SANS ISC: InfoSec Handlers Diary Blog

Illusions of security

Published: 2006-01-18
Last Updated: 2006-01-19 15:54:09 UTC
by Swa Frantzen (Version: 1)

First off, I'm not bashing vendors, pet operating systems or even people. Just trying to make people realize they might have illusions. So stop reading here if you cannot deal with disillusions.


I recently purchased a computer for my wife at a small shop. I really like the shop. They customize off-the-shelf hardware to make extremely silent, high performance PCs. So after waiting for this new monster's parts to be collected and customized, I went to the shop to pick it up. The shopkeeper takes the time to open up the case to show their work, turns it on, and I verify the hardware properties to make sure my custom-built machine has all the right parts. All good, I still like them.

Before he turns it off though, he tells me something very worrisome. It went like: "We turned off the windows automatic updates". I wasn't sure if I'd wipe the harddisk or not at that point, but as such things would convince me to wipe, I answered "No problem, I'll enable it when I get home, thanks for the warning". Then he goes on to explain they always do that, as "In our experience windows update and all those patches break more than the viruses harm you. Just add a good anti-virus program, we've already tightened up the windows firewall. You'll be safe, don't worry. In our experience it is best to install the service packs Microsoft brings out, but stay away from the crap in between". Painfully wrong advice in my opinion, from a shop I like a lot for their hardware.

I'm very worried about the less security savvy consumer. I'm not convinced other shops give that much better advice. Sure, they might want to try to sell me an anti-virus and personal firewall bundle. So we need to get the word out to the world at large. Do not believe all too easily that you are safe, no matter the fancy explanations.

  • A personal firewall will help, but it will not protect you from everything out there.
  • An anti-virus program will help, but it will be unable to protect you from everything out there; new malware in particular goes undetected very easily.
  • Updates from Microsoft are critical and should be installed as soon as possible after they have been released. Microsoft does not release a security patch unless there is a real vulnerability behind it, and exploits for patched vulnerabilities tend to appear quickly.
And yes, experience shows that installing patches is one of those moments when you are more likely to get a blue screen of death. But you would have gotten it anyway, even without the patch: it is just a sign your machine was already becoming unstable. And it is a good opportunity to rebuild the machine and install the patches. See: no problem installing the patch on a clean system!
I've seen large IT support departments revert their policy from shying away from patches to a patch-ASAP policy for their desktops and laptops. Their conclusion was simple: we have less work in total, and it is more spread out, if we encourage immediate patching.

Mac OS X

I use a PowerBook myself. I like it a lot, but I see a few things that worry me:
  • Often we get answers, even here at the Internet Storm Center with our much more security-minded readership, that go like "I'm using a Mac, no security worries". How can you be sure there are no worries? Check the number of security patches you got: they fix vulnerabilities. So you do have security worries, just no (mass) exploits.
  • Apple is switching from PowerPC to Intel CPUs. Most script kiddies out there know Intel CPUs much better than they know a G4 or G5, so exploiting it becomes much easier for them. And yes, that Intel Core Duo is a dual-core Centrino part, exactly their cup of tea: there are plenty of machine code coders for it.
  • Apple uses open source software as a basis. One of the reasons I like OS X is exactly that it is based on BSD Unix. But the open source community fixes vulnerabilities at a very fast rate, and the fix itself documents the vulnerability in public source code. Apple takes a bit longer to issue fixes for the same vulnerabilities, and that leaves a relatively long window of vulnerability to exploit.
  • Apple is gaining market share. History has shown that more popular OSes get attacked more; exploit developers like to say there are zillions of affected users. Look at it the other way: seen any recent high profile exploit against AIX, Windows 3.1, Ultrix, IRIX, ...? I'm pretty sure they are not 100% vulnerability free, just not that interesting as a target.
  • Anti-virus, anti-spyware, ... software for OS X? There is such software; I tried to buy it.
    • I went to the website of a well-known anti-virus vendor and found they had something for Tiger, but when I tried to go to their consumer ordering system I got a nice message that I needed to use Internet Explorer to order anything. Hmm, I'm happy to say I do not have Internet Explorer on my Mac, and want to keep it that way.
    • I went to the business side of their website and, unexpectedly, I could order the OS X version of their product there, and their shopping basket worked in both Safari and Firefox. Funny, it looks like the same software for that basket. But apparently corporate customers do not meet the roadblock that keeps others out of that part of the website when they do not surf the web with MSIE.
    • They only sell their OS X product in bundles of 5 licenses. I don't have 5 Macs, just 2, nor am I likely to buy 3 more Macs in the near future.
So, as far as they are concerned, I'm still without anti-virus and anti-spyware protection on my Mac; I guess the rest of the network will have to live with me not helping to protect them.

So somehow we'll need to live with the constantly increasing risk and a user community that thinks it is invulnerable.


Many security professionals try to avoid Microsoft's Internet Explorer (MSIE). We can see this in our own logs: about 50% of our hits come from MSIE, while less security-minded sites see more like 80% of their hits from MSIE.
But are those alternatives safer? Probably. Are they 100% safe? No: those browsers have all had their share of problems, and they all support executing downloaded code and tracking technology (Java, JavaScript, cookies). Add to that vulnerabilities in the code itself, and you should not feel safe surfing to any attacker's website with any of these browsers.
Even the tools used to gather known malicious content, such as wget and lynx, have suffered from vulnerabilities.

The rest

Please, don't try to convince me your favorite OS is immune to everything.

To take just one example, Linux: sure, it has better security because most users do not run with superuser rights. But is it immune to worms, trojans, etc.? No. And for the rest, reread the Apple story above, as most of it applies to Linux as well.

Not even OpenBSD has a zero defect track record.


There are other solutions than unplugging the network permanently. It's called defense in layers. You choose the least vulnerable, the least exposed, the least targeted, the least commonly used solution, and you choose them in layers around you so that each layer protects you redundantly. And if all fails, you are ready to mitigate the consequences, learn from the experience and rebuild.

But living with the illusion of security is the worst solution as far as security is concerned.

Swa Frantzen

Cisco patch day

Published: 2006-01-18
Last Updated: 2006-01-18 22:11:05 UTC
by Swa Frantzen (Version: 2)

Cisco published 3 security advisories relating to their products:

Cisco sgbp DoS

Cisco published a report about a DoS condition on some of their routers.

It is situated in the Stack Group Bidding Protocol (SGBP), which is used to enable bandwidth on demand using Multilink PPP (MLP).

Full details at Cisco.

To summarize:

  • Not vulnerable if the router does not support SGBP or if it is not configured (so "show sgbp" from the enable prompt should give no output or a syntax error message).
  • Workarounds are listed, using ACLs to protect UDP/9900 on the affected routers.
  • Upgrade to fix it.
  • Traffic to UDP/9900 may now be DoS attempts.

Cisco Call Manager

Cisco CallManager had two issues against it. The first is a DoS that is itself twofold: connections not timing out fast enough, and connections filling up the Windows message queue.

Full details at Cisco.

In summary:
  • TCP/2000 connections do not time out under certain conditions, hogging resources; in specific conditions these connections never time out.
  • Connections to ports 2001, 2002 and 7727 can fill up the Windows message queue, triggering a restart of the CallManager after 30 seconds.
  • Workarounds might include separating the VoIP traffic and isolating the CallManager from more generic IP networks.
  • Traffic to TCP/2000, 2001, 2002 and 7727 may now be DoS attempts.

Escalation of Privileges

Cisco Call Managers with Multi Level Administration (MLA) enabled are vulnerable to an escalation of privileges.

Full details at Cisco

In summary:
  • Users in the administrative group with read-only access rights can attack the web component of the Cisco CallManager and gain more rights.
  • Workarounds might include not using the administrative read-only access level.
Swa Frantzen

Port 13701 spikes

Published: 2006-01-18
Last Updated: 2006-01-18 21:19:38 UTC
by Swa Frantzen (Version: 1)

Immediately after FrSIRT publicly released an exploit against Veritas NetBackup, scanning for TCP/13701 started to increase dramatically.

Date        Sources  Targets  Records
2006-01-18      156    47350    96176
2006-01-17      319    64840   202750
2006-01-16      173    19805    56116
2006-01-15        8       18       39
2006-01-14        4        3       10
2006-01-13        7        7       24

We also provide per autonomous system reports for those managing an AS:[ASN]
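The Cisco advisories above end with "traffic to these ports may now be DoS attempts", and the table above is what a post-exploit-release scan looks like in daily totals. As an added example (not part of the ISC diaries, and not ISC code), the Python below turns those port numbers into a watchlist, runs it over a few constructed iptables-style firewall log lines, and flags the kind of daily spike the TCP/13701 table shows. The log format, the addresses (RFC 5737 documentation ranges) and the function names are assumptions made for the example; the daily figures are the ones in the table above.

```python
import re
from collections import Counter, namedtuple
from statistics import median

# Added example (not from the ISC diaries): watchlist of the ports named in the
# Cisco advisories and the NetBackup scan report, a matcher for firewall log
# lines, and a simple daily spike detector. Log lines and hosts are constructed.

WATCHLIST = {
    ("udp", 9900): "Cisco SGBP DoS probe",
    ("tcp", 2000): "Cisco CallManager connection exhaustion",
    ("tcp", 2001): "Cisco CallManager message-queue flood",
    ("tcp", 2002): "Cisco CallManager message-queue flood",
    ("tcp", 7727): "Cisco CallManager message-queue flood",
    ("tcp", 13701): "Veritas NetBackup exploit scan",
}

# Constructed iptables-style log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Jan 18 10:01:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41022 DPT=13701
Jan 18 10:01:05 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=41023 DPT=13701
Jan 18 10:02:17 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=UDP SPT=9900 DPT=9900
Jan 18 10:03:44 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.20 DST=192.0.2.50 PROTO=TCP SPT=51000 DPT=80
Jan 18 10:04:01 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=41024 DPT=13701
Jan 18 10:05:30 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.31 DST=192.0.2.60 PROTO=TCP SPT=52000 DPT=2000
"""

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

Hit = namedtuple("Hit", "src dst proto dport reason")


def watchlist_hits(log_text):
    """Return one Hit per log line whose destination port is on the watchlist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        key = (m["proto"].lower(), int(m["dpt"]))
        reason = WATCHLIST.get(key)
        if reason is not None:
            hits.append(Hit(m["src"], m["dst"], key[0], key[1], reason))
    return hits


def sources_by_port(hits):
    """Map each watchlisted port to a Counter of source addresses, so one host
    sweeping many targets (a scanner) stands out from scattered single hits."""
    per_port = {}
    for h in hits:
        per_port.setdefault((h.proto, h.dport), Counter())[h.src] += 1
    return per_port


# The diary's TCP/13701 table, oldest day first: (date, sources, targets, records).
PORT_13701 = [
    ("2006-01-13", 7, 7, 24),
    ("2006-01-14", 4, 3, 10),
    ("2006-01-15", 8, 18, 39),
    ("2006-01-16", 173, 19805, 56116),
    ("2006-01-17", 319, 64840, 202750),
    ("2006-01-18", 156, 47350, 96176),
]


def spike_days(series, baseline_days=3, factor=10):
    """Flag days whose record count exceeds factor x the median of the last
    baseline_days normal days. Flagged days are kept out of the baseline so the
    first day of a scan does not make the following days look normal."""
    normal = []
    flagged = []
    for date, _sources, _targets, records in series:
        if len(normal) >= baseline_days:
            base = median(normal[-baseline_days:])
            if base > 0 and records > factor * base:
                flagged.append((date, round(records / base, 1)))
                continue
        normal.append(records)
    return flagged


if __name__ == "__main__":
    for hit in watchlist_hits(SAMPLE_LOG):
        print(hit)
    for date, ratio in spike_days(PORT_13701):
        print(date, "records %.0fx baseline" % ratio)
```

Against the table above the detector flags 2006-01-16 through 2006-01-18, each thousands of times the three-day median of 24 records, and the per-port source counts show the one sweeping host behind the three TCP/13701 lines; a hit on a watchlisted port is a reason to look, not proof of an attack, since legitimate SGBP peers and CallManager clients use the same ports.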

Swa Frantzen

Worldnic outage

Published: 2006-01-18
Last Updated: 2006-01-18 19:20:33 UTC
by Swa Frantzen (Version: 1)
We got reports that Worldnic DNS servers were not responding, and in our preliminary search we found that all of the ns? DNS servers were indeed not responding to requests.

For a while we had trouble reaching the Network Solutions website (redirection loop); next their website spoke of "a widespread outage" without more detailed information. Now it says "At 10:45 a.m. this morning, we experienced a hardware problem that impeded traffic to our hosting and e-mail servers.  We experienced technical difficulties with an auto recovery system.  At 11:50 a.m. the system was restored. " which would seem to indicate the problems are over.
To the more technical reader it might be clear that the problem reported to us had nothing to do with their e-mail or web hosting servers, but with their DNS servers. Or perhaps those servers had issues as well, but that hardly matters to the average user when DNS isn't working as it should.

Also remember this diary about a very similar incident.

Swa Frantzen

Oracle patches

Published: 2006-01-18
Last Updated: 2006-01-18 12:16:58 UTC
by Swa Frantzen (Version: 1)
Oracle released patches on Tuesday; I highly recommend that security professionals check with their DBA and/or Oracle.

This URL might save you some time digging through the website trying to find release notes:
Still, such a large chunk of patches in one go is a bit too much. Let's have them more often and fewer at a time, please.

Swa Frantzen

New mass mailer spreading (Blackmal/Grew/Nyxem)

Published: 2006-01-18
Last Updated: 2006-01-18 03:15:12 UTC
by Bojan Zdrnja (Version: 1)
We got several submissions of a new mass mailer worm spreading around. Besides the usual stuff worms do these days (disable AV programs, scan the local system for new e-mail addresses), this one is a bit more interesting: the attachment can be either an executable file or a MIME file that contains an executable file.

The sample we received had an attachment named Attachments00.HQX, which is actually just a uuencoded file:

begin 664 Attachments,zip                                      .SCR

You can also see a typical "insert a lot of spaces before the real extension" trick.

Detection of the worm is decent across various AV programs, but naming remains inconsistent as always (Symantec calls this worm W32.Blackmal.E@mm, Trend Micro calls it WORM_GREW.A, while Sophos calls it W32/Nyxem-D - go figure!).
Seems like we'll have to wait longer for CME.
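The attachment described above uses two tricks at once: an .HQX name that suggests BinHex while the body is plain uuencode, and a "begin" header whose filename is padded with spaces so that only "Attachments,zip" shows in a narrow mail client column while the real extension is .SCR. As an added example (not from the ISC diary and not the worm itself), the Python below parses such a uuencoded body with the standard library's binascii module, reports the apparent versus real filename, and checks the decoded payload for the DOS "MZ" executable header. The sample it builds is constructed: a few harmless bytes behind an "MZ" magic under a padded name in the shape the diary shows; the function names and the list of executable extensions are choices made for the example.

```python
import binascii
import re

# Added example (not from the ISC diary): parse a uuencoded attachment, flag a
# misleading container (.HQX name, uuencode body) and the padded-filename trick
# that hides the real .SCR extension behind a run of spaces.

# Extensions Windows will execute when double-clicked (illustrative subset).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "hta", "vbs", "js"}

UU_HEADER_RE = re.compile(r"^begin (?P<mode>[0-7]{3,4}) (?P<name>.*)$")


def detect_container(text):
    """Classify the attachment body by its first non-blank line."""
    for line in text.splitlines():
        if line.strip():
            if line.startswith("begin "):
                return "uuencode"
            if line.startswith("(This file must be converted with BinHex"):
                return "binhex"
            return "unknown"
    return "empty"


def parse_uu(text):
    """Return (mode, declared name, decoded bytes) for a uuencoded blob."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = UU_HEADER_RE.match(lines[0])
    if header is None:
        raise ValueError("not a uuencode header: %r" % lines[0])
    body = bytearray()
    for line in lines[1:]:
        if line == "end":
            break
        if line == "`":  # zero-length line that precedes "end"
            continue
        body += binascii.a2b_uu(line)
    return header["mode"], header["name"], bytes(body)


def analyze_attachment(text):
    """Summarize what a user sees versus what the attachment really is."""
    container = detect_container(text)
    if container != "uuencode":
        return {"container": container}
    mode, declared, payload = parse_uu(text)
    name = declared.rstrip()
    # Two or more spaces inside the name is the padding trick: a narrow column
    # shows only the part before the padding ("Attachments,zip" reads as .zip).
    pad = re.search(r"\s{2,}", name)
    apparent = name[:pad.start()] if pad else name
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return {
        "container": container,
        "mode": mode,
        "declared_name": declared,
        "apparent_name": apparent,
        "padded_name": pad is not None,
        "real_extension": ext,
        "executable_extension": ext in EXECUTABLE_EXTENSIONS,
        "mz_header": payload[:2] == b"MZ",
        "payload_size": len(payload),
    }


def build_sample():
    """Constructed sample in the shape of the diary's attachment. The payload is
    a few harmless bytes behind the DOS 'MZ' magic, not the worm."""
    payload = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n$"
    name = "Attachments,zip" + " " * 38 + ".SCR"
    lines = ["begin 664 " + name]
    for i in range(0, len(payload), 45):  # uuencode carries 45 bytes per line
        chunk = binascii.b2a_uu(payload[i:i + 45], backtick=True)
        lines.append(chunk.decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    for key, value in analyze_attachment(build_sample()).items():
        print("%-22s %r" % (key, value))
```

On a mail gateway the useful signal is the combination: a declared name whose visible part and real extension disagree, an executable extension, and an MZ header in the decoded bytes, regardless of what the outer attachment is called; any one of those alone is a weaker indicator.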