Sunday, May 14, 2017

RADIUS server, SCP and swipe card questions.

 4.You are onsite as a consultant. The client’s many remote-access users experience connection problems. Basically, when users try to connect, the system cannot service their authentication requests. What kind of server might you recommend to alleviate this problem?
 A. RADIUS server
 B. IPsec server
 C. Proxy server
 D. Kerberos server
5. Which of the following services or protocols use SSH technology to provide additional security to communications? (Choose two.)
 A. SCP
 B. SFTP
 C. SNMP
 D. SMTP
6. Which of the following systems use a credit card-sized plastic card read by a reader on the outside of the door?
 A. Contiguity reader
 B. Key fob
 C. Swipe card
 D. Cipher lock


4. A. A RADIUS server moves the work of authenticating remote-access users onto a dedicated server, so connection attempts no longer queue up waiting for authentication. A proxy server would not improve the remote-access (dial-up) connection's performance. IPsec is a protocol suite rather than a server role, and although Kerberos needs a key distribution center, it is not the dedicated remote-access authentication service the question describes.
5. A, B. Secure Shell (SSH) is used by both Secure Copy (SCP) and SFTP (the SSH File Transfer Protocol). Answers C and D are incorrect because Simple Network Management Protocol (SNMP) and Simple Mail Transfer Protocol (SMTP) do not use SSH for additional security.
6. C. Swipe card systems use a credit-card-sized plastic card read by a reader on the outside of the door. To enter the server room, you must swipe the card (run it through the reader), at which point it is read by the reader, which validates it.






netstat and arp questions with answers

 1. What command can you issue from the command line to view the status of the system’s ports?
 A. netstat -p
 B. netstat -o
 C. netstat -a
 D. netstat -y
2. Which of the following tools can you use to perform manual DNS lookups on a Linux system? (Choose two.)
 A. dig
 B. nslookup
 C. tracert
 D. dnslookup
3. Which of the following commands generates a “Request Timed Out” error message?
 A. ping
 B. netstat
 C. ipconfig
 D. nbtstat
4. Which of the following commands would you use to add a static entry to the ARP table of a Windows system?
 A. arp -a IP Address MAC Address
 B. arp -s MAC Address IP Address
 C. arp -s IP Address MAC Address
 D. arp -i IP Address MAC Address
5. Which command created the following output?
Server:  nen.bx.ttfc.net
Address:  209.55.4.155

Name:    examcram.com
Address:  63.240.93.157
 A. nbtstat
 B. ipconfig
 C. tracert
 D. nslookup

Answers

1. C. Administrators can quickly determine the status of the system's ports by issuing netstat -a from the command line. The output lists every connection and every listening port, so you can see which ports are open and listening.
2. A, B. Both the dig and nslookup commands can be used to perform manual DNS lookups on a Linux system. You cannot perform a manual lookup with the tracert command. There is no such command as dnslookup.
3. A. The ping command generates a “Request Timed Out” error when it cannot receive a reply from the destination system. None of the other commands listed produce this output.
4. C. The command arp -s IP Address MAC Address correctly adds a static entry to the ARP table. arp -a only displays the table, arp -s expects the IP address before the MAC address, and -i is not a switch of the Windows arp command.
5. D. The output was produced by the nslookup command. The other commands listed produce different output.
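As an added example (not part of the original question set), here is a small Python parser for `netstat -an` output that lists the listening sockets the netstat -a answer refers to and flags the NetBIOS/SMB ports (137, 138, 139, 445) that the WannaCry advice elsewhere on this page says to block. The sample output is constructed for the example, not captured from a real host.

```python
import re

# NetBIOS/SMB ports; a host with these reachable from untrusted networks is exposed to
# SMB-borne worms such as WannaCry (see the mitigation notes elsewhere on this page).
SMB_PORTS = {137, 138, 139, 445}

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49700     93.184.216.34:443      ESTABLISHED
  TCP    192.168.1.10:49712     93.184.216.34:443      TIME_WAIT
  TCP    [::]:3389              [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:5353           *:*
"""

# One socket row: protocol, local endpoint, foreign endpoint and (TCP only) a state column.
SOCKET_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, local_ip, local_port, state) tuples; non-socket lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SOCKET_ROW.match(line)
        if not m:
            continue
        proto, local, _foreign, state = m.groups()
        # rsplit handles IPv6 literals such as [::]:3389 as well as 0.0.0.0:445
        ip, port = local.rsplit(":", 1)
        rows.append((proto, ip, int(port), state or ""))
    return rows


def listening_sockets(text):
    """TCP sockets in LISTENING state plus every bound UDP socket (UDP rows carry no state)."""
    return sorted({(proto, port) for proto, _ip, port, state in parse_netstat(text)
                   if (proto == "TCP" and state == "LISTENING") or proto == "UDP"})


def exposed_smb_ports(text):
    """Ports from SMB_PORTS that are bound on this host, i.e. the ones worth firewalling."""
    return sorted({port for _proto, port in listening_sockets(text) if port in SMB_PORTS})


if __name__ == "__main__":
    for proto, port in listening_sockets(SAMPLE_NETSTAT):
        print(proto, port)
    print("SMB/NetBIOS ports bound:", exposed_smb_ports(SAMPLE_NETSTAT))
```

Feed it real output with `parse_netstat(subprocess.check_output(["netstat", "-an"], text=True))`; on a workstation that should never serve SMB, anything returned by `exposed_smb_ports` is a finding.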

WikiLeaks: CIA used bits of Carberp Trojan code for malware deployment


The CIA's hacking operations allegedly borrowed elements from the Carberp financial malware after its code leaked in 2013, writes Michael Kan.

When the source code to a suspected Russian-made malware leaked online in 2013, guess who used it? A recent release from WikiLeaks claims the US CIA borrowed some of the code to bolster its own hacking operations. In April, WikiLeaks released 27 documents that allegedly detail how the CIA customised its malware for Windows systems. The CIA borrowed a few elements from the Carberp financial malware when developing its own hacking tool, known as Grasshopper, according to those documents.

Carberp gained infamy as a Trojan program that can steal online banking credentials and other financial information from its victims' computers. The malware, which likely came from the criminal underground, was particularly problematic in Russia and other former Soviet states. In 2013 the source code was leaked, sparking worries in the security community that more cybercriminals might use the malware.

The WikiLeaks release includes supposed CIA user manuals that show the agency took an interest in the malware, especially in the way it can survive and linger on a Windows PC. "The persistence method, and parts of the installer, were taken and modified to fit our needs," the US spy agency allegedly wrote in one manual, dated January 2014.

It's unclear why the agency chose Carberp. However, the borrowed elements were only used in one 'persistence module' meant for the CIA's Grasshopper hacking tool. That tool is designed to build custom malware configured with different payloads, according to a separate document. The WikiLeaks release describes several other modules that work with Grasshopper to let malware persist on a PC, such as by leveraging Windows Task Scheduler or a Windows registry run key. However, no actual source code was included in the release.

Nevertheless, the documents will probably help people detect the CIA's hacking tools, which is WikiLeaks' intention in releasing the classified information. In March, WikiLeaks began releasing a trove of secret files allegedly obtained from the CIA. Those first leaks described how the agency has a library of hacking techniques borrowed from malware out in the wild. The US spy agency has so far declined to comment on the authenticity of WikiLeaks' document dump.

Saturday, May 13, 2017

Measures against WannaCry


At present there is no WannaCry decryption tool or any other fix available, so users are strongly advised to follow these preventive measures to protect themselves.

• Keep your system updated: first of all, if you are running a supported but older version of Windows, keep it updated, or simply upgrade to Windows 10.
• Unsupported Windows version? If you are running an unsupported version of Windows, including Windows XP, Vista, Server 2003 or 2008, apply the emergency patch Microsoft released today.
• Enable the firewall: enable the firewall, and if it is already on, change its settings to block access to the SMB ports from the network or the Internet. The protocol uses TCP ports 137, 139 and 445 and UDP ports 137 and 138.
• Disable SMB: follow the steps described by Microsoft to disable Server Message Block (SMB); see the references below.
• Keep your antivirus software updated: virus definitions have already been updated to protect against this latest threat.
• Back up regularly: keep a good backup routine on an external storage device that is not permanently connected to your PC.
• Beware of phishing: always be suspicious of unsolicited documents sent by e-mail, and never click links inside such documents unless you have verified the source.
• Mohit Kumar, Entrepreneur, Hacker (The Hacker News)

How to gracefully remove SMB v1 in Windows 8.1, Windows 10, Windows 2012 R2, and Windows Server 2016


Windows Server: Server Manager method (remove the SMB1 feature from the Dashboard; screenshot omitted)

Windows Server: PowerShell method

Remove-WindowsFeature FS-SMB1

Windows Client: Add or Remove Programs method (screenshot omitted)

Windows Client: PowerShell method, from a PowerShell prompt started as Administrator

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

Both PowerShell commands need a restart before SMB1 is fully gone, and removing it breaks access to any remaining SMB1-only devices (old NAS boxes, printers, scanners), so inventory those first.

For more information, see Server storage at Microsoft.


References:

https://support.microsoft.com/en-in/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

http://thehackernews.com/2017/05/wannacry-ransomware-windows.html







Fact Sheet: WannaCry Ransomware
1. About WannaCry
 Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
 Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It
uses the EternalBlue exploit for the SMBv1 flaw fixed by MS17-010 to propagate (that bulletin also ships fixes for Windows 10, so patch those hosts too).
 Ransom: Between $300 to $600.
 Backdoor: The worm loops through every RDP session on a system to run the ransomware as that
user. It also installs the DOUBLEPULSAR backdoor.
2. Prominent Infections
 NHS (UK) turning away patients, unable to perform x-rays.
 Telefonica (Spain)
 FedEx (USA)
 University of Waterloo (Canada)
 Russia interior ministry & Megafon (Russia)
 Sberbank (Russia)
 Shaheen Airlines (India, claimed on twitter)
 Train station in Frankfurt (Germany)
 Neustadt station (Germany)
 The entire network of German Rail seems to be affected (@farbenstau)
 Russian Railroads (RZD), VTB Russian bank
 Portugal Telecom
3. Informative Tweets
 Sample released by ens: hxxps[:]//twitter.com/the_ens/status/863055007842750465
 Onion C&Cs extracted: hxxps[:]//twitter.com/the_ens/status/863069021398339584
 EternalBlue confirmed: hxxps[:]//twitter.com/kafeine/status/863049739583016960
 Shell commands: hxxps[:]//twitter.com/laurilove/status/863065599919915010
 Maps/stats: hxxps[:]//twitter.com/laurilove/status/863066699888824322
 Core DLL: hxxps[:]//twitter.com/laurilove/status/863072240123949059
 Hybrid-analysis: hxxps[:]//twitter.com/PayloadSecurity/status/863024514933956608
 Impact assessment: hxxps[:]//twitter.com/CTIN_Global/status/863095852113571840
 Uses DoublePulsar: hxxps[:]//twitter.com/laurilove/status/863107992425779202
 Your machine is attacking others:
hxxps[:]//twitter.com/hackerfantastic/status/863105127196106757
 Tor hidden service C&C:
hxxps[:]//twitter.com/hackerfantastic/status/863105031167504385










(Source: Paladion fact sheet, www.paladion.net, marked "Paladion | Confidential")

 FedEx infection vector: hxxps[:]//twitter.com/jeancreed1/status/863089728253505539
 HOW TO AVOID INFECTION:
hxxps[:]//twitter.com/hackerfantastic/status/863070063536091137
 More of this to come:
hxxps[:]//twitter.com/hackerfantastic/status/863069142273929217
 C&C hosts: hxxps[:]//twitter.com/hackerfantastic/status/863115568181850113
 Crypted files will be deleted after countdown:
hxxps[:]//twitter.com/laurilove/status/863116900829724672
 Claim of attrib [take with salt]:
hxxps[:]//twitter.com/0xSpamTech/status/863058605473509378
 Track the bitcoins: hxxps[:]//twitter.com/bl4sty/status/863143484919828481
4. Cryptography Used
 Encrypted via AES-128-CBC (custom implementation in the binary)
 AES key generated with a CSPRNG, CryptGenRandom
 AES key is encrypted by RSA-2048 (windows RSA implementation)
 hxxps[:]//haxx.in/key1.bin (the ransomware pubkey, used to encrypt the aes keys)
 hxxps[:]//haxx.in/key2.bin (the dll decryption privkey) the CryptImportKey() rsa key blob
dumped from the DLL by blasty.
5. Bitcoin ransom addresses
Three addresses found hard coded into the malware:
 hxxps[:]//blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
 hxxps[:]//blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

 hxxps[:]//blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Monday, May 8, 2017

RAID 1

Your manager asks you to implement a fault-tolerant disk solution on your server. You have two 3TB hard disks and two controllers, so you decide to implement RAID 1. After the installation, your manager asks you how much storage space is now available for storing data. What do you tell her?
 A. 3TB
 B. 4TB
 C. 6TB
 D. 12TB


Answer: A. A two-disk mirror holds a full copy of the data on each disk, so the usable capacity equals one disk: 3TB.

RAID-1, also called disk mirroring, uses two disks and writes a copy of the data to both disks, providing fault tolerance in the case of a single drive failure.

RAID 1 is mirroring, or duplexing if two controllers are used. Requiring at least two drives, RAID 1 writes the same data to each drive. RAID 1 arrays have great fault tolerance, but because each drive contains the full copy, they are about as fast as a single drive when writing. Read times are faster, though, because the controller can read from both drives together.

Another option to consider is using multiple drives in a RAID array. This gives you redundancy: if one drive in the array fails, your data is still on the other. This isn't a replacement for taking regular backups, but it does protect you against a drive failure. With RAID 1, the simplest configuration, two drives are mirrored. All data is written to both drives but read from one (which can give improved read performance, as the data comes from whichever drive seeks to it first). Most distro installers will handle installing to a RAID array, but with RAID 1 you can also install to a single drive and add the second to create the array. RAID is handled by the Linux kernel, so do not enable any RAID settings on your motherboard.

802.1X

To increase wireless network security, you have decided to implement port-based security. Which of the following standards specifies port-based access control?


 A. 802.11X
 B. 802.1X
 C. 802.11ac
 D. 802.11n

Answer: B. 802.1X is the IEEE standard for port-based network access control; the 802.11 entries are wireless PHY/MAC standards, and 802.11X does not exist.
802.1x
EAP was a huge success and almost overnight gave those who needed point-to-point authentication a one-stop-shop methodology to do so. EAP was so successful that there was a cry to develop an EAP solution for Ethernet networks. This solution is called 802.1X. Whereas traditional EAP is nothing more than an authentication method wrapped in PPP, 802.1X gets rid of the PPP (Ethernet is not a point-to-point protocol!) and instead puts the EAP information inside an Ethernet frame.
802.1X is a port-authentication network access control mechanism for networks. In other words, it’s a complete authentication standard designed to force devices to go through a full AAA process to get anywhere past the interface on a gateway system. Before 802.1X, a system on a wired network could always access another system’s port. 
From Mike Meyers 

DHCP Relay Agent

Your company has two subnets on its network. Subnet A uses 192.168.1.X, subnet B uses 192.168.2.X. An Administrator installs a new server on subnet A and assigns it the address of 192.168.1.2, with a DHCP scope of 192.168.2.2–192.168.2.100. The users on subnet A complain that they cannot connect to company resources. The users on subnet B have no problems. How would you correct this problem?
  • A. Add a DHCP Relay Agent
  • B. Add a second DHCP Scope
  • C. Add an Alias record for subnet A to the DNS server
  • D. Have the users on Subnet A reboot their machines

Answer: B. The new server sits on subnet A, so subnet A clients' DHCP broadcasts reach it directly, but its only scope hands out 192.168.2.x addresses, so it has nothing to offer 192.168.1.x clients. Adding a second scope for subnet A fixes the problem. Subnet B keeps working because its requests are presumably being relayed to the server and matched against the existing scope; a relay agent is the mechanism for serving other subnets, not a fix for the server's own subnet.

Some types of broadcast traffic, such as DHCP messages, need to travel beyond the broadcast domain. Not every VLAN has its own DHCP server; a centrally managed DHCP server can serve multiple VLANs if a DHCP relay agent is configured. A router configured as a relay agent receives the client's broadcast and creates a unicast message of its own to carry the DHCP traffic beyond the broadcast domain. On Cisco devices the ip helper-address interface command does this, and by default it forwards several kinds of UDP broadcast, including DHCP/BOOTP, TFTP, DNS and NetBIOS name service.

Forensics

"As a result, technologies that enable fast search and analysis of evidence on 'live' systems have flourished over the past decade and formed the basis of what is known as the endpoint detection and response market," he said. EDR products typically offer some combination of the following capabilities:

Continuous recording of telemetry from key points, such as executed processes or network connections, to provide a readily available timeline of activity on a system. This is analogous to a black-box recorder on an aircraft, he said. Access to this telemetry removes the need to reconstruct historical events from a system's native sources of evidence. It may be less useful in cases where the investigation technology is deployed into an environment after a breach has already occurred.

Analysis and search of a system's forensic sources of evidence, that is, what the operating system preserves on its own during normal operation. This includes the ability to run fast, targeted searches for files, processes, log entries, artifacts in memory and other evidence across systems at scale. It complements the use of a continuous event recorder and can be used to widen the scope of an investigation and find additional leads that might otherwise not have been preserved.

Alerting and detection. Products can proactively collect and analyze the data sources above and compare them against structured threat intelligence (such as indicators of compromise), rules or other heuristics intended to detect malicious activity.

Evidence collection from individual hosts. As investigators identify systems that need closer inspection, they can conduct "deep dive" data collection and analysis across the whole of a subject system's historical telemetry (if present and recorded), its files on disk and its memory. Most organizations prefer to perform remote analysis and triage of live systems rather than comprehensive forensic imaging whenever possible, he said.
http://www.itworld.com/article/3192348/security/computer-forensics-follows-the-bread-crumbs-left-by-perpetrators.html

Thursday, May 4, 2017

Injection

A1: Injection

SQL injection is the most common type of injection attack, and Grails applications are largely immune to these, but not entirely. An SQL injection attack typically consists of tricking the application into running SQL queries or updates that either damage data or expose information. This can happen when you have a search form or other web page that accepts user input and you use the input as part of a dynamically generated SQL query without properly escaping the inputs.
Using regular JDBC, you can use a java.sql.Statement to run a select query; for example:
String sql = "select * from person where username ='" + params.username + "'"
ResultSet rs = statement.executeQuery(sql)
This works well if you have control over the inputs, but users can enter whatever they want in your form. If someone enters foo, then the where clause of your query will be where username ='foo', but if a hacker enters ' or '1'='1, then it will be select * from person where username ='' or '1'='1'. Because '1'='1' is always true, the or results in the query returning unexpected records (in this case, all of them). Tricks like this can be used to bypass password checks during login or create a denial-of-service style attack where too much data is returned from the database repeatedly, or even to damage data or tables. If you use execute instead of executeQuery, you can mix select queries and updates and allow real damage:
boolean ok = statement.execute(sql)
If a hacker submits '; drop table foo; -- or '; truncate table foo; --, you’ll be scrambling to restore the database from the most recent backup.
The problem here is that we’re trusting the users to do the right thing. The deeper problem is a failure to escape the user input properly before sending it to the database. You could look for patterns like the ones I’ve shown and implement a whitelist/blacklist filtering approach to using user-submitted data in your queries, but the best approach is to let the database driver do the work for you. Rather than using a Statement, use a PreparedStatement with parameter placeholders in the SQL:
String sql = "select * from person where username = ?"
PreparedStatement ps = connection.prepareStatement(sql)
ps.setString(1, params.username)
ResultSet rs = ps.executeQuery()
Now, if an unfriendly user submits a username with quote characters, they will be escaped properly (the approach is different for various databases, but the driver handles it for us) and the worst-case scenario now is an SQLException.
Fortunately for us, Hibernate uses a PreparedStatement for criteria queries, and all Grails queries are converted to criteria queries under the hood (the exception being single-element queries like get() or read(), which also use a PreparedStatement). You can see this by turning on SQL logging and enabling SQL comments in DataSource.groovy:
dataSource {
   ...
   logSql = true
}
hibernate {
   ...
   format_sql = true
   use_sql_comments = true
}
Given this simple domain class:
class Person {
   String username
}
You can use a few different approaches to find a user by username:
Person.findByUsername(params.username)

Person.where { username == params.username }.find()

Person.createCriteria().get {
   eq 'username', params.username
}
and each of these results in roughly the same SQL:
Hibernate:
    /* criteria query */ select
        this_.id as id0_0_,
        this_.version as version0_0_,
        this_.username as username0_0_
    from
        person this_
    where
        this_.username=?
You can see from the comment that Hibernate generated the SQL from a criteria query and, from the SQL, that a PreparedStatement is being used because the username parameter isn’t the actual string being queried, but the ? placeholder.
So we're safe from SQL injection attacks in the general case, but we can also use HQL queries with the executeQuery and executeUpdate methods. Hibernate converts our HQL to SQL, so naive string concatenation of HQL can open up an SQL injection vulnerability:
Person.executeQuery("from Person where username='" + params.username + "'")
Hibernate has no way of knowing that a parameter should be escaped, because it just sees the final concatenated string. But, of course, HQL has the same support for placeholder replacement as SQL:
Person.executeQuery('from Person where username=?', [params.username])
and also has support for more readable named parameters:
Person.executeQuery('from Person where username=:username',
                    [username: params.username])
So, as long as you use the standard GORM methods to run your queries and are careful with HQL queries, you should be safe from SQL injection risks. Note that Groovy GStrings don't help here and, in fact, hide the problem to a certain extent. I could have written the SQL above as "select * from person where username ='${params.username}'" and the HQL as "from Person where username='${params.username}'"; the lack of + characters in the code can make it more likely that this would get missed in a code review.
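The same Statement-versus-PreparedStatement contrast, as an added example in Python with SQLite (not the Grails code from the book): the vulnerable functions concatenate the username exactly as the JDBC snippet above does, and the safe function binds it as a parameter. The person table and its rows are constructed for the example.

```python
import sqlite3


def make_database():
    """Constructed in-memory table standing in for the Person domain class (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table person (id integer primary key, version integer default 0, username text)")
    conn.executemany("insert into person (username) values (?)",
                     [("alice",), ("bob",), ("carol",)])
    conn.commit()
    return conn


def find_by_username_vulnerable(conn, username):
    """Equivalent of the java.sql.Statement example: user input becomes part of the SQL text,
    so  ' or '1'='1  turns the WHERE clause into a tautology and every row comes back."""
    sql = "select username from person where username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def execute_vulnerable(conn, username):
    """Equivalent of Statement.execute(sql): several statements may run in one call, so a
    payload such as  '; drop table person; --  is executed in full."""
    sql = "select username from person where username = '" + username + "'"
    conn.executescript(sql)


def find_by_username_safe(conn, username):
    """PreparedStatement equivalent: the driver binds the value, so quotes inside it stay data
    and the same payload simply matches no username."""
    sql = "select username from person where username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def table_exists(conn, name):
    row = conn.execute("select count(*) from sqlite_master where type = 'table' and name = ?",
                       (name,)).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_database()
    payload = "' or '1'='1"
    print("vulnerable:", find_by_username_vulnerable(db, payload))   # every row
    print("safe:      ", find_by_username_safe(db, payload))         # no such username
    execute_vulnerable(db, "'; drop table person; --")
    print("person table still exists:", table_exists(db, "person"))
```

The one-statement-per-call restriction of sqlite3's plain `execute` is why the stacked-query case needs `executescript`; JDBC's `Statement.execute` and many other drivers impose no such limit, which is the page's point about mixing selects and updates.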

Command injection

Groovy makes it easy to execute arbitrary operating system commands by adding the execute method to the metaclass of the String and String[] classes. For example, it's simple to get a directory listing on a Unix or Linux system by running 'ls -l'.execute().text. If your application uses this feature and builds the commands to be executed from user input, you are at risk of a command injection attack. Note that String.execute() does not itself invoke a shell: it splits the string on whitespace and runs the first token as the program, so user input spliced into the string becomes extra arguments (argument injection, for example a smuggled -rf) rather than a second command. The classic shell injection with ; or | appears as soon as the command is wrapped in a shell, for example ['sh', '-c', cmd].execute(). Unfortunately, there isn't a simple fix like there is for SQL; you will have to be vigilant and validate user input against a whitelist (and/or a blacklist) of allowed characters and expressions, and keep user-supplied values as separate argv elements rather than pasting them into a command string.
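An added Python example (not from the book) of the whitelist approach the paragraph recommends, shown beside the vulnerable pattern: list_directory_vulnerable hands a user-controlled string to a shell, while list_directory validates the argument against a whitelist and runs the program with an argument vector so no shell ever parses it. The whitelist regex and the choice of ls are assumptions for the example.

```python
import re
import subprocess

# Whitelist for a path argument: letters, digits, dot, underscore, slash, hyphen.
# Anything a shell treats specially (; | & $ ` ( ) < > space, newline) is rejected outright.
SAFE_PATH = re.compile(r"^[A-Za-z0-9._/-]+$")


def is_safe_path_arg(arg):
    """Whitelist check for a user-supplied path argument."""
    if not SAFE_PATH.match(arg):
        return False
    if arg.startswith("-"):
        return False          # would be parsed as an option by the target program
    if ".." in arg.split("/"):
        return False          # no climbing out of the intended directory
    return True


def list_directory_vulnerable(user_input):
    """Command string built from user input and handed to a shell: the input
    '/tmp; echo INJECTED' makes the shell run a second command."""
    return subprocess.run("ls -l " + user_input, shell=True,
                          capture_output=True, text=True).stdout


def list_directory(user_input):
    """Hardened form: validate first, then pass an argv list so no shell parses the input;
    '--' ends option parsing in case the whitelist is ever loosened."""
    if not is_safe_path_arg(user_input):
        raise ValueError("rejected path argument: %r" % user_input)
    result = subprocess.run(["ls", "-l", "--", user_input],
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print(list_directory("/tmp")[:200])
    try:
        list_directory("/tmp; echo INJECTED")
    except ValueError as e:
        print("blocked:", e)
```

The argv form alone already stops shell metacharacters; the whitelist is what stops argument injection (a leading dash) and path traversal, which the shell-free form does nothing about.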
