Diaries

Published: 2006-09-30

Yellow: WebViewFolderIcon setslice exploit spreading

History

On Friday the 29th (and for nearly all of our readers past their working day), we saw the WebViewFolderIcon setslice exploit spreading in the wild. We raise our Infocon to Yellow for 24 hours in order to increase awareness of the problem and call for action. Without further spectacular developments we will go back to Green after 24 hours. We will remind our readers on Monday.

This exploit started in the Month of Browser Bugs on July 18th as a denial of service; however, its author recently released a code-executing variant of it.

Reason for Yellow

The WebViewFolderIcon setslice exploit is becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes.

If you have not taken measures yet, please consider some emergency fixes to cover the weekend. The exploit is widely known, easy to recreate, and used on more and more websites. The risk of getting hit is increasing significantly, and those using the exploit are not the least dangerous of actors either. Some of the exploits are believed to be linked to CWS (CoolWebSearch), which is notoriously hard to remove.

Actions

We suggest the following actions (do them all: a layered approach will work when one of the measures fails):
  • Update your antivirus software, make sure your vendor has protection for it (*).
  • Install the following killbits (**):
{844F4806-E8A8-11d2-9652-00C04FC30871}
{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}

make sure you set both.
  • Consider asking your users to stop their usage of MSIE, we know it's hard to break an addiction, but you're using the most targeted browser in the world.
We are aware of 3rd party patches, but our recommendation is to use the killbits above.

References


(*): It's important to note the difference of your antivirus solutions detecting the exploitation itself (very rare) and detecting the payload of known exploits (common). Only the first will offer real protection against new threats.
(**): There are currently no reports of side effects on other applications when stopping this ActiveX control.



--
Swa Frantzen -- Section66

0 Comments

Published: 2006-09-30

SunJava 1.5.0_09 Released

One of our readers shared with us that SunJava 1.5.0_09 has been released. You can get it from:

Java Runtime Environment (JRE) 5.0 Update 9
Release Notes
Test your installation

Update: As of Sun Oct 1 09:00:00 EDT 2006, neither the locally-installed nor the on-line Java version tester seems to be aware of the 1.5.0_09 update. In one test, the on-line updater reported that 1.5_0_06 is the latest version. Also, Jim Manico reported that in his test, version 1.5_0_08 was reported as being up-to-date as well.



Perhaps the updater only detects major version changes? In this case, we saw no important security reason to rush with the 1.5_0_09 update. However, we hope that the update mechanism will work as advertised when an important security vulnerability needs to be patched.

(Original diary entry by Koon Tan; update by Lenny Zeltser)

0 Comments

Published: 2006-09-30

*WebViewFolderIcon ActiveX control exploit(s) in the wild

Rise and shine. This vulnerability is being actively exploited in the wild.

Here is some preliminary info from the folks who got the jump on this at Exploit Prevention Labs.
http://explabs.blogspot.com/2006/09/webviewfoldericon-setslice-exploit-in_30.html

Mitigation:
On the client side "killbits" can be used to unregister the vulnerable control
See http://isc.sans.org/diary.php?storyid=1742 for more details.

On the network side it might be worth considering taking control of hostname lookups on your network through a technique like blackhole-dns: http://www.bleedingsnort.com/blackhole-dns/
The exploit URLs mentioned in the explabs blog have so many IP addresses behind them that blocking by IP or netblock becomes an uphill battle.

Update: I realize this is an incomplete suggestion if the hostname is unknown. However there are legitimate reasons to not release the full URL of easily portable/unpatched exploits. I do think it is still worthwhile for sites to consider reviewing their DNS logs and considering options such as blackhole-dns. In this case you'd just have to blackhole *.biz if the hostname is unknown.

More Info:
Advisory from Microsoft
MoBB #18
OSVDB(27110)
CERT(VU753044)

Updates will be posted here as they become available.
If anyone has information to share please do so via the contact link: http://isc.sans.org/contact.php
and indicate whether the info should be kept private or not.

Update:
The exploit is detected as:
JS/Exploit-BO.gen  by McAfee
JS_PLOIT.BC by TrendMicro
Bloodhound.Exploit.83 by Symantec

Background info on malicious ActiveX controls and killbits

0 Comments

Published: 2006-09-29

Apple updates to 10.4.8 and Security Update 2006-006

Looks like it's time to click on the Apple in the top left of your screen, followed by "Software Update..." (or however you choose to update).

Lots of Updates today for Apple:

The entire iLife Suite gets an update.

Plus OSX goes from 10.4.7 to 10.4.8 and Security Update 2006-006 is bundled in too.  Let's take a look at what's in the update:

The 10.4.8 Update is recommended for all users and includes general operating system fixes, as well as specific fixes for the following applications and technologies:

- connecting to wireless networks using the EAP-FAST protocol
- Apple USB modem reliability
- using OpenType fonts in Microsoft Word
- compatibility with 3rd party USB hubs
- scanner performance
- RAW camera support
- printing documents with Asian language names
- performance of the Translation widget
- broadband network performance

Security Update 2006-006 says:

CFNetwork
CVE-ID: CVE-2006-4390
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: CFNetwork clients such as Safari may allow unauthenticated SSL sites to appear as authenticated

Flash Player
CVE-ID: CVE-2006-3311, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Playing Flash content may lead to arbitrary code execution

ImageIO
CVE-ID: CVE-2006-4391
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Viewing a maliciously-crafted JPEG2000 image may lead to an application crash or arbitrary code execution

Kernel
CVE-ID: CVE-2006-4392
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Local users may be able to run arbitrary code with raised privileges

LoginWindow
CVE-ID: CVE-2006-4397
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: After an unsuccessful attempt to log in to a network account, Kerberos tickets may be accessible to other local users

CVE-ID: CVE-2006-4393
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Kerberos tickets may be accessible to other local users if Fast User Switching is enabled

CVE-ID: CVE-2006-4394
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Network accounts may be able to bypass loginwindow service access controls

Preferences
CVE-ID: CVE-2006-4387
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: After removing an account's Admin privileges, the account may still manage WebObjects applications

QuickDraw Manager
CVE-ID: CVE-2006-4395
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Opening a malicious PICT image with certain applications may lead to an application crash or arbitrary code execution

SASL
CVE-ID: CVE-2006-1721
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Remote attackers may be able to cause an IMAP server denial of service

WebCore
CVE-ID: CVE-2006-3946
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Viewing a maliciously-crafted web page may lead to arbitrary code execution

Workgroup Manager
CVE-ID: CVE-2006-4399
Available for: Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Accounts in a NetInfo parent that appear to use ShadowHash passwords may still use crypt

Updates we are still waiting on from Apple:
php
SSL/SSH (those just came out, but still)


Read all about the update here.

0 Comments

Published: 2006-09-29

A Report from the Field

Kevin Shea wrote in to report:

Yesterday morning (9/27) when dropping off my son at school, I told his first grade teacher about the VML exploits and patch availability. She said she had computers at home and would call her husband to make sure they were patched.


When my significant other picked him up around 5:30, the teachers were all talking about how her husband checked and found out they were infected with one of the trojans. Their bank accounts had been drained, by electronic withdrawals and money transfers. Since it had occurred the day before, the bank (unknown) was able to reverse the transfers and replace the money in their accounts. They won't even bounce a check.

After receiving the report, I had a few questions and I received a prompt follow-up.  What the thieves did with the money was interesting.  Most of the funds were transferred out using one of those services where you can wire cash to people.  I'm not sure if these were wired to other accounts using the intermediary, or if people actually walked up to a counter to retrieve the funds.  They also used funds in this account to purchase background checks at certain people-search/information-broker companies.  Most likely this is an attempt to gather further identities in a way that won't tip off the broker.

Thanks for the report Kevin, study hard and get good grades next week at SANS Network Security in Las Vegas!  Don't poke your eye out with the antenna in SEC617


0 Comments

Published: 2006-09-28

Openssl patches ASN.1 flaw

Openssl released patched versions today to fix security flaws in the 0.9.7 and 0.9.8 branches of their code.  Read the full advisory here

You can test what version of Openssl you have by using the following command:

# openssl version

One thing to remember is that many distributions fail to follow the project's patching nomenclature, so refer to the distribution's openssl patch to test for vulnerability.

Mike Poor   ekim   #@#  intelguardians.com
Handler on Duty

0 Comments

Published: 2006-09-28

OpenSSH 4.4 (and 4.4p1) released

Version 4.4 (and 4.4p1) of OpenSSH was released yesterday.  Among other things, it fixed the vulnerability announced earlier this week (CVE-2006-4924) in the CRC compensation attack detector that allowed for a denial of service if using SSH protocol version 1 (which hopefully no one is using anymore anyway due to the other weaknesses in the protocol).

See http://www.openssh.com for more details.

0 Comments

Published: 2006-09-28

Setslice Killbit Apps

Well... here we are again...  seems like only last week, I was putting up killbit apps for "daxctle.ocx"... 

(and really, it was 10 days ago... sheesh, how time flies!)

Anyway, I've got two more for you, this time setting the killbits on a couple of versions of webvw.dll, and (as far as we can tell) shutting off access to the stuff that makes IE vulnerable to the "setslice" issue.  Note: we've tested these settings against the Metasploit project's test page, and they work.  Because MS hasn't released any information as of yet, we're sort of flying blind here...  However, that being said, the killbit method is great, because it is completely reversible.

There are two versions of the app, one a standard Windows program, the other a command-line version. 

The standard Windows app will tell you the status of the two killbits (ANDed together, for you programmer-types out there...) and give you the option to change them. (From SET to UN-SET, and vice versa...)

Standard Windows app: WEBVW.DLL_KillBit.exe - 2,560 bytes
MD5: f89b8896ed90f5387a57ed818294fe22

The command-line app will SET the killbits when run with no parameters, and UNSET them when run with any parameter (say "/r").  It will return 0 on success and 1 on failure.

Command line app: WEBVW.DLL_KillBit_cmd.exe - 3,548 bytes
MD5: ebc215850cd06b2de2d8e49428134271

Tom Liston - ISC Handler
Senior Security Consultant - Intelguardians
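For readers who would rather script this than run a binary, here is an added PowerShell example (not the handlers' WEBVW.DLL_KillBit tool, and not code from the original diary) that does what the two apps above describe: it reports the kill-bit status of the two WebViewFolderIcon CLSIDs from the Yellow diary ANDed together, sets or unsets both, then verifies and exits 0 on success or 1 on failure. It assumes the kill bit is the 0x400 flag in the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, and it needs an elevated prompt to write to HKLM.

```powershell
# Added example: check, set and verify the IE kill bit for the two CLSIDs named in
# the Yellow diary. Assumption: the kill bit is flag 0x400 in "Compatibility Flags".
param(
    [switch]$Unset   # run with -Unset to reverse, like the command-line app with "/r"
)

$KillBit = 0x400
$Base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$Clsids  = @(
    '{844F4806-E8A8-11d2-9652-00C04FC30871}',
    '{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}'
)

function Get-KillBitState {
    param([string]$Clsid)
    # True only if the key exists and the 0x400 flag is present in Compatibility Flags
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -eq $KillBit)
}

function Set-KillBitState {
    param([string]$Clsid, [bool]$Enable)
    # Preserve any other flags already set; only the 0x400 bit is touched
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    if ($Enable) { $new = $current -bor $KillBit } else { $new = $current -band (-bnot $KillBit) }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Status report ANDed across both CLSIDs, as the Windows app above does
$allSet = $true
foreach ($c in $Clsids) { $allSet = $allSet -and (Get-KillBitState $c) }
Write-Host ("Kill bits currently set on both controls: {0}" -f $allSet)

# Apply the requested state to both CLSIDs
foreach ($c in $Clsids) { Set-KillBitState -Clsid $c -Enable (-not $Unset) }

# Verify; 0 on success, 1 on failure, matching the command-line app's contract
$ok = $true
foreach ($c in $Clsids) { $ok = $ok -and ((Get-KillBitState $c) -eq (-not $Unset)) }
if ($ok) { exit 0 } else { exit 1 }
```

Run it as-is to set both bits, or with -Unset to reverse. One caveat: on 64-bit Windows the 32-bit Internet Explorer reads the Wow6432Node copy of the same key, which this script does not touch, so check both hives there.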

1 Comments

Published: 2006-09-28

MSIE: One patched, one pops up again (setslice)

If you remember the month of browser bugs series of exploits back in July, there was a denial of service there that appears to have code execution after all. Coincidence or not, it got publicly released after the out of cycle Microsoft patch for MSIE.

So: No, surfing with MSIE is still not safe.

References

Defenses

  • Use an alternate browser (yeah, we sound like a broken record). But diversity really helps make the bad guys' job harder.
  • Disable ActiveX (take care: windowsupdate needs it, so you need to trust those sites)
  • Set the killbit:
    {844F4806-E8A8-11d2-9652-00C04FC30871}
    [unconfirmed at this point it's the right killbit, so proceed with caution]
  • Keep antivirus signatures up to date.
  • Keep an eye out for a patch from Microsoft.
  • ...
--
Swa Frantzen -- Section 66

0 Comments

Published: 2006-09-28

Powerpoint, yet another new vulnerability

Microsoft confirms yet another powerpoint vulnerability that leads to code execution.

References

Detection

McAfee has a writeup of the exploit they detected against this vulnerability; it connects back to http:// mylostlove1 .6600 .org/[CENSORED], but variants of this will most likely connect to other places.

Affected

It seems all supported versions of Office are affected. It's interesting to note that Microsoft also lists the Apple versions of Office as vulnerable.

Delivery vectors are basically all means to get the file to you, including web, email, thumb drives, CDs, ...

Defenses

  • Do not open ... but we all know how easy it is to social engineer people into opening things anyway.
  • Use the PowerPoint Viewer 2003 (nah, not an option if you have a Mac).
  • Filter and/or quarantine powerpoint files at the perimeter (block powerpoint email attachments and powerpoint files fetched from the web), but it's not easy: such files have genuine uses, and the exploit does not necessarily need the ".ppt" file extension.
  • Keep antivirus signatures up to date.
  • Keep an eye out for a patch from Microsoft.
  • ...
If you do run into a sample we're interested in obtaining one (to add to our collection ;-) )

--
Swa Frantzen -- Section 66

0 Comments

Published: 2006-09-26

MS06-049 re-release

When Microsoft released the out-of-cycle patch for the VML exploit, they also re-released MS06-049 (again), which was responsible for causing corruption of compressed NTFS files on Windows 2000 systems.  You can find more info from Microsoft here.

0 Comments

Published: 2006-09-26

* VML Update Released

Microsoft has just released an update to address the VML (VGX) issue.

The update can currently be found on Microsoft Update and is titled
Security Update for Windows XP (KB925486)

This URL should point to the right place: http://go.microsoft.com/fwlink/?LinkID=73174 (not live as of 1:38PM EST)

It is recommended that the patch be applied immediately (after testing) unless a suitable mitigation strategy is in place.

Thanks to everyone that submitted analysis, news, samples, malicious website reports, etc

More info:
http://isc.sans.org/diary.php?storyid=1727

0 Comments

Published: 2006-09-26

Deja Vu - Request for W32.Pasobir Malware Sample

If any of ISC participants have a sample of W32.Pasobir we'd really appreciate a submission via our contact page.

Thanks!

**snip**
"Periodically checks for both fixed and removable drives starting with drive D: that are attached to the system and copies itself as the following file:

[DRIVE LETTER]:\sxs.exe

Creates the following file containing instructions to start the worm when the drive is attached to the system:

[DRIVE LETTER]:\autorun.inf"
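As an added example (not Symantec's description and not code from the original diary), here is a PowerShell check that walks every fixed or removable drive from D: upward looking for the two artifacts quoted above, an sxs.exe at the drive root and an autorun.inf that refers to it, and reports the MD5 of any sxs.exe it finds so the sample can be identified before submission. It is detection only and deletes nothing; the drive-type codes come from Win32_LogicalDisk.

```powershell
# Added example: look for the W32.Pasobir artifacts quoted above on every fixed or
# removable drive from D: upward. Detection only; nothing is removed.
function Get-FileMd5 {
    param([string]$Path)
    # MD5 via .NET so the script works on older PowerShell versions without Get-FileHash
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        return ([System.BitConverter]::ToString($md5.ComputeHash($bytes))) -replace '-', ''
    } finally { $md5.Clear() }
}

function Find-PasobirArtifacts {
    $findings = @()
    # DriveType 2 = removable, 3 = local fixed disk. Drive letters compare lexically,
    # so 'D:' and above skips the system drive, matching the description above.
    $drives = Get-WmiObject -Class Win32_LogicalDisk |
        Where-Object { ($_.DriveType -eq 2 -or $_.DriveType -eq 3) -and $_.DeviceID -ge 'D:' }

    foreach ($d in $drives) {
        $root = $d.DeviceID + '\'
        $exe  = Join-Path $root 'sxs.exe'
        $inf  = Join-Path $root 'autorun.inf'

        $exePresent = Test-Path -LiteralPath $exe
        $infRefersToExe = $false
        if (Test-Path -LiteralPath $inf) {
            # The description says autorun.inf carries the instruction to start the worm
            $infRefersToExe = [bool]((Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue) -match 'sxs\.exe')
        }

        if ($exePresent -or $infRefersToExe) {
            $hash = $null
            if ($exePresent) { $hash = Get-FileMd5 $exe }
            $findings += New-Object PSObject -Property @{
                Drive              = $d.DeviceID
                SxsExePresent      = $exePresent
                AutorunRefersToSxs = $infRefersToExe
                SxsExeMd5          = $hash
            }
        }
    }
    return ,$findings
}

$results = @(Find-PasobirArtifacts)
if ($results.Count -eq 0) {
    Write-Host 'No sxs.exe / autorun.inf pair found on drives D: and above'
} else {
    $results | Format-Table Drive, SxsExePresent, AutorunRefersToSxs, SxsExeMd5 -AutoSize
}
```

An autorun.inf alone at a drive root is common on legitimate media, which is why the script reports the two artifacts separately rather than alerting on either one by itself.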

0 Comments

Published: 2006-09-25

De-registering vgx.dll in an enterprise

The following is one experience in a global enterprise environment sent in by a reader.

=========

The following post is my experience with de-registering vgx.dll in a large, corporate and R&D environment with sites around the globe.

The purpose is to present our actions and findings.  I make no promises, guarantees, etc. that this will work for others. So please be sure to do your own testing and risk analysis.

All of that said ... I hope that my point of view helps to possibly aid others in their efforts to find an effective mitigation strategy for this vulnerability.

Since the early whisperings of exploits for the vulnerability, and then 'suggested' work-arounds, de-registration of the vgx.dll has been at the top of our list of possible mitigations.

Starting (very) early on Friday morning, and going through an 11 hour day, our InterOp team tested the effects of the de-registration on as many different system configurations as they could.  In the end they found no issues and supported this recommendation for mitigation.  Early Friday evening we put our plan in place and commenced with the de-registration of vgx.dll from all of our ~38,000 corporate and ~8,000 R&D systems.  By late evening 1/3 of our targets had the dll de-registered; there were no reported issues with business critical systems and applications, there were calls to the help desks and there were no issues from our R&D folks.

Two and a half days after putting the plan in place 98% of our systems have had the dll de-registered and things remain stable and quiet on all fronts.

There have been some reports of system slow-downs by employees but after investigation there were no clear linkages between the actions taken and the symptoms observed.  In most cases a simple reboot solved the problem.

We continue to monitor the situation as well as staying in contact with Microsoft to ensure that our environment remains stable and malware free.

=========

Thanks for sharing Eric.

Cheers,
Adrien de Beaupré
Cinnabar Networks/BSSI

0 Comments

Published: 2006-09-25

VML vuln being actively exploited

Messagelabs has reported that E-cards are being used as an attack vector, exploiting the VML vulnerability in MS Internet Explorer to download malware. There has been an upswing of web sites hosting the exploit, and of course downloading malware.

A reader wrote in after having seen a VML exploit and reviewing his firewall logs. The following web site URLs are deliberately munged and obfuscated until the site owners respond to emails and phone calls advising them of the problem; do not click on them using any web browser on a Microsoft platform.
The first site is
http:// www .allied(snipped) parts .com
The bottom of that page contains an iframe which loads:
http:// www .traffl(snipped) .info/out.php?s_id=1
Which goes and gets:
http://www .webmasters(snipped) .com/s_test/test/ vml_sp2_gamer .htm

Which contains the VML exploit. The fun doesn't stop there!
By now this system is thoroughly owned, and more malware follows.

vml_sp2_gamer.html pulls gamer.exe off the same site, which in turn grabs gamer1.exe and counter.exe and also reports successful infection to another URL, raff loads.info.  gamer1.exe is a password stealer that is even seen by Clamav: Trojan.Spy.Goldun-141

Many thanks to Daniel and Swa and the other ISC handlers.

Cheers,
Adrien de Beaupré
Cinnabar Networks/BSSI



0 Comments

Published: 2006-09-25

Using ISA to help block VML exploit

For those of you that use MS ISA as a proxy, or even as a perimeter protective mechanism, Microsoft has posted an article on "Learn How Your ISA Server Helps Block VML Vulnerability Traffic (925568)".
This would be a highly recommended measure in a Microsoft-centric environment, as one of the defence-in-depth layers of protection, not by itself. Please see the earlier diary entries on the VML vulnerability and its current exploitation here.

Cheers,
Adrien de Beaupré
Cinnabar Networks/BSSI

0 Comments

Published: 2006-09-24

VML exploits with OS version detection

We are seeing samples of the VML exploit that are coded to include browser / OS detection, and are able to trigger working exploits for Win 2000, 2003 and XP. Some reports indicate that client-side anti-virus is not sufficient to protect: some AV apparently only catches the VML exploit code once Internet Explorer writes the temp file to disk, which can be too late. The exploit versions seen so far usually pull and run an EXE file, but adding patterns for new EXE payloads is an arms race the AV vendors can't win. If you have the option, we suggest you use the work-around of unregistering the DLL as indicated in our earlier diary entry.

0 Comments

Published: 2006-09-23

Netcraft Report - HostGator servers exploited via cPanel, allowing redirection & VML exploitation

Netcraft's Rich Miller is reporting on VML related exploitation, details at "HostGator: cPanel Security Hole Exploited in Mass Hack.". The article also contains links to their earlier coverage.

"By early Saturday morning, HostGator managers were assuring users that the cause of the redirections had been isolated, and was due to a new exploit targeting cPanel.".

The article details and references a fix that is at the cPanel site.

0 Comments

Published: 2006-09-23

Mailbag Q&A concerning MS Desktop Search add-on vulnerabilities

 We received an inquiry from Ricardo Calina which asked if FolderShare (Diary item here) was  "used on the new MSN Live Messenger ?". After an inquiry to Microsoft about this and related questions (where else may it be, is it default enabled anywhere?) we received an answer that said "The one in MSN Messenger is different." and "FolderShare is not installed by default in any systems.".

Thanks for the question Ricardo, and MS, thanks for the answer!

0 Comments

Published: 2006-09-23

MSN-Worms exploit MS pif filter vulnerability

Kaspersky's blog, always a great read, is reporting that there are some "epidemic level" MSN-Worms (see Do you like photos?) that "spread using links to .PIF files.". They go on to say:

"But some of you might remember that Microsoft blocked messages containing ".pif"?

Yes they have, but... the MS block is case sensitive!

So the criminals used capital letters, ".PIF" and the network filters let the message flow right through. Other variations like .Pif, .pIf, and so on also work.".
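To make the failure mode concrete, here is an added PowerShell example (constructed messages, not real MSN worm traffic, and not Kaspersky's or Microsoft's code) of a link filter written two ways: one that compares the extension case-sensitively, which lets ".PIF" and ".Pif" through exactly as described above, and one that normalises the extension before checking it against the blocklist. The blocklist contents and the example.invalid URLs are assumptions.

```powershell
# Added example: a case-sensitive extension filter beside its case-insensitive fix.
$BlockedExtensions = @('.pif', '.scr', '.exe')   # assumption: a typical executable blocklist

# Constructed sample messages in the style the blog post describes
$Samples = @(
    'Do you like photos? http://example.invalid/photos.pif',
    'Do you like photos? http://example.invalid/photos.PIF',
    'Do you like photos? http://example.invalid/photos.Pif',
    'Holiday album here: http://example.invalid/album.jpg'
)

function Get-LinkExtensions {
    param([string]$Message)
    # Pull every URL out of the message and return the extension of each URL path
    $urls = [regex]::Matches($Message, 'https?://\S+') | ForEach-Object { $_.Value }
    foreach ($u in $urls) {
        $path = ([System.Uri]$u).AbsolutePath
        [System.IO.Path]::GetExtension($path)
    }
}

function Test-BlockedCaseSensitive {
    param([string]$Message)
    # -ccontains is the case-sensitive test: only an exact lowercase ".pif" matches
    foreach ($ext in (Get-LinkExtensions $Message)) {
        if ($BlockedExtensions -ccontains $ext) { return $true }
    }
    return $false
}

function Test-BlockedNormalised {
    param([string]$Message)
    # Lowercase the extension before comparing. PowerShell's -contains is already
    # case-insensitive; the explicit normalisation makes the intent survive a port to
    # a language or filter engine whose string comparison is case-sensitive.
    foreach ($ext in (Get-LinkExtensions $Message)) {
        if ($BlockedExtensions -contains $ext.ToLowerInvariant()) { return $true }
    }
    return $false
}

foreach ($m in $Samples) {
    '{0,-14} {1,-14} {2}' -f ("sensitive=" + (Test-BlockedCaseSensitive $m)),
                              ("normalised=" + (Test-BlockedNormalised $m)), $m
}
```

Only the first sample is caught by the case-sensitive version; the normalised version catches the first three and still passes the .jpg link. The same normalisation belongs in any attachment or URL filter that keys on file extensions.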

While you're there also check out their excellent Kaspersky Security Bulletin, January - June 2006: Malware Evolution released 09/22.

Thanks for the heads up Kaspersky!

And readers please remember (sticking tongue firmly in cheek) Microsoft says "Microsoft is aware of third party mitigations that attempt to block exploitation of vulnerabilities in Microsoft software. While Microsoft can appreciate the steps these vendors and independent security researchers are taking to provide our customers with mitigations, as a best practice, customers should obtain security updates and guidance from the original software vendor. Microsoft carefully reviews and tests security updates and workarounds to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. Microsoft cannot provide similar assurance for independent third party security updates or mitigations."
 

0 Comments

Published: 2006-09-22

Issues with e-mail notifier

Those of you who have signed up for e-mail notifications of infocon changes have noticed you've gotten multiple e-mails saying that infocon changed to yellow then green then yellow then green.....  We're aware of the problem and looking into it.  Right now we are at yellow and will remain so for at least 24 hours.

0 Comments

Published: 2006-09-22

Yellow: MSIE VML exploit spreading

Yellow

The VML exploit is now becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes.

If you have not taken measures yet, please consider some emergency fixes to cover the weekend (especially for those laptops surfing the web from home; they might be at high risk). The exploit is widely known, easy to recreate, and used in more and more mainstream websites.  The risk of getting hit is increasing significantly.

Outlook (including outlook 2003) is - as expected - also vulnerable and the email vector is being reported as exploited in the wild as well.

Weekends are moreover popular moments in time for the bad guys to build their botnets.

Actions

We suggest the following actions (do them all: a layered approach will work when one of the measures fails):
  • Update your antivirus software, make sure your vendor has protection for it.
  • Unregister the vulnerable dll:
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
or
regsvr32 /u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
  • Consider asking your users to stop their usage of MSIE, we know it's hard to break an addiction, but you're using the most targeted browser in the world.
Reregistering a DLL is done with the same command as unregistration, but without the "-u".
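For those rolling the regsvr32 work-around out across many machines, as in the enterprise report earlier in this diary, an added PowerShell example (not code from the original diary or from that reader's environment) that unregisters vgx.dll, verifies the result by checking whether the control's COM registration still names the DLL, and writes a one-line result per machine. It assumes the VML control registers under CLSID {10072CEC-8CC1-11D1-986E-00A0C955B42E} (confirm this against Microsoft's advisory before relying on it), and the central log path is a placeholder.

```powershell
# Added example: unregister vgx.dll and verify, so a roll-out reports per-machine
# success instead of trusting that regsvr32 ran. -Reregister reverses the change.
param([switch]$Reregister)

$Dll       = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'
$Clsid     = '{10072CEC-8CC1-11D1-986E-00A0C955B42E}'   # assumption: VML control CLSID
$InprocKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"

function Test-VgxRegistered {
    # A registered in-process COM server has an InprocServer32 key whose default
    # value names the DLL; regsvr32 -u removes that registration
    if (-not (Test-Path $InprocKey)) { return $false }
    $server = (Get-ItemProperty -Path $InprocKey).'(default)'
    return ($null -ne $server -and $server -like '*vgx.dll')
}

if (-not (Test-Path -LiteralPath $Dll)) {
    Write-Host "vgx.dll not present at $Dll - nothing to do"
    exit 0
}

$before  = Test-VgxRegistered
$regArgs = if ($Reregister) { @('/s', $Dll) } else { @('/s', '/u', $Dll) }
$proc    = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $regArgs -Wait -PassThru
$after   = Test-VgxRegistered

$line = '{0},{1},before={2},after={3},regsvr32_exit={4}' -f `
    (Get-Date -Format s), $env:COMPUTERNAME, $before, $after, $proc.ExitCode
Write-Host $line
# Central collection point for the roll-out team (placeholder path, adjust for your site)
# Add-Content -Path '\\server\share\vgx-rollout.log' -Value $line

# Success means the registration state now matches what was asked for
if ($after -eq [bool]$Reregister) { exit 0 } else { exit 1 }
```

The /s switch suppresses regsvr32's dialog box so the script can run unattended from a logon script or software-distribution job; the exit code and the before/after columns are what let you tell a machine that was never reached from one where the unregistration silently failed.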

Quotes

Ken Dunham from iDefense claims they have seen a significant increase in attacks over the last 24 hours and "[at] least  one domain hosts provider has suffered a large-scale attack leading to index file modifications on over 500 domains". Those domains pointed visitors to a VML exploit. We're happy to note they join us in recommending "implementing a workaround ASAP" and see the upcoming weekend as a factor in it.

References

--
Swa Frantzen -- Section66

0 Comments

Published: 2006-09-22

Zeroday Emergency Response Team (ZERT)

Several readers have written to us about the newly formed Zeroday Emergency Response Team (ZERT).  It looks like they will endeavor to create, test, and distribute patches (yes, we know about all the controversies of third-party patches... so please don't flood us with rants for or against them).  Still, we find the ZERT concept interesting, and thought you might want to read about it.  You can read more about ZERT and the people running it in an article by eWeek here.  Gadi Evron, operations manager for ZERT, points out that they have recently released a third-party patch for the VML vulnerability.

0 Comments

Published: 2006-09-22

Security Challenges and Games

I'm a big fan of using challenges and games as learning tools, especially in the information security world.  One of the most common of these types of challenges, of course, is a Capture the Flag (CtF) game.  In May 2005, I posted a diary requesting readers to send in links to hacking and security challenges that they had actually played and learned from.  We got a good set of results, but many of those sites have gone down.  In the SANS class I teach, a good list of hacking challenges is one of the most commonly asked questions.

Speaking of that, I once had an attendee in my SANS class that did great throughout the first five days of class.  But, on the last day, he didn't want to play the CtF game that we had been building up to for the whole week.  When I asked him why he wouldn't play, he said, "I don't play games."  He seemed to imply that games were beneath him.  I found that to be very sad... Well-constructed games can help us learn, and have fun at the same time.  I build capture the flag game challenges for the neighborhood kids that they play around my house with my own children.  These games include computer challenges, audio quizzes, simple ciphers (that an 8-year old can crack), video puzzles, and so on.  They are a lot of fun.

So, I'd like to renew my request.  Have you seen and actually played any publicly available (i.e., on the web) security/hacking challenges?  Please submit only ones that you've played and found useful, interesting, or at least fun.

I'll get the ball rolling by mentioning these, and I'll add to the list as I get recommendations from you all day:

- The Defcon CtF Prequalification Challenges from this year, created by Kenshoto.  The folks from 1@stplace, this year's Defcon CtF winning team (congrats, guys... GREAT WORK!), compiled these challenges and posted them on the 'net.  Note that the target servers are off-line, but all of the fantastic file-based challenges are available at this site.  This set of challenges is really wonderful, especially with the mix of technologies brought to bear, and the different mindsets needed to play in the diverse categories.
- Skillz challenges, hosted at ethicalhacker.net.  I write these, along with my buddies Mike Poor and Tom Liston.  The latest, Netcat in the Hat, was created by Tom, and you can still enter to win a prize.
- My archive of movie and TV themed challenges (17 in all) on my website.

Reader Aaron mentioned the very nifty project Webgoat from OWASP.  I really like this one a lot.  It provides a simulated e-commerce application that you download and install on your own machine.  Then, you get to attack it, using techniques such as SQL injection, weak session cookies, Cross Site Scripting, etc.  It's a _great_ learning tool for people mastering the art of web app penetration testing.  Thanks, Aaron!

An anonymous reader points us to www.hackr.org, where several challenges are available at different skill levels.

PJ mentioned http://quiz.ngsec.com and http://pulltheplug.org/wargames.  Both are classics in this genre, worthy of your attention.

Reader Peter mentions the www.hackthissite.org, which has a very large collection of hacking challenges and sort-of "real-world" scenarios.   Peter cautions, though, "However be warned and stay on the beaten track as you would not want to be firing malicious payload at a 'challenge' site that is redirecting to a .gov site!"  That's good advice.  Always, always, always double check your targets before firing in any such activities, whether hacker challenges or full-blown professional penetration tests!  Also, note that some people may find some of their stuff offensive.  You have been warned!

Beau pointed us to a fabulous collection of games and challenges that the Foundstone guys have pulled together here

Diligent reader Tyler points out our very own Pedro Bueno's malware analysis challenges, which are really fun and well thought-out.  Read them here.

Tyler also mentioned the Honeynet Project's scan of the month challenges.  Reader Brian points out that one of their very best challenges was the Forensics Challenge.   Truly a classic!

Although I was focusing on web-based challenges, several folks have written in with some live challenges that have tickled their fancy at hacker conferences or other venues.  

Chris Compton, a great friend and very bright guy, mentions: "While I'd certainly agree with the merits of web-based games, I also think there's something unique that can be learned from the highly charged, collaborative, competitive environment of in-person games.  I find I not only get good practice, but I also get to shoulder-surf my way to a better understanding of what some of the best 'competitors' are doing these days, and how they're approaching different problems.

Now, inevitably I'm going to plug Hack-or-Halo at Shmoocon as a good event for all skill levels... but I would also encourage the ISC readership to make an effort to attend and play at any or all of these such events/games." 

Well said, Chris.  These can be very worthwhile games.  A list of a few live, hands-on games was compiled by our reader Ronaldo, who mentions:

"Welcome to the DEF CON 13 WarDriving Contest
http://www.securitytribe.com/dc13wardrive/index.html

The 2005 UCSB International Capture The Flag (Giovanni Vigna)
http://www.cs.ucsb.edu/~vigna/CTF/

HITBSecConf2006 - CAPTURE THE FLAG OVERVIEW & RULES
http://conference.hackinthebox.org/hitbsecconf2006kl/?page_id=61

ToorCon 8 - RootWars
http://www.toorcon.org/2006/rootwars.html"

Ronaldo also mentioned OpenInfreno - An Open Source Root War Engine
http://openinfreno.sourceforge.net.  This is a very cool engine on which to build CtF games.  Nice work, gents!

Thanks--
--Ed Skoudis
Intelguardians.

0 Comments

Published: 2006-09-21

Apple updates Airport Drivers

Apple today released an urgent update for OS X, fixing arbitrary code execution issues with its Airport drivers. This is likely going to fix the issues demoed at Blackhat. This demo ignited a controversy as Apple never actually acknowledged that such a vulnerability exists. The researchers at the time were careful not to demo the exploit outside of a controlled lab in order to not release the exploit (after all... it's "wireless").

The full advisory notes 3(!) arbitrary code execution issues fixed by this patch. The advisory mentions that there is no known exploit, and does not give credit to anyone for discovering the vulnerability.

I recommend applying the patch ASAP. However, you will only be able to download the full patch "as is". Patches for the individual vulnerabilities are not provided. Interestingly, OS-X update labels the patch a "wireless network reliability fix".

For more background from Brian Krebs, see his latest blog.




0 Comments

Published: 2006-09-21

Updated MSIE VML Remote Buffer Overflow Exploit Code Released

Juha-Matti sent a note telling us that exploit code for the Internet Explorer VML Remote Buffer Overflow vulnerability Swa reported on in Tuesday's diary has been released on one of the usual sites.

The site contains a modified version of the code that was originally released on Tuesday that has now been tested on:
  • Windows XP SP1 + IE6 SP1
  • Windows XP SP0 + IE6
  • Windows 2000 SP4 + IE6 SP1
  • Windows 2000 SP4 + IE6

0 Comments

Published: 2006-09-21

2222/tcp Probes

In yesterday's diary Jim showed Dshield data pointing to a drastic increase in probes to tcp port 2222.

Today, the data drops back down to 'normal' levels



We did receive quite a few e-mails listing applications that use tcp 2222 by default, including Allen-Bradley SLC-505 PLCs, Direct Admin, Ethernet-connected Allen-Bradley Programmable Logic Controllers, and the pubcookie key server.

That port is also known to be used by a couple of trojans.

We've also received a few packets, and based on what we can see, it is a syn packet that may be crafted.  One of the handlers noticed some irregularities in the source port and sequence numbers.

I'll post the packets as soon as I can properly anonymize them to protect the innocent.  ;)

We'll keep an eye on this over the next few days.

0 Comments

Published: 2006-09-21

MS Desktop Search add-on vulnerabilities - Trustworthy Computing gone too far

So I'm checking the usual vulnerability announcement sources and once again the folks at NISCC have posted info on a beauty. Their NISCC Vulnerability Advisory 693564/NISCC/FOLDERSHARE - Security Implications of the FolderShare Program details huge vulnerabilities (https tunnel, EFS bypassing, and more) in FolderShare, an "add-in tool for Microsoft Desktop Search" which enables "remote access to files stored on Windows and Mac OS X based computers."

MS's KB "Best practices and security issues to consider when you use FolderShare" is weak; its only useful recommendation is:

"you can effectively block outgoing traffic to FolderShare. To permanently block the FolderShare satellite from running in a particular environment, block access to the following host name on port TCP/443:
redir1.foldershare.com".

The folks at NISCC credit "Ben Rexworthy of Securinet UK and white-hats.co.uk for reporting these issues to NISCC".

0 Comments

Published: 2006-09-20

2222/tcp Probe Increase

Earlier today I detected some probes that caused me to investigate further.  My ipf logs on my handy little sparc logged hits on port 2222/tcp.  I might have glossed over it, except I have sometimes used port 2222 for secure shell daemon in the past.  This was primarily to keep people from constantly hitting my unix boxen trying to brute force passwords and giving me tons of logs to process daily.  (Yes, I know that security by obscurity doesn't work, but in this case it was more of a data reduction function for the overworked and underfunded security guy.)

Well in any case, it caught my attention a bit.  I investigated a bit further and looked at secure shell logs further to see if everyone else in the world had used the same "bright idea" which I had a few years back causing the hackers to look there as well.  Amazingly enough, no logs whatsoever in any of the systems I know are still listening on that port.

After I scratched my head a bit, I went over to the Dshield data and sure enough we are seeing the same type of probing there. 



As you can see, there has been no substantial increase in sources, just records and targets.  Further investigation seems to indicate that a single IP is responsible for the majority of the records. But it doesn't clear up what they were trying to find.   Is it the old rootshell left behind by the circa 1999 linux amd exploit?  Is it something else?

So with that,  "anyone got packets?"   If you have a netcat or ssh listener and have captured packets, or have other ideas, please contact us.

0 Comments

Published: 2006-09-19

PDF vulnerabilities

Several new Adobe pdf vulnerabilities were recently announced.
The author claims these are basic vulnerabilities in the pdf api or architecture. The author tested his PoCs against Acrobat Reader and Adobe Professional.
 
The details are available here.
http://michaeldaw.org/
http://www.eweek.com/article2/0,1895,2016606,00.asp

Here is a quick risk assessment.

How widely deployed is the application?
Adobe reader is widely used and deployed. (9)

Are vendor patches available?
No patches currently available (10)

Is mitigation available and if so how complete is the mitigation?
No mitigation is currently available. (10)

Is user participation required?

Yes. The user first has to download or click the link to a pdf. (5)
So some user interaction takes place.
I have not tested the PoCs but several people have and their results do not match. Depending on who tested it you may have to click allow.
See this discussion on who tested the PoCs and their results.
http://www.networksecurityarchive.org/html/FullDisclosure/2006-09/msg00252.html

Is the vulnerability cross platform?

Yes. Any exploits will still have to run system dependent malware on the end host, but there are plenty of malware binaries that could be used. (8)

Is proof of concept or exploit code available?
The PoCs for two of the vulnerabilities are publicly available (10)

Overall risk score 8.7 on a scale of 0 – 10 with 10 being the highest.
This is based on the numbers I assigned.
Your risk might be slightly higher or lower depending on the numbers you would assign and any mitigating factors. In most risk assessments I do I include the value of the system that is vulnerable. In this case that is difficult to do so I have left that out.

 

0 Comments

Published: 2006-09-19

0day this, 0day that, I've got the 0day blah's, as does Microsoft Office 2000 PPT

In today's storm of email announcing vulnerabilities (*Yes, pun intended*), we have received multiple forwards of a new Power Point vulnerability currently focused on the Chinese localization of the Microsoft Office 2000 product.  It is unconfirmed at this time whether later versions of Power Point are vulnerable.  There has been no notice disclosed regarding active exploit of other localized versions of Power Point, but safe money says that they are.  One AV vendor is classifying a discovered variant as "Trojan.PPDropper.E".

Let me ask.  Do I even have to state the following among this readership?  Though it may be up to you to educate others.

* Don't open untrusted, unvetted or otherwise unexpected attachments. *  Especially not if they were found on a usb stick that was laying on the ground outside your office!

Personally, I have instructed my parents to stop using the internet altogether, since they seem unable to stop browsing strange websites and opening attachments from strange sources. </sarcasm>


Have I mentioned that I'm tired of using terms that have lost their meaning?

0day it to the front, uh-uh-uh
0day it to the back,  uh-uh-uh
0day to the right, 0day to the left
0day it up, up all night, uh-uh-uh  
</REALLY /sarcasm>
Handler on Duty (who solemnly swears NEVER to use the term '0day' ever again)
W

0 Comments

Published: 2006-09-19

Malware analysts rejoice! A public submission interface for the CWSandbox

The public availability of a submission interface into the CWSandbox is finally at hand.

The CWSandbox has been a somewhat closely held tool in the professional security and AV researcher community for many months now.  The CWSandbox results offer near immediate insight into the actions of malicious code execution on win32 based systems which in turn offers you, the affected party some quick intel on what might be happening on your network!

Please be kind and submit samples that you have vetted in some way as malicious.  I'm sure this project would not be interested in receiving copies of your %SYSTEM% directory.

You can submit your malicious code samples via the sample web submission form at:
https://luigi.informatik.uni-mannheim.de/submit.php

CWSandbox results containing the sandbox/AV results are emailed to the submitter address.

This sandbox environment currently tracks malicious code variants against only three free/unnamed AV products at the moment.  I'm confident that this project would be interested in hearing from commercial AV vendors willing to offer unix based solutions to further their detection effort.

Handler on duty
W

0 Comments

Published: 2006-09-19

Rant-of-the-day: on the dangers of orphaned software (the dark side of open source)

Earlier today, one of our readers (who asked not to be identified) alerted us that a number of Linux and BSD distros were releasing new versions of gzip which address several new vulnerabilities (CVE-2006-4334 through 4338).  A quick look at the Mitre site shows those vulnerabilities as still 'under review' so there are no details as to what underlying problems are being fixed.  I decided to take a look at the "official" site for gzip to see if there was any info there.  I first went to www.gnu.org and found info on gzip.  They said the "official" site was www.gzip.org, so I went over there for a look.  That is when I became very discouraged.  The last official version of gzip listed on that site is 1.2.4 (dated Aug 1993, well 1.2.4a is on the FTP server dated Feb 1999) and the latest "beta" listed is 1.3.3, but all of the Linux distros, FreeBSD, even Sunfreeware are on 1.3.5 (I finally found the 1.3.5 source on the alpha.gnu.org FTP server, dated Sep 2002).  Looking at the bottom of the page, I see that the page itself hasn't been updated in over 3 years.  Is there someplace that one can find the current definitive source for gzip?  I don't know.  I found a Windows version on Sourceforge.  I know there have been vulnerabilities in both gzip and zlib over the last 3 or 4 years and I know that most vendors have patched them, but if there is no authoritative owner for the software, are the vendors patching the same way?  Do all the patches actually work?  How have the various vendor versions diverged over the last 3+ years?  This is the downside of open source software.  What happens to it when the original maintainers tire of it, move on to other things, get hit by the proverbial bus,...?  I admit that I have not yet tried contacting support@gzip.org or the original authors of this excellent tool to find out if they have passed maintenance on to anyone else.  
I am reasonably certain that the various vendor versions could be reconciled and an official version could be produced again, but who should/would take ownership of it?

Anyway, from what I can tell from the FreeBSD and Ubuntu bulletins, these issues can result in gzip (or, I believe more accurately, gunzip/gzip -d) crashing, causing high CPU utilization, and possible code execution from a properly crafted .gz file, so you'll probably want to update your gzip as soon as your favorite distro provides the update.

----------------------------
Jim Clausing, jclausing /at\ isc dot sans dot org

0 Comments

Published: 2006-09-19

Are you a security pirate?

While not of any particular security significance, I do enjoy my low brow humour maybe a little more than the next person.

It has been reported that September 19th is International (talk like a) Pirate Day!  Arrr!

If you have any need to don your Security BoFH hat for the remainder of your day to speak with anyone regarding actual significant security matters, I am informing you that you do have the option to do so with a new hook in your voice.  Just think of the fun you can have while you speak with the next individual reported to have unleashed a botnet on your internal networks:

"Arrr!  Did ya click on that URL sent in IM, Matey!!!  Grrr... Now why'd ya go and do that!  Now yee'll be walkin' the plank!"

I consider myself to be of the disco bandit pirate variety, and just what kind might you be matey!

W


0 Comments

Published: 2006-09-19

Yet another MSIE 0-day: VML

We got multiple readers telling us they noticed reports about a new MSIE 0-day abusing VML. VML stands for Vector Markup Language and is basically an XML structure. It was submitted to W3C in 1998.

This 0-day appears to be different from last week's 0-day abusing daxctle.ocx (BTW: it's still unpatched).

The researchers claim it allows remote code injection (i.e. anything the local user could do).

Since we know of no killbit or other easy solution, your options are limited in mitigating this attack. And with a possible solution far off, looking into alternate browsers isn't the worst way to spend the next half hour.
One of the easiest ways to make it work might be to use Firefox with a plugin to allow certain sites (such as windowsupdate.com) to transparently use MSIE to get back the ActiveX functionality without bothering the user over the choice and differences. If you do go that road, also add NoScript, and a toolbar to block funny sites.
See also the diary on diversity.

There is some possibility to lessen the impact by reducing the rights the user has, but it'll only mitigate drive-by shootings at best. The targeted attacker is probably more than happy to get the rights (and access to information) the user has as part of his/her daily tasks.

Thanks to all who sent in a note about this.

Update:
We have received requests for additional background information.  Today's US-CERT Vulnerability Note provides useful background offering links to the specific vulnerable technology.

--
Swa Frantzen -- Section 66

0 Comments

Published: 2006-09-18

Log analysis follow up

I posted a story a little over a week ago asking for reader input on their favorite log analysis tools and followed up with some of my own.  I promised that I'd post a summary of what you provided me.  I was hoping to do that last week, but life got in the way.  So in the spirit of "better late than never", here is my wrap-up.

The one open source tool that was mentioned most often was ossec and frankly, I'm not sure how that one slipped my mind when I did my own list.  I started using it a few months ago and really like it.  Daniel Cid, the maintainer, pointed out to me that there are quite a few rules for it that can be found at http://www.ossec.net/rules/ and they are updated/added to on a daily basis.

Beyond that, most of the folks who wrote in said that they wrote their own scripts to search/parse/summarize their logs because with experience they've learned what it is they want to look for.  I guess this points out one of the problems in the area though.  Folks with lots of experience, who have managed their machines/networks for a long time, develop a feel for what is normal and what they need to watch for, but how much bad stuff happened on the way to developing all that experience?  Also, is their intuition correct?  As I mentioned to fellow handler Swa when he wrote up his audit story last month, in some ways automated summarization/reporting on logs based on experience is a lot like signature-based anti-virus or IDS: you'll catch the known stuff, but may miss the new stuff.  That's why it is important to also look at the unusual stuff.  Not just the "top 10" reports, but also the "bottom 10".

I was kind of surprised that few of our readers wrote in about any of the commercial tools out there.  I don't know if that is because our readers all are strong believers in open source, or don't have experience with the commercial tools, or if the commercial tools just don't do what they need.  I personally have almost no experience with the commercial tools because in most of my paid jobs, there was no budget for log analysis, so we were stuck with open source, stuff I wrote, or doing without.

I'll wrap this up, by pointing you to a report that was released at the SANS Log Analysis Summit after SANSFIRE in DC in July.  I was able to attend part of the summit, including the talk by Chris Brenton and Mike Poor where they discussed the Top 5 Essential Log Reports.

-------------------------------
Jim Clausing, jclausing --at-- isc dot sans dot org

0 Comments

Published: 2006-09-16

Update/Fix for MS06-049

Microsoft has re-released a bulletin, or rather published an update to an existing bulletin, which originally only had a risk of privilege elevation.  The latest revision of Knowledge Base article 920958 outlines problems that *may* occur with the installation of MS06-049.  According to MS "After you install security update 920958 (MS06-049) on a computer that is using NTFS file system compression, compressed files that are larger than 4 kilobytes may be corrupted when you create or update the files."  We here at ISC now have confirmation of the problem with a reader submitting that yes, indeed, it does exist.  MS has also published a fix for this in KB 925308 in case "you are severely affected".  IMHO you're either affected or you're not and would want to take steps accordingly.

0 Comments

Published: 2006-09-16

Haxdoor Incident Details at Honeyblog.Org

The folks at Honeyblog.Org have a great write up on a malware incident involving Haxdoor, see On the Economics of Botnets - Part 2. "In total, more than 39,000 different IP addresses fell victim of this particular Haxdoor infection."

0 Comments

Published: 2006-09-16

Citrix Access Gateway Advanced Access Control remote and local vulnerability reported

FrSIRT is reporting a serious remotely and locally exploitable vulnerability, Citrix Access Gateway Advanced Access Control LDAP Authentication Bypass, "which could be exploited by attackers to gain unauthorized access to a vulnerable application without supplying valid credentials." At this time FrSIRT's links to Citrix are dead and I can't find any related information at Citrix.
UPDATE: We were notified by Jerry that the FrSIRT links were working as of Saturday evening, September 16. Thanks Jerry.

0 Comments

Published: 2006-09-16

Multiple vulnerabilities fixed in Firefox, Thunderbird and Seamonkey

Mozilla has issued updated versions of Firefox, Thunderbird and Seamonkey with fixes for multiple vulnerabilities. Descriptions of the vulnerabilities that were addressed with this update can be read at:
Firefox 1.5.0.7 Release notes
Thunderbird 1.5.0.7 Release notes
SeaMonkey 1.0.5 Release notes

Downloads for these updated Mozilla products are at Firefox, Thunderbird and SeaMonkey

0 Comments

Published: 2006-09-15

Snort rule update

Sourcefire's VRT has published rules to catch attacks targeting the following vulnerabilities:

Microsoft Security Bulletin MS06-054 Microsoft Publisher
Microsoft Security Bulletin MS06-053 Microsoft Indexing Service
Microsoft Security Bulletin MS06-008 Microsoft Web Client Service (Webdav)
Microsoft Security Bulletin MS06-007 The Microsoft Windows Operating system suffers from a Denial of Service (DoS) condition that is present when handling malformed IGMPv3 data

Also Snort 2.6.0.2 was published today that includes a new DNS preprocessor that will catch:
Microsoft Security Bulletin MS06-041 The Microsoft Windows DNS Client

Get your fresh Snort rule updates here.  For complete information about the rule pack, please go here.  Finally, to download Snort 2.6.0.2, go here.

Update #1
-------------------------------------------------------------------------------------------
Joel Esler, from 35,000ft in the air, has added a note to this story, and that is...

The above listed rules, available from Sourcefire, are subscription only at this time.  After a period of time they will be available to the public, for free.

For Joel Esler,

Tony Carothers
Handler on Duty

0 Comments

Published: 2006-09-15

Killbit apps for current IE exploit

Update: I posted this late on Friday (9/15) evening, so I wanted to pull it back onto the front page again.  This looks to me like a perfect avenue for malware drive-bys, and with the likelihood being that this won't be addressed until the next MS monthly patch cycle (gee... who would EVER have thought that the bad guys would start timing THEIR releases to maximize exposure until the next patch-day?!?) we're probably going to be seeing a whole lot of this stuff:

To make life a little easier, I put together two small apps to set and unset the appropriate "kill bit" to block the actions of the current "daxctle.ocx" IE exploit.  They can be found here:

http://handlers.sans.org/tliston/DAXCTLE.OCX_KillBit.exe  - Standard Windows executable
(MD5: 599a2e48602f63a5330eea8259216584)

http://handlers.sans.org/tliston/DAXCTLE.OCX_KillBit_cmd.exe - Command line version
(MD5: 571a19cf51f713b81545ebd6a007d792)

The command line version, when run without any parameters, will set the "kill bit".  When run with any parameter (i.e. something like "/r"), will remove the "kill bit."

The standard Windows executable, when run, will tell you the current status of the kill bit and offer you the option of changing it.

Hope these help...

--------------------------------------------------------------------------
Tom Liston
ISC Handler
Senior Security Analyst - Intelguardians (http://www.intelguardians.com)

0 Comments

Published: 2006-09-15

MSIE DirectAnimation ActiveX 0-day update

Microsoft released a security advisory regarding the 0-day we reported on earlier.

Timeline:
Workarounds:
  • Use an alternate browser (see also diversity)
  • Disable ActiveX scripting in MSIE
  • Modify the ACL on daxctle.ocx to remove rights to use it
  • Set the KillBit for "{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}"
  • Make MSIE prompt before executing ActiveX
Please note that windowsupdate needs an ActiveX enabled browser, but you can do that with settings to the security zones and trusting Microsoft.
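The kill bit in the workaround list above, and the two ISC executables in the earlier "Killbit apps for current IE exploit" entry, all flip the same registry value: bit 0x400 of the REG_DWORD "Compatibility Flags" under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. As an added example (not the ISC tools and not anything from Microsoft), the Python script below builds an importable .reg file that sets or clears that bit for a list of CLSIDs without clobbering other flags already set on the control, and parses `reg query` output so a script can confirm the bit is in place. The daxctle.ocx CLSID is the one from these entries; the second CLSID and the `reg query` sample are constructed placeholders.

```python
"""Build a .reg file that sets (or clears) the Internet Explorer ActiveX
"kill bit" for a list of CLSIDs, and audit `reg query` output to confirm it
is set.  Added example for this diary; not the ISC kill-bit tools linked
above.  Windows records the kill bit as bit 0x400 of the REG_DWORD
"Compatibility Flags" under
HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{CLSID}.
The daxctle.ocx CLSID comes from the diary; the `reg query` sample and the
second CLSID are constructed for this example.
"""
import re

KILLBIT_FLAG = 0x400          # bit that tells MSIE never to load the control
ACTIVEX_COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                      r"\ActiveX Compatibility")
DAXCTLE_CLSID = "{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}"   # from the diary
# Constructed placeholder CLSID for the audit sample, not a real control.
OTHER_CLSID = "{11111111-2222-3333-4444-555555555555}"

_CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")
_KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\(\{[0-9A-Fa-f-]{36}\})\s*$")
_VALUE_RE = re.compile(r"^\s+Compatibility Flags\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$")


def normalize_clsid(clsid):
    """Upper-case and brace a CLSID; refuse anything that is not a GUID so a
    typo cannot silently create an unrelated registry key."""
    c = clsid.strip().upper()
    if not c.startswith("{"):
        c = "{" + c + "}"
    if not _CLSID_RE.match(c):
        raise ValueError("not a CLSID: %r" % clsid)
    return c


def killbit_reg_file(clsids, current_flags=None, clear=False):
    """Return .reg text (import with regedit or `reg import`) that sets the
    kill bit for each CLSID, or clears it when clear=True.

    current_flags maps CLSID -> the existing Compatibility Flags value so
    other flags already present on a control are kept rather than
    overwritten.  Importing the file needs administrator rights.
    """
    current_flags = current_flags or {}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        c = normalize_clsid(clsid)
        old = current_flags.get(c, 0)
        new = (old & ~KILLBIT_FLAG) if clear else (old | KILLBIT_FLAG)
        lines.append("[%s\\%s]" % (ACTIVEX_COMPAT_KEY, c))
        lines.append('"Compatibility Flags"=dword:%08x' % new)
        lines.append("")
    return "\r\n".join(lines)


def parse_reg_query(output):
    """Parse `reg query "<ActiveX Compatibility key>" /s` output into a
    {CLSID: Compatibility Flags} dict (0 when the value is absent)."""
    flags, current = {}, None
    for line in output.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            flags.setdefault(current, 0)
            continue
        m = _VALUE_RE.match(line)
        if m and current:
            flags[current] = int(m.group(1), 16)
    return flags


def killbit_set(flags):
    """True when the 0x400 bit is present in a Compatibility Flags value."""
    return bool(flags & KILLBIT_FLAG)


def missing_killbits(reg_query_output, wanted_clsids):
    """List the wanted CLSIDs whose kill bit is not set on this machine."""
    flags = parse_reg_query(reg_query_output)
    return [c for c in map(normalize_clsid, wanted_clsids)
            if not killbit_set(flags.get(c, 0))]


# Constructed sample of `reg query ... /s` output: daxctle.ocx already has
# its kill bit, the placeholder control has no Compatibility Flags at all.
SAMPLE_REG_QUERY = "\n".join([
    ACTIVEX_COMPAT_KEY + "\\" + DAXCTLE_CLSID,
    "    Compatibility Flags    REG_DWORD    0x400",
    "",
    ACTIVEX_COMPAT_KEY + "\\" + OTHER_CLSID,
    "",
])

if __name__ == "__main__":
    print("still unprotected:", missing_killbits(SAMPLE_REG_QUERY,
                                                 [DAXCTLE_CLSID, OTHER_CLSID]))
    print(killbit_reg_file([OTHER_CLSID]))
```

Run `reg query "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" /s` on the machine, feed the output to `missing_killbits`, and import the generated .reg for whatever comes back; the OR/AND-NOT handling matters because some controls already carry other compatibility flags that a plain overwrite with 0x400 would erase.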

With thanks to the readers writing in to remind us.

--
Swa Frantzen -- Section 66

0 Comments

Published: 2006-09-15

Adaware corrects their false positives

Robert writes in to tell us that Lavasoft has corrected the problem they had with Adaware dishing out a few false positives.

Seems like if you update to the newest detection file, you should be fine.  Check out the thread here.

A reader named Jim did write in and tell us about the error, thanks Jim.  He told us.. "Following the registry to the executable file reference, I find a MSINET.OCX in the windows system32 directory which was digitally signed by Microsoft in 2000."

As a quick reminder, anyone who wishes to contact the ISC may do so by clicking "Contact" at the bottom right of the page, or clicking on the "Handler of the Day"'s name at the top of the screen.

0 Comments

Published: 2006-09-15

Get your fresh Firefox updates

My Firefox just jumped up at me and said "You have some updates".

Version 1.5.0.7 to be exact.  So what's new?  Well, Mozilla tells us over here.

MFSA 2006-64 (which, by the way, stands for Mozilla Foundation Security Advisory)
Looks like a memory corruption bug.  "Crashes with evidence of memory corruption", Mozilla says, "...we presume that at least some of these could be exploited to run arbitrary code with enough effort."  So, let's hope not.

MFSA 2006-62 -- Popup-blocker cross-site scripting (XSS)
More XSS stuff, except this time against the Popup-blocker feature.  Mozilla doesn't really view this as a big threat: "The malicious page would first have to get itself framed by the target page, attempt to open a popup, and then convince the user that the popup contents were so important or interesting that it must be opened manually."

MFSA 2006-60 -- RSA Signature Forgery
Looks like Philip Mackenzie and Marius Schilder over at Google found this one. 
"Because the set of root Certificate Authorities that ship with Mozilla clients contain some with an exponent of 3 it was possible to make up certificates, such as SSL/TLS and email certificates, that were not detected as invalid. This raised the possibility of the sort of Man-in-the-Middle attacks SSL/TLS was invented to prevent."
Good, I read about this one not too long ago on a couple mailing lists that I lurk on.

MFSA 2006-59 -- Concurrency-related vulnerability
Mozilla has this to say: "We have seen no demonstration that these crashes could be reliably exploited, but they do show evidence of memory corruption so we presume they could be."

MFSA 2006-58 -- Auto-Update compromise through DNS and SSL spoofing
DNS and SSL spoofing vulnerability.  Mozilla does offer some good advice on this one:
"Do not accept unverifiable (often self-signed) certificates as valid. If you must, accept them for the session only, never permanently."  Rule of thumb.

MFSA 2006-57 -- JavaScript Regular Expression Heap Corruption
"...a regular expression that ends with a backslash inside an unterminated character set (e.g. "[\\") will cause the regular expression engine to read beyond the end of the buffer, possibly leading to a crash."

... and since Thunderbird uses the same browser engine as Firefox, you need to update it too!

Thunderbird update can be found here.
Firefox's update can be found here.

OR!!!  (and better IMO), you can click on Help (in the title bar), and click on "Check for Updates...", and the program will update itself.  (At least that's where it is on my Mac)

Happy updating!

(ISC would like to thank Jack, Robert, Juha-Matti, and Brian for emailing us to let us know..  and in case you were wondering, Brian emailed us first.  He wins!)


0 Comments

Published: 2006-09-14

Another 0-Day Exploit - CVE-2006-4777


We have received word that FrSIRT has issued another advisory on a 0-Day Exploit.  This vulnerability has CVE ID 2006-4777 and appears to be related to Microsoft Internet Explorer and causes a memory corruption and consequential browser crash.  FrSIRT has successfully exploited this vulnerability on a fully patched Windows XP SP2 system.

FrSIRT Advisory for CVE-2006-4777

CVE Advisory

0 Comments

Published: 2006-09-14

CSO Online E-Crime Survey Results



The survey results are in and the findings are quite intriguing (at least to me).  As a Security Administrator for a smaller company I realize what a task it is to implement any kind of security with a very small budget.  It is often difficult to impress on top management the importance of data protection, network protection and getting them to allocate funds for software/hardware to protect the data.

As I reviewed the information in the survey one of the items that jumped out at me, that really caused me to pause and think was the insider breaches that ended in lost revenue/damage.  The different ways that the breaches occurred were all very logical and I guess not so surprising.  When I looked at the reasons that were given for why legal action was not taken I at first was surprised at the high percentage that said "Lack of evidence".  As I began to think about it, began to really think about whether or not we would have enough evidence, I am beginning to rethink my response.  Perhaps I need to really look at my ability to provide evidence in the event that an insider breach does occur. 

I have to say, this is an outstanding survey and I think an outstanding tool for Security/System Administrators to begin to ask themselves the very important question, "How safe is your data?"

I for one am going to use this as a tool for doing a self evaluation.

I want to thank Karen Fogerty at CSO Online for giving me permission to post a link to the survey in today's diary.  Hopefully everyone will take a look at the results of the survey and use it to analyze their own security or lack thereof and the impact that a breach may have on their system.


0 Comments

Published: 2006-09-14

cisco vtp vulnerabilities

FX reported three vulnerabilities for cisco vtp.
http://www.securityfocus.com/archive/1/445896/30/0/threaded

Cisco responded with this public response.
http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml

CSCsd34855/CSCei54611 -- Buffer Overflow in VTP VLAN name, possible remote code execution.
VTP passwords mitigate this one somewhat, as long as the passwords are not easily guessable or well known.

CSCsd52629/CSCsd34759 -- VTP version field DoS
VTP passwords do not mitigate this vulnerability, as this takes place before the VTP password would be used.

CSCse40078/CSCse47765 -- Integer Wrap in VTP revision
This one appears to be a cosmetic issue, not a DoS.
Cisco was unable to recreate a DoS condition in their testing.

FX in the original posting provided a text version of the packet needed to perform the buffer overflow in vtp vlan name. That can easily be converted to a pcap. I consider that to be a public release of the exploit.

If you have not set a VTP mode, VTP server is the default mode.
If not set to transparent mode, the switch could be vulnerable depending on code level.

To set a vtp password execute the command

vtp password $PAssw0rd_th@t_15_h@rd_2_guess

From the cisco response:
"Products affected by these vulnerabilities:

Switches running affected versions of Cisco IOS® software that have VTP Operating Mode as either "server" or "client" are affected by all three vulnerabilities

Switches running affected versions of Cisco CatOS that have VTP Operating Mode as either "server" or "client" are only affected by the "Integer Wrap in VTP revision" vulnerability

Products not affected by these vulnerabilities:

Switches configured with VTP operating mode as "transparent"

Switches running CatOS with VTP Operating Mode as either "server" or "client" are not affected by the "Buffer Overflow in VTP VLAN name" or "VTP Version field DoS" vulnerabilities"
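The Cisco affected-products statement above, together with the per-bug notes on what a VTP password does and does not mitigate, reduces to a small decision table. As an added example (not Cisco's or FX's code), the Python script below encodes that table and applies it to the text of `show vtp status` and `show vtp password` so a fleet of switches can be triaged from collected command output; the sample command output is constructed, and the rules state nothing beyond what the entry and the quoted Cisco text say.

```python
"""Assess a switch's exposure to the three VTP issues above from the text of
`show vtp status` and `show vtp password`.  Added example for this diary,
not Cisco's or FX's code; the rules encode only the Cisco affected-products
statement quoted above, and the sample command output is constructed.
"""

BUGS = {
    "CSCsd34855/CSCei54611": "Buffer Overflow in VTP VLAN name",
    "CSCsd52629/CSCsd34759": "VTP Version field DoS",
    "CSCse40078/CSCse47765": "Integer Wrap in VTP revision",
}
VLAN_NAME_OVERFLOW = "CSCsd34855/CSCei54611"
VERSION_DOS = "CSCsd52629/CSCsd34759"
REVISION_WRAP = "CSCse40078/CSCse47765"


def parse_vtp_status(output):
    """Turn the 'Field : value' lines of `show vtp status` into a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def vtp_password_configured(output):
    """`show vtp password` prints 'The VTP password is not configured.' when
    none is set, and 'VTP Password: ...' otherwise."""
    return "not configured" not in output.lower()


def assess(platform, status_output, password_output):
    """Return (exposed bug ids, findings) for one switch.

    platform is 'ios' or 'catos'.  Per the Cisco statement: transparent mode
    is not affected; IOS in server/client mode is exposed to all three
    issues; CatOS in server/client mode only to the revision integer wrap.
    A VTP password only narrows the VLAN-name overflow (and only if it is
    hard to guess); it does nothing for the version-field DoS.
    """
    fields = parse_vtp_status(status_output)
    # A switch that never had a mode configured is a VTP server (the default).
    mode = fields.get("VTP Operating Mode", "Server").lower()
    findings = ["VTP mode %s, domain %s"
                % (mode, fields.get("VTP Domain Name", "<none>"))]

    if mode == "transparent":
        findings.append("transparent mode: not affected by any of the three issues")
        return [], findings
    if mode not in ("server", "client"):
        findings.append("mode %r is not in Cisco's affected list; review manually" % mode)
        return [], findings

    if platform.lower() == "catos":
        exposed = [REVISION_WRAP]
    else:
        exposed = [VLAN_NAME_OVERFLOW, VERSION_DOS, REVISION_WRAP]
    for bug in exposed:
        findings.append("exposed: %s (%s)" % (BUGS[bug], bug))

    if VLAN_NAME_OVERFLOW in exposed:
        if vtp_password_configured(password_output):
            findings.append("VTP password set: mitigates the VLAN name overflow only "
                            "if it is not guessable; the version field DoS is unaffected")
        else:
            findings.append("no VTP password: set one with 'vtp password <hard-to-guess>'")
    findings.append("switches that do not need VTP can use 'vtp mode transparent'")
    return exposed, findings


# Constructed `show vtp status` / `show vtp password` output.
SAMPLE_STATUS_SERVER = """\
VTP Version                     : 2
Configuration Revision          : 12
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 9
VTP Operating Mode              : Server
VTP Domain Name                 : LAB
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
"""
SAMPLE_STATUS_TRANSPARENT = SAMPLE_STATUS_SERVER.replace(": Server", ": Transparent")
SAMPLE_PASSWORD_NONE = "The VTP password is not configured.\n"
SAMPLE_PASSWORD_SET = "VTP Password: $PAssw0rd_th@t_15_h@rd_2_guess\n"

if __name__ == "__main__":
    for name, plat, status, pw in [
        ("ios-server-nopw", "ios", SAMPLE_STATUS_SERVER, SAMPLE_PASSWORD_NONE),
        ("catos-server", "catos", SAMPLE_STATUS_SERVER, SAMPLE_PASSWORD_SET),
        ("ios-transparent", "ios", SAMPLE_STATUS_TRANSPARENT, SAMPLE_PASSWORD_NONE),
    ]:
        exposed, findings = assess(plat, status, pw)
        print(name, exposed)
        for f in findings:
            print("  -", f)
```

The platform has to be supplied by the caller because neither VTP command prints it; anything other than "catos" is treated as IOS, the more exposed case, so an unknown platform errs toward reporting all three issues.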

0 Comments

Published: 2006-09-13

Happy birthday, disk drive

Today is the 50th anniversary of the first computer system that had a disk drive.  See here for more info.

0 Comments

Published: 2006-09-13

PHP - shared hosters, take note.

PHP is a popular server side scripting language.

PHP's (security) settings are typically controlled from a php.ini file. This allows the system administrator to control settings such as safe_mode and open_basedir.

People managing shared hosting machines often control the settings on a more granular level in the apache configuration (httpd.conf) as they can set it there per directory and allow for the different hosted sites to have different settings.

This latter method of limiting scripts can be overcome from inside the scripts themselves. Details are trivially available.

So that leaves:
  • Control PHP settings from the php.ini file if possible;
  • If you are a shared hosting provider: check the CVS repository, reportedly the needed fixes have been checked in (unconfirmed);
  • Cross your fingers and wait for the next release of PHP (the current releases are reportedly affected).
CVE-2006-4625

--
Swa Frantzen -- Section 66 


Published: 2006-09-13

Qwest having problems?

We've started noticing some problems with Qwest's network.  We've had no reports as to the cause, and we are sure that Qwest is working on it.

The Internet Health Report confirms the outage.  Click here.

More to come as we know more. 


Published: 2006-09-12

Adobe Flash player upgrade time

Adobe released its APSB06-11 advisory today on patched versions of its Flash Player. These upgrades address multiple input-validation vulnerabilities that lead to arbitrary code execution.

Upgrading to the latest version, 9.0.16.0, is highly recommended.

Apple Mac OS X users as well as Windows users are urged to upgrade. This is important, as content vectors are something the dark side likes to embrace.

CVE-2006-3014
CVE-2006-3311
CVE-2006-3587
CVE-2006-3588
CVE-2006-4640

--
Swa Frantzen -- Section 66


Published: 2006-09-12

Apple Quicktime 7.1.3 released

Apple released QuickTime 7.1.3 today. It fixes 7 vulnerabilities, all leading to arbitrary code execution. Clearly our worries about insufficiently validated content in media files are not over yet.

So one more item to install on reboot Wednesday, if you want to wait that long.

And Mac OS X users also have to patch so there is some equality after all.

CVE-2006-4381
CVE-2006-4386
CVE-2006-4382
CVE-2006-4384
CVE-2006-4388
CVE-2006-4389
CVE-2006-4385


--
Swa Frantzen -- Section 66


Published: 2006-09-12

Microsoft Security Bulletin MS06-053

There is an information disclosure vulnerability in the Indexing Service because of the way that it handles query validation. The vulnerability could allow an attacker to run client-side script on behalf of a user. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site.

Mitigating Factors:
By default, Internet Information Services (IIS) is not installed on Windows XP or on Windows Server 2003.

On Windows Server 2003, the Indexing Service is not enabled by default.

On Windows Server 2003, even when the Indexing Service is installed, by default it is not accessible from IIS. Manual steps are required to enable IIS to become a Web-based interface for the Indexing Service. By default the Indexing Service is used only to perform local and remote file system queries.

Recommendations: Evaluate urgency based on your installation, and apply the patch.


Published: 2006-09-12

Microsoft Security Bulletin MS06-052

This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Affected Systems: Windows XP with Microsoft Message Queuing Services (MSMQ) installed.

Recommendation: Patch immediately if you are running MSMQ.


Published: 2006-09-12

Microsoft security patches for September 2006

Overview of the September 2006 Microsoft patches.

Columns: bulletin (re-released where noted), affected component, CVEs, known problems, known exploits, Microsoft rating, ISC rating for clients and servers.

MS06-040 (re-released) -- Server Service
  CVE: CVE-2006-3439
  Known problems: Re-released to fix known problems (KB921883)
  Known exploits: Multiple botnets actively exploiting this.
  Microsoft rating: Critical
  ISC rating: clients PATCH NOW, servers PATCH NOW

MS06-042 (re-released) -- Internet Explorer (MSIE)
  CVE: CVE-2006-3280, CVE-2006-3450, CVE-2006-3451, CVE-2006-3637, CVE-2006-3638, CVE-2006-3639, CVE-2006-3640, CVE-2004-1166, CVE-2006-3869; new: CVE-2006-3873
  Known problems: Re-released to fix the known problems with MSIE 6 SP1 (KB918899)
  Known exploits: Well known vulnerabilities
  Microsoft rating: Critical
  ISC rating: clients PATCH NOW, servers Important

MS06-052 -- Reliable Multicast Program (PGM)
  CVE: CVE-2006-3442
  Known problems: No reported problems (KB919007)
  Known exploits: No known exploits yet
  Microsoft rating: Important
  ISC rating: clients Critical, servers Critical

MS06-053 -- Indexing Service
  CVE: CVE-2006-0032
  Known problems: No reported problems (KB920685)
  Known exploits: No known exploits yet
  Microsoft rating: Moderate
  ISC rating: clients Less urgent, servers Important

MS06-054 -- Publisher
  CVE: CVE-2006-0001
  Known problems: No reported problems (KB910729)
  Known exploits: No known exploits yet
  Microsoft rating: Critical
  ISC rating: clients Critical, servers Less urgent

We will update issues on this page as they evolve.
We appreciate updates.
US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY.


--
Swa Frantzen -- Section 66


Published: 2006-09-12

Microsoft Security Bulletin MS06-054

A remote code execution vulnerability exists in Publisher. An attacker could exploit this vulnerability when Publisher parses a file with a malformed string.

If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Mitigating Factors:
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

In a Web-based attack scenario, an attacker would have to host a Web site that contains a Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.

The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document.

By default, Publisher is only installed on the Professional Suites of Office.

Recommendation: If you use Publisher, patch now, and consider limiting user rights for day-to-day use, even for those who need administrative access.


Published: 2006-09-11

TOR servers seized by police in Germany

Several sources report that last Thursday, a handful of TOR anonymizing proxy servers were seized by law enforcement in Germany, apparently because the anonymizers were (next to their normal, privacy-protecting use) also abused to stealthily access and propagate child porn. A short write-up is posted on http://tor.eff.org/ ; most of the other information (like in the Heise Blog) is in German.


Published: 2006-09-11

Log analysis and marketing decisions don't mix

As Jim wrote in yesterday's diary, there are several good tools available to check for suspicious patterns in your log files. But every now and then, vendor marketing decisions will throw you a curve ball - like happened to me when we upgraded a Cisco PIX to one of the shiny new "Adaptive Security Appliances (ASA)" from the same vendor. Yes, it does come with a few new features, but it pretty much still looks like a PIX.  Except for one little detail:

Sep 10 08:22:07 raz1-fw Sep 10 08:22:07 %PIX-3-313001: Denied ICMP type=8, code=0 from 67.x.y.z on interface outside
Sep 10 23:45:15 raz1-fw Sep 10 23:45:15 %ASA-3-313001: Denied ICMP type=8, code=0 from 64.x.y.z on interface outside

Anyone spot the difference? At least exchanging %PIX for %ASA in all log filtering regexes is something that can be done with a script on SEC and its Bleeding Snort rules. But if you are using an off-the-shelf (closed source) log "correlation" product and happen to upgrade your Cisco firewall, be wary of the peace and quiet that will set in on your alert screen...
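As an added example (my code, not the diary's and not a Cisco tool), the two log lines above run through a PIX-only filter and through a filter that captures the platform prefix as a group and keys on the six-digit message id instead, which is what survives the PIX-to-ASA upgrade. The FWSM prefix in the second pattern is my addition; the diary only mentions PIX and ASA.

```python
import re

# The two lines quoted in the diary above (source addresses masked as on the page).
LOG_LINES = [
    "Sep 10 08:22:07 raz1-fw Sep 10 08:22:07 %PIX-3-313001: Denied ICMP type=8, code=0 from 67.x.y.z on interface outside",
    "Sep 10 23:45:15 raz1-fw Sep 10 23:45:15 %ASA-3-313001: Denied ICMP type=8, code=0 from 64.x.y.z on interface outside",
]

# A filter written for the PIX: matches the first line and silently drops the second.
PIX_ONLY_RE = re.compile(r"%PIX-(\d)-(\d{6}):")

# Platform-agnostic: the prefix is just a group, the rule keys on the message id
# (313001 means the same thing on PIX, ASA and, by my addition here, FWSM).
CISCO_FW_RE = re.compile(
    r"%(?P<platform>PIX|ASA|FWSM)-(?P<severity>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)
DENIED_ICMP_RE = re.compile(
    r"Denied ICMP type=(?P<icmp_type>\d+), code=(?P<icmp_code>\d+) "
    r"from (?P<src>\S+) on interface (?P<iface>\S+)"
)


def parse_fw_line(line: str):
    """Return a dict for a Cisco firewall syslog line, or None for anything else."""
    m = CISCO_FW_RE.search(line)
    if m is None:
        return None
    rec = {
        "platform": m["platform"],
        "severity": int(m["severity"]),
        "msgid": m["msgid"],
        "text": m["text"],
    }
    # Message-specific fields for 313001 (denied ICMP); other ids keep only the raw text.
    if rec["msgid"] == "313001":
        d = DENIED_ICMP_RE.match(rec["text"])
        if d:
            rec.update(
                icmp_type=int(d["icmp_type"]),
                icmp_code=int(d["icmp_code"]),
                src=d["src"],
                iface=d["iface"],
            )
    return rec


def count_matches(pattern: "re.Pattern", lines) -> int:
    """How many lines a filter would have passed on to the alert screen."""
    return sum(1 for line in lines if pattern.search(line))


def denied_icmp_sources(lines) -> list:
    """(platform, source) pairs for every 313001 event, whichever box produced it."""
    out = []
    for line in lines:
        rec = parse_fw_line(line)
        if rec and rec["msgid"] == "313001" and "src" in rec:
            out.append((rec["platform"], rec["src"]))
    return out


if __name__ == "__main__":
    print("PIX-only filter sees", count_matches(PIX_ONLY_RE, LOG_LINES), "of", len(LOG_LINES))
    print("id-based filter sees", count_matches(CISCO_FW_RE, LOG_LINES), "of", len(LOG_LINES))
    print(denied_icmp_sources(LOG_LINES))
```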



Published: 2006-09-11

Microsoft August 2006 Patches: STATUS

Overview of the known problems and publicly known exploits of the August 2006 Microsoft patches.

Columns: bulletin, known problems with this patch, known exploits, client rating, server rating.

MS06-040
  Known problems: Issue with:
    • Huge memory allocations on Windows 2003 Server SP1 (32-bit & 64-bit), XP (64-bit) and 32-bit applications.
    • Microsoft Business Solutions–Navision 3.70 on the above platforms.
    • Websense Manager when using Terminal Services
  Fix:
    • Hotfix available by calling Microsoft.
  More information:
  Known exploits: Botnets actively exploiting this in the WILD. Exploit available in an easy-to-use package. read more...
  Client rating: PATCH NOW
  Server rating: PATCH NOW

MS06-041
  Known problems: No reported problems
  Client rating: Critical
  Server rating: Critical

MS06-042
  Known problems: Critical issue:
    • This patch introduces a new arbitrary code execution vulnerability on MSIE 6 SP1.
  Fix:
    • Microsoft re-released MS06-042 on Aug 24th 2006.
    • It is unclear if the hotfix that was available earlier fixes this problem as well.
  More info:
  Issue #1:
    • MSIE 6 SP1 crashes while using multiple applications such as PeopleSoft, Siebel, Sage CRM and websites using HTTP 1.1 and compression, such as The Register.
    • Roll-up patch, so it has all older issues as well.
  Workaround:
    • Disable HTTP/1.1
    • Use an alternate browser (for problem sites)
  Fix:
    • Upgrade to MSIE 6 SP2
    • The re-release of August 24th is intended to fix this. The fix was supposed to be published by Microsoft on August 22nd, 2006 but was delayed.
  More information:
  Issue #2:
    • CA Unicenter Service Desk can cause MSIE to crash on XP SP2 and Windows 2003 SP1
  Workaround:
    • Use the supported Firefox or Mozilla browsers
    • KB923996
  Fix:
    • The re-release of MS06-042 does not fix this problem as far as we know.
  More information:
  Known exploits: The original MS06-042 fixes, among others, an FTP vulnerability that has been well known since 2004. The first revision of the MS06-042 patch's buffer overflow has details public:
    • Microsoft released it first on the 22nd
    • actual code fragments were publicly released on the 24th after the patch was updated
  Client rating: PATCH NOW
  Server rating: Important

MS06-043
  Known problems: No reported problems
  Client rating: Important
  Server rating: Less urgent

MS06-044
  Known problems: No reported problems
  Client rating: Critical
  Server rating: Critical

MS06-045
  Known problems: No confirmed problems
  Client rating: Critical
  Server rating: Less urgent

MS06-046
  Known problems: No reported problems
  Client rating: Critical
  Server rating: Important

MS06-047
  Known problems: No reported problems
  Known exploits: Trojan dropper reported in a Word document by Symantec, Trendmicro(1) and Trendmicro(2). The dropper loads a backdoor: Trendmicro, Symantec. See also diary.
  Client rating: Critical
  Server rating: Less urgent

MS06-048
  Known problems: No reported problems
  Known exploits: Trojan dropper in PowerPoint
  Client rating: Critical
  Server rating: Less urgent

MS06-049
  Known problems: Unconfirmed reports about corruption of files on compressed volumes. [Windows 2000 only patch]
  Client rating: Important
  Server rating: Less urgent

MS06-050
  Known problems: No reported problems
  Client rating: Critical
  Server rating: Important

MS06-051
  Known problems: Although unconfirmed by Microsoft so far, there seem to be problems related to Terminal Services and multiple users loading certain DLLs as part of some applications. Details and fixes or workarounds are too sketchy so far. See also the problem with .ini files and Citrix at the Citrix support forum. We're still looking for a more detailed description of the problems.
  Client rating: Critical
  Server rating: Critical

We will update issues on this page as they evolve.
We appreciate updates.
US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY.


Published: 2006-09-10

Off-Site Backup for Home Users

A few musings about off-site backup for home users and the usefulness of TrueCrypt...

Off-site backup hasn't been an issue for many home users. Perhaps this is because most people haven't assembled enough critical digital data to justify the effort of implementing off-site backup. They haven't even set up an on-site backup scheme. Many home users may never have to deal with off-site backup at all, considering the increasing popularity of free ASP services, such as Gmail, Bloglines, and Shutterfly, which manage data on the customer's behalf.

This is different for data power users, whose livelihood depends on the availability of their information. Freelance photographers, musicians, accountants, writers, programmers, and other professionals who maintain important files at home fall in this category. They have a vested interest in performing off-site backup in some manner, and they often do so.

For the longest time my off-site backup scheme involved burning my data onto DVDs once in a while and taking the disks to a friend's house. This scheme wasn't effective because:

  1. Backing up my data took too long. It was a manual process and involved too many DVDs.
  2. I kept forgetting to go through the backup procedure on a regular basis. Maybe I was just too lazy.
  3. My off-site data quickly became outdated, because my backups were too infrequent.
When looking for a way to overhaul my off-site backup scheme, I considered a few possibilities:
  1. Network-based off-site backup. This method of backing up data wouldn't require me to fiddle with disks, and lends itself well to automation. The bandwidth to implement this scheme is becoming relatively inexpensive, and off-site data storage costs are decreasing. I didn't choose this method because storage costs were still too high for me, but I think I will want to move to this mechanism in a couple of years. (I'm doing this for my home user persona, so my budget is pretty limited.)
  2. Tape-based off-site backup. Tapes have been the traditional off-site backup mechanism for a while in the corporate world, and have been adopted by some data power users at home. I didn't have enough data to justify investing in a tape drive and I just didn't want to deal with tapes. They would allow me to implement a sophisticated backup scheme, but I wanted something simple, which brought me to the next option...
  3. External hard drive-based off-site backup. External drives are relatively inexpensive and offer high data storage capacity. The largest disk on the market I came across was 750GB. That was way too much for me, plus I wanted a drive with smaller dimensions, so that it would be easy to carry it to my off-site location. A laptop form-factor drive with 180GB capacity fit the bill, although it was more expensive than its desktop form-factor counterpart. I bought the disk enclosure separately from the disk itself to save a few bucks.
Whatever off-site backup scheme suits your needs, be sure to consider how you will protect the data's confidentiality and integrity. Especially if you're shuttling disks from one location to the other, encrypting the disk's contents is something you'll probably want to do. There are many ways to encrypt data nowadays. The utility that appealed to me was TrueCrypt.

TrueCrypt is an open-source program for encrypting disks. It works on Windows and Unix operating systems. It's free and easy to use. It can run off external media without having to go through the installation process. TrueCrypt allows you to create an encrypted volume, either by storing the volume's contents in a file or in a dedicated partition. I selected the latter option.

I split my disk in two partitions. A small non-encrypted partition contained the TrueCrypt program. I formatted the much larger partition using TrueCrypt, so that it would exist as an encrypted volume:



To mount the encrypted volume, use TrueCrypt to select the desired partition and assign the mount point or the drive letter to it. TrueCrypt will prompt you for the password you established when creating the volume:



Once the encrypted volume is mounted, it will be available as a local disk, so you can use any backup or file-copying utilities to populate the partition with data.

Update: In addition to supporting password-only operations, TrueCrypt also allows the user to specify and optionally generate one or more key files. Without the key file, the encrypted volume would be inaccessible. The idea is that the key file would be stored away from the encrypted volume, so that the authorized user needs to present something he knows (the password) and something he has (the key file):



If you'd like to learn more about TrueCrypt, take a look at its documentation and at a December 2005 thread on the Dshield mailing list titled "Requiring a key-pair to mount a volume." There are also a few user testimonies in the comments at Bruce Schneier's blog.

-- Lenny

Lenny Zeltser
ISC Handler on Duty
www.zeltser.com


Published: 2006-09-10

Early Discussions of Computer Security in the Media

What's the earliest computer security incident reported in the general media? I was curious.

Now that Google's News Archives Search includes 200 years' worth of publications, it's easy to search printed records without having to go to the library and sift through microfilms. The archive doesn't include all media records, but I think it is a good indication of the general state of the media's coverage of computer security.

I performed a search for articles that match "computer" and "security" and examined the results. Here are the earliest incidents I came across:

  • The earliest computer-aided fraud: National City Bank of Minneapolis, 1966
  • The earliest external intrusion: Federal Energy Administration, 1977
  • The earliest large-scale identity theft breach: TRW Inc., June 1984
The earliest reported fraud incident involving a computer seems to date back to 1966, according to a December 1972 article in Time Magazine:
Minneapolis Programmer Milo Arthur Bennett, whose firm handled computer work for the National City Bank of Minneapolis, programmed the computer in 1966 to ignore an overdraft in his own account at the bank.
This article highlighted the increasing profitability of computer crimes. It explained that a "handful of keypunch crooks have already thought of some ingenious ways to defraud the Brain, with varying results." The text also mentioned the following incident, which was motivated by the desire to use someone else's computer for monetary gain.
Palo Alto Programmer Hugh Jeffrey Ward learned, from customers of a computer firm in Oakland, code numbers that enabled him to give orders to the firm's computer. ... He told the Oakland computer to print out a program for plotting complex aerospace data in graph form. ... His company presumably planned to market the program, which was valued at $12,000 or more, to the Oakland firm's own customers. ...
Five years later, in August 1977, Time Magazine published an article that included the earliest mention of an external computer intrusion I could find:
The conviction of one man, accused of stealing confidential information from a Federal Energy Administration computer in Maryland, was possible only because the thief had dialed into a system from his office a few miles away in Virginia.
Another intrusion mentioned in the article occurred at an identified company and involved brute-force password guessing. The article also mentioned the challenge of striking the right balance between security and usability:
One computer, protected by a five-digit code number, was illegally entered in minutes when the thief ordered the computer to begin trying every one of the 100,000 possible combinations. But tighter security would cost both money and time. Says Robert Courtney of I.B.M. "If you're running thousands of transactions a day, you don't want to spend ten seconds or so every time arguing with the computer about who you are."
After a multi-year gap, the next computer security mention I found dates to 1981. A June 1981 article in the New York Times describes how an employee misused a computer to set up a race-track betting system:
His activities were uncovered by the school board's auditor general, who turned the case over to a specialist in computer security for the city's Department ... The arrested programmer 'was described by a New York City investigator as ''a good employee"' ... [Note: This article excerpt was indexed by Google.]
Two years later, in August 1983, an external intrusion caught the public's eye in a way that it hadn't before. Multiple media articles described a computer security break-in at the Los Alamos National Laboratory. The intruders were youths, apparently inspired by the War Games movie. Here are a few excerpts from the articles that discussed this incident:
The apparent electronic penetration of an unclassified computer in a nuclear weapons laboratory by a group of young people was not a threat to national security, telecommunication experts said today. But they said the incident illustrated the extraordinary difficulty of guaranteeing the security of any information ...

"There's no security in it or nothing. ... Los Alamos has a computer connected to TELENET, a computer communications network" ...

Officials at the Los Alamos National Laboratory in Los Alamos, N.M., said no classified data had been uncovered by the computer users, who reached a lab computer by telephone from Milwaukee. ...

The Security Pacific National Bank of Los Angeles computer also was entered, apparently by the same young people, but no one's account was affected ...
This incident was a big deal because it demonstrated the importance of computer security to the general public. This sentiment is expressed in an August 1983 article in the New York Times:
Corporate executives and telecommunications experts said yesterday that the recent breach of computer security at the Los Alamos National Laboratory in New Mexico had renewed fears about entrusting proprietary information to data networks that are easily accessible by telephone. ...

Most companies are reluctant to discuss their computer security systems, or even acknowledge the extent to which they are dependent on computer systems ... [Note: This article excerpt was indexed by Google.]
Such factors highlighted the need for commercial computer security products. About a month after the Los Alamos incident, a September 1983 article in the Miami Herald described Datacryptor, which sounds like the first commercial VPN product I came across:
Racal-Milgo, a Miami computer company, thinks its $2,000 black box may be just the answer for businesses worried about computer crime. The Datacryptor, as the device is known, is an electronic scrambler that turns sensitive computer talk into undecipherable gibberish. But even the Datacryptor isn't immune to computer crime.
A New York Times article, published the same month, noted that "the market for computer security software is booming," according to the article excerpt indexed by Google.

Another article, dated to October 1983 and published by the New York Times, introduced the readers to the role of a computer security specialist. The article was titled "New Breed of Workers: Computer Watchdogs" and contained the following description:
Processing manager for a major corporation suddenly notices unusual levels of activity on his company's computer. He investigates, and discovers that the system has been tampered with over telephone lines. Corporate panic follows as company officials try to determine what was disclosed, what was damaged and how vulnerable their ...
If you're wondering when the first identity theft-related breach caught the media's eye, look no further than June 1984. A security breach at a credit-reporting agency led to the disclosure of a password used to protect credit reports. Here are a few excerpts from the articles that described the incident:
A password that could permit access to the credit histories of 90 million people was stolen and posted on an electronic bulletin board, TRW Information Systems said yesterday. ...

Through the theft of a code, the credit ratings of the 90 million people tracked by TRW Inc. were used by credit-card thieves armed with home computers, offering the potential to cash in on other people's credit, company officials said yesterday. "We found out about that code a couple weeks ago, and the code is no longer valid," said Geri Schanz of TRW's Information Services Division ...

Computer raiders used a stolen access code to tap into the files of the nation's largest credit rating bureau for more than a year but company officials say the "hackers" could not have altered the records. TRW Information Services, whose computers hold credit ratings and other records on 90 million people, said yesterday the raiders could have used information from the files to fraudulently obtain credit cards.

The subsequent years led to a surge in computer use, the emergence of the Internet, and the shaping of the computer security landscape as we know it today.

-- Lenny

Lenny Zeltser
ISC Handler on Duty
www.zeltser.com


Published: 2006-09-09

A few preliminary log analysis thoughts

As promised, below are a few of my own favorite resources on log analysis.  Probably the top folks in the industry today working on the log analysis problem are Tina Bird, Marcus Ranum, and Anton Chuvakin.  I've had the privilege of attending talks/classes by each of them at SANS conferences; I hope they'll be teaching more of them in the near future.

Resources

The log analysis mailing list - http://lists.shmoo.com/mailman/listinfo/loganalysis
The log analysis web site created by Marcus Ranum and Tina Bird - http://www.loganalysis.org/
SEC (Simple Event Correlator), which I once described to SANS instructor David Hoelzer as "swatch on steroids" - http://kodu.neti.ee/~risto/sec/ and the SEC rules being collected by the Bleeding Snort project at http://www.bleedingsnort.com/sec/ (thanx to Matt Jonkman for reminding me of this).
Marcus Ranum's nbs tool - http://www.ranum.com/security/computer_security/code/nbs.tar
Logwatch - http://www.logwatch.org

As promised, I'll share our reader's suggestions sometime next week.
--------------------------
Jim Clausing, jclausing --at-- isc dot sans dot org


Published: 2006-09-09

New feature at isc.sans.org

We've received a few e-mails on how to find all the tip of the day stories we did in August.  Obviously, you could just look at all the diaries from August and pick out the ones with "Tip of the Day" in the subject, but we've added a feature to the website to make it even easier than that.  Swa linked to it in his wrap up of last month's tips of the day, but we've added a feature that allows us to add tags to diary stories and we've used that on all the tips of the day from August.  So, if you're trying to find them try this URL http://isc.sans.org/alldiaries.php?tag=ToD.

--------------------------
Jim Clausing, handler on duty


Published: 2006-09-09

Log Analysis tips?

Gang, the Storm Center list is relatively slow today (we don't use the q word because bad things happen when someone says that :) ), so I thought I'd ask for thoughts from readers on one of the topics I'm most interested in, and that is log analysis.  Log analysis was mentioned in some of our tips of the day last month, most notably Swa's final tip of the day for the month, but I wanted to hear what our readers look for, what tools you use, etc.  I'll collect them and post a summary early next week (so that those who don't read this over the weekend have an opportunity to contribute).  I'll also give some of my own favorites in another story this evening (US-time).  Use the contact form to send me your suggestions and thanx in advance.

-------------------------
Jim Clausing, handler on duty


Published: 2006-09-08

Is someone watching your internet traffic or telephone calls?

MattM provided this interesting news item to me today.
It is an interesting read.
However, given the options available to most ISPs today to hide the path your packets take, I would be surprised if they made this monitoring so noticeable. Simply tracerouting to see if your packets go through sffca.ip.att.net is too simple a detection method.
For more details see the link.

The Newbie's Guide to Detecting the NSA
http://radar.oreilly.com/archives/2006/06/the_newbies_guide_to_detecting.html



Published: 2006-09-08

AOL ICQ vulnerabilities

Core Security released two ICQ-related advisories today:
one for the ICQ toolbar for IE and another for AOL's ICQ client.
Since Core Security states they used a fuzzer to discover these issues,
I suspect there will be other ICQ vulnerabilities discovered and announced by them in the future.

"Advisory ID: CORE-2006-0322
Multiple vulnerabilities in ICQ Toolbar 1.3 for Internet Explorer
http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1510
Security problems found in the ICQ Toolbar v1.3 may allow attackers to
control and change configuration settings and to inject scripting code
in RSS feed contents and execute it in the contexts of the feed
interface (IE's Local Zone)

Vulnerable Packages:
The following AOL/ICQ software products are affected by these issues:

Remote configuration vulnerability
ICQ Toolbar 1.3 for Internet Explorer

Malicious RSS feed vulnerability
ICQ Toolbar 1.3 for Internet Explorer

ICQ Search Plugin for Mozilla / Firefox is reported as not being vulnerable.

Advisory ID: CORE-2006-0321
AOL ICQ Pro 2003b heap overflow vulnerability
http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1509
A vulnerability in AOL's ICQ Pro 2003b instant messenger client could
lead to denial of service attacks and remote compromise of systems
running vulnerable versions of the client.

Vulnerable Packages:
The following AOL/ICQ software products are affected by this issue:
ICQ Pro 2003b Build #3916 and previous.

Non-vulnerable Packages:
ICQ 5.1 and ICQ2Go!

AOL and ICQ recommend that users upgrade to the latest version of the
ICQ client: ICQ 5.1"


Published: 2006-09-07

Microsoft's September Updates

Well, it's that time of the month again, the time of the month that Microsoft prepares us for patch Tuesday, and reboot Wednesday.

Well here they are:

Two Microsoft Security Bulletins (MSB) affecting Microsoft Windows.  The Highest Severity rating for these is "Important".

One MSB for Microsoft Office.  The Highest Severity rating for this one is "Critical".  (So let's hope it is the new '0-day' in Word.)

They will also update their Software Removal Tool, nothing new there.

They will also be releasing two NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).

And finally they will release three NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

So overall, it looks like 9 updates, three of which are security related and are "Important" or higher.  Looks like a light month.  But still a nationwide reboot.

Read more about it from Microsoft here.


Published: 2006-09-06

Quick plug: Netcat in the Hat

Over the past several months, several of the handlers have written up security-based, "themed" challenges.  This month, I wrote one entitled "Netcat in the Hat," a nod to every child's best friend, Dr. Seuss. (And trust me, having written the challenge in rhyme, I have a new-found respect for the good doctor...)  You can find it here.   Check it out and submit an answer!


Published: 2006-09-06

DUNZIP32.dll Buffer Overflow

Full-Disclosure had an interesting note about IBM's Lotus Notes and a new buffer overflow.  The vulnerability is due to a third-party DLL, DUNZIP32.dll.  IBM has issued a patch for versions 6 and 7. Users of version 5 are advised not to open zip files within Lotus Notes. This exploit does allow an attacker to execute arbitrary code should you open an infected zip file.

Many other software packages using old versions of DUNZIP32.dll are affected by this exploit.

0 Comments

Published: 2006-09-06

Internet Systems Consortium BIND Denial of Service Vulnerabilities

Internet Systems Consortium has stated there are a couple of vulnerabilities in BIND (the DNS server) that can be exploited to cause a DoS.

SIG Query Processing (CVE-2006-4095):
1) An assertion error within the processing of SIG queries can be exploited to crash either a recursive server when more than one SIG(covered) Resource Record set (RRset) is returned, or an authoritative server serving an RFC 2535 DNSSEC zone where there are multiple SIG(covered) RRsets.

Excessive Recursive Queries INSIST failure (CVE-2006-4096):
2) An error within the handling of multiple recursive queries can be exploited to trigger an INSIST failure by causing the response to the query to arrive after all clients looking for the response have left the recursion queue.

So ensure you are patched to the current version:  BIND 9.3.3rc2, BIND 9.3.2-P1, BIND 9.2.7rc1, or BIND 9.2.6-P1.

Updates are available here.

As of this time we have not received any information on an exploit for either vulnerability.

0 Comments

Published: 2006-09-06

Updated Packet Attack flash animation

I updated the "Packet Attack" flash animation. It wasn't updating correctly and I added some hints on how to include it in your own page. You also have the choice between two different map images.

The animation shows a geographical representation of all reports received during the last 5 minutes.

(Thanks to Morgan Grant for helping with the update!)

0 Comments

Published: 2006-09-05

The Sleuth Kit (TSK) for Windows released

The Sleuth Kit (TSK) is a pretty famous forensic tool set. I've personally used it numerous times and I find it to be a great successor to the famous Coroner's Toolkit (TCT). The tool set consists of various command line applications that allow you to examine file systems. You can find more information about TSK at http://www.sleuthkit.org/sleuthkit/desc.php.

TSK has finally been released as Windows binaries, so you don't have to compile them manually anymore. You can download the tool kit from http://www.sleuthkit.org/sleuthkit/download.php.

Thanks to Edi for sending us a note about TSK.

0 Comments

Published: 2006-09-05

More about the host based firewall on Windows XP SP2

Two weeks ago, as part of our "Security tip of the day" series, I wrote a diary about using the host based firewall provided with Windows XP.
We received some valuable submissions about this, so it's time to share them with everyone.

One of our readers also asked why I didn't write about any other (commercial or free) third party host based firewall. While other products indeed exist, and typically have more features than the host based firewall provided with Windows XP (which, as I noted in the first diary, lacks in several things), the idea of the original diary was to give you more information about a firewall that is already available. I've found that the integrated host based firewall in Windows XP is usually underestimated (or turned off because it became a problem) in corporate environments.

Now, let's see how our readers use this firewall. Iain Taylor described how he uses GPOs to manage the host based firewall on workstations which have to share printers. Iain uses WMI filtering in GPOs, which allows him some pretty cool deployments (his WMI kung-fu was obviously on a reasonable level).
Here's Iain's e-mail:

One common requirement on business networks is printer sharing from workstations.
Unfortunately the ports used are ones that would normally be closed on all workstations, as they are also used for file sharing and are a very common target of attack by all forms of crudware.

To maintain as much protection as possible, we only want to open those ports on a targeted subset of machines - i.e. those that actually both have a printer attached AND share it. To achieve this we have used a conditional group policy to open File & Printer sharing ports on the machines which are sharing printers.

Putting those machines into different OUs and applying a specialised GPO with the relaxed firewall settings to them would be one solution, however keeping track of which machines require this behaviour can be challenging. Instead, we use a slightly less-well known feature of GPOs - WMI filtering. This allows the clients to execute a WMI query before deciding to activate a GPO applied to them or not. Now the firewall rules can be 'intelligently' applied, only being relaxed if the Workstation requires the feature, whilst remaining locked-down otherwise.

To achieve this there are two firewall rules GPOs. One is the default (restricted) configuration, applied to all systems without filtering. The other, applied afterwards, has the WMI query attached to it and contains the same settings, except for the File and Printer sharing ports being permitted. The query itself works as follows...

select * from Win32_Printer where Local = TRUE and Shared = TRUE

Using the Windows built-in 'root\CIMv2' namespace, the WMI query first finds whether the machine has a local printer & then checks whether it is shared. If both are true, then the client will apply the GPO, opening the ports. Otherwise the query returns false, the Policy is not applied & the more restrictive default policy is in play.
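A way to see in advance which workstations the WMI-filtered GPO would actually relax, as an added example (this is not code from Iain's e-mail or from the ISC diary): it runs the same WQL filter against a list of machines. It assumes remote WMI/DCOM is reachable and the caller is a local administrator on the targets; the host names are placeholders.

```powershell
# Added example, not from Iain's e-mail or the ISC diary. Runs the GPO's WMI filter
# query against one or more machines and reports which ones would receive the
# relaxed File & Printer sharing policy. Assumes remote WMI/DCOM is reachable and
# the caller is a local administrator on the targets; host names are placeholders.

# The exact WQL that the WMI filter evaluates, in the root\CIMv2 namespace.
$FilterQuery = "select * from Win32_Printer where Local = TRUE and Shared = TRUE"

function Test-PrinterSharingFilter {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        $result = New-Object PSObject -Property @{
            ComputerName        = $computer
            AppliesRelaxedGpo   = $false
            LocalSharedPrinters = ''
            RemoteSharedQueues  = ''
            Error               = ''
        }
        try {
            # A GPO WMI filter applies when the query returns at least one instance.
            $hits = @(Get-WmiObject -Namespace 'root\CIMv2' -Query $FilterQuery `
                        -ComputerName $computer -ErrorAction Stop)
            $result.AppliesRelaxedGpo   = ($hits.Count -gt 0)
            $result.LocalSharedPrinters = ($hits | ForEach-Object { $_.Name }) -join ', '

            # Edge case worth seeing: a connection to a remote print queue can report
            # Shared = TRUE while Local = FALSE. The filter requires both on purpose,
            # since serving a remote queue needs no inbound ports on this workstation.
            $remote = @(Get-WmiObject -Namespace 'root\CIMv2' -Class Win32_Printer `
                        -ComputerName $computer -ErrorAction Stop |
                        Where-Object { $_.Shared -and -not $_.Local })
            $result.RemoteSharedQueues = ($remote | ForEach-Object { $_.Name }) -join ', '
        } catch {
            # Unreachable host or access denied: the GPO would not be relaxed there either,
            # but record why, so it is not mistaken for "no shared printer".
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

# Placeholder host names; replace with the workstations you want to check.
Test-PrinterSharingFilter -ComputerName 'WS01', 'WS02' |
    Format-Table ComputerName, AppliesRelaxedGpo, LocalSharedPrinters, RemoteSharedQueues, Error -AutoSize
```

A machine listed with AppliesRelaxedGpo false but a non-empty Error column needs a second look before you trust the result, because the filter on the client itself would evaluate locally and may still match.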

Ray also wrote to remind us of a nice tool that Microsoft provides: Port Reporter. This tool installs as a service and logs all TCP and UDP port activity. When used with the Port Reporter Parser tool, it provides a very nice source of information about processes that used any ports on the machine.
You can find more information about Port Reporter at http://support.microsoft.com/?id=837243.

0 Comments

Published: 2006-09-05

Reports of Bots exploiting pmwiki and tikiwiki

We have received some anonymous reports of Botnets being created out of vulnerabilities found in Pmwiki and Tikiwiki software.

The Tikiwiki exploit is hitting versions that are <= 1.9, and the Pmwiki exploit is hitting version <= 2.1.19.  Both exploits were written and discovered by the same person, and both exploits have been worked into auto spreading bots.

The Pmwiki exploit only works if you have "register_globals" set to "On" in your PHP installation.  However, the Tikiwiki exploit works regardless of this setting.

We have no info on where these bots are attempting to connect to, yet.  However, we are seeing them in the wild. 

Tikiwiki has published information on how to temporarily patch your systems to make them invulnerable: Click here for that info. From reading this webpage, it also appears that Tikiwiki is working on a permanent patch.

At the time of this posting Pmwiki had no temporary fixes or patches posted to their website.  So ensure that you set "register_globals" to "Off" and restart Apache.

So, if you are running either one of these two pieces of software, please, make sure you are fixed or patched up!

0 Comments

Published: 2006-09-04

Browzar, the privacy that may not be

Browzar, a 'wrapper' for IE, is supposed to wipe all traces of the sites you have visited, cookies, and history files from your computer.  However, many experts have claimed that it is spyware.  This is because Browzar sets the home page to its own search page, which allows them to insert sponsored links intermixed with regular links.  We suggest you take a look at some of the recent articles about Browzar, like this one over at BBC News, and then make your own decision.

Browzar has received a lot of recent attention on mailing lists like Full-Disclosure, with posters claiming that Browzar leaves the last visited URL in a file in the user's Local Settings directory, and that items like cache misses, redirected URLs, and click-through URLs are also left on the machine.

Now of course, your ISP can still track you, and netflows, IDSs on your network, and software that may be on your corporate network like Websense can still find where you go, regardless of whether Browzar leaves anything behind on your host system.

We've looked at other programs like VMware's many free virtual browsing appliances, or even Sandboxie, which runs programs inside of a virtual 'sandbox', apparently leaving no traces behind on the local machine.

So for you privacy guys, put your tin foil beanie on, and browse away.

0 Comments

Published: 2006-09-04

Bots looking for FlashChat App

I don't know if you are familiar with FlashChat, but I wasn't until today. One of our readers, Rodrigo Freire, sent some log traces of those perl based bots.
Tracking it, I was able to get into their botnet, on xx.xx.207.12, running on port 7001.
The default channel found in the perl code was #botnet, and was active at the time this diary was written. The default command to list channels on IRC is /list.
Despite the dangers of running commands on customized ircd servers, I ran it and found another channel, called #scan.
Finally the FlashChat part... :) On the subject of the #scan channel, there was an instruction to scan on Google for sites using FlashChat, ONLY on .co.uk domains!
So, my final instructions to you are:

1- If you run FlashChat, check for patches, security patches, APPLY THEM!
2- If you run FlashChat AND on a .co.uk/.uk domain, APPLY ANY PATCHES AVAILABLE IMMEDIATELY. Additionally, you might want to look through your system for signs of intrusion.
----------------------------------------------------------------------------------
Pedro Bueno ( pbueno //&&// isc. sans. org )


0 Comments

Published: 2006-09-03

Trojan.Mdropper.Q / Email Attachment Practices

Thanks to frequent reader Juha-Matti Laurio for sending us a note about Trojan.Mdropper.Q and the previously undiscovered Microsoft Word 2000 vulnerability that comes with it.  Trojan.Mdropper.Q activates when a file containing it is opened, and then installs a backdoor on the machine.  Fortunately, as with most Office vulnerabilities, a user has to actually open the file before the trojan can be activated.  Generally my advice to users is not to open files that they are not expecting, even if they know the person that sent the file, but this one has made me curious: what do other system admins recommend to their users?  Do you have a policy on email attachments?  Is this policy automatically enforced?

0 Comments

Published: 2006-09-03

Media sanitization NIST website

Yesterday's Diary had an article on Media Sanitization that linked to NIST guidelines questioning conventional wisdom with regard to media sanitization policies.  Yesterday, NIST was having a few problems with their web server, but the guidelines are now back online for your viewing pleasure.

0 Comments

Published: 2006-09-02

UDP Port 47290

In reviewing recent DShield graphs I noticed a sharp and large increase in UDP port 47290 traffic. A quick review of Google and a few other resources left me with no logical conclusion as to the source.



I send this diary out as a call for packets or for any information that might lead to understanding where this traffic uptick comes from. Since this traffic started on 8/28/06, it is interesting to note that the number of reported packets is 226,660 records. The number of sources for this traffic is 134,673. The number of targets is 43. So it's possible we are looking at traffic reported from just one subscriber who sends logs into DShield. Nonetheless, this is a rather interesting and sudden increase and it would be useful to know where this is coming from.

Update: We looked further into this and discovered that 99.99% of this traffic is destined for a single target. This makes the call for packets a fairly moot point.

0 Comments

Published: 2006-09-02

Media sanitization

Conventional wisdom tells us that deleting data is an insufficient means of protecting your sensitive information from being recovered from discarded media. However, while recently reviewing a NIST publication from last month, I ran across an interesting paragraph that reads as follows:

Advancing technology has created a situation that has altered previously held best practices regarding magnetic disk type storage media. Basically the change in track density and the related changes in the storage medium have created a situation where the acts of clearing and purging the media have converged. That is, for ATA disk drives manufactured after 2001 (over 15 GB) clearing by overwriting the media once is adequate to protect the media from both keyboard and laboratory attack.

This is a significant change in stance from the often quoted U.S. Department of Defense 5220.22-M disk erasing standard, which suggests that a minimum of 3 overwrites and a verify is necessary to properly sanitize data. Now, before rushing out and changing all of your purging applications to single pass only, please notice that the quoted paragraph from the NIST publication is fairly specific about the type of hard drive, its size and its manufacture date. Nonetheless, this points to what we will hopefully see as a trend as time passes: fewer passes required to properly sanitize our media.

As a related issue, let's talk a moment about the last time your media sanitization policies were updated. Do they take into account media sources other than hard drives? It is becoming increasingly more difficult to contain and identify all sources where data is stored, but a thorough security program should consider all of these devices in their protection and sanitization routines. Examples of often overlooked devices include cell phones, PDAs, USB thumb drives and digital cameras. Appendix A of the NIST article mentioned above provides a fairly good list of places where data is stored along with the recommended action for sanitizing or destroying them.

Related to the topic of considering other places where sensitive data is stored electronically, reader Cornelius from Australia offers this recent article from The Sydney Morning Herald: http://www.smh.com.au/news/phones--pdas/secrets-spill-from-secondhand-mobiles/2006/08/31/1156817011704.html

0 Comments

Published: 2006-09-02

Another IE Exploit makes the rounds...

We received a report from Gilbert Sebenste, a reader of ISC (thanks!), of a new IE bug.  It was discovered Monday (or rather, published on Monday), has apparently been assigned CVE number 2006-4446, and according to Bugtraq the bug only affects IE 6.0 SP1.

So, we've said it before, and we'll say it again.  Yes, sometimes it's not practical to switch off of IE, but where you can...  do.  Diversify I say!  Even though Mac users aren't affected, use your Safari, Firefox, Opera...

Windows users, check out Firefox, Opera, and whatever other nice browsers you can throw out there.  (I'm a Mac/*nix/*bsd user, so I am not familiar with all the Windows offerings.)  IE is riddled with countless holes and bugs, so try and use something else.

Reader Ottmar followed up on this article with a suggestion for folks that just can't follow the advice above and want to make the best of the situation while still using IE. With respect to this specific issue and other ActiveX based vulnerabilities in IE, the following Microsoft article explains how to modify the registry to keep ActiveX controls from running. Since this does involve modifying the registry, user beware! Without further ado, the Microsoft article can be found here.

----------------
Joel Esler
jesler{at}isc.sans.org

0 Comments

Published: 2006-09-01

CA eTrust Antivirus [was] flagging lsass.e x e

Reader Alan writes in to tell us that apparently "an overnight signature update to the VET engine (30.3.3054) on CA eTrust Antivirus has begun to flag the LSASS.E X E service of Windows 2003 server as being infected with Win32/Lassrv.B."

"Some Win2k3 servers have been failing and unable to re-boot, since the service (exe) was removed by the virus software.

CA has released an update to VET (30.3.3056) that seems to have corrected the problem, but in some cases the damage has already been done."

It seems that CA accidentally flagged Lsass.e x e as a bad file.  Reminiscent of the McAfee .xls debacle of not too long ago.

0 Comments

Published: 2006-09-01

Cogent having problems...

We have received a report of Cogent Communications in Herndon, VA having connectivity problems.  It appears to be localized.

One of our readers, Colin, called into the data center:  "I called their support staff and got through to a guy who described the situation as a network problem 'affecting all traffic in their data center'."

More on this situation if more develops...

0 Comments

Published: 2006-09-01

Fred Flintstone, we'd like to help...

Some of you are going to read this and think that I'm making a joke about trying to contact the stone age...  Unfortunately no.

We have an ISC reader who has submitted some great logs, asking for analysis, unsure of what is really going on, who calls (him|her)self 'Fred Flintstone'.  Which is fine.  We don't mind anonymity.  However, when Fred doesn't leave an email address, and asks us to contact him with any help we can provide, we can't do it.  

So, that being said.  Fred, if you are out there...  email us and provide us your email; we promise we'll not tell Mr. Slate.

Update

Thank you Fred for writing in and giving us your email address so that we can respond.

----------------
Joel Esler
jesler{at}isc.sans.org

0 Comments

Published: 2006-09-01

Out Share! Now it's up to you.

Well August is done.

We had a bunch of Tip of the Day diary entries. It was fun. And looking back on the responses so far our readers liked it. But let's go back to the beginning, and read the goal of it all once again. In one sentence:

It's a race, to win you must share.

So no, this is not the end of the tips. However it's up to you now. We will collect your tips and post them on slower days to share with all other readers.

We have an overview of all "Tips of the Day" published in August. Enjoy!

To submit your tips to success, use the contact page.

0 Comments

Published: 2006-09-01

MS06-040 Worm

For the past several days, the Handlers here at ISC have received all kinds of emails about the recent increase in scanning on port 139.  As noted by fellow handler Lorna the other day, yes, there was definitely something going on, but we hadn't seen any c0de.

Well, guess what.  One of our loyal readers out there on the 'Information SuperHighway', Alex Pettinger, wrote in and gave us some netstat and fport outputs from one of his machines that seemed to be affected by the worm (as well as a nice copy of it).  It appears, in typical antivirus fashion, to be named several things: McAfee is calling it "W32/SDbot.worm!MS06-040", Sophos is calling it "W32/Vanebot-A", and Symantec is calling it "W32.Randex.GEL".  (Yes, it's been out for a couple of days.)

Let's take a look at this bad boy shall we?  How does it spread..  well, it uses: MS04-007, MS05-017, MS05-039, and of course, our favorite bug of the moment, MS06-040.

This one should be relatively easy to catch: look for machines pounding away over port 139 (from reader submissions it's about 150 machines in just a few seconds, so it should be noisy), and look for connections via IRC to "forum.ednet.es" over port 4915 (until the next variant changes it, and we know it will).  It has the ability to do a bunch of things, including spreading to network shares.

Prevention, as always (and it should have been done for years now): block 139 and 445 at the router/firewall.  NetBIOS traffic shouldn't be allowed to exit or enter your network at egress points anyway.

Update your antivirus.  At least daily.

Patch.  You know the deal by now.

Now, since cleaning up botnet infections is pretty much impossible, prevention is the key.  If you DO get hit with a botnet infection running throughout your network, my general recommendation is: rebuild the box.  Now, I know that sounds drastic to some of you, but it gets rid of the worm, gets rid of the botnet, and you have a brand new box!  So, maintain those images, keep your antivirus up to date, patch your boxes, and make sure your IDS/IPS is up to date.
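The two network indicators above (a burst of half-open connections to port 139 from one process, and an IRC session to port 4915) are easy to check for in a netstat snapshot. This is an added example, not code from the diary or from the reader submission; the netstat lines are constructed, and the threshold for calling something a scan is an assumption for the demo.

```powershell
# Added example, not from the ISC diary: checks 'netstat -ano' output for the two
# network indicators the diary gives for this worm, a burst of outbound connection
# attempts to TCP/139 from one process, and an established session to the IRC
# port 4915. The netstat lines below are constructed for the demo; the threshold of
# distinct targets is an assumption (the diary mentions ~150 in a few seconds).

$SampleNetstat = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:1065      192.168.1.21:139       SYN_SENT        1796
  TCP    192.168.1.10:1066      192.168.1.22:139       SYN_SENT        1796
  TCP    192.168.1.10:1067      192.168.1.23:139       SYN_SENT        1796
  TCP    192.168.1.10:1068      192.168.1.24:139       SYN_SENT        1796
  TCP    192.168.1.10:1069      192.168.1.25:139       SYN_SENT        1796
  TCP    192.168.1.10:1070      192.168.1.26:139       SYN_SENT        1796
  TCP    192.168.1.10:1301      10.20.30.40:4915       ESTABLISHED     1796
  TCP    192.168.1.10:1400      192.168.1.50:139       ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
'@ -split "`r?`n"

function Find-Ms06040WormIndicators {
    param(
        [string[]]$NetstatLines,
        [int]$ScanThreshold = 20,   # distinct hosts on TCP/139 from one PID before we call it scanning
        [int]$IrcPort = 4915        # C&C port named in the diary; change it when the next variant does
    )
    $targetsByProc = @{}
    $ircSessions   = @()

    foreach ($line in $NetstatLines) {
        $f = $line.Trim() -split '\s+'
        # Only TCP rows carry a state column; skip the header, UDP rows and short lines.
        if ($f.Count -lt 5 -or $f[0] -ne 'TCP') { continue }
        $foreign = $f[2]; $state = $f[3]; $procId = $f[4]
        $colon = $foreign.LastIndexOf(':')
        if ($colon -lt 0) { continue }
        $remoteHost = $foreign.Substring(0, $colon)
        $remotePort = $foreign.Substring($colon + 1)

        # Half-open connections to 139 are what a spreading host looks like mid-scan.
        if ($remotePort -eq '139' -and $state -eq 'SYN_SENT') {
            if (-not $targetsByProc.ContainsKey($procId)) { $targetsByProc[$procId] = @{} }
            $targetsByProc[$procId][$remoteHost] = $true
        }
        if ($remotePort -eq "$IrcPort" -and $state -eq 'ESTABLISHED') {
            $ircSessions += New-Object PSObject -Property @{ ProcessId = $procId; Remote = $foreign }
        }
    }

    $scanners = @()
    foreach ($procId in $targetsByProc.Keys) {
        $count = $targetsByProc[$procId].Count
        if ($count -ge $ScanThreshold) {
            $scanners += New-Object PSObject -Property @{ ProcessId = $procId; DistinctTargets = $count }
        }
    }
    New-Object PSObject -Property @{
        Scanners    = $scanners
        IrcSessions = $ircSessions
        Suspicious  = ($scanners.Count -gt 0 -or $ircSessions.Count -gt 0)
    }
}

# Demo on the constructed snapshot: PID 1796 has 6 half-open 139 connections and an IRC session.
$report = Find-Ms06040WormIndicators -NetstatLines $SampleNetstat -ScanThreshold 5
$report.Scanners    | Format-Table ProcessId, DistinctTargets -AutoSize
$report.IrcSessions | Format-Table ProcessId, Remote -AutoSize
# On a live machine: Find-Ms06040WormIndicators -NetstatLines (netstat -ano)
```

A single snapshot only catches a host mid-scan; for a machine that is quiet at that moment, Port Reporter logs (see the 2006-09-05 diary above) give the same view over time.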

Cory, one of our ever vigilant readers, notified us that the link to 06-040 was incorrect.  Thanks Cory.  It has been fixed.

0 Comments

Published: 2006-09-01

Tip of the Day: Audit

As the last in the series of tips of the day, I chose the subject Audit.

Audits might sound scary as they verify your work, but they really should not. They can be a great tool toward doing the right thing and catching (and correcting) errors before they escalate and become a problem. As a matter of fact, you can audit your own work, or do it in a team. We all know we cannot find errors in stuff we wrote ourselves, while they're obvious if somebody else wrote it.

Audit yourself/co-worker

You can do various audits yourself of your work:
  • Are backups actually able to be read?
  • Can we actually restore a backup of a system if we lose all the hard disks, or are we missing information?
  • Are the dates/sizes of system files on all our computers still the same? (A poor man's HIDS, but it can also detect failed patches etc.)
  • Do logs from all our systems actually end up in our central log repository?
  • Did management acknowledge all incident reports you gave them? Were there changes implemented due to the incidents?
  • Do we have blocklists? Do we update them regularly? Did we check if they are still relevant?
  • Exposed scripts (such as e.g. cgi-bin perl scripts)? Who reviewed them for security? Were they changed afterwards?
  • Is everything you do documented, and can co-workers understand it and take over your tasks?
  • ...

Internal Audits

Internal audits can go further:
  • Are all our users in our user database(s) still rightfully there? Does the list match with what e.g. HR has as list of employees/contractors? Are the other users interactively used? Are they regularly re-confirmed as needed users? Do we have users that never log in?
  • Can we actually start a Disaster Recovery without touching the existing equipment and information?
  • Do people inside the company know where to find security policies? Do they know key content of the policies? When were they last reminded of the password policy? Are all our policies easy to read? Are all our policies short enough to be read in under 5 minutes?
  • Is equipment we rely on for being warned about problems (availability, IDS, logs, ...) actually tested regularly? How are we sure?
  • Are policies overruled? Why? By who? How often? Was it investigated? Did the policy change afterwards to fix the problem?
  • Where are incidents logged? What were the conclusions? Do people know incidents that were not logged?
  • If you need to find more cool audit ideas, check ISO27001 (or ISO17799); it has a bunch of ideas that you can test to see if you have them or not. Without a policy or guideline requiring it, this isn't a real audit check (as in "must have"), but it's always good to look for some extra credit and go beyond the minimum implied by the policies.
  • Is the inventory complete? Are network diagrams up to date?
  • Is everything labeled? Do machines with possibly confusing ports have labels added to identify the ports? Are cables labeled on both ends with both sides of what they connect?
  • Are logbooks used and filled out? Or are they filled out just before the audit?
  • ...

External Audits

Well, external audits generally should check the same stuff as the internal audits do, but be independent. Still, they are valuable as they can give you the ultimate magic bullet: management support.

  • Typically this starts with regulatory and legal requirements, but it can check compliance with standards as well.
  • They can grant a seal of approval.
  • These audits can also audit those persons that are very hard to audit as an employee: the big chief. Does (s)he feel the policies do not apply to him/herself?
  • ...
Many times this latter type of audit comes up with the dreaded "logs shall be reviewed".
  • First of all: logs are huge. You do not want them to shrink in size.
  • Computers are pretty good at finding things in large amounts of data, if you can tell them what to look for.
  • The "what to look for", however, is lacking in the "review logs" assignment.
This results in the equivalent of telling people to search for something "interesting" in a stack of hay, but not telling them what's interesting. For all you know they find pieces of hay exactly 56.789mm long interesting, and they were not looking for the obvious needles.
As soon as you know what to look for, you can automate it in less time than you do it manually once.

So that leaves?
  • Create logs, the more the better; they might be the only trace you have of an incident.
  • Do NOT review them manually, it is pointless.
  • Automatically look through them:
    • for known problems (you learn them from past incidents);
    • for never seen before entries, using e.g. Marcus Ranum's nbs (never before seen) script/db, so when something absolutely new occurs you get a chance to consider whether it is interesting enough to treat as an incident or not.
  • Keep them for the right amount of time.
  • Look through them for evidence and further understanding once you have an incident to deal with.
That leaves dealing with external auditors that never saw how big a log gets and demand manual reviewing of all logs. The best solution is to show them. Print a few boxes worth of logs out on an old printer, ask them to show you what to look for. And then propose to do it smarter.
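The two automated passes the list above asks for, as an added example (this is neither the diary's code nor Marcus Ranum's nbs tool itself): known-problem patterns learned from past incidents, then a "never before seen" check that collapses each line to a template and reports only templates absent from earlier runs. The log lines, the patterns and the database path are constructed or assumed for the demo.

```powershell
# Added example, not from the ISC diary and not Marcus Ranum's nbs tool itself.
# Two automated passes over a batch of log lines: (1) match patterns for problems
# you already know from past incidents, (2) collapse each line to a template and
# report the ones never seen in any previous run. Sample lines are constructed;
# the patterns and the database path are assumptions for the demo.

# Pass 1 input: regexes learned from past incidents (constructed for the demo).
$KnownProblemPatterns = @(
    'Failed password for root from',   # root brute force seen in an earlier incident
    'forum\.ednet\.es'                 # IRC host an earlier worm used for C&C
)

function ConvertTo-LogTemplate {
    param([string]$Line)
    # Remove what varies from event to event, so thousands of repeats become one template.
    $t = $Line -replace '^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+', ''   # syslog timestamp
    $t = $t -replace '\b\d{1,3}(\.\d{1,3}){3}\b', '<IP>'            # IPv4 addresses
    $t = $t -replace '\b0x[0-9a-fA-F]+\b', '<HEX>'                  # hex values
    $t = $t -replace '\[\d+\]', '[<PID>]'                            # sshd[2231] -> sshd[<PID>]
    $t = $t -replace '\b\d+\b', '<N>'                                # remaining bare numbers
    return $t
}

function Invoke-LogTriage {
    param(
        [string[]]$Lines,
        [string]$SeenDbPath = (Join-Path $env:TEMP 'nbs-seen-templates.txt')
    )
    # The "seen" database is one template per line, appended to across runs.
    $seen = @{}
    if (Test-Path $SeenDbPath) {
        Get-Content $SeenDbPath | ForEach-Object { $seen[$_] = $true }
    }
    $knownHits = @()
    $neverSeen = @()
    foreach ($line in $Lines) {
        if ($line.Trim() -eq '') { continue }
        foreach ($pattern in $KnownProblemPatterns) {
            if ($line -match $pattern) { $knownHits += $line; break }
        }
        $template = ConvertTo-LogTemplate $line
        if (-not $seen.ContainsKey($template)) {
            $seen[$template] = $true
            $neverSeen += $template
            Add-Content -Path $SeenDbPath -Value $template
        }
    }
    New-Object PSObject -Property @{
        KnownProblems   = $knownHits
        NeverBeforeSeen = $neverSeen
        TemplatesInDb   = $seen.Count
    }
}

# Constructed sample batch. The two 'Accepted password for alice' lines collapse to one template.
$SampleLogs = @'
Sep  1 10:02:11 gw sshd[2231]: Accepted password for alice from 10.1.1.5 port 51022 ssh2
Sep  1 10:02:15 gw sshd[2233]: Accepted password for alice from 10.1.1.7 port 51030 ssh2
Sep  1 10:03:40 gw sshd[2240]: Failed password for root from 203.0.113.9 port 4022 ssh2
Sep  1 10:05:02 gw kernel: usb 1-2: new device 0x1a2b attached
'@ -split "`r?`n"

$dbPath = Join-Path $env:TEMP 'nbs-demo.txt'
if (Test-Path $dbPath) { Remove-Item $dbPath }

$first  = Invoke-LogTriage -Lines $SampleLogs -SeenDbPath $dbPath   # first run: 3 new templates, 1 known problem
$second = Invoke-LogTriage -Lines $SampleLogs -SeenDbPath $dbPath   # second run over the same batch: nothing new
"Known: $($first.KnownProblems.Count)  New (run 1): $($first.NeverBeforeSeen.Count)  New (run 2): $($second.NeverBeforeSeen.Count)"
$first.NeverBeforeSeen
```

The template rules are the part to tune: a field left un-normalised (user names above, for instance) means each distinct value shows up as a "new" line, which is noise rather than signal.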


--
Swa Frantzen -- Section 66

0 Comments