Archive for April, 2010

Undocumented Equallogic CLI Commands part II

April 22nd, 2010 1 comment

As you have probably read in the cupfighter article Undocumented Equallogic CLI Commands, there is still much to discover under the hood of these great boxes. You would figure that if Equallogic runs on top of NetBSD, it should be possible to run shell commands. Well, it is, but you have to leave the Equallogic CLI and open up a bash shell to perform these tasks.

To enter a bash shell on your Equallogic box you open a terminal session to your array and type:

> su exec bash

Be aware of the following message!

You are running a support command, which is normally restricted to PS Series Technical Support personnel. Do not use without instruction from Technical Support.

That simple!

Now you can execute shell commands like ifconfig, uname etc.

From this shell you can also restart the Equallogic Management Engine without rebooting your controllers. In my case it solved issues with replication schedules that did not get executed anymore. You just enter:

# eqlinit restart MgmtExec

To check the status of the MgmtExec you enter:

# eqlinit status

NB. Be careful because entering the bash shell and executing commands from here is not supported by Equallogic!!

BlackhatEU : Virtual Forensics

April 15th, 2010 No comments

By Christiaan Beek

From isfullofcrap Flickr photo stream. Creative Commons License

What are the challenges when you have to do forensics on a virtual environment?
•    What are the tools available?
•    Are the tools forensically sound?
•    Where is the data?
•    Who owns the data?
•    What forensic techniques do we use?
•    How to acquire data from the cloud?

Citrix is a nightmare for forensics investigators. There is no personal hard disk to investigate, only a personal profile which does not have very much data in it.

BlackHatEU : Universal XSS via IE8s XSS Filters

April 15th, 2010 No comments

By David Lindsay & Eduardo Vela Nava

The talk is about abusing the anti-XSS filters built into IE8 to always be able to perform XSS.

Microsoft decided to implement anti-XSS measures in IE because XSS is so common. On the other hand, they wanted to be careful not to break the web and to keep things performant, and the solution itself had to be secure.

So how do these filters work?
•    Examine all outbound requests for XSS patterns using heuristic filters.
•    If something matches the filter, a dynamic signature is generated.
•    If the signature matches, then the response is neutered.

BlackHatEU : Oracle, Interrupted: Stealing Sessions and Credentials

April 15th, 2010 No comments

By Steve Ocepek & Wendel G. Henrique

Steven and Wendel will be showing live demos of tools for exploitation of Oracle that will be released after the conference. These tools are all about performing man-in-the-middle attacks. And while a lot of people think this is a hard scenario, the Trustwave guys find that it is surprisingly efficient in practice.

The first tool demoed is vamp. Vamp is a tool for basic ARP spoofing.
ARP poisoning is old. The specification of ARP was written in the 80s. However, it is still very effective and opens up an entire category of attacks.

BlackHatEU : Abusing JBoss

April 15th, 2010 8 comments

By Christian Papathanasiou

Christian demoed two tools called JBoss-autopwn and Tomcat-autopwn.

For both tools he demonstrated that exploitation is possible on both Windows and Linux systems. It is very likely that his tool also works on Solaris.

BlackHatEU : Misusing Wireless ISPs for Anonymous Communication

April 15th, 2010 No comments

By Andre Adelsbach

Image from christianmeichtry's Flickr photostream. Creative Commons license

The talk starts by explaining the properties of satellite ISPs. Due to the nature of satellite communication (high latency, high downstream bandwidth), the ISPs often use performance-enhancing proxies. Satellite ISPs often use asymmetric links, combining a local uplink with the satellite downlink, but symmetric communication, where the uplink is also sent via the satellite, is possible too.

The performance-enhancing proxy on the local machine has to break some of the basic TCP/IP properties to enhance performance, in doing so also breaking some of the basic security measures.


BlackHatEU : Hacking Cisco Enterprise WLANs

April 14th, 2010 1 comment

By Enno Rey & Daniel Mende
erey@ernw.de
dmende@ernw.de

When implementing Cisco wireless network infrastructure, Enno and Daniel got the impression that, security-wise, these systems smell.

The first part of the presentation focuses on what a typical implementation looks like.

There are three generations:
1.    Structured Wireless-Aware Networks (SWAN)
2.    Based on managed APs and LWAPP (After acquiring Airport)
3.    Cisco Unified Wireless Network

The talk focuses on generation one and three.

BlackHatEU : SCADA and ICS for Security Experts: How to avoid being a Cyber Idiot

April 14th, 2010 3 comments

By James Arlen (@myrcurial, james.arlen@pushthestack.com)

James's talk is not about SCADA; it is about talking about SCADA.

The security industry has discovered that SCADA systems are in fact information systems, and all of a sudden security professionals are talking about how they can fix the SCADA security issues.

One of the biggest pieces of FUD that is out there is: if you own the computer, you own the system. This is not the case; most of the time when SCADA systems fail, the processes they control stop.

Yes, SCADA systems control processes using standard protocols, like Modbus TCP, but that doesn’t mean that you understand what energizing coil 13 does to the actual process. If you can break the computer system, it doesn’t mean you can break the process.

There are more controls in place in a manufacturing process, e.g. the safety systems that are there to prevent catastrophes from happening, or the quality control systems that prevent dodgy products from getting out. The most important control in place is that manufacturing is still mostly run by humans who will notice that stuff is about to go wrong.

One of the facts about big infrastructures (electrical nets and manufacturing processes) is that the people who run them count on stuff breaking down. Most of the time you don’t even notice that a major failure in these systems has occurred.

It’s not all negative…
We can understand SCADA systems and we can indeed help. In industrial systems Availability is the key element of the triad, not Integrity or Confidentiality.

If you are going to get involved, be a student before you become the teacher. Buy some people a cup of coffee and be prepared to put your ego behind you. Understand that these people have been doing this work for a long time and are indeed your parents' age; that makes you the kid.

James shared, not for disclosure, a number of examples of IT Security bad practices that were found in the real world and make most IT Security people wince and giggle at the same time. Words like rsh, solitaire and non-upgradable NT 4.0 were mentioned.

What will save us: super ninjas, l337 superheroes or just “Not Sucking”?

As IT Security people we need to open up, understand this stuff and make small progress that will have a big effect.


BlackHatEU : Fireshark – A tool to Link the Malicious Web

April 14th, 2010 No comments

By Stephan Chenette (schenette@websense.com)

This talk is accompanied by the release of Fireshark, a Firefox plugin. It can be downloaded here: fireshark.org

Compromised legitimate websites have increased 225% in the last 12 months.

Stephan wrote the Fireshark tool to address the problem of analyzing malware-serving legitimate sites. He found that none of the tools available to date gave him the information that he needed.

Most malware landing pages use exploit kits that will try to use about 25 exploits. These kits are highly obfuscated. Most analysis tools are well known by the bad guys, and the kits are thus protected against de-obfuscation.

What is Fireshark?

BlackhatEU : Unveiling Maltego 3.0

April 14th, 2010 No comments

By Roelof Temmingh

Maltego 3.0 will be a major upgrade. The first upgrade that shows is in terms of the visual representation. The Windows-based GUI no longer looks like a port from a Unix application to Windows, but has a far more Windows look and feel to it and supports dynamic graphing. The user interface is now fully interactive in all views.

Enhancements include:
•    Dynamic graphs
•    Manual object linking
•    Infinite transforms (e.g. to follow tweets as they occur)

But it is not just user interface changes: Maltego v3 will also handle so-called “Dead End Entities”, entities that currently don’t have transforms.