
hard drive

Unauthenticated Filesystem Access in iomega Home Media Network Hard Drive

-----------------------------
Advisory
-----------------------------
Unauthenticated File-system Access in iomega Home Media Network Hard Drive

-----------------------------
Affected products
-----------------------------
iomega Home Media Network Hard Drive Firmware versions 2.038 - 2.061


ToorCon X Lineup & Training Seminars Posted & Pre-Registration Ending

San Diego, CA 92101
http://www.hotelsolamar.com

CRASH COURSE IN PENETRATION TESTING
Instructors: Joseph McCray & Chris Gates
Includes: 250GB 2.5" USB Harddrive preloaded with lab VMWare images

This course will cover some of the newer aspects of pen-testing, covering: Open Source Intelligence Gathering with Maltego and other Open Source tools, Scanning, Enumeration, Exploitation (both remote and client-side) and Post-Exploitation, relying heavily on the features included in the Metasploit Framework. We'll discuss our activities from both the Whitebox and Blackbox approach, keeping stealth in mind for our Blackbox activities.

Web Application penetration testing will be covered as well with focus on practical exploitation of cross-site scripting (XSS), cross-site request forgery (CSRF), local/remote file includes, and SQL Injection.


Re: Millions of PDF invisibly embedded with your internal disk paths

Nor do IP addresses prove anything, still people use them.

It is a good enough reason to search his computer. If the poor user does
not know paths are embedded, he's likely to get himself into
trouble. And no, the path does not prove anything, but given how hard
it is to erase data on a hdd, his harddrive is likely to prove a lot.
                                                                        Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html


Default Root Password in Infrant (now Netgear) ReadyNAS "RAIDiator"

which is initialized from a tarball stored in flash.

After the rootfs has been mounted, some consistency checks are done, and
several important configuration files will be "backed up" from encrypted
versions. That means that it's not possible to change arbitrary files,
for example by mounting a harddrive externally, because they will be
replaced by their backup version on the next boot. The backup files are
encrypted, so they cannot be changed without being able to encrypt these
files.

A part of the /linuxrc file from the initrd image, which is executed

Re: [Full-disclosure] pidgin OTR information leakage

to control where this ends up (which apps are the qualified receivers)
or what the receivers do with it.

> So, if for example the user
> selects not to log OTR plaintext (so that this sensitive information
> doesn't touch the hard drive) another application on the other end
> of DBUS might choose to do something different (and not by malicious
> intent). There is no way to enforce the same security policy on the
> sender and the receivers.
> 
> How this could be exploited by attackers or what forensic evidence

RE: More on VMWare poor guest isolation design

> the memory, the disk and even alter devices is going to be a soft
> target.
> 
> The physical analogy that someone brought up earlier works well here.
> Would you consider your machine locked down if someone could open
> your computer case, yank the hard drive and attach new devices to the
> system at will?  Well, with a virtual machine they can do that while
> the machine is running.
> 
> > Mark Burnett
> > http://xato.net

Streamripper 1.62.1 - Buffer Overflows

-----------
Description
-----------

Streamripper is a program used to rip streaming media to mp3 format to
your harddrive. 

Multiple buffer overflows that allow for arbitrary code execution have
been found in the HTTP header parsing code.

Other projects based on the same code may also be affected including 


Re: [WEB SECURITY] countermeasure against attacks through HTML shared files

> > the laptop is stolen (even if turned off), the
> > thief can access the file from the history until
> > the login session times out.
> 
> Is the thought that once downloaded, the user is storing the file
>  securely on the hard drive?  If not, then I think the attacker will simply
>  lift the file off the laptop rather than trying to re-download the file
>  again.

Well, the user could have deleted the file.  But
you're right, the file is likely to be in the

Re: [Full-disclosure] pidgin OTR information leakage

Once a process sends private info over DBUS there is no way
to control where this ends up (which apps are the qualified receivers)
or what the receivers do with it. So, if for example the user
selects not to log OTR plaintext (so that this sensitive information
doesn't touch the hard drive) another application on the other end
of DBUS might choose to do something different (and not by malicious
intent). There is no way to enforce the same security policy on the
sender and the receivers.

How this could be exploited by attackers or what forensic evidence

[HISPASEC] 2K7SEPT6 X-Diesel Unreal Commander v0.92 (build 573) multiple FTP-based vulnerabilities

Unreal Commander is an award-winning freeware file manager for Windows
98/ME/2000/XP/2003/Vista. The application supports multiple archive
formats, has a built-in FTP client, and other features.

Unreal Commander fails to correctly handle malformed file names while downloading
a remote file from a malformed FTP server to a local hard drive. This allows an
attacker to perform a directory traversal attack. Successful exploitation may
lead to a full-scale system compromise.

Unreal Commander also fails to correctly handle FTP responses. This can lead to
the application entering an infinite loop, denying service to the legitimate

Re: [Full-disclosure] Firewire Attack on Windows Vista

attacks presented in our preprint paper.

Furthermore, I'm only talking about Microsoft's BitLocker. It is not a
universal property of hibernate that it is automatically safe. Depending
on the implementation, it may be _worse_ for your operational security
as your keys may be written out to the hard drive without _any_ crypto
at all. It appears that TuxOnIce does the right thing while other
systems are all over the map.

Regards,
Jacob Appelbaum

[ GLSA 200908-04 ] Adobe products: Multiple vulnerabilities

* Roee Hay of IBM Rational Application Security reported an
  unspecified integer overflow (CVE-2009-1869).

* Gareth Heyes and Microsoft Vulnerability Research reported that the
  sandbox in Adobe Flash Player allows for information disclosure, when
  "SWFs are saved to the hard drive" (CVE-2009-1870).

Impact
======

A remote attacker could entice a user to open a specially crafted PDF

ToorCon Final Lineup Announcement

This workshop has received a lot of attention recently and is filling
up quick. The premise behind this workshop is that the first half of
the class teaches the basics of penetration testing and the second
half involves running wild on a rootwars network setup in the
classroom and learning techniques with hands-on exercises. People
attending this workshop will leave with a 250GB 2.5" harddrive filled
with vmware images of challenge VMs and an attack VM pre-loaded with
all of the basic hacking tools needed to start playing. The goal is
that after people leave the class they'll be able to continue
developing their skills by completing further challenge levels in the
rootwars VMs.

Re: [HV-INFO] Enova hardware encryption: false sense of security

 
Speaking of X-Wall not being able to hold the secret of the secret key, it is actually an intended engineering design and has been praised by many well-known cryptographers. As X-Wall is not equipped with any non-volatile memory and all the secret keys reside in volatile memory, the security of data-at-rest is guaranteed as long as the power is shut down or the computer goes into hibernation state. The design was meant for the authentication part to hold the secret value, as it makes sense that the secret key will only be released upon correct authentication. An advantage of this design is that it also guarantees there won't be a risk of the secret being extracted through sophisticated semiconductor layer extraction methods.

Speaking of the Enova key fob, there is a reverse diode that safeguards the accidental insertion of the key fob into a real 1394 (firewire) port that carries voltage more than 18 Volts. As a result, damage to the key fob due to mismatch of the firewire port can be avoided.

We would agree that a capable engineer would be able to apply electrical wire onto the serial bus and snoop the protocol to get to the secret key. But this is our simplest and most basic design, which was engineered to educate/show most of our customers how the X-Wall will actually be functioning. To show the exact opposite, we also engineered a sophisticated FIPS certified smartcard authenticated X-Wall design (to view more details, visit our website at http://www.enovatech.net/products/reference/secureusb_pro.htm). That being said, snooping an electrical protocol may still be a bit tougher than simply installing a key logger or camera for the password entry. Anyway, to conduct such a hot-plug electrical protocol attack, the attacker needs to get hold of the key fob as well as the circuit board and the X-Walled hard drive.

To prevent serial bus sniffing, apply hardened epoxy on the X-Wall such that it creates a chemical effect with the molding compound of the X-Wall, to effectively avoid such an attack, as attempts to use a special solvent would effectively destroy the molding compound of the X-Wall, thus destroying the circuitry. Alternatively, use the FIPS certified authentication mechanism to hold the secret key, which can only be released upon correct authentication.
------------------------------



Advisory: Crypto backdoor in Qnap storage devices (CVE-2009-3200)

  access to the hard disk and flash.


Description:

  When a user selects in the web GUI to encrypt a hard drive, he
  has to supply a passphrase of 8-16 characters in length.
  The Qnap solution is to use the underlying Linux standard
  mechanisms of LUKS to create the encrypted partition.
  The user-supplied passphrase is crypt(3)'ed with the MD5 salt
  of $1$YCCaQNAP$ and used as the initial key to access the LUKS


[HISPASEC] 2K7SEPT6 Magellan Explorer 3.32 build 2305 Remote FTP Client Directory Traversal

-rwxr-xr-x   2 ftp      ftp          4096 Aug  1 02:28
st\..\..\..\..\..\BackSlashPoC
-rwxr-xr-x   2 ftp      ftp          4096 Aug  1 02:28
st/../../../../../SlashPoC
When the user chooses to download the file (or a directory in which this file
exists), Magellan Explorer will try to create the file on a local harddrive
using the dots and backslashes as a part of the name.
Since more than enough \..\..\ will just bring the path to the disk root, the
attacker can choose any location on the disk to write the file to. The file can
for example overwrite a critical system file, or create a file in the Autostart
folder.

{PRL} Pegasus Mail client BoF

===============
1) Introduction
===============

Pegasus Mail (PMail) is suitable for single or multiple users on stand-alone computers and for internal and Internet mail on local area networks. Pegasus Mail has minimal system requirements compared with competing products, for instance the installed program (excluding mailboxes) for version 4.51 requires only around 13.5 MB of hard drive space. Since Pegasus Mail does not make changes to the Windows registry or the system directory, it is suitable as a portable application for USB drives. Language packs are available for languages other than English.

Some commentators have described Pegasus Mail as convoluted and cumbersome to configure, whereas others value Pegasus Mail for the features it offers. A key feature of Pegasus Mail is that it does not use the HTML layout engine that is installed with every Microsoft operating system since 1997. The ubiquity of the Microsoft engine, which is used not only by all Microsoft products but by numerous third-party products as well, makes it a frequent target of malware such as Melissa and ILOVEYOU. Mail clients such as Pegasus Mail that have their own HTML rendering engine are inherently immune to these security exploits. Pegasus Mail will also not execute automation commands (for example ActiveX or JavaScript) embedded in an e-mail, further reducing the chances of a security breach.


(from Wikipedia website)



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
