Diaries

Published: 2007-10-31

Salesforce.com issue?

We've had a number of readers report that they have received very specifically targeted EEOC or FTC spam emails. Several commented that some of the email addresses used were only available from the salesforce.com database. Most of the emails contained the full name of the recipient. We're trying to confirm this through several sources; the Washington Post has also picked up the story.

If you have info that may assist let us know through the contact form and we'll keep you posted.

 

Mark H

 

1 Comments

Published: 2007-10-31

Don't download the Dancing Skeleton!

Halloween malware is SUPPOSED to be scary. Thanks roseman.

Watch out for the dancing skeleton now!  Seems the Storm gang are out and about for Halloween then. Thanks Alan.

Cheers,
Adrien de Beaupré
Bell Canada

0 Comments

Published: 2007-10-31

Happy Samhain / All Hallows Eve

Things do go bump in the night, on the Internet at least. 

Cheers,
Adrien de Beaupré
Bell Canada

 

0 Comments

Published: 2007-10-31

Cyber Security Awareness Tip #31: Legal Awareness (Regulatory, Statutory, etc.)

Scary stuff! Well, for me anyway. As a security geek with a technical background, the legal, regulatory, privacy, and liability issues revolving around information security are quite daunting. They speak a different language and have completely different concerns. For today's tips, can you let us know what issues you are facing? Which laws or regulatory compliance regimes are you facing? How are you dealing with them? Are they distracting you from doing actual security work? Are you dealing with attempting compliance with conflicting and vaguely worded interpretations of statutes and industry regulatory bodies?

Cheers,
Adrien de Beaupré
Bell Canada

0 Comments

Published: 2007-10-30

Soon to come: IRS Spam

Our friends at iDefense/VeriSign shared a template with us for a new IRS phishing e-mail which they expect to be mailed out soon (today). The template looks like it will be sent as a multipart MIME encoded email with a plain text and an HTML part.

The '%' keywords in the template will be replaced with customized content. Expect URLs like this to be used:
http://ads.tvfly.com/banner/.error_log/b.php

Note that the directory name starts with a '.' in order to hide it on compromised Unix systems. Another common directory name is '.bbb'. File names to expect are b.php, kit.zip and update.exe.

 

Here is the top part of the template:

From=IRS e-file <efilesubmission@irsefile.gov>
Reply-To=IRS e-file <efilesubmission@irsefile.gov>
Subject=Known e-file Issues and Solutions (2007 tax year), for %comp%!
%TEXT_TEMPLATE_DELIMITER%

Binary Attachments

___________________


It has come to the attention of the IRS Modernized e-File office that
some transmitters/software developers/return originators are creating
binary files incorrectly. In some instances, the IRS was unable to
display the PDF document because of improper formatting.
Effective immediately, please ensure that binary attachments are created
according to the PDF standards in this correspondence.
The internal identifier (first five bytes of the file) must be the
standard PDF identifier, "%PDF-".
Please download the correct PDF form for your business needs here:

%link%
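To turn the hosting pattern described above (a dot-directory such as .error_log or .bbb on a compromised host, holding b.php, kit.zip or update.exe) into a mail-gateway check, here is an added example, not iDefense's or the ISC's code. It builds a constructed multipart message in the template's layout (ads.tvfly.com is from the diary; www.example.com and the HTML part are invented), pulls the URLs out of both the plain-text and HTML parts, and reports which indicators each URL matches.

```python
"""Triage URLs in a multipart phishing e-mail for the kit-hosting pattern
the diary describes: hidden dot-directories on compromised Unix hosts and
the expected kit file names. Added example; the sample message is
constructed, modeled on the template's '%link%' placement."""
from __future__ import annotations
import re
from email import message_from_string
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from urllib.parse import urlparse

KIT_FILES = {"b.php", "kit.zip", "update.exe"}   # file names the diary expects
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def build_sample() -> str:
    """Constructed multipart/alternative mail with a plain and an HTML part,
    the way the diary says the template will be sent."""
    msg = MIMEMultipart("alternative")
    msg["From"] = "IRS e-file <efilesubmission@irsefile.gov>"
    msg["Subject"] = "Known e-file Issues and Solutions (2007 tax year), for Example Corp!"
    text = ("Please download the correct PDF form for your business needs here:\n\n"
            "http://ads.tvfly.com/banner/.error_log/b.php\n")
    html = ('<p>Please download the correct PDF form here: '
            '<a href="http://www.example.com/.bbb/kit.zip">PDF form</a></p>'
            '<p>Reference: http://www.irs.gov/efile/</p>')   # benign link for contrast
    msg.attach(MIMEText(text, "plain"))
    msg.attach(MIMEText(html, "html"))
    return msg.as_string()


def extract_urls(raw: str) -> list[str]:
    """Collect URLs from every text/* part of a MIME message, decoding the
    transfer encoding first so quoted-printable bodies are searched too."""
    msg = message_from_string(raw)
    urls: list[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        body = payload.decode(part.get_content_charset() or "utf-8", "replace")
        urls.extend(URL_RE.findall(body))
    return urls


def triage_url(url: str) -> list[str]:
    """Return the indicators a URL matches; an empty list means none."""
    segments = [s for s in urlparse(url).path.split("/") if s]
    hits: list[str] = []
    # A directory whose name starts with '.' is invisible to a plain 'ls'
    # on the compromised host, which is why the kits are dropped there.
    if any(s.startswith(".") for s in segments[:-1]):
        hits.append("hidden-dot-directory")
    if segments and segments[-1].lower() in KIT_FILES:
        hits.append("kit-filename")
    return hits


def triage_message(raw: str) -> dict[str, list[str]]:
    """Map each URL found in the message to the indicators it matched."""
    return {u: triage_url(u) for u in extract_urls(raw)}


if __name__ == "__main__":
    for url, hits in triage_message(build_sample()).items():
        print(f"{url:50s} {', '.join(hits) or '-'}")
```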

 

 

0 Comments

Published: 2007-10-30

Cyber Security Awareness Tip #30 - Blogging and Social Networking

First of all - thanks to our fearless leader, Johannes, for getting this diary started.  I am becoming an absent minded old grandma I guess and forgot that I started my Tour of Duty last night.  Anyway, I am here today and ready for all of the fun.

 

Now for my 2 cents on the subject of Blogging and Social Networking.

I will not even try to kid you, I don't like the rooms that the kids are hanging out in. I work very hard to discourage them from hanging out in some of these places. Unfortunately it is not easy. Many of these rooms contain numerous dangers, not the least of which is sexual predators. We all know what a danger these can be for kids. And if that is not enough to worry you, let's see if this does.

A few weeks ago we had some computers at our stores that had been infected. All of our stores had AV software installed and running. During my monthly audit I discovered that we had some PCs on which the AV had been disabled, and they were laden with bad things, not the least of which was a worm. As I began the job of cleaning these up and getting the AV going again, I discovered that the common thread was that all of the infected machines had accessed one popular social networking site (not one page... the site).

Upon further investigation I discovered that the machines also contained a keylogger. Customer data as well as company data may have been at risk. Luckily we caught it before damage was done, however it could have been a big problem. I explained to management the dangers of the sites that the folks were visiting, and we put a dollar value on the amount of time it took me to clean up the problem by formatting and reloading all of the computers. We also took a look at the potential loss of revenue if a breach had occurred and we had compromised valuable customer data. What about the possibility of a lawsuit? What about the loss of goodwill, and of faith in our service and our company?

We have now put in web filtering and we no longer allow access to certain sites and types of sites, for instance music or video download sites. What the employee does at home on their own time, I can't control. What happens in one of our facilities, I can.

The important thing is to talk to your employees, explain to them why you do what you do.  When they realize the cost they are more likely to cooperate.  When they realize that a breach can result in a significant loss of revenue which equates to less money for raises and bonuses and they see that it does affect their bottom line they don't complain, or at least complain silently.

Educating your users about the dangers on the Internet can go a long way in impacting your bottom line.

0 Comments

Published: 2007-10-30

Cyber Security Awareness Tip #30 - Blogging and Social Networking

Yesterday we talked about the "insider threat". Blogging and Social Networking can be seen as a variation of this issue. But unlike the clandestine (and intentional) activities performed by a malicious insider, the threatening actions from blogging and social networking are usually unintentional and frequently well intended.

So how do you (or your organization) deal with this threat? Do you review your employees' blogs for proprietary information? This may be an area where user education will actually work. However, it is also an area where the lines between a person's professional and personal life blur. What about the reputation of a company? Would it be affected by a well known employee of the company voicing radical political views in his personal blog?

The threat from social networking is similar. By mixing personal and professional contacts in your social network, you allow for "data leaks". Another issue is that with social networking, terminated employees retain access to customer and collaborator contact information.

As always: contact us with your tips on how to mitigate this threat.

----------
Johannes B. Ullrich, Ph.D. SANS Institute.
Interested in web application security? We still have seats in my next class: SEC519 Web Application Security, Virginia Beach, November 14-15th.

0 Comments

Published: 2007-10-29

VoIP Spam (Vonage?)

I just may have gotten my first VoIP spam. My VoIP line (which I have with Vonage) rang once. It should be configured to forward calls to my "real" phone. But this didn't happen. Instead, shortly after the phone rang, I received a new voicemail. The voicemail was about 4 minutes long and consisted of a recording of some comedian. Nothing particularly special or offensive. Mostly the usual jokes referring to US political issues like healthcare and Iraq. The recording starts and ends suddenly without introduction and it sounds like it is part of a larger program. Haven't listened to the full recording yet.

Has anybody else experienced this issue?

Two more details: my Vonage console shows the call duration as exactly 5 minutes and the caller ID as 1111111111.

 

Update: John pointed to an older article in a Vonage user forum. That, and some additional Googling, leads to the idea that '111-111-1111' is a caller ID frequently used by companies with the ability to set their own caller ID. Larger phone systems will allow you to adjust caller IDs for outbound calls, and "all 1s" appears to be a popular configuration for such systems.

0 Comments

Published: 2007-10-29

Cyber Security Awareness Tip #29: Insider Threats

I find this to be one of the hardest to mitigate threats in information security. Frequently, fighting insider threats prevents people from doing work. Another problem is that too many restrictions and too much surveillance lead to distrust between employer and employee. So what's the right balance? What worked for you? In my opinion, the following ideas usually work:

  • Keep good logs. Logs should show who is doing what to your data, in particular if insiders use admin level access to change data or review users' data.
  • Avoid "loners". Have people work in teams. Not only is this good for cross training in case an employee is out on vacation, but it also provides a second set of eyes to catch intentional or unintentional mistakes.
  • Keep good backups. If things go bad, it's good to be able to recover. Of course, backups are made by insiders as well.
  • Stay in touch with your employees and care about them. Make sure they are paid well and don't have a reason to be mad at you. If they are: make sure you are able to discover issues early. But treating your employees well goes a long way to mitigating insider threats.

An even worse problem I don't even dare to cover: Insiders who get blackmailed. Again, if they trust you maybe they will come forward first. But that's a lot of trust.

So any good ideas you have to implement insider protections like that? Trust me... I will publish them. After all, I am an insider here ;-) (Thanks to Bill for pointing this out).

--------
Johannes B. Ullrich Ph.D., SANS Institute.

 

 

0 Comments

Published: 2007-10-28

Cyber Security Awareness Tip #28: Cookies

It's Tuesday morning, and your morning briefing is for a group of new employees. You have a bunch of network and security topics to cover in a short time, and the audience is generally non-technical.

What do you tell them about cookies? What risks are there, and what risks have been blown out of proportion? What straightforward practical steps can they take to minimize privacy issues? Have you done some behind-the-scenes work for them in setting up their applications to similarly protect their privacy?

I'll update the diary with your tips; please submit them at http://isc.sans.org/contact.html .

-- Bill Stearns, http://www.stearns.org

 

0 Comments

Published: 2007-10-28

Daylight Saving Time Reminder for the USA

For our USA readers, don't forget that the start and stop of daylight saving time changed this year.  You've got one more week to go before you move back one hour.  Of course, if you keep your watch on Zulu time then this is not an issue for you.

Details:  http://aa.usno.navy.mil/faq/docs/daylight_time.php

Marcus H. Sachs  
Director, SANS Internet Storm Center

0 Comments

Published: 2007-10-27

Cyber Security Awareness Tip #27: Online Games and Virtual Worlds

Today's Cyber Security Awareness tip is for Online Games and Virtual Worlds.

 

Quick story, then I want to hear your comments. 

I recently quit WoW (World of Warcraft, for those of you that haven't used a computer in the past couple of years ;). Just didn't have enough time. Spent a while getting my character (Human Warlock) up to level 70, and found out that basically... I just spent the whole time getting /ready/ to play the game. The game doesn't start until you hit the highest level. Then it's all about honor, keys, and instances. WoW in particular, like a lot of online MMORPGs, consumes a lot of free time. I recently watched a CSI: NY where half the story took place inside of "Second Life" and the other half took place in "Real Life" (or RL). This raises security implications and personality implications.

 

What happens when what you do at home (in the game), comes out to real life?  What about the other way around?

 

Like to hear what you guys have to say!  Write into us here at the Storm Center at the Contact Link at the top or the bottom of the page.

(I also installed OSX Leopard yesterday, and will be posting some thoughts about that a bit later, stay tuned, I'm still playing)

Joel Esler

http://handlers.sans.org/jesler

0 Comments

Published: 2007-10-26

Request for info, IPs, exploit examples on PDF mailto documents

Hi all,

We are looking for examples of the PDFs being sent out, Snort signatures, the IP addresses sending them out, the IP addresses they download malware from, and examples of the malware.

Please upload here: http://isc.sans.org/contact.html

Cheers,
Adrien de Beaupré
Bell Canada

 

0 Comments

Published: 2007-10-26

Cyber Security Awareness Tip #26 – Safe File Transfer

The Internet has provided us with a convenient method to share information with each other and one thing we all do is to move files around.  Whether they be documents attached to emails, music, movies or programs we install, it is all about files, files, files.  So how do you safely transfer files from one location to another?  We're talking important stuff, the super secret info that your business relies on in order to stay afloat or information that keeps the country safe, but things you need to share with others in order to function. 

We've had plenty of examples over the last year or so on what not to do, especially with backup tapes and credit card numbers.  So we need some tips on what people should do or should not do.  I'll kick it off.

DO:

  • Have a policy on how information can be exchanged between organizations
  • Encrypt sensitive information on backups, removable media or in emails
  • Use SFTP or SCP to transfer files
  • Set up a secure file exchange facility within the corporate infrastructure to securely exchange files with others. 

    UPDATES:
    1. "Use secure thumb drives. They don't cost that much more.
    2. Use strong passwords.
    3. Store the password and data separately.
    4. Don't e-mail the password with the data.
    5. When sending data by courier make sure they are trust worthy, we have had customers send data that just never made it to us.
    6. Password protect all storage devices, including cell phones they can hold a lot of data now a days." (Paul)
     

Don't:

  • Allow services such as the free file transferring facilities to be used by staff.
  • Put the information on a CD and then leave it in the kiosk computer at the airport.

Send us some good tips on what to do (bad ones are acceptable as well, but they have to be amusing).

 

Cheers

Mark H - Shearwater

 

0 Comments

Published: 2007-10-26

URL Update to Internet Explorer URL Handling Vulnerability

Earlier this month, Microsoft published KB943521. This article acknowledged that third party software had to validate URLs before passing them to Internet Explorer, as Internet Explorer will not validate them. Today, Microsoft published an update to the advisory, suggesting limited exploitation of this vulnerability.

Microsoft does not appear to plan to fix the issue in Internet Explorer. Instead, it asks vendors releasing tools that pass URLs to Internet Explorer to validate them.

Thanks to Chris and Gilbert for alerting us to the update! Let us know if you see an exploit in the wild, or if you encounter any 3rd party applications which are not protecting Internet Explorer.

Links:

www.microsoft.com/technet/security/advisory/943521.mspx

blogs.technet.com/msrc/archive/2007/10/25/msrc-blog-october-25th-update-to-security-advisory-943521.aspx

 

0 Comments

Published: 2007-10-26

Wildfire Scams

As with any disaster in the past, we expect some scams related to the California wildfires. So far, we are happy to report that we see almost no activity. But if you come across something, please let us know!

Basic tips:

  • Only donate to charities you know.
  • Do not respond to donation requests that you may receive via e-mail.
  • If in doubt, make your donation via mail or phone using a well published phone number.
  • The IRS operates a registry of charities: apps.irs.gov/portal/site/pub78

Our best wishes are with the victims of the fire.

 

0 Comments

Published: 2007-10-25

Cyber Security Awareness Tip #25: E-mail (PGP, Attachments, etc), IM, IRC

Today's issue revolves around the various thin communication mechanisms of e-mail, instant messaging, and IRC.  With spam taking up about 90% of all e-mail going across the Internet, what can be done to make it a reliable mechanism?  Instant messaging is increasingly being used to exploit end users and with phishing striving to look more "legitimate", instant messaging provides a crucial attack vector.  IRC is not just for botnets, how can those who use it do so safely?

Send in your tips here and I'll update the diary with the best of the best as the day goes on.

--
John Bambenek, bambenek -at- gmail [dot] com
University of Illinois

0 Comments

Published: 2007-10-24

Cyber Security Awareness Tip #24: Not all patches are released on a Tuesday

Big kudos to Microsoft, really. Even my not overly tech savvy dad knows by now that he must make sure to get his patches on the second Tuesday of the month. While one might argue over the sorry state of software development that makes monthly patching a must, I still think that the concentrated effort and foghorn message of Microsoft for monthly patching has done a lot of good.

So much good, in fact, that plenty of home users are carefully updating their anti-virus, are downloading their Windows patches once a month, and still end up providing their online banking credentials in blissful ignorance to the latest key logger. How did it get onto the system? Either through not-so-free freeware that the user obligingly installed, or, increasingly, through drive-by downloads that lurk on certain web pages. These drive-bys used to go after the Microsoft vulnerability-du-jour a year or so ago, but nowadays seem to primarily target third party software.

Only last week, we unraveled an obfuscated web page that tried to exploit Baofeng (10.Sep), Powerplayer (31.Aug), ThunderDap (28.Sep) and Yahoo Webcam (5.Jun). All are media players of some sort, and certainly not overly popular. The date in brackets indicates when the corresponding vulnerability/PoC was documented, so some of the sploits were pretty "fresh". The bad guy nowadays has a choice - to try to find those user PCs that didn't do anything on Patch Tuesday by going after a well documented Microsoft vulnerability, or to attack software components that are relatively rare, but where pretty much everybody who has the component installed will also be exploitable. It is clearly the latter that's on the upswing.

Since there is (to my knowledge) no clear cut approach available that would tell a home user that his machine is ripe for exploitation and which third party patches are needed, the best advice I can usually give to a home user is to every quarter or so check the software installed, to throw out all those pieces never used, and to check the web sites of the remaining components for newer versions. Yes, this is a herculean task, but in my opinion necessary. If you don't do it for all your software, at least check the components which routinely talk to the net (chat software, music and video players, browser plugins, web browsers, filesharing apps, mapping software, etc). Some of them might do "auto update", but most don't, or at least don't do it right.

Surfing the Internet with a browser that doesn't speak ActiveX helps as well, in most cases. But we don't want to solely rely on a single line of defense now, do we?

0 Comments

Published: 2007-10-23

Vulnerability in JRE VM

A vulnerability in the Virtual Machine of the Java Runtime Environment may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

Solution: upgrade.

From the Sun advisory.

Cheers,
Adrien de Beaupré
Bell Canada

0 Comments

Published: 2007-10-23

PDF mailto exploit documents in the wild

The vulnerability initially reported here http://isc.sans.org/diary.html?storyid=3406 and confirmed here (with workaround) http://isc.sans.org/diary.html?storyid=3477 and patched here http://isc.sans.org/diary.html?storyid=3531 now appears to have been spotted in the wild. The proof of concept code had been released, and a number of people have reported receiving the PDFs which exploit the vulnerability. Obviously please patch, apply the workarounds, and/or ensure you can detect and block the exploit. File names seen so far are "BILL.pdf" and "INVOICE.pdf".

Thanks Juha-Matti!

Cheers,
Adrien de Beaupré
Bell Canada


0 Comments

Published: 2007-10-23

Cyber Security Awareness tip #23 Using Browsers, SSL, Domain Names

Today's issue revolves around trust, implied, explicit, and undeserved. AKA the bad, the worse, and rather ugly. The question is, can a web server be trusted, and under what conditions? Can a web browser determine the trust value assigned to a web server, and what are the criteria for doing so? What reputation can be assigned to the URL based on IP address, SSL certificate, domain name or other parameters? What is the paradigm for using the Internet for business?

Please let us know your thoughts on the subject.

Update 1: our first example already! IrfanView is a popular graphic image viewer, and is free for personal use, available at its web site: http://www.irfanview.com/ Interestingly enough, other web sites seem to charge for a 'Pro' version. Are they legit? I'll leave that as an exercise for the reader. Thanks Curt for writing in.

Cheers,
Adrien de Beaupré
Bell Canada

0 Comments

Published: 2007-10-22

Adobe Reader 8.1 update available

Thanks to Roseman for bringing this to our attention.

From http://www.adobe.com/support/security/bulletins/apsb07-18.html

"Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat

Release date: October 22, 2007

Vulnerability identifier: APSB07-18

CVE number: CVE-2007-5020

Platform: Windows XP (Vista users are not affected) with Internet Explorer 7 installed

Affected software versions: Adobe Reader 8.1 and earlier, Adobe Reader 7.0.9 and earlier
Adobe Acrobat Professional, 3D and Standard 8.1 and earlier versions, Adobe Acrobat Professional, Standard, 3D and Elements 7.0.9 and earlier"

The Acrobat patch is available here http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

The Reader patch is available here http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows

Fellow handler Swa covered this vulnerability and a workaround for it in this diary http://isc.sans.org/diary.html?storyid=3477

 

0 Comments

Published: 2007-10-22

SSH scanning changes to a more distributed (coordinated?) model.

We have seen reports in the past where a single victim was attacked by multiple source IP addresses in an ssh bruteforce attempt but usually it has been a single or at most a few source IP addresses.
Today we had 4 separate reports of an increase in ssh bruteforce attacks. Two of those reports stated that they were seeing lots of source hosts against a single victim. The isc.sans.org port 22 graph supports this as there has been a large increase in the source hosts seen in ssh scans during this month. If you can verify that this is a distributed, coordinated attack as some of us suspect that would be helpful. The type of coordination I would expect in this case is different systems using different account/password pairs.

“Almost every hour logcheck is emailing me about failed SSH logins. In the past the failed logins usually came from just one host at a time. fail2ban on my server would take care of this and I wouldn't worry. But now I'm seeing multiple servers all trying within minutes of each other and they'll only try a few times so fail2ban isn't working very effectively. It only appears to be for user "root" and "mysql".” (David)

“We're seeing unusually high inbound SSH scanning across our networks. The activity showed up on our radar 10/21 around 18:30 CDT (23:30 GMT). Some of the reverse lookups on scanning hosts suggest that these systems are compromised themselves (e.g. nagios.blah.tld or mail.blah.tld); many reverse lookups do not suggest this... At first blush, it appears that the majority of these remote scanners are in Europe or Eastern Europe.” (Bert)

“I see 2 or three ssh attempts in a day, and suddenly I'm seeing one about every 3 minutes start almost an hour ago. (reported around 6am MDT). Anyone else seeing this stuff? Thanks.” (James)

From the ASCII version of DShield's port listing we can see that the reported sources of SSH attacks have been climbing fairly steadily, with the highest number of sources reported occurring yesterday. Of course today's data is not complete.

date          records    targets  sources  tcpratio
2007-10-01     606506     151949      875       100
2007-10-02    1317888      88940      882       100
2007-10-03     828467     112525      881       100
2007-10-04    1344606      53047      843       100
2007-10-05     541713     107031      873       100
2007-10-06     346431      92291      797       100
2007-10-07     282205      47498      848       100
2007-10-08     756005     130631      887       100
2007-10-09     915582      53250      868       100
2007-10-10     321079      85194      860       100
2007-10-11     608362     125370      837       100
2007-10-12     225450      87848      772       100
2007-10-13     147506      60599      829       100
2007-10-14     380275     148700      909       100
2007-10-15     749183     319528      930       100
2007-10-16    1558853    1027756      896       100
2007-10-17    1879869    1564587      901       100
2007-10-18     195446      56762      929       100
2007-10-19     139687      50711      932       100
2007-10-20     249887      96917      933       100
2007-10-21     542479     104323     1012       100
2007-10-22     561213     101314      810       100
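David's point above is the detection gap: each source only tries a few times, so a per-source blocker like fail2ban never reaches its threshold. The following added example (not fail2ban's or logcheck's code) looks at the aggregate instead: it parses OpenSSH "Failed password" lines from auth.log and flags a user who, within one time window, is hit by many distinct hosts that each stay under a fail2ban-style maxretry. The log excerpt is constructed with TEST-NET addresses, and the window and thresholds are assumptions to tune for your own logs.

```python
"""Spot a distributed SSH brute force in auth.log: many sources, few
attempts each, against the same account. Added example for this diary;
log lines below are constructed and thresholds are assumptions."""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH failure lines as syslog writes them (no year in the timestamp).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2"
)


def parse_failures(lines, year=2007):
    """Yield (timestamp, user, source) for every failed-login line."""
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["src"]


def find_distributed_bruteforce(lines, window=timedelta(minutes=30),
                                min_sources=5, per_source_max=3):
    """Return {user: {sources}} for accounts that, inside any `window`, were
    tried by at least `min_sources` distinct hosts which each made no more
    than `per_source_max` attempts. Hosts above `per_source_max` are the
    noisy ones a per-IP ban already catches, so they are not counted here."""
    by_user: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ts, user, src in parse_failures(lines):
        by_user[user].append((ts, src))
    alerts: dict[str, set[str]] = {}
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            per_src: dict[str, int] = defaultdict(int)
            for _, src in events[start:end + 1]:
                per_src[src] += 1
            quiet = [s for s, n in per_src.items() if n <= per_source_max]
            if len(quiet) >= min_sources:
                alerts.setdefault(user, set()).update(quiet)
    return alerts


def fmt(t: datetime, user: str, src: str, port: int) -> str:
    """Render one constructed sshd failure line in syslog format."""
    return (f"{t:%b %d %H:%M:%S} gw sshd[{4000 + port % 100}]: "
            f"Failed password for {user} from {src} port {port} ssh2")


def build_sample_log() -> list[str]:
    """Constructed auth.log excerpt: six hosts each try 'root' twice within
    20 minutes (the distributed pattern), while one host hammers 'admin'
    twelve times in a minute (the classic pattern fail2ban handles)."""
    base = datetime(2007, 10, 22, 6, 0, 0)
    lines = []
    for i in range(6):
        src = f"198.51.100.{11 + i}"
        for k in range(2):
            lines.append(fmt(base + timedelta(minutes=3 * i, seconds=20 * k),
                             "root", src, 40000 + i))
    for k in range(12):
        lines.append(fmt(base + timedelta(seconds=5 * k),
                         "invalid user admin", "203.0.113.9", 50000 + k))
    return lines


if __name__ == "__main__":
    for user, sources in find_distributed_bruteforce(build_sample_log()).items():
        print(f"{user}: {len(sources)} quiet sources -> {sorted(sources)}")
```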

0 Comments

Published: 2007-10-22

RealPlayer patch for Zero day vulnerability

From http://service.real.com/realplayer/security/191007_player/en/

"RealNetworks has issued a fix for a vulnerability, identified here http://www.symantec.com/enterprise/security_response/weblog/2007/10/realplayer_exploit_on_the_loos.html by Symantec, that affects the import method of an Active X control."

This vulnerability was covered by fellow handler William Stearns here:

http://isc.sans.org/diary.html?storyid=3519

Patches are available at the real.com link above.

0 Comments

Published: 2007-10-21

Cyber Security Awareness tip #22 Detecting and Avoiding Bots and Zombies

Today is the 22nd day of our Cyber Security Awareness month, which means we will be covering Detecting and Avoiding Bots and Zombies. If I had created the list I would have put this on the 31st in honor of Halloween.
One problem solving technique I like is divide and conquer.

So let us divide this task into two sections, one for detecting and one for avoiding the Bots and Zombies.
Then let us break each of those again into network based and host based.
Detection, network based:
How does one detect Zombies?
One way is to watch network traffic for unusual destinations, services, packet types, or packets per second.
Enterprise networks often have the ability to look at firewall, IDS and other logs for network anomalies.
Home users may not have, or may not know how to use, their network devices to look for anomalies. Purchasing a network detector or using currently available network based reporting tools would help many home users detect Zombies.


3rd party reporting services:
Many enterprises have a 3rd party service that assists them in detecting Botnet members within their network.
Home users frequently do not have such resources or do not know they have access to those resources.
Most home users do not have static IP addresses; their IP address changes with some frequency. There are a number of services that will report your external IP address. Given the external IP address, a home user can go to the main Internet Storm Center page, type it into the “port/ip lookup/search:” box and click GO.
This way home users can see if their address has been reported by any of the DShield users. They can also use a well known trusted Remote Black Listing service (RBL).

Detection, host based:
There are many great host based network detection tools. They all have the same basic flaw: once the system is compromised by an unknown, undetected exploit they can be disabled or circumvented.

Most enterprises monitor various host or application logs for significant system events.

Most home users do not. They either don’t know how or don’t have the tools.

Avoiding Bots and Zombies:
Network based:
Block unknown or untrusted services and content.
Enterprises often do this by having an enforced network policy.
Most home users do not have a network policy or a method to enforce one.

Human filtering:
Many bots or zombies are installed by the end user. Usually this occurs unknowingly due to some social engineering trick. Being a bit paranoid or untrusting can significantly improve your odds in avoiding Bots and Zombies.   

I am sure a lot of you have some great ideas on how to avoid or detect Zombies and Bots please contribute your comments via the contact link @ http://isc.sans.org/contact.html.

0 Comments

Published: 2007-10-21

Cyber Security Awareness Tip #21: Understanding Online Threats

Its day twenty one of Cyber Security Awareness month and today is Understanding Online Threats.

My main function in life is the security of kit with plugs on. Application security I leave to a different bread of people. However, I have learnt one application security mantra over the years and it fits into todays theme perfectly - In the client / server model -  Never Trust The Client.

In an ever increasingly hostile online world, how do you do business with what could be a hostile client, which could be your PC, or the PC of one of your customers.

In the last few days, I've read some amazing tips presented around how to perform authentication. A lot of these are targeted at preventing phishing fraud. Phishing, for those recently returned from a distant planet, is the collection and fraudulent use of credentials to make money. During my day job with a financial institution I have experienced a wide and varied methods used by organised phishing gangs. Probably the most prolific of those in wide spread use is Rock Phish, and it is a good example to gain an understanding of the scale of the problem. Check out f-secure's blog entry, they have a video (here) which shows some of the numerous online banking sites being targeted.

The principal a phisher uses is the time delay between the fraud being performed, and the fraud being detected. This attack method is made more effective by the length of time it takes to take down a phishing web site and as we've seen Rock Phish has increased the effectiveness by increasing the number of web sites being hosted at any one time.  Supporting this is a huge organised crime subsystem to get the money into the hands of the bad guys. So, as a user of online banking, auction house, etc, always look for unexpected information. Does the web site show the date of last log in, does it tally with your activities? If not, contact their customer help desk and have your account checked.

Customer education is the first line of defense in the fight against phishing. Teaching your customers never to expect e-mails from your organization requesting their credentials is paramount. CyLab have recently released an anti-phishing educational game; check it out here.

Phishing often uses URL obfuscation techniques to make the link you click on look all the more real. Ed Skoudis compiled a list of techniques often used by phishers and it is hosted here at the ISC. The page is here and the source code of the attack techniques is here.

To counter this threat, consider the use of modern browsers with built-in rogue site detection, or add-on toolbars which alert users to potential phishing sites. But be careful about how you recommend this to your customer base, as the phishers could jump on your "download and install now!" bandwagon to distribute trojans. Communication of this sort is only recommended once the customer has authenticated to you, and equally once you have authenticated to them. There are a few examinations of this sort of technology on the web, such as CERT's report.

However, phishing needs the bank's customer to give away their credentials, and customers are becoming more aware of the dangers. So the fraudsters are moving to trojans, and to other areas to cast their phishing nets. The areas of the Internet that phishers cover are colossal: from banking to identity theft, from auction sites to online gaming; anywhere a credential is used and money can be made, phishers are targeting. There will be more on online gaming safety later in the month.

In the financial world, trojans are the 'soup du jour'. If your system has been infected with a modern banking trojan it is game over; it is often safer to format and reinstall. The trojans are now so advanced that nothing you see through your browser can be trusted.

To protect yourself against this sort of threat, have a good antivirus product installed and update signatures daily, make sure you are patched, and that you are running an effective firewall product. Check with your bank, some of them are giving away AV/Firewall products so you might not even have to buy one. Look back through the last few days to get tips on how to configure your operating system of choice.

The move from username and password authentication to two-factor authentication is underway at some banks and organisations such as eBay. There are multiple standards in play here, and we may all, at least in the short term, end up with multiple tokens to authenticate with, as your bank and your auction site may use different technologies. If your financial organisation of choice uses such two-factor authentication for log on, but not for authorising your transactions to third parties, then trojans remain an active threat to any transactions you make.

How do you protect your online commerce? What steps do you take to protect yourself from the bad guys online? What do you tell your family members and friends to do to stay safe online? Send your suggestions to us here and we may put your idea up in lights.

Update #1

Ray sent in the following tips:

I stress to my friends and relatives to unwaveringly adhere to the following rules:

  • Never respond to unsolicited emails regardless how authentic the email appears.
  • Never click on a provided url or dial a provided telephone number. Ever.
  • If you think an unsolicited email may be authentic then contact that organization through a previously established communications channel. This could be from a phone number off a bill or contact information from their website (but the website access has to be made from a new browser window using a saved Favorites link that YOU previously established).

0 Comments

Published: 2007-10-20

Cyber Security Awareness Tip #20: Software Authenticity

Software authenticity: If it runs, it's right.  Simple enough, no?  Not quite.  You downloaded the latest and greatest network app, text editor, or whatever your CPU desires.  The software program you downloaded installed clean, runs great, works exactly as advertised.  Is the new application you installed the only new thing running?  Did you get exactly what was advertised, and *only* what was advertised?  In the previous scenario I implied that a Trojan accompanying the new application may have been downloaded and installed.  How do we protect ourselves from something like this occurring?  One way is by using only software purchased from reputable vendors (99% of the time 'shrink-wrapped' software is a safe bet.  There is that 1% that is not safe.)  Another is Software Authenticity.

Software Authenticity, a.k.a. Digital Signatures, is defined by Wikipedia as "a type of asymmetric cryptography used to simulate the security properties of a signature in digital, rather than written, form".  In the realm of Information Assurance there are three properties for which digital signatures are typically used: authenticity, integrity, and non-repudiation.  In short, when we download a digitally signed message or piece of software, we know the data is exactly what the originator intended it to be, it has not been altered in transit, and the originating source of the item is never in question.

This is just one example of the use of software authenticity.  In the spirit of the month, I ask for inputs from you, the readers.  Simply go to our "Contacts" page and submit tips with a subject similar to "Tips #20 - Software Authenticity".

 

Update #1

Matt Smith brought up a good point that needs to be emphasized:  Just because a piece of software has a signature associated with it, and the local signature matches the source signature, doesn't mean that it is malware free; it only means that the software is exactly as the originator intended.  If the originator created the software with malicious code built in, then the signature does nothing more than tell you that the malicious portion is still in there!

0 Comments

Published: 2007-10-19

Realplayer vulnerability with active exploit

We're getting multiple reports of a fresh vulnerability in RealPlayer.  We understand there is some active exploitation of it.  Details:
http://www.securityfocus.com/bid/26130
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9043319

 

0 Comments

Published: 2007-10-19

Firefox 2.0.0.8 released

Firefox 2.0.0.8 has been released with support for Mac OS/X 10.5 (Leopard) and fixes for a number of bugs.  There are more details at http://en-us.www.mozilla.com/en-US/firefox/2.0.0.8/releasenotes/ and http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.8 .

0 Comments

Published: 2007-10-19

(Currently unpatched) iPhone vulnerability with exploit

Secunia has put out an advisory about a vulnerability in the iPhone and iPod touch.  Viewing a malformed TIFF image can cause attacker-supplied code to be run.  As of 10/19/2007, it does not appear that Apple has released a patch for this; the only workaround of which we're aware is not viewing TIFF images from unknown sources.  We understand there is active exploit code in the wild for this vulnerability.

There are more details at http://secunia.com/advisories/27213/

0 Comments

Published: 2007-10-19

Cyber Security Awareness Tips #19: Linux tips

Picture yourself sitting down with a first time Linux user.  This is someone with a lot to learn over the next few years.  *smile*

What straightforward suggestions would you give them about how to secure their Linux system?  Obviously, there's overlap between the different operating systems ("Use a strong password" applies just as well to Linux boxes as to the others), but we're particularly interested in Linux-specific tips.

I'll update the diary with your tips; please submit them at http://isc.sans.org/contact.html
        

-- William Stearns, http://www.stearns.org

0 Comments

Published: 2007-10-18

Cyber Security Awareness Tip #18: Mac Tips

Welcome to day 18 of Cyber Security Awareness Month. Today we're welcoming your tips on securely working with Apple Mac systems. Let's start off with a bit of sage guidance I already received: Don't assume that your machine is secure simply because it's a Mac. While OS[789X] doesn't enjoy the sheer volume of bad-guy attention that other operating systems do, the number certainly isn't zero and you can expect it to grow.

It's amazing how many Mac users and admins are submitting tips.  What is even more amazing is how many of those tips are repeated by the majority of you.  Can you spell c-o-n-s-e-n-s-u-s?

The vast majority of them are Mac versions of general Best Practices, but with a few software-specific tweaks.  Here is a list sent in from Kim at Pepperdyne:

1. Keep your firewall up - the Mac firewall is decent - use it consistently.
2. Keep patched - it's better for Jobs' engineers to do a job on your computer, than for an intruder to do so. If you want to check for patch problems because your system has critical uptime, I find macintouch.com to be a prompt bellwether for patching issues. Oh, and see #3
3. Back up your system - an external HD and Carbon Copy Cloner is an effective solution for single computers. Back up to an encrypted HD image and/or physically secure your backup disk.
4. Do updates and installs with an administrator account; do your web and email with a different account.
5. Keychain is a huge advantage on the Mac, but definitely use a strong password. I advise one that is over 15 characters to defeat the behind-the-scenes LANMAN hashing that takes place on Macs that provide windows fileshares.
6. Turn on Filevault home directory encryption. As strong as your password x 128-bit AES. Make a strong master password and put it in an envelope and place it with your secret papers (tell your partner/lawyer/boss/spouse where it is, as appropriate).  I've been using FileVault under Tiger for over a year. My home directory has survived crashes and forced reboots (yah, they happen on Macs) on both Intel & PPC architectures.

If you have a tip, shoot it in using our contact form and I'll post them here throughout the day.

Cheers!

g

 

0 Comments

Published: 2007-10-17

The future of security, trust and e-commerce

I wrote a little "bloggish" article for a site called "Thinkernet"; see www.internetevolution.com. The site is not as hard-core security and technical as ISC, but if you like it or dislike it, let me know.

 

 

0 Comments

Published: 2007-10-17

ICE Update

For those of you that saw my diary on Sunday regarding the ICE Exercise that I participated in while attending the SANS Security 2007 Conference in Las Vegas, I have some new info to share.  Our friends at pauldotcom - www.pauldotcom.com/ recorded the event and have condensed the recordings into a 35 minute audio presentation giving the highlights.  I have listened to the recording and I can tell you as a participant it brings back lots of memories of the event and my team mates. If you have some spare time and want some laughs, give it a listen.

The audio link is at:

www.pauldotcom.com/2007/10/08/pauldotcom_security_weekly_ice.html

For those of you that missed the original posting you can read the whole story at:

isc.sans.org/diary.html

Once again I want to thank Paul Asadoorian and his team from pauldotcom and all of the sponsors and participants for a tremendous experience.

0 Comments

Published: 2007-10-17

Cyber Security Awareness Tip #17 - Windows XP & Vista Security

[welcome our new handler, Mari Kirby Nichols! JBU]

One of the first ways to start a security discussion is with physical security.  Yes, I know this is a technical forum, but really, is the system secure physically?  Make sure the location can be secured.  Utilize some type of locking mechanism to keep the machine safe.  This may be a cable lock for a laptop computer or a lock on the CPU case.  This is a pretty basic rule, but surprisingly many people forget this essential component of cyber security.  One of the ways to increase your information security effort is to combine your program with the physical security department.  Have you met with them and pooled your resources?  Are you able to obtain audit logs of physical access as easily as you are able to pull up an event log? 

Second, remember to configure the administrator password.  Most likely the system will come with no administrator password, or a default password common to many systems.  Before you go ahead, think about a good password.  A good password is long and uses a diverse set of characters, numbers and special characters (~!@#$%^&*()_).  One approach to a good password is a pass-phrase.  A pass-phrase is a short, easy to remember sentence. No worries, it’s easy.  Just think of a phrase that is on your mind like: 

No hurricanes for Norfolk!
Your password could be:   (Nh4ORF!)
See, the first N is capitalized, lower case h for hurricanes, a numeral 4 = “for”, ORF is the airport code for Norfolk and a special character exclamation mark.

Here are some other ideas I like:

Use a food or product you like, then modify it.  Like Roast Beef
Your password would be:  (R0@s1b33f)

Use a thing, like a USB Device
Your password would be:  usbdevice (uSBd3^1ce)

It’s easy to come up with a complex though easy to remember pass phrase. If you need help remembering your password, just write down a word (hint) that reminds you of the phrase, NOT the password.  Next, don’t forget to write down your administrator password and keep it in a safe place (for example a safe, safety deposit box or store it in a sealed envelope with a friend or relative).  It makes sense to keep one copy of the password in your safe and another copy off site.
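A policy check for the two derivation styles shown above, added here as an example (it is not code from the diary): it tries to undo the common character substitutions and looks the result up in a wordlist, so a "modified word" derivation such as R0@s1b33f or uSBd3^1ce is recognised as the word it came from, while the first-letters-of-a-sentence style (Nh4ORF!) has no word to collapse to. The substitution table, the wordlist and the minimum length are constructed assumptions.

```python
"""Check whether a password is a character-substituted dictionary word.

Added example, not from the diary. SUBSTITUTIONS, WORDLIST and the
length minimum are constructed; the sample passwords are the diary's.
"""
import itertools
import string

# Each stand-in character maps to every letter it is commonly used for.
# The diary's own examples use "1" for "t", so "1" gets several options.
SUBSTITUTIONS = {
    "0": "o", "1": "ilt", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "^": "v",
}

# Constructed wordlist; a real check would load a large dictionary.
WORDLIST = {"roastbeef", "roast", "beef", "usbdevice", "usb", "device",
            "password", "norfolk", "hurricane"}

MAX_CANDIDATES = 10_000   # guard against exponential expansion of long inputs


def expansions(password):
    """Yield every lower-case plain form the password could be a
    substitution of, e.g. R0@s1b33f -> roasibeef, roaslbeef, roastbeef."""
    choices = [SUBSTITUTIONS.get(ch, ch) for ch in password.lower()]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def dictionary_base(password):
    """Return the wordlist word (or two-word concatenation) the password
    collapses to, or None if no expansion matches."""
    for n, cand in enumerate(expansions(password)):
        if n >= MAX_CANDIDATES:
            break
        if cand in WORDLIST:
            return cand
        # Two glued words ("roast" + "beef") count as dictionary-based too.
        for i in range(1, len(cand)):
            if cand[:i] in WORDLIST and cand[i:] in WORDLIST:
                return cand
    return None


def check_password(password, min_len=8):
    """Return (ok, reason). min_len is a constructed policy value."""
    if len(password) < min_len:
        return False, "too short"
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        return False, "needs at least three character classes"
    base = dictionary_base(password)
    if base is not None:
        return False, f"substitution of dictionary word '{base}'"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("Nh4ORF!", "R0@s1b33f", "uSBd3^1ce"):
        print(pw, check_password(pw))
```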

While we are on the subject of the administrator account, let’s discuss the idea of having two accounts.  While you may need an administrator account to accomplish loading software and making updates, do you really need administrator access to write e-mail and surf?  No.  So make yourself a regular account without administrator access and use it as your “normal day-to-day” account.  Only use your administrator account to accomplish administrative duties.

Well, now that I have droned on about pass phrases and administrative accounts, let's get on to XP and Vista specific tips.  We would like to hear from you warriors out there in MS land, especially for Vista.  E-mail your tips here and we will keep posting them here all day.
 


XP Tips from one of our Canadian readers:

-install latest patches, and enable Windows Update
-disable file and print sharing, disable DCOM
-turn off several Windows services
-use autoruns and msconfig to disable more stuff
-disable extension hiding and file sharing in Explorer
-secure IE, then install and use Firefox & noscript plugin
-install a firewall (PCTools Firewall Plus, or Comodo)
-install antivirus, antispyware, and Security Task Manager
-install a new hosts file (MVPS, accs-net, yoyo) to block ads and malicious sites
-create and always use an unprivileged account
-if my kids will be using the computer, then I use Microsoft's SRP (Software Restriction Policies)

Vista Tip from Boris:

  • Don't turn off UAC (User Access Control).  It's annoying, sure, but isn't your data and your machine worth that little bit of hassle?

0 Comments

Published: 2007-10-16

Cyber Security Awareness Tip #16: Protecting Portable Media

Today's topic is a bit of an extension of yesterday's "protecting laptops" tip. Derek wrote in saying:

"I actively teach my users to put nothing on portable media that contains anything that would meet our criteria for sensitive data. If it is sensitive, it should always be stored on a secure device with access controls in place. In the cases where someone MUST carry sensitive data on portable devices, I advise them to use a flash drive like IronKey, or use TrueCrypt to create a virtual volume, or to encrypt the device itself."

I have used the "Ironkey" mentioned in his note. It is a USB stick designed with security in mind. The user has the option to "escrow" the password with the manufacturer. Of course, you can also just write it down. But the device will self destruct after the password has been entered wrong 10 times.

Back to the topic. One particularly difficult task is off site backups. The SANS Newsbites newsletter is littered with reports of backup tapes getting lost. Some commercial backup solutions now include encryption. One challenge with backup tapes is the fast obsolescence of backup hardware; proprietary encryption schemes will only make it harder to recover older backups. But it's a valid solution if you need to protect backup tapes. Of course, many organizations are now moving to network based off site disk-to-disk backups. In this case, you can control physical security at each end point and protect the tunnel in between using some sort of encrypted VPN.

Tape backups are usually performed by trained admins. Portable drives are a different challenge. I have had hard drives fail on the road. Traveling with two laptops saved the day. But having a second hard drive handy is nice as well, and lighter. There are now a number of commercial solutions with biometrics or other built-in security features. You have to check, however, whether the biometrics can be bypassed just by removing the hard drive from its enclosure. The data on the drive should be encrypted.

Other than that, a lot of the solutions mentioned in our prior diary apply to portable media as well. TrueCrypt, dm_crypt, BitLocker and Knox are just some of the technologies. Fortunately, these portable devices are usually not boot drives, which makes encryption easier. Over the last few years, this has become a very competitive commercial market with many options to choose from. If you evaluate a solution, think about how you can recover a misplaced password. Is there a master password or key escrow option to recover data after an employee leaves? Is *all* the data encrypted? And don't forget Derek's advice: If you don't need it on the road, don't take it on the road.

Scooter wrote in with these points to consider as you evaluate a disk encryption product:

  • Can a solution audit and record the serial number of any USB device plugged into a managed system?
  • Is there an audit trail of what data moved to the drive?
  • Does it require local admin rights to use (encrypt/decrypt)?
  • Can you restrict/authorize access by device/system/user?
  • Is it centrally administered so you can revoke access for violating policy?
  • Does it generate alerts for strange behavior? (Why is this device being plugged into systems all over the company?)
  • How does it handle "disk" based portable media (since it is not recognized as removable media by Windows)?
  • Can the solution restrict running of executables from the portable media?
  • Does the encrypted content expire if not reauthorized within a certain time period?

Any comments? Ideas? Please use our contact page.

 

 

0 Comments

Published: 2007-10-15

Updated Daily Sources Feed

I updated and cleaned up our "daily sources" feed a bit. This feed is created around 4am GMT daily, and includes a summary of all the source IPs for which we received reports the prior day.

You can retrieve the feed at http[s]://isc.sans.org/feeds/daily_sources.

The link is not click-able for a reason: it's 70 MBytes (varies from day to day of course). I recommend a tool like curl/wget to download it once a day. It's usually created around 4am GMT, so pull it at 4:30-5:30am GMT to get it "fresh and warm".

It's a plain tab-delimited ASCII file. Comments (e.g. header/footer) are indicated by a '#' as the first character. The columns are:

- IP Address (we use our "sortable" 0 padded format... 10.1.100.10 -> 010.001.100.010 ).
- target port.
- protocol.
- reports (each "packet" counts as one report).
- targets (each distinct target IP reporting this particular source IP / port combination counts as one).
- first seen: the time (UTC) of the first packet we received for this source/port.
- last seen: the time (UTC) for the last packet we received for this source/port.

NOTE! This is not a "blocklist". It needs further processing to be used as such. The data is distributed under a "Creative Commons Share Alike" license. You may use it for non-commercial use for free as long as you attribute DShield or the SANS Internet Storm Center as the source of the data. We always like to hear how our data is used.
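The "further processing" the note above asks for, as an added example (not ISC code): a parser for the tab-delimited format with its '#' comment lines and zero-padded sortable IPs, followed by per-source aggregation with explicit thresholds on reporting targets and distinct ports, and removal of private/reserved ranges that can only come from a submitter's own misconfiguration. The sample records, the timestamp format (the diary does not specify one, so it is kept as an opaque string), the threshold values and the bogon list are constructed assumptions; the sample uses RFC 5737 documentation addresses plus the diary's own 10.1.100.10.

```python
"""Parse the ISC/DShield daily sources feed and derive a candidate list.

Added example, not ISC code. Column order and the zero-padded IP form are
from the diary; SAMPLE_FEED, the timestamp format, the thresholds and
BOGONS are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: '#' lines are comments, fields are tab-separated.
SAMPLE_FEED = "\n".join([
    "# DShield daily sources, constructed sample",
    "# ip\ttargetport\tprotocol\treports\ttargets\tfirstseen\tlastseen",
    "192.000.002.010\t22\t6\t5400\t320\t2007-10-14 00:01:12\t2007-10-14 23:58:40",
    "192.000.002.010\t445\t6\t120\t40\t2007-10-14 03:10:00\t2007-10-14 22:00:00",
    "198.051.100.007\t1434\t17\t3\t1\t2007-10-14 11:00:00\t2007-10-14 11:00:01",
    "010.001.100.010\t80\t6\t9000\t500\t2007-10-14 00:00:00\t2007-10-14 23:59:59",
    "203.000.113.099\t3389\t6\t800\t150\t2007-10-14 05:00:00\t2007-10-14 20:00:00",
    "malformed line that must be skipped",
    "# end",
])

# Ranges a legitimate Internet source cannot fall in (constructed, minimal list).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass
class SourceRecord:
    ip: str          # normalised dotted quad, e.g. "10.1.100.10"
    port: int
    protocol: int
    reports: int
    targets: int
    first_seen: str  # left as text: the feed's timestamp format is not given
    last_seen: str


def normalise_ip(padded):
    """Convert the feed's sortable form 010.001.100.010 to 10.1.100.10."""
    return ".".join(str(int(octet)) for octet in padded.split("."))


def parse_feed(text):
    """Return the well-formed data rows of a feed; comments and bad rows are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # header/footer comment
        fields = line.split("\t")
        if len(fields) != 7:
            continue                       # malformed row: skip, never guess
        try:
            ip = normalise_ip(fields[0])
            ipaddress.IPv4Address(ip)      # reject anything that is not IPv4
            records.append(SourceRecord(ip, int(fields[1]), int(fields[2]),
                                        int(fields[3]), int(fields[4]),
                                        fields[5], fields[6]))
        except ValueError:
            continue
    return records


def is_bogon(ip):
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in BOGONS)


def candidate_sources(records, min_targets=100, min_ports=1):
    """Aggregate per source IP across all ports and keep only sources seen by
    at least min_targets distinct reporters and on at least min_ports ports.
    Returns {ip: {"targets": n, "reports": n, "ports": [...]}}."""
    agg = defaultdict(lambda: {"targets": 0, "reports": 0, "ports": set()})
    for r in records:
        a = agg[r.ip]
        a["targets"] += r.targets
        a["reports"] += r.reports
        a["ports"].add(r.port)
    result = {}
    for ip, a in agg.items():
        if is_bogon(ip):
            continue
        if a["targets"] >= min_targets and len(a["ports"]) >= min_ports:
            result[ip] = {"targets": a["targets"], "reports": a["reports"],
                          "ports": sorted(a["ports"])}
    return result


if __name__ == "__main__":
    for ip, info in candidate_sources(parse_feed(SAMPLE_FEED)).items():
        print(ip, info)
```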

 

 

 

0 Comments

Published: 2007-10-15

Cyber Security Awareness Tip #15: Protecting Laptops

Laptops have made our life much easier. We can now work when we want to, and where we want to – and do a better job. However, INFOSEC practitioners also suffer a bit due to that same advantage. Laptops are much more likely to leave company premises, and are relatively expensive and as such an interesting object for thieves. While the cost of a laptop fleet is significant to organizations, what we are most worried about is the data contained on them.

There are several issues related to laptop security:

  • Physical protection of the device;
  • Maintaining control over the networks it connects to;
  • Preventing malicious code from being introduced in other settings than the “protected office”;
  • Preventing leakage of data despite the higher risk of theft.

The risk posed to a laptop can also differ significantly based on location. For example, suppose you use full disk encryption. When you are logged in, such encryption is of little value. In the average American/European environment, we use full disk encryption as a means to guard the data on our device when it is ‘out of sight’. While we are watching the laptop, all data is relatively safe. Is this also valid for our oil executive travelling to Nigeria?

I’m looking forward to all your ideas, suggestions and comments, and will update the diary continuously when they arrive! Write to us here.

Boris wrote in how he avoids having any data at all on the endpoint. They are inherently prone to theft, and by enabling a connection to the home base and uploading work data there, one can maximally reduce risk of data theft on the endpoint. While this is not possible in all locations (try getting your oil exec a stable connection in Port Harcourt, for example), the increasing availability of internet is making this more of a reality for many companies.

0 Comments

Published: 2007-10-14

Cyber Security Awareness Tip #14: Data Encryption

Today’s Security Tip of the Day deals with a subject that is pretty abstract to most people.  Cryptography is referred to as the science of secret writing. This is not a new concept that came about with the development of the Internet.  Cryptography has been around for hundreds of years dating back to the days of the pyramids and the Ancient Egyptians. Today we use the concept introduced by them to develop a safe, secure method of communicating, exchanging and validating data between computer systems. 

Whether it is very sensitive information that needs to be transmitted via an email, online financial or banking transactions, or any other data that you would rather not have the whole world knowing about, encryption can help you protect the data.  When email, data, etc is transmitted via the Internet with no encryption, it is possible that someone could eavesdrop and intercept the communication.  Good encryption assures that the data remains intact and maintains the confidentiality, integrity, authentication and non-repudiation of the data received.

There are 3 general types of crypto algorithms:

  • Secret Key – symmetric, single-key (1-key) encryption
  • Public Key – asymmetric, dual-key (2-key) encryption
  • Hash – one-way transformation with no key

There are many different methods of data cryptography and a variety of vendors providing encryption software.  All of the encryption programs perform two distinct operations: Encryption, encoding the data in such a way as to conceal the information and Decryption, the process of transforming the data back to its original form. 

There are advantages and disadvantages to each and differing opinions of which is best and when each should be used, but most everyone agrees that encryption plays a crucial role in data protection.  And in most environments today you will see a mixture of algorithms in use.  Each situation has its own set of requirements.  In today’s world all Security Administrators and users need to be conscious of the significance of the data they are dealing with and the need to secure that data.  

Tell us what you think.  What, if anything, is your company doing?  If you have a good program you are using, let us know.

 

Update: 

A couple of responses that we received regarding encryption provide good insight into the use of Encryption. Here they are in part:

 

Email 1

From Lyal: Not all are right in every situation. We typically find our clients choose 2 or 3 of the above methods, just to ease deployment and ensure compatibility.

It doesn't look like open source crypto tools (and there are some good ones) are oriented towards server protection - they all operate in user land, or are oriented to personal key management, not dual control, split knowledge etc.  If they adopted StrongKey or similar, it'd be much easier in the corporate world.

Email2

From a reader that does not want their name published:

I look forward to seeing what comes of the proposed discussion about which crypto, SecKey/PubKey/Hash is "best."  

Me thinks the answer is none...  But that's only one dweeb's vote.  

What matters more to me is the context in which crypto is being used to protect data.  

When crypto is used there are several necessary bases that also need to be covered:  

1)  for data "on disk"
 - strong user authentication
   (for the obvious reasons, but also for granular,
   role-based access to encrypted assets
 - full disk encryption  
   (strong FDE means you can Secure Delete by good key
   management and delete-by-destruction of keys, rather
   than resorting to DoD overwrites -- which isn't Good
   Enough for Top Secret or better;  more and more caches
   are being implemented as encrypted stores, with
   decryption occurring only as data moves into "volatile
   memory")
 - folder/file encryption  
   (for granular, role-based access to sensitive/regulated
   assets on otherwise encrypted disks/partitions)
 - never store passwords on the devices to be protected
 - never store keys in-the-clear (store hashed keys,
   if they have to be stored on-device)  

2)  for data "in motion"
 - two-way authentication and two-way encryption on the
   "wire"  
   ideally with unique *client* and "server" certificates
 - don't use known-to-be broken encryption (SSL1/2)

Most sensitive/proprietary/regulated data will require both sets of protection.  What useful data that resides on disk is not accessed over some kind of network as part of production???...  Almost none.  Yet both bases are rarely covered.  

Take away any one of these elements and the crypto effort will not be for much more than naught.  

 ...  

Gartner has recently begun beating the drum that FDE, alone, Ain't Good Enough.  This after thoroughly trouncing F/FBE-only, for years, for inadequately protecting data.  

It takes both forms of "at-rest" crypto to significantly mitigate risks of data loss/leakage.  

Crypto also has to be *relatively painless* for the end-user to live/work with, otherwise there will be devastation from pilot error.  Single sign-on, and, for the vast majority, integration with Windows Active Directory, will have to play a role in easing some of the burden on end users.  

There is some cool stuff from Seagate (Momentus) and Wave Systems for integrating HW-based, managed FDE with Windows Authentication.  It's even cooler when there's TPM 1.2 to mash/mesh with.  I'm not the only one who thinks this stuff is good -- it's being fast-tracked for "Federal"-use approval, outside of FIPS.  

There's also some interesting use of crypto in VMware's ACE2, which isn't your mammy's or pappy's ACE1, that integrates slickly with Windows AD -- if you're thinking about leveraging managed desktop clients.  

 ...  

Hashes bring up another problem...  

Has anyone figured out how to write "good" ones?  

The big problem with today's hashing algorithms are hash collisions.  It's an elephant in the room that most InfoSec practitioners simply ignore.  

 ...  

TLS1.0/SSL3 is undergoing thorough analysis and attack.  
I keep hearing about side-band attacks, etc. that are *almost* there, in terms of what White Hats know.  

What do we have waiting in the wings for when TLS1 is broken???...  

That day is coming...  and I, for one, don't know...  

0 Comments

Published: 2007-10-14

SANS Security Conference 2007 and ICE ICE Baby

What a time I had in Las Vegas, outstanding.  I had the pleasure of attending my first SANS conference and meeting some of my fellow Handlers in the flesh.  All I can say is that neither SANS nor the “boys” disappointed me.  My extreme thanks to Dr Eric Cole for an incredible educational experience.  I took the SANS Essentials Bootcamp and let me just tell you, this is about as action packed a class as I have ever taken.  After returning home it took me several days to “wring this sponge” that I call my brain and begin to assimilate what I had learned.  Now I have turned my thoughts to studying so that I can take the test and make it official.

The culmination of this awesome week came on Friday night and Saturday morning.  A group of attendees signed on for the first ever Integrated Cyber Exercise (ICE).  I have to say without a doubt that this was one of the most valuable “exercises” that I have ever participated in.  There were about 20 “players” in the game.  I was on the Defenders team (the Blue Team) and what a terrific team it was.  Among the team were Chris Hoke, Jeff Tchang, Amy Hagerman, Glenn "Blue 6" Larratt as well as some that wanted to remain anonymous.  Our job was to defend our little network against the “bad guys” that were attempting to attack us and break into our computers.  Our computers included Linux and Windows based OS, both servers and workstations. The players for the attack team were Joseph Bagdon, Brandon Greenwood, and some individuals that prefer to remain anonymous.  And of course we defenders had the deck stacked against us because the attackers (the Red Team) had a little help from some pretty powerful friends, namely my fearless instructor Dr Eric Cole, Tim Rosenburg from Whitewolf Security, the folks from F5 and Core Technologies.  The attackers used some pretty sophisticated tools to snoop on our network and figure out where our vulnerabilities lay, and then unleash their evil on our network.

I have to say, my team – the Blue Team – did a fantastic job.  We were limited in the tools that we could use.  Basically the only tools we were allowed to use were the ones offered by default by the OS manufacturer. We were not allowed to install any patches or updates from the manufacturer and had no access to the Internet to download anything.  We could not plug in our thumb drives, use CD ROMs, or any other extras.  And yet my awesome team was able to stave off our attackers within just a couple of hours.  We were feeling really proud of ourselves. Then the other shoe dropped.  We had to leave the room to attend a “meeting” with management.  While we were out everything we had done was undone, and a bunch of programs, holes and such were installed on our machines.  We were in big trouble; they had us dead to rights.  I for one was a little irritated….  We had worked so hard and they got in anyway.  They had done a lot of damage and left a real mess behind.  By Saturday morning they had completely taken us over and we were done.

When I returned home, I started thinking about the exercise and what it really had taught me.  At first I felt that it was really unfair that they were able to come in and undo all that we had put in place to keep them out. They were allowed inside our network to do their dastardly deeds.   However, is that not what actually happens in the real world?  Just one user doing one stupid thing can open the door and undo everything that you have done to secure your network. And once the bad guys get in, it may be too late; it may take days to find them and lock them out again. This exercise led me to realize that this was just the tip of the iceberg and in the real world the frustration level will be much worse.

Some comments from other attendees:

Brandon Greenwood - I really enjoyed my experience as a part of the Red Cell and the ICE Games.  This was one of the most well put together exercises that I have been a part of.  From working directly with Eric Cole for the length of the games, the impromptu visit from some of the top SANS instructors, to being able to get some shop talk in with Tim Rosenberg and the White Wolf Security team, I think allowed everyone to really take something positive away from the games and it made for an interesting time.  I plan on being back next year in either role as it was a positive experience.

Tim Rosenburg, Whitewolf Security - We consider the event a success and are working on ways to make it more spectator friendly.  We'd like to thank all who made it possible including SANS, F5, Core, Paul Asadoorian and of course the players.  We are looking forward to a bigger and better game next year and will incorporate VOIP and RFID and some more tricks up our sleeve.


I want to echo Tim and thank all of those who participated.  To Whitewolf Security, F5, SANS Institute -  Stephen Northcutt, Eric Cole,  Core and Pauldotcom, I want to give my heartfelt thanks for a tremendous experience. I highly recommend that all Computer Security personnel attend this event and I look forward to participating again in the future.

0 Comments

Published: 2007-10-13

Cyber Security Awareness Tip #13: Patches and Updates

When I first started thinking about how to approach this topic, my mind instantly went to the technical side such as centralized patch management and staggered deployments etc. It would be very easy to present a checklist of do's and don'ts pertaining to updates and patching. However, when you think about it, the "non-technical" side is just as important. 

Consider this statement made by Robert Conquest in his book called "Reflections on a Ravaged Century": 

"What does not need to be done needs not to be done - though, of course, there are things that need to be done, and situations so dangerous that quick and major action is required. But it is not enough to show that a situation is bad; it is also necessary to be reasonably certain that the problem has been properly described, fairly certain that the proposed remedy will improve it, and virtually certain that it will not make it worse."

Patching and updating is an area that can cause a massive flurry of activity and chaos, especially when there is a dangerous unpatched exploit waiting to take advantage of unsuspecting users (which seems to be an all too regular occurrence these days). The usual reaction is to protect the network and systems, which usually equates to "we needed those systems patched yesterday!!!!" (This also doesn't help to foster a "one big happy family" atmosphere between the security team and all the SAs, since the SAs are usually the ones having to drop what they are doing to apply "security's" patches.) However, as stated above, you have to be certain that your actions will not make a bad situation worse. I bet if I took a poll, everyone reading this has experienced systems that have reacted badly to a patch or an update. It may have even been something as simple as a bad virus signature update. Having a procedure in place that provides a methodical process for patching AND change management (though not the direct topic of this conversation, it is very intertwined) will help keep things organized and in control when you really want to run from the room screaming like Chicken Little. You have to have a method to ensure that your attempts to prevent a disaster don't create one in the short term or the long term. 

I'd really like to hear from some folks who have implemented good processes for patching as well as change management related to those patches and updates. If anyone has implemented ITIL, or perhaps some portion of it, or maybe you have achieved your ISO20000 certification, please share what you have found worked and didn't work when it came to a methodical approach to patching and updating. For anyone wondering if the "non-technical" side really matters, please take a few minutes and read "The Visible OPS Handbook". Being someone who has kept her head buried in the technical side, it was an eye opening read for me.

Please don't get me wrong, I will be happy to include discussion on the technical side if folks would like to send it in. If you have found a great method or solution for central patching, or maybe have tips for deploying multiple patches to a large, geographically dispersed organization, etc., please send them in!!   My main goal is not just to focus on the technical side of patching, but to emphasize the equal importance of having controls and processes in place before changes are made.

To quote Robert Conquest again:

"We must keep a balance, and not allow these to get out of hand and take over. They must be our servants, and not our masters. In fact, as in all our arrangements, we must once again seek a balance."

0 Comments

Published: 2007-10-13

OpenSSL bulletin

The OpenSSL folks have just issued an advisory affecting DTLS in OpenSSL 0.9.8 prior to 0.9.8f and SSL_get_shared_ciphers() in both 0.9.8 prior to 0.9.8f and 0.9.7 prior to 0.9.7m.  DTLS is a UDP version of TLS described in RFC 4347.

Recommendations: If you are running 0.9.8 and can't upgrade to 0.9.8f immediately, you should disable DTLS.  If you are running 0.9.7 and can't upgrade to 0.9.7m, don't use the SSL_get_shared_ciphers() routine.

Advisory: http://www.openssl.org/news/secadv_20071012.txt

CVE entries: CVE-2007-4995, CVE-2007-5135

0 Comments

Published: 2007-10-12

Cyber Security Awareness Tip #12: Managing and Understanding Logs on the Desktop or Laptop (AV, Firewall, or System Logs)

Today is day 12 of Cyber Awareness month. Today's topic is managing and understanding logs on the laptop or desktop.  I'm working on a few thoughts of my own and I'll add them to this story later in the day, but I figured I'd post this early in the shift to solicit thoughts from our readers.  Use the contact form to let us know your thoughts.  Which logs are on the laptops and desktops in your organization and how do you use them?

0 Comments

Published: 2007-10-11

Tip of the day: File System Backups

As this is Cyber Security Awareness Month, let's discuss the topic of the day: File System Backups. 

Backups are one of the staples of the operations teams that is oft overlooked and even more often underrated.  Backup and recovery are essential to the organization's IT health.  That very statement should resound with our audience with a big DUH!  But through the years of consulting, I have been shocked at how little attention and operational practice is put towards proper backup and recovery.

First of all, imho, file system backups are for data, not OS/Applications.  The two are different in my books because so often we run into the problem of recovering a compromised system from compromised backups.

Second: As more organizations move to virtual infrastructures, which some refer to as *gasp* applistructure, backup and recovery of systems becomes almost trivial.  Anyone familiar with VMware ESX/Infrastructure and even Workstation sees the benefits of exporting virtual disks and bringing clones back online.

Given that it's "Cyber Security Awareness Month" and this is the Internet Storm Center, I shouldn't have to beat the message of "thou shalt backup your systems properly" down your throats.

Tip #1: Back it up or lose it forever.

We have all been there and done that when it comes to losing files on a system when it dies, because we were not as diligent as we should have been in regards to backups.

Tip #2: Test your recovery procedures at least once per quarter

As a consultant, I have walked into a data center and asked if all the systems are properly backed up.  When the client says yes, I ask if they mind if we test the recovery procedure (as part of the scope of engagement of course).  They often get very squirrelly at that point.  Point is, you have to know that recovery is going to work, because you never know when you are going to need it.

Many of us in the industry were pleasantly surprised when more financial data was not lost during 9/11.  Financial organizations are required to have proper offsite backup/replication processes in place, and what do you know... they did!

Tip #3: Ensure that your backup software (agent and server) is properly patched

All one has to do is look at Metasploit's exploit list to see that backup software has had a rough couple of years.  Why go after each individual server when we can go after the backup server and the storage device.  At the ISC and at Intelguardians we have seen hundreds of large organizations get pwn3d via backup software.

Tip #4: Protect your backup tapes

On many occasions while visiting client data centers I encounter this bizarre situation:

Biometric cages to get access to systems, armed guards, firewalls, laser beams (well, no laser beams but it sounded cool) all protecting client systems.  Then, on the loading dock of the data center, a box with tapes labeled "For Iron Mountain" or similar.

Just think of what happened back in 2002:

Backup tapes stolen from group digitizing military medical records.

Backup tapes stolen from Japanese company van that was creating national ID cards.

Backup tapes stolen from a military shipment going through international customs.

All of these incidents happened within 2 months of each other.  Were they related... who the heck knows.  Point is, protect your backup tapes as if they were the actual systems they came from.

TTFN,

Mike Poor, Handler on Duty, Intelguardians, Inc

0 Comments

Published: 2007-10-10

How to authenticate customers on the phone?

A recent question on the GIAC-Alumni mailing list asked about the mechanisms financial institutions use to authenticate customers calling on the phone. I wanted to pose the question to the wider audience of ISC readers, in case we can summarize some of the best practices regarding this challenge. What have you observed? If you set up such a system, what are some of the recommendations you'd make to other financial institutions based on your experience?

Many organizations use "mother's maiden name" as the standard phone password, combined with additional questions about the caller's address, phone numbers, and perhaps the last four digits of the social security number.  Unfortunately, such personal details are not difficult for the scammers to obtain. Some organizations assign a phone PIN; in this case, they still need to develop procedures for situations when the caller forgets the PIN.

I recently called my financial institution without specifying the PIN. They asked me to answer a multiple choice quiz of 4 questions. The quiz was based on data from my credit profile, and inquired about transactions or company names from my profile that had nothing to do with the institution I was calling. A common alternative is to ask about recent transactions the customer had with that institution; this works particularly well with accounts that have a high volume of transactions.

I am not sure how I feel about the credit profile-based method of authentication: On the one hand, an impostor would not know those answers without seeing the victim's credit profile. On the other hand, it's not too difficult for an impostor to get the credit profile.

I am also concerned about internal fraud: how could the financial institution's employee misuse the information he or she is using to authenticate the caller? I like the idea of being prompted for recent transactions with the organization. That information has a built-in expiration date (it will not matter much a few months from now), while personal information such as a social security number and date of birth will not expire.

Financial websites are beginning to ask personal questions of an unusual nature, such as "What's your father's uncle's name?" or "What car does your best friend drive?" or "What's your favorite spice to cook with?" It's nice that they are moving beyond the standard "mother's maiden name" question, but now I wonder how long until the customer's details get leaked and someone builds a profile on the customer that includes information not only about his relatives' names, but also about his cooking preferences and his friends' possessions. What an attractive target for scammers such a profile would be!

If you can share with us caller authentication mechanisms that have worked particularly well or badly for you, tell us.

-- Lenny

Lenny Zeltser
Security Consulting - SAVVIS, Inc.
www.zeltser.com

0 Comments

Published: 2007-10-10

Cyber Security Awareness Tip #10: Authentication Mechanisms

In the spirit of October being the Cyber Security Awareness Month, we have been sharing tips for educating end-users on important security issues. Today's topic is the practices we can discuss with end-users regarding authentication mechanisms.

When it comes to authentication from the perspective of end-users, passwords are usually the primary area of concern. How to select them? How to use them? How to store them? I like the tips that Microsoft published, and recommend reviewing them. Here are a few additional pointers.

Selecting a Good Password

Make sure the end-users recognize how good the attackers are at guessing passwords for remote access if the passwords use common words or patterns (password, iloveyou, 123abc, and so on). If the user is asked to select a secret word or phrase for password recovery, that question or answer should be difficult to guess as well; an attacker will not take long to figure out an answer to the question "What's my favorite season?" (We touched upon this in an earlier diary.)

My favorite mechanism for selecting passwords that are difficult to guess, but are easy to remember, involves picking a sentence that is familiar to me, and using parts of the words from that sentence as my password. It helps to add complexity to the resulting word or phrase by mixing capitalization and adding punctuation.

Also: Long passwords are good for security, but they are a pain to type. Offer your end-users some guidance for how long is long enough. The consensus seems to be that a password shorter than 8 characters is not advisable.

Using Passwords

Educate your end-users about the dangers of using logon credentials carelessly. The biggest challenges are logging into services without an encrypted channel (e.g., no HTTPS; only HTTP) and not knowing the authenticity of the system that's asking for the credentials (e.g., lack of a valid SSL certificate, and the issues exploited by phishers). Offer concrete tips for establishing when it is "safe" to log on to the system or a website, and when it is not. For example, it's not safe to type a password for accessing a sensitive website when:

  • You are surrounded by people who may be looking over your shoulder.
  • The website's SSL certificate does not validate properly (this one is tough to explain to non-techies).
  • There is no "https" in front of the website's address.
  • You are uncertain whether the system from which you're logging on is trustworthy.

Educate the end-users about the importance of periodically changing passwords, and about not reusing passwords across different types of systems. For instance, the user should not use the same password for a personal webmail account as for the corporate domain account.

Finally, explain why it is a bad idea to share logon credentials with other users. This violates the accountability principle that is at the heart of many security and anti-fraud initiatives. It may also make the person sharing the credentials responsible for the misdeeds of another person.

Storing Passwords

The biggest question is whether it's OK to write down the passwords. Writing them on a post-it note and pasting the note to the monitor or the bottom of the keyboard is a big no-no. (Thanks, Leandro, for pointing this out to us.) But how about placing the note into the wallet? Bruce Schneier blogged on this a couple of years ago:

"Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet."

I am concerned that wallets are a target of theft, particularly in crowded urban environments. I recommend using a password storage program, such as KeePass. KeePass is available for multiple operating systems, and even runs on mobile devices, so the users can keep the passwords with them at all times while having them protected with a single (and carefully chosen) master password. Forcing people not to write down their passwords is asking for trouble, considering the number of passwords the end-users need to track.

Do you have tips to share regarding authentication mechanisms for end-users? Drop us a note.

-- Lenny


Lenny Zeltser
Security Consulting - SAVVIS, Inc.
www.zeltser.com

0 Comments

Published: 2007-10-10

Vishing, Skype, and VoIP-Based Fraud

The spring of 2005 brought us early reports of phishing activities conducted over the phone, rather than email. The victims received phone calls from a 727 number, with the caller asking for personal information regarding a student loan or a banking account. A year later we observed activities that involved automated VoIP systems, rather than humans speaking to the victims. WebSense referred to the practice as "vishing" when describing one such attack, and provided a recording of the attacker's VoIP system in action.

That was the last we've heard of such activities. Where have all the vishers gone? People tend to trust phone more than they do email, so I was expecting VoIP phishing to increase in popularity for targeted high-payoff scams. Perhaps traditional phishing has been so effective, that the attackers saw no need to invest in VoIP phishing schemes? (Let us know what you think.)

I was reminded of VoIP's role in fraud after seeing a report last month of phishing activities that targeted Skype users. This was a traditional, email-based phishing attack, but its goal was to hijack Skype accounts, which are capable of VoIP and other communications. What for?

It turns out that Skype phishers have been quite active in recent months.

The earliest report of the Skype scam mentioned above dates to May 2007. Another instance dates to June 2007. The most recent report I found dates to September 2007. The text of the message does not change despite the typo: "your skype account informations needs to be updated." I suppose the original message was sufficiently effective, and the attacker saw no need to tweak it. The destinations of the links embedded in the messages were changing, probably because the phishing sites were being disabled. The fraudulent websites presented the victims with a logon page that closely resembled that of the real Skype website, according to a screen shot captured by one of the messages' recipients. One of the victims didn't realize he was scammed until it was too late: he got locked out of his own Skype account.

Another phishing campaign for Skype accounts was seen in July 2007. Its messages began with the phrase "We have to notice that your account is suspended because Skype major Terms are being changed" and pointed the victims to a Skype copycat website that looked like the real thing.

In April and May 2007 there were reports of Skype phishing websites written in Simplified Chinese at domains such as www.skypve.com, according to one of the reports I found on Skype forums. CISRT translated the fraudulent site, explaining that the site lured its victims with a promise of a prize.

So Skype accounts are being phished. Why? ISC handlers and I had a lively discussion on the topic. The consensus was that email fraud can be significantly enhanced, from the scammers' perspective, with the addition of voice:

According to Internet Crime Complaint Center (IC3), "Internet auction fraud was by far the most reported offense, comprising 44.9% of referred complaints." Email was the most popular mechanism by which the fraudulent contact took place. The scammers may be looking to enhance their abilities to defraud auction participants with voice communications, particularly for high payoff deals. (Remember the synergies between the auctions and voice, which eBay touted when acquiring Skype for $2.6 billion? It's a bit like that.)

The IC3 report describes an investigation into a Romanian crime ring that targeted eBay users, often by contacting the individuals who lost an auction with a second chance offer. "Victims then wired money one of the defendants who posed as the seller or the seller’s agent." Providing a US-based phone number to the victim would add an air of legitimacy to the transaction; a hijacked Skype account can help with this.

Skype offers a level of anonymity that regular phone doesn't, making it particularly difficult to trace the origin of the call. Perhaps it's not surprising that at least one report describes a Nigerian-style scam where the victim was urged to contact the scammer via Skype in August 2007: "I am Naushad Asif Kermalli, a Banker here in U. A. E. I believe it is the wish of God for me to come across you on Skype now." Quite likely, the scammer was using a Skype account that was hijacked.

Furthermore, let's not forget that Skype offers powerful IM functionality, in addition to voice. Attackers may use hijacked Skype accounts for spamming victims via chat messages. This may be particularly useful for seeding automated infection campaigns, such as the Skype worm that was reported in April 2007.

Finally, a hijacked Skype account may have resale value, not only to someone conducting the fraudulent activities described above, but also to someone interested in making free phone calls. Strangely, we have come full circle, fusing phishing with phreaking, the term from which "phishing" probably derived its name.

What are your thoughts on the Skype phishing activities outlined above? Let us know.

-- Lenny

Lenny Zeltser
Security Consulting - SAVVIS, Inc.
www.zeltser.com

0 Comments

Published: 2007-10-09

Deobfuscating javascript

Obfuscated javascript is something you run into as soon as you start to look at suspicious websites.

Marco wrote in to suggest an approach, with code, that uses JavaScript itself to redirect the eval() and document.write() calls we might want to replace with a less action-minded alert(). Obfuscated scripts often contain self-referencing code that makes the de-obfuscation fail if you touch the code itself, which is why overriding the functions is preferable to editing the script.

eval:

/*override eval*/
function eval(st){
  alert(st);
}
/*original code goes below*/

Similarly for document.write(), add the following before the obfuscated script:

/*override document.write*/
document.write=function(st){
  alert(st);
}
/*original code goes below*/

Do take care when playing with potentially malicious javascript that the attacker didn't change alert() to do something else ... so always walk through it all and do this on an expendable machine.

--
Swa Frantzen -- NET2S

0 Comments

Published: 2007-10-09

Storm - the paper

Some interesting analysis about "Storm" from SRI International:

http://www.cyber-ta.org/pubs/StormWorm/

--
Swa Frantzen -- NET2S

0 Comments

Published: 2007-10-09

October Black Tuesday overview

Overview of the October 2007 Microsoft patches and their status. For each bulletin: the issue, the affected software, CVE and KB references, known exploits, the Microsoft rating, and the ISC rating (*) for clients and servers. No contra-indications were listed for any of these bulletins.

MS07-055: An input validation failure allows remote code execution.
  Affected: Windows - Kodak image viewer
  References: CVE-2007-2217, KB 923810
  Known exploits: No publicly known exploits
  Microsoft rating: Critical
  ISC rating: clients Critical, servers Important

MS07-056: Input validation failure in the NNTP protocol allows remote code execution. Updates MS06-076.
  Affected: Outlook Express and Windows Mail (Vista)
  References: CVE-2007-3897, KB 941202
  Known exploits: No publicly known exploits
  Microsoft rating: Critical
  ISC rating: clients Critical, servers Important

MS07-057: Memory corruption in Internet Explorer leads to remote code execution. Multiple address bar spoofing vulnerabilities. Cumulative patch for IE, replaces MS07-045.
  Affected: MSIE
  References: CVE-2007-3893, CVE-2007-3892, CVE-2007-1091, CVE-2007-3826, KB 939653
  Known exploits: Some vulnerabilities have been publicly known since February 22nd 2007.
  Microsoft rating: Critical
  ISC rating: clients Critical, servers Important

MS07-058: NTLMSSP authentication can be abused to cause the RPC service to stop in a way that also prevents the system from restarting the service. Replaces MS06-031 (information leak).
  Affected: Windows RPC
  References: CVE-2007-2228, KB 933729
  Known exploits: No publicly known exploits
  Microsoft rating: Important
  ISC rating: clients Important, servers Important

MS07-059: XSS issues on the SharePoint server cause elevation of privilege problems on the server itself and information leaks on the client connecting to such a server.
  Affected: SharePoint
  References: CVE-2007-2581, KB 942017
  Known exploits: Publicly known exploit since May 4th 2007.
  Microsoft rating: Important
  ISC rating: clients Less urgent(**), servers Important(**)

MS07-060: Input validation problem allows remote code execution with the rights of the logged-on user.
  Affected: Word
  References: CVE-2007-3899, KB 942695
  Known exploits: Abused in targeted exploits
  Microsoft rating: Critical
  ISC rating: clients Critical, servers Important


We will update issues on this page as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): Typical for XSS issues: it's mostly important for the client, but the actual problem is on the server. The risk is mainly linked to the data to be protected and it can vary wildly depending on the organization and its needs.

--
Swa Frantzen -- NET2S

0 Comments

Published: 2007-10-09

Adobe mailto vulnerability

On October 5th, Adobe confirmed the vulnerability we reported on September 20th.

While there is no patch available yet, there is a workaround available and slowly some details about the vulnerability are being made public as well. So applying the workaround might be very wise:

[quoting Adobe]
Acrobat:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\8.0\FeatureLockDown\cDefaultLaunchURLPerms

Reader:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\8.0\FeatureLockDown\cDefaultLaunchURLPerms

If tSchemePerms is set as follows:
version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|
disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:2|file:2

To disable mailto, modify tSchemePerms by setting the mailto value to 3:
version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|
disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:3|file:2

While at it, sign up for the adobe vulnerability alerts.

--
Swa Frantzen -- NET2S


0 Comments

Published: 2007-10-09

Cyber Security Awareness Tip #9: Access Controls, Including Wireless, Modems, VPNs, and Physical Access

This topic is wide enough to write at least half a dozen books on the subject, so let's focus on those things you know to work that are a bit out of the ordinary.

Please send your tips regarding access control awareness towards end-users here.

--
Swa Frantzen -- NET2S

0 Comments

Published: 2007-10-09

Follow the Bouncing Malware: Columbus Day

[This FTBM is created in honor of Columbus day, celebrated in the US on October 8th]


“I Know India Is Around Here SOMEWHERE”


Joe Sixpack leaned back in his chair and glared at the photo of his son sitting on his desk.  It was nearing midnight, and Joe had spent the last several hours building a model depicting the landing of Christopher Columbus’ ship, the Niña.  Earlier tonight, at dinner, Joe junior had announced that he needed a diorama for school in the morning.  

Admittedly, it wasn’t Joe’s best work, but he was on a deadline.  He had scavenged through Junior’s toy chest and had made do with what he could find.  The brown paint didn’t completely cover up the red plastic on the toy pirate boat, and you could still see the outline of the skull and crossbones underneath the name “Niña,” hastily scrawled in black Sharpie marker.  He felt, however, that the action scene that he had created with Junior’s plastic Indian figurines more than made up for the poorly disguised boat.  There was a slight scale issue (the Indians on horseback, surrounding Columbus’ men – who were dressed remarkably like cowboys and WWII combat soldiers – were about as tall as the boat) but if you squinted your eyes up just right, it looked pretty good.  The centerpiece of the work, Columbus reared up on horseback, six-shooter blaring, single-handedly gunning down several bloodthirsty savages, would at least get Junior a “B.”  Besides, he wasn’t going to go crazy trying to get everything perfect – Junior needed to learn that leaving his assignments until the last minute had consequences.

Joe turned his attention to the worksheet that accompanied the diorama assignment.  It was full of questions about names and dates and it appeared as though Junior had made a half-hearted attempt at answering them.  One question was left blank:

“How were the ships Columbus used constructed?”

Joe was pretty sure he knew the answer, but he decided to take the matter to a higher authority.  He reached over and tapped on the keyboard of his trusty computer, watching as the monitor slowly came to life.

At the dentist’s office, the week before, Joe had been stuck reading some science magazine to pass the time (it was that, or several back issues of Cosmo, which, despite the sexy, half-dressed model on the cover, weren’t all that interesting to actually read).  In the “geeky/computer” section of the science magazine he had found a description of some techniques to get better search results out of Google.  The article had been somewhat interesting and he thought that now would be a good time to try out the stuff that he could remember.  

He was interested in finding out “information”, and he remembered that you could restrict your Google search in some way that had something to do with “domains”.  Since the search results that he was looking for were “information”, he would use the “.info” domain.  He was interested in the construction of Columbus’ ships, specifically the fasteners used to hold them together, so he used the first two words that popped into his head.  His search term string looked like this:

“site:.info nina screw”

The search results that he got back didn’t seem to be all that much better than when he didn’t put that “site” stuff in there.  In fact, they seemed to be more than a little “off topic.”  He couldn’t help but chuckle to himself as he looked at his search string… what had he been thinking?

Then again, thought Joe, perhaps he would take a little voyage of discovery of his own.

Two hours later, Joe was in a quandary.  There was a “Video ActiveX Object Error” sitting in the middle of his screen, and he didn’t know how to get rid of it.

“Your browser cannot display this video file,” it proclaimed, and went on to tell him, “You need to download new version of Video ActiveX Object to play this video file.”  Below that, it said, “Click Continue to download and install ActiveX Object.”  

Before all this pop-up nonsense began, Joe had been hoping to see some VERY active X, but this was just annoying.  If he clicked “Cancel,” another box popped up, this time from Internet Explorer telling him that his browser couldn’t play the video and telling him to “Click ‘OK’ to download and install missing Video ActiveX object.”  If he clicked “Cancel” on that box, another window opened saying “Please install new version of Video ActiveX Object” and only offering him the option of clicking “OK”.  Clicking “OK” took him back to the previous screen.  Around and around he went.

Joe was so frustrated and angry that he finally decided to just click “OK” and install the software.  Internet Explorer popped up a warning screen, telling him that some files could harm his computer, but then again, it did that when he downloaded things from other places too.  Besides, he was running antivirus software… at least he thought he was.  He couldn’t remember if he’d re-enabled it the last time some program had told him that he should disable it while installing… but he was pretty sure he had.  He clicked on “Open” and held his breath.

A “License Agreement” popped up on his screen.  He glanced through it quickly… reaffirmed his decision that law school would’ve been a bad idea, and clicked on “Install.”

Several things appeared to happen all at once.  Windows opened and closed, and finally, when things settled down, a new, shiny, slick-looking window opened on the middle of his screen.

“AntiVirGear v.3.8,” the window declared.  “Warning! 4 threats found!”

What had started out as a voyage of discovery had ended up with Joe washed up on some strange foreign shore.

It was going to be a long, long night.
 

Land Ho!

(or, more politically-correctly: Land Lady-of-the-Evening!)

According to the history books, Columbus, before he moved to the great state of Ohio and set up shop as a state capital, sailed the ocean blue in fourteen hundred ninety two, with the lofty goal of finding an ocean passage to India.  

As it turned out, he missed by a long shot.

Like most really big screw-ups, Columbus blundered his way through life so incredibly self assured that even when he’d obviously made a mistake of historic proportion he just… well… went with it.  Rather than admit that he fell awfully dang short of his intended goal, he decided to go ahead and drop names on things to try to convince the folks back home that he knew exactly what he was doing.  Thus, the “West Indies” were born. (Which, to be entirely correct should have been called the “Waaaaaaay West Indies”.)
 
Five hundred and a few years later, much like Chris, Joe Sixpack found himself in the middle of a mess-up of his own making and decided to simply bowl ahead as though he knew it would all work out just fine in the end.

Today, we’ll only take a look at the single most obvious portion of Joe’s misadventure. But, like that whole “Native American / Indian” debacle that Columbus left for us to straighten out, Joe’s expedition into the unknown has some long-term ramifications that we’ll discuss in a later installment.

But for now, let’s see what Joe’s carelessness has wrought.  In the course of clicking his way around the globe, Joe encountered a new and interesting download: a “Video ActiveX object” from the fine folks at “kimsoftware.com” who, based on the wording of their License Agreement, apparently like to go by the rather off-putting nickname “Licensor.”  It also seems that “Licensor” has a bit of an inferiority complex and something of a “thing” for self-deprecation… but we’ll get into that in a minute.

One result of installing this “Video ActiveX object” is a cascading download and installation of several files onto Joe’s machine, one of the most interesting of which goes by the name AntiVirGear3.8.exe.  

Weighing in at 3,262,914 tasty bytes it’s dropped onto Joe’s desktop machine like a wet sail hitting the deck of a ship. After grinding the hard drive for some period of time, it suddenly pops up a message saying that it has found four indications that Joe’s machine is infected with “Win32.Trojan.Click.Spywad.b”

The program then offers to “clean” the infection … for a fee.  You see, the “unregistered” version of AntiVirGear will only TELL you about the infections on your machine.  If you want to get rid of the infections, then you need to shell out fifty bucks to the folks at antivirgear.com

Not that I have anything against people wanting to make a buck… but in the past, I’ve investigated other “antivirus” programs that “found” malware even on a fresh install of Windows.  Those programs also would only remove the “found” items for a fee.  Could this be the same scam?

Through the magic of virtual machines and snapshots, I was able to return to the moment before all of the downloading and installing on Joe’s machine began.  Having extracted AntiVirGear3.8.exe from the downloaded traffic, I moved it back in time (so to speak) and installed it on Joe’s machine BEFORE Joe said “yes” to installing the big bundle o’fun from the kimsoftware.com/Licensor folks.

What did it find?  Nothing!  AntiVirGear didn’t find anything bad on the clean version of Joe’s machine.

Hmmm…. That’s strange.

Let’s recap for a moment:  you’re a software developer that markets your wares under the brand “kimsoftware.com”… so let’s assume (for the sake of argument) that you’re a young, blond, 23-year-old named Megan.

No… no… wait…

Kim.  

Let’s say your name is Kim.

So… you create cutting edge software…. perhaps something like a “Video ActiveX object.”  You obviously have a bit of trouble with the English language and a penchant for porn.  Perhaps you failed out of law school, or are dating someone who did.  That might explain your twisted need to be called things like “Licensor” and the almost brutally lengthy “License Agreement” that you bundle with your “Video ActiveX object.”

So far, so good.  You’re a little strange, perhaps “quirky”, but you still fall somewhere within the big center portion of that bell curve we like to call “normal.”

But then it all comes crashing down.  

Kim, Kim, Kim…  Where did it go wrong?

What happened?  What drove you to the pits of self-loathing in which you obviously now seethe?  What inner daemons have driven you to the depths of depraved self-deprecation? How is it that you could possibly bundle a piece of software with your “Video ActiveX object” that would… dare I say it?... brand the child of your keyboard, the fruit of your software loins… as a virus?

Oh, the humanity.

Dear readers, pity poor, poor Kim.

Or… perhaps there might be another explanation.  Perhaps Kim has a cunning, almost evil plan.  What if there was some way that Kim might benefit if unsuspecting denizens of the Internet were to be convinced to register AntiVirGear?  What if there was some sort of “system” where Kim would make money every time a version of AntiVirGear that she installed got registered?

But how could a system like that ever exist?  For one thing, it would take someone at AntiVirGear willfully ignoring the obvious potential for abuse that such a system would create.  For another, you would have to have someone so completely morally bankrupt that they would purposefully infect someone else’s computer for their own financial gain.  How could such people possibly exist?

Sheesh… the next thing you’ll be telling me that the earth is round.

 ------------------------------------------------------------------

Tom Liston - Handler on Duty - Intelguardians

 

0 Comments

Published: 2007-10-08

Cyber Security Awareness Tip #8: Anti-Virus, Anti-Spyware, and Other Protective Software

Perhaps the single most important line of defense available for your computer today is a good, up-to-date anti-virus program.  Anyone who uses a computer in this day and age without adequate anti-virus protection enabled is simply asking for disaster to strike.

Anti-spyware software works to do much the same stuff as anti-virus software, but it targets a different class of malicious code – malware with a business model.

Together, these programs fall into a class that, for the remainder of this diary entry, we’ll refer to as “anti-malware”.

While anti-malware vendors go to great lengths to try to differentiate their products, touting various tests that prove that their software is the best, when dealing with typical end-users, I tend toward a rather more pragmatic selection method:

Choose an anti-malware program that you’ll use.  Choose something that you understand and that you feel comfortable with.  Choose a program that you can figure out how to keep updated.  Don’t worry about anything else: just choose something you’ll use.

Because, you see, these anti-malware programs create a sort of software Maginot Line to keep the bad stuff off of your computer.  If you choose software that someone else thinks is best, and you can’t figure out how to use it, then best or not, it won’t do you any good.

All anti-malware tools suffer from neglect.  New malicious software is created every single day, and in order to be able to recognize these new programs, anti-malware software needs a constant supply of “signatures” – information that helps it recognize the bad stuff.

That’s why, more important than any or all of the features that anti-malware vendors want to sell, being able to actually use and update your anti-malware program is the most important feature of all.

0 Comments

Published: 2007-10-08

TOTALLY OT! Happy Thanksgiving Canada!

Cheers from the great white north Canuckistan, on the
day of our Thanksgiving. Tryptophan? What's that?
Does it mix well with beer?
ZZZzzzzzz........

Cheers,

Adrien

0 Comments

Published: 2007-10-08

Dirty O.W.!

One of my all-time favorite movies is the 1965 classic, "A Thousand Clowns" starring Jason Robards as the unforgettable Murray Burns. Murray is a rather unconventional character, and the film's plot revolves around his struggles with a child welfare department threat to remove his twelve-year old nephew Nick from his custody unless he "conforms" to what they consider to be an appropriate role model for the young man.  Nick is Murray's sister's child, born out-of-wedlock and thus referred to (by a social worker) as an "O.W." child.  One of the best lines in the movie is when Murray calls one of the child welfare workers "a dirty O.W.".

The point of all of this?  Well, I have a quick "quiz" for our loyal readership.  No prizes beyond a shot at ISC Handler's Diary glory: The first person who correctly answers will be have their name or initials enshrined here and can thus use that ISC mention to claim all of the rights and honors they so richly deserve.  In perpetuity.

Here we go:

The other day, I was at a client site, setting up and locking down a Solaris 10 box.  In the process of doing that, I needed to move some scripts that I had written on my Linux laptop over to the Solaris machine.  When I popped my USB key into the Solaris box, it was auto-recognized and appeared on the desktop.  I immediately (and erroneously it turns out...) accused my friend, colleague, and fellow ISC Handler, Ed Skoudis of being "a dirty O.W."

Why?

UPDATE 1: Since the answers I've received so far have been somewhat disappointing (to say the least...) here's Hint #1: There is a very specific reason that I chose Ed Skoudis as the target of my accusation.  Normally, I blame the ISO Standard Scapegoat, Mike Poor, for pretty much anything that goes wrong/bad/viral with a computer.

UPDATE 2: Arrrgh!  You guys are really disappointing me.  Hint #2: Perhaps my accusation might have something to do with the default name assigned to the device...

UPDATE 3: We have a winner! Ok... so reader David Lesperon didn't get it EXACTLY right, but he was on the right track... Here's the skinny: I plugged my USB key into the machine and what name was assigned? /dsk/c0d0!  But the funky window manager attempted to remove what it assumed were "escaped" characters, and left it as: sk0d0! I immediately unplugged it from the Solaris machine and plugged it into my Linux laptop, mounted it, and saw that it was identified it as the normal "tliston" name I've assigned to the drive.  Pulled it from the Linux box and reinserted it in the Solaris machine and "sk0d0" returned.  Strange... very strange...

And to those who felt compelled to write in with the "obvious" answer, Ed is a very nice man.  You should be ashamed of yourselves...

0 Comments

Published: 2007-10-07

Cyber Security Awareness Tip #7: Host-Based Firewalls and Filtering

Host-Based Firewalls and Filtering

 

Increasingly I have seen host-based firewalls being brought up on the corporate radar in those arenas that have to deal with such things as VPNs, other remote computing solutions, and thus trojans, worms, and other auto-spreading malware.

 

Host-based firewalls are basically exactly what they sound like (excuse me for taking a step back for everyone's benefit): a firewall that resides on the HOST itself.  Your computer.  The machine you are using right now.  Whether it be Windows, OSX, *nix, or a *bsd variant, there is a firewall available for every OS, and every OS has one built in.  Some are better than others (in the interest of full disclosure, I am typing this on a PowerMac, which has a built in firewall, and one that needs a bit more tweaking).  As all firewalls should be (IMHO), the rule is "Deny All, Permit by Exception". 

 

When my parents or a friend asks me what kind of "free firewall" to install on their Windows machine, I usually go with "at least turn on the built in one! (Which is now on by default as of XPSP2)", and then if more assistance is needed I usually go with ZoneAlarm.  I'm not partial to any one firewall in particular, whichever gets the job done quickly and efficiently.  Basically I say all that to make this point:  host-based firewalls (especially for home users) are a great idea, they come in a lot of variants, and should be deployed.

 

Several years ago I was asked (along with several of my other co-workers at the time) to test various host-based firewall solutions on my work desktop.  I was stuck with Symantec's offering at the time (this was about 2001), and was not impressed.  I have not touched it since then, and have had no desire to.  The firewall was not centrally managed, as it was only a test, and the ability to block things like "port 445 to 10.0.1.5" was available.  I played "user" and what did I click?  "Accept"!   (You know the user I am talking about in your network that says "Oh, Gator Wallet!  Of course I'll accept".)  Guess what 10.0.1.5 was?   Domain Controller.  It let me block my Domain Controller!  Guess what happened the next time I wanted to log onto my machine?  You guessed it..  Nada.  (In all fairness, how was the firewall to know that that IP was our Domain Controller?  Yes, I am being sarcastic.)

So, obviously, with any security solution (like anti-virus), you'd need to have central management to keep "users" from doing things like what I did in my test.  Is it necessary for you to deploy firewalls in your corporate environment?  That's something that you need to assess by looking at your corporate landscape.  Do you have problems with worms?  Viruses?  Do you have perimeter security on your network?  Can you mitigate the threat?  How do you mitigate the threat?

 

I'm not making a case in either direction, simply saying that both avenues need to be explored and a decision made.  Does this help me do my job in a more efficient manner and generally make my life easier?

 

Filtering solutions (ex: Websense, etc) have a special place in my heart as well.  I had a bad experience in my previous job with a filtering solution, so I am biased to NOT being a fan.  But the same assessments as before need to be made.  Does this make my life easier?  Does this make it easier to do my job, as the security person?  Are you defending your networks against bad websites?  Or are you defending the corporation against your users?  Are you keeping people from doing their jobs, or are you keeping them doing their jobs?  (By keeping them on task).

 

Good Luck!

 

Joel Esler

http://handlers.sans.org/jesler

0 Comments

Published: 2007-10-06

Cyber Security Awareness Tip #6: Developing policies and Distribution

One of the cornerstones of security is policy and as much as most of us dislike writing them, without them we are all pretty much floundering around.  So today’s tips relate to developing and distributing policies. 

We’ll get the basics out of the way.  Why do we need policies?  Policies outline the do’s and don’ts for the organisation.  Staff and management both know where they stand in relation to important issues.  Policies also help modify behaviour: if people are surfing for porn, you put a policy in place to help modify that behaviour.

So what do we need?  These are a few of the “duh” points, but important nonetheless:

  • Make sure you have senior management support.
  • Write SMART policies. Specific, Measurable, Achievable, Realistic, Time based policies
  • Keep the audience in mind when writing policies. 
  • If it doesn’t have the word MUST in it maybe move it to a guideline or standard. Or in other words keep policies as policies, guidelines as guidelines and procedures as procedures.  You’ll only confuse the message if you mix them.
  • Make sure you have a compliance statement, people need to know what happens if the policy is not followed.
  • Make sure it is available to everyone
  • Regularly review the policy
  • Get legal to check them out.
  • Collaborate with stakeholders in developing the policy.
  • Make sure you cover items of specific risk in the organisation
  • Make sure the policy is in line with the corporate objectives and overall security posture
  • Get people to sign that they have read and understood the policies.
  • Reinforce the message regularly

After writing the policies you will need to make sure they are disseminated.  There have been plenty of examples over the years where people have been sacked and then re-instated because of weak policies, or policies that weren’t enforced or were enforced inconsistently.   The traditional methods are publishing on the intranet, as part of the induction process, document management systems, etc.  A good idea is to develop a quiz which must be taken by staff.  That way the lessons are reinforced and you have a register of who has read and understood the policy. 

So which policies do you need?  It depends on the organisation and whether you are working to standards like ISO/IEC 27001, or SOX, etc.  The basic ones I think you should consider are:

  • Information security policy
  • Acceptable usage policy (make sure you cover internet and email usage)
  • Remote access
  • Access control policy
  • Information Classification Policy

That’s a quick start to the day, send in tips for disseminating policies, reinforcing the message, some good practices and the bad. 

Cheers

 

Mark   H - Shearwater

 

0 Comments

Published: 2007-10-05

Cyber Security Awareness tips #5 - Social Engineering and Dumpster Diving Awareness

Welcome to day 5 of Cyber Security awareness month.  

You won’t find much argument in the security community that people are generally considered to be the weakest link.   White, grey and black hats take full advantage of this at times, to verify, test or exploit.   Phishing and SPAM are just two profit-making examples of social engineering and no doubt we can all come up with more or less embarrassing examples.  But what we really need to start thinking about is how we deal with this in the corporate environment as well as at home. 

Some tips:

  • Information classification – Classify your information, stipulate how things are to be handled and what can and can’t be talked about, copied, emailed and so on.   Once people become familiar with the classifications and follow the guidelines, you should find that loose lips no longer sink ships.
  • Policy –We all get those phone calls where someone asks about your servers, firewalls, etc.  Have a policy in place to outline who deals with those kinds of things.  A bit too obvious, but the sentence “don’t tell anyone your password” should also appear in your policy.
  • More Policy - make sure you cover disposal of things such as CDs/DVDs, hard disks etc.  Many a company or government department has been embarrassed in the press because of this.  (thanks Craig for the tip).
  • Get a shredder, preferably a cross cut one (might want to start thinking about one of these for at home as well)
  • Teach staff to challenge people they don’t recognise (politely of course).
  • Put up a poster next to doors, “check badges”, “Watch for tail gating”.
  • Provide Phishing education.
  • Teach people to pick up their printouts and faxes from the various stations
  • Don’t click on links (yep some people need to be reminded)
    • Just for fun (with permission of course) set up a targeted “SPAM” attack on your own organisation.  See how many people will click the link.
  • Have a dumpster auction.  Go down and collect some of the papers in your corporate dumpster (the one not used for secure shredding) and see what you can find.  Then publish the info (suitably anonymised).  You’d be amazed what you can find.
  • Watch for people who “just” want to fix a printer urgently. 

So plenty of room left for some of your tips, send them in and I’ll collate them at the end of the shift.

Might even include one or two “war” stories, but they have to be good.

 

Mark  - Shearwater

0 Comments

Published: 2007-10-04

Cyber Security Awareness Tip #4: Enabling the Road Warrior

Those pesky mobile users.

They are all too often the bane of security folks everywhere as they regularly seem to be system 0 for malware infections, tend to be administrative users on their systems more frequently, can go months (or years) at a time between office visits and of course, can never be without their systems as no laptop = no productivity and since many times they are the ones who sell the goods and provide the services that provide for our (or at least my) paycheck ...

So how to let them do what they need to do while making sure their system is secure as is the corporate network they VPN into?

Unless you have great policies including enforceable HR policies that make users accountable for their actions, and a defense in depth approach that ensures AV and patches are up to date and checked before connecting to the network, renamed administrative accounts, proper file system permissions etc... you are at some level at the mercy of the action(s) of your users.

If you find yourself short a few policies and technical controls, user education becomes key.

Message #1 - "With great power comes great responsibility".  Sure, it's kind of corny and maybe being a local admin on your own system isn't "great power" but you get the idea.  Educating your mobile users as to what is acceptable and allowed (policy or no policy) can bring a big return on a small investment assuming they actually do as you request.

because ...

Message #2 - "Just because you can, doesn't necessarily mean that you should."  Yes mister user, I know you're an admin on your machine.  Yes I understand you're experiencing poor performance but that doesn't mean you should uninstall your AV software, install every spyware remover, registry cleaner and any other widget guaranteed on some web page somewhere to do what you want.  For the record, you can format your hard drive.  I wouldn't suggest it though.  ;)

Of course many of us are mobile users and we would never do anything insecure, right?

So what are your tips and tricks for keeping your mobile workforce working and not bringing down the rest of the network?  If you have any good stories surrounding mobile users, send them in as well and we'll publish the best ones changing the names as needed to protect the innocent -and- the guilty.

-Christopher Carboni

 

Update #1:

Thanks to everyone who has written in so far.  Most of the tips sent in so far were technical tips centering around user management.  Creating regular users and then using various techniques (separate account, runas, scripting ...) to allow them to do things like set up network from hotels, change power settings ...

Dave summed up those tips and also offers a tip on keeping users accountable.

"Here are some things I've found useful regarding mobile users who insist on having admin access.

First create a policy of n strikes and you're out as admin on the system. If the user is running as admin and his machine is compromised as the result of some action that didn't have a defined business need (i.e. installing some new game they downloaded or cute screen saver or reading some electronic postcard, etc.) that's one strike. If it happens n times, they have their admin access revoked for a period of m months or weeks."

I think I'll try that one myself.  Thanks Dave! 

0 Comments

Published: 2007-10-03

Solaris Kernel memory leak in named pipes

There's a bug reported in the Solaris kernel's handling of named pipes.  An unchecked function parameter allows an attacker to use up large amounts of kernel memory.

More details about the vulnerability and patch can be found at the following:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=603
http://blogs.sun.com/security/entry/sun_alert_103061_security_vulnerability
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103061-1

0 Comments

Published: 2007-10-03

DHS "Spam" List

The US Department of Homeland Security sends out a daily Open Source Intelligence Report to a subscription list of hundreds, perhaps thousands of recipients.  This morning a reader replied to the list address with a request for a change and his note got re-sent to all of the list subscribers.  In the next hour or so, dozens of readers have replied, creating a mini-DDoS of sorts against the subscribers' inboxes.  This illustrates an important point - if you maintain a broadcast mailing list make sure that the address will not reflect email from sources other than the owner of the list.  Otherwise, you will become a training example for SANS.

While this is not a Cyber Security Awareness tip, it comes mighty close.

(DHS has been notified.)

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

Published: 2007-10-03

Cyber Security Awareness Tip #3: Getting the Boss Involved

Readers, October 3rd's topic for Cyber Security Awareness Month is "Getting the Boss Involved."  Let us know how you do it - what methods, techniques, ideas, or approaches have you used that work?  As most of us know, a good security awareness program will not work unless the leadership is involved.  So pass along your thoughts via our contact form and we'll post them as updates to this diary.

 

0 Comments

Published: 2007-10-02

Cyber Security Awareness Tip #2: Multimedia Tools, Online Training, and Useful Websites

Today marks Day 2 of Cyber Security Awareness month. Today's topic is off the agenda we compiled from over a hundred excellent submissions from readers.
Agenda: http://isc.sans.org/diary.html?storyid=3429

Multimedia Tools, Online Training, and Useful Websites

User education and awareness training requires creativity. There are a number of good sources for public materials and many sites end up tailoring their own.
This is a multi-part call for input. The first question would be what sources have you found most useful?
What public materials do you see lacking?
And for folks that create their own materials or awareness and training programs what have you found most useful to get points across?

Here's a few links to resources to get things started:
http://www.dhs.gov/xprevprot/programs/gc_1158611596104.shtm
http://www.educause.edu/7479
http://www.staysafeonline.info/

Sharing of URLs is helpful, but it would provide even more benefit to describe experiences using some of these sites and materials or providing feedback on what is lacking in this space.

Many schools have been providing computer security and cyber-ethics education starting at a young age. Maybe our kids can teach us cyber security after they reset the clock on the DVD player and get the wireless router working.

So send us your tips, stories, suggestions and we'll update this diary for Day2 of Cyber Security Awareness Month.

Update #1

 

Theresa sent us these suggestions:

The following are handy and can help the general user.  I had linked to some as additional resources on an organization's Intranet and for a security awareness program that has not yet gotten off the ground (can't say I haven't tried...)

1.  SiteAdvisor quizzes - spam and spyware.
http://www.siteadvisor.com/analysis/   (see quizzes links)

2.  Internet security advice from the RCMP (Canada, eh?)
http://www.rcmp-grc.gc.ca/qc/infos_gen/publications/cybercrime/sec_web_e.htm 

3.  Internet safety advice from the Government of Canada
http://www.safecanada.ca/topic_e.asp?category=3

 

4.  CNet news Personal security dashboard (okay, a little advanced for the general user)
http://www.news.com/2009-1009-6038680.html

 

0 Comments

Published: 2007-10-01

Anti Virus industry and VBScript/JavaScript detection

As almost all of our regular readers are aware, browser exploits are lately delivered heavily obfuscated. The main reason for this is, of course, to evade AV or IDS detection.

As the Anti Virus industry moved a step forward and improved detection of obfuscated exploits, the attackers started a trend of creating obfuscated exploits on the fly. I wrote about this before when I encountered dynamic JavaScript obfuscation (see http://isc.sans.org/diary.html?storyid=3219) – every time a client requested the web page containing the exploits, the server-side PHP script picked random variable names. In that case this caused the whole function to be different, since the script used the infamous arguments.callee() trick and so depended on the function body.

This time I stumbled upon dynamic VBScript obfuscation. The exploit wasn’t interesting at all (it was the old MS06-014 Internet Explorer (MDAC) Remote Code Execution exploit), but the server side script that was generating the VBScript code was indeed interesting.

The server side script basically did two things:

  • Randomly change all variable names
  • Randomly split strings into multiple concatenated smaller strings

Below you can see two results of this obfuscation:

      rub="Mic"+"r"+"o"+"s"+"oft"
      jleptfo="XML"+"H"+"TTP"
      set ugdd = CreateObject(rub & "." & jleptfo)
      gljxbkx = "G" & "E" & "T"
      dsoswt = ugdd.Open(gljxbkx,nmqqa,0)
      ugdd.Send()
      On Error Resume Next
      lpuvkay = ugdd.responseBody

--

      lwyfqe="Mi"+"cr"+"osof"+"t"
      pnqf="XM"+"L"+"H"+"TTP"
      set jbg = CreateObject(lwyfqe & "." & pnqf)
      qcr = "G" & "E" & "T"
      rjtp = jbg.Open(qcr,osjypz,0)
      jbg.Send()
      On Error Resume Next
      gwwtvo = jbg.responseBody

--

As this caught my attention, I decided to spend more time on this and see how AV programs are doing against this simple obfuscation.

First of all, detection of such exploits still seems to be in its early phases. Only 5 out of the 32 AV programs represented on VirusTotal were able to detect this file as malicious (and some of those 5 share scanning engines, so the real number is even lower!).

To be fair to the AV vendors, properly detecting obfuscated VBScript and JavaScript exploits is not a trivial thing. Since there are many ways to obfuscate, they can rely on signatures only for basic detection. To detect things like string splitting they would have to implement some kind of interpreter (or optimizer) that recognizes such constructs and reassembles the proper strings. This is one of the reasons why I was interested in how well they would cope with this obfuscation, so I did a little test.
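As an added illustration of that "interpreter (or optimizer)" idea (example code written for this diary, not taken from any AV product): a small Python normalizer that folds the split string literals, inlines the variables that hold a constant string and renames the remaining variables positionally, so that differently obfuscated copies of the same script collapse into one text and a signature can be matched against that text instead of the raw sample. The function names, the SIGNATURE value and the identifier heuristics are this example's own assumptions, tuned only to the constructs visible in the two samples above.

```python
import re

STR = r'"[^"]*"'
# two or more string literals joined by VBScript's + or & concatenation operators
CONCAT = re.compile(rf'{STR}(?:\s*[+&]\s*{STR})+')
# a bare identifier: not a member name (x.Open) and not a call (CreateObject(...))
IDENT = re.compile(r'(?<![\w.])[A-Za-z_]\w*\b(?!\s*\()')
ASSIGN = re.compile(r'^(set\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$', re.I)
KEYWORDS = {"set", "on", "error", "resume", "next", "nothing", "true", "false"}
SIGNATURE = 'CreateObject("Microsoft.XMLHTTP")'  # matched against normalized text only

def fold_literals(text):
    # rejoin split literals: "Mic"+"r"&"osoft" -> "Microsoft"
    join = lambda m: '"' + ''.join(p[1:-1] for p in re.findall(STR, m.group(0))) + '"'
    return CONCAT.sub(join, text)

def map_idents(text, fn):
    # apply fn to every bare identifier outside string literals (and squeeze whitespace there)
    chunks = re.split(f'({STR})', text)  # odd-indexed chunks are the literals, left untouched
    for i in range(0, len(chunks), 2):
        chunks[i] = re.sub(r'\s+', ' ', IDENT.sub(lambda m: fn(m.group(0)), chunks[i]))
    return ''.join(chunks)

def normalize(script):
    # canonical form: fold split strings, inline constant-string variables, rename the rest
    consts, names, out = {}, {}, []
    for line in filter(None, map(str.strip, script.splitlines())):
        # 1. substitute variables already known to be constants, then rejoin the pieces
        line = fold_literals(map_idents(line, lambda n: consts.get(n, n)))
        # 2. a plain assignment whose whole right side is now one literal is a constant
        m = ASSIGN.match(line)
        if m and not m.group(1) and re.fullmatch(STR, m.group(3)):
            consts[m.group(2)] = m.group(3)
            continue
        # 3. positional names for the variables that remain (a heuristic, not a VBScript parser)
        line = map_idents(line, lambda n: n if n.lower() in KEYWORDS
                          else names.setdefault(n, f"v{len(names) + 1}"))
        out.append(line)
    return "\n".join(out)

def is_suspicious(script):
    return SIGNATURE in normalize(script)

# the opening lines of the two samples quoted above, embedded here as test input
SAMPLE_A = '''rub="Mic"+"r"+"o"+"s"+"oft"
jleptfo="XML"+"H"+"TTP"
set ugdd = CreateObject(rub & "." & jleptfo)'''
SAMPLE_B = '''lwyfqe="Mi"+"cr"+"osof"+"t"
pnqf="XM"+"L"+"H"+"TTP"
set jbg = CreateObject(lwyfqe & "." & pnqf)'''
```

Both samples normalize to the single line set v1 = CreateObject("Microsoft.XMLHTTP"), which is why a signature on the normalized form survives the renaming and splitting while a signature on the raw bytes does not.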

I retrieved 100 samples of the same script (directly from the compromised server, so this is how it happens in the wild) and confirmed that all of them are functionally the same, but have different variable names and use the string obfuscation. And I was pleasantly surprised: all 5 programs detected 99 samples (only 1 was missed, by 2 products that share the same scanning engine).

From this little test it seemed like the AV vendors had good interpreters or had found a reliable signature. Unfortunately, my pleasant surprise didn’t last long. About 5 minutes later I found out that the signature wasn’t that reliable at all (except for this particular exploit): by modifying the exploit slightly (and I really mean slightly; the details will be sent only to the AV vendors if they request them) I was able to easily evade all 5 AV programs while the exploit functionality remained the same.

So, the conclusion after this test (which is really small and not representative of any AV program’s abilities) is that the cat and mouse game will continue for quite some time. As we are seeing more client-side exploits, I hope that the AV vendors are working on improving their detection in the background and that we’ll see some progress there soon.

--

Bojan

0 Comments

Published: 2007-10-01

Cyber Security Awareness Tip #1: Penetrating the “This Does Not Apply To Me” Attitude

As you are hopefully aware, October is Cyber Security Awareness Month. We will focus on one security awareness subject per day. Marc published the agenda at http://isc.sans.org/diary.html?storyid=3429, so let’s start with the first tip.

What are your tips for system administrators and others trying to get the word out to users? How did you get past the “This Does Not Apply To Me” attitude? Submit your ideas and stories here.

You might have heard this from your managers and CEOs multiple times: that they are not the target and that certain vulnerabilities don’t apply to them. An example of security not being taken personally hit the news a couple of days ago when Francis Ford Coppola’s laptop got stolen (http://www.nydailynews.com/gossip/2007/09/28/2007-09-28_francis_ford_coppolas_laptop_stolen.html). The laptop’s value in the whole story is negligible; the main issue is that it contained the script for his upcoming movie and that there was no backup (at least it appears so, since Coppola pleaded for the return of the laptop).

Alan M. sent us another real story:

“I was called to help remove a phishing site from an ISP's Apache server. It was not an easy offsite fix as the hacker was no script-kiddie and very actively fought from many countries' IPs to retain "his" server.
One digi-macho guy let the hacker have a major advantage over me...
I set up a new Linux machine offline to replace the bad server, then put it online on an unused address of the ISP. I ssh'ed into it. While I was working, I noticed something odd in an lsattr directory listing. I ran "who" and found another me on the machine as root. Time from my login until hacked: <10 minutes. The hacker was playing man in the middle.
I fired up Nessus and ran a scan on the ISP staff machines and found one was infected. I went to that computer and its user and found the ANTIVIRUS program removed from the machine. I asked why? The reply, "I don't keep anything important on this machine. It doesn't need to be Fort Knox. I can reformat it if it gets infected."
I had to explain to him that his machine wasn't "Fort Knox" but the hacker had stolen his machine and used it as a bulldozer to break into the ISP.
"Well I didn't know that could happen. I thought the viruses just sent spam."”

0 Comments