Diaries

Published: 2006-08-31

Another IE Exploit makes the rounds...

We received a report from Gilbert Sebenste, a reader of ISC, (thanks!) of a new IE bug.  Discovered Monday (or rather, published on Monday), and has been apparently assigned CVE number 2006-4446,  that the bug only affects IE 6.0 SP1, according to Bugtraq.

So, we've said it before, and we'll say it again.  Yes, sometimes it's not practical to switch off of IE, but where you can...  do.  Diversify I say!  Even though Mac users aren't affected, use your Safari, Firefox, Opera... 

Windows users..  check out Firefox, Opera, and whatever other nice browsers you can throw out there.  (I'm a Mac/*nix/*bsd user, so I am not familiar with all the Windows offerings)  IE is riddled with countless holes and bugs, so, try and use something else.

Reader Ottmar followed up on this article with a suggestion for folks that just can't follow the advise above and want to try and make the best of the situation with using IE. With respect to this specific issue and other ActiveX based vulnerabilities in IE, the following Microsoft article explains how to modify the registry to kill ActiveX controls from running. Since this does involve modifying the registry, user beware! Without further ado, the Microsoft article can be found here.

0 Comments

...
Joel Esler
Published: 2006-08-31

MS06-040 Worm

For the past several days, the Handlers here at ISC have received all kinds of emails about the recent increase in scanning on port 139, as noted by fellow handler Lorna, the other day, yes there was definitely something going on, but we haven't seen any c0de.

Well,  guess what.  One of loyal readers out there on the 'Information SuperHighway', Alex Pettinger, wrote and and gave us some netstat and fport outputs from one of his machines that seemed to be affected by the worm, (as well as a nice copy of it).  It appears, in typical antivirus fashion to be named several things: McAfee is calling it "W32/SDbot.worm!MS06-040", Sophos is calling it, "W32/Vanebot-A", and Symantec is calling it, "W32.Randex.GEL".  (Yes, it's been out for a couple days)

Let's take a look at this bad boy shall we?  How does it spread..  well, it uses: MS04-007, MS05-017, MS05-039, and of course, our favorite bug of the moment, MS06-040.

This one should be relatively easy to catch, look for machines pounding away over port 139 (from reader submissions it's about 150 machines in just a few seconds, so it should be noisy), look for connections via IRC to "forum.ednet.es" over port 4915.  (Until the next variant changes it, and we know it will).  It has the ability to do a bunch of things including spreading to network shares..

Prevention, as always, (and it should have been done for years now), block 139 and 445 at the router/firewall.  Netbios traffic shouldn't be allowed to exit or enter your network from egress points anyway. 

Update your antivirus.  At least daily.

Patch.  You know the deal by now.

Now, since cleaning botnets, is.. pretty much impossible, prevention is the key.  If you DO get hit with a botnet infection running throughout your network, my general recommendation is..  rebuild the box.  Now, I know that sounds drastic to some of you, but it gets rid of the worm, gets rid of the botnet, and plus you have a brand new box!  So, maintain those images, keep your antivirus up to date, patch your boxes, and make sure your IDS/IPS is up to date.

0 Comments

...
Joel Esler
Published: 2006-08-31

Mailbag grab

Security book online

Ryan sent us a link to an on-line book:

Security Engineering: A Guide to Building Dependable Distributed Systems
by Ross Anderson
http://www.cl.cam.ac.uk/~rja14/book.html

But I guess you'll need to come back in a few days before you can get in and download it.
It is a good book well worth reading and I for one really like the attitude of the author.

RFC 1918

Jon send as traffic to and from 10.x.y.z going over the Internet. It reminded us to filter that traffic away on your borders. There is no good such IP addresses (and any other mentioned in RFC 1918) can do out there. Dropping the traffic in ingress/egress filters is the right thing to do (also for the ISPs involved).

MS06-040

We got a few contacts from Canada, and some clarification regarding the MS06-040 bots might be needed:
  • This is not an isolated issue. Several entities in various geographic locations are being hit.
  • This is not the only such bots. There are many similar bots and it is not trivial to tell them apart unless you actually have the malware and the time to analyse it in detail.
  • In most countries, the Internet is global: packets do not stop for customs or immigration ;-). Since most botnet herders are in it for the money so far, they don't really care about countries either.

--
Swa Frantzen -- Section 66


0 Comments

...
Swa Frantzen
Published: 2006-08-31

An ISC Back to School Special

Yes, it is that time of year.  The hustle and bustle of getting kids situated in school has begun and for many folks has already occurred.  Along with that, comes the purchase of that shiny new laptop or desktop for little Johnny Joe or Sally Sue.  If your not buying one, you maybe powering up the one you have for the first time in a while.  To quote a line from Uncle Ben in the movie Spiderman "With great power comes great responsibility".  A computer is a powerful tool and someone has to be responsible for that tool.  So here are some things that you need to consider as you get your kids ready for school.

Back to School Shopping List
For starters, here are some assessories you might want to make sure they have available that you might not have considered. 
  • Blank CDs/DVDs are pretty useful for burning a backup copy of a home work assignment or major project that they might be working on and can't afford to lose.
  • Consider a USB key(s) for easy transferring of data.
  • An extra ethernet cable (if you don't have access to a wireless network)  and a handy wireless card to take with you as a backup or if you don't have wireless built-in.
  • A good backpack for your laptop or rollers for the laptop.  I find a backpack is much easier for when you're on the go alot.
  • A lap top security cable, especially for use in the dorm rooms
  • Make sure you have purchased antivirus software for your systems.  You cannot exercise that "great responsibility" mentioned above without having it.
Back to School TO DO List
Now that you have that new computer or your old one for that matter, how do you exercise "great responsibilty" over that power?  Here are some tips:
  • Make sure the system is patched and stays patched with all the lastest updates.  This is especially true for systems that have been shutdown/offline for the summer.  Before doing anything else, patch the systems (from a protected network, if at all possible).  Remember that Microsoft releases their patches on the second Tuesday of the month and many vendors release theirs as well during the same time frame it seems.  So mark the date on your calendar to watch for patches.  Also you can configure most software to automatically check for updates.  Don't just focus on the patches for the operating system, remember all those other programs and pieces of software on the computer that need to be updated as well.
  • Ensure your system is running an antivirus program and has up to date virus definitions.  Many vendors are releasing weekly if not daily updates.  The software will often times automatically look for updates on a weekly basis.  I would consider marking the update page for you antivirus vendor and checking it on a daily basis for new signature releases.
  • If you run a windows box, ensure your firewall is turned on for both your wireless and local area network. Macs have a builtin firewall as well, so ensure it is turned on, and don't forget those Advanced options in OSX 10.4!  If you're running an operating system that doesn't have a firewall builtin, look for a third-party firewall that is compatible for that system.
  • Screen savers, that are password protected, are another good option to turn on.  Just don't set the timeout on the screen saver to be something like 30 minutes or an hour since that will defeat the purpose.  My personal preference is just learn to lock the desktop when walking away from the system.  You're still just typing in a password
  • Don't run your system with Administrator privileges as a matter of course.  Set up an account as a regular user and run with that account except in those rare instances when you need the greater privileges.  It can lessen the impact of malware and remote exploits.
  • If you are using wireless take great care and ensure that you encrypt your data.  However, there are many times that you have to attach to an open wireless network.  It may be that the campus has open wireless network or that you decide to work at the local coffee shop and use their network.  In such cases, you don't have control over how you connect but you can still secure your data.  One solution is to use Kyle's  Tip of the Day: Secure Surfing at the Coffee Shop (or Hacker Conferences).  Another  good option is to use a hosted VPN solution.  There are some good ones out there that are available for a small price and well worth the money.
  • Stay away away from peer-to-peer (P2P) networks.  While growing in popularity it is also growing in risk.  The risks involved range from the software you download to participate in the P2P network (ontaining spyware or other beasties)  to the actual files being distributed or obtained.  A vast majority of the files being shared are copyrighted songs and movies which is illegal and can land your little Johnny Joe or Sally Sue in alot of trouble.  Many of the infection mechanisms used by malware today target P2P networks.
  • A final set of tips for safe computing.  Be careful when opening email from unknown individuals.  If your mail viewer has a preview pane it needs to be turned off and change your settings to read your mail in plain text.  Be very careful what you click on, especially links that come in via email or IM.  The same principle applies for opening attachments.
During the month of August, we published a daily Tip Of the Day that you might want to take a look at and will also give you some good guidance.  The computer is a powerful tool and school networks are prime targets for folks looking for vulnerable systems.  Protect yourself and others by sending your kids off to school with their backpacks completely packed and ready to go.

0 Comments

...
Lorna Hutcheson
Published: 2006-08-31

NT botnet submitted

We received copies of malware that are being discussed in public forums, it appears to be (variants of) known botnets. Here's what Norman and virustotal.com had to say about them [sanitized]:

eraseme:

[ General information ]
   * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
   * Anti debug/emulation code present.
   * **Locates window "NULL [class mIRC]" on desktop.
   * File length:        86016 bytes.
   * MD5 hash: 5d8e6f1fc0d5b8e34947241d77c2311c.
[ Changes to filesystem ]
   * Creates file C:\WINDOWS\csrsc.exe.
   * Deletes file c:\sample.exe.
[ Changes to registry ]
   * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "MeltMe"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Creates key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "ImagePath"=""C:\WINDOWS\csrsc.exe"" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "DisplayName"="Network Gateway Manager" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Deletes value "MeltMe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "Installed Time"="3/6/2006, 1:20 PM" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "WaitToKillServiceTimeout"="7000" in key "HKLM\System\CurrentControlSet\Control".
[ Network services ]
   * Looks for an Internet connection.
   * Connects to "[deleted]" on port 1863 (TCP).
   * Sends data stream (30 bytes) to remote address "[deleted]", port 1863.
   * Connects to IRC Server.
[ Process/window information ]
   * Creates service "npx (Network Gateway Manager)" as ""C:\WINDOWS\csrsc.exe"".
   * Attempts to access service "npx".
   * Creates a mutex LOLFOB.
[ Signature Scanning ]
   * C:\WINDOWS\csrsc.exe (86016 bytes) : no signature detection.         

Virustotal:
 AntiVir 6.35.1.11     08.31.2006 Worm/Sdbot.86016.43
 Authentium 4.93.8     08.30.2006 no virus found
 Avast 4.7.844.0       08.31.2006 no virus found
 AVG 386               08.30.2006 IRC/BackDoor.SdBot2.HLZ
 BitDefender 7.2       08.31.2006 GenPack: Generic.Sdbot.4F0C4C47
 CAT-QuickHeal 8.00    08.30.2006 no virus found 
 ClamAV devel-20060426 08.31.2006 no virus found
 DrWeb 4.33            08.31.2006 Win32.HLLW.MyBot
 eTrust-InoculateIT 23.72.111 08.31.2006 no virus found
 eTrust-Vet3 0.3.3052  08.31.2006 no virus found
 Ewido 4.0             08.31.2006 Backdoor.SdBot.anp
 Fortinet 2.77.0.0     08.31.2006 W32/SDBot.AKI!worm
 F-Prot 3.16f          08.30.2006 no virus found
 F-Prot4 4.2.1.29      08.31.2006 no virus found
 Ikarus 0.2.65.0       08.31.2006 no virus found
 Kaspersky 4.0.2.24    08.31.2006 Backdoor.Win32.SdBot.anp
 McAfee 4841           08.30.2006 no virus found
 Microsoft 1.1560      08.31.2006 no virus found
 NOD32 v21.1733        08.31.2006 a variant of IRC/SdBot
 Norman 5.90.23        08.31.2006 W32/Malware
 Panda 9.0.0.4         08.30.2006 no virus found
 Sophos 4.09.0         08.31.2006 no virus found
 Symantec 8.0          08.31.2006 W32.Spybot.Worm
 ... 

csrsc:

Norman:
[ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
   * Anti debug/emulation code present.
   * **Locates window "NULL [class mIRC]" on desktop.
   * File length:        86016 bytes.
   * MD5 hash: 5d8e6f1fc0d5b8e34947241d77c2311c.                               

[ Changes to filesystem ]
   * Creates file C:\WINDOWS\csrsc.exe.
   * Deletes file c:\sample.exe.

[ Changes to registry ]
   * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "MeltMe"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Creates key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "ImagePath"=""C:\WINDOWS\csrsc.exe"" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Sets value "DisplayName"="Network Gateway Manager" in key "HKLM\System\CurrentControlSet\Services\npx".
   * Deletes value "MeltMe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "Installed Time"="3/6/2006, 1:20 PM" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
   * Sets value "WaitToKillServiceTimeout"="7000" in key "HKLM\System\CurrentControlSet\Control".
   * Modifies value "UpdatesDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "AntiVirusDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "FirewallDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "AntiVirusOverride"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Modifies value "FirewallOverride"="^A" in key "HKLM\Software\Microsoft\Security Center".
   * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update".
   * Sets value "AUOptions"="^A" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update".
   * Creates key "HKLM\System\CurrentControlSet\Services\wscsvc".
   * Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\wscsvc".
   * Creates key "HKLM\System\CurrentControlSet\Services\TlntSvr".
   * Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\TlntSvr".
   * Creates key "HKLM\System\CurrentControlSet\Services\RemoteRegistry".
   * Creates key "HKLM\System\CurrentControlSet\Services\Messenger".
   * Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\Messenger".
   * Sets value "restrictanonymous"="^A" in key"HKLM\System\CurrentControlSet\Control\Lsa".
   * Creates key"HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
   * Sets value "AutoShareWks"="" in key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
   * Sets value "AutoShareServer"="" in key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
   * Creates key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
   * Sets value "AutoShareWks"="" in key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
   * Sets value "AutoShareServer"="" in key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
   * Creates key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate".
   * Sets value "DoNotAllowXPSP2"="^A" in key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate".
   * Creates key "HKLM\Software\Microsoft\OLE".
   * Sets value "EnableDCOM"="N" in key "HKLM\Software\Microsoft\OLE".
   * Sets value "Record"="??^N" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".

[ Network services ]
   * Looks for an Internet connection.
   * Connects to "[DELETED]" on port 1863 (TCP).
   * Sends data stream (30 bytes) to remote address "[DELETED]" port 1863.
   * Connects to IRC Server.
   * IRC: Uses nickname [XP||N|677795].
   * IRC: Uses username XP88038.
   * Opens URL: http://[DELETED]/prxjdg.cgi.
   * Opens URL: http://[DELETED]/x/maxwell/cgi-bin/prxjdg.cgi.
   * Opens URL: http://[DELETED]/mute/c/prxjdg.cgi.
   * Opens URL: http://[DELETED/tomocrus/cgi-bin/check/prxjdg.cgi.
   * Opens URL: http://[DELETED]/cgi-bin/proxy.cgi.
   * Opens URL: http://pDELETED]/little_w/prxjdg.cgi.
   * IRC: Sets the usermode for user [XP||N|677795] to .
   * IRC: Joins channel #NGEN with password [DELETED].

[ Process/window information ]
   * Creates service "npx (Network Gateway Manager)" as ""C:\WINDOWS\csrsc.exe"".
   * Attempts to access service "npx".
   * Creates a mutex LOLFOB.
   * Attempts to access service "Tlntsvr".
   * Attempts to access service "RemoteRegistry".
   * Attempts to access service "Messenger".
   * Attempts to access service "SharedAccess".
   * Attempts to access service "wscsvc".

[ Signature Scanning ]
   * C:\WINDOWS\csrsc.exe (86016 bytes) : no signature detection.

Virustotal:
 Authentium 4.93.8     08.30.2006 no virus found
 Avast 4.7.844.0       08.31.2006 no virus found
 AVG 386               08.30.2006 IRC/BackDoor.SdBot2.HLZ
 BitDefender 7.2       08.31.2006 GenPack: Generic.Sdbot.4F0C4C47
 CAT-QuickHeal 8.00    08.30.2006 no virus found
 ClamAV devel-20060426 08.31.2006 no virus found
 DrWeb 4.33            08.31.2006 Win32.HLLW.MyBot
 eTrust-InoculateIT 23.72.111 08.31.2006 no virus found
 eTrust-Vet 30.3.3052  08.31.2006 no virus found
 Ewido 4.0             08.31.2006 Backdoor.SdBot.anp
 Fortinet2.77.0.0      08.31.2006 W32/SDBot.AKI!worm
 F-Prot 3.16f          08.30.2006 no virus found
 F-Prot4 4.2.1.29      08.31.2006 no virus found
 Ikarus 0.2.65.0       08.31.2006 no virus found
 Kaspersky 4.0.2.24    08.31.2006 Backdoor.Win32.SdBot.anp
 McAfee 4841           08.30.2006 no virus found
 Microsoft 1.1560      08.31.2006 no virus found
 NOD32 v21.1733        08.31.2006 a variant of IRC/SdBot
 Norman 5.90.23        08.31.2006 W32/Malware
 Panda 9.0.0.4         08.30.2006 no virus found
 Sophos 4.09.0         08.31.2006 no virus found
 Symantec 8.0          08.31.2006 W32.Spybot.Worm
 TheHacker 5.9.8.202   08.31.2006 no virus found
 UNA 1.83              08.31.2006 no virus found
 VBA32 3.11.1          08.30.2006 Win32.HLLW.MyBot
 VirusBuster 4.3.7:9   08.30.2006 no virus found

i.exe:

Virustotal:
 AntiVir 6.35.1.11     08.31.2006 Worm/Spybot.1093632
 Authentium 4.93.8     08.30.2006 no virus found
 Avast 4.7.844.0       08.31.2006 no virus found
 AVG 386               08.30.2006 IRC/BackDoor.SdBot2.HLY
 BitDefender 7.2       08.31.2006 Win32.Worm.Tilebot.GM
 CAT-QuickHeal 8.00    08.30.2006 no virus found
 ClamAV devel-20060426 08.31.2006 no virus found
 DrWeb 4.33            08.31.2006 Win32.HLLW.MyBot
 eTrust-InoculateIT 23.72.111 08.31.2006 Win32/SDBOT.AQJ!Worm
 eTrust-Vet 30.3.3052  08.31.2006 Win32/Petribot.XM
 Ewido 4.0             08.31.2006 Backdoor.SdBot.aqj
 Fortinet 2.77.0.0     08.31.2006 W32/Tilebot.AQJ!worm
 F-Prot 3.16f          08.30.2006 no virus found
 F-Prot4 4.2.1.29      08.31.2006 no virus found
 Ikarus 0.2.65.0       08.31.2006 Backdoor.Win32.SdBot.aqi
 Kaspersky 4.0.2.24    08.31.2006 Backdoor.Win32.SdBot.aqj
 McAfee 4841           08.30.2006 W32/Spybot.worm.gen.p
 Microsoft 1.1560      08.31.2006 Backdoor:Win32/Rbot!02A6
 NOD32 v21.1733        08.31.2006 IRC/SdBot
 Norman 5.90.23        08.31.2006 W32/Spybot.AXGM
 Panda 9.0.0.4         08.30.2006 W32/Sdbot.IAZ.worm
 Sophos 4.09.0         08.31.2006 W32/Tilebot-GM
 Symantec 8.0          08.31.2006 W32.Spybot.AKNO
 TheHacker 5.9.8.202   08.31.2006 no virus found
 UNA 1.83              08.31.2006 Backdoor.SdBot.8
 VBA32 3.11.1          08.30.2006 Win32.HLLW.MyBot
 VirusBuster 4.3.7:9   08.30.2006 no virus found

Reading up on what the antivirus community has written about these they seem to attack  through so many vectors that it's likely they affect poorly patched systems (and NT or any other legacy windows version would make a prime target).

--
Swa Frantzen -- Section66.com

0 Comments

...
Swa Frantzen
Published: 2006-08-31

Contacting the ISC, good practices for response

Recently we've received several good emails, concerning many of the topics that we've discussed recently on our Diary entries.  Port 139 traffic, HP JetDirect traffic, Java updates, you name it, we've received email about it.

The problem with a couple of these excellent emails is...  the sender hasn't left their email address!  We had one individual write us and offer packet captures of the 139/445 traffic that has been reported, but didn't leave their email address for us to contact him. 

So please, these items are essential.  If you are thinking about not submitting your email address for privacy reasons, feel free to do so, we try to make a habit about not posting people's email addresses on the site.  We like to give credit where credit is due, but if you do not want your name mentioned at all, make sure and check the radio button that says "Do NOT mention my name".

You may contact the ISC by clicking on the Handler of the Day's name at the top of the page, or clicking on "Contact" at the bottom right of the page.

Thank you for your submissions about this "NT4/2000 worm" that is rumored to be spreading around, we'd love to receive full packet captures of the traffic, as well as any binaries that it drops.  (If there really is a worm).

Thanks!

0 Comments

...
Joel Esler
Published: 2006-08-31

Tip of the Day: Audit

As the last in the series of tips of the day, I chose the subject Audit.

Audits might sound scary as they verify your work, but they really should not. They can be a great tool into doing the right thing and catching (and correcting) errors before they escalate and become a problem. As a matter of fact, you can audit your own work. Or do it in a team. We all know we cannot find errors in stuff we wrote ourselves while it's obvious if somebody else wrote it.

Audit yourself

You can do various audits yourself of your work:
  • Are backups actually able to be read?
  • Can we actually restore a backup from a system if we loose all the harddisks or are we missing information?
  • Are the dates/sizes of system files on all our computers still the same (poor man HIDS, but it can also detect failed patches etc.)
  • Do logs from all our systems actually end up in our central log repository?
  • Did managment acknowledge all incident reports you gave them? Where there changes implemented due to the incidents?
  • Do we have blocklists? Do we update them regularly? Did we check if they are still relevant?
  • Exposed scripts (such as e.g. cgi-bin perl scritps)? Who reviewed them for security? Where they changed afterwards?
  • ...

Internal Audits

Internal audits can go further:
  • Are all our users in our user database(s) still rightfully there? Does the list match with what e.g. HR has as list of employees/contractors? Are the other users interactively used? Are they regularly re-confirmed as needed users? Do we have users that never log in?
  • Can we actually start a Disaster Recovery without touching the existing equipment and information?
  • Do people inside the company know where to find security policies? Do they know key content of the policies? When were they last reminded of the password policy? Are all our policies easy to read? Are all our policies short enough to be read in under 5 minutes?
  • Is equipement we rely on for being warned about problems (availability, IDS, logs, ...) actually tested regularly? How are we sure?
  • Are policies overruled? Why? By who? How often? Was it investigated? Did the policy change afterwards to fix the problem?
  • Where are incidents logged? What were the conclusions? Do people know incidents that were not logged?
  • ...

External Audits

Well external audits generally should check the same stuff as the Internal audits do, but be independent. Sill they are valuable as they can give you the one magic bullet: management support. Typically this starts with regulatory and legal requirements, but it can check compliance with standards as well.
  • Can grant a seal of approval.
  • These audits can also audit those persons that are very hard to audit as an employee: the big chief: does (s)he feel the policies do not apply to him/herself?
  • ...


--
Swa Frantzen -- Section 66

0 Comments

...
Swa Frantzen
Published: 2006-08-30

What's up on Port 139?

It seems that we are experiencing a nice upswing on port 139.

port graph

The data for Sources, Targets and Reports shows all three are on the rise.  There could be several possibilities for this.  For starters, Microsoft released a patch for MS06-040 which was already being exploited in the wild (see the august patch status table for more details). There are also two worms that have been given a CME identifier that take advantage of MS06-040.  However, both of these worms were given a CME number on August 14, so they have been around for a while and this upswing just started over the past couple of days.  With that in mind, be sure that you are blocking port 139 and 445 if you can. 

And if by chance you encounter anything interesting such as the malware or packet dump of the exploit, please let us know.

0 Comments

...
Lorna Hutcheson
Published: 2006-08-29

Tip of the Day - Protecting HP JetDirect-based Printers


HP JetDirect based printers are extremely popular in academia and elsewhere around the Internet.  As such, they need to be protected from malicious use as we do with the general computers and other network devices on our networks. 

Note: the concepts presented in this Tip of the Day may be used in other network printers, though I haven't messed with other varieties enough to know the details.

My first suggestion is to firewall off printers from Internet access.  Force connections to the printer originate from your locally managed network, or through a VPN authenticated computer residing elsewhere.

Unfortunately in academia, we rarely know the IP address of every network printer on our network. And I would suspect that in the corporate world that this can be true without very strictly enforced policies. Even if you know every printer and its IP on your network today, tomorrow it could be different after someone brings a new super fast, color, duplexing, with mailbox output tray, hard drive, extra fonts, bluetooth, infrared, firewire, usb, network, mp3 playing, digitial media card reading, all-in-one, scanning, faxing, washing-the-dishes-in-the-kitchen-sink printer and installed it without your knowledge or approval.

Here you are left with a few choices.
  1. Use a tool like nmap or nessus to scan for a few choice tcp or udp ports on printers and do some type of version or OS detect on the results. (Some of the ports to look for are 21, 23, 80,280,515,631 and 9100 tcp.)
  2. ARP walk your routers/switches looking for the MAC addresses of the HP JetDirect or other printerss.
  3. The DHCP Method.
The first 2 are time consuming and will have to be repeated often to keep track of newly discovered.

So,what is the DHCP Method?!?

HP devices with JetDirect cards have a vendor class identifier which reports to the DHCP server that they are 'Hewlett-Packard JetDirect' cards.  You should be able to log this on your DHCP server and use it for custom applications.  OR you can use this identifier to pad on some DHCP options which tells the printer to download a tftp file from a local tftp server which has a host.allow line to only accept connection from your institution's IP
range.  Since all HP printers DHCP by default(as in factory defaults) you have a catch-all mechanism in case the printer is reset to factory defaults and fail to reset the passwords or if users put new printers on
the network without you noticing or approving.

Using this same method using MAC address lists you can build a set of known special printers (such as the one used by your CEO, Chancellor, President, VIP) and should only be allowed from certain computers/servers.
These use separate config file with other additional options.  In addition to setting authorized IPs one can also disable features such as the appletalk, and IPX protocols which are unnecessary in your environment.  You can also set items like contact name, location, syslog server and the like. However you should be careful to make sure that all of the configuration features you are enabling/disabling is supported by a particular HP JetDirect model.

A sample config file for this with a little more information is located here:
http://www.lprng.com/LPRng-HOWTO-Multipart/x5171.htm

Last but not least, VLAN all of the printers into a printer virtual network.  This may make it easier for you to do maintenance tasks on them, check versions of the JetDirect Cards and the like if they are all in one virtual area.  I am sure there are other reasons that you could/should vlan them together, but I will leave that to your imagination.

If you have other HP JetDirect security resources, please share and I will update the diary later tonight/tomorrow with those links.

Update 1:

Overnight we have had a number of very useful links to add to the tip of the day.  Thanks to Jerry, Charlie,  Jack, Kahlib and others that shared more useful information.

HP Technical Document on Securing Jetdirect systems
HP Security Briefing on Jetdirect
HP JetAdmin Tool
HP Web JetAdmin Software

It is highly recommended that users update the firmware on the specific models of Jetdirect.  This will help the security posture some, and in some cases protect your nmap scan, or the newest lpr based worm causing the printer to output reams garbage.






---
Scott Fendley
Handler On Duty


0 Comments

...
Scott Fendley
Published: 2006-08-29

Sendmail DoS Vulnerability

For some of the Unix types out there, this may be old news by now.  However, we do have a couple of reports in the mailbag about the Sendmail Denial of Service issue. 

On August 9, 2006, Sendmail.org released version 8.13.8 which addressed a few bugs that were discovered in 8.13.7, and fixed a few other bugs.  One particular bug fixes an issue where sendmail would crash due to referencing a variable that had be freed.  This flaw can be exploited by crafting a message which very long header lines. I did not see much media attention to this when it was released (in fact I personally missed the note that it had updated). However in the past 24 hours a number of organizations have now posted information about it.  Oh well, looks like I wasn't the only one that missed it at the time.

As this appears to just be a DoS issue, it is our recommendation that if you are using Sendmail based products, please upgrade to 8.13.8 available at Sendmail.org, or contact your vendor for appropriate updates.  Also, make sure you are on the appropriate announcement list for any software vendors that you use.  Sometimes little security issues can get past even the best of us if we don't visit the local CVS repository, or website on a daily/weekly basis.

I am looking around for appropriate Snort Rules that might detect for this


For More Information:
http://secunia.com/advisories/21637/
http://www.openbsd.org/errata.html (August 25 sendmail patch)
http://www.frsirt.com/english/advisories/2006/3393


---
Scott Fendley
ISC Handler On Duty

0 Comments

...
Scott Fendley
Published: 2006-08-29

Ernesto domain name registrations up

Today we noted a spike in registrations of domains with the term "Ernesto". No surprise given the approaching hurricane by that name. Today, 19 new "Ernesto" domains became live. One of them is just the name of a person and not hurricane related. The other 18 are hurricane related. 17 of these domains are registered by one person.

Today's Names:
cnnernesto(.com)|(.net)
ernestodamage(.com)|(.net)
ernestohurrican(.com)|(.net)
ernestoinsurance(.com)|(.net)
ernestomoney(.com)|(.net)
ernestonews(.com)|(.net)
ernestopipeline(.com)|(.net)
ernestovideo(.com)|(.net)
ernestoweather(.com)|(.net)
thehurricaneernesto.com

Last year, we had a big number of fraudulent sites asking for donations for Katrina victims. We are afraid that similar issues may arise this year. At this point, the domain names listed above are parked. We will keep an eye on them. Let us know if you find any donation-fraud sites.

Graph of "Ernesto" domain registrations:
graph
(click for full size)

Update:

The person who registered most of these domains wrote to say this:

Tell me why I deserve this, or at least help me recover as I have spent hours, barely slept in order to get good news about that situation. I lived on the Gulf Coast, my grandfather's mosoleum was destroyed by Katrina, as well as his house and many family and friends homes and properties.

Yes, I have other domains for sale. This is America, this is capitalism. People buy real estate often with the intent of bettering it and selling it. I own CNNErnesto.com, b/c this is obviously a company that can cover this better than me.

Please, it is really painful to deal with this situation when all I could be putting up valuable information. Annd then, using money earned to build a nice company that will be very beneficial to a lot of people (TheWorldPipeline.com).

0 Comments

...
Johannes Ullrich
Published: 2006-08-28

Tip of the Day: Don't be a victim (well try to not be a victim) - security toolbars

A recent study (http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf) proved what we all don't like to admit.

That even as super human beings blessed with keen intellect and sage experience, human nature is undeniable.
Most anyone can be duped and most people tend to overestimate their chances of success and their skills
http://en.wikipedia.org/wiki/Overconfidence_effect

The study focused on phishing, but there are a number of other relevant examples.
This is what makes information security so hard. Its the humans! Just check out the list of all these other biases which have been researched experimentally (http://en.wikipedia.org/wiki/List_of_cognitive_biases) while thinking about security policies, social engineering, etc.

As security professionals we really can't just write off "everyone else on the planet" as dumb. (BOFH's everywhere will disagree). It is for this reason that insecurity can never be solved solely through technology. There is no silver bullet. (well if everyone followed this Tip of the Day http://isc.sans.org/diary.php?storyid=1530  and left them off maybe....)

There really is no silver bullet. User education is a must. So most of you out there know all of this. Which also means the future rests on each of you doing your part to educate those around you.

So we have gobs of busy people that might not know a lot about computers and security clicking and surfing all over the web (logged in as admin), but that think they know what they are doing. Sounds like a recipe for disaster or a great Monty Python episode involving loaded shotguns.

One disturbing finding of the report was that many users are not even looking at (and/or understanding) the indicators they have available in a browser that relate to their safety (SSL padlocks, location fields, status bars, etc). This is akin to getting off on the _wrong_ exit at 3am in an unfamiliar city holding a map. Not good.

There are some current tools out there which may help users make better choices (or block their bad choices). I'm just going to talk about browser toolbars. For the user class of not completely hopeless up to expert I really recommend McAfee's SiteAdvisor. This toolbar works with Firefox and IE and will provide more prominent and granular indicators that a site is dubious (or downright malicious). Users will need to keep an eye on their browser corner (which may require education) or optionally glance at the pretty red, yellow, green icons next to their google search results (RED means BAD)

SiteAdvisor
http://www.siteadvisor.com/ (IE and Firefox)

Also for those looking at getting involved in the community sign up to be a reviewer. Help SiteAdvisor catch and correctly flag all those bad sites that try oh so hard to look legit.

Netcraft Toolbar
So back to phishing. Netcraft has a really nice toolbar which can provide visual clues (YMMV) as well as speed bumps to doing something unsafe. It can actually block access to a site pending user verification (ok so we all know most users click OK on anything that pops up to get it out of the way)

http://toolbar.netcraft.com/ (IE and Firefox)

Expect this warning and popup trend to continue. Google is taking steps to prevent accidental wrong exits (see http://www.stopbadware.org/ for details on this initiative)

The next versions of IE and Firefox should have some of these protections built in. None of these will remove the need for user education (good luck explaining hostnames and mouse-overs to grandma). The criminals will figure out ways to circumvent these technologies and users will continue to ignore all the annoying popup warning windows and glaring red warning symbols. Its just human nature. If only it were as simple as just telling people to "only surf trusted sites". Right. uh huh.



Other cool stuff and links:
http://www.castlecops.com/t107217-Anti_Phishing_Toolbars.html
http://www.cerias.purdue.edu/weblogs/coj/secure-it-practices/post-22/
NoScript: https://addons.mozilla.org/firefox/722/
Spoofstick: http://www.spoofstick.com/
http://research.microsoft.com/displayArticle.aspx?id=1521
http://www.sandboxie.com/

0 Comments

...
Robert Danford
Published: 2006-08-28

Notable Tidbits

Notable updates for today:
http://liveview.sourceforge.net/

"Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk.
The end result is that one need not create extra "throw away" copies of the disk or image to create the virtual machine."

Live View is capable of booting

    * Full disk raw images
    * Bootable partition raw images
    * Physical Disks (attached via a USB or Firewire bridge)

Containing the following operating systems

    * Windows XP, 2000, 2003, NT, Me, 98
    * Linux (limited support)
[source: liveview site]

http://ssdeep.sourceforge.net/ (Came across while browsing Richard's excellent aggregate site http://www.bloglines.com/public/TaoSecurity)
Uh context triggered piecewise hashes. Makes my head hurt. But you'll like it if you need to compare closely related files (polymorphic malware samples maybe?)
Here's a greaqt interview. http://cyberspeak.libsyn.com/index.php?post_id=115142
This is way beyond me too http://dbacl.sourceforge.net/


0 Comments

...
Robert Danford
Published: 2006-08-27

J2SE Runtime Environment (JRE) & Java SE Developer Kit (JDK) Update 8

Sun has released Update 8 to for JRE 5.0 for download.  As an earlier diary discussed, versions prior to 5.0, Release 6, allowed applets and/or applications to call earlier unpatched versions.  What is the risk to me?  Having the ability to call earlier, unpatched versions could potentially allow an attacker to run her/his code of choice along with it.  The Java Runtime Environment and Java Developer Kit both have release 8.0 available for download here.



0 Comments

...
Tony Carothers
Published: 2006-08-27

Tip of the Day - Making the Switch

Wi-Fi; most of us are using it, I am as I type this.  But how do I know my neighbor isn't watching what I do?  Because some time ago I dumped Wired Equivalent Protection (WEP) for the more robust, and unbroken as of yet, Wi-Fi Protected Access (WPA2).  WEP has been broken for several years, with a number of tools out there to exploit it.  WPA2, as of now, has yet to be broken.  Which are you using?  WPA2 Personal, a pre-share key type authentication implementation is very similar to WEP on the setup and administration side, but that is where it ends.  WPA2, or 802.11i, makes use of the AES Block Cipher, which as stated, has yet to be broken.

Now the Wi-Fi Alliance is set to launch WPS, or the Wi-Fi Protected Setup, which will make it extremely easy and versatile to deploy.  Instead of explaining it though I will let you read about it.....


0 Comments

...
Tony Carothers
Published: 2006-08-27

Tip of the Day: Standards

When I got interested in security in a more formal way than securing my unix boxes I administered in the early 90s, the first standard I found was RFC1244 (now obsoleted by RFC2196). Being technical staff in a university environment I found it overly complex at the time.

And since I'm still convinced many of us even today still think of security as a technical problem and not as the management problem it is, I'll try to promote thinking of security as a management problem:

Security in essence is managing risk.

In the late 90s I rediscovered some information security standards:
  • BS 7799 part 1
  • and a bit later BS 7799 part 2.
I learned to appreciate this as they do have interesting content to bridge the gap between the technical level that wants to fix things but often fails to see the management part and the management level that fails to understand the mechanisms and just wants it to support the business and cost as little as possible.

So what's out there from a standard point of view? And what do they address?

'7799 family

ISO17799:2005

"Code of practice for information security management"

ISO17799 was formerly known as BS7799 part 1. "BS" Stands for British Standard. It is a standard that suggests a best practice and I find it often useful to grab my copy when e.g. writing requirements for a backup system as it makes me think about a dozen things backup needs to cover and makes sure that if I leave one of them out that I did it intentionally.

I also use it when writing policies as it tells me what I should cover in the policy in addition to what I come up myself.

It exists since 1994 and has been reviewed a few times. The pitfalls I knew in the pre 2005 version are mostly out of it. It addresses a wide range of items you want to control in a corporate viewpoint. It does go into detail on how you could gain that control. But it stays away from technical details.

This standard will be renamed to ISO27002 in the future.

ISO27001:2005

"Information Security Management System Requirements" (ISMS)

ISO27001 was formerly known as BS7799 part 2. It exists since 1999. It tells you how to build a management system that manages your information security. It might seem even less technical and the size might be deceiving as it tells you to do a risk assessment for all your assets as one of the things it tells you to do. Now the implications of that are huge.

ISO27001 can be certified. A third party auditor can certify that you implemented it and it is seen as a quality label of your information security. I've seen a few RFPs that required a certificate to be able to content for the contract in the past.

The link to ISO17799 comes from the last thing to complete when doing it all and the first thing the auditor wants to see: The Statement of Applicability. It is a list of control suggested in ISO17799 that you decided you did not need with a justification for it. This does make the 100+ controls in ISO17799 somewhat mandatory, but then again they are best practices.

BS7799-3:2006

"Guideline for information security risk management"

This latest sibling if the '7799 family is "only" a British Standard at this point. BS7799-3:2006 is a set of guidelines on how to get one of the hardest parts of ISO27001 done: risk management.

It's IMHO rather thin at the moment, so unless you intend to certify ISO27001 I'd skip on it. Get another source for how to do risk management the easy way: do not go to far in the math part of it, just low/medium/high is hard enough to deal with.

Do not fear!

Get it! Read it!

While the above standards are not available for free download, do get a copy of them (legally of course). Especially the ISO17799 is a standard that is mature and can help you greatly when building an environment and when trying to expand or improve something in the existing environment.

Don't be silly!

ISO17799 is not a policy, do not copy it and say "our policy is to do this". You cannot do that as e.g. the very first control in there addresses itself to management and tells them:

"Management should set a clear policy direction in line with business objectives and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization. "

So ... read the document, read the details, e.g. that goal above has a page of explanation on how to achieve it. and then act on the steps.

Don't try it all in one step. You'll fail. Try it one step at a time, prepare for each possible step and every time try to get more in it and make sure you try to continuously improve the situation. That continued improvement is also what ISO27001 will demand of you, especially if you try to certify it.

Other standards

Security standards

There are loads of other security standards, I've by far never read all of them. And it seems that every time I look there are more of them.
  • ISO13335 is about IT security management. There are 5 parts in this.

  • ISO18004 is about incident management.

  • ISO18043, ISO18028, ISO18044, ISO15408, ISO18045, ISO18045, ISO15442, ISO15446

  • ...
There are also interesting IT related things to look into such as Cobit and ITIL (ISO 20000)

Non security

I promise to be brief but I just must point out that other things such as environment, quality, etc. do have their own ISO standards and that those standard also build management systems and that they are compatible and even reference each other. So you might and up looking at ISO14001 (envirnoment), ISO9001 (quality) etc as well.

Conclusion

Go out and buy the ISO17799:2005, you'll love it if you take the time to get to know it. And it's a good ally if you need to write policies or RFPs.
Do watch out for certification as a driver to get this in motion. It can easily lead to a monster on paper that has no impact on the real world. And therefore is a waste of time and effort. 

--
Swa Frantzen -- Section 66

0 Comments

...
Swa Frantzen
Published: 2006-08-26

Tip of the Day - Color and Bar Coded Daily Risk Analysis

We all get busy, but when it comes to performing the daily risk analysis of vulnerability & exploit information that could affect your environment do not rely on the "risk/threat" color or other graphic indicator assigned by third parties to triage the amount of information you read. Whether a third pary has assigned Green, Yellow, Red or "1 out of 4" as a "risk/threat" level, the same vulnerability & exploit information is being evaluated by your attackers.

0 Comments

...
Patrick Nolan
Published: 2006-08-26

Update for Intel(R) PRO/Wireless 3945ABG Network Connection Software bugs

Release Notes for the Intel(R) PRO/Wireless 3945ABG Network Connection update have been posted at Intel.

The release notes describe a number of bug fixes including Memory Utilization Increase issues mentioned in a Diary entry by Bojan here.

The download location for Intel® PROSet/Wireless Software version 10.5.0.1 is here.

Thanks Jack!

0 Comments

...
Patrick Nolan
Published: 2006-08-26

Haxdoor.KI Deja Vu

F-Secure has updated their description of Haxdoor.KI to note "The skyinet.info website (located in Russia) that the backdoor connects to, is now offering a URL that points to a file named samki.exe. This file contains a nasty payload that damages Windows beyond repair. This file can be downloaded and launched by a hacker to destroy all infected computers when time comes." . Their original blog alert info is here.

0 Comments

...
Patrick Nolan
Published: 2006-08-26

Reader Report from Botnet Master Christopher Maxwell's sentencing

We had a noteworthy news submission from Russ who had just "attended Christopher Maxwell's sentencing today in Seattle and at 4:45 PST in the case of the US vs. Christopher Maxwell,  Mr. Maxwell was sentenced to three years incarceration, followed by three years probation and will pay approximately $250,000 in combined restitution to DoD and Northwest Hospital. He may ultimately pay more restitution to a school district he wreaked havoc on in his adware for dollars campaign.
Ring one up for the good guys...the US Attorney Kathryn Warma was excellent and the Judge was incredibly fair and deliberate in her judgement."

More details;
"Botnet" hacker sentenced to 3 years

0 Comments

...
Patrick Nolan
Published: 2006-08-26

Aug 21 Sun JAVA patch fixes problems that May Allow Applets and Applications to Run With Unpatched JRE's installed

I didn't see much mention of this, but it's a long needed critical fix. SUN says prior to version 5.0 Update 6, an application or an applet could specify the version of the JRE on which it would run. "This issue can occur in the following releases (for Solaris, Linux and Windows platforms):

Java Plug-in included with J2SE 5.0 Update 5 and earlier, 1.4.x, 1.3.1, and 1.3.0_02 and later
Java Web Start included with J2SE 5.0 Update 5 and earlier, and 1.4.2
Java Web Start 1.2, 1.0.2, 1.0.1, and 1.0".

Advisory - Java Plug-in and Java Web Start May Allow Applets and Applications to Run With Unpatched JRE

 

0 Comments

...
Patrick Nolan
Published: 2006-08-26

Mailbag Detect info

Ed was able to send the Handlers some packets of the data he was looking at. 

The packets we received appear to be a Freebsd iso download from one of freebsd mirrors, so these particular alerts from Snort appear to be false positives.  SHELLCODE rules can generate alot of false positives, because the detect is such a simple payload.  It is more reliable to use other detection rules in conjunction with SHELLCODE rules, on order to get a full picture.  Snort.org + Sourcefire know this, and that's why the rules are disabled by default.  Finally, as with any rule in Snort, make sure to read the documentation paying particular attention to the false positive section.

As a reminder, when submitting Snort alerts, or other packets to ISC Handlers, please, we need full packet captures.  Not only alerts from Snort (such as logging in tcpdump mode), but to better assist you, we need full stream.  (Syn, Syn, Ack, Ack.. the whole conversation!)  Packets that we get that are in context (full packet capture), are 10x better then just one sided alerts.

0 Comments

...
Joel Esler
Published: 2006-08-25

Tip of the Day: Protect the Single Points of Compromise

Automation is a great thing in large environments. If an organization has to maintain thousands of laptops roving around the country, it either needs to hire lots of traveling IT guys, or use automated tools to handle patching, software loads, and installation. Manual processes on a large scale almost ensure there will be patches missed and systems compromised.

However, tools that automate installation, patching, and software installation comes with a risk. Namely, the machine or machines that control software being pushed out to machines becomes the single point of compromise in an environment.

As an example, imagine an RIS, Kickstart, Jumpstart, or other automated install server. If someone compromised this server and added a small package that included a rootkit, you would be quietly putting compromised machines on a network. For machines that push out patches or software, it wouldn't take much to quietly push out a trojan the next time Patch Tuesday comes around.

It would probably have to be an inside job, but most information intrustions are inside jobs. In the case of corporate sabotage or espionage, custom-written malware would be very likely to pass by virus scanners and spyware scanners who have to react to new malware being sent to them. If no one has ever seen it before, odds are it isn't detected.

The point? By all means, keep using automation to keep control of workstations and laptops (or even servers). However, beware that the systems you use for that automation are a single point of compromise and need to be excessively hardened and monitored for even the slightest bit of tampering. Examing and auditing what those machines put out into your environment is a must.

--
John Bambenek
bambenek /at/ gmail /dot/ com

0 Comments

...
John Bambenek
Published: 2006-08-25

Printer Hacking for Fun and Profit

Nate Johnson and Sean Krulewitch of Indiana University discovered two vulnerabilities with the Fjui Xerox Printing System.  In the United States this effects Dell branded printers (specifically the color laser 3100 and 5100).  There are Japanese printers that are affected but I don't read Japanese and I'm not sure that information has gone public on the Japanese CERT lists (if someone sees it, let me know).  Apparently one of these Japanese printers doesn't release firmware updates and customers have to pay maintenance for a technician to come out and update the firmware.

FTP Bounce Attack (CVE-2006-2112):

If FTP printing is enabled (and reportedly is by default), a vulnerability exists in the FTP PORT command that lets malicious users establish connections to ports on another system.  This would allow anonymous scanning by a hacker for reconnaissance purposes.

HTTP authentication bypass (CVE-2006-2113):

If the printer allows for HTTP access to modify system settings, a vulnerability exists to bypass the administrator password and would allow a malicious user to gain complete control of the printer.  This would include loading new and potentially malicious firmware.  (Think a small linux distro with hacking tools and SSH access.)

Remediation:

First, if you aren't using FTP printing or HTTP-based printer management, those should be turned off anyway.  If you must run them, apply vendor patches which in the case of Dell, are already available.

--
John Bambenek
bambenek /at/ gmail /dot/ com

0 Comments

...
John Bambenek
Published: 2006-08-24

Tip of the day: using host based firewall on Windows XP SP2

I'm sure almost everyone knows about the host based firewall that was added to Windows XP with the Service Pack 2. Although Windows XP had a possibility of filtering network traffic before the SP2 was released, it was rarely used as it required use of IPsec policies.

With the release of SP2, Microsoft also made a pretty brave step (let's stay on the firewall in this diary) ? the firewall was turned on by default and this inevitably caused some applications to break.

The idea of today's tip of the day is to encourage you to use the host based firewall in your corporations. I'm explicitly mentioning corporations as I noticed that in a lot of cases administrators in corporations simply turn off the host based firewall provided with SP2 because it prevents them from managing the machine remotely.

The host based firewall that comes with Windows XP SP2 is in no way perfect, but it can offer an additional layer of protection (and we all know that defense in depth is the only way to get more secure) that can help you a lot sometimes.
For example, take a look at the last month patch bundle Microsoft released. The most critical and remotely exploitable vulnerability was in the Server service (MS06-040).
Windows XP SP2 machines which were just running the host based firewall in the default configuration were automatically protected from this. Of course, these machines should still be patched (as soon as possible), but this at least gives some breathing space.

One thing that you have to be aware of is that the host based firewall that comes with Windows XP SP2 filters only inbound traffic. While this isn't as good as some commercial firewalls, it still offers decent nice protection. I won't go into why Microsoft didn't filter outbound traffic as well, but the bottom line is that if a machine gets infected with a malware, it can easily turn the firewall off (or add itself on the list of allowed programs, as many malware does today), so if you look at it this way, outbound traffic filtering isn't that important. The firewall in Windows Vista is much more powerful and does allow outbound traffic filtering.

Letting the good guys in

The biggest problem with the host based firewall not being used in corporations today is that, besides bad traffic, it also drops legitimate inbound traffic.
Typically administrators need access to IPC in order to remotely manage your machine, or they use remote desktop services to perform actions on client machines. The host based firewall effectively stops this and administrators have to rely to group policies in order to change configuration on client machines. As group policies are read only when machine is booted (with Windows XP, this is different with Vista) and remote users typically put their machines in standby, you can see why administrators don't like this.

So, in order to still have some security, I typically recommend that administrators just put holes on their client machines which will allow connection from their designated management machine or network. This way the host based firewall will still protect the machine from everything (and everyone) else and the administrator can freely manage the machine remotely.

Adding such a rule is pretty easy. On a client machine you can add this through the Windows firewall control applet for a service or port you want to allow access to and select the appropriate scope. For example, you can allow access to port 445 just to IP address 10.0.0.10, which is your management server.

Using profiles

Fellow handler Swa (who else?) noted that the bad guys might know this (for example, a disgruntled employee in your company) and then wait at local Starbucks where your employees hang, get the internal IP address for himself and attack the target machine.

Windows actually comes with a pretty nice feature for different firewall profiles. In GPOs, an administrator can define different rules for the "Domain Profile" and different rules for the "Standard Profile".
Windows has a NLA (Network Location Awareness) service which determines where the machine is, and applies appropriate policy for the host based firewall:



Now, NLA will use the connection-specific DNS suffix to determine where your machine is. If it matches your domain, the Domain Profile will be used. Otherwise, the Standard Profile is used (you can check the connection-specific DNS suffix with the ipconfig command). So all you have to do now is setup rules you need for administration in the Domain profile, while completely closing machine in the Standard profile.

A bad guy could still spoof an Access point on a wireless network, for example, and have his own DHCP server to issue fake information to you, but this indeed raises the bar a bit.

Command line kung-fu

Seeing that command line kung-fu is very popular with our readers, I'd just like to end this tip of the day with some nice command line options you can use to configure the host based firewall on Windows XP SP2.

You have full firewall configuration options through the netsh command interface. This is very useful when you want to create a batch file which will open or close some ports on your machine.
I've used this to open the host based firewall to only one IP, so the anti-virus product we had was able to communicate with the client machines (poll their status, tell them to update definitions, etc).

So, let's say that you want to open port 10000 to the IP address 10.0.0.10, where your AV server is. This can be easily done with the following command line:

netsh firewall add portopening TCP 10000 Anti-Virus ENABLE CUSTOM 10.0.0.10

You can script this easily to do whatever you want. Just be aware of the limitation ? you can't have port ranges so you'll have to open every port separately, in case you need to open more ports.


If you have some neat tricks with the Windows XP SP2 host based firewall let us know, and I'll update the diary with the best tips we receive.

0 Comments

...
Bojan Zdrnja
Published: 2006-08-24

Wireshark (ex Ethereal) multiple vulnerabilities

Multiple vulnerabilities have been reported in Wireshark dissectors (dissectors are Wireshark modules which analyze particular protocols – hundreds of protocols are supported), as usually. Reported vulnerabilities can cause a denial of service (resulting in Wireshark crashing), but also remote execution.

The SCSI, DHCP and SSCOP dissectors are affected. Besides these dissectors, the IPsec ESP preference parser is also affected, when Wireshark is compiled with ESP decryption support (this is probably the case in most installations).

The new version (0.99.3), available at http://www.wireshark.org/download.html, fixes all these vulnerabilities.

If, for some reason, you can't upgrade, some workarounds are available at http://www.wireshark.org/security/wnpa-sec-2006-02.html (the original advisory). Basically, what you can do is turn off dissectors for affected protocols and disable ESP decryption.

0 Comments

...
Bojan Zdrnja
Published: 2006-08-24

* MS06-042 reissue

The anxiously awaited reissue of the patch from bulletin MS06-042 is now live.  Time to re-apply the patch on Internet Explorer 6 Service Pack 1 for Windows XP Service Pack 1 (all versions) and Windows 2000 (all versions)

0 Comments

...
Jim Clausing
Published: 2006-08-24

Problems with Intel wireless drivers

Three weeks ago Johannes wrote a diary (http://isc.sans.org/diary.php?storyid=1535) about vulnerabilities in Centrino device drivers for Windows and the PROSet management software.

Update: Intel is telling customers that a patch should be ready within 2 weeks (thanks Matthias).

Intel initially issued a big file (100MB) that you had to download, but at least it upgraded everything on your machine, if it needed upgrades.
After rebooting in the next few days I noticed that my machine is a bit slower then it was. A look at Task manager output, or excellent Process Explorer from Sysinternals showed that a process called S24EvMON.exe is using quite a bit of CPU, as you can see below.



That process gets started by the Intel(R) PROSet/Wireless Service, which is used to manage the wireless card.

After battling with this, and as I was going to a conference, I went to Dell's web site and noticed that they released their own version of drivers. Hoping that this will fix the problem, I downloaded another 90MB to find out that Dell's drivers have the same problem.
I initially thought that there is maybe something else on my machine causing this, but as news started spreading around, it looks that everyone with (at least) 2915ABG/2200BG wireless cards is affected. F-secure posted this in their weblog as well: http://www.f-secure.com/weblog/archives/archive-082006.html#00000954.

So, you might ask: what do we do now? I would recommend that you install the patches. If you don't use wireless normally you can stop the four services that Intel software needs (Intel(R) PROSet/Wireless Event Log, Intel(R) PROSet/Wireless Registry Service, Intel(R) PROSet/Wireless Service, Intel(R) PROSet/Wireless SSO Service). I put them on manual so they don't start automatically, but if I need to connect to a wireless network I can manually start them.
This way you at least won't be vulnerable, but your machine will be a bit slower due to bugs in these services.

Let's hope Intel will release a fixed version soon.

UPDATE:

The easiest way to start and stop these services (so you actually run them only when you really need them) is to create a batch file that will do this job for you (so you don't have to click manually on all 4 of them).  You can use the sc start and sc stop commands to perform this for you.
Thanks to reader Paul for reminding us about this.

UPDATE 2:

Olli, Steve and Andrew wrote to tell us that they don't use Intel's utilities to manage their wireless card. Indeed, you can use the built-in Windows Wireless Zero Config service, in which case you only need to patch the driver for your wireless card, so you are not vulnerable. As the problem with CPU/memory leaks are in the management service, this is an effective workaround at least until the management service is fixed.
While the built-in configuration service works ok, I personally like Intel's utilities as they give you quite a bit more control over the wireless card and have pretty good monitoring programs (which sometimes come very handy, when you are troubleshooting problems with the wireless card).


0 Comments

...
Bojan Zdrnja
Published: 2006-08-23

Cisco Advisories

Seems Cisco VPN concentrators can be played with over FTP. Why anyone would want to allow FTP to their VPN concentrator escapes me though. See http://www.cisco.com/warp/public/707/cisco-sa-20060823-vpn3k.shtml
Another one you sure are also going to like is a Cisco advisory with a truly lovely title. They call it "Unintentional Password Modification Vulnerability in Cisco Firewall Products". I wonder if there is a vulnerability that allows intentional password modification. Or an unintentional feature that allows the same. But oh well: http://www.cisco.com/warp/public/707/cisco-sa-20060823-firewall.shtml has the details of an apparently rare glitch that can make PIXes and ASAs lose their EXEC password.


0 Comments

...
Daniel Wesemann
Published: 2006-08-23

PHP Security Update

In response to yesterday's tip of the day on PHP security, a number of readers wrote in to point to the minutes of a PHP developer meeting, discussing upcoming changes in PHP 6. Now PHP 6 may seem far away. But you can't start early enough to think about how to make sure project work well with it.

From a first read, I am not quite happy with the security related changes. But the document is brief and may not explain all the details. So here a few of the security related highlights.
  • Dealing with Unicode. Not directly security related. But this could affect some validation functions. Overall there appears to be a global switch covering how to deal with unicode.
  • register_globals is going to go away (Finally ;-) ). This option, which "way back" used to be the default, has been one of the big problems in the past.
  • magic_quotes is going to go away. Not sure if I like this. 'magic_quotes' has been an issue for developers who had no control over the php configuration (e.g. shared hosting) and had to cover both cases (quotes on/off). But it has been a valuable safety net for others.
  • safe_mode feature is going to be removed. Another questionable choice IMHO. The feature had problems in the past, but then again, I would rather see them fixed then have them go away.
  • the SOAP extension will support more security options. But it will also be turned on by default.
  • the "Hardened PHP patch" will be included (at least pieces of it. Nice!).
  • looks like there will be no 'taint' mode, but there may be 'sandboxing'. The notes are a bit brief on this.
  • No more '<%'. This could be an issue if your PHP code is using '<%' and will now no longer be parsed, but instead the source code will be visible.
So thats the quick summary of the (already quite brief) document. For a more detailed discussion you will likely have to check the PHP developer mailing lists. I am not that familiar with PHP politics, so I am not sure how flexible these changes are. There are PHP 6.0 development snapshots available at this point. But at least to me, PHP 5 is still quite new ;-). PHP has had a good history of supporting older versions, so there is no reason to panic quite yet.

For the full document, see Minutes PHP Devlopers Meeting.

0 Comments

...
Johannes Ullrich
Published: 2006-08-23

More on encoded malware

ISC reader Jan Monsch was sufficiently intrigued by today's diary entry on "Decoding Malware" that he started experimenting on his own. By the simple expedient of saving a Word document with an embedded "EICAR" file in different formats and running the resulting files through VirusTotal was he able to show that ... quite a number of AV programs seem to have BIG problems with decoding even the simplest text based file formats. As Jan correctly writes:

Apart from having lots of up-to-date virus patterns the quality of a virus scanner is to a large extent defined by the number of formats it is able to decode.

As it turns out, only two AV programs were able to spot the EICAR in all seven of the functionally equivalent MSWord formats. The full 15-page PDF with Jan's analysis can be found on http://www.iplosion.com/isc/alternativ_word_formats_v2.0.pdf , or rather, because this box seems to sit on the far end of a very slow connection, as a locally mirrored copy here on http://handlers.sans.org/dwesemann/alternativ_word_formats_v2.0.pdf

[Update 1656UTC: We've had two reports that testing with locally installed AV yielded different/better results than the ones reported by Virustotal for the same AV product]

[Update 2151UTC: The author and we are well aware that in order to _run_, the malware/eicar would have to be unpacked from the Word document, and that  AV would likely catch it then. This isn't about virus detection on the endpoint, it's about evading detection by proxy and email gateway anti-virus filters on the way _to_ the endpoint.]

0 Comments

...
Daniel Wesemann
Published: 2006-08-23

Tip of the day: Test, don't ping

Ping is the all-time favorite of "monitoring" in IT. Looking at network traffic on the job, I have seen servers being pinged by various "monitoring" tools all across the enterprise no less than every second or so. I usually refer to this as "theft prevention", because the "monitoring" application will - if at all - only turn "red" if someone grabs your box and walks away with it. It ain't no secret that true monitoring requires that you monitor the key functionaliy, and not the existence, of a device.

While this concept is increasingly in use for operational (service availability) monitoring, it seems to me this hasn't quite caught on yet for the monitoring of security filters. Experience tells that security filters which you think are in place but aren't, or are not working anymore, make for nasty surprises. Here's a few hints on how to avoid them:

Case #1: Proxy Anti-Virus
If you have a proxy server that is supposed to do AV filtering, a simple script that pulls an EICAR test file through the proxy can go great lengths in detecting whether the AV is still working. It won't tell you if the patterns are up to date, but it WILL tell you if, for example, the AV process has crashed and the solution is in "fail open" state.

Case #2: Proxy URL Filtering
If there is something in place that supposedly should keep your users from going to www.morelength.porn, then having a script that tries exactly this access can tell you if your URL filter is working as desired.

Case #3: Proxy Content Filtering
If your proxy is configured to prevent downloads of, say, files with .scr extension, trying to grab such a file through the proxy makes a good test, too. Not that I advocate blocking by extension only, read my earlier post on "Decoding Malware" to see how current malware avoids extension and content filters. But if having such a block is part of your defense strategy, testing that it still works should also be part of it.

Case #4: EMail Content Filtering
Pretty much the same as #3, but due to the load of spam and virii on the email side, content and extension based blocking still makes a lot of sense here. If you can get away with it, even better are white lists that only allow a pre-defined set of attachment types. In any case, testing that these filters still work as advertised is highly recommended. You can set up an external server to send "known blocked" email types against your mail gateway. You can even address such test emails to the operations or abuse team mailbox, and if they ever get one of the test mails complete with attachment delivered, they know right away something is broken  (test mails which have been filtered correctly can be moved into a folder automatically, so they dont clutter the inbox)

Case #5: EMail Anti-Spam and Anti-Virus
Trying to send inbound EICARs and GTUBEs via email, following the same approach as above, will tell you if your spam filter and AV are doing their job as desired.

If you have some neat feat to share on how you test the working condition of your security filters, please let us know and I'll update this diary later today with the best tips we receive.

0 Comments

...
Daniel Wesemann
Published: 2006-08-23

Decoding malware

When ISC handler Bojan Zdrnja mentioned a "pretty interesting piece of malware" he had found, those of us who like to analyze and reverse-engineer such critters immediately jumped onto it.

The malware was talking to a handful of servers over HTTP to fetch additional content, and only by faking user agent headers to look exactly like the malware was setting them was Bojan able to retrieve the additional files. The files he got were "big strings" of ASCII character sequences which Bojan quickly figured out how to decode/translate from the Ceasarean substitution cipher into URLs. But when requesting one of these URLs, all he got was another messy big string, and one whose coding method was different:

FOEJIDBDBABDBDBDBHBDBDBDOMOMBDBDKLBDBDBDBDBDBDBDFDBDBDBDBDBDBDBDBDBDBDBDBDBDBDBD
BDBDBDBDBDBDBDBDBDBDBDBDBDBDBDBDBDBDBDBDNLBDBDBDBNAMKJBNBDKHBKNODCKLBCFPNODCEHHL
HKGADDGDGBHMHEGBHCHODDHAHCHNHNHMGHDDHBHGDDGBGGHNDDHKHNDDFHFMEADDHOHMHHHGDNBOBOBJ
DHBDBDBDBDBDBDBDBGMODBNBAMBABABEFOELELFDFGEKFHFCEKFFFNFBEKFFFAFCELACANBGBHBAEKBE
AMBEBDBDBDBDBDBDBDBDBDBDBDBDBDBDBDBDBDBDFCKPFPICBDBDBDBDBDBDBDBDBDBDBDBDBDBDBDBD
EDFGBDBDFPBCBABDKKGNNFFHBDBDBDBDBDBDBDBDPDBDBMBCBIBCBFBDBDJDBDBDBDADBDBDBDEDBCBD
[...]
KHBKNODCKLBCFPEHHLHKGADDGDGBGMOIOMOMHMHEGBHCHODDHAHCHNHNHMGHDDHBHGDDGBGGHNDDHKBB
FHFMEADDHOHMHCOMNCONHHHGDNBOBOBJDHFAGEPFNGHDCAJELICABANLCEMMOOFLIILECACBBEKDIILG
CACCMIILLCCACEJMCOOFMLLMBMHDLHKBBEHJLHKLBMCAJELJNCNFIFNOCAKMECILCLDEKOCECPKBOEKC
KNBEEBHKHAHLEEKIEDFGHMJEGOKIFPBCOGLDGNNFFHAAPDNODCBIBCAOKIBGKKBFBKLFADBHAAGJOEHP
OFKKMEBHADBAAABKADBMAOKBIIGOMKBEBDDDBGDEDJBBBDEKKBHGHMBBBEBFDNOPFCFFMIBAFMKHPOAD
BGBDHPBIAGKFBIIDHHFLBBANNBBNMIOPDNGHHGGLGHCLONIDBCILODHNONMMIIBDBHPDDNHHHCGHHCGL
KJBAOIOPAMNIIFBABDDANDEAHLHCGBHGHHIHIOPPKLDHCGCLMDBHDDDEKCNKPOPOODDNDGHPHMHAMILN
(broken up for readability here - the original was one single long line with no CR/LF)

At first, we were convinced that the long string we were looking at was just another collection of URLs. But all the pattern matching we could cook up did not turn up anything looking like an encoded URL. So it was time to try a different approach - statistical analysis. Counting characters and character sequences can frequently tell something about the code or cipher used.

Starting with how many different "single" characters were in the cipher:

daniel@debian:~$ cat bigstring.txt | perl -ne 's/\s//g; s/(.)/$seen{$1}++/eg; foreach $c (keys %seen) {print "$seen{$c} $c\n"}' | wc -l
16

Hmm. Sixteen different chars. Let's see how many different two-character sequences we have:

daniel@debian:~$ cat bigstring.txt | perl -ne 's/\s//g; s/(..)/$seen{$1}++/eg; foreach $c (keys %seen) {print "$seen{$c} $c\n"}' | wc -l
256

Well well, another power of two. This can't be coincidence :-)

daniel@debian:~$ cat bigstring.txt | perl -ne 's/\s//g; s/(....)/$seen{$1}++/eg; foreach $c (keys %seen) {print "$seen{$c} $c\n"}' | wc -l
13160

Four-character sequences, on the other hand, don't seem to be anything special, what with 13160 different ones in the file. So most likely what we are dealing with here is a code that translated two-byte hexadecimal chars into a different alphabet. Let's see the 16-char alphabet and related frequency:

daniel@debian:~$ cat bigstring.txt | perl -ne 's/\s//g; s/(.)/$seen{$1}++/eg; foreach $c (keys %seen) {print "$seen{$c} $c\n"}'
4077 A
3523 F
3415 J
3496 O
3380 N
4108 P
3361 K
6790 B
3332 E
4334 H
3338 M
4718 C
6530 D
3623 I
3730 G
3781 L

Hmm. The frequencies dont help anything, but these are the first 16 chars of the alphabet. Maybe someone was lazy and did a simple substitution of the 16 hex values into the first 16 chars of the alphabet - which would mean that an "A" is 0, a "B" is 1, etc until "P" which would equal 0xF - 15 in Hex.  Trying this hypothesis on the file meant to convert the sixteen characters found in the file into their corresponding value. Done quick and dirty in PERL, this meant subtracting 65 from the ASCII code of each of the characters (65 is the ASCII code of "A" - consequently ascii(A)-65 equals 0, as desired):

daniel@debian:~$ cat bigstring.txt | perl -ne 's/(.)/printf "%x",ord($1)-65/ge' > stage1.txt

which had the resulting "stage1" file look something like this:

5e4983131013131317131313ecec1313ab1313131313131353131313131313131313131313131313
1313131313131313131313131313131313131313db1313131d0ca91d13a71ade32ab125fde32477b
7a603363617c7461727e3370727d7d7c673371763361667d337a7d33575c40337e7c77763d1e1e19
371313131313131316ce31d10c1010145e4b4b53564a57524a555d514a5550524b020d1617104a14
0c1413131313131313131313131313131313131352af5f8213131313131313131313131313131313
435613135f121013aa6dd5571313131313131313f3131c1218121513139313131303131313431213
[...]

These were still hex values. In order to translate them into the corresponding characters, another line of PERL-fu had to be applied:

$cat stage1.txt | perl -pe 's/(..)/chr(hex($1))/ge' > stage2.bin

This line takes the hex codes from the "stage1" file and converts them into one-byte characters.

Taking a look at the resulting "stage2.bin" file with a hex-dumper, we got:

daniel@debian:~$ hexdump -C stage2.bin | more

00000000  5e 49 83 13 10 13 13 13  17 13 13 13 ec ec 13 13  |^I..........ìì..|
00000010  ab 13 13 13 13 13 13 13  53 13 13 13 13 13 13 13  |«.......S.......|
00000020  13 13 13 13 13 13 13 13  13 13 13 13 13 13 13 13  |................|
00000030  13 13 13 13 13 13 13 13  13 13 13 13 db 13 13 13  |............Û...|
00000040  1d 0c a9 1d 13 a7 1a de  32 ab 12 5f de 32 47 7b  |..©..§.Þ2«._Þ2G{|
00000050  7a 60 33 63 61 7c 74 61  72 7e 33 70 72 7d 7d 7c  |z`3ca|tar~3pr}}||
00000060  67 33 71 76 33 61 66 7d  33 7a 7d 33 57 5c 40 33  |g3qv3af}3z}3W\@3|
00000070  7e 7c 77 76 3d 1e 1e 19  37 13 13 13 13 13 13 13  |~|wv=...7.......|
00000080  16 ce 31 d1 0c 10 10 14  5e 4b 4b 53 56 4a 57 52  |.Î1Ñ....^KKSVJWR|
00000090  4a 55 5d 51 4a 55 50 52  4b 02 0d 16 17 10 4a 14  |JU]QJUPRK.....J.|
000000a0  0c 14 13 13 13 13 13 13  13 13 13 13 13 13 13 13  |................|
000000b0  13 13 13 13 52 af 5f 82  13 13 13 13 13 13 13 13  |....R¯_.........|
[...]
000001c0  46 43 4b 23 13 13 13 13  13 43 12 13 13 03 13 13  |FCK#.....C......|
000001d0  13 13 13 13 13 17 13 13  13 13 13 13 13 13 13 13  |................|
000001e0  13 13 13 13 93 13 13 f3  46 43 4b 22 13 13 13 13  |.......óFCK"....|
000001f0  13 93 13 13 13 73 12 13  13 69 13 13 13 17 13 13  |.....s...i......|
00000200  13 13 13 13 13 13 13 13  13 13 13 13 53 13 13 f3  |............S..ó|
00000210  3d 61 60 61 70 13 13 13  13 03 13 13 13 f3 12 13  |=a`ap........ó..|
00000220  13 11 13 13 13 6d 13 13  13 13 13 13 13 13 13 13  |.....m..........|
00000230  13 13 13 13 53 13 13 d3  13 13 13 13 13 13 13 13  |....S..Ó........|
00000240  13 13 13 13 13 13 13 13  13 13 13 13 13 13 13 13  |................|

While this might still look like gibberish to some of you, folks who have looked at malware binaries in a hex dump before will notice the same we did: This sure does have the same structure as an UPX compressed EXE binary - with the difference that normal binaries don't have a file header full of "0x13" but rather a "0x00" in those places, and that "normal" EXEs also start with the tell-tale "MZ" byte sequence and not with "^I".

The simplest trick in the book to get to "0x00" from "0x13" is a binary XOR operation. XOR-ing something with the same value twice in a row yields the original byte again, so let's try a XOR with 0x13 to get from 0x13 back to 0x00:

daniel@debian:~$ cat stage2.bin | perl -pe 's/(.)/chr(ord($1)^0x13)/ge' > stage3.bin
daniel@debian:~$ file stage3.bin
stage3.bin: MS-DOS executable (EXE), OS/2 or MS Windows

Yee-Hah! The resulting decoded file is indeed an UPX packed windows binary. 

Looks like the days are over when a running malware foolishly gave away its presence by trying to download additional components in EXE form.  First, we had EXEs, then EXEs with JPG extension, then EXEs with JPG header - and now plain ASCII blobs. The task of your perimeter (proxy) anti-virus filter has just gotten a couple notches more daunting.

-- Daniel Wesemann

0 Comments

...
Daniel Wesemann
Published: 2006-08-22

More MS06-042 woes

The hotfix for MS06-042, which was supposed to be released today, has been delayed. Worse: It turns out that MS06-042 introduced a new security problem. The crashes everyone is having so much fun with are just the tip of the iceberg. The issue can also be used to execute arbitrary code. In particular, note that MSFT's advisory essentially tells you how to exploit the issue. Exploits will likely follow very soon (days?).


At this point, we recommend:
  • Keep MS06-042 applied if you can. It fixes more bugs than it creates.
  • If you are having problems with internal web sites that can no longer be used: Restrict MSIE to be used internally only.
  • Use Firefox/Opera or other browsers for now.
  • "SandboxIE" can be used to protect your system from damage caused via MSIE.
  • If you establish a "No MSIE" policy, you can use the snort rule below to detect accidental policy violations.
Snort Rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
(content: "|0D 0A|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0";)
Links:
http://isc.sans.org/diary.php?storyid=1611 (updated patch matrix)
http://research.eeye.com/html/alerts/AL20060822.html (EEye Alert regarding the code execution)
http://www.microsoft.com/technet/security/advisory/923762.mspx
http://blogs.technet.com/msrc/archive/2006/08/16/447023.aspx (MSRC blog article regarding MS06-042 issue, dated Aug. 16th).
http://blogs.technet.com/msrc/archive/2006/08/22/448689.aspx (latest MSRC blog)
Sandboxie
 

0 Comments

...
Johannes Ullrich
Published: 2006-08-22

Tip of the Day - PHP Security

For all of us here coding in PHP (Motto: Input validation is for people who can'tdo forensics), I put together a couple of configuration tips to provide an extra layer of security. Now while all of your own applications are of course bug free and will never get exploited, you just may have to use some third party code once in a while.

php.ini choices:

The following options should be no-brainers and are the default choices for current php installs:
magic_quotes_gpc = On
register_globals = Off
The first option will automagically escape all quotes, taking essentially care of 90% of your SQL injection worries. The second part will prevent creative users from adding their own variables without you explicitly requesting them. Extra super secret tip: You probably want to get rid of any php application that breaks after you turn off register_globals. 

For some extra credit, you can play with 'safe_mode'. But read the instructions carefully. safe_mode is something you best enable before starting to code, as it can be tricky to enable it for an existing application.

/tmp partition:

Most php exploits need a bit of space to pull down additional code. Now we don't allow our web server to write files just anywhere. But if you are an exploit, you always got /tmp to use as your "scrap space". Probably the most effective defense against php exploits is to make /tmp its own partition and make it non executable. (and while you are at it, read Swa's tip about mount options). Don't forget to make /usr/tmp and /var/tmp a symlink to /tmp. Any other directory that has to be writable by Apache should be placed on this partition. You don't have to repartition your system. Just use a loopback file.

Honeytokens:

The two tips above should protect you from most of the automated codes thats running around the net these days with not too much effort on your side. After all, you need to get back to coding quickly. So how do you keep the more pesky little kids aways from exploring the underbelly of your applications? Now this is where a little bit of IDS and automated response can go a long way. First of all, lets talk dirty for a bit: robots.txt. As the name implies, robots.txt is for 'bots. But then again, some web developers associate magic powers with it and expect it to cloak all files listed in it from all bad influences. Now yes, this may be true. But did you use the key stroke associated with "magic spell" as you edited the file in vi? If not: your files are still all visible and robots.txt can provide a roadmap to an attacker. Consider this robots.txt file pulled from some random website:
User-agent: *
Disallow: /adminpage.php

Now where would you go today attacking this website?

Simple lesson: Add a good looking file like this to your robots.txt file, with a little twist: "adminpage.php" should not unlock all your secrets. Instead, have it send you a quick e-mail and maybe have the IP added to a shun-list if this page is hit. (Extra credit: Find out how to get yourself locked out of isc.sans.org for the next week... so no playing in the dirt while pretending to wear a white hat).

More Extra Credit:

We all love extra credit. So here a couple more pointers:
  • chrooting apache/php. Not for everyone, but a very nice extra layer. Quick tip: If you still want to send email from php, look for a program called mini_sendmail.
  • mod_security. very nice IDS/IPS style extension for Apache.
  • swatch to monitor your log files.
  • disable extensions you don't need.
And now its time for our commercial break. If you want to know more about securing MySQL, Apache and PHP, see me in Vegas in October.

Reader additions:

Richard recommends "mod_evasive" as another Apache module to consider:

"In addition to mod_security (which I think is tricky to configure well) I'd recommend mod_evasive. This tool which used to be called mod_dosevasive blocks any IP that makes too many identical requests. For pages that are CPU intensive (which PHP often is) blocking these requests can be a big win.
http://www.zdziarski.com/projects/mod_evasive/"

Sounds like a nice idea.



----
Johannes Ullrich.

1 Comments

...
Johannes Ullrich
Published: 2006-08-21

Amazon Woes

Just got a message from Eric Haskins pointing out that www.amazon.com is having troubles.  Surfing there indicates:

"We're sorry!

An error occurred when we tried to process your request. Rest assured, we're already working on the problem and expect to resolve it shortly.
If you were trying to make a purchase, please check Your Account to confirm that the order was placed.

We apologize for the inconvenience. "

Looks like my wife's one-click-shopping habit (a.k.a., crack for geeks) will be on hold for a bit.

Interesting, fellow handlers Swa "I'm software, not human" Frantzen mentions that the various country Amazon.com sites are down too, except for Japan.

--Ed Skoudis
Intelguardians

UPDATE:

Now, amazon.com looks OK from a whois lookup at www.internic.net (record points to Network Solutions) and from a Network Solutions whois lookup. 

I just now checked, and they seem to be back up...  so, intermittent problem fixed?  For now...  It's not the end of the world.

--Ed Skoudis
Intelguardians

0 Comments

...
Ed Skoudis
Published: 2006-08-21

Hack Bill Challenge Winners Announced

A fellow handler, whom I call Ekim Roop, wrote a challenge based on the Tarantino "Kill Bill" movie about a month ago.  Today, he posted the winners of this challenge.

If you are interested in securing sudo, ssh, and pgp/gnupg on Linux, learning a bit more about Bill Stearns' apptrace program, or reading a Kill Bill themed challenge, read the results here.

By the way, I was surprised to see old Ekim write a challenge called "Hack Bill" that did not mention Microsoft at all.  What restraint!

0 Comments

...
Ed Skoudis
Published: 2006-08-21

Tip of the Day - Like a Kid in a WMIC Candy Store

A long time ago, in a galaxy far, far away (actually, it was about 5 months ago, and I was in the same geographic location), I wrote a diary about WMIC.  For the uninitiated, WMIC is the Windows Management Instrumentation Command-line, an amazing tool for managing Windows boxen at a very fine-grained level.  You can read my previous diary for some ideas I compiled from readers like you on using WMIC to support incident handling.

My previous WMIC article, however, was very focused on attributes of a Windows box… listing them, reading them, and even tweaking a few.  The areas that WMIC can interact with are called aliases, and there are a bunch of them, such as process, os (operating system), nteventlog, startup, etc.  Each of these has its own set of attributes.  To get a list of aliases supported by WMIC, you can do this:

C:\> wmic /?

Then, to get a list of attributes and all of their settings for a given alias, type:

C:\> wmic [alias] list full

But, WMIC is object-oriented, you see, so you've got attributes and methods.  Attributes are cool, letting you get info about your box and tweak it a bit, but methods let you take action on a box, giving you real power.  And, with great power comes great responsibility, as we all know.

To illustrate the difference, consider the sky.  It has attributes (cloud cover, color, etc.).  If Microsoft implemented a WMIC alias for the sky*, you might be able to check your weather by doing something like this:

C:\>  wmic sky list full

Or, even:

C:\> wmic sky where location="NYC" get cloudcover

But, what if you could have methods for the sky?  That would give your real power.  Why, you might be able to do something like this:

C:\> wmic sky call scorch

Now, that would be scary.  Note that you invoke methods using the "call" syntax.

* As far as I know, the sky alias for WMI was originally planned for Windows Vista, but was dropped or majorly tweaked like so many other things.

It occurs to me that, if you were a Jimi Hendrix fan, you could run:

C:\> wmic sky where haze="purple" call kiss

(Sorry, I couldn't resist.)

So, musings about the sky alias aside, let's look at some fun methods we can call for various attributes of Windows.  Keep in mind, that to get a list of methods you can call for any given alias, you could run:

C:\> wmic [alias] call /?

First off, one of the annoying things about "wmic process" is that it doesn't have an attribute for the owner of the process.  But, what the Big Softie left out in attributes, he gave us in methods:

C:\> wmic process where name="cmd.exe" call getowner

Or, even:

C:\> wmic process where name="cmd.exe" call getownersid

Nice!  (Note... Thanks Robert for the pointer about fixing the badly pasted double-double quotes... they are fixed now).

Second, how about this?  Want a built-in command to reboot or shutdown a Windows box (that can even work across the network… see my old article for making this stuff happen remotely)?  Try this (make sure you've saved all work in any running applications first!):

C:\> wmic os where buildnumber="2600" call reboot

Or, replace "reboot" with "shutdown" if that's what you want.  Note that I've found that I have to specify a where clause in the "wmic os" alias whenever I call a method to identify a specific instance, even though there is only one operating system.  Other WMIC aliases don't require the precision of referring to a specific instance, but os does.  Go figure.  Note that on a WinXP box, I refer to the build number, because, for whatever reason, it is easy for me to remember that one.  ;)

Third, let's get into network stuff.  Here's a handy one for getting MAC addresses (and remember, it can be run remotely, too!):

C:\> wmic nic get macaddress

I know, I know… that is attribute oriented.  But I like it… a lot.  You want interface-related methods?  Check these out:

C:\> wmic nicconfig call setdefaultttl 200
C:\> wmic nicconfig call settcpwindowsize 3212

Those change the IP TTL and TCP Window size from default settings to something else, possibly fooling some forms of passive OS fingerprinting.  Be careful with them, though... changing those settings could hose your network performance, make your system ugly, and make your hair fall out.  You have been warned!

Fourth, how about some event log stuff?  To clear the security event log, you could:

C:\> wmic nteventlog where (description like "%secevent%") call cleareventlog

Or, if you just want to get certain kind of events (I'm going to go all attribute on you here again) like those associated with logging onto the box:

C:\> wmic ntevent where (message like "%logon%") list brief

Fifth, here is one that could be useful for handlers:

C:\> wmic netlogin where (name like "%skodo") get numberoflogons

Replace skodo with any other name you are interested in, and it'll show you the cumulative number of times they've logged in to that box historically.  One thing that bothers me here is that WMIC refers to "netlogin" with an "i".  Whenever I write articles and stuff, I always try to use the word "login" when referring to Linux/UNIX and the word "logon" when referring to Windows.  It drives my editors nuts, but it is how these actions are typically referred to in each operating system.  But, here we have a Windows command referring to that action as "login".  Spooky, I tell ya.

-------------

So, enough of my stuff… I'd like to hear from you.  What WMIC methods have you found useful or interesting?  Send them to me, and if they tickle my fancy, I'll summarize them and post them throughout the day.

UPDATE:

ISC reader D. Alan Ridgeway points out that you can use methods associated with "wmic service" to change the service configuration, as in:

C:\> wmic service where (name like "Fax" OR name like "Alerter") CALL ChangeStartMode Disabled

While that is true, I personally prefer the syntax of the sc command.  Still, I could foresee circumstances where the sc command is kaput (and the Services Control Panel is really messed up), so having this option in our WMIC arsenal is helpful.  Thanks, Alan, for the tip!

UPDATE 2:
Fellow Handler Daniel "I beat your CtF game" Wesemann wrote in:

"My favorite:

C:\> wmic /node:box.domain.com qfe where "not description like ''" get description,hotfixid,installedon   [like followed by two single qutes]

to quickly verify if a certain box has a certain patch and when it got applied, rather than to have to tediously log into the patch mgmt system first."

Good stuff, Daniel... thanks...  And your where clause does help to clear out some clutter from the output (although it's rather long to type...)

Another item we got from a mysterious reader desiring some semblance of anonymity involves hunting down apps that shouldn't be used in their enterprise, like file sharing apps.  Writes this mystery person:

"[I really like] the "wmic process" domain, mainly to doublecheck after an IDS alert if a user is
indeed trying to run kazaa or the like before i call him for personal counseling." -- Mysterious Person

ISC reader Matt Wagner has some good ideas, again attribute focused, but useful in spotting discrepancies:

"No methods here, but useful WMIC queries that I have my desktop support folks do to spot any obvious problems when they are working on troubled machines.  They usually run them from a batch file and pipe the output to a text file on the network.  Keep in mind that batch scripts use "%" as escape characters, so you need two of them when doing a "LIKE" condition.

//Spot odd executables
C:\> wmic PROCESS WHERE "NOT ExecutablePath LIKE '%Windows%'" GET ExecutablePath

//Look at services that are set to start automatically
C:\> wmic SERVICE WHERE StartMode="Auto" GET Name, State

//Find user-created shares (usually not hidden)
C:\> wmic SHARE WHERE "NOT Name LIKE '%$'" GET Name, Path

//Find stuff that starts on boot
C:\> wmic STARTUP GET Caption, Command, User

//Identify any local system accounts that are enabled (guest, etc.)
C:\> wmic USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name" -- Matt Wagner

Nice stuff, Matt.  I really like the startup alias... it's pro'lly my third favorite (after process and qfe).

FINAL UPDATE:
Well, that's it for me for today.  Thanks for the fun adventures.   I  appreciate all of your helpful comments and insights today.

Get a good rest tonight.  You just might need it.

See you next time!

--Ed Skoudis
Intelguardians

0 Comments

...
Ed Skoudis
Published: 2006-08-20

FAQ on PowerPoint 0-day

As was reported yesterday, there seems to be a new issue with PowerPoint.  Reader Juha-Matti has put together a comprehensive FAQ about the situation.  He is soliciting comments via his FAQ page, see the links at the bottom.  More details coming as this develops.

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

...
Marcus Sachs
Published: 2006-08-20

Tip of the Day - Home Wireless Gateways

Today's tip focuses on small office/home office (SOHO) wireless routers.  As most of our readers probably know, I teach SANS Security Essentials (SEC 401) about five times a year at the large SANS conferences.  We always get into a sidebar discussion at some point about how to safely configure your home wireless router or gateway.  So I thought that the ideas we've come up with over the past few years would be good for discussion here.

I'll use my home system as an example.  After all, practice what you preach, right?  :)

I am on a cable modem system and also have access to a fiber optic service provided by the local telco.  To simplify things, let's just assume that I have one ISP.  Dual-homing in your house tends to upset the residential ISPs so therefore let's don't go down that road today.  I am in a "normal" suburban neighborhood, average sized wood frame house, two levels above ground plus a basement, garage, porch, etc.  Nothing fancy but perfect for building a home network.

In a "typical" setup the cable modem connects to a SOHO wireless router.  Wired and wireless hosts are behind the SOHO router and get their IP addresses, DNS settings, etc. from the router via DHCP.  Being the geek that I am, there are two SOHO routers in my basement, one wired (connected to the cable modem) and one wireless (connected to the wired router.)  By using two devices I can create a separately numbered wireless LAN.  Also, I have an old two-port  router that connects to the wired SOHO router, and behind that old router is my test network on its own subnet.  My IP subnetting looks like this:

68.x.y.z - wired SOHO router, low (WAN) side
192.168.1.1 - wired SOHO router, high (LAN) side
       192.168.1.11..15 - DHCP assigned wired hosts
       192.168.1.200 - printer
192.168.1.2 - old two port router, low side
       192.168.2.1 - old two port router, high side
       192.168.2.21..25 - test computers with fixed IP addresses
192.168.1.3 - wireless SOHO router, low side
       192.168.3.1 - wireless SOHO router, wireless side
       192.168.3.31..35 - DHCP assigned wireless hosts

By using discipline in subnetting I have a much easier time troubleshooting problems, plus I've created a few "layers of defense" in my home network.  On the wireless SOHO router, I do the following for wireless protection:

- Turn off SSID broadcast
- Use MAC address filtering
- Turn on 128-bit WEP
- Keep the router at or below ground level
- Limit the number of DHCP licenses to only what I need
- Change the default frequency (channel) to one that is not used by my neighbors

Why put the wireless SOHO router below ground?  Well, wireless signals are at 2.4GHz if you are using 802.11b/g service and at that frequency they don't travel very well through dirt.  So if the router is below ground, the signal is fine inside the house, but drops off significantly more than a few feet away outside the house.  This is yet another "layer" since it makes war driving from the curb very difficult with standard antennas.

One other item for home users.  If you have one of the popular SOHO routers (Linksys, Netgear, DLink, etc.) the odds are good that they can create logs for the DShield service.  See the how-to page over at DShield for instructions.  I use the wired SOHO router to create my logs, from the router they go to a desktop computer with a fixed IP address, then that computer submits them to DShield once an hour.  By logging into DShield I can see graphically what is coming at my home network based on what the SOHO router is logging.  Very cool!

Have you got any other useful tips for home or small office wireless routers?  If so, send them to us via the contact page and we'll post additional ideas here.

UPDATES

Chris suggests:
  - Change the SSID to something other than what the manufacturer provided
  - Make sure that you also change the default password(s) on the router
  - Use WPA or WPA2 if available (I know that WEP is "crackable" but you've got to have a lot of packets to do that.  Most home networks are not that noisy so you force an attacker to use additional tools to create traffic.  Remember the idea here is to use whatever the best tool is that you have, WEP is better than nothing, WPA is better than WEP and WPA2 is better than WPA.  TKIP gives you bonus points.)

Pedro pointed us to a nice URL:
 - Wireless LAN Security Guide

Ned expanded on the DHCP limits idea:
 - You could use a restrictive subnet mask (eg, 255.255.255.248 if you only need 6 IP addresses) to further limit the number of actual IP addresses available on the subnet to just those needed. Once these have been assigned, a hacker can't connect if there's no more IP addresses available on the subnet, and how many SOHO users actually need the full range of 254 IP addresses normally available by default on a SOHO router.

Andrew sent us these ideas.  Some of them may be a stretch for home or small business users, but good ideas to think about:
 - Set speed to 802.11g ONLY. Prevents 802.11b clients from connecting and may prevent some injection and replay based attacks that use Atheros based 802.11b cards. This can be done on a Cisco 800 series router using the "speed ofdm-throughput" command in Interface conifiguration mode.
 - Utilize egress and ingress ACLs and IP inspection on Cisco wireless routers. Inspection and CBAC (Context Based Access Control) can really help you lockdown what "gets out" from your machines to the Internet. As much as we like cool apps, most of them are really phone-home friendly. Also, only return traffic from internal requests will get back into the network.
 - Disable "Ad-Hoc" or "Peer-to-Peer" connections on your wireless card. No need to be able to connect directly with other wireless machines!
 - Turn on a host firewall such as Windows Firewall. I personally use Zone Alarm.
 - Use SSHv2 to manage the router, if available.


Marcus H. Sachs
Director, SANS Internet Storm Center

MORE UPDATES:

Dr. Neal Krawetz makes some additional useful points (which I've edited very slightly):

I suggest putting the WiFi as the outter wall of the DMZ.

 cable modem <-> Wifi <-> DMZ <-> Wired <-> LAN

This way, if your Wifi does happen to get used by someone else, they cannot get into your home computers.  This is a good solution if you don't need to access shared drives.  (I have rarely come across homes with multiple computers that actually use shares -- most have it enabled but don't use it.)  I do allow LPD from the Wifi to the Wired so I can print -- an attacker could waste my paper and toner, but not delete my data.

Regarding antenna placement, I fully agree with you: a basement is best.  Choose a corner that is surrounded by dirt.  If you don't have a basement, consider placing the Wifi near the front of the house and have a fish tank (or refrigerator) between the Wifi and the street.  Your neighbors will see the signal, but war drivers probably will not.  Also consider a metal hood (or aluminum-lined shoebox -- either properly grounded) to limit signal propagation.  And whatever you do, don't put the Wifi on the 2nd floor if you can help it.

This may sound odd, but 802.11a is sometimes better than 802.11b/g.  Since 802.11b/g is more common, running 802.11a is effectively security-by-obscurity.  As long as the attacker does not see you, you're safe. [NOTE FROM ED:  Please do not inundate us with a tired debate about security through obscurity... we've heard it all, and we've all come to the conclusion that I am right.]

As far as encryption goes, WEP is better than nothing and will deter most wardrivers.  If someone wants to crack your WEP then it's because they want "your" network and not just "a" network.  WAP, TKIP and other encryption systems are better, but you may not have compatability with all wireless computers.  MAC authentication will slow down an attacker, but also isn't bullet proof.  Then again, security is a measurement of risk: for most homes, WEP + MAC filtering is more than good enough.

Your other tips, like disabling the SSID broadcast, limiting DHCP hosts, and changing default settings is right on the money.  Also, add in: disable Wifi configuration from the Wifi network (if your router has that option), set a non-trivial admin password on the router, and disable ping-from-WAN (good for all routers).

-------

Good stuff.  Thanks, Dr. Neal!

---

Ryan Merrick pointed us to this URL, where some configs are described that can let you really mess with the head of someone surruptitiously using your wireless network, flipping their pages, reversing fonts, and blurring things.  I don't recommend this, but it is an interesting idea.

--Ed Skoudis
Intelguardians

0 Comments

...
Marcus Sachs
Published: 2006-08-20

More Email Tips

After Brian posted his Tip of the Day on email policies, we received an excellent set of ideas from reader David.  Here's what he said, and they are pretty good tips.  Thanks, David!

1) Use throw-away addresses for web-registrations, and other similar venues.  A good way is to own your own domain, setup a catch-all forwarder for email to that domain, and then use the company name as part of the throw-away address (amazon@yourdomain.com for Amazon, tomsbestdeals@yourdomain.com, for TomsBestDeals, etc).  This allows you to instantly recognize what the email is about, who sent it, or who sold it to a third party.  Also, it seems spammers clean their spam lists of their own domains and customers' names, so this approach automagically keeps you off spammer lists.  For those without domains, there are free services, such as www.sneakemail.com.

2) Use a simple filter for your inbox:  If sender is NOT already-known (in address book, or in previous recipients), file in a New-Contacts folder.  This leaves your inbox clean of spam, without worrying what the spam actually looks like.  A quick scan through the New-Contacts folder can reveal new contacts and spam.  Additional rules to identify specific problem spam (and send to a Spam folder) can also be applied.  New contacts can be either replied to (so they become "previous recipients"), or added to your address book.

3) Use a variation of (2) for company-wide filtering:
    a) Don't accept email for unknown addresses.  This forces the outside server to create any bounce messages, and if that server is a spammer, the spam disappears.
    b) Depending on the company needs, either don't accept email from unknown addresses, or limit what a previously-unknown address can do.  Use your logs to populate a "previous recipients" database, a "known-good-sender" database, and a "known-bad-sender" database.  The known-bad senders get rejected, the known-good senders get very relaxed thresholds (can send more mail per second, etc), the previous-recipients get somewhat relaxed thresholds, and everyone else gets restrictive thresholds (only 1 message per minute, for instance).  Adjust to taste.

4) Do as much filtering based upon "protocol" as possible (as opposed to filtering based upon message content).  Spammers change message content constantly.  Spammers cannot do their jobs unless they send lots of copies of the same message really quickly.  This generally means multiple recipients per message, and multiple short messages per connection.  This also means there is likely to be a greater than 1% rate of bad addresses, as spammers' lists are not generally perfect.

5) Encourage TLS and DKIM use.  Spammers tend to use botnets, which are unlikely to use TLS or various encryption/signing methods.


0 Comments

...
Marcus Sachs
Published: 2006-08-19

Trojan dropper in Power Point - a new issue?

As pointed out by one of our readers, Juha-Matti, Trendmicro has recently released information about some Trojan droppers in Microsoft Power Point. The two links are TROJ_MDROPPER.BH and TROJ_SMALL.CMZ.

These articles a little light in detail with respect to the inner mechanics of the vulnerability, but they sound very similar to issues reported last July as you can see in our previous diary. It is possible that these issues are related to MS06-048 and is just a variant of the attack described by Microsoft here. The question remains whether this is truly a new vulnerability, if Microsoft failed to fix the root cause with MS06-048 or if MS06-048 addresses these issues. Trendmicro's claim is there is no current patch for this issue.

--
T. Brian Granier

0 Comments

...
Brian Granier
Published: 2006-08-19

Tip of the Day - Fleshing out the details in email policy

If for nothing else than as a survival reflex, anti-virus programs exist in most corporate environments. Further, anti-spam programs appear to be gaining ground. This is all good, but there are a few common mistakes that are worth considering as we review the way we implement our email policies. Some of these issues have an impact on the effectiveness of security and other issues are purely operational in nature, but in the end it is usually the security group that will hold the keys to ensuring these details are addressed. Without further ado, here's a few of the often overlooked do's and don'ts for the email world:

DO view emails in plaintext only

As discussed in a previous tip of the day, avoiding html has many benefits. It reduces the probability for successful phishing attacks, it avoids propagation of exploits that depend upon flaws in html renderers and it reduces the profitability of many SPAMmers who depend upon hits to their embedded advertising banners for general advertising revenue.

DON'T filter abuse boxes for spam and virus

Okay this tip comes with a disclaimer. If you turn off all filtering for abuse boxes, you need to take very special measures to properly train and protect both the environment and the users who open the abuse email. Theoretically, these users should be trained well above average in security practices and know not to blindly open email attachments, etc..., etc..., etc... That being said, if the goal of abuse emails is to be able to receive and appropriately respond to all events that come in, doing any filtering is dangerous due to the very nature of the types of legitimate emails you might expect to receive. The complication here is that abuse emails are often made publicly available and, as a result, these accounts might be subject to an increased amount of SPAM. If the amount of spam from outside sources just becomes too much, at least create a separate internal abuse email for your internal employees to use that has no filtering of any kind.

DON'T turn on auto-respond features

Auto-responding to an email telling someone it's been blocked because it contains a virus or because it was a spam message is generally not held in high regard. A very high percentage of virus and spam emails have a spoofed source address and it is probable that the reply message being sent is going to an innocent bystander who actually had nothing to do with the original email being sent in the first place. Further, if you chose to ignore this tip, at bare minimum don't bounce the virus back to the sender. Again, they are probably an innocent bystander and if you send the original attachment/virus back to the apparent sender, you could be falling into the trap of propagating the virus even further.

UPDATE:
Reader Andrew from Vancouver says this point should be underscored: "As a rule, assume that the virus is NOT honest enough to report the true sender's email address as the From address!  Viruses randomly generate an email address or use a list of discovered addresses in their spoofed From/mailfrom address.  Therefore, your virus alert will NOT go to the user whose workstation is infected.

Again, by sending virus alerts on inbound mail, you WILL be causing backscatter against an innocent bystander who had nothing to do with the virus in the first place or who may not even have an existing account.  By sending unsolicited mail to these innocent bystanders, you may end up getting your own server blocklisted."

Well said...


DON'T send failure to deliver messages

Sending failure to deliver messages due to someone sending an email to an invalid account is bad for two reasons. First, suppose the person who sent the email is using a legitimate from address. If they are an attacker, you've just given them an ability to enumerate your mail server and find out which mail addresses are valid and which aren't. This may take an attacker a little longer, but it's effectively the same as leaving the SMTP VRFY command available. On the other hand, consider that a large amount of spam and viruses are propagated to random email addresses using random email addresses as the spoofed from address. By sending a failure to deliver message to the apparent sender, you may be causing backscatter against an innocent bystander who had nothing to do with the spam/virus in the first place or who may not even have an existing account.

- Credit for this suggestion goes to reader Art.

DO learn how to read SMTP headers

When reporting abusive email, it is very important that the abuse is reported to the right source. Too many times, users (and sometimes even security administrators) will track down the apparent owner of the source email address or the abuse department for the domain of the source email address to complain to someone who is an innocent bystander (see previous tip). For example, in Microsoft Outlook open the email in question and click on View > Options. Look in the box that says "Internet headers" to access the SMTP headers. Further, when users report spam messages or virus messages to your abuse department, require that these SMTP headers are included in the complaint in order for full and appropriate action to be taken.

DON'T setup vacation messaged that will respond to mailing lists.

Okay, maybe this line item will sound like a rant, but it's very annoying to see messages on mailing lists that are a vacation or out of the office automated email. What's worse is when these messages are setup, it's usually because a person is going to gone for quite some time, which means if no action is taken there will be a lot of these messages built up in the list detracting from the purpose of the list in the first place. A good list administrator should identify these people quickly and immediately remove them from list subscription, followed by an independent email that lets them know how to resign up once they've returned from their vacation.

DON'T setup distribution lists without considering who can send to them.

A few weeks ago, I received an email from a certain telecomm provider giving me an updated escalation procedure. This email appears to have gone to a newly created distribution list for a range of customers for this provider. Immediately after receipt, my email box was flooded with the aforementioned vacation messages. In this case, I don't blame the individuals who setup vacation messages. They had no knowledge that they were about to be added to a new distribution group and it is not in their control that the email that was sent to this new distribution group was sent with the "reply to" address being the same as the distribution group. Further, they had no control over the fact that the telecomm provider failed to block the outside world from being able to send messages to this new distribution group.

DO hide the email addresses of members of email distribution lists/groups.

If setup improperly, sometime emailing to an email group will expand the address line to include all of the email addresses of the members inside a group. This might be acceptable for an internal company communication, but it's not a good idea when the email is destined for locations outside of the company. Further, this basically eliminates the effectiveness of who can send to the distribution list as mentioned on the previous tip since they no longer would have to respond to the email address of the distribution list. Instead, they can now do a reply all and communicate directly to everyone in the list.

DO make use of the BCC field.

BCC fields are very useful for quickly sending a message out to multiple people when you do not have the need, time or ability to create a distribution list as described above. Any recipient in the BCC field will receive the message, but their email address will be hidden from anyone who receives the message. If everyone who is meant to receive the message needs to have their email address hidden, you should put your own email address in the "to" field. This is also useful for giving additional people a copy of an email for documentation sake without the receipient being aware of the fact that there is someone else who is privy to the conversation. This useful feature can be used to archive all emails about a certain subject to an undisclosed mailbox for later review and retrieval (such as for a quality control process).

- Credit for this suggestion goes to reader Robert

--
T. Brian Granier

0 Comments

...
Brian Granier
Published: 2006-08-19

Tip of the Day: The -they shall not be broken into- challenge

What if your boss walks up to you and asks you to build a web site that shall not be broken into, no matter what. What would you do, how would you approach it, and how would you make sure it does not get hacked when your job is one the line? Moreover should something fail, how do you get it back fast, automatic and without additional exposure.

So let's assume we have a website with fairly static content, some feedback forms where people can inquire the status, a search option and a table in a database that needs to be published somewhat real-time on the website to spice things up a bit. We know from the past that our web traffic is only less than a 1 Mbps.

Connectivity

Let's start with the connectivity.
If we build this we'd rather set it in a place where we can will the contest should it come to a DDoS, so we'll preferably not set it in the HQ in a DMZ as we're likely to have much less bandwidth there. One of the solutions would be to outsource the hosting of our servers to a tier-1 ISP and have it at their location.
Make a contract with them that they need to help you during DoS attacks and filter the traffic away from your connection. Over-engineer the physical connection far beyond what you need for your visitors. But do not let the connection become so bug that it can overwhelm your servers. I'd suggest a 100Mbps full duplex link for modern solutions if you have traffic levels in the lower Mbits or less. This allows you to keep it simple.

At such hosting facilities they are likely to connect you on a set of redundant switches with either a IP address in a VLAN with a set of routers doing a failover protocol such as HSRP and a few other customers in the VLAN. Try to negotiate to be the only customer in that VLAN. Negotiating to be the only customer on the link and having an air-gapped switch (not a VLAN) will not work for most of us as ports in routers are really limited in numbers.

Network

For our switches we standardize on a single model of not so big switches from a single vendor. It must have private VLANs, ports that we can shutdown, limits on what MACs can be learned, etc. Traffic reporting needs to be available but we'll not use SNMP v.1/2. We'll manage the switches as much as possible out of band over the consoles. See also the Tip of the Day on switches.

Server hardware

For server hardware we're going to standardize on a single model of hardware. We'd like it not to have an Intel CPU as the hackers have way too many exploits ready for it for comfort. moreover the bad guys seem to know hat CPU's architecture much better than the defenders so we'll skip on that if possible. Unfortunately that means we're limited in choices so we might need to concede on this point a bit. See also the Tip of the Day on diversity.

We want machines that are fully remote manageable. With a console we can get to easily form far away. Easy to swap hard-drives are a requirement. See further.

We want hardware based raid solutions such as mirrorring (raid 1), that's fully supported by our OS of choice.

Server OS

We want a well tested OS on the security side, developed by a small set of people who really get security and put security above usability, speed or anything else. We'd like the source code and the implementations to be vetted regularly. So we'll go for OpenBSD. There really is nothing else in the same league.

This further limits the hardware choices above as current versions of OpenBSD don't like "binary" blobs to be inserted in the OS by vendors of hardware, so we'll need to mix and match a bit to get out platform together.

On our productions servers we'll install the bare minimum of the OS, e.g. no X11, no compilers. So we'll need a machine back in the office that does have at least that compiler and we'd like a test-bed to test new versions and be able to enhance our contraption while the previous version is out there.

Web server

Well once we chose OpenBSD we're left with Apache that even comes in a chroot-ed jail on OpenBSD. But we're going for extremes here, it's our job and reputation that's on the line so we're building 2 machines:
  • www.example.com will do static content only.
  • cgi.example.com will do the form feedback only.
The reason for doing this is that the normal way in for a hacker is through the dynamic part, if we only keep a very small dynamic part we can have a larger static part that can be kept from defacement by separating it from the dynamic content.

So we'll recompile apache from source and we'll remove all that we do not need in the source and create two binaries out of it:
  • The one for www.example.com needs only to be able to display static content. It needs not to be able to display directory content, have a cgi interface or anything lile it. We do want to increase the number of possible processes that can be forked as we'd like to win a DoS attempt or two.
  • The one for cgi.example.com needs to have a bit more abilities like doing cgi.
We will not use any off the shelf script on cgi.example.com. We'll write them all from scratch and will avoid using complex libraries. We want the code to be clean, overly documented, and scrutinized and audited for security problems. These scripts are code that is exposing us, so we want to put a lot of effort in it to engineer them well. It's not like building a tradition piece of software with the trial and error method. This needs to be made with engineering principles like bridges are built: if it collapses you'll never build another bridge.

Filtering

We will use pf (packet filter) of OpenBSD, it's extremely powerful in what it can filter and write filters that allow the bare minimum our servers need to do. Future Tips of the Day might expand a bit on the ideas needed to get this working very well. Stay tuned.

And the database?

Ah, yes the database link containing items to be displayed and update in near real time. We really do not want to expose our database. Nor do we want to -should something happen- on the webserver to allow them any connectivity to our database as that's a welcome mat for intruders.

So how do we solve it? We put up one of our machines where it can reach the database server, let it run the queries and generate html out of it in a static fashion and then keep the initiative and send the data over a management connection to the static webserver.  Repeating this process every so often as desired and we have our content on the static website where it's best protected without exposing the database server in any way.

Should in a future update (yes they happen!) there be a need to have some form of feedback towards the database, we can use that same machine, let the cgo.example.com machine collect the feedback, fetch it over the management connection, scrutinize it again, and then insert it in the database. Keeping the initiative on the safe side is the critical part in making it much harder to attack it. Scrutinizing any and every bit of data and treating it as tainted till proven otherwise is the second critical part. And the final part is to create software like this in a right form the first time try. It's like building bridges, not in the typical trial and error fashion.

Management connections

We need a way to connect back to the managment of the server that are hosted out there.

We'll have a small set of trusted machines in our organization that are allowed to get to the machines and use ssh to get there. It's important to make sure the ssh ports aren't exposed (while at it, please do not run them on port 22 or 2222 or something predicatble like that) and to make sure the endpoints are well protected. The encryption only protects data while in transit! See also the Tip of the Day: using ssh keys.

We will add at the remote location a management network to connect to the servers out of band. We can also use this network for backup proposes. And we add a terminal server to it that connects to all the serial consoles of all network equipments and servers we have there.

Emergencies prepared.

In an emergency we'd like to be able to put up a "sorry we're closed, will be back soon" website and be able to pull the original one off-line for further incident handling. One of the low-cost ways is to have a hard-disk ready and swap it in the server, another is to have spare server sitting ready to take over (this is better as you can update the server with patches). The "website" might be made not using apache. One of the reasons you failed might be that apache got a security problem. Alternate ways to hand out html are possible, so let's be unpredictable and e.g. use netcat (nc) to hand out content.

Logbooks have been discussed in a previous Tip of the Day, we're going to be religious about using them.

Fast recovery in case of hardware failures or other incidents is something we need.

Disaster Recovery is something we need to prepare and perhaps have contracts for.

Backups is something we need to prepare.

Redundancy

Adding redundancy adds a lot of complexity to this kind of solution. We can do it but there are risks. OpenBSD has some features to do it, and you could buy off the shelf solution for it. The problem remains the complexity it introduces.

If it's acceptable to have a manual failover I'd strongly suggest to keep offline machine and swap them manually if something does goes wrong. It's much more KISS, and that's just one of those plain good engineering principles.

Having only one type of server and only one type of switch etc. allows us to minimize the support contracts, while allowing for a spare device ready to take over any of it's failed cousins in minutes.

--
Swa Frantzen -- Section 66

0 Comments

...
Swa Frantzen
Published: 2006-08-18

Update on MS06-042 and CA Unicenter Service Desk

There was a diary yesterday from Chris about the MS06-042 vulnerability and its impact on the CA Unicenter Service Desk product.  Today we received an official statement from CA relayed to us by Ken Williams:

"Last week, CA identified problems involving Internet Explorer browser crashes after Microsoft security patch MS06-042 was installed on systems running Unicenter Service Desk. CA is currently working with Microsoft to resolve these issues. Until Microsoft re-releases updated MS06-042 patches, CA recommends that users who experience problems with MS06-042 and Unicenter Service Desk either a) use Firefox or Mozilla, or b) uninstall MS06-042 and wait for the re-release of MS06-042. The MS06-042 re-release, which is currently scheduled to be released by August 22, 2006, should fix at least two issues that could cause Internet Explorer browser crashes for Unicenter Service Desk users. Note that Unicenter Service Desk does officially support Firefox and Mozilla. When using the PDA interface, any browser that supports basic HTML should work."

You can go here for the matrix showing the updated status summary on all of the Microsoft August updates.

0 Comments

...
David Goldsmith
Published: 2006-08-17

Tip of the Day - If you don't need it on, turn it off.

The release of MS06-040 serves as the inspiration for today's Tip Of the Day.

Disable any and all un-needed services.

Removing any un-needed services greatly reduces your exposure to vulnerabilities as you now have fewer items running that could be vulnerable to attack.

Let's use the server service aka File and Printer Sharing as an example.

Chapter 7 of the Windows XP Threats and Countermeasures Guide (a must read for sysadmins IMHO) has a list of XP and Server 2003 services and a description of what each one does.

Threats and Countermeasures says the following about the Server service

"The Server service provides RPC support, file, print, and named pipe sharing over the network. It allows local resources to be shared, such as disks and printers, so that other users on the network can access them. It also allows named pipe communication between applications that run on other computers and your computer, which is used to support RPC. Named pipe communication is memory that is reserved for the output of one process to be used as input for another process. The input-acceptance process does not need to be local to the computer. This service is installed and runs automatically by default on Windows XP and Windows Server 2003.

If the Server service stops or if you disable it, the computer will not be able to share local files and printers with other computers on the network, and it will not be able to satisfy remote RPC requests."

Ok, so, why would you need this service enabled on your system?  That depends on what role the system is playing.

If the system is a file and/or print server you need the server service running or you have nothing but  an energy gulping, heat generating paperweight.

If the system is a web server only, you don't need the server service enabled.  Other types of application servers may or may not need the service enabled depending on the nature of the application.

Corporate laptops and desktops typically don't need the server service enabled. 

Corporate users/admins take note - disabling the server service will make some forms of remote administration and management difficult, if not impossible so carefully evaluate the risks before taking any action.

If you are a home user with no other systems on your local LAN, you don't need the server service enabled.

If you are a home user with other systems on your internal LAN, then you only need the server service enabled if you are sharing folders or printers with the other system(s) on your LAN.

Ok, so you've realized that you don't need the service ruinning and you want to know how to stop it.

**Warning - the changes described below could cause a negative impact on production systems.  Testing is required to determine whether the server service and/or any dependant services can / should be stopped.

You can either manage the service through the GUI (right click 'My Computer', manage, Services and Applications, Services) or ...

From a command shell on the target machine.:

C:>net stop lanmanserver

The system may respond:

Stopping the Server service will also stop these services.

[List of Services Here]

Do you want to continue this operation? (Y/N) [N]:

These are services that are dependent on the server service.  You should carefully evaluate the need for any listed services before stopping the server service.

Ok, so the server service is stopped and the network is still functioning.  Unless you change the way the service starts up (it is set to start automatically), the next time the system is rebooted, the server service will start again.

From the same command shell:

C:>sc config lanmanserver start= disabled
(Make sure the there is no space between 'start' and '=')

Which when successfull will return:

[SC] ChangeServiceConfig SUCCESS

For those unfamilliar with sc.exe, a full description can be found here.

sc.exe (and Netsvc.exe) can also be used to stop services but  I prefer net stop for local use as it provides (again IMHO) a cleaner method of stopping dependant services.  SC and Netsvc are excellent tools (as are some of the free offerings available from reputable vendors) for use in scripting remote service management.

This is just one example of a service that is enabled by default that many users keep enabled thinking they need it, when in many cases, they do not.

Home users: Take a few minutes and look through your list of running services and compare them with the descriptions in the Threats and Countermeasures Guide.  Turn off and disable whatever you don't need.

Administrators:  Take some time and look at your systems.  Determine what is running, and what needs to be running.  Develop a plan (including testing) to make any needed changes, get the approval you need and implement your plan.

0 Comments

...
Chris Carboni
Published: 2006-08-17

Microsoft August 2006 Patches: STATUS

# Known Problems with this patch
 Known Exploits
 client rating server rating
MS06-040 Issue with:
  • Huge memory allocations on Windows 2003 server SP1 (32bit).
  • Microsoft Business Solutions–Navision 3.70 on above platform.
  • Websense Manager when using terminal services
Fix:
  • Hotfix available by calling Microsoft.
More information:
 Botnets actively exploiting this in  the WILD

Exploit available in easy to use package
read more...
 PATCH NOW
 PATCH NOW
MS06-041 No reported problems
Critical Critical
MS06-042 Issue:
  • MSIE6SP1 crashes while using multiple application such as Peoplesoft, Siebel, and websites using HTTP 1.1 and compression such as the register on W2000 SP4 and XP SP1.
  • CA Unicenter Service Desk seems to cause MSIE to crash
  • Roll-up patch so it has all older issues as well.
Workaround:
  • Workaround to disable HTTP/1.1
  • Use alternate browser (for problem sites)
Fix:
  • Upgrade to MSIE 6 SP2
  • Fix will be published by Microsoft on August 22nd, 2006
  • Hotfix available by calling Microsoft
More Information:
 Well known vulnerability since 2004
 PATCH NOW
 Important
MS06-043 No reported problems
Important Less urgent
MS06-044 No reported problems
Critical Critical
MS06-045 No confirmed problems
Critical Less urgent
MS06-046 No reported problems
Critical Important
MS06-047 No reported problems Trojan dropper reported in word document by Symantec, Trendmicro(1) and Trendmicro(2).  The dropper loads a backdoor: Trendmicro, Symantec
 Critical Less urgent
MS06-048 No reported problems
Critical Less urgent
MS06-049 No reported problems
Important
 Less urgent
MS06-050 No reported problems
Critical Important
MS06-051 No reported problems
Critical Critical

We will update issues on this page as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

0 Comments

...
Swa Frantzen
Published: 2006-08-17

New Malware for MS06-047

Juha-Matti dropped us a note regarding some new malware and the links for the Symantec and Trend Micro descriptions.

Shortly after, we heard from Sergio de los Santos from Virustotal who gave us some additional information:

We have detected a new malware for MS06-047 vulnerability.

It comes with a name syosetu.doc with 107.520 bytes. Hash MD5 is
7443358555983341CB9BB12BB0A0A191

Today, only a few AV can detect it (via virustotal):

W97M/ProjMod!exploit (eTrust-Vet), W32/Bgent.ZE!tr (Fortinet ),
Exploit-OleModule (McAfee), Exploit:Win32/Ponaml.gen (Microsoft),
Trojan.Mdropper (Symantec), TROJ_MDROPPER.BK (TrendMicro).

Thanks Juha-Matti and Sergio!

0 Comments

...
Chris Carboni
Published: 2006-08-17

Vacation Rental Property Scam

From the mailbag


Dear ISC,

I run a vacation rental business whereby I represent approximately 600 vacation homes.  We are often subject to phishing scams where the perpetrator appears to be a legitimate renter and does a last minute booking.  Sometimes they claim to be making reservations for a friend as a gift or they are a bunch of doctors traveling to a convention and any property we pick for them would be wonderful, etc, etc.  The story usually goes that the car rental company won't take credit cards so could we please charge $200 extra to the card and add $100 for our trouble and could we please send the car rental payment to the company directly.  Then, something happens and they don't need the car rental so could we please just send them a return check for the money, and please take another $50 out for our trouble.  The idea, obviously, is that the charge fails or gets contested, but we've sent them a legitimate check that can be cashed and not recovered.

Yesterday, I discovered a new one, and was alerted to this by a legitimate renter who found a listing of the property that they wanted to rent from my firm on a different website, only the pictures didn't match.  What the bad guys had done was spliced together several pieces of copyrwritten material along with several pictures from several different ads and had taken out their own false ad that I assume they paid for.  I purposely tried to flush them out, and contacted them to rent *their* property.  The response I got back from <email address deleted> had no answers to any questions that I asked, and they urged me to send a check for the deposit immediately and they would courier the keys to my address.  This is obviously a ruse since noone in the industry conducts business this way.  I tried to coerce them into releasing something other than their bogus yahoo mail account such as a phone number or mailing address, but they wouldn't.  I suspect they will disappear as soon as I report the ad as being fraudulent.

I don't know if this story is relevant to your audience, but this is the first time I've seen the bad guys trying to bilk larger sums of money out of legitimate renters instead of them trying to mess with the agencies.  Obviously, this causes much damage to my business since renters aren't sure who they can trust since anyone can seemingly take an ad out for anything.  I think it behooves these advertising companies to do a little more due diligence to verify the accuracy of the information they are displaying rather than just slapping up anything for anybody who has some cash.


1 Comments

...
Chris Carboni
Published: 2006-08-17

MS06-042 and CA Unicenter Service Desk

We've recieved a few reports (and independantly confirmed the problem) of IE crashing on systems with MS06-042 installed when accessing Unicenter Service Desk.

More information to come as it becomes available.

0 Comments

...
Chris Carboni
Published: 2006-08-17

Tip of the Day - Turn the NICs off during installation

During one of those past weekends I was installing and configuring some honeypots.

I decided to try different Operating Systems to see which one would fit better for my needs.

As I already had a perfect NAT for one IP, nothing more natural that I already put the IP address on the OS during installation, right?
Yep, WRONG! The reason is that if you install an internet facing OS (like my NAT was providing me), maybe there will be not enough time to apply the patches (even offline patches, from CDs or Pen Drivers).

So, my Tip of the Day, is for whatever OS that you are installing, if you can't unplug physically the network, choose to not configure the NICs during installation. In this way, you will have enough time to check which Services will be running in your machine, and turn it down before someone explore your unpatched OS, because if you are installing a fresh OS, chances are that some applications/services are already outdated and you may be a victim of some bot of the day...
Don't trust me? Check this out...

-------------------------------------------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno //&&// isc .sans .org )

0 Comments

...
Pedro Bueno
Published: 2006-08-16

MS06-042 and IE 6.0 SP1 issues

Looks like the recent Microsoft patch (MS06-042) , which is a cumulative Security Update for Internet Explorer is affecting some IE 6.0 SP1 users. So, if you are a IE 6.0 SP1 user, you may be affected by this issue when "visiting a website that use HTTP 1.1 and compression"
MS updated the advisory to contain this information and plan to re-release the patch by August 22, for those users only.

You may ask how many users can be affected by this. I really dont know, but I suspect that the number is not high (but I can be completely wrong). The reason is that HTTP 1.1 compression is not (or at least wasn't ) enable by default on both IIS and Apache web servers, the most used webservers.

If you are one of those users, please let me know if you are seeing this issues.

---------------------------------------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno //&&// isc .sans. org )

0 Comments

...
Pedro Bueno
Published: 2006-08-16

Tip of the Day: Secure Surfing at the Coffee Shop (or Hacker Conferences)

This tip is how to use SSH port forwarding to browse the web at your favorite coffee shop (or hacker conference).

1) Setup a machine on your home network.  If you don't have a static IP address, then use dynamic DNS.

2) On this machine setup squid (http://www.squid-cache.org/) and bind it only to localhost.  Do this with the "http_port 127.0.0.1:3128" line in squid.conf.  This will prevent others on the Internet from abusing your open proxy.

3) Setup SSHD on this machine.  And do yourself a favor, require SSH key authentication and run SSHD on a port that is NOT 22.  This will keep all those brute force SSH grinders from filling your log files.

4) At the coffee shop, do ssh -p <sshd_port> -L3128:127.0.0.1:3128 <user@IP>.  This will setup your SSH tunnel.

5) The most critical piece is to configure your web browser to use a proxy.  Host: 127.0.0.1; port 3128

6) Surf away.  All your web surfing will be encrypted to your home box before travelling to the Internet.  Be advised that your outbound DNS requests are still sent to the local network unencrypted.  But you have at least prevented snooping and/or modification on the HTTP(S) traffic.

You can forward almost any standard TCP application though an SSH tunnel and OpenSSH has recently introduced lightweight VPN features.  But that's a topic for another day.

0 Comments

...
Kyle Haugsness
Published: 2006-08-15

Thoughts about Informix

With most of the world scrambling to patch against MS06-040, there was an interesting release from David Litchfield yesterday about Informix.  Litchfield is one of the best vulnerability researchers in the world and he's been spending the last several years on database platforms.  Looks like he has been playing with Informix, which is a commercial product purchased by IBM in 2001.  The wikipedia article has the complete history of Informix, if you are interested.

Of course, Litchfield has found lots of vulnerabilities and reported them to IBM in January 2005 and now patches are released in August 2006.

Please note that I'm not trying to make a political statement about IBM.  There are plenty of other vendors with similar types of problems still lurking about.  Instead, I am merely highlighting the research of Litchfield and posing some thoughts for our readers.  I will do my best to leave my opinion unstated, so that you can draw your own conclusions.

Here is what I find interesting about the vulnerabilities that Litchfield found:

1) There is a basic stack overflow in the username parameter when you authenticate to the database.  You can't get any more easy than this.  The bug exists on all versions of Informix on all operating systems.  This reminds me that "Smashing the Stack for Fun And Profit" by Aleph1 is almost 10 years old now.

2) An attacker doesn't need to authenticate to determine the remote operating system, exact database verion number, hostname, and installation path of the database engine.  All of this is very useful for exploiting #1.

3) After authentication, there are numerous buffer overflows available that allow for code execution and privilege escalation.  These are vanilla buffer overflow scenarios that are easy to exploit.

4) In the event of a crash, Informix will dump username and password information to files that are world readable in /tmp.  This makes it convenient for an unprivileged bad guy with local access to get usernames and password for admin or privileged users.

5) Any authenticated user has the ability to create a new database, which gives that user DBA privileges on the database.  So once you do this, you own the whole server.  This is a major architectural flaw.

6) Normal users can run arbitrary OS commands using the SYSTEM SQL command.  There are numerous paths to get commands and user-specified DLLs executed as the privileged Informix account.

7) Finally, there are stack overflows still available in environment variables used by SUID command-line binaries.

Here is a link to the research paper by Litchfield: http://www.databasesecurity.com/informix/DatabaseHackersHandbook-AttackingInformix.pdf

So given the facts above, are you asking the right questions of your vendors?  How certain are you that your favorite software vendor is writing secure code?  Do you have the ability to change software packages if you find that a product has been found to have basic programming errors?  And can your organization afford to let known holes live unpatched for 1.5 years?

0 Comments

...
Kyle Haugsness
Published: 2006-08-15

Analysis of Mocbot Goals

The folks are LURHQ have done some excellent analysis of the latter stages of Mocbot.  Exactly what is the final goal of this bot?  Find out here: http://www.lurhq.com/mocbot-spam.html

0 Comments

...
Kyle Haugsness
Published: 2006-08-14

winsnort defaced - use caution

Website defacements are unfortunately common and mostly we'd rather not report about it as it only gives the bad guys exactly what they seek: fame and attention for them or their cause.

Having said that, the defacement of winsnort.com is a bit special to the security community as it is a site that's used for a security product. We advise extreme caution with the site and any of it's content till the extend of the hack becomes known.

--
Swa Frantzen -- Section 66

0 Comments

...
Swa Frantzen
Published: 2006-08-14

Unpatched exploit gets publicity

An exploit that got missed by the patches in MS06-035 is receiving public attention on mailing lists. The exploit itself has been public since July, and got reported on by Microsoft in their blog on July 28th.

Microsoft has confirmed in that blog that this is indeed a problem that results in a crash. We also got confirmation that MS06-040 does not fix this problem either.

We are looking forward to a patch from Microsoft, but have not received any indication of a timeline at this point.

In the mean time, consider blocking ports 135-139 and 445. It is good advise to have them restricted on all but your fileservers at all times.

Block it in your perimeter using firewalls or routers (e.g. in SOHO setups) and block them in personal firewalls to help tightening it down.

--
Swa Frantzen -- Section 66

0 Comments

...
Swa Frantzen
Published: 2006-08-14

Tip of the Day: Logbooks

Over the years I found the use of a logbook, either on paper or electronically an essential instrument in managing (security of) devices.  They can be useful for more than just managing security but they shine during emergencies. Since most emergencies with devices involve loss of either Confidentiality, Integrity, or Availability, the use of these logbooks is highly related to security.
In some organizations the system or network administrators are the ones who are in the best position to keep them up to date and working properly, sometimes making it hard to coordinate with a different set of security people.

What should be in such a logbook ?

Hardware and configuration

Identification

You need to be able to identify a device should it get lost, stolen or otherwise compromised. I've found it useful for administrators who are less familiar with certain devices to still locate the right device and be able to power toggle a completely unresponsive system back to life. This information can be of great value and is easy to obtain during physical installation and initial staging.
  • Hostname
  • Location
  • Brand
  • Model
  • Options: CPUs, memory, disks ...
  • Serial numbers
  • Host ID
  • ...

Network(s)

Information on the network connections.
  • Interface
  • Connects to: device, port
  • Speed/Duplex
  • MAC address
  • IP addresses (use CIDR, network and broadcasts written out, remember you'll use it in an emergency!)
  • FQDN (DNS name)

Filtering

Filtering used by this device such as packet filters, their configuration, how to turn them on and off and how to get a closed emergency filter installed.

Disk(s)

Detailed information on disks, partitions and slices. Make sure to add what they are used for and the information needed to select the right replacement drive.

The easiest is to print out the information from the OS. E.g.:
$ sudo fdisk wd0
Disk: wd0       geometry: 24321/255/63 [390716865 Sectors]
Offset: 0       Signature: 0xAA55
         Starting       Ending       LBA Info:
 #: id    C   H  S -    C   H  S [       start:      size   ]
------------------------------------------------------------------------
 0: 00    0   0  0 -    0   0  0 [           0:           0 ] unused      
 1: 00    0   0  0 -    0   0  0 [           0:           0 ] unused      
 2: 00    0   0  0 -    0   0  0 [           0:           0 ] unused      
*3: A6    0   1  1 - 24320 254 63 [          63:   390716802 ] OpenBSD

$ sudo disklabel wd0a
# /dev/rwd0a:
type: ESDI
disk: ESDI/IDE disk
label: WDC WD2000JD-00G
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 16383
total sectors: 390721968
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0 

16 partitions:
#        size   offset    fstype   [fsize bsize   cpg]
  a:  4194225       63    4.2BSD     2048 16384   328   # (Cyl.    0*- 4160)
  b:  1048320  4194288      swap                        # (Cyl. 4161 - 5200)
  c: 390721968        0    unused        0     0        # (Cyl.    0 - 387620)
  d:  4194288  5242608    4.2BSD     2048 16384   328   # (Cyl. 5201 - 9361)
  e:  4194288  9436896    4.2BSD     2048 16384   328   # (Cyl. 9362 - 13522)
  f: 377085681 13631184    4.2BSD     2048 16384   328  # (Cyl. 13523 - 387615*)

$ mount
/dev/wd0a on / type ffs (local)
/dev/wd0e on /home type ffs (local, nodev, nosuid)
/dev/wd0d on /var type ffs (local, nodev, nosuid)
/dev/wd0f on /var/www type ffs (local, nodev, nosuid)
...

RAID

Make sure you have all the information to deal with raid devices you might have. As most often this is proprietary in format, giving guidance is hard. But make sure you have all information needed to replace drives, use hotspares, rebuild partity and reconfigure them in the same way as they were should the configuration information get lost.

Software

Operating System

This information changes with reinstallation but stays as a while fairly static
  • Brand
  • Version
  • Revision (if any)
  • Installation time choices indicating installed components.
  • ...

OS patches

This information changes a lot in modern OSes. An informational paragraph on how the patches are applied now and how they are done normally should suffice. Having a log of what was installed when is important.

Applications

This section is what you installed as applications on the machine. It should include the important choices made during installation so that people coming after the installer could redo the installation in the same manner. This section must be expanded as time goes by and more applications are installed or removed.
If activation keys are used they should be copied here as well or at least clearly indicated how they can be obtained in an emergency.

Service contracts

Information on all hardware and software or other service contracts related to this machine. It should include the needed procedures, contract numbers , FAX and phone numbers, and any reference the other party will demand before they will start their service execution.

Dependencies

A tricky part in larger organization to get right and it might make use of automation if you have many. Basically you want to show:

Services offered

Services the device offers. It should list what needs to be in place, how to test that the services are working, and a list of machines and/or other services depending on them. A prediction of what happens when the services are lost can be very valuable information when dealing with incidents and their needed communication.

Services used

Devices typically need a bunch of services of other machines. Having such a list with simple test to see if those services perform their intended task can be a great timesaver.

Incidents

Any incident this machine was involved in, should be documented in detail. Even simple hardware failures should be documented as they can lead to discover a trend that could indicate a problematic device and trigger a need for replacement.
  • operator
  • date&time
  • what was observed
  • what was done

Procedures

Procedures can be either detailed procedures or pointers to specifics. Remember you'll need them under stressy conditions, so make them easy to find and execute. Make sure they list when and by whom they were last actually tested.

Emergency access

How does an authorized person not having or remembering the passwords access the system in an emergency (e.g a sealed envelope in a safe).

Check Backup status

How do you see what backups have been made, what they contain etc.

Normal backup out of sequence

How do you make a backup use normal means for backing up ?

Emergency backup

How do you make a backup in an emergency ?

Restore of data

How do you restore a single file or directory ?

Restore of full system

How do you restore a full system ?

Raid procedures

As needed.

For additional inspiration refer to Security Consensus Operational Readiness Evaluation check lists and incident forms and
--
Swa Frantzen -- Section 66

0 Comments

...
Swa Frantzen
Published: 2006-08-14

MS06-040: BOLO -- Be On the LookOut

Over the weekend there was a botnet doing fairly wide scale scanning for hosts affected by the vulnerabilities in the MS06-040 advisory. While technically a botnet, it was spreading in a worm like fashion.

Be on the lookout for:
  • laptops that might have been infected returning to the inside of your perimeter.
  • infected machines scanning the rest of the network
  • infections flaring up due to the above
Preventive actions to take:
  • If you have not done so yet:
    • Do not forget to reboot those machines after patching!
  • Check that all machines have been patched and rebooted, we have confirmations that the patches are effective in stopping the initial attack.
  • Update anti-virus signatures: They might not be in the mainstream signature yet, so check manually what your vendor has to say.
  • While at it, install filtering wherever possible for ports 135-139 and 445. E.g. enabling personal firewall on laptops is very smart in future-proofing your machines against this kind of attack.
Reactive actions to take:
  • If you have an IDS, make sure you have signatures for the MS06-040 exploit
    (best not aiming for the payload, but rather the exploit of the vulnerability)
    • For snort:
      • BLEEDING-EDGE EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) 
        [Bleedingsnort, free] 
      • NETBIOS SMB-DS srvsvc NetrPathCanonicalize little endian overflow attempt
        [Sourcefire VRT, subscription only till the 16th]
  • Check for outgoing traffic to port 18067/TCP of the command and control (C&C) centers: 
bniu.househot.com: (the main one)
61.189.243.240
202.121.199.200
210.75.211.111
211.154.135.30
218.61.146.86
58.81.137.157
61.163.231.115
ypgw.wallloan.com: (the fallback one)
58.81.137.157
61.163.231.115
61.189.243.240
202.121.199.200
211.154.135.30
218.61.146.86
Please note these IP addresses can be changed quite easily by the controllers of the botnet, so checking (or even blocking) them in your DNS servers might be much more effective.
  • Check for the presence of following files:
MD5                               FILENAME
9928a1e6601cf00d0b7826d13fb556f0  wgareg.exe
2bf2a4f0bdac42f4d6f8a062a7206797  wgavm.exe
  • Check for the presence of the registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAREG
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAVM
  • Check for outgoing traffic scanning for others being vulnerable on port 445/TCP
Cleaning up:
  • You really cannot and
    • Even if you delete the keys that start the malware,
    • your settings will be mangled. E.g.: a test infection with the wgareg.exe:
      • created 17 new registry keys
      • modified 77 other keys including keys used for firewalls, sharing of files, etc.
      • That was just the infection itself, no follow up, no communications with the C&C
    • Like any bot it is unpredictable in what the C&C caused the bot to do
  • Wipe! (as in nuke from orbit)
    • Backup data (if any) and keep these off-line
    • Unplug the network
    • Wipe the disk effectively (while booted from clean media)
    • Reinstall software
    • Install (personal) firewall, anti-virus, anti-spyware
    • Apply patches & Update signatures
    • Carefully restore needed data

      For installing, see also our survival guide for XP
Other sources:
--
Swa Frantzen -- Section 66

0 Comments

...
Swa Frantzen
Published: 2006-08-13

Tip Of The Day

Do you know where your backup tape software is?

We have been talking about backups the last couple of days.  I am a big advocate of backups, having had one computer crash and burn a few years ago and left me high and dry with no backups.  I suddenly became obsessed with backups. 

I went to work for a large corporation who also was adament about backups. They expected them to be done on all systems containing any company information period.  We installed a server (Novell at that time) and set a policy that all company data was to be stored on the file server. Anyone caught with company data on a local hard drive could be written up or penalized.  The backups were done everyday. Tapes were stored in a fireproof/bomb proof vault. This was a reinforced room in the center of the office building that was tightly controlled for access. In this room were additional fire proof cabinets.  The tapes were kept in these cabinets in fire proof tape cases.  We had a 12 month rotation. We did daily backups Monday thru Thursday, weekly backups Friday 1 through 4, and monthly backups Month 1 through 12.  At the end of the fiscal year a backup was done that was kept forever (theoretically).  The year end tape was sent to the corporate IT department and was clearly marked for location and dates covered.

I thought we had a more than adequate backup plan.  And we did. However, here are a couple of things that I/we overlooked. 

1) We had a system failure and had to reload from scratch.  We had to replace the hard drives in the servers (this was more than15 years ago by the way, pre raid stuff).  After the drive was replaced, I had to reinstall the Novell OS from scratch.  After the install was done then I had to reload the tape software before I could restore the tapes.  Oh No, where did the tape software go, let's see where did we put it.  Software cabinet, hmmm, not there. desk drawer, nope. Vault, not there either.  Started asking guestions about where the software may have been stored.  My supervisor wasn't sure, the guy that I replaced had initially installed the system. He probably would know where it was at but we couldn't call him. He had left the company not of his own free will.  I didn't think he would be very quick to answer my questions. So now what do we do. I called the software vendor and explained the dilemma to them. They said that it was not a problem. I just needed to fax them a copy of the paperwork showing we owned a legal copy of the software with my license number on it.  No problem right.  Purchasing would have that.

Off to the purchasing office.  The Purchasing Manager had been with the company just a little longer than I had so he was not sure when the software was purchased or where it was purchased from.  We looked through the files and couldn't find anything. Luckily the previous purchasing manager had been transferred to another location within the company so we contacted him.  He had a "great little sponge in his head" and was able to tell us where it was purchased from, when, approximately it was purchase and which box in the fireproof vault we would fine the information in.  Thankfully we thought we were back on track.

We dug up the paperwork and faxed it to the company to get replacement for the software.  Thinking we were going to be ok we anxiously awaited word that the software was in route.  Umm - no the story does not end here.  I received a call back from the software company - umm that is a really old version of the software. We don't have that anymore. We will have to send you the new version and you will have to pay us I think it was $2500 for the new version.  I said ok - we have no choice - I will get a PO and fax to them.  Then they dropped the bomb on me. By the way - this is not a clean restore.  There is a process that needs to be done to restore the old format and convert for the new. No guarantee that all fo the files will restore. Oh my goodness, this just keeps getting worse.

We did get the new software, and we did go through the reinstall, and we did go through the conversion. I had to apply some updates to my Novell server that I hadn't planned on as a result of the software update, I had to do some heavy breathing and sweating. But 3 days (and nights) later we were back on line and had lost a minimal amount of information.  I had to reinstall my users manually, I could not restore the permissions from tape. That was a bit of a challenge and took a while to get everyone back to "normal". 

The moral of this story and my tip first tip for the day is:

Keep your tape software in a safe, secure location. Make sure you stay up to date and install new versions as they come out. Document your user's and security settings, document your system configuration so that if you have to reinstall and have problems restoring your settings you will know what they are.

Now for tip number 2:

What about your archival tapes?

Another issue with backups that I have dealt with happened about 5 years ago.  A customer that I was working with had been doing backups and had been doing archival backups at year due to government reporting requirements that they have to deal with.  They can for 10 years be mandated to produce information on demand.  They do backups that will allow them to recover the information that is required.  They had an adequate backup plan.  They stored the backups off site at the local bank.

They did overlook one thing.  They had replaced there backup drive.  The old drive was disposed of, it was obsolete and didn't work very well anymore.  They received a request for reproducing a report for a court case that was evolving.  They sent some one to the bank to get the tape to do the restore. No problem, except that the tape was for a drive they no longer had. How do they restore now?  Can we buy a tape drive? Do we know anyone that can restore it for us? How do we get to the data? 

Luckily I had the same type of tape drive that they needed to do the restore. I was able to recover the data for them and then it was backed up to the new tape device.  All of the other tapes were brought to me and I was able to recover the data from all of them and we moved them to the new media.

The moral to this story and second tip of the day is:

If you are replacing your current tape drives you need to restore any information in the old format and backup to the new format. Or you need to keep the old drive around as long as possible for retrieval purposes. 



0 Comments

...
Deborah Hale
Published: 2006-08-13

Programs That Request A Lot Of Contiguous Memory May Fail After Security Update Is Applied

Programs that request lots of contiguous memory may fail after you install security update 921883 (MS06-040) on a Windows Server 2003 SP1-based computer. It appears that the problem occurs if you use programs that require one gigabyte or more contiguous memory the programmay fail with an unexpected error after you install security update 921883 on a 32-bit Microsoft Windows Server 2003 Service Pack 1 (SP1)-based computer. For example, programs such as Microsoft Business Solutions - Navision 3.7 may fail.

Microsoft has a temporary hotfix available but recommend that it only be installed if you have a severe problem.  Otherwise they recommend waiting until service pack 3 when the additional testing has been completed.

Hotfix available for contiguous memory problem.



0 Comments

...
Deborah Hale
Published: 2006-08-13

Information to Help Track Down Infections From WGAREG.EXE

Many thanks to Andreas, one of our readers from Germany.  He has provided us with the results of his research and where he found tracks left by the install.  He has agreed to allow us to share the information with our readers.

From Andreas analysis:

[1] The exploit might also have entered using some java "hole", since I found a trace in ..\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\ext\ with a handful of highly suspicious .jar and .zip files.

[2] C:\WINNT\NT contained a file named NRCS.EXE, 25,185 bytes in length.

[3] C:\WINNT\Debug contained a file named dcpromo.log.

[4] Found malicious registry keys in:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAREG
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAVM

YOU CANNOT EVEN DELETE THOSE IN SAFE MODE!

See information below for a method to remove these keys.

[5] NOD32v2.......1.1704/20060811....found [a variant of Win32/IRCBot.OO]

[6] The malicious program disguised as a .jpg in C:\Documents and Settings\Default User\Temporary Internet Files\Content.IE5\<some random folder>.

According to Andreas it has behavior very close to CUEBOT-K.

Sophos Cuebot-K

Cuebot-K is believed to be spreading through AIM or AOL neither of which he has installed. 

We hope this will give you some places to look for the tracks of this new malicious program.

Updated

Again Andreas has provided us with some terrific information. He has figured out how to remove the registry keys. Here is his information.

1. Use REGEDT32, *not* regedit!

2. Check current real time. Supposed it's 16:30.

3. In DOS prompt:
at 16:31 /interactive regedt32.exe

This will - after 1 minute - open regedt32.exe with SYSTEM rights!!! (yes there is something _more_ powerful than an Administrator in Windows). And automagically - the keys can be violently deleted.

As an alternate, you can open the registry editor with "administrator" rights and then give yourself "full control" on the registry key in question. By default, the keys under CurrentControlSet\Enum are accessible only to the all-powerful SYSTEM user, but this is for good reason. Delete or change the wrong key under \Enum, and your Windows installation will turn into an inert heap of bytes. So tread carefully!

0 Comments

...
Deborah Hale
Published: 2006-08-13

MS06-040 wgareg / wgavm update

We have received samples and infection reports from several sources. It looks like there are so far two different binaries involved:

9928a1e6601cf00d0b7826d13fb556f0  wgareg.exe
2bf2a4f0bdac42f4d6f8a062a7206797  wgavm.exe

The former, wgareg.exe, apparently shows up simply as ".exe" (blank-dot-exe) on infected systems and only later gets renamed or copied to wgareg.exe.  AV protection is slowly coming online, here's a few of the names chosen:
Symantec - W32.Wargbot - not yet in the current pattern
TrendMicro - Worm.IRCBOT.JK and JL - protection available
McAfee - IRC.Mocbot - protection as extra.dat available
F-Secure - IRCBOT-ST - protection available

We'll update this post as more information becomes available.




0 Comments

...
Daniel Wesemann
Published: 2006-08-12

* MS06-040 exploit in the wild

We have caught a live exploit against a Windows 2000 Server. The pcap packets of the exploit fire the signatures in Sourcefire VRT for the vulnerability described in MS06-040.

It looks like it's building a botnet (as we expected).

More details will follow as we analyze this piggy further.

Please do not ask for samples at this point. We have shared it with the usual anti-virus vendors already.

--
Swa Frantzen -- Section 66

0 Comments

...
Swa Frantzen
Published: 2006-08-12

SquirrelMail 1.4.8 released

A new version of squirrelmail was released yesterday.  The announcement at http://www.squirrelmail.org says that it contains a security fix to a vulnerability announced last week.  So, if you're running squirrelmail, you probably should apply this upgrade.

0 Comments

...
Jim Clausing
Published: 2006-08-12

Public release of exploits against the windows help system

We've received reports of a public release of exploits against the windows help system.

The exploits use *.hlp files. The best advise at this point it to block those at perimeters and to never trust them otherwise.

Please note that a few days ago Microsoft released patches for the HTML help system: MS06-046. But they don't seem to have anything to do with this.

--
Swa Frantzen -- Section 66

0 Comments

...
Swa Frantzen
Published: 2006-08-12

Tip of the Day - Backup and Backup Management for Home or Small Business Users

As home or small business users, do you back up your data regularly? If no, why not? Too troublesome? No idea how to do it? Or simply what is backup?

To back up data is simply making additional copy of the data which may be restored if the originals are damaged or lost.

Why do you need to back up your data?
This is important as data will be lost if your hard disk crashes. Consider yourself lucky if you have not experienced this before. Even if the hard disk is not crashed, data could still be lost due to loss/theft of laptop or data corruption (accidentally or cause by malware or ransomware).

Here we are not covering how to manage backup for large enterprise because it can get quite complex, so we will just focus on home and small business users.

There are basically three types of backup:
* Full backup: All data is backed up.
* Differential backup: back up the files that have been modified since the last full backup.
* Incremental backup: back up all the files that have changed since the last full or incremental backup.

What to backup?
Of course is your data, especially those that you created/authored. For applications, you can still install them back, but you will be freaky frustrated if you lost your own documents. If you have no backup storage issue, you can backup everything. But important is to ensure your own data is back up first.
 
One point that you need to consider is the protection of the media that contains your backup data. If the backup data is sensitive, you may want to consider encrypt them. Otherwise, ensure you have a good physical protection for your backup media.

How to back up?
For windows users, the easiest is to just copy out your data to another physical media. A neat way to do this is to create one folder that stores all your data. You then just need to copy out the whole folder as your backup. Windows also comes with a Backup tool which you can consider:

Start > All Programs > Accessories > System Tools > Backup

For Unix, you can consider using tar, dump or dd as your backup means. Each has its pros and cons. If you just want to back up your data, one simple way is to use tar to copy your data out. For example,

cd to your mydata directory (assuming mydata directory contains your data)
tar -cf mydata.tar mydata

Where to back up?
Note that the backup data must be on a different physical media. If you have two drives (C: and D:) but both are on the same physical disk (in simple word, you have only one hard disk), back up (or copy) your data from one drive (say C: Drive) to another drive (say D: drive) is not considered as backup, since all your data will still be lost if your single hard disk crashed.

The backup media could be:
* Another separate hard disk (but beware this hard disk could be crashed too)
* CD-R, CD-RW
* DVD-R, DVD-RW
* Magnetic tape (more for small business than home users)

For small business users, you may want to consider offsite storage for your backup media. This is particular important as part of your disaster recovery plan.

How frequent should you backup your data?
It depends. If your data changes frequently, you should consider weekly backup (or even daily backup). Otherwise, monthly backup is a good start.

Backup data is useless if you don't know or can't restore them. Recovery is as important as back up. You should test out and verify that you are able to restore your backup data on a regular basis.

Lastly don't forget to document on what, how and where you backup your data. It is useless if you forget how and where you have stored your data and not able to retrieve your data when you need them most.

Besides achieving the purpose of availability (of your data), backup data could also be used as a form of regaining/checking the integrity of your data.

Earlier, one of our readers (James) has sent us his tip on backup to address the integrity of the systems/data:

I had a network environment that challenged just about any tools by the sheer number of web servers, domains, subnets and administrative passwords.  Not all systems had anti-virus, and the ones that did have it could not always communicate back to let us know what it found.

But one thing we did have was a common backup architecture to make sure no data was ever lost.  This turned into an excellent way to perform analysis for artifact files across the environment by searching the index files for files that are known artifacts of compromises.  We were also able to use it to check that system installations met build standards regarding directory structures.

Many companies have full system backup capabilities long before they have full systems management capabilities through agent-based management and/or AV.  The back up system index files are a resource in understanding the systems on the network.

If you have any additional tips on this topic that you like to share, please send them to us.

Update: Tips from our readers.

Note: Usual disclaimers apply.

1) Cobian Backup for Windows
Further to the advice on backups for home users/small businesses, I can recommend a Windows "beggarware" (make a donation if you like it to encourage further development) utility called Cobian Backup that knocks spots off Microsoft's Backup.  It is simple to configure automatic, regular full, incremental or differential backups on a single machine, plus it works over the network i.e. each of the machines on the office LAN can backup to a single machine, and from there I can backup to separate media (USB hard drives, USB memory sticks, CDs and/or DVDs in my case).  See www.cobian.se for info.

2) Rsync for Unix (from our reader Ned)
In addition to the unix backup options you mention, I'm a huge fan of rsync for incremental backups. Despite being primarily designed to sync remote directories on the net, it also works great for syncing directories on the local machine or remote clients if their directories are mounted. For example, even Windows clients may be smb mounted on a *nix server and incrementaly backed up in this manner, and the whole process automated in a cron job.

0 Comments

...
Koon Yaw Tan
Published: 2006-08-11

Hotfix for MSIE problem related to MS06-042

All those of you holding off on the MS06-042 patch or suffering from issues due to MSIE crashing on Windows 2000 SP4 and Windows XP SP1, there is a new hotfix out:

http://support.microsoft.com/kb/923762/en-us

It's interesting to note the date on the file, as well as the claim that the crashes seem to be triggered by websites using the HTTP 1.1 protocol and compression.

Anyway, this might make your weekend more interesting.

Thanks Kathleen for the heads-up!

--
Swa Frantzen -- Section 66

0 Comments

...
Swa Frantzen
Published: 2006-08-11

NT 4.0 Protection

A number of readers have asked about NT 4.0 recently with regards to vulnerability advisories or exploits. I have found that one of the best ways to protect legacy applications and operating systems is to isolate them. Ideally only those clients/users that absolutely must access these systems should be able to. This can be accomplished at the switch, router, firewall, proxy, or at the end point. The painful part of the process is establishing who must access what, and then which protocols are actually needed. Then figure out where you can best form an 'enclave' or internal perimeter with access control. This isn't ideal, but can shield these systems from a worm or unauthorized access. You also need to determine the value of the data/service that these systems have. If they are performing a valuable service, or hold critical data you really should be protecting them. The unfortunate truth is that NT 4.0 is dead, and really should not be used.

One reader wrote back:
"Block port 139 at our choke routers and possibly some network routers. Remove systems from the network
Remove the infection if possible (hopefully a tool would be created to remove). Possibly buy support for NT from MS. Disable port 139 on the NT systems. This would most likely break what is running on the system, which would be broken anyway. We have a patch cycle around patch Tuesday. We will be ready to patch next Tuesday. Currently testing. The operation that you mentioned about isolating systems would be difficult for us to manage. Let's hope that those out there who might be thinking of releasing a worm remember the last several mass attacks that occurred against MS, these individuals have been arrested and prosecuted."

Another reader wrote in that there are third party support pay options for NT 4.0, including custom patch development.

The bottom line though, you really do need a migration/upgrade plan.

Cheers,
Adrien

0 Comments

...
Adrien de Beaupre
Published: 2006-08-11

Tip of the Day : snort rule management


Tip1
We maintained a central CVS repository where each analyst had an account.  The repository contained the snort configurations for each sensor (different subdirectories) and snort rules from sourcefire in addition to tuned rules, custom local rules, and some 3rd party rules.  I wrote some python scripts to filter out "good" bleeding-snort rules for example.

every N hours, each snort sensor would update its rules and configs from CVS and reload itself

on a daily basis a cron job would pull down the latest rules from sourcefire, do a diff of what changed and email that diff to all the analysts.  It would then automatically add the new changes to a branch in CVS that would be merged in 24 hours unless an analyst who had seen the diff made changes otherwise.

any time a rules change was committed, the CVS server would run the config files and rules through snort -T to validate the syntax and would reject the commit if it failed validation, so the CVS repository always at least had valid configuration files in it.

whenever an analyst committed a change to anything in CVS, a diff was taken and emailled to all the other analysts letting them know what happened.

If a sensor ever blew up, replacing it was trivial, as was reverting the rules or config back to an earlier configuration thanks to CVS and additionally, all changes were tracked to who did what when, so troubleshooting problems became easier as well.

Tip2

For updating and managing Snort rules use Oinkmaster (http://oinkmaster.sourceforge.net/).

However, when it comes to implementing rules, don't just assume the rules are going to be perfect and without flaws. The process I use is:

1. Check if there are any new rules and notify me but don't install them.
2. After reviewing the rules, install the rules.
3. Run a taint check against the rules. If there is a problem, revert back to the old set (you did make a backup, right?) and notify the rule author.
4. Activate the new rules and monitor for false positives.
5. If false positives are found then report them to the rule author and help, if possible, with testing the corrected rules.

- KenM

Tip3

I work for a major (healthcare organization), and we have multiple snort boxes deployed at multiple aggregate points within the network.  The architecture follows a standard snort deployment with multiple sensors sending alert data via mysql to a mysql database, and then there is an IDS correlation web application front ending the db to view event data etc.  As the IDS correlation web application has the ability to manage snort rules, the functionality did not meet our technical needs.  As a solution, we designated two snort sensors to serve as the rules management systems using oinkmaster.  One system is positioned on our link out to the Internet, while the other is at another aggregate point.  These two systems are fully redundant in respect to the oinkmaster configuration for pulling down rules, however, the sensor located on link out has a different rules directory because this is the only link we see traffic heading out to the Internet, and to avoid the same alerts in the IDS console, the HOME_NET to EXTERNAL_NET is only useful at this location.  The secondary sensor does the opposite and triggers on rules not heading out to the public Internet; HOME_NET to HOME_NET etc.

The snort box on link-out is configured to automatically poll updates from bleeding-snort and snort.org using oinkmaster.  As these rules are downloaded and installed, I receive an email on the rules added or if there were any modifications to the existing rules.  Once this is complete, I have a script that syncs the /rules directory to all other snort sensors and restarts the snortd engine. This uses a PKI architecture to automate the login to each remote snort sensor.  Also, the script is intelligent enough to sync other important snort files, such as snort.conf, and other configuration files.  In regards to local rules, we administer these rules only on the link-out snort sensor, and the secondary master sensor has the same script to sync local rules to the remaining snort sensors.

In regards to snort.conf, we define all variables, such as HOME_NET, EXTERNAL_NET, DNS, etc… as this is crucial to mitigate false positives.  Also, if we create local rules that need added variables to make it easier to group ports or IP addresses, we create new variables in snort.conf so each rule can cross reference the variables.

- BenP.

Tip4

Having already extended neck for the chopping block and been smacked accordingly ;-)...I use the following to do quick changes and checks to my Snort installs on CentOS 4.3.
Ultimately, it's purely a convenience factor to type single word commands so, in my path, I keep the following little scripts, chmod a+x applied.

For Bleeding-Edge rules, I prefer the single bleeding-all.rules so I use this to update it rather than Oinkmaster:

#bleedingpig
cd /etc/snort/rules/
rm -f bleeding-all.rules
wget http://www.bleedingsnort.com/bleeding-all.rules
-----------------------
To fire Oinkmaster manually rather than cron:
#oink
oinkmaster.pl -C /etc/oinkmaster.conf -C /etc/autodisable.conf -o /etc/snort/rules
-----------------------
To kill the daemon:
#killpig
killall snort
-----------------------
To confirm Snort process state:
#pigps
ps aux | grep snort
-----------------------
To confirm Snort running cleanly after config or rule changes:
#pigchk
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -v
-----------------------
To start the daemon:
#pigd
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -g snort -D

- RussM

Cheers,
Adrien

0 Comments

...
Adrien de Beaupre
Published: 2006-08-11

Snort rulez management

A few readers have written in with new snort rules, comments on those we have posted, or questions about managing snort rules. So this is a request for the community to share how best to write and manage snort rules. I'll summarize as the Tip of the Day at the end of this shift. Send us your tips here

The tips submitted have been published here.
So far no tips on writing rules, but some great ideas on management.

Cheers,
Adrien


0 Comments

...
Adrien de Beaupre
Published: 2006-08-11

Snort Sig for MS06-040

The US-CERT shared the following Snort signature with us today.  This is for the MS06-040 vulnerability and may not match some of the public exploits discussed in an earlier diary.  If this signature alerts, please let us know via the contact form.

alert tcp any any -> any $RPC_PORTS (msg:"US-CERT MS06-040 Indicator"; content:"| 90 90 EB 04 2B 38 03 78 |";  classtype:malicious-activity; sid:1000003; rev:1;)

Note that the RPC_PORTS is a placeholder for 135, 139, 445.

UPDATE

Russ wrote us with some additional ideas:

In order to make the US-CERT rule work I had to do as follows:

Add to snort.conf under network variable:

# Placeholder for 135, 139, 445
var RPC_PORTS 135
var RPC_PORTS 139
var RPC_PORTS 445

Add to classification.config under NEW CLASSIFICATIONS:

config classification: malicious-activity,Malicious Activity,2

Then I dropped that actual rule in rpc.rules.

Thanks, Russ!!


Marcus H. Sachs
SRI International
Director, SANS Internet Storm Center

0 Comments

...
Marcus Sachs
Published: 2006-08-11

Tip of the Day: Use the features of your switches

Chances are that you have very smart switches in your corporate environment, but only use them for a small portion of their capability to do some VLANs or so.

So some tips of what switches can do for you on the security side of things with a little reconfiguration.

You will notice that most of these will require a managed switch port per host, so combine them together to get to this.

Private VLANs

Private VLANs can be used to stop certain ports to talk among themselves. Now where would such a thing be a good thing (TM)?
Think of your DMZs: would it be good if your email gateway cannot talk to your public webserver, while still sitting in the same network ? Sure, it would mean that if somebody finds a vulnerability in your SMTP server they cannot escalate their tools towards your webserver and from there e.g. move towards your database back-end.
Another environment where this can do wonders is a internal LAN: do clients have any business need to talk to other clients ? Or do they just need to talk to default routers and servers? Worms can run rampant inside an Internal LAN, but if the machines cannot exchange packets, there is little to propagate over. Imagine running such a network and having 5 employees clicking on an email worm and only having to clean up 5 workstations (while it was network aware and would have taken out your network).

Limit the number of MACs per port

Teaching switch ports to shutdown when they learn more than one MAC address is not only an obvious way to stop rogue hubs, to stop flooding mac stables, but it teaches the users that the network and its policies is something to be taken serious.
If they have policies that deny them to mess with the network and the network shuts down when they do it anyway, you force them into turning themselves in... . Even if you can be less strict for the first problem, they learn the lesson not to mess very fast. 

Manage unknown MAC addresses

If you keep a good inventory of what MAC addresses are known good (It's not that hard to do it, really all you need is entry, replacement and exit processes for machines or network parts), you can decide what to do if a switch learns an unauthorized MAC address:
  • Shutting down the port is a good option in a high secure network. It teaches the lesson to the users to comply with the policies and not bring unauthorized hardware and hook it up to the network.
  • Dumping the port in a "GUEST" VLAN and giving them Internet access only (no internal, no ...). This is a great solution if you have an open environment where people, consultants etc walk in and hook up to get Internet connectivity, attend meetings etc.
I know technically savvy people can change their MAC address, so it's just a layer for the less technically savvy users, still it works in most real life situations a lot better than letting any and all machines connect to internal the network.

Limit traffic

Many switches understand traffic and can actually filter it, interesting things to limit are the ability to answer on requests such as DHCP, except for your official DHCP servers. It helps to avoid the problems with rogue DHCP servers racing to hand configuration to your clients.

Monitor traffic.

Check traffic statistics on ports using commercial setups or simply with "rrd", can often detect anomalies long before anybody has analyzed the malware and or written signatures for it. Moreover you can trace it back to physical ports and physical machines that you can go and collect, no matter what clever hiding the bad guys tried to do.

Shutdown unused ports

Shutting down unused ports keeps the ability to add rogue machines much lower and allows for enforcing processes that require a consious action on the network to enable the machines to use it.

VLANs vs. airgaps

VLANs are easy to configure and many network engineers just love them, but in high security environments, keep in mind that an airgap using real air is fundamentally more secure than one using logic in a switch. Also you might find that small switches, even managed ones that can do all on this page, aren't all that expensive to use in e.g. a DMZ.

Manage the switches, keep them secure

A bit obvious perhaps, but SNMP v1/2 community strings are basically passwords and "public" and "private" are real bad choices. Go for v3 if you can. And if you do not use SNMP, turn it off.
Web based management might be appealing at first, but take great care with it. Using a separate VLAN to manage the switches is common good practice. So is not using protocols like telnet but relying on ssh instead. VLAN multiplexing such as 802.1q should only be done towards other switches under the same management, not towards hosts not absolutely needing this ...

Follow up on vulnerabilities for the vendor and plan the updates accordingly.

--
Swa Frantzen -- Section 66

0 Comments

...
Swa Frantzen
Published: 2006-08-11

MS06-040 and MS06-042 updates

MS06-040 (Server Service Patch):

We are getting a lot of questions about this one. The short answer: Don't panic, but keep on patching. It apprears that the release of a public exploit is imminent, but we don't have it. A lot of speculations about a possible worm. But then again, worms are so 2004. Once an exploit is made public, I would expect it to be added to standard bot payloads quickly.

MS06-042 (MSIE Rollup patch):

We received some reports about users having problems with Internet Explorer crashing after applying the latest patch (MS06-042) and accessing certain sites – mainly Peoplesoft applications.

We can't confirm this yet, but it looks like only Windows XP SP1 machines that applied the patch are affected (Windows XP SP2 with the patch seems to be working ok, from some very limited tests we were able to do).

Let us know if you can confirm this.

Update
We have also had a number of reports that Windows 2000 is also affected, particularly accessing Peoplesoft applications. Rather than un-installing the patch, using an alternate browser is another workaround.





0 Comments

...
Johannes Ullrich
Published: 2006-08-10

MS06-040 exploit(s) publicly available

As almost everyone predicted, it didn't take long to have MS06-040 (vulnerability in the Server service) publicly available.

The current exploit seems to be working on all Windows 2000 systems and Windows XP SP0 and SP1. The good thing is that it doesn't work against Windows XP SP2 or Windows 2003 SP1.
The current version doesn't work against Windows 2003 SP0 or NT4 SP6 either, but this doesn't mean that they are safe.

This is probably a good opportunity to remind you of the host based firewall in SP2 which should, by default, protect the machine from this exploit. Of course, as it effectively stops administration, it's pretty common that in organizations administrators turn the firewall off via GPOs. If you need to do this then try to limit access to the machine – instead of completely turning off the firewall (or opening it to your whole network), it's much better if you just allow traffic from your administration servers.

In any case, as the exploit is public, it's just a matter of time when script kiddies will start using this (if they haven't already). We can expect that this exploit will soon be added to the attack arsenal of bots such as Sdbot and similar. In other words – patch!

0 Comments

...
Bojan Zdrnja
Published: 2006-08-10

eEye Releases Free Scanner for MS06-040

We received a heads up tonight from Marc Maiffret (thanks Marc!!) that eEye had released a free vulnerability scanner that searches for the MS06-040 vulnerability.  According to Marc:

"we have released a free vulnerability assessment tool for the critical, and potentially wormable, MS06-040 vulnerability. This free tool can be used by IT administrators to scan their networks for any potentially vulnerable machines. This tool does not require administrator access to machines so it will give IT administrators a real-world perspective on where their network stands against this attack regardless of what they think they have or have not patched yet."


Another email about the scanner went out to a public mailing list and provided an email address in case you find bugs in it:

"Look forward to your feedback and please feel free to email skunkworks@eeye.com if you find any bugs in it etc..."

No one around the ISC has had a chance to test it yet, but many of us have downloaded for tomorrow.  Here is the tool and the link for it!

Retina MS06-040 NetApi32 Scanner
http://www.eeye.com/html/resources/downloads/audits/NetApi.html

Happy Scanning!

0 Comments

...
Lorna Hutcheson
Published: 2006-08-10

Snort Sigs for MS06-042 and ICMP tunnel mentioned in Diary

Frank Knobbe sent in these signatures today via Bleedingsnort.com.

Note that on the signatures below I have added the "\" continuation character to get better formatting on the Storm Center page.

Signature for the ICMP Banking Trojan:

# By Joe Stewart,  Based on valuable work by Tom Fisher
alert icmp any any -> any any (msg:"BLEEDING-EDGE TROJAN ICMP Banking Trojan \
sending encrypted stolen data"; dsize:>64; content:"|08|"; itype:8; icode:0; depth:1; \
byte_test:4,>,64,1,little; byte_test:4,<,1500,1,little; content:"|0000|"; distance:4; within:1495; \
classtype:trojan-activity; reference:url,www.websensesecuritylabs.com/alerts/alert.php?AlertID=570; \
sid:2003073; rev:1;)

The link to the signatures for ICMP tunnel


For the signatures for MS06-042, please refer to the link on bleedingsnort.com: signatures for MS06-042

Mike Poor
Intelguardians.com



0 Comments

...
Mike Poor
Published: 2006-08-10

Critical Ruby on Rails security vulnerability

A new version of Ruby on Rails (a very popular framework for developing database-backed web applications) has been released which patches a critical security vulnerability.

The details about the vulnerability have not been disclosed yet, but the authors urge everyone to patch as soon as possible: "This is a MANDATORY upgrade for anyone not running on a very recent edge".

Unfortunately, they didn't specify what this "very recent edge" exactly is, so you can't say if you are vulnerable or not. We can confirm, though, that all older versions (0.13, 0.14, 1.0 and 1.1.x) are vulnerable.

The new version (1.1.5) is supposed to be completely compatible with 1.1.4, however we would recommend that you check the original post about this available at http://weblog.rubyonrails.com/.

The new version can be downloaded from http://rubyforge.org/frs/?group_id=307.

Thanks to Christian for sending us a note about this.

0 Comments

...
Bojan Zdrnja
Published: 2006-08-09

Detection and Deployment Guidance

Microsoft released a Knowledge Base article yesterday that provides some guidance about deploying the patches from yesterday.  It does detail those updates that would not be detected, or deployed through the various mechanisms supported by Microsoft.   For more information, please see http://support.microsoft.com/kb/923752.

--
Scott Fendley   ( sfendley -at- isc. sans. org)
University of Arkansas

0 Comments

...
Scott Fendley
Published: 2006-08-09

A Peek Into The MailBag

Good Morning Everyone!  We had a few items to just mention from the MailBag.

VA Desktop Stolen and VA Laptop Thiefs Arrested
As pretty well everyone knows by now, a desktop unit has been stolen which contained a number of records of vets.  This does not look good for the VA to have this second snafu so quickly after the previous one.  However, it is good news that law enforcement has arrested the teens involved in the laptop theft from  a couple of months ago. We usually do not report such  things as it has made it to CNN and is more of a political hot button at this point.  If you hear of something IT Security-wise from CNN, then chances are it is quite old news to the community, or has a political interest.  There is no need for us to copy the mass media. :-)

Websense Report on Phishing/Data Stolen via ICMP

Websense sent an alert a couple of days ago concerning the use of ICMP as a conduit for a new Phishing Trojan.  Is there any wonder that we recommend that you block everything inbound and outbound except those services you actually need.  Does every computer on your network need the ability to ping (or many other ICMP style activities) resources outside your network?  Probably not.   Be aware that the adversaries are finding those protocols we are not watching as closely and tunneling data in and out.   For more information on this, please see
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=570

--
Scott Fendley   ( sfendley -at- isc. sans. org)
University of Arkansas

0 Comments

...
Scott Fendley
Published: 2006-08-09

Tip of the Day: Surviving the monthly patch cycle

Yesterday we announced we would write about tips on how people patch their systems after a Black Tuesday. Since Mike is apparently suffering from a withdrawal symptoms after defcon, his fellow handlers will do the honors.

There are basically a few tactics to this in use. What strikes me in the responses we got: most of those writing in value not breaking applications significantly more than patching before you get hit with an exploit. Perhaps there is a lot work left to be done in order to convince (upper) management of the risks of patching late as patching even an hour after the worm or the targeted exploit hit you might cost the company significantly more than losing a few hours left and right over a not so critical system not being 100% healthy with a new patch.

Just patch

The folks doing this, take the risk and let the patches roll out in their organization. They expect a few systems to fail somehow more or less randomly and will deal with them as they go. Should one of the patches prove to be incompatible with one of their critical applications, they will deal with them at that point.

This group includes by necessity also most home users as they lack other means to patch. At best they can wait till others got some problems, but if all do that, it won't work and expose you for longer.

Test on limited scale, roll out carefully

You can use the Microsoft tools like WSUS and delay the rollout a few hours to make sure a few test systems survive and can run the critical applications. Typically smaller organizations use this with great success for the masses of general-purpose client machines.

Reader Ken wrote: "As we all know, patching any kind of operating system or application is fraught with dangers. In my environment, I don't have the luxury of a full test environment that I would love to have in order to be able to test each patch against all the applications and services in use. But that is just not possible with a limited budget.

In order to minimize the risk of a patch causing harm, I apply patches first to a set of known systems. The first system is my own workstation. I'd rather have it crash there than one of my coworkers' systems. After a day or so, the patches are then deployed to a subset of the systems (about 10) in the office. Finally, if there are still no issues found and no problems have been reported on sites such as the Internet Storm Center or on any of the security lists, the patches are distributed to all systems.
                                                                                      
I actually use two tools for patch management. The first is Microsoft's WSUS service. I have all systems pointing there in order to get their updates. There are a couple of advantages. The first is Internet bandwidth usage. The patches are only downloaded once for all the systems. This can be a major savings in terms of time and bandwidth. Second, I can specify how and when the patches are applied via a GPO. Third, I control which patches are installed. If there is a known problem with a specific patch, I can just not release just that one patch to the users. Finally, I can get a status on which patches are applied and what systems have had problems installing the patches. The other tools is Shavlik's NetChk. This tool allows me to deploy a number of non-Microsoft Windows application patches and also to verify that patches are indeed being installed.

I use a similar process when it comes to apply patches to UNIX systems. First my own system, then a subset of system and finally all the systems.

So far, I have not had a major problem when it has come to applying patches. In almost every case where there was an issue, it surfaced within the smaller group of systems and the disruption was minimized.

Of course patching is not the only line of defense. I also have NIDs, firewalls, proxy web servers, virus scanning and log monitoring in place to try to reduce the risk to the office. Also recently, user information security awareness sessions have been started within the organization. This helps bring the users into the equation of defending the company against malicious software and web sites."

Test applications thoroughly

Testing applications to the end is next to impossible, you at the very best can test a few critical operations in your application and will have to gain trust it at some point. This approach is more often used on critical servers. The big drawback to this is that it takes time and resources to get this done. But in those cases where you end up with an incompatible patch you gain the pain of rolling back out incompatible patches and having to restore potential damage.

Mike wrote in on their strategy: "Simple strategy really:
  1. obtain patches, vet requirements and deploy to a QA environment, containing like for like hosts; exchange, SQL, IIS, workstation builds etc
  2. test, monitor, test, monitor...
  3. deploy to a pre-production group
  4. monitor, monitor, monitor
  5. deploy to primary production group
  6. monitor
  7. push out to remaining hosts/workstations.
The time scale for deployment is fairly aggressive with immediate introduction for 'critical' updates."

Personally I like the last line of his comment as it show they are trying to balance the heavy testing scheme with a fast track for getting those "PATCH NOW" patches out.

Fully features planned rollouts

Some organizations might (need to) plan ahead all their patching and actually do a roll-out plan that covers a long time before they come full circle and start over.

We had one such anonymous submission: "On the day after Black Tuesday, a task force meets to discuss the recently released patches. There is a set of ~100 users who represent all applications used. They get the patches via MS SMS to test. Once they verify their apps still function as expected, the patches are sent out via SMS each week to four predefined patch groups. This process lasts a month. Lather. Rinse. Repeat".

Divide and conquer

A well-known strategy from the real world can be used to divide the to be patched machines in different categories and tackle each differently. E.g.:
  • The general clients, not mission critical, could be patched as soon as the patches are available at Microsoft. This would yield some fall out left and right but just be ready to pick them up, those systems would get in trouble anyway. Why do we take the risks here? Well those systems might be your laptops that go the next day on a trip for 3 weeks and be used in the mean time in hotels, airports and other (potentially hostile) networks whithout a decent chance to get patched. Or they could be the laptop that takes off to a coffee serving place with annex hotspot and work there for a few hours, exposing themselves to any other visitor there. It gets worse if they pick up something evil and bring it home to a network of unpatched systems ...
  • The servers that are not mission critical, you could try to wait for the not so "PATCH NOW" patches, and roll them out if you see no problems reported, or you could just roll them out and be ready to roll back if you see problems. After all, it's not mission critical.
  • Mission critical servers should have many layers protecting them from evil, even from internal users. They should also not be exposed to most of the internal machines and they could remain unpatched or even isolated for a long while, till you get the chance to run the mission critical tests in a QA lab and roll out the patches being certain they don't break anything.
This approach does require a security architecture and approach that controls what computers are used for, and most environments are not ready for this today, but if you redesign your environment to a model that supports this, you can have it both ways at the same time.

Let's not forget that one of the reasons that getting Microsoft to release patches slow -aside from the obvious marketing impact- is that they test these patches. So you only get tested patches to start with ...

Thanks to all those writing in!

--
Swa Frantzen -- Section 66

0 Comments

...
Swa Frantzen
Published: 2006-08-09

Microsoft exploits on Reboot Wednesday

Well it certainly didn't take long for some to start making available (those I've seen so far are not for free) exploits against the vulnerabilities described in MS06-040, MS06-042 and MS06-046, which where only released yesterday.

Those of you're still testing patches, you'd better hurry up and get some of these fixed before you get hit.

Just as a reminder:
  • Filtering ports 135-139 and 445 helps against MS06-040; as do private VLANs (preventing client-client communication in the switch). None of those will help your fileserver, so patching is critical.
    Since there are still unpatched vulnerabilities in this software, filtering still remains crucial.
  • If you cannot apply MS06-042: stop using MSIE now, use an alternate browser.
  • Switching away to a browser not doing ActiveX (almost any will do) should help protect you against MS06-046 attacks as well.
But the best solution is to patch and do the above, layered defences!

--
Swa Frantzen -- Section 66

0 Comments

...
Swa Frantzen
Published: 2006-08-08

Microsoft updates - overview

# KB Platform MSFT rating ISC
client rating		 ISC
server rating
MS06-040 921883 2000, XP, 2003 Critical PATCH NOW
 PATCH NOW
MS06-041 920683 2000, XP, 2003 Critical Critical Critical
MS06-042 918899 MSIE Critical PATCH NOW
 Important
MS06-043 920214 XP, 2003 Critical Important Less urgent
MS06-044 917008 2000 Critical Critical Critical
MS06-045 921398 2000, XP, 2003 Important Critical Less urgent
MS06-046 922616 2000, XP, 2003 Critical Critical Important
MS06-047 921645 Office 2000, XP, VBA Critical Critical Less urgent
MS06-048 922968 Office 2000, XP, 2003 Critical Critical Less urgent
MS06-049 920958 2000 Important Important
 Less urgent
MS06-050 920670 2000, XP, 2003 Important Critical Important
MS06-051 917422 2000, XP, 2003 Critical Critical Critical

0 Comments

...
Swa Frantzen
Published: 2006-08-08

MS06-050: Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution (920670)

MS06-050:  Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution (920670)

https://www.microsoft.com/technet/security/bulletin/ms06-050.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3086
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3438

Affected Software:
• Microsoft Windows 2000 Service Pack 4
• Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
• Microsoft Windows XP Professional x64 Edition
• Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
• Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1
   for Itanium-based Systems
• Microsoft Windows Server 2003 x64 Edition
 
Impact:  Remote Code Execution
Severity:  Important
Replaces:  MS05-015


Description:  This update actually addresses two separate issues.  One is the Hyperlink COM Object Buffer Overflow Vulnerability and the other is the Hyperlink Object Function Vulnerability.  Each of these will be addressed seperately below.

Hyperlink COM Object Buffer Overflow Vulnerability:  There is a buffer overflow in the Hyperlink Object Library which is used to handle hyperlinks.  An attacker who created a malicious hyperlink could take complete control of the system.  The attacker only gains the rights as the user logged on the system.  Good Admins don't let users run as Administrator!

Hyperlink Object Function Vulnerability:  From Microsoft:  "This problem exists when the Hyperlink Object Library uses a file containing a malformed function while handling hyperlinks."  This is the result of another buffer overflow in the Hyperlink Object Library.  Again, the attacker only gains the rights of the user logged on the system. 

Even though the severity rating of these are listed as Important, I would venture to say they are under rated and would recommend patching ASAP. 

 

0 Comments

...
Lorna Hutcheson
Published: 2006-08-08

MS06-051: Vulnerability in Windows Kernel

Vulnerability in Windows Kernel Could Result in Remote Code Execution
MS06-051 - KB917422

This update focus on two main vulnerabilities.
    - CVE-2006-3443: The User Profile Elevation of Privilege - LOCAL
    - CVE-2006-3648: The Unhandled Exception - REMOTE

If any of them is successfully exploited, the attacker can gain complete control of the affected system.

The advisory focus on W2k systems. For the Elevation of Privilege vulnerability: "...If a specially crafted DLL is placed in the user directory, it is possible for WinLogon to execute the code of the DLL resulting in an elevation of the user's privileges.".

For the Unhandled Exception vulnerability, looks like a simple spam with a link would lead the user to a specially crafted website which would exploit it.

Worthless to say that it is REALLY important to patch your systems against these vulnerabilities! Test and Patch!!

-------------------------------------------------
Pedro Bueno ( pbueno //&&// isc. sans. org)

0 Comments

...
Pedro Bueno
Published: 2006-08-08

MS06-048: Microsoft Office Remote Code Execution Vulnerabilities

Vulnerabilities in Microsoft Office Allow Remote Code Execution
MS06-048 - KB922968  (CVE-2006-3590 CVE-2006-3449)

Severity:   Critical for PowerPoint 2000, and Important to all others.
Replaces:    MS06-038   for PowerPoint 2000, XP, 2003, 2004 for Mac and v.X for Mac
Affected Software:
       Microsoft Office 2000 SP3
       Microsoft Office XP SP3
       Microsoft Office 2003 SP1 or SP2
       Microsoft Office 2004 for Mac
       Microsoft Office v.X for Mac

Description:

This update addresses 2 different remote code execution vulnerabilities that exists in Microsoft Office.  These vulnerabilities specifically affect  PowerPoint, though the binary is shared by several Office products.  To exploit either vulnerability, an end user will have to received a specially crafted PowerPoint via email, from a website or similar mechanism.  The end user would then have to open the file with a vulnerable product.

An attacker who successfully exploited the vulnerabilities could take complete control of an affected system. Those users with limited access would be less impacted.

One of the 2 vulnerabilities has been publicly disclosed and is being actively exploited.  So, it is recommended that this patch be applied immediately.


--
Scott Fendley   ( sfendley -at- isc. sans. org)
University of Arkansas

0 Comments

...
Scott Fendley
Published: 2006-08-08

MS06-041: Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683)

MS06-041 - KB 920683 - CVE-2006-3440 - CVE-2006-3441

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Apply the update immediately

Affected Software:

Windows 2000 SP4
Windows XP SP1 and SP2
Windows XP for x64
Windows Server 2003 (including SP1)
Windows Server 2003 for Itanium (including SP1)
Windows Server 2003 for x64

There are two vulnerabilities covered in this bulletin:

Winsock Hostname Vulnerability - CVE-2006-3440:

There is a remote code execution vulnerability in Winsock that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. For an attack to be successful the attacker would have to force the user to open a file or visit a website that is specially crafted to call the affected Winsock API.

DNS Client Buffer Overrun Vulnerability - CVE-2006-3441:

There is a remote code execution vulnerability in the DNS Client service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.


Marcus H. Sachs
SRI International

0 Comments

...
Marcus Sachs
Published: 2006-08-08

MS06-047: Office & Visual Basic for Application

MS06-047 - KB 921645

CRITICAL

Visual Basic for Applications (VBA) is vulnerable to crafted documents that could yiled remote code execution.

This is exploitable though email in Outlook and by visiting website that host such documents. The user could also  obtain and open the document in another way (thumb drives, CDs etc.)

This replaces MS03-037.

CVE-2006-3649

--
Swa Frantzen -- section 66


0 Comments

...
Swa Frantzen
Published: 2006-08-08

MS06-043: Vulnerability in Microsoft Windows Could Allow Remote Code Execution (920214)

MS06-043:  Vulnerability in Microsoft Windows Could Allow Remote Code Execution (920214)

https://www.microsoft.com/technet/security/bulletin/ms06-043.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2766

Affected Software:
• Microsoft Windows XP Service Pack 2
• Microsoft Windows XP Professional x64 Edition
• Microsoft Windows Server 2003 Service Pack 1
• Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
• Microsoft Windows Server 2003 x64 Edition
 
Impact:  Remote Code Execution
Severity:  Critical


Description:  There is an issue in the way the MHTML protocol is parsed.  The MHTML protocol allows for the use of embedded objects such as images.  This is another a cross-domain scripting vulnerability in which code is allowed to be run in the wrong security zone (i.e. on the system or local) which is should not be allowed to do.  There are MANY ways to exploit this and you should patch immediately!
 

0 Comments

...
Lorna Hutcheson
Published: 2006-08-08

MS06-049: W2k Kernel Bug

MS06-049

This is another privilege elevation vulnerability.

By exploiting this vulnerability, on MS own words: "...An attacker could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To attempt to exploit the vulnerability, an attacker must be able to log on locally to the system and run a program."

According to the advisory this occurs due an unchecked buffer bug that affects the Windows 2000 kernel.

Althought this vulnerability can only be exploited locally, we recommend you to test it and apply as soon as possible. As this vulnerability is already known for a while and by reading the advisory it really doenst look so hard to exploit it, so if you have systems running 2k, patch it!

---------------------------------------------------------
Pedro Bueno ( pbueno //&&// isc. sans. org )

0 Comments

...
Pedro Bueno
Published: 2006-08-08

Other Microsoft Updates Released

Beyond the 12 Security Bulletins released today,  Microsoft released a few other updates that should be noted.

Update for InfoPath 2003 - KB920103
This high priority (non-security) update addresses some issues discussed in KB917510 and KB920914.  To the best we can tell, this is primarily a post Office 2003 SP2 reliability patch for the InfoPath product.

Malicious Software Removal Tool (MSRT) - KB890830
The MSRT underwent its monthly update to add detection for W32/Banker and W32/Jeefo.

Outlook 2003 Junk E-Mail Filter Update KB920907
This update provides the Outlook 2003 client a more current definition of which e-mail messages are considered junk e-mail.


--
Scott Fendley   ( sfendley -at- isc. sans. org)
University of Arkansas

0 Comments

...
Scott Fendley
Published: 2006-08-08

MS06-046: HTML Help Remote Code Execution

Vulnerability in HTML Help Could Allow Remote Code Execution
MS06-046 - KB922616  (CVE-2006-3357)

Severity:  Critical (except on Server 2003)
Replaces:   MS05-001   for Windows 2000, XP SP1, XP SP2, Server 2003, and Server 2003 SP1

Affected Software:
       Windows 2000 SP4
       Windows XP SP1 and SP2
       Windows Server 2003 and 2003 SP1
       Windows XP Pro and  Server 2003 x64
       Windows Server 2003 Itanium Based Systems

Description:

 A vulnerability exists in the HTML Help ActiveX control which could allow attackers to run remote code execution. An attacker could construct a malicious Web page which could exploit this flaw if an end user visits the page.  Those users with reduced privileges would be less impacted.

Microsoft has offered the following workarounds until this update can be applied.  Each workaround has a set of known issues related to them. 

    * Disable the HTML Help ActiveX control from running within IE6 for XP SP2.
    * Set Internet and Local intranet security zone settings to High to prompt before running ActiveX controls and scripting in these zones.
    * Restrict Web sites to only your trusted Web sites.
    * Temporarily disable the HTML Help ActiveX control from running in Internet Explorer

As this vulnerability has been publicly disclosed and has somewhat complicated workarounds, it is recommended that this patch be applied immediately.

--
Scott Fendley   ( sfendley -at- isc. sans. org)
University of Arkansas

0 Comments

...
Scott Fendley
Published: 2006-08-08

MS06-045: Windows Explorer Remote Code Excution Vulnerability

Vulnerability in Windows Explorer Could Allow Remote Code Execution
MS06-045 - KB921398  (CVE-2006-3281)

Severity:    Important
Replaces:    MS05-016   for Windows 2000, XP SP1, XP SP2, and Server 2003

Affected Software:
       Windows 2000 SP4
       Windows XP SP1 and SP2
       Windows Server 2003 and 2003 SP1
       Windows XP Pro and  Server 2003 x64
       Windows Server 2003 Itanium Based Systems

Description:

A flaw in the handling of Drag and Drop events of Windows Explorer could allow attackers to take complete control of a computer.  User interaction is required for this attack to be successful.  The attacker will only have the privileges of the logged in user.  So, users with reduced account privileges will be less at risk then those logged on with administrator or power-user. 

Disabling the Web Client service manually or through group policy can help block known attack vectors until the patch can be applied. 

As this vulnerability has been publicly disclosed, it is recommended that this patch be applied immediately.

--
Scott Fendley   ( sfendley -at- isc. sans. org)
University of Arkansas

0 Comments

...
Scott Fendley
Published: 2006-08-08

Vista reviewed by Symantec

Fellow handler Lorna tossed me an article written by Symantec analysing the security in Microsoft's upcoming windows release called "Vista".

In the article Tim Newsham and Jim Hoagland, look at the new Vista from a network perspective.

It's interesting to note that Vista supports IPv6 and will be try to build tunnels exposing its interfaces even if you have a IPv4 firewall and/or NAT unless you make sure those IPv6 tunnels cannot get out. (It's IPv6 tunneled in a IPv4 udp stream that can traverse NAT [Teredo] ). So beware of outgoing udp traffic!

--
Swa Frantzen -- Section 66



0 Comments

...
Swa Frantzen
Published: 2006-08-08

MS06-044: Microsoft Management Console Cross Site Scripting.

MS06-044

CRITICAL (remote code execution)

A cross site scripting attack against the Microsoft Managment Console (MMC) could be used to inject hostile code on a system used to access the MCC. Only Windows 2000 SP4 appears to be vulnerable, and the exploit is not trivial.

The advisory is a bit vague on how an exploit exactly works. But it appears that the remote site would offer a link. Clicking on the link would open MMC and include the malicious code. It is likely possible to redirect a user to the link via javascript without user interaction.

Urgency:
Clients: HIGH for Windows 2000 SP4. Patch now.
Servers: LOW. Carefully test patch first.



0 Comments

...
Johannes Ullrich
Published: 2006-08-08

MS06-042: Internet Explorer Rollup Patch

MS06-042  (CRITICAL)

The usual monthly set of fixes for recently discovered Internet Explorer vulnerabilities. Exposing Internet Explorer to malicious HTML code could allow an attack to execute arbitrary code. Vulnerabilities like this are freuntly used by "drive by downloads" to install spyware, adware and bots.

Three of the vulnerabilities have been disclosed publically:
- CVE-2006-3280 (Redirect Cross-Domain Information Disclosure).
- CVE-2006-3637 (HTML Rendering Memory Corruption Vulnerability)
- CVE-2004-1166 (FTP Server Command Injection Vulnerability).

In particular note the date (2004!) of the FTP server command injection vulnerablity. Exploiting this vulnerability is rather easy and exploits have been available back in December of 2004. The attacker would have to include an 'ftp://' URL which includes a URL encoded newline character (Newline=%0a). It is also important to note that the KDE web brower (konqueror) had the same issue.

A well crafted exploit for the FTP vulnerability would not require any user interaction beyond exposing the browser to malicious code. A compromissed web server, banner ads or image tags in public web sites could be used to trigger this vulnerability.

Urgency:
Client: HIGH! Apply patch after expedited testing.
Server: Low. Apply patch after exhaustive testing.








0 Comments

...
Johannes Ullrich
Published: 2006-08-08

MS06-040: Server Service

MS06-040 - KB921883

CRITICAL

This fixes a buffer overrun in the server service in Windows that allows for remote code execution.

The suggested workaround is to block port 139/tcp and 445/tcp with a firewall.

This sounds like it could be developed into a worm or used as a second stage once it's behind a corporate fireewall.

CVE-2006-3439

--
Swa Frantzen -- section 66


0 Comments

...
Swa Frantzen
Published: 2006-08-08

Microsoft Black Tuesday Patches

Microsoft's patches that are released today include:
See our overview rating for clients and servers.

We'll update this story with links to our more detailed discussion as soon as we've had a chance to form an opinion.

It's interesting to note that US-CERT mentions that one of these vulnerabilities is actively being exploited, (before the patches got released).

--
Swa Frantzen --Section 66

0 Comments

...
Swa Frantzen
Published: 2006-08-08

Tip of the Day: mount options

Well today might be the day of the 12 Microsoft patches, but to balance that out a little bit, we'll do a unix minded tip of the day.

John wrote in a few days ago and suggested using mount options on different filesystems to tell the operating system not to allow certain kinds of operations or files to be used in that filesystem.

To use options that allow for
  • noexec: do not allow executables
  • nosuid: do not allow suid executable
  • nodev: do not allow devices
  • rdonly: do not allow writing to this filesystem
you need to create sufficient slices to start with.

This can lead to some tries before you get their size right, but once you can a separate / , /usr, /tmp, /home, /var, ... you can set different options to prevent certain uses of certain filesystems. The trick to get the sizes right is to oversize them deliberately and keep a few 2Gbyte sized spare slices around. After a few years, or even months you'll love the space and flexibility in shuffling things around as they need to be without so much as a reboot.

The tricky part that remains is to find which options you cannot use where, e.g.:
  • the filesystem containing /dev (usally /) needs to allow devices.
  • the filesystems containing /bin and /usr/bin need to allow executables and most likely suid programs as well.
  • read-only mounting has great advantages, but make sure you can still patch the files and then downgrade the rights again before taking such a system in production.
While on the subject, it's smart to create a partition for the target of a chroot jail.  You might need to allow some devices inside the chroot environment's /dev. It's also harder to break out of the hail if the new root is also the root of filesystem.

A sample, -but you can always change it to suit your needs- fstab file could be like:
/dev/sd0a / ffs rw 1 1
/dev/sd0b /tmp mfs rw,nodev,nosuid,noexec,-s=153600 0 0
/dev/sd0d /usr/src ffs rw,nodev,nosuid,softdep 1 2
/dev/sd0e /var ffs rw,nodev,nosuid,softdep 1 2
/dev/sd0f /home ffs rw,nodev,nosuid,softdep 1 2
/dev/cd0a /cdrom cd9660 ro,noauto 0 0
/dev/sd1a /data1 ffs rw,nodev,nosuid,noexec,softdep 1 2
/dev/sd1b none swap sw 0 0
/dev/sd1d /data2 ffs rw,nodev,nosuid,noexec,softdep 1 2
For those wondering, this comes from an OpenBSD fileserver. Attentive readers might note a mountpoint revceiving far less protection. That's because I consider this server to be physicaslly rather safe and don't use the cdrom drive at all. Manual pages to check on your system would include mount(8) and fstab(5).


Our next Tip of the Day will be about patching, how do/did you handle the patches coming out from Microsoft today (or how do you handle those form Mozilla, Sun, Oracle, Linux, ...). Let us know your best practices and Mike Poor will summarize them into a tip tomorrow.
Remember, the Tip of the Day is about sharing positive experiences in order to outsmart the bad guys.

--
Swa Frantzen -- Section 66

0 Comments

...
Swa Frantzen
Published: 2006-08-08

AOL: the Good, the Bad and the Ugly

The Good

http://www.activevirusshield.com/

AOL is giving away free Anti Virus software powered by Kaspersky. It's called Active Virus Shield. There are already some free offerings, but more cannot be a bad thing and over the years I've personally grown to like the speed and quality of signature releases of Kaspersky, so I'm happy to see a free offering using this.

The Bad

Well, you have seen it move from blogs to more mainstream media by now, but AOL leaked some search logs.

Interesting to note that many people seem to be outraged by such a leak and feel their privacy violated, yet those same people don't bother/ask to encrypt the connection to search engines. Somehow there seems a lack of balance to me.
Worse, once you searched for something and click on the search results, the referer header will reveal the search terms you used to the website you are heading to.

The Ugly

AOL also announced a few days ago another free service. They intend to offer free storage of 5Gbyte. The warez dudes will love this: more than a DVD full of illegal copies. I'm happy to say I'm not the one who'll have to play "whack-a-mole" on this project. I do hope they build in loads of measures to prevent this before they go public with this.

--
Swa Frantzen -- Section 66

0 Comments

...
Swa Frantzen
Published: 2006-08-07

ClamAV versions up to 0.88.3 DoS

A Secunia bulletin earlier today alerted us to a potential denial of service in the popular open-source anti-virus package ClamAV.  The vulnerability is in the pefromupx() routine for unpacking a UPX packed PE executable.  The advisory states that all versions up to, and including, 0.88.4 are vulnerable.  The front page of http://www.clamav.net states that the latest stable version is 0.88.4, but the "stable" page only mentions 0.88.3 released last month.  The sourceforge download page lists a clamav-0.88.4.tar.gz (and .sig), but at the time of this writing, actually clicking on the link results in a "file not found" error.  So, it looks like they are scrambling to fix this one and the new version should be available shortly.

---------------------------
Jim Clausing,  jclausing --at-- isc.sans.org

0 Comments

...
Jim Clausing
Published: 2006-08-07

Fedora Core 4 goes into maintenance mode, FC1 and FC2 end-of-life

The Fedora folks announced that with the release of FC6 Test 2, FC4 moves to maintenance mode and support is transferred to the Fedora Legacy Group.  They also point out that FC1 and FC2 are now end-of-life.  So, if you haven't upgraded yet, now would be a good time.  See http://fedoralegacy.org/ for more info.

0 Comments

...
Jim Clausing
Published: 2006-08-07

Tip of the Day: Read e-mail in plain text (as God intended) :)

I was reminded of today's tip of the day by one of our readers, Jim Hendrick.  I personally get really annoyed at all the "cutesy" HTML e-mails I seem to get these days whose only real purpose is to take up space.  Why send a 6K text message when you can fancy it up and send a 150K message instead, after all we all have bandwidth and disk space to burn these days, right?!  I've used e-mail for more about 25 years, first on Compuserve, and then as a business tool beginning in about 1987.  Early on I used elm on various Unix machines and when I first got a POP account, Eudora on my old Mac.  For the last 10 years or so, I've used pine and PC-Pine and more recently, occasionally, Thunderbird for most of my IMAP e-mail, but for work, the corporate standard at my day job is Outlook 2003.  I haven't gone back and counted recently, but I'd wager a guess that in the last 2 years there have probably been at least a dozen vulnerabilities in Outlook and/or IE, where the suggested workaround (by Microsoft) was to read e-mail as text only.  My first recommendation (which I realize is not proactical in many corporate environments, including mine) is to switch to a different e-mail client (partially for the diversity reasons mentioned in yesterday's Tip of the Day), but if you can't at least switch to plain text as your default (you can always render the HTML for those messages that are completely indecipherable as text).  This isn't that hard to do, even in Outlook and even if you feel the need to use the preview pane.  In Outlook 2003 (the only version I have available to me at the moment), this is pretty simple.  From the Actions menu choose Options.  In the box that pops up, choose the Preferences tab and click on the E-mail Options button.  In the subsequent box there are a number of checkboxes in the top half of the dialog.  Check the bottom two "Read all standard mail as plain text" and "Read all digitally signed mail in plain text".  Click okay and you're half done.  I also recommend that you click on the "Mail Format" tab and *send* all your e-mail as plain text, too.  Finally http://support.microsoft.com/kb/307594 describes a registry key (that can be set via Group Policy) for Office XP SP1 and later that forces the default to read all e-mail as plain text.

--------------------------------
Jim Clausing, jclausing <at> isc.sans.org

0 Comments

...
Jim Clausing
Published: 2006-08-06

Tip of the Day: Be unpredictable and diverse

Many of today's attack, including most of the targeted attacks depart from the premise that there is a monoculture in the software most users use to do a given task.

The trick to get there is not to enforce a single specific alternative platform, as you will still be very predictable to the targeted attackers. The trick is to embrace openness and allow a set of solutions to be used and try to get the users to make the choice individually.
Yes, the helpdesks will not like it at first, but they might like it a lot more after you point out that the peaks in problems they face when all users break down will also be spread out a lot better.

Using very uncommon hardware is a way to get rather unpredictable, but unfortunately it's hard to get away from a typical Intel x86 architecture now that Apple has switched to hardware that can actually run windows natively. There are luckily still unix platforms that don't use the Intel x86 architecture. So it's an option in high security environments, but less so in most general office environments.

For operating systems the alternatives on a desktop in a corporate environment are generally limited to Mac OS X or some Linux distribution. On servers there is a wider choice of very viable operating systems. Personally I really like OpenBSD on servers as a security conscious choice.

For Browsers there is Firefox, Opera, Netscape, Safari and for added bonus: mozilla compiled from source.  That sounds like plenty of choices, but there are more than those as well to choose from.

For email clients I personally prefer pure text based clients as they tend to have far less vulnerabilities and won't try to load e.g. an image or accidental click to confirm a live mailbox to a spammer, or worse. But you might need a GUI and then OS X's Mail.app or Thunderbird might be one of the choices.

Office productivity tools are the hardest to get away from the monoculture, but there is OpenOffice and StarOffice to create some diversity aside from the less compatible choices.

So how do you use e.g. Firefox? We'd suggest to add a few add-ons:
  • noscript (blocks javascript and java by default, but allows them to be enabled on a site-by-site bases as needed)
  • netcraft toolbar or google toolbar (warn for known phishing sites)
  • If you need business-wise access to sites that aren't working in anything but MSIE: IE view can be used to set a number of sites that will be opened in IE by default.
It becomes even more important to be less predictable when dealing with known bad content, so keep lynx, wget, curl and your openssl and telnet skills in shape if you analyze malware every so often.

If you have more tips on how to be less predictable and less of a monoculture, please let us know and we'll expand this story as needed. Remember it's about sharing tips and making them work for  you, much less about debating why the tips don't work for you.

--
Swa Frantzen - Section 66

0 Comments

...
Swa Frantzen
Published: 2006-08-05

Anomaly Detection

Ron Gula, of Dragon IDS and Tenable fame, has an interesting blog entry on monitoring large networks looking for suddent surges in atypical network traffic destined specific IPS or protocols.

Scenario: mobile malicious code compromises 150 hosts on your network.  Those hosts are loaded with bot software.  Bots need to talk to a command and control channel, and by observing these surges of bots connecting within a threshold of time... we can detect this anomolous pattern.

Ron has released code and screenshots on his research.  Definitely worth checking out.

Mike Poor    mike   <at>  intelguardians.com


0 Comments

...
Mike Poor
Published: 2006-08-05

Tip of the Day: Use ssh keys

Probably the easiest way to avoid passwords is ssh keys. SSH keys are a public/private key system that can be used instead of passwords to authenticate yourself to remote ssh servers. SSH provides a number of nice systems to manage your keys. For example you can store them in memory using 'ssh-agent'. This way, you only need to enter the key passphrase once. Even better: Keep your private ssh keys on a USB stick, connect them to the PC only once to add them to your ssh-agent. Once this is done, the keys will stay protected in memory and you can disconnect the USB stick again.

Limit logins to ssh keys, whcih eliminates the problem of password brute forcing. SSH keys can be used to limit access by IP address, or you can limit a user to execute a specific command based on what ssh key they use (great for automatic backups).


0 Comments

...
Johannes Ullrich
Published: 2006-08-04

MS Patch Tuesday Advance Notice

Microsoft released their Security Bulletin Advance Notification on Thursday afternoon.  Next Tuesday appears to be a very active day as there are 12 security bulletins that will be released as well as 2 High Priority (though not security based) updates.  In addition, the Malicious Software Removal Tool will have its monthly update.

From http://www.microsoft.com/technet/security/bulletin/advance.mspx:

* Ten Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. Some of these updates will require a restart.

* Two Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.


0 Comments

...
Scott Fendley
Published: 2006-08-04

Defcon, vendor-hacker-shmoozing, and Storm Center Handlers in the Desert

Greetings ISC readers.  Being out here at Vegas for a certain hax0r fiesta that will go unmentioned, I figured Id give the readers that are not here a glimpse of the bruhaha and the goings on.

Defcon is a fascinating collection of minds bringing hacker and fed, experts and wanabees.  The talks are interesting, but what I found fascinating was amount of shmoozing that vendors were bestowing upon security researchers.

Think back six years ago or so... 
1. security researcher finds flaw in product Z
2. researcher contacts vendor, and gives them a timeframe for release
3. vendor makes changes
4. researcher  publishes flaw to bugtraq

Post 9-11, post DMCA, post PATRIOT Act...
1. security researcher finds flaw in product Y
2. researcher contacts vendor, and gives them a timeframe for release
3. vendor accuses researcher of violating DMCA
4. researchers start to horde malware

Defcon 13 (last year)
1. security researcher finds flaw in product X
2. researcher contacts vendor, and gives them a timeframe for release
3. resercher faces potential arrest... goes to worrk for the competition

Decon 14 (this year)

1. security researcher finds flaw in product W
2. vendor shmoozes him (as in wining and dining) at fabulous parties, interviews, PR opportunities, etc.

Microsoft, Apple, and many other mega-vendors were present to diffuse the FUD.

On that note, a big thank you to Microsoft for a fabulous party :)

Last but not least we spotted several handlers in Vegas... from Cory, Jason, Ed, Marc, Kevin, Adrien, Kyle, and me... (I probably forgot about 300 people, sorry)....

Mike Poor mike   < at >  

0 Comments

...
Mike Poor
Published: 2006-08-04

Grisoft AVG False Positive


We have heard that earlier today there was a false positive involving Grisoft AVG antivirus product and certain files related to Windows XP SP1.  From the report received, AVG was reporting the file C:\i386\REG.EXE, installed under some XP SP1 based systems, as a virus.   As there is a free version of AVG used/installed on many K12 school, College/University and home computers, some of our readers may experience issues with this false positive.

Unfortunately, I do not see any confirmed information on the AVG website.  If anyone can confirm the details shared to us earlier, or finds a news entry at Grisoft, please share with us and we will update this diary.

0 Comments

...
Scott Fendley
Published: 2006-08-04

Packet Analysis Challenge: The Solution

First off I'd like to thank everyone who took the challenge and submitted their thoughts on the capture!  The response was overwhelming and I tried to answer everyone's email.  If I missed someone, please accept my apologies.  A thanks as well to Jon Wohlberg from Towson University who submitted this capture and allowed me to use it for the challenge.

I would also like to send a congratulations to the four individuals who figured it out:  Brandon Greenwood, Jean-Philippe Luiggi, Peter Koch and Richard Bejtlich.  As a side note,  Richard has a great paper entitled "Interpreting Network Traffic: A Network Intrusion Detector's Look at Suspicious Events".  Specifically look at the last part "A Final Case" which talks about this type of traffic.  

Last, but definately not least, thanks to Johannes Ullrich who looked at the initial traffic with me and helped to determine the initial answer .  Also, Scott Fendley who sat up very late with me one night while we dug through the second capture Jon submitted and worked to confirm our initial observations.  It was a great team effort!

Now for what you have really been waiting for....the answer to this traffic. (Drum roll please)

The tentative solution was initially determined from the capture that I posted with this challenge.  A later capture from Jon allowed it to be confirmed.  As a summary from what you were given: the traffic came from multiple IPs and all destined for one primary DNS server.  There were six characteristics of the traffic that you needed to take note of:

1.  The repeating IP ID which rotated using only 1, 2, or 3
2.  The windows size was a constant 2048
3.  The TTLs which were usually 44/45 or very close to that.
4.  It was always TCP connections to the primary DNS server.  No UDP traffic was captured from those IPs.  
5.  The 24 0x00 data bytes (keep in mind that these are SYN packets)
6.  The time stamps and source ports were also helpful in determining that these were not TCP retries.

Based on these characteristics and armed with Google, it is possible to solve the puzzle.  After much research, I found there were other folks questioning very similar traffic, but not totally sure of what it was.  There was alot of speculation to read through.  However, looking at the characteristics of the traffic, an answer quickly emerged.  It appeared to be traffic generated by a load balancer.  Here is the study that really led to our initial conclusion, although it did not match totally: 
http://www.sans.org/resources/idfaq/dns.php

Jon then sent us a second, more complete, capture that contained other information and allowed the initial conclusion to be confirmed and identify the load balancer being used.   F5 has a product called BIG-IP and one of the modules to that product is the Global Traffic Manager (formally known as 3-DNS, same functionality) is what generated this traffic.

Here are some other URLs of exactly the same traffic (to include
source IP) in order of reading recommendation:

http://archive.cert.uni-stuttgart.de/archive/intrusions/2002/09/msg00123.html
http://lists.dshield.org/pipermail/intrusions/2004-June/008100.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-August/024687.html  (read the entire thread)

Thanks again everyone for your participation and I hope that you learned as much from this capture as I did.  We automatically tend to assume traffic anomalies are up to no good when in reality, there may be a very logical explanation.  I have had many requests for more of these challenges.  It's good to know there are other folks out there who love to look at packets as much as I do.  I hope to do more of these in the near future so stay tuned!

UPDATE:  Frank Knobbe sent us the following.  Thanks Frank!

Ever since that fateful thread in FD, we had added Snort signatures for these probes to the BleedingSnort rules. They are in the SCAN category with SIDs 2001609-2001611.

A direct link is:
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/SCAN/SCAN_F5_BIG-IP_Probe?rev=1.9&view=log

Latest version:
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/SCAN/SCAN_F5_BIG-IP_Probe?view=markup


0 Comments

...
Lorna Hutcheson
Published: 2006-08-04

Tip of the Day: Turn off your Computer

A computer can not be compromissed while turned off. In particular home computers are typically only used a couple of hours a day. So why not turn it off while you don't use it?  Some DSL/Cable modems have a 'disconnect' switch. This switch will usually turn off the ethernet interface of the modem. Turning off the modem alltogether is another option.

You have to be a bit careful turning off your PC making sure you still get necessary patches. Typically, the DSL/Cable modem will check for updates whenever you turn it on. For the PC: It should still regularly check for updates while turned on. Rebooting the PC may be useful to make sure all the new code is loaded. In corporate environments: Do not turn off your PC unless you talked to the network administrator first. Techniques like 'Wake on Lan" can be used to turn on the PC remotely if needed to perform backups and to patch.

A turned off PC with a BIOS password is also a reasonable deterant to protect your PC from unauthorized use. In particular at home if you would like to prevent other household members from using your PC. (note however that this will usually not protect you from more sophisticated attacks and theft)

And don't forget that this will save energy as well.

If you have any tips to share, please send them to us via the contact form. 

0 Comments

...
Johannes Ullrich
Published: 2006-08-03

PWS Bankers 2.0

PWS-Bankers 2.0

Some time ago I was reading about Phishing 2.0 , as the evolution of Phishing attacks. In that case, the miscreants were making use of multiple and different attacks tying to beat the new security methods adopted by the financial institutions, like One Time password. According the news report, Horward Schmidt said "...as more people become aware of current "phishing" scams, the cyber criminals often get even more clever, and create new, more sophisticated techniques,". That's the famous cat and mouse game.

The new security methods adopted by banks were created in response to the huge amount of attacks suffered by their customers and the huge amount of money that they are loosing over the years, and it was working, until the miscreants decided to create new techniques to defeat them.

Well, I´ve been talking to my fellow handlers before put this here, because I don't want someone calling me 'hype maker',:) ,and I would like to present you another term: Banker 2.0.

 But what is Banker 2.0?

This represents the evolution of the banker trojans as well, to try to defeat the new bank security measures implemented for their customers.

Yesterday I was playing with a pws-banker trojan sample. In short, it was telling that it was a Bank Application to 'update' the bank digital certificate. Some Brazilian banks are adopting digital certificates for some large customers, so some transactions can only be done with those certificates.

 The interesting characteristics were:

  • was targeting just one south american bank
  • was asking for the bank digital certificate password
  • was harvesting the hard-drive for all *.key and *.crt files
  • was sending the Cert password and all *.key and *.crt files to a gmail account.

 McAfee AvertLabs has a good description of it, with screenshots:

So, banks are trying, with OTP, Tokens, Digital Certificates...but the bad guys are doing it as well creating new techniques to defeat them...the question is, where are the banks failing?

Pedro Bueno <pbueno //&&// isc. sans. org >

0 Comments

...
Pedro Bueno
Published: 2006-08-03

XP local privilege escalation demonstated

An excellent Flash animation showing the latest XP local privilege escalation has been published and it clearly demonstrates how trivial it is to "upgrade" from an unprivileged user to SYSTEM.  Fundamentally until this is patched there is a simple "route to power" for any user sitting in front of a Windows sytem.

How does it work?

It is actually quite simple: normally a scheduler is used for running non-interactive programs unattended, for example Anti-virus updates (in the "baddies" world it is used for scheduling netcat backdoors but this is hardly "normal usage"). 

In this example the user decides to schedule running "cmd.exe" (the Windows command line prompt) rather than a non-interactive program.  When the scheduler triggers it starts cmd.exe which opens a new command-line window.

The problem is that the scheduler runs as the "SYSTEM" user which under Windows is an all-powerful user used for system tasks (the Windows equivalent of "root" under Unix) and, as this video demonstrate, it does not "drop privileges" (that is to say: "take on the privileges of the user requesting the scheduled job") before running the command.

When the command is finally run at the specified time it therefore hands you a command line prompt with SYSTEM privileges.

Is there a fix? The simplest "fix" would be to disable the scheduler system-wide as starting it requires administrative privileges although this then ends up preventing Anti-Virus updates which are normally run in this way... so I guess we have to wait for Microsoft to release a patch.

Important note: do not watch this at work with your loudspeakers turned on (bad language disclaimer...).  Headphones strongly recommended.

0 Comments

...
Arrigo Triulzi
Published: 2006-08-03

Security Tip of the day: Handling brute-force login attempts

        Dustin wrote in to say that he had an ssh brute-force login program making over 4500 attempts over 2.5 hours today.  It appears none of them were successful.

        Brute-force login tools exist for just about any service that allows remote access.  How do you fight these?  Here are a number of approaches that can be used separately, or better yet, use all of them.  Make sure you have permission to do these.

- Make sure none of your user accounts have easy to guess passwords. Run a password cracker like crack or John the Ripper against your password collection to see if any are simple english words or easily guessed.

- Use a one-time password program or hardware password generator like those from Cryptocard or RSA.  Even if a password is viewed, it can't be re-used later.

- Disable remote root/Administrator logins on your systems.  It will still be possible to log in as a non-priviledged user and become the super-user, you just can't log in directly.

- Provide ssh key based logins to all your users, and when everyone's comfortable using them, disable password logins entirely.

- Run SSH on a different port.  SSH has no trouble doing this.  You need to tell the ssh server to run on a new port, tell any firewalls in front of those machines to allow connections to the new port, and tell any ssh client programs that need to connect to those machines to use the new port.

- Ban the IP addresses of tools that try to do brute-force logins.  Also, submit your logs to Dshield so that attackers can be identified from their attacks on multiple systems.

- Limit logins to just the IP addresses of your known client machines.

0 Comments

...
William Stearns
Published: 2006-08-02

WiFi Device Driver Issues

Last weeks Intel Centrino issues where just the beginning. Today, Jon Ellch and David Maynor presented more wireless device driver issues at Blackhat. As a demo, they compromised a MacBook using one of the wireless device driver issues they discovered.

The highlights:
  • This is less of an OS problem, but a firmware/driver issue. While the demo was done on a Mac, it would have worked on other OS's as well.
  • Various wireless cards have problems, not just the once demoed at Blackhat.
  • You do not have to be associated with a wireless network in order to be exposed.
  • A firewall will not protect you.
What can you do:
  • Turn off the wireless card (and bluetooth while you are at it).
  • Watch for patches.
  • To prepare for any patches, learn what type of wireless card you have.
More details:

Washington Post "Securityfix" blog (Brian Krebs)
the video

0 Comments

...
Johannes Ullrich
Published: 2006-08-02

Firefox 1.5.0.6 release imminent

It appears that the Mozilla folks are about to release Firefox 1.5.0.6 (don't rush out and try to download it yet, the main Firefox page doesn't show it yet and for most of us, the automatic check will alert us to its availability).  No details at the moment on what this one fixes, but coming so quickly on the heals of 1.5.0.5, I would imagine that there must be some security implications.  We'll update this story as soon as the Release Notes are available.  And thank you to our ever faithful reader, Juha-Matti for alerting us to this.

Update 20:27 UTC:  If Bugzilla can be belived, all this update does is fix an issue with "mms://" and related multi-media URLs that have been broken in 1.5.0.5. Apparently, not all updates rushed out while a Blackhat conference is going on have a sinister reason :-).

0 Comments

...
Jim Clausing
Published: 2006-08-02

named/bind error messages - solved

ISC readers report a significant increase of "odd" error messages in their named/bind logs.

server named[18013]: dispatch 0x8face08: shutting down due to TCP receive error: [IP REMOVED]#53: connection reset.
named[8428]: dispatch 0x81eb2b0: shutting down due to TCP receive error: <unknown address, family 48830>: connection reset

Update 18:30 UTC:  It looks like we got the solution, or at least parts of it:
  • Some DNS servers of "secureserver.net" are apparently broken and sometimes return incomplete records. Two DNS servers in particular, 64.202.165.202 and 68.178.211.201, are implicated in the majority of the "TCP receive error" packet traces that we have received.
  • What happens is that "named" sends a UDP DNS query to one of the broken servers and receives a truncated UDP response. By nature of the DNS protocol, "named" re-tries the same query in TCP, which is answered by the broken servers with a rude "tcp reset" packet, which in turn again triggers "named" to write the above log line. This behaviour can be reproduced with "dig" as shown below:
    daniel@debian:$ dig whatever.net @68.178.211.201
    ;; Truncated, retrying in TCP mode.
    ;; communications error to 68.178.211.201#53: connection reset
  • Lookups against ISIPP's IADB spam / sender database seem to have ended up on the broken servers listed above from time to time, causing the "link" between receiving email and seeing the named log entries as reported by some readers
  • The IP address in the named log does not seem to have anything to do with the IP that causes the problem. I have no idea where this logged IP comes from, but seeing that some versions are printing "address unknown" instead of an IP, I suspect that this error print statement is broken in several (older?) Bind releases
A big thank you to all the readers who have volunteered their packet traces and time to help with this analysis!

0 Comments

...
Daniel Wesemann
Published: 2006-08-02

Tip of the Day: Remove Default Route

This tip comes from Mark Goudie:

Not having a default route in the router network is a great way to minimise the impact of malware on the corporate environment. This practice enforces that gateways are used for all external communications.

Advantages

  1. Enforces the use of proxy gateways for external communications.
  2. Malicious packets can be dropped or sent to a centralised server for analysis.
  3. Reduces the potential impact of misconfigured software through enforcing no internet connectivity.
  4. Makes malware infection easy to spot (if analysing all dropped packets).
I'd recommend implementing this with a split DNS to increase the difficulty of malware "phoning home" as the internal network cannot resolve external addresses. The DNS server could be configured to log all unresolved addresses for further malware indication.

Note that the above tip does not ask you to remove the default route off your end systems (user workstations) - chances are that many services needed in a corporate environment (like financial news feeds) will need to have a default route on the workstation. But if, in your network core, you can get away with only advertising and routing those external networks that are actually needed, you have made a huge step to secure your network. As indicated above, the newly un-used "default route" should then be made to point to a "darknet" where you have nothing except logging and packet collection capability.

0 Comments

...
Daniel Wesemann
Published: 2006-08-01

GnuPG 1.4.5 released - remote execution possible

A new version of GnuPG has been released addressing memory allocation problems.

From the ChangeLog:
 *    Fixed 2 more possible memory allocation attacks.  They are
      similar to the problem we fixed with 1.4.4.  This bug can easily
      be be exploted for a DoS; remote code execution is not entirely
      impossible.
At the time of writing this version was still trickling down to mirrors.

0 Comments

...
Arrigo Triulzi
Published: 2006-08-01

*Intel Centrino Vulnerabilities

Intel has released driver security updates for Centrino device drivers for Windows and for the PROSet
management software.
http://support.intel.com/support/wireless/wlan/sb/CS-023068.htm

There are three issues identified:
Intel® Centrino Wireless Driver Malformed Frame Remote Code Execution
http://support.intel.com/support/wireless/wlan/sb/CS-023065.htm
Intel® PROSet/Wireless Software Local Information Disclosure
http://support.intel.com/support/wireless/wlan/sb/CS-023066.htm
Intel® Centrino Wireless Driver Malformed Frame Privilege Escalation
http://support.intel.com/support/wireless/wlan/pro2100/sb/CS-023067.htm

The first and the third seem to be most severe. At this point we don't know of any public exploits for these vulnerabilities. The second one (PROSet info disclosure) has been around for a while and is known but local only.

The announcements contain details on which drivers are vulnerable as well as links to patches and a tool to determine which version you have-
http://support.intel.com/support/wireless/wlan/sb/cs-005905.htm

Below are the summaries of the affected platforms
Intel® Centrino Wireless Driver Malformed Frame Remote Code Execution
    * Intel® PRO/Wireless 2200BG Network Connection
    * Intel® PRO/Wireless 2915ABG Network Connection

Intel® PROSet/Wireless Software Local Information Disclosure
    * Intel® PRO/Wireless 2100 Network Connection
    * Intel® PRO/Wireless 2200BG Network Connection
    * Intel® PRO/Wireless 2915ABG Network Connection
    * Intel® PRO/Wireless 3945ABG Network Connection

Intel® Centrino Wireless Driver Malformed Frame Privilege Escalation
    * Intel® PRO/Wireless 2100 Network Connection

The details of which drivers are listed on the pages and we recommend you look there.

Before you download and install these, we strongly suggest you talk to your system vendors and see if they are coming out with custom versions of the patches.

On a related note- there will be a talk on exploiting device drivers on Wednesday 8/2/06 at Blackhat Vegas. Anyone who can make it should go.

0 Comments

...
Toby Kohlenberg
Published: 2006-08-01

Apple OS X patches out

Time to run Software Update for OS X users... Security update 2006-004 is out!

The patch clocks in at around 8.5 Mbyte (Intel) or 5.5 Mbyte (PPC) and covers a lot of vulnerabilites. The bold ones are critical (remote code execution):
  • more authentication issues with AFP (the good ol' Mac file-sharing protocol),
  • an interesting increase in the length of the Bluetooth auto-generated passkey for pairing (from six to eight characters),
  • dynamic linker update (probably the "usual" trickery involving LD_PRELOAD which has been applied successfuly to many Unix systems in the past)
  • gunzip file permission issues and overwriting files with the -N option,
  • Bom decompression executing malicious code,
  • more image viewer trouble with Canon RAW format (malicious code execution, again),
  • same as above but with GIFs,
  • same as above but with TIFFs,
  • Safari troubles with Javascript,
  • OpenSSH DoS attack when someone tries brute-forcing usernames (this is a regression bug since apparently it only affects 10.4 upwards),
  • the good ol' "telnet hands out environment variables to servers" now hitting OS X's telnet client,
  • Webkit giving access to de-allocated objects,
  • and finally DHCP (bootpd actually) giving nice access with a malformed query.
My initial reaction to most of this is "haven't we seen this before?" because quite frankly most of the holes above have been seen in older *nixes a while back (the telnet one was a classic, not to mention the LD_PRELOAD trickery).

Although we aren't aware of any exploits we recommend upgrading immediately since there are so many remote code execution vulnerabilities.

Now the problem is that your Handler on Duty can't apply the patches until I'm done with my shift...

0 Comments

...
Arrigo Triulzi
Published: 2006-08-01

MySQL MERGE Table Privilege Revoke Bypass

Secunia published today an advisory regarding MySQL, in their words:

"The vulnerability is caused due to a design error in the user privilege verification for MERGE tables. This can be exploited to keep access to a table via an in advance created MERGE table even after the privileges has been revoked for the table."

They rate the vulnerability as "not critical".

0 Comments

...
Arrigo Triulzi
Published: 2006-08-01

Heads Up: new flaw in McAfee

The ISC has received several notifications of an upcoming security advisory regarding McAfee products.  The flaw provides remote execution of code in the following software:
  • McAfee Internet Security Suite 2006
  • McAfee Wireless Home Network Security
  • McAfee Personal Firewall Plus
  • McAfee VirusScan
  • McAfee Privacy Service
  • McAfee SpamKiller
  • McAfee AntiSpyware
Apparently 2007 editions of the products, released this past Saturday, are not affected.  There is also an article on the Toronto Globe and Mail covering the issue.

Thanks to Jacques and Bruce for drawing our attention to the issue.

Word from McAfee is that a patch will be automatically released tomorrow.

0 Comments

...
Arrigo Triulzi
Published: 2006-08-01

Tip of the Day: Strong Passwords

This is the first in our "Security tip of the day" series. Guess since I mentioned strong passwords, I got a lot of tips about how to pick them. So lets get that out of the way with our tip #1:

Probably the easiest way to pick a better password is to move to pass-phrases. Instead of a word, a pass-phrase is a sentence. For example: "This is a good password" vs. "password". Obviously, passphrases are much harder to brute force. The can still be guessed. But "My favorite pet's name is Fluffy" is much harder to guess then just "Fluffy".

You may still play the usual tricks and substitute certain letters with "leet speak". "My f@vorit3 pet's name is Fluffy".

In some cases the size of your password may be limited by the system. In these cases, you can use just the first letter of each word in your passphrase.

Not everybody agrees with it, but I do recommend to use a set of passwords for different uses. Use a throw away password for all the random web sites you have to register (e.g. your favorite news paper and such). A second password for things like online forums you contribute to (a bit more tricky as if someone gets that password, they could damage your reputation by posting in your name). Lastly: Be careful what you allow the web site to store. You may not care if anybody knows your order history for an online store. If so, you could chose one of your commodity passwords. But its different if you allow the site to keep your credit card number.

How to store passwords: There are a number of "password safe" applications that are usually pretty good. I am not too concerned about how well they protect your password once a person broke into your system (either physically or remotely). If they do, then its usually "game over" anyway as they will not get the info they need via keyloggers and means like that. Same for writing down passwords. You probably don't want to use Post-It notes at work. Too many people usually have easy access to your desk. But at home: Write your passwords down and keep the sheet close to the PC. Maybe obfuscate them a bit by writing them down backwards. But if a burglar breaks into your house, a lost online banking password is probably not a huge deal compared to the other damage and easily changed.

For your awareness program: A couple universities came out with nice "Passwords are like Underwear" posters. (a Google search will reveal others if you don't like this particular version).

Fellow handler Don Smith also noted that in the Denver area a number of car break ins have been linked back to identity theft.

With that: No more tips on strong passwords! I want tips on how to avoid using passwords ;-). Or if you got an other security tip, please let us know via the contact form. After all: August is security tip month!

I would like to thank for contributions for this tip:
Micha Pekrul, Frank Hieber, Dan Kirk, Christopher Vera and my fellow handlers.

0 Comments

...
Johannes Ullrich
Published: 2006-08-01

Bleeding Snort Domain.

The folks over at Bleeding Snort have released an alert titled "Domain Gone."  They owned the "bleedingsnort.org" domain, but the domain was inadvertantly allowed to expire and someone else purchased it and may be using it to distribute malware or other unwanted programs. The Bleeding Snort team provides lots of SNORT signatures and other useful security information. Their official web site is (and always has been) http://www.bleedingsnort.com.
 
Please, until we know more about what's behind it, do not visit the "bleedingsnort.org" site (or, if you do, be very careful).

Update:  We have confirmed that the .org site has been dropping malware (not identified by all A/V) in the last 24 hours, so chalk one up for the bad guys and cybersquatters. :(

0 Comments

...
Kevin Hong
Top of page