Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2012-02-22 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

ISC Feature of the Week: Handler Diaries

Published: 2012-02-22
Last Updated: 2012-02-22 21:48:50 UTC
by Adam Swanger (Version: 1)
0 comment(s)

Overview

Internet Storm Center features daily handler diaries with summarizing and analyzing new threats to networks and internet security events. Diaries range from 0day vulnerability announcements to the latest software update releases. If it's security related, we'll probably put up a diary about it!

The ISC homepage https://isc.sans.edu always displays the last 24 hours of diaries. The top and bottom of every diary, wherever it is listed, contains a previous/next navigation link that will iterate through all the diaries in order. You can click the title to view the full diary page.

What's in a Diary?

A Diary title is always an active link so you can right-click and copy to send to a friend or co-worker you think would be interested in the information. Alternatively, there is a "Share" menu to the right of the title if you want to publicly share on any number of social networking sites!!

Under the title you will see the original published date and the last updated date if any changes have been logged to the diary. Below that you will see the name of the handler that authored the diary and version number. The "Rate this diary" is currently disabled but should be back soon.

The number of comments displays how many comments have been added and is a link that will take you straight to the comments section below the diary. You can leave a comment if you are logged to your ISC/DShield account. Not logged in? No worries, just click the link, login and you should be brought right back to leave your comment. The Alias will default to what you have set in Your Information https://isc.sans.edu/myinfo.html but you can change it to whatever you want. Every comment is vetted by the handlers and inappropriate or blatant ads are removed.

The diary content will vary. It can contain anything from just a few lines of text, sometimes with web links, to a full tutorial with illustrated graphics. A handler will have their own custom signature at the end of every diary posted. If an announcement is short and doesn't require a lot of detail, a handler may post a "oneliner" which is highlighted with a different background/border and generally just one sentence.

A Keywords list follows the diary content. This is a individually linked list that will take you to a page displaying a table of all the diaries that contain that same keyword, along with the date published and author.

How can I find past dairies?

 The easiest way to find past diaries is to search for keywords as explained here https://isc.sans.edu/diary/ISC+Feature+of+the+Week+ISC+Search/12496. ALL the diaries can be listed by date on the Diary Archives page https://isc.sans.edu/diaryarchive.html. This is useful if you know the general timeframe or title text of a specific diary or just want to skim titles as an entire month is shown at once.

The site footer always contains some of the most recent Diary Archives in the center as well as a link to all the archives page. The homepage also lists some more of the most recent diaries as well as a link to the Diary Archives page https://isc.sans.edu/diaryarchive.html. There is also a link to the archives after every comment section on the diary page. 

How can I get these diaries you speak of?

Well, you can make https://isc.sans.edu your default browser page so you don't miss anything.

You can also receive full or title only diaries by subscribing in your favorite RSS reader. The links can be found here https://isc.sans.edu/xml.html#rss 

 

Let us know in the section below if you have suggestion or feeback about our diaries or send us any questions or comments in the contact form at https://isc.sans.edu/contact.html

--


Adam Swanger, Web Developer (GWEB)


Internet Storm Center (http://isc.sans.edu)


Keywords: ISC feature
0 comment(s)

Apache 2.4 Features

Published: 2012-02-22
Last Updated: 2012-02-22 13:59:08 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

The Apache Foundation released version 2.4.1 of its popular web server, including a number of interesting changes [1]. Among the features, I would like to highlight some of the security relevant changes:

- more granular logging. Logging is always a tedious and often overlooked security component. Apache 2.4 will allow for log levels to be configured on a per-directory level.

- various changes to timeouts. We had a number of tools over the last few years that attacked web servers by exhausting connections. The new timeout changes may help with that, but over all, I don't think there is a simple fix for this problem.

- changes to the proxy configuration. Some use apache not just as a web server, but as a proxy to restrict access to resources, or as a load balancer. This can help with security, but in the past, bugs in Apache's implementation of these features has caused problems. 

- Apache now includes a "mod_session" that will have Apache take care of sessions. This includes support for encrypted sessions, and support for session based authentication. Really have to see how this will all work in more detail. It appears that headers will be used to add data to sessions. This could be a new opportunity to exploit http response splitting. Note that the session information may be stored on the client, not just the server. Unencrypted sessions on the client could pose interesting security issues.

- mod_ssl has been improved to allow it to check for invalid client certificates via OCSP.

Version 2.4.1 is now available for download. I recommend you start testing it, but hold off on using it in production until some of the features have been debugged.

[1] http://httpd.apache.org/docs/2.4/new_features_2_4.html 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: apache
0 comment(s)
ISC StormCast for Wednesday, February 22nd 2012 http://isc.sans.edu/podcastdetail.html?id=2344

How to test OS X Mountain Lion's Gatekeeper in Lion

Published: 2012-02-22
Last Updated: 2012-02-22 02:16:20 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

While I started working on comparing various OS X hardening guides (see the prior diary from a couple of days ago), Apple announced one important new security feature in OS X 10.8 (Mountain Lion). The new operating system to be released this summer will include a white listing system based on iOS. iOS has received a lot of criticism for its closed nature, but so far, I have to admit it has worked pretty well. We have heard very little about iOS malware while Android malware appears to start steal the show from Windows malware (it got a while to go, but all the news lately appears to be about Android malware).

iOS uses a pretty simple and effective security model to fight malware: Whitelisting. All software installed on an iOS device has to be digitally signed. In order to be digitally signed, the software has to be reviewed by Apple. Only software that uses standard Apple vetted APIs is considered trustworthy to be signed, making it difficult to sneak in malicious code. If malicious software slips through, it can be recalled later. 

Over the last few years, the opposite model, blacklisting ("Anti Malware") has failed spectacularly. Even many desktop users now use third party whitelisting software which is usually more granular then what Apple proposes.

Apple's approach allows for essentially three different "settings":

- Only allow Apple approved software (pretty much what iOS does)
- allow Apple approved software, but also allow software signed with specific additional certificates (you could use this to sign your own software. Kind of like accepting the certificate from an iOS developer for testing)
- allow all software (pretty much "unlocked" in iOS terms)

There are some specific limitations to Apple's approach:

- the signatures are only tested during install. If malicious software passes the install, it will not be inspected further.
- only executables are checked. A malicious PDF may still cause havoc, even if it may no longer be able to then download and install additional malware

The best part in my opinion is that the functionality was already pushed out to systems as part of the last OS X update (10.7.3). So you can already experiment with the feature and see how well it works (or doesn't work). I am running it now for a while off and on and so far, haven't experienced any ill effects, aside from it blocking me once or twice from installing software. Each time, I just disabled it temporarily (which could be considered a weakness).

The command line utility spctl can be used to enable or disable the feature. spctl --enable will enable it, spctl --disable disable it. You need to be root to run the utility.

 
 

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: apple lion spctl
2 comment(s)
Diary Archives