies from CERT Society Generale.
- Breach: US Cyber Attackers Hack Lady Gaga’s Website; Call Her Homophobic.
- Tools: List of Chrome Extensions for Security Professionals.
- Tools: Snort docs by platform – updated with Amazon EC2.
- Politics: Whizz kids deserting the spy world as threat of attacks increases.
- Hack: AVR Cheat Sheet
- Tool: New Sguil HTTPRY Agent
- Technology: Cisco Network Emergency Response Vehicle:
- Politics: China’s QR Code Bullet Train Tickets Spill Your Personal Info.
- Tools: Kernel Level exploitation book.
- Breach: Toshiba admits 7500 customer accounts pillaged.
- Breach: Ship to Gaza hit by cyber attack.
- Breach: The Sun gets hacked by LulzSec.
- Politics: Attacks on military targets are tightly focused.
- Technology: SCADA Vendors Issue Patches; Users Don’t Apply Them.
- Technology: Single Keystroke Nearly Self-Destructs Unmanned Navy Copter
Security News July 2011
Chinese Army Developed Online Wargame
http://www.schneier.com/blog/archives/2011/06/chinese_army_de.html
Take a bow everybody, the security industry really failed this time
http://erratasec.blogspot.com/2011/06/take-bow-everybody-security-industry.html
Lessons to learn:
- Putting your security in the hands of tools will fail you every time.
- If you exclude anything from vulnerability testing you will fail.
- Security is the first business I have seen where the customer is not always right.
Another use of a Teensy as a HID device to hack into a company
http://pentest.snosoft.com/2011/06/24/netragards-hacker-interface-device-hid/
Another Teensy-like device, from AdaFruit/Lady Ada
http://www.ladyada.net/wiki/products/atmega32u4breakout/index.html?s[]=teensy
A commentary on Siemens Summit for End Users
http://www.isssource.com/summit-for-end-users-security-101/
INCORPORATING CYBER SECURITY INTO THE EXECUTION METHODOLOGY OF AUTOMATION PROJECTS
Microsoft follows Google in pulling plug on its home-energy service
Verizon: RSA Hackers Using Trojans, Keyloggers In Second Wave Attacks
MasterCard DDoSed
http://www.thehackernews.com/2011/06/mastercard-again-down-by-ddos-attack-in.html
Google Labs vulnerable to SQL Injection
http://www.thehackernews.com/2011/06/sql-injection-vulnerability-in-google.html
Includes step-by-step instructions using the Havij tool.
Lockheed Promises Electric-Grid Security
Hacked Fox News Twitter account claimed Obama had been assassinated
The hacking group Script Kiddies, which purportedly desires to work with Anonymous, claimed responsibility for the hack to Stony Brook University’s Think Magazine. “We are looking to find information about corporations to assist with antisec,” a Script Kiddies representative told Think Magazine. “Fox News was selected because we figured their security would be just as much of a joke as their reporting.”
Hackers target Apple server
http://news.cnet.com/8301-1009_3-20076688-83/hackers-target-apple-server/
The find, posted via the AntiSec hacking campaign, appears to be a warning that Apple “could be a target too.”
DOE Networks under Siege – Labs Report Sophisticated Breaches
Microsoft releases Security Essentials 2.1
http://www.h-online.com/security/news/item/Microsoft-releases-Security-Essentials-2-1-1272446.html
Some of Stuxnet source code available
http://www.pentestit.com/2011/07/04/stuxnet-source-code-online/
Some of Spaf’s early ideas on defense, which are still valid and unusual today.
http://www.cerias.purdue.edu/site/blog/post/more_than_passive_defense/
Rule #1 – Everything was built on a decoy system. Interesting for insider threat considerations.
US Military researching secure chips
Because of the massive number of counterfeit chips, IARPA is interested in chip obfuscation and split manufacturing.
Symantec’s 2010 Annual Study: U.S. Cost of a Data Breach (March 2011)
http://www.symantec.com/content/en/us/about/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf
Microsoft says it is pushing cyber attacks on to the user
http://www.computing.co.uk/ctg/news/2084120/microsoft-pushing-cyber-attacks-user
“The easiest way to infect a computer is to ask the user to do it,” said Haber.
Google dumps all 11+ million .co.cc sites from its results
http://www.theregister.co.uk/2011/07/06/google_cans_11m_dot_co_dot_cc_sites/
*.co.cc sold cheap domains. Therefore…
“According to a recent report from the Anti-Phishing Working Group, the .cc top-level domain hosted 4,963 phishing attacks in the second half of 2010, almost twice the number found under any other extension.”
Google blocked that subdomain. Now phishers are using *.co.tv:
http://blog.sucuri.net/2011/07/google-blocks-co-cc-attackers-are-now-using-co-tv.html
National Board of Information Security Examiners
https://www.nbise.org/our-work
Updated July 8th
New BIND Release Fixes High-Severity Remote Bugs
http://threatpost.com/en_us/blogs/new-bind-release-fixes-high-severity-remote-bugs-070611
The high-severity vulnerability in many versions of the BIND software has the effect of causing the BIND server to exit when it receives a specially formatted packet. The ISC said that although it isn’t aware of any public exploits for the bug, it still recommends that organizations upgrade to one of the newer versions of BIND, which include 9.6-ESV-R4-P3, 9.7.3-P3 or 9.8.0-P4.
Cyber Security and US-China Relations
http://www.chinausfocus.com/peace-security/cyber-security-and-us-china-relations/
What’s Worse, Incompetence or Deception?
http://www.digitalbond.com/2011/07/06/whats-worse-incompetence-or-deception/
Security researcher Dillon Beresford talks about Siemens and their lack of straightforwardness regarding responsible disclosure. I think he’s building up to a Black Hat frenzy (when he’s going to reveal the hack).
Siemens Cyber Security Report Card (Part 1 of 2) (plus Presentation)
http://www.tofinosecurity.com/blog/siemens-cyber-security-report-card-part-1-2-plus-presentation
Email: Washington Post Jobs Hacked
http://www.wusa9.com/news/article/157575/187/Email-Washington-Post-Jobs-Hacked
10 Largest hacker attacks
http://powerwall.msnbc.msn.com/politics/10-largest-hacker-attacks-10396.gallery
Not this year. Largest ever. Fancy pictures. Little content.
Siemens – Implementing a Network Behavior-based Intrusion Detection System for Control System Networks
http://scadahacker.com/nba-ids-video.html
Video of presentation is included in the link and is worth watching.
It is a very interesting example of using real tools (Snort, etc.) to build a set of Snort rules describing normal traffic, and then, with some tweaking, modifying the result to detect abnormal traffic.
If you want to do IDS on an ICS system, this is a great start, and it can be applied to any small network.
And it would have detected Stuxnet, says the presenter. A nice intro to clever Snort (or Snort rule) thinking, as some other IDS systems are Snort compatible (e.g. Bro, Suricata).
Five Steps To Help Repel The ‘Lulz’
Anonymous vows revenge after 15 arrested; AntiSec hacks continue
Phone hacking probe: Ex-News of the World editor Coulson arrested
http://www.bbc.co.uk/news/uk-14077405
Hacker Exposes Florida’s Voting Database — Again
http://yro.slashdot.org/story/11/07/08/0435222/Hacker-Exposes-Floridas-Voting-Database-mdash-Again
Apple fixes bugs used by the new Jailbreakme executable
http://www.networkworld.com/news/2011/070711-apple-developing-fixes-for-dangerous.html
Universal Music passwords exposed by Anonymous hack
http://www.theregister.co.uk/2011/07/07/universal_music_password_exposure/
Colorado agency loses medical aid applicants’ data
http://www.scmagazineus.com/colorado-agency-loses-medical-aid-applicants-data/article/206945/
Massive botnet ‘indestructible,’ say researchers
http://www.computerworld.com/s/article/9218034/Massive_botnet_indestructible_say_researchers
“TDL-4,” the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is “the most sophisticated threat today,” said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis Monday.
“[TDL-4] is practically indestructible,” Golovanov said.
Others agree.
Throwing in the Towel: The Sorry State of Client Security
Interesting essay on the latest hacking tools and botnet compromises.
Updated July 13th
Google: Business version of Google+ is coming
http://www.computerworld.com/s/article/9218267/Google_Business_version_of_Google_is_coming
Politics: Backdoors in hardware?
http://www.fastcompany.com/1765855/dhs-someones-spiking-our-imported-tech-with-attack-tools
Politics: Threat of destructive coding on foreign-manufactured technology is real
http://www.nextgov.com/nextgov/ng_20110707_5612.php
Politics: It’s China’s turn to wrestle with a pile of bad debt
http://www.msnbc.msn.com/id/43600432/ns/business-eye_on_the_economy/
Politics: Smart grid cybersecurity standards potentially subject to conflict of interest
Hackers: Anonymous, LulzSec and the Trouble with Hacktivism
Opinion: Is high security backfiring in U.S.?
http://worldblog.msnbc.msn.com/_news/2011/07/08/7019081-is-high-security-backfiring-in-us
By Richard Engel, NBC News Chief Foreign Correspondent, who travels to the Middle East frequently.
TSA: “Don’t you travel to dangerous places all the time? How can this bother you? Where you go, people are shooting at you,” he said.
Engel: “Yes, but this is what the terrorists wanted. They want us to live in fear,” I said.
Breach: David Beckham’s website defaced by hackers
http://nakedsecurity.sophos.com/2011/07/11/david-beckhams-website-defaced-by-hackers/
Hackers: How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History
http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/
Alert: DroidDream Again Appears in Android Market Apps
http://threatpost.com/en_us/blogs/droiddream-again-appears-android-market-apps-071211
More Android packages have malware
Research: Information flow can reveal dirty deeds
http://www.sciencenews.org/view/generic/id/330731/title/Information_flow_can_reveal_dirty_deeds
Brandy Aven of Carnegie Mellon University in Pittsburgh reported June 1 at an MIT workshop on social networks, describing how a hub-and-spoke communication structure kept the shady deals secret.
Vulnerability: Java vulnerability demonstrates file planting
Research: “Transparent” photonics chip may lead to faster networks and cloaks of invisibility
Operations: Operational cybersecurity in shared HPC environments
http://www.youtube.com/watch?v=qwGIUytMEnQ&feature=related
Interesting observation: We already have the tools to detect hacks. We just need to use them better.
Alert: Microsoft Fixes Scary Bluetooth Flaw, 21 Others
http://krebsonsecurity.com/2011/07/microsoft-fixes-scary-bluetooth-flaw-21-others/
http://threatpost.com/en_us/blogs/microsoft-patch-22-flaws-july-patch-tuesday-070711
Disable Bluetooth on your laptop.
Alert: More on the bluetooth vulnerability
This is a low-cost device used for reverse engineering hardware and monitoring busses.
Breach: Kiplinger Reveals Breach Of 142,000 Customer Accounts
CyberSecurity: Elster REX2 Smart Meter Teardown
http://www.ifixit.com/Teardown/Elster-REX2-Smart-Meter-Teardown/5710/1
Research: Mitigating Software Vulnerabilities – Microsoft
http://security-sh3ll.blogspot.com/2011/07/mitigating-software-vulnerabilities.html
How exploit mitigation technologies can help reduce or eliminate risk, prevent attacks and minimize operational disruption due to software vulnerabilities. It covers
- DEP
- ASLR
- SAFESEH and Structured Exception Handler Overwrite Protection (SEHOP)
- Enhanced Mitigation Experience Toolkit (EMET)
Alert: Putty 0.61 released
http://lists.tartarus.org/pipermail/putty-announce/2011/000016.html
New features:
- Support for SSH-2 authentication using GSSAPI, on both Windows and Unix
- On Windows: PuTTY’s X11 forwarding can now authenticate with the local X server
- A small but important feature: you can now manually tell PuTTY the name of the host you expect to end up talking to
Hackers: CVE-2011-1281: A story of a Windows CSRSS Privilege Escalation vulnerability
http://j00ru.vexillium.org/?p=893
Hackers: Cross Site Scripting Video Tutorial
http://www.clerkendweller.com/2011/7/12/Cross-Site-Scripting-Video-Tutorial
Hackers: Video on cracking PEAP
http://www.securitytube.net/video/2039
Hackers: A summary of PDF tricks, either based on data encodings, javascript, or PDF structure.
https://code.google.com/p/corkami/wiki/PDFTricks
Hackers: New version of the Bus Pirate available
http://www.adafruit.com/blog/2011/07/12/updated-product-bus-pirate-bpv3-5-v3-5/
Fun: Cryptex-based secure flash drive
http://www.engadget.com/2011/07/12/cryptex-flash-drive-uses-combination-lock-sleeve-brings-a-whole/
Hackers: List of default passwords/backdoors in BIOS
http://www.duniapassword.com/2008/11/list-bios-default-backdoor-password.html
Updated July 19th:
Politics: U.S., Russia Forge Cybersecurity Pact
http://www.informationweek.com/news/government/security/231001440
Breach: Voda femtocells open phones up to intercept
http://www.theregister.co.uk/2011/07/14/vodafone_femtocell_hack/
Breach: Vodafone Hacked – Root Password published
http://thcorg.blogspot.com/2011/07/vodafone-hacked-root-password-published.html
Breach: Anonymous attacks agri-giant Monsanto, leaking information on 2,500 employees
Breach: Monsanto responds to cyber attack
http://www.ksdk.com/money/article/266840/5/Monsanto-responds-to-cyber-attack
Technology: IT, security can’t keep up as consumer device use grows
The evolution of smart devices is “unstoppable and inevitable”, and IT needs to properly support and secure their integration into the business.
Breach: New Report Finds U.S. Hosting Providers Infested With Malware, Botnets
Hack: Teensy/PDF Dropper
http://blog.didierstevens.com/2011/07/13/teensy-pdf-dropper-part-1/
Hack: And Blocking/Detecting Teensy/PDF Dropper
http://blog.didierstevens.com/2011/07/14/quickpost-blocking-and-detecting-a-teensy-dropper/
Fun: Programming Monsters (Cartoon monsters representing programming errors)
http://www.infosecurity.us/blog/2011/7/13/programming-monsters.html
Hack: Live CD for RFID Hacking
http://hackaday.com/2011/07/09/live-cd-for-rfid-hacking-on-the-go/
Breach: Pentagon Discloses Massive Data Theft, Lays Out New Security Strategy
Politics: Pentagon’s new cyber strategy
http://www.acus.org/new_atlanticist/pentagons-new-cyber-strategy
- First Pillar: The DoD will “treat cyberspace as an operational domain to organize, train, and equip so that DoD can take advantage of cyberspace’s potential.”
- Second Pillar: The Department will “employ new defense operating concepts.”
- Third Pillar: The Department will partner with other departments in the US government and the private sector.
- Fourth Pillar: DoD “will build on robust relationships with US Allies and international partners to strengthen collective cybersecurity.”
- Fifth Pillar: The Department will “leverage the nation’s ingenuity through an exceptional workforce and rapid technological innovation”.
Hack: How to buy friends and deceive ppl: how the freelance market has created a testbed for emerging cybercrime activities
http://krebsonsecurity.com/2011/07/how-to-buy-friends-and-deceive-people/
Freelancing jobs for account verification, spamming social networks.
Hack: Zeus for Android and fake Kaspersky Antivirus 2011
http://nakedsecurity.sophos.com/2011/07/14/zeus-for-android-update/
Hack: Blackhat Preview Webcast
https://www.blackhat.com/html/webcast/webcast-2011_preview.html
Visualization: The Tale of Two Visualizations – a TED Talk by the head of F-Secure
https://www.clarifiednetworks.com/Blog/2011-07-13%2020:47
Breach: 24,000 files were swiped from a US defense contractor
http://www.theinquirer.net/inquirer/news/2094275/-files-swiped-defence-contractor
by “an unidentified foreign government”
Security: Hotmail banning common passwords
Hack: Mantra Security Toolkit 0.6.1 Released – Browser Based Hacking Framework
Technology: Introducing BrowserID: A better way to sign in
http://identity.mozilla.com/post/7616727542/introducing-browserid-a-better-way-to-sign-in
Technology: How BrowserID differs from OpenID
http://identity.mozilla.com/post/7669886219/how-browserid-differs-from-openid
Tool: DRAFT Web Application Security Working Group Charter
http://www.w3.org/2011/07/appsecwg-charter.html
Hack: Widespread site compromise leading to Zeus
http://nakedsecurity.sophos.com/2011/07/15/widespread-site-compromise-leading-to-zeus/
Technology: Oracle to Fix 78 Bugs in July Patch Update
http://threatpost.com/en_us/blogs/oracle-fix-78-bugs-july-patch-update-071511
Politics: U.S. House Committee Questions Ability to Secure Wall Street Data
Breach: 4000 Websites hacked by The 077 ( HamDi HaCker )
http://www.thehackernews.com/2011/07/4000-websites-hacked-by-077-hamdi.html
Anti-Tamper: An interesting blog on physical chip security by Christopher Tarnovsky
Politics: US military learning cybersecurity lessons from businesses
http://www.networkworld.com/news/2011/071511-dod-cyberdefense.html
In its new cyberdefense strategy, the Pentagon is drawing on lessons about agility, lifecycle management and supply-chain protection that have already been learned by private corporations.
Crime: More Than 100 Arrested in Fake Internet Sales
http://krebsonsecurity.com/2011/07/more-than-100-arrested-in-fake-internet-sales/
Romanian and Moldavian scammers arrested.
Research: Http Parameter Contamination (HPC) Attack / Research Paper
http://www.exploit-db.com/download_pdf/17534
Politics: US forced to redesign secret weapon after cyber breach
http://www.theregister.co.uk/2011/07/15/cyber_breach_redesign/
“In a single intrusion this March, 24,000 files were taken.”
Technology: A list of documented incident response methodologies from CERT Society Generale
http://cert.societegenerale.com/en/publications.html
Breach: US Cyber Attackers Hack Lady Gaga’s Website; Call Her Homophobic
http://hken.ibtimes.com/articles/181614/20110717/lady-gaga-cyber-attack-hackers-homophobic.htm
Tools: List of Chrome Extensions for Security Professionals
http://www.pentestit.com/2011/07/18/list-chrome-extensions-security-professionals/
Tools: Snort docs by platform – updated with Amazon EC2
Politics: Whizz kids deserting the spy world as threat of attacks increases
Hack: AVR Cheat Sheet
http://tinkerlog.com/2009/06/18/microcontroller-cheat-sheet/
Tool: New Sguil HTTPRY Agent
http://isc.sans.org/diary.html?storyid=11200&rss
Technology: Cisco Network Emergency Response Vehicle
http://www.cisco.com/web/about/doing_business/business_continuity/whitepaper_NERV.pdf
Enabling IP-Based Incident Management
Politics: China’s QR Code Bullet Train Tickets Spill Your Personal Info
http://www.penn-olson.com/2011/07/15/qr-train-tickets/
Tools: Kernel Level exploitation book
http://www.attackingthecore.com/
Breach: Toshiba admits 7500 customer accounts pillaged
http://www.theregister.co.uk/2011/07/18/tosh_customer_hack/
Breach: Ship to Gaza hit by cyber attack
http://www.thelocal.se/35002/20110718/
Breach: The Sun gets hacked by LulzSec
http://nakedsecurity.sophos.com/2011/07/19/sun-hack-lulzsec-video/
Politics: Attacks on military targets are tightly focused
http://www.thinq.co.uk/2011/7/19/attacks-against-military-targets-continue/
Technology: SCADA Vendors Issue Patches; Users Don’t Apply Them
http://www.isssource.com/vendors-issue-patches-users-don%E2%80%99t-apply-them/
Technology: Single Keystroke Nearly Self-Destructs Unmanned Navy Copter
Security News May 2011
Posted by grymoire in Hacking, Politics, Security, Technology on May 5, 2011
Advanced Persistent Tweets: Zero-Day in 140 Characters
http://krebsonsecurity.com/2011/05/advanced-persistent-tweets-zero-day-in-140-characters/
Interesting report on “a Chinese hacker” bragging about zero-day attacks.
Sony Online loses 12,700 credit card account numbers, 24.6 million accounts compromised [update]
http://www.joystiq.com/2011/05/02/sony-hit-with-second-attack-loses-12-700-credit-card-nu/
A second hack has occurred.
Bruce Schneier’s TED talk on security trade-offs
http://www.ted.com/talks/bruce_schneier.html?awesm=on.ted.com_Schneier
Bruce always has an interesting view on security. This one discusses how we react and evaluate security.
Crimeware Kit Emerges for Mac OS X
http://threatpost.com/en_us/blogs/crimeware-kit-emerges-mac-os-x-050211
“Crimeware kits have become a ubiquitous part of the malware scene in the last few years, but they have mainly been confined to the Windows platform. Now, reports are surfacing that the first such kit targeting Apple’s Mac OS X operating system has appeared.”
Best Buy Suffers Second Email Breach
Epsilon hack victim’s customer emails exposed yet again — via a different vendor
“The Best Buy spokesman noted that the second breach was similar to that of Epsilon’s”
The X Factor hit by database breach, leading to quarter of a million personal details being stolen
“The personal details of 250,000 The X Factor hopefuls may have been compromised following a database hack. A Fox network spokesperson confirmed that no financial information was accessed”
Bin Laden Death Triggers Cyber Scams
http://www.techweb.com/news/229402787/bin-laden-death-triggers-cyber-scams.html
As expected. There are many other links as well.
Five Biggest Recipients Of Corporate Tax Breaks Spent $8 Million In 2010 Elections (UPDATED)
http://www.huffingtonpost.com/2011/05/03/recipients-corporate-tax-breaks-elections_n_856630.html
GE is listed as one of the top 5 companies that received a tax break.
Other references regarding lobbying include
http://www.opensecrets.org/orgs/list.php?order=A
http://www.opensecrets.org/orgs/totals.php?cycle=2010&id=D000000125
Sony notes deception in their attack
“Hirai went on to claim that the breach occurred at the same time as the DoS attack, which was not immediately detected because of its ‘sheer sophistication’ and because a ‘system software vulnerability’ was exploited.”
An example of deceptive hacking – Bruce
North Korea hackers blamed for bank crash in South
Michael Stores reports PIN pad attack in Chicago, according to email I just received.
Lastpass forces everyone to change their master password after a hack.
http://www.pcworld.com/article/227268/exclusive_lastpass_ceo_explains_possible_hack.html#tk.twt_pcw
This may not be necessary, but the CEO felt it is best to be conservative regarding security. - Bruce
Scammers Swap Google Images for Malware
http://krebsonsecurity.com/2011/05/scammers-swap-google-images-for-malware/
Homeland Security Demands Mozilla Remove Firefox Extension That Redirects Seized Domains
Latvian energy grid hacked? Chinese hacking group claims responsibility all details; keys, rules.
http://seclists.org/fulldisclosure/2011/May/85
This is the URL to the bragging
The third Sony hack
http://mobile.reuters.com/article/idUSL3E7G701T20110507?irpc=932
http://www.thehackernews.com/2011/05/thn-hacker-news-exclusive-report-on.html
Vulnerability in Skype exposes MacOS to worm
http://www.networkworld.com/news/2011/050611-skype-to-fix-wormable-bug.html?source=nww_rss
Congress Bans Scientific Collaboration with China, Cites High Espionage Risks
“The clause prohibits the White House Office of Science and Technology Policy (OSTP) and the National Aeronautics and Space Administration (NASA) from coordinating any joint scientific activity with China.”
Renren (China’s equivalent to Facebook) Changes Key User Figure Before IPO
http://online.wsj.com/article/SB10001424052748704729304576286903217555660.html?KEYWORDS=renren
“Chinese social-networking company Renren Inc., which is hoping to raise $584 million in a public listing on the New York Stock Exchange, revised a key user number in its prospectus, highlighting the murkiness of data in China’s high-flying Internet sector.”
Phishing Becomes More Sophisticated
http://www.networkworld.com/news/2011/050911-phishing-becomes-more.html?source=nww_rss
“Organized cybercrime groups are using convincingly crafted emails to target high-level executives and employees within the organizations they want to attack. In many cases, the phishing emails are personalized, localized and designed to appear as though they originated from a trusted source. ”
Some pen test experts say they are 70% successful for each individual email. – Bruce
The hackers hacked: main Anonymous IRC servers invaded
OpenID warns of ‘psychic paper’ authentication attack
http://www.theregister.co.uk/2011/05/09/openid_security_bug/
Baddies can modify cross-site personal data … though no one has yet
Vulnerabilities in Online Payment Systems
http://www.schneier.com/blog/archives/2011/05/vulnerabilities_2.html
Paypal –based authentication flaw with third party
CS2: A Semantic Cryptographic Cloud Storage System
http://research.microsoft.com/apps/pubs/default.aspx?id=148632
“This paper presents CS2, a cryptographic cloud storage system that provides provable guarantees of confidentiality, integrity, and verifiability without sacrificing utility. In particular, while CS2 provides security against the cloud provider, clients are still able to efficiently access their data through a search interface and to add and delete files. ”
Metasploit 3.7 Takes Aim at Apple iOS
http://www.esecurityplanet.com/news/article.php/3932861/Metasploit-37-Takes-Aim-at-Apple-iOS.htm
“The Metasploit 3.7 release provides an enhanced session tracking backend that is intended to improve performance. Metasploit 3.7 also provides over 35 new exploit modules for security researchers to test, including new ones designed to test Apple’s iOS mobile operating system security”
Backtrack 5 released
http://www.backtrack-linux.org/
BackTrack is an exploitation distribution. The maintainers said on Twitter that their server was DoSed the night before. – Bruce
Google’s South Korea Office Raided over Location Privacy
“Google’s South Korean office was raided by police in that country over the use of location data in its AdMob mobile ad platform, which delivers ads on Android handsets and tablets.”
Breach at Michaels Stores extends nationwide. 70 hacked PIN pads found in stores from DC to West Coast
http://krebsonsecurity.com/2011/05/breach-at-michaels-stores-extends-nationwide/
Facebook Applications Accidentally Leaking Access to Third Parties
Unpatched DLL bugs let hackers exploit Windows 7 and IE9, says researcher
Problematic Certificates
http://www.f-secure.com/weblog/archives/00002155.html
Nothing new – just a discussion of the problem with certificates
Two Zero-Day Flaws Used To Bypass Google Chrome Security
French researchers say they hacked their way out of the browser’s sandbox and bypassed DEP and ASLR
Google responds
NASA, Stanford Hacked by Software Scammers
http://www.foxnews.com/scitech/2011/05/10/nasa-stanford-hit-software-scammers/
Shady online salesmen offering cheap Adobe software have hacked into several Web pages belonging to NASA and Stanford University.
Database of Fox Employees’ Passwords and Emails Leaked
http://gawker.com/5800366/database-of-fox-employees-passwords-and-emails-leaked
Finally Source code of ZeuS Botnet Version: 2.0.8.9 available for Download !
http://www.thehackernews.com/2011/05/finally-source-code-of-zeus-crimeware.html
Security Fixes for Microsoft Windows, Office
http://krebsonsecurity.com/2011/05/security-fixes-for-microsoft-windows-office/
“Microsoft issued just two updates today to fix at least three security flaws in its Windows and Microsoft Office products, a merciful respite following last month’s record-setting patch push. One of the patches issued today earned a critical rating, the company’s most serious.”
Preventive and protective measures against insider threats in nuclear facility
http://www-pub.iaea.org/MTCD/publications/PDF/Pub1359_web.pdf
Facebook worm w/cut&paste javascript
http://blog.trendmicro.com/dubious-javascript-code-found-in-facebook-application/
Businesses Need to Look at Security as a Military Operation
“Businesses need to look at security as a military exercise and can benefit from strategies that have proved useful in battle, a former military security expert told an Interop audience this week”
Exposing the Lack of Privacy in File Hosting Services
http://www.usenix.org/event/leet11/tech/full_papers/Nikiforakis.pdf
File hosting services like Rapidshare provide an apparently obscure and secret way to exchange files. Not so. The URLs are guessable, and are being actively enumerated by third parties.
ActiveX Flaw Affecting SCADA systems
http://isc.sans.edu/diary/ActiveX+Flaw+Affecting+SCADA+systems/10873
“If you are running a power plant, a refinery or any other system using ICONICS’ GENESIS32 and BizViz software[[...]please patch your plant.”
Amazon.com Server Said to Have Been Used in Sony Network Attack
Not surprising, as a stolen credit card can be used to create untraceable accounts.
Critical Flash Player Update Plugs 11 Holes
http://krebsonsecurity.com/2011/05/critical-flash-player-update-plugs-11-holes/
Final Fantasy maker Square Enix hacked
http://www.bbc.co.uk/news/technology-13394968
Hackers have broken into two websites belonging to Japanese video games maker Square Enix.
Pentesting Vulnerable Study Frameworks Complete List
http://www.felipemartins.info/2011/05/pentesting-vulnerable-study-frameworks-complete-list/
Useful list of tools and links for pentesters – Bruce
More details and theories on the Sony PSN hack
http://www.theregister.co.uk/2011/05/13/veracode_playstaion_hack_analysis/
And then it came up, and went down again.
Review of various password managers
http://blog.danielfischer.com/2011/05/12/its-time-to-start-using-a-password-manager/
KillerBee is an exploitation framework for 802.15.4/ZigBee sensor networks
http://code.google.com/p/killerbee/
Stuxnet: How It Happened
The paper recommendations:
* prevent unauthorized media
* Use host-based firewalls to disable P2P protocols
* Use tripwire, etc. to detect unauthorized changes
Qakbot Virus Causes Possible Data Breach at Mass. Agencies
http://threatpost.com/en_us/blogs/qakbot-virus-causes-possible-data-breach-mass-agencies-051811
“An untold number of computers at the Massachusetts Department of Unemployment Assistance and Department of Career Services were compromised in April, leading state officials to warn hundreds of thousands of people that their personal information may have been stolen as part of the attack.”
Code wars
http://www.cnbc.com/id/42210831/
CNBC’s “Code Wars”, hosted by Melissa Lee, takes you onto the frontlines of the war on cyber. Cyber attacks are almost impossible to trace, making cyber crime and acts of cyber warfare the ultimate anonymous crime. So how do we protect our systems whose components are largely manufactured abroad? Can our nation’s infrastructure be protected from cyber attacks? And how can the U.S. win a war in which conventional rules of combat do not apply? CNBC tackles the tough questions in “Code Wars: America’s Cyber Threat.”
TV show is Thursday May 26th
Hack Targets NASA’s Earth Observation System
http://threatpost.com/en_us/blogs/hack-targets-nasas-earth-observation-system-051711
A hacker is claiming that a security hole in a server at NASA’s Goddard Space Flight Center has exposed data related to a satellite-based Earth observation system used to aid in disaster relief.
Executives underestimate cybercrime danger
http://www.dw-world.de/dw/article/0,,15083403,00.html?maca=en-rss-en-top-1022-xml-atom
“However, Ernst & Young found a remarkable contradiction in its poll. While 94 percent of those leaders surveyed talked about the growing danger of cybercrime, 38 percent said they thought the threat to their own firm was rather small.”
SCADA hack talk canceled after U.S., Siemens request
http://news.cnet.com/8301-27080_3-20064112-245.html
A security researcher cancelled his talk at the request of DHS and Siemens.
And the related post:
Siemens working on vulnerability that threatens critical infrastructure
http://www.gsnmagazine.com/article/23386/siemens_working_vulnerability_threatens_critical_i
Hackers attack Norwegian Defense
http://www.norwaypost.no/news/hackers-attack-norwegian-defence-25222.html
U.S. Infrastructure Is Vulnerable to Cyber Attack, but No One Will Do Anything
Protecting Your Industrial Control System from Zero-Day Attacks
http://scadahacker.com/factorylink-video.html
NIST publishes BIOS recommendations
http://csrc.nist.gov/publications/nistpubs/800-147/NIST-SP800-147-April2011.pdf
Sony hacked again/Phishing
Hackers Infiltrate Sony So-net Subsidiary, Steal $1,125 in Points
http://www.pcmag.com/article2/0,2817,2385715,00.asp
“To So-net’s credit, whatever security system the company employs for its point system did manage to hold for quite a bit of time. That, or the hackers really had no other strategies other than what appears to be a brute-force attack on accounts. It allegedly took the attackers more than 10,000 different attempts before they were finally successful in accessing So-net’s system. “
Sony BMG Greece the latest hacked Sony site
http://nakedsecurity.sophos.com/2011/05/22/sony-bmg-greece-the-latest-hacked-sony-site/
This makes the 7th attack on Sony. -Bruce
Common Vulnerability Reporting Framework
http://isc.sans.edu/diary/Common+Vulnerability+Reporting+Framework+CVRF+/10900
Cyber-security legislation sent to Congress by President
http://www.gsnmagazine.com/article/23319/cyber_security_legislation_sent_congress_president
and another view:
Congress Just Sold You Out: Leadership Plans To Extend Patriot Act For Four Years With NO Concessions
Credit processors targeted in fight against spam
http://www.theregister.co.uk/2011/05/23/spam_economics/
“The researchers have discovered that the vast majority (95 per cent) of the credit card payments to unlicensed pharmaceutical sites are handled by just three payment processing firms – based in Azerbaijan, Denmark and Nevis, in the West Indies, respectively.”
There is also a 16-page paper “Click Trajectories: End-to-End Analysis of the Spam Value Chain” referenced
Researchers find irreparable flaw in popular CAPTCHAs
Decaptcha pierces Live.com, Yahoo!, Digg
http://www.theregister.co.uk/2011/05/23/microsoft_yahoo_captchas_busted/
“Decaptcha is a two-phase audio-CAPTCHA solver that correctly breaks the puzzles with a 41-percent to 89-percent success rate on sites including eBay, Yahoo, Digg, Authorize.net, and Microsoft’s Live.com. The program works by removing background noise from the audio files, allowing only the spoken characters needed to complete the test to remain.”
The creator of the “Great Firewall of China” was pelted with shoes
http://packetstormsecurity.org/news/view/19192/Chinas-Great-Firewall-Creator-Pelted-With-Shoes.html
“While many of China’s estimated 477 million internet users appear largely indifferent to the firewall because they use almost solely domestic sites and services, a growing number of young people are frustrated by curbs that not only prevent them accessing foreign news and social media sites, but increasingly make it hard or even impossible to use apparently uncontroversial sites, such as the Internet Movie Database (IMDb).”
Google notes that SSL False Start reduces HTTPS handshake latency by about 30%
http://blog.chromium.org/2011/05/ssl-falsestart-performance-results.html
Google has been verifying this in their Chrome browser.
9th attack on Sony
http://www.thehackernews.com/2011/05/lulzsec-leak-sonys-japanese-websites.html
False Positives – The Dirty Secret of the Web Security Scanning Industry
When using automated tools to test a web application for security, there are a large number of false positives which must be manually and tediously examined. If the skill of the white-hat pen tester is limited, they may overlook real vulnerabilities by assuming they are false positives.
AlienVault announces a SCADA SIEM (Security Information and Event Management)
http://alienvault.com/products/industrial-control-system-siem
A demo is coming soon. Alienvault had a VM image of their original SIEM that was impressive.
Senate debates president’s power during cyber-attack
http://www.washingtontimes.com/news/2011/may/23/senate-debates-presidents-power-during-cyber-attac/
“The Senate Homeland Security and Governmental Affairs Committee held a hearing on the administration’s legislative proposal, announced two weeks ago, that would rely on a pre-World War II radio emergency law to provide the president with authority to protect key computer and communication networks — like those mainly in private hands that run power grids, phone systems and banking services — from a cyber-attack.”
More news about the SCADA/Siemens hack that was cancelled at the last minute
http://www.networkworld.com/news/2011/052311-a-botched-fix-not-legal.html
For the next two days speculation swirled as to whether DHS weighed in with a heavy hand to pull the talk, or if Siemens threatened legal action against the security firm. “That’s not what happened here,” says Vik Phatak, chief technology officer at NSS Labs. “Siemens found out, near the last minute, that the mitigation they had planned didn’t work. It could be bypassed,” Phatak says.
Related: http://threatpost.com/en_us/blogs/metasploit-holding-siemens-exploits-052311
The exploits are ready to be released into the Metasploit framework.
Hotmail Exploit Has Been Silently Stealing E-mail
http://www.darknet.org.uk/2011/05/hotmail-exploit-has-been-silently-stealing-e-mail/
The latest news is there has been a nasty bug in Hotmail for a while that has been actively exploited allowing malicious senders to snoop on e-mail and even add forwarding rules to the victim account.
negative reaction to Siemens for their reaction to discovery of security flaws in their SCADA equipment.
http://www.securitycurve.com/wordpress/archives/4164
http://threatpost.com/en_us/blogs/researcher-says-siemens-downplaying-serious-scada-holes-052411
UPDATE 2-U.S. government warns about Siemens security flaw
http://www.reuters.com/article/2011/05/24/siemens-security-idUSN2428619720110524
“But a spokesman for Siemens denied any fault, saying company officials are in a better position to assess potential security risks than researchers from an outside firm.”
I think this is a grave error on Siemens part, because it erodes confidence in their company – especially their denial of any problem.
Bruce Schneier discusses this here
http://www.schneier.com/blog/archives/2011/05/new_siemens_sca.html
I believe each company should have a “dry run” exercise to see how they will handle such an event. All public statements regarding security should be carefully managed, to prevent a public relations disaster. There should be a policy, and everyone should know what that policy is.
Vulnerabilities on Cisco Device
http://www.isssource.com/vulnerabilities-on-cisco-devices/
Cisco network equipment is still vulnerable to a single security vulnerability flaw nearly two years after the company issued a patch, according to an analysis of network scans by Dimension Data for its 2011 Network Barometer Report.
MacOS
I haven’t been reporting this, but Apple malware has been in the news. First an iOS malware generation package was released, along with MacOS plugins for Metasploit, which make writing malware for iOS easier. Next, Mac users have been tricked into installing malware, named “Mac Defender”, masquerading as an anti-virus package. Apple, as a matter of policy, refused to tell infected users how to remove the malware. Now Apple is issuing an OS update, but the malware authors are modifying the malware to defeat Apple’s response.
http://blogs.pcmag.com/securitywatch/2011/05/mac_defender_20_released.php
http://www.us-cert.gov/current/index.html#apple_mac_defender_macprotector_and
And now a Russian company has released a toolkit to break Apple’s encryption.
http://www.h-online.com/security/news/item/ElcomSoft-cracks-iOS-encryption-system-1250526.html
And now we know more about the people behind the MacDefender malware: ChronoPay
http://krebsonsecurity.com/2011/05/chronopay-fueling-mac-scareware-scams/
Bank of America Breach
http://www.latimes.com/business/la-fi-lazarus-20110524,0,1687635.column
An inside employee leaked personal account information, which cost $10 million in damages. 95 suspects have been arrested, and apparently it took a year before BofA told its customers that thieves had been siphoning money from their bank accounts.
Microsoft finds 427K email addresses on knocked-out Rustock server
US Cert has released Common Cybersecurity Vulnerabilities in Industrial Control Systems
http://www.us-cert.gov/control_systems/pdf/DHS_Common_Cybersecurity_Vulnerabilities_ICS_2010.pdf
Vendor backdoors in Siemens, HP, and Allied Telesis
https://threatpost.com/en_us/blogs/hardware-vendor-offers-backdoor-every-product-052611
Lockheed network hit by major disruption: sources
http://www.nw32.com/business/sns-rt-us-lockheed-networktre74p7u3-20110526,0,5678682.story
http://www.reuters.com/article/2011/05/26/lockheed-network-idUSN2613783420110526
Congress approves extension of USA Patriot Act provisions
China Admits Cyber Warfare Unit – “Blue Army”
http://www.infowar-monitor.net/2011/05/china-admits-cyber-warfare-unit/
Reuters report on compromise of RSA Secure ID tokens at Lockheed
Lockheed Strengthens Network Security After RSA-based Hacker Attack
http://www.nytimes.com/2011/05/30/business/30hack.html?_r=2
They are keeping their RSA token technology. But they are getting new tokens, and using an additional password.
http://www.schneier.com/blog/archives/2011/05/lockheed_martin.html
And more details.
More details on the Siemens vulnerability.
http://news.infracritical.com/pipermail/scadasec/2011-May/020005.html
This is an excellent comment that shows how customers view Siemens’ response as a “head in the sand” attitude.
Hackers Post Phony Tupac Shakur Story on PBS Site
http://www.nytimes.com/2011/05/31/technology/31pbs.html
Hackers Deface PBS Site, Promise More Lulz
http://www.pcworld.com/article/228983/hackers_deface_pbs_site_promise_more_lulz.html
New GPU-accelerated password cracker
http://hashcat.net/oclhashcat-plus/
New technology making use of OpenCL- and CUDA-based graphics accelerators
Aussie banks cancel 10,000 credit cards
http://www.theregister.co.uk/2011/05/29/aus_banks_cancel_credit/
“The Commonwealth Bank and the St George Bank initiated the alert via SMS to customers notifying them that their cards would be cancelled as part of precautionary measures”
Aggressive social engineers
http://www.schneier.com/blog/archives/2011/05/aggressive_soci.html
Hours after I posted this on Facebook, my sister got a phone call from someone who claimed her computer was sending out error messages, and wanted her to buy some software to “fix the problem.” The web site was v2serve.com – registered March 10, in India. I reported this to the FBI – Bruce.
RSA Breach
Posted by grymoire in Hacking, Security, Uncategorized on April 11, 2011
RSA/SecurID data has been compromised.
What does this mean? Security researchers have been discussing the latest news about hackers getting data from RSA related to the SecurID authentication token. I have one and have used it for years. The SecurID fob is simple to use. Every 30 seconds a 6-digit number is displayed on the device. You log onto a computer by typing your username, your PIN, and the 6-digit number. Since that number is unique to your device, only the owner of the device can use it to log in.
I’ve seen many interesting discussions on the RSA Breach, but I felt the threat analysis was incomplete. Since RSA said nothing, I’ve made some assumptions, and analyzed those assumptions.
Assumptions
I’ve made some assumptions about what might have happened. If these turn out to be false, then the threats are not as severe. But let’s set the foundation.
The 128-bit SecurID algorithm has been obtained
It’s well known that in 2000, someone who claims to be I. C. Wiener published the source code to the algorithm. However, others have said this is the old 64-bit version of the algorithm, and that the newer algorithm is based on 128-bit AES. The Russian name Wiener looks like a joke, BTW. It really doesn’t matter. First of all, Kerckhoffs’s principle says that security should not depend on the algorithm being secret. Besides, if the hackers were inside RSA, they could have obtained the algorithm. Alternatively, they can reverse engineer the client application for the iPhone, BlackBerry, Android, etc.
We should not assume that the algorithm is secret. I have not seen it published, but that does not matter. We have to assume it’s known.
The files containing seeds and the corresponding serial numbers were obtained
The SecurID token generates seemingly random numbers, which are used to authenticate users on a computer. The numbers are predictable once you know the serial number of the device, the secret seed number, and the time (as the numbers change every 30 seconds). The time is of course guessable. Each device has a clock and it might “drift” or get out of sync with the real time, but the server allows some “slop” in which number is valid, and it recognizes the drift each token has. If a device’s clock is always slow, the server can learn how much it is off, and accurately know which number is showing on the token. I’ve seen email from people who know that imply that this data was obtained.
The files that identify the company by the token serial number were obtained
If this is true, then knowing the serial number of the device will tell you the name of the company that purchased the device. I have an old version and a new version, and both of them have serial numbers greater than a million. I don’t know if these are sequentially numbered. But there must be an algorithm, and if a company orders 10,000 tokens, it is likely the numbers are close together, if they aren’t sequential.
Summary of the SecurID Technology
This section is for those who don’t understand the algorithm.
Steve Bellovin used a nice way to describe the technology. Let’s call the number being displayed on the SecurID token the TokenValue. There is a hash algorithm H such that
TokenValue = H(Seed, SerialNumber, ClockTick)
The ClockTick is based on the date and/or a counter inside the device. It’s not considered a secret. When a customer logs into a server, they enter
Username
PIN+TokenValue
The server uses the username to look up the serial number and/or the SEED value (perhaps the serial number is used to look up the SEED value). If the generated TokenValue matches the number provided, and the PIN is the same, the user is authenticated. I call this calculation a hash value, because cryptographers describe hash functions (also known as one-way functions) as something that is hard to reverse. Knowing the token value will not help you learn the seed and serial number. It’s difficult to make a whole potato and a slice of corned beef from a serving of hash.
Threat Model
When analyzing risks, it is important to consider what the goal of the attack is – what is the threat model? The SecurID token provides a one-time password (OTP). That is, if someone learns your PIN and the token value you just typed (from a keystroke logger, shoulder surfing, or a man-in-the-middle attack), they still cannot gain access to your account, because that value will not be accepted again. Other threats not related to the SecurID technology include:
- Sniffing passwords on the wire – HTTPS prevents this
- Brute force attacks on a server – the server should detect this and block the account when too many attempts fail
The SecurID technology does not address these issues.
Attack Probabilities
Let’s consider the pieces of information that are needed to do an attack. All five pieces of information are needed for an attack to be useful.
Can the attacker guess the SecurID Serial Number?
This information is written on the back of the SecurID fob. Some people attach it to their keychain, and it might be glimpsed. In addition, RSA may have records that associate the serial number with a company. If so, the search space is limited to the number of tokens issued. Let’s say a large order is 100,000 tokens, or about 2 to the 17th power (2^17). But it could be as small as 500 tokens. Let’s just say that the chances were formerly a snowball’s chance in Hell, but are now the chance of a snowflake falling on your head.
Can the attacker guess the SecurID Username?
Of all of the values, I assume this is the easiest to guess. There are conventions used by each company, and if you know the convention, you can predict the username. It could be an ID number, or a combination of letters from the user’s name. Usernames are rarely random. I therefore assume this is trivial.
Can the attacker guess the SecurID Pin?
This is also a concern. Some people, because of their belief that the SecurID token is secure, use a weak or trivial PIN. It may even be a 4-digit number.
Can the attacker guess the SecurID Company/Website?
Of course it’s essential to know where the token is useful. If the hacker has a SEED and serial number, they still have to get the company, username and PIN. But we can’t assume this is a hard problem.
Can the attacker guess the SecurID Seed?
This is the crux of the issue. The largest threat is caused by the loss of the SEED files. Why is this? Because the seeds are the most valuable. The estimated number of stars in the Universe is 100,000,000,000,000,000,000,000. That’s a 1 followed by 23 zeros. The 128-bit seed, if generated correctly, should be a random number. The number of possible combinations is 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456. That’s 3 followed by 38 digits, which is about 3,000,000,000,000,000 times larger than the number of stars in the universe. By knowing which seeds are used, the difficulty drops from 2^128 to the same as finding the serial number (2^17) or less.
Threats
As I see it, there are three major threats
- A brute force attack on the token (the stolen data greatly increases the attacker’s ability to do this)
- Social engineering, using a serial number whose seed is known
- Observing and cloning a SecurID token, i.e. the ability to replicate the token
Before I go into depth of the analysis,
Threat of a Brute Force Attack on the SecurID Token
Let’s first assume that the attacker guesses or knows the user’s PIN. People use (and reuse) simple PINs, like “abc123.” The username is guessable. If we then assume the company has 1000 tokens, the problem is to find which token belongs to the person. With the seed file, the attacker can compute the current value of each of those 1000 tokens, so at most 1000 login attempts are needed. The attacker can spread this attack across several different IP addresses, and try several different accounts, over a period of months. If the company does not notice the increased number of failed attempts, they may not realize a brute force attack is happening. This attack is a real possibility. It could happen once a year.
Threat of using Social Engineering to obtain the SecurID Token
This attack is easier if the support team is unsophisticated about social engineering attacks. An attacker can contact the help desk and say they got a new token, but it’s not working. Then they can read off a serial number (one for which they have the SEED value), and if the account is reset to that token, the attacker can gain access to the account because they can generate the token value. The attacker can likewise ask them to reset the PIN.
Threat of SecurID Token Replication
The third attack can occur if the attacker is able to observe the actions of a legitimate user. They may get a glimpse of the token value, and the serial number on the back of the token. They may see the username, and guess the PIN. This can be done by watching someone log in. After all, people assume SecurID is secure, and the user may not care if they are closely watched during the login process. Knowledge of the token value gives the attacker a way to identify the serial number, by a brute force search over the list of serial numbers and seed values obtained. The attacker has to allow for some “slop” in clock synchronization, but a brute force search of 2^17 combinations does not take long. Also, if someone is able to observe the login sequence once, and they have the SEED values, they can predict all future sequences. This is a brute force attack, but the difference is that it is done off-line. In other words, it cannot be detected. This means that the ability of the SecurID token to provide one-time passwords is significantly weakened. If the login is observed (camera, shoulder surfing, keystroke logger, man-in-the-middle attack, etc.), then the credentials can be re-used without the owner’s knowledge.
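As an added example (not code from the original post or from RSA), here is a toy model of the scheme in the “Summary of the SecurID Technology” section above, together with the replication attack just described. The function H is assumed to be an HMAC-SHA256 over (seed, serial number, 30-second clock tick), which is a stand-in for the real SecurID function, not the actual algorithm; the server side learns each token’s clock drift the way the post describes. The seed file of 1024 tokens, the serial numbers and the user “alice” are all constructed for the demonstration.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per token value
DIGITS = 6     # digits shown on the fob
WINDOW = 2     # server tolerates this many steps of clock drift either way


def token_value(seed: bytes, serial: int, t: int) -> str:
    """TokenValue = H(Seed, SerialNumber, ClockTick).

    HMAC-SHA256 is an assumed stand-in for the real SecurID function; what
    matters is the shape: secret seed, public serial number, public clock tick.
    """
    tick = t // STEP
    mac = hmac.new(seed, struct.pack(">QQ", serial, tick), hashlib.sha256).digest()
    n = int.from_bytes(mac[:8], "big") % 10 ** DIGITS
    return f"{n:0{DIGITS}d}"


class AuthServer:
    """Maps username -> [serial, seed, PIN, learned drift in ticks]."""

    def __init__(self):
        self.users = {}

    def enroll(self, username: str, serial: int, seed: bytes, pin: str) -> None:
        self.users[username] = [serial, seed, pin, 0]

    def verify(self, username: str, passcode: str, now: int) -> bool:
        """passcode is the PIN followed by the six digits on the token."""
        rec = self.users.get(username)
        if rec is None:
            return False
        serial, seed, pin, drift = rec
        if len(passcode) != len(pin) + DIGITS:
            return False
        if not hmac.compare_digest(passcode[: len(pin)], pin):
            return False
        shown = passcode[len(pin):]
        # Allow "slop": try the learned drift plus a few ticks either side.
        for d in range(-WINDOW, WINDOW + 1):
            expected = token_value(seed, serial, now + (drift + d) * STEP)
            if hmac.compare_digest(expected, shown):
                rec[3] = drift + d      # remember how far this token's clock is off
                return True
        return False


def recover_from_seed_file(seed_file: dict, observed_value: str, observed_at: int):
    """Offline search: which (serial, seed) in the stolen file, at which clock
    offset, produces the TokenValue that was seen? Never touches the server,
    so nothing can log or rate-limit it. Returns candidate (serial, offset) pairs."""
    hits = []
    for serial, seed in seed_file.items():
        for d in range(-WINDOW, WINDOW + 1):
            if token_value(seed, serial, observed_at + d * STEP) == observed_value:
                hits.append((serial, d))
    return hits


def demo() -> dict:
    # Constructed data: 1024 tokens with deterministic seeds so the run repeats.
    seed_file = {s: hashlib.sha256(b"constructed-seed-%d" % s).digest()
                 for s in range(1_000_000, 1_000_000 + 1024)}
    server = AuthServer()
    alice_serial = 1_000_777
    server.enroll("alice", alice_serial, seed_file[alice_serial], "1234")

    now = 1_700_000_010
    # Alice's fob runs one step slow; the server accepts it and learns the drift.
    shown = token_value(seed_file[alice_serial], alice_serial, now - STEP)
    legit_ok = server.verify("alice", "1234" + shown, now)

    # The attacker shoulder-surfed that single login: username, PIN, six digits.
    hits = recover_from_seed_file(seed_file, shown, now)

    # Twenty steps later the attacker logs in with a cloned token. No value is
    # being replayed, so the one-time-password property does not catch it.
    later = now + 20 * STEP
    replay_ok = False
    for serial, d in hits:           # try every candidate the offline search produced
        clone = token_value(seed_file[serial], serial, later + d * STEP)
        if server.verify("alice", "1234" + clone, later):
            replay_ok = True
            break
    return {"legit_ok": legit_ok, "hits": hits, "replay_ok": replay_ok}


if __name__ == "__main__":
    print(demo())
```

The search in recover_from_seed_file is the whole point: with the seed file in hand, one observed six-digit value narrows 1024 tokens (or the post’s 2^17) to a handful of candidates in milliseconds, entirely offline, and from then on the attacker can compute every future value. Without the seed file the same observation tells the attacker nothing beyond the value that has already been burned.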
Conclusion
In the worst case scenario, there are three threats that exist that did not significantly exist before. Two can be addressed. The third one cannot. Brute force attacks can be detected. Single accounts can be disabled, but if the brute force attacks are against all users, the only way to prevent this is to issue new tokens. Social engineering attacks are possible, and customers can be alert for them, and prevent them. However, the biggest protection of the SecurID One-Time-Password is broken. It can no longer be assumed that if the attacker can observe one authentication transaction, they will be unable to re-use those credentials. We have to assume the hackers who got into RSA are able to re-use SecurID credentials. That is, if they can observe one authentication sequence, they can replicate the credentials without being detected.
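An added example, not part of the original post, of the detection the conclusion says is possible. The serial-number search described above is spread over many accounts and source addresses so that no single account ever trips lockout; the signal that survives is the site-wide failure count compared with its usual baseline. The log format and the sample lines are constructed for this example and are not a real SecurID server log format.

```python
import re
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import median

# Constructed log format for this example (not a real SecurID/ACE server format):
# "<YYYY-MM-DD> user=<name> src=<ip> result=<OK|FAIL>"
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) user=(\S+) src=(\S+) result=(OK|FAIL)$")

def parse_events(lines):
    """Return (day, user, src, ok) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            d, user, src, result = m.groups()
            events.append((date.fromisoformat(d), user, src, result == "OK"))
    return events

def daily_failure_profile(events):
    """Per day with failures: (total failures, distinct accounts, distinct source IPs)."""
    fails, users, srcs = Counter(), defaultdict(set), defaultdict(set)
    for day, user, src, ok in events:
        if not ok:
            fails[day] += 1
            users[day].add(user)
            srcs[day].add(src)
    return {d: (fails[d], len(users[d]), len(srcs[d])) for d in fails}

def flag_spread_bruteforce(profile, baseline_days=7, factor=3.0, min_accounts=5):
    """Flag days whose site-wide failure count exceeds factor x the median of the
    first baseline_days days AND whose failures are spread over many accounts.
    Per-account lockout never sees this pattern: each account fails only once."""
    days = sorted(profile)
    base = [profile[d][0] for d in days[:baseline_days]]
    threshold = factor * median(base) if base else 0.0
    return [d for d in days[baseline_days:]
            if profile[d][0] > threshold and profile[d][1] >= min_accounts]

def constructed_log():
    """A quiet week, then one day of the spread attack: one failure per account
    across ten accounts from six addresses, which stays under any lockout threshold."""
    start = date(2011, 4, 1)
    lines = []
    for i in range(7):
        d = start + timedelta(days=i)
        lines.append(f"{d} user=alice src=10.0.0.5 result=OK")
        lines.append(f"{d} user=bob src=10.0.0.7 result=FAIL")  # one fat-fingered PIN
    d = start + timedelta(days=7)
    for n in range(10):
        lines.append(f"{d} user=user{n:02d} src=198.51.100.{n % 6} result=FAIL")
    lines.append(f"{d} user=alice src=10.0.0.5 result=OK")
    return lines

if __name__ == "__main__":
    profile = daily_failure_profile(parse_events(constructed_log()))
    for day in flag_spread_bruteforce(profile):
        print(f"{day}: {profile[day][0]} failures over {profile[day][1]} accounts "
              f"from {profile[day][2]} addresses")
```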
Cracking Alchemy on the iPhone
Posted by grymoire in Hacking, Shell Scripting on March 13, 2011
Someone asked me how I got all of the Recipes for Alchemy on the iPhone. The answer – I cheated. I hacked the system.
Let me describe how I did this. There is some simple perl scripting involved, which might be useful to people.
Step 1 – Jailbreak the iPhone
I’m a hacker. What can I say.
Step 2 – Getting the Alchemy Files
Find where the Alchemy application is stored.
You can open a terminal window, run find, and look for some file that has Alchemy in the name.
find / -name 'Alchemy*'
Instead of a terminal window, you might find it easier to ssh into the iPhone. You do have to use Cydia to install the various extra programs. I had the following installed
- Bourne-Again shell
- Openssh
Once OpenSSH is installed, you have to use your iPhone, check the settings, and find your IP address. Say it’s 192.168.1.222. The iPhone has a habit of shutting down its IP address if not in use. So refresh the IP address using the DHCP refresh, and then type
ssh -l mobile 192.168.1.222
The password for the user “mobile” is “alpine”
Then use ‘find’ to locate the file. Once you have found it, grab all of the Alchemy files by typing the following on your Linux machine (or Windows with Cygwin)
Copying the Alchemy files onto your Linux machine
scp -r mobile@192.168.1.181:/var/mobile/Applications/9E1E4FC0-B6CE-4036-8DFB-BCB5666D4741/Alchemy.app .
This will copy all of the files onto your computer.
The string above is on my machine. Your mileage may vary.
You can examine the files to see what they contain using “strings”, “od”, “emacs”, or whatever. It turns out that the file you want is Sparing.plist.
Next you want to decode the resource file that contains the recipes. I use perl. Looking at the various packages, the one that makes the most sense is the Mac::PropertyList module. Looking at its dependencies, it requires the XML::Entities module. Therefore, after you install perl, download and install the two Perl modules.
Step 3 – Getting Ready to use perl
Making it easier to install perl modules
I prefer to make sure /usr/local belongs to a certain UNIX group(5), such as adm, and that all of the subdirectories have group write permission.
In other words, type the following commands as root
chgrp -R adm /usr/local
chmod -R g+w /usr/local
Installing the two perl Modules
This way you can install modules without requiring root access. To make the modules, after you download them, type
tar xzf XML-Entities*
cd XML-Entities-*/
perl Makefile.PL
make
make install
cd ..
# And now do the next one
tar xzf Mac-PropertyList*
cd Mac-PropertyList-*/
perl Makefile.PL
make
make install
cd ..
Step 4-Extracting the Alchemy data from the Resource file
The Mac::PropertyList module creates a complex data structure with all of the information. The elegant thing to do is to write one perl program that reads the data and prints the results you want to get. But that takes more work. I prefer the “get the job done as easily as possible” school of programming. Rather than try to figure out the format of the complex data, the simplest thing to do is to let perl decode the binary information for you. The module to use is Data::Dumper, which outputs the structure of complex data. This is essential for the Perl programmer. You just give it a reference to a complex piece of data, and Data::Dumper will describe it. The code to read the file and dump the results is below:
#!/usr/bin/perl
use Mac::PropertyList qw( :all );
use Data::Dumper;
my $filename = "./Alchemy.app/Sparing.plist";
my $data = parse_plist_file( $filename );
my $text = plist_as_string( $data );
print Dumper($data);
Call this program List, add the +x attribute with chmod, and then type
./List >List.out
If you look at the output of this file, you will see something that looks like this
$VAR1 = bless( {
'Metal+Electricity' => bless( do{(my $o = 'Aluminium')}, 'Mac::PropertyList::string' ),
'Oil+Tool' => bless( do{(my $o = 'Petrol')}, 'Mac::PropertyList::string' ),
etc.
Aha! Clearly, Metal+Electricity creates Aluminum. Let’s write a perl script that reads this file, and outputs the recipe.
But some of the lines, like the first one, are in a different format. Well, perl can handle this very easily.
Parsing ASCII in perl
I usually use the following template to do string parsing
#!/usr/bin/perl -w
use strict;
#my $filename="List.out";
my $line;
while (defined($line=<>)) {
    # 'Metal+Electricity' => bless( do{(my $o = 'Aluminium')}, 'Mac::PropertyList::string' ),
    if ($line =~ /complexstring/) {
    } elsif ($line =~ /string/){
        print("You didn't match this line: $line\n");
    } else {
        print("Can't parse line: $line\n");
    }
}
I include the string I am trying to parse as a comment, to help me get the regular expression correct.
The second string is how I debug the first string
First attempt at matching an ASCII line in perl. I replace the strings I am trying to match, ‘Metal+Electricity’ and ‘Aluminum’, with “.*”
if ($line =~ /'.*' => bless( do{(my $o = '.*')}, 'Mac::PropertyList::string'/) {
} elsif ($line =~ /bless/){
But I want to remember the strings found within the ‘…’, so I need to add parentheses around them, so perl will remember them. This would be
if ($line =~ /'(.*)' => bless( do{(my $o = '(.*)')}, 'Mac::PropertyList::string'/) {
    printf("$1 => $2\n");
} elsif ($line =~ /bless/){
This is a start, but there is a problem. When I use sed, I need to put backslashes before the parentheses to mark them as special. Perl is the opposite. A backslash means the character is NOT special, or NOT a metacharacter.
So I need to put backslashes before the other parentheses
if ($line =~ /'(.*)' => bless\( do\{\(my $o = '(.*)'\)\}, 'Mac::PropertyList::string'/){
I also needed to put backslashes before the braces. Running this gives me the error
Global symbol "$o" requires explicit package name at ./ParseBug.pl line 6.
(Smack forehead) I also need to put a backslash before the ‘$’
Sometimes I need to experiment with the regex, and the second line, where the ‘/bless/’ is shown, is a guess. Note that this also prints out lines that don’t match anything.
Eventually, I get this right. The final version is
#!/usr/bin/perl -w
use strict;
#my $filename="List.out";
my $line;
while (defined($line=<>)) {
    if ($line =~ /'(.*)' => bless\( do\{\(my \$o = '(.*)'\)\}, 'Mac::PropertyList::string'/){
        printf("%s=%s\n", $2, $1);
    } elsif ($line =~ /bless/) {
        print("missed line: $line\n");
    } elsif ($line =~ /VAR1/) {
    } elsif ($line =~ /Mac::PropertyList::dict/) {
    } else {
        print("Can't parse line: $line\n");
    }
}
This prints out all of the recipes
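An added example of mine, not code from the post, showing the more direct route the post mentions but skips: read Sparing.plist itself with Python’s standard plistlib instead of going through the Data::Dumper text and a regex. The plist bytes below are constructed from a few of the entries shown above; the real file has the same shape, a dict of “A+B” keys to product strings, which plistlib hands back as a Python dict whether the file is XML or binary.

```python
import plistlib

# Constructed stand-in for Sparing.plist: a few entries copied from the dump above.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Metal+Electricity</key><string>Aluminium</string>
<key>Oil+Tool</key><string>Petrol</string>
<key>Nuclearbomb+*</key><string>Ash</string>
<key>Tree+Fire</key><string>Ash</string>
</dict></plist>"""

def load_recipes(blob):
    """Decode a plist (XML or binary; plistlib sniffs the header) into {(a, b): product}.
    A key with no '+' (if one ever appears) becomes (key, '') rather than crashing."""
    recipes = {}
    for combo, product in plistlib.loads(blob).items():
        a, _, b = combo.partition("+")
        recipes[(a, b)] = str(product)
    return recipes

def recipe_lines(recipes):
    """Render as 'Product=A+B' lines, sorted the way the list in the post is."""
    return sorted(f"{product}={a}+{b}" for (a, b), product in recipes.items())

def count_recipes(recipes, wildcard="*"):
    """Recipes using the wildcard element match anything, so leave them out of the total."""
    return sum(1 for (a, b) in recipes if wildcard not in (a, b))

def read_sparing_plist(path="./Alchemy.app/Sparing.plist"):
    """Read the real file copied from the phone, at the path the post uses."""
    with open(path, "rb") as f:
        return load_recipes(f.read())

if __name__ == "__main__":
    recipes = load_recipes(SAMPLE_PLIST)
    for line in recipe_lines(recipes):
        print(line)
    print(count_recipes(recipes), "recipes without wildcards")
```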
Complete list of Alchemy for iPhone
Posted by grymoire in Hacking, Technology on March 5, 2011
Looking for the solution to Alchemy?
Here’s the complete list of 226 (now 231) recipes for the iPhone’s version of Alchemy.
I checked the game, and I think the programmer counted wrong. You see, some of the recipes use “*” as an element. This is a wildcard, and matches any element. So it should not be counted. If you get a score of 230, you win.
Note. This is “Alchemy”. This is NOT the following games:
- Zed’s Alchemy
- Master of Alchemy
- Alchemy Premium
This list is for the version created by Vitaliy Grinevetsky and Denis Butyletskiy. Copyright 2010.
NOTE here is the Walkthrough I wrote
Updated – New program
I had a bug that hid some of the combinations. Thanks for the comment, Mark. You pointed out my error.
Here are the new items in version 1.5
Grave = Corpse + Soil
Pinocchio = Wood + Life
Pillow = Feather + Fabric
Bank = Money + Brick House
Cockroach = Radiation + Bug
Total List
Air=Basic Element
Fire=Basic Element
Water=Basic Element
Soil=Basic Element
1up=Mushroom+Life
Acid=Fire+Sulfur
Acid Rain=Rain+Acid
AI=Computer+Life
Airplane=Bird+Metal
Alcohol=Water+Fire
Alien=Space+Life
Aluminium=Metal+Electricity
Ape=Human+Wool
Aquaman=Fish+Human
Aquarium=Glass+Fish
Arable Land=Soil+Tool
Ash=Book+Fire
Ash=Dragon+Human
Ash=Dragon+Hunter
Ash=Fire+Corpse
Ash=Fire+Dust
Ash=Fire+Lizard
Ash=Fire+Tobacco
Ash=Fire+Walking Tree
Ash=Fire+Worm
Ash=Moss+Fire
Ash=Nuclearbomb+*
Ash=Paper+Fire
Ash=Snake+Fire
Ashtray=Ash+Glass
Ash=Tree+Fire
Ash=Water+Fire Golem
Ash=Wood+Fire
Baby=Human+Sex
Bacterium=Swamp+Life
Bank=Money+Brick house
Beach=Water+Sand
Beast=Soil+Lizard
Beer=Alcohol+Bread
Beer=Wheat+Alcohol
Bird=Air+Egg
Bird=Air+Lizard
Bird=Bird+Bird
Blood=Beast+Hunter
Blood=Dinosaur+Human
Blood=Dinosaur+Hunter
Blood=Hunter+Bird
Blood=Warrior+Beast
Blood=Warrior+Dinosaur
Blood=Warrior+Dragon
Blood=Warrior+Human
Boat=Water+Wood
Boiler=Metal+Steam
Bomber=Plane+Bomb
Bomb=Metal+Gunpowder
Book=Paper+Feather
Bread=Fire+Dough
Brick=Clay+Fire
Brick house=Concrete+Brick
Bug=Soil+Worm
Bulb=Electricity+Glass
Bungalow=Hut+Beach
Business=Money+Human
Butterfly=Air+Worm
Cart=Wood+Wheel
Caviar=Fish+Fish
CD=Laser+Book
Cellphone=Radiowave+Computer
Cement=Clay+Limestone
Ceramics=Clay+Human
Cigarette=Paper+Tobacco
Clay=Swamp+Sand
Cleaner=Clobber+Human
Clobber=Fabric+Patient
Clone=Scientist+Livestock
Clothing=Fabric+Human
Cloud=Steam+Air
Coal=Nuclearbomb+*
Coal=Tree+Fire
Coal=Wood+Fire
Cockleshell=Stone+Plankton
Cockroach=Radiation+Bug
Coffee=Seeds+Energy
Columbus=Hero+Sailing Vessel
Computer=TV+Book
Concrete=Water+Cement
Cop=Hero+NewYork
Corpse=Fire+Human
Corpse=Human+Poison
Corpse=Patient+Doctor
Corpse=Patient+Medicine
Corpse=Patient+Shaman
Corpse=Warrior+Human
Cyborg=Computer+Human
Developer=Computer+Sex
Dinosaur=Dinosaur+Dinosaur
Dinosaur=Dinosaur+Human
Dinosaur=Dinosaur+Hunter
Dinosaur=Soil+Egg
Doctor=Human+Book
Doctor=Patient+Doctor
Dough=Water+Flour
Dragon=Dinosaur+Fire
Dragon=Dragon+Human
Dragon=Dragon+Hunter
Dragon=Flying Dinosaur+Fire
Drinker=Alcohol+Human
Drinker=Beer+Human
Drinker=Vodka+Human
Dust=Air+Soil
Dust=Nuclearbomb+*
Egg=Bird+Bird
Egg=Dinosaur+Dinosaur
Egg=Life+Stone
Egg=Lizard+Lizard
Egg=Snake+Snake
Egg=Turtle+Turtle
Electricity=Scientist+Energy
Elixir=Philosopher+Stone
Energy=Air+Fire
Energy=Fire+Alcohol
Energy=Nuclearbomb+*
Energy=Water+Fire Golem
Energy=Water+Lava Golem
Fabric=Tool+Wool
Fart=Human+Peas
FBI=Cop+Scientist
Feather=Hunter+Bird
Fern=Swamp+Moss
Fire-arms=Weapon+Gunpowder
Firefighter=Hero+Fire
Firefly=Fire+Bug
Fire Golem=Life+Fire
Fire=Nuclearbomb+*
Fire=Stone+Stone
Fish=Bacterium+Plankton
Fish=Water+Snake
Flour=Stone+Wheat
Flying Dinosaur=Air+Dinosaur
Fried Egg=Fire+Egg
Fried Meat=Meat+Fire
Frog=Fish+Swamp
Ghoul=Zombie+Corpse
Glass=Fire+Sand
Gold=Elixir+*
Golem=Clay+Life
Grass=Soil+Moss
Grave=Corpse+Soil
Gunpowder=Saltpeter+Sulfur
Hacker=Internet+Pirate
Hero=Warrior+Dragon
Hospital=Brick house+Doctor
HouseMD=Doctor+Vicodin
HouseMD=Patient+HouseMD
Human=Beast+Human
Human=Golem+Life
Human=Life+Beast
Human=Livestock+Human
Human=Metal+Human
Human=Patient+HouseMD
Hunter=Beast+Hunter
Hunter=Hunter+Bird
Hunter=Weapon+Human
Hut=Stone+Human
Internet=Computer+Computer
Japanese=Human+Rice
Kamasutra=Book+Sex
Katana=Japanese+Metal
Lake=Water+Water
Lamp=Glass+Fire
Laser=Radiowave+Fire
Lava Golem=Life+Lava
Lava=Nuclearbomb+*
Lava=Soil+Fire
Life=Swamp+Energy
Lighthouse=Brick house+Lamp
Limestone=Stone+Cockleshell
Livestock=Beast+Human
Livestock=Livestock+Grass
Lizard=Lizard+Lizard
Lizard=Snake+Worm
Lizard=Swamp+Egg
Manga=Japanese+Book
Manure=Livestock+Grass
Meat=Beast+Hunter
Meat=Hunter+Bird
Meat=Livestock+Human
Medicine=Shaman+Poison
Mercury=Metal+Fire
Metal Golem=Life+Metal
Metal=Stone+Fire
Meteorite=Space+Stone
Microwave=Energy+Radiowave
Milk=Livestock+Grass
Milk=Livestock+Human
Money=Gold+Paper
Moss=Swamp+Seaweed
Murderer=Poison Weapon+Human
Mushroom=Seaweed+Soil
NewYork=USA+Skyscraper
Ninja=Samurai+Poison Weapon
Nuclearbomb=Scientist+Bomb
Ocean=Sea+Sea
Oil=Coal+Water
Paper=Tool+Reed
Patient=Human+Bacterium
Patient=Human+Egg
Patient=Human+Patient
Peas=Arable Land+Seeds
Petrol=Oil+Tool
Phantom=Fire+Walking Tree
Phantom=Life+Ash
Phantom=Nuclearbomb+*
Philosopher=Scientist+Grass
Phoenix=Fire+Bird
Pig-iron=Metal+Coal
Pillow=Feather+Fabric
Pilot=Plane+Human
Pinocchio=Wood+Life
Pirate=Murderer+Sailing Vessel
Plane=Bird+Aluminium
Plankton=Bacterium+Water
Poison=Mushroom+Tool
Poison=Snake+Tool
Poison=Tool+Scorpion
Poison Weapon=Weapon+Poison
Pub=Brick house+Beer
Radiation=Nuclearbomb+*
Radiowave=Energy+Metal
Rain=Cloud+Water
Reed=Swamp+Grass
Rice=Arable Land+Reed
Robot=Japanese+Tool
Rocket=Plane+Gunpowder
Rust=Water+Metal
Sailing Boat=Boat+Fabric
Sailing Vessel=Wooden ship+Fabric
Salt=Acid+Metal
Saltpeter=Limestone+Manure
Samurai=Japanese+Weapon
Sand=Air+Stone
Sand=Nuclearbomb+*
Sandstorm=Sand+Storm
Sand=Water+Stone
Scientist=Doctor+Book
Scorpion=Bug+Sand
Sea=Salt+Lake
Seaweed=Water+Life
Seeds=Grass+Grass
Seeds=Life+Sand
Seeds=Tree+Tree
Sex=Human+Human
Shaman=Mushroom+Human
Shop=Clothing+Brick house
Skydiver=Clobber+Pilot
Skyscraper=Brick house+Glass
Snake=Sand+Worm
Snake=Snake+Snake
Snake=Swamp+Worm
Sniper=Fire-arms+Murderer
Space=Ocean+Air
Speedboat=Boat+Rocket
Starwars=Laser+Weapon
Steam Engine=Boiler+Coal
Steam Locomotive=Steam Engine+Cart
Steamship=Wooden ship+Steam Engine
Steam=Water+Air
Steam=Water+Fire Golem
Steam=Water+Lava
Steam=Water+Lava Golem
Stone=Air+Lava
Stone=Stone+Stone
Stone=Water+Lava
Stone=Water+Lava Golem
Storm=Air+Energy
Storm=Nuclearbomb+*
Submariner=Human+Submarine
Submarine=Whale+Metal
Sulfur=Bacterium+Swamp
Sun=Space+Lava
Sushi=Fish+Seaweed
Swamp=Water+Soil
T-1000=Cyborg+Mercury
Team=Beast+Cart
Tequila=Alcohol+Worm
Terrorist=Bomb+Murderer
Thermometer=Mercury+Glass
Thunderbird=Storm+Bird
Tobacco=Fire+Grass
Tool=Metal+Human
Tool=Tool+Metal
Tool=Tool+Wool
Tool=Tree+Tool
Torpedo=Rocket+Water
Toy=Baby+*
Tree=Soil+Seeds
Turtle=Sand+Egg
Turtle=Turtle+Turtle
TV=Radiowave+Bulb
UFO=Alien+Rocket
USA=Columbus+Ocean
Vampire=Blood+Human
Vampire=Vampire+Beast
Vampire=Vampire+Human
Vicodin=Medicine+Medicine
Vodka=Water+Alcohol
Volcano=Lava+Stone
Walking Tree=Tree+Life
Warrior=Warrior+Beast
Warrior=Warrior+Dinosaur
Warrior=Warrior+Human
Warrior=Weapon+Hunter
Warship=Wooden ship+Weapon
War=Warrior+Warrior
Weapon=Tool+Metal
Werewolf=Vampire+Beast
Whale=Beast+Water
Whale=Plankton+Fish
Wheat=Arable Land+Grass
Wheel=Wood+Tool
Whiskey=Alcohol+Fire
Wooden ship=Wood+Boat
Wood=Tree+Tool
Wool=Beast+Hunter
Wool=Livestock+Human
Worm=Bacterium+Swamp
Worm=Human+Egg
Worm=Soil+Plankton
X-Files=FBI+Alien
Yoda=Shaman+Starwars
Yogurt=Bacterium+Milk
Zombie=Life+Corpse
This link was helpful. So was OpenSSH, and looking at Sparing.plist.
I started using perl to make things easier to manage.
Using Snort and Munin on Ubuntu
Here’s a little tip to get munin integrated with snort on an Ubuntu box
Assumptions
I assume you have snort running with acidbase. There are some steps needed to make sure mysql is set up. I’m not covering this at this time. If there are questions, I’ll cover it later.
So make sure the following are installed
- snort-mysql
- acidbase – although this is not necessary
- munin
Snort changes
In the /etc/snort/snort.conf file, you need to add/uncomment the following line
preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
Then you need to make this directory.
mkdir /var/snort
chown adm /var/snort
chgrp adm /var/snort
chmod 750 /var/snort
This is needed because you need a directory to store munin stats in, and this should not be /var/log/snort, which should have greater protection.
Munin changes
Munin should be in the “adm” group as part of the install.
Next, go to /etc/munin/plugins
and type
cp -i /usr/share/munin/plugins/snort* /etc/munin/plugins/.
I first used a symbolic link, but I found that these files had a bug in them. I tested them using
sudo munin-run snort_alerts
and the response was
EOF: command not found
To fix this, you have to use a text editor to remove the line that says “EOF” in these files.
Now I could write a script to do this, of course
cd /usr/share/munin/plugins
for i in snort_*
do
sed '/EOF/d' <$i >/etc/munin/plugins/$i
done
Test that munin runs by running (with sudo)
munin-run snort_alerts
you should get a value and a number, like
alerts.value 0.414
Then you need to restart snort, and munin. If your normal userid is in the group munin, then you can use munin-run yourself.
If all is working, you should have the file /var/snort/snort.stats – note that it takes a few minutes before data starts to appear.
and when you visit your server’s web page http://127.0.0.1/munin/
you should see a snort category. Enjoy