Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-10-07 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Open-source Newsbits

Published: 2005-10-07
Last Updated: 2005-10-07 22:31:59 UTC
by Kevin Liston (Version: 1)
0 comment(s)
I don't want to compete with slashdot, but there were two announcement made yesterday that impact the Open-source Security tool market.

Tenable announced yesterday that Nessus 3 will be closed-source: http://news.com.com/Nessus+security+tool+closes+its+source/2100-7344_3-5890093.html?tag=nefd.hed

Checkpoint announced the purchase of Sourcefire, but promises to keep Snort open-source: http://www.checkpoint.com/sourcefire/index.html

kliston -AT- isc sans org
Keywords:
0 comment(s)

Fingerprinting Phishers

Published: 2005-10-07
Last Updated: 2005-10-07 20:56:32 UTC
by Kevin Liston (Version: 1)
0 comment(s)
Over the past couple of months, the number of phishing attacks targeting my client's customers has increased tremendously.  They began to ask me: "why us?"

I haven't answered that question yet, there are still a number of theories, and very little evidence to sort.  But I have made some progress in addressing the "who is attacking us?" question.

First, there is the bait-message.  This is the email that is sent out with the hopes of finding appropriate targets.  Each of these can be investigated as a spam campaign.  They have their spam relays, they have their target list, they have their subset of subject messages, and they may or may not have a permutation of body.

I think it's possible that the people managing the spam campaign are separate from those managing the actual phishing attack.  It's possible that separate phishing groups could employ a single spamming outfit.  That's just a theory at the moment.

Secondly, there is the hook-site.  This is where the link in the bait-message initially takes the victim.  The hook-site may also be the collection-site, but it could forward the victim on to a separate collection server.  This technique is especially common in cases where a phisher has a network of collection sites.

Use of network of sites, is an identifying quality of a phisher.  I argue that given a set of phishing attacks, one can partition them to identify certain habits or modus operandi of the criminal actor.  This actor may be an individual or a group.

There are two main ways that I use to build these partitions or clusters.  You can compare how the hook-site or collection-site is built.  By collecting copies of the phishing sites during your investigation and keeping them on hand, an investigator can go back and identify "repeat offenders."  By comparing the fake website, to the target-firm's original site, you can examine any changes that the criminal applied.  You could also approximately date when the site was copied?if you have a suitable change-control process on your web content.

Clusters and habits can also be detected in the URL used for the hook-site.  How the criminal compromises, purchases, or otherwise acquires the hosting space can be evident in this URL.  Are they creating suspiciously long domain names (implying they control the DNS,) or are they using doted directories in an attempt to hide the space from visual detection?  Are the sites hosted off of cgi-bin space, or in directories of a BBS application?  All of these qualities can be used to cluster a number of attacks into a smaller set of attackers.

Clustering along where a hook- or collection- site is hosted can sometimes illuminate a pattern; I did not find this to be the case in this population of URLs.  I did find some interesting correspondences in the registrar used for some of the domains.  This appeared to be indicative of an issue in the registrar's validation policies.

In an attempt to automate the detection and classification, I wrote some routines that calculate the "lexical distances" between the URLs used in the attacks.  Then we built clusters based on arbitrary thresholds on these distances to see if the system was any better at classifying similar attacks than they humans.  Needless to say, the trained human analyst will outperform my pathetic Perl script any day of the week, but they did find it helpful.  Which is what it's all about.

Sadly, identifying clusters and forming a behavioral fingerprint of a criminal is a long way from identifying said criminal.

kliston -AT- isc sans org


Keywords:
0 comment(s)

Activity on UDP/50032 (explained?)

Published: 2005-10-07
Last Updated: 2005-10-07 20:22:49 UTC
by Kevin Liston (Version: 2)
0 comment(s)
Take a gander at this graph of activity on port 50032.  Starting 9/18/2005 increased use of this port was detected.  Packet captures that have been submitted look to belong to the Ares P2P operating in "firewall bypassing mode."  My thanks to those who submitted captures.

Now, and open letter to P2P protocol creators: if you think you're the first one to come with a brilliant way to tunnel yet another protocol on top of UDP or TCP, think again.  Much like the budding chef who thinks that they're the first person to come up with the peanut-butter, mayonnaise and pickle sandwich-- there might be good reason that such an abomination hasn't caught on yet.  P2P is about peering, and leveraging the power of that network.  It's not about getting past the perimeter (unless you talking about bypassing censorship, which doesn't do silly things with protocols-- it leverages the network of participants to anonymize requests.)  Also, throwing another layer of abstraction on top of the exiting layers is not going to make your file transfers more efficient. 

I'm sorry that your employer doesn't allow you to download your Dr. Who episodes on their FAT PIPE. 

Thanks.

kliston -AT- isc sans org
Keywords:
0 comment(s)

Adventures in Hunting Rogue Wireless Access Points

Published: 2005-10-07
Last Updated: 2005-10-07 19:46:04 UTC
by Kevin Liston (Version: 1)
0 comment(s)

This week I had to opportunity to hunt down some rogue WAPs at a client's campus.  It was a very target-rich environment.  Out of the 62 talker's that I spotted on the hunt, 39 of them were not the main, accepted infrastructure.  Out of these 39, we were looking for only one.  Not quite a needle-in-a-haystack problem, but more like something-under-a-desk-in-a-sea-of-cubicles problem.

The Playing Field
The search area consisted of an extremely large low-rise facility with cubicles reminiscent of poultry factory farming.

The Players
Myself, with my trusty combat-laptop running Debian and Kismet 2005.04.R1 with an Orinoco Gold PCMCIA card, and an external directional antenna.

Vs.

The engineer who designed the wireless infrastructure with his Windows XP laptop, Cisco Aironet card, and AiroPeek from WildPackets.

Well, it was more of a team effort.

The Strategy
Based on the results that we were seeing from the Engineer's WLSE (http://www.cisco.com/en/US/products/sw/cscowork/ps3915/) interface we knew that two of his WAPs could see the target, and we knew approximately where these WAPs were installed.

He went with the back-pack, cary-the-laptop around method, while I appropriated a cart to wheel around.

We went down to the area and wandering ensued.  Eventually, kismet detected the beacon packets.  The best way to use Kismet in hunting a single WAP is to bring up the details (the 'i' key in this version,) and keep an eye on the power rating.  The 14dBi gain antenna wasn't as much use in the environment as I had hoped it would.  It did help in determining if we were on the right floor, and which WAP is was most likely close to.  It got us into the general area.  Eventually you get too close to the transmitter for the antenna to be helpful.

Attenuation is Your Friend
As you get closer to the transmitter, the signal is hot enough that you can't see the subtle changes in intensity to help guide you in the correct direction efficiently.  You need to "knock the signal down" a bit so that it fits better on your meter, so that you can read the changes.

My first step was to pull out the directional antenna.  In what turned out to be good luck, the only cart that was available for me was a high walled metal cart used to transport hanging-files.  This held my laptop and it's PCMCIA card in the bottom of a metal box.  So it was shielded from the signal rather well.

Once I was in the right area, I would effectively worm my way around the cubes until I spotted the blinky box that we were after.

Follow-up
My initial plan to solve the rogue access point problem was to buy some prizes and have a few "Fox and Hound" contests on the weekend where some of the appropriately-minded employees could "compete."  I still like that plan, but any time that you have people looking through cubes, you have to operate in teams so they can both keep-an-eye-on and vouch-for each other.

For more information on general transmitter hunting, I recommend Moell and Curlee's Transmitter Hunting: Radio Direction Finding Simplified.  Although their focus is on a different frequency range, the general concepts apply.

kliston -AT- isc sans org
Keywords:
0 comment(s)

Microsoft October Security Bulletin Advance Notification

Published: 2005-10-07
Last Updated: 2005-10-07 18:16:45 UTC
by Kevin Liston (Version: 2)
0 comment(s)
Microsoft released their advance notification (many thanks to all of the grammar help--English is my first attempt at a natural language) yesterday promising a release of nine security bulletins next Tuesday.  The highest rating is projected to be "critical," and there will be reboots required.

I can't wait.

kliston -AT- isc sans org
Keywords:
0 comment(s)

Bluetooth Followup Links

Published: 2005-10-07
Last Updated: 2005-10-07 18:15:17 UTC
by Kevin Liston (Version: 1)
0 comment(s)
Last Saturday I posted a bit more about my andventures in Bluetooth scaning.  I left out a link that I had intended, and a few more interesting links were sent in by the readers.

I failed to provide a link to btscanner by Pentest in the UK  I did not use it in my tests, but I've heard good things about it.

Other intersting links that were sent to me:

http://www.digitalmunition.com/projects.html
http://3eyes.co.uk/views/public/?doc=Loca

and something interesting form slashdot:
http://www.placelab.org/

kliston -AT- isc sans org
Keywords:
0 comment(s)
Diary Archives