Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
September OUCH! awareness newsletter released - How to use social networking sites safely. http://bit.ly/ja6TMH

SSH Vandals?

Published: 2011-09-15
Last Updated: 2011-09-15 13:56:55 UTC
by Johannes Ullrich (Version: 1)
15 comment(s)

I had an interesting detect in one of my kippo honeypots last week. Kippo, if you are not familiar with, is a script simulating an ssh server. It is typically configured to allow root logins with weak passwords and can be the source of never ending entertainment as you see confused script kiddies. The honeypot logs key strokes and is able to replay them in "real time".

In this particular case, the attacker logged in, and issues the following commands:

kippo:~# w
 06:37:29 up 14 days,  3:53,  1 user,  load average: 0.08, 0.02, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    151.81.3.83       06:37    0.00s  0.00s  0.00s w

kippo:~# ps x
  PID TTY          TIME CMD
 5673 pts/0    00:00:00 bash
 5677 pts/0    00:00:00 ps x

kippo:~# kill -9 -1
kippo:~#

In short, the attacker went in, did minimal recognizance, and then went ahead killing the system (terminating all processes with a PID larger then 1). A real system would be unresponsive as a result.
 
Not clear if this is a vigilante/vandal killing badly configured ssh server, or if this was an intent to detect a honeypot (But then again, the real system would be dead as a result, and there are less destructive ways to detect simple honeypots like kippo.
 
The speed of the attack suggests that it was performed manually. We do not see a big change in ssh probes overall.
 
Any ideas? Has anybody seen similar "vandals"?

-----------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: ssh vandals
15 comment(s)

DigiNotar looses their accreditation for qualified certificates

Published: 2011-09-15
Last Updated: 2011-09-15 11:22:49 UTC
by Swa Frantzen (Version: 1)
5 comment(s)

Next to being a provider of SSL certificates (which most browsers now distrust), DigiNotar also issued so-called "qualified" certificates. These are used to create digital signatures and they are much stricter regulated that the run of the mill SSL and EVSSL certificates we all know from web servers and the like.

OPTA, the Dutch independent post and telecommunication authority - think of them as the regulator- , has terminated [in Dutch] the accreditation of DigiNotar as a certificate provider on Sept 14th, 2011. This pertains to their qualified certificates.

It's probably best to give a very short introduction on what qualified certificates, accredited providers are and why this is so important.

The EU has issued guidelines (Directive 1999/93/EC) that have been translated in local law by member states such as the Netherlands that establish legal value in digital signatures. There are a number of levels of trust in this from the legislators. Typically -local laws differ a bit sometimes, but they all implement the same concept- a digital signature is going to be -by law- equivalent to a manual one. At the lowest level a digital signature can be as little as writing your name under an email, but all remains to be proven in court afterwards. It gets more interesting on the higher levels: if the digital signature is proven to be a qualified digital signature, the equivalence to a manual signature is automatic (i.e. no discussion in court). But it still needs to be proven that the digital signature is in fact qualified. The ultimate level however are qualified digital signatures made with the means provided by an accredited provider. There the proof that the digital signature is qualified is automatic as well as it's done up front (in the audits of the accredited providers).

This all is guided under the ETSI TS 101 456 standard from a more technical point of view. This standard sets the requirements.

Since the means provided by an accredited provider can be used to create digital signatures that are almost only disputable if one proofs fraud, it's to all of us -esp those living or doing business in the EU- of critical importance that there are no rogue qualified certificates out there with our name on it as they carry such a high legal weight.

OPTA reports a timeline that's been mostly public knowledge except for their own actions and the interaction with DigiNotar and their auditors. The report concludes that DigiNotar was not only not acting in accordance to ETSI TS 101 456 on quite a few points, but also breaking the relevant local laws.

OPTA also names PriceWaterhouseCoopers as the (regular) auditors of DigiNotar, but does not go as far as to name them the ones that gave them the apparent clean bill of health on July 27th, 2011: "A number of servers were compromised. The hackers have obtained administrative rights to the outside webservers, the CA server “Relaties-CA” and also to “Public-CA”. Traces of hacker activity started on June 17th and ended on July 22nd". Which was later dramatically proven to be untrue.

OPTA reports there are about 4200 qualified (signing) certificates issued by DigiNotar. These will now have to be contacted by DigiNotar under supervision of OPTA. These certificate holders will have to seek another provider if they have not done so already.

The revocation as an accredited provider, also means that DigiNotar doesn't meet the requirements for their PKIOverheid activities anymore.

--
Swa Frantzen -- Section 66

Keywords: breach DigiNotar ssl
5 comment(s)
Diary Archives