Hackin9

*** This is a guest diary by Dylan Johnson ***

In the first installment of this diary topic I showed you how to collect, normalize, store, graph and search events using Logstash, Graphite, Statsd, Kibana and Elasticsearch; however, an alerting capability was missing.

https://isc.sans.edu/diary/Guest+Diary%3A+Dylan+Johnson+-+There's+value+in+them+there+logs!/15289

So we have all our logs in one place and can search and graph on a per-field basis, but what if we want to go home and still have an alert generated when a threshold is reached?

The following details a simple yet effective approach to alerting using Graphite and Seyren. We covered Graphite in the previous post so we won't revisit it here; instead, let's talk about Seyren.

What is Seyren?

Seyren is a nice little alerting application that reads metrics from Graphite and compares them to a threshold you set. If that threshold is met, or you approach it, Seyren alerts. Simple!

As per the previous post you will need a working Graphite install plus MongoDB and of course Seyren (https://github.com/scobal/seyren). You will also need Maven in order to install Seyren, but that's just another step and shouldn't pose you any problems.

Let's get the basics out of the way so you can get this up and running with minimal fuss in a dev environment. Seyren is a Java app, so first off you will need Java.

The next thing you will need to do is set your environment variables; making them persistent is a wise choice.

If you are just going to play with this, the mongo install shouldn't need any additional configuration after you install it; Seyren will play nicely with the defaults. Configure the SMTP settings as suggested.

#### Base

* `GRAPHITE_URL` - The location of your graphite server. Default: `http://localhost:80`
* `GRAPHITE_USERNAME` - The Http Basic auth username for the graphite server. Default: ``
* `GRAPHITE_PASSWORD` - The Http Basic auth password for the graphite server. Default: ``
* `MONGO_URL` - The mongo connection string. Default: `mongodb://localhost:27017/seyren`
* `SEYREN_URL` - The location of your seyren instance. Default: `http://localhost:8080/seyren`

#### SMTP

* `SMTP_HOST` - The smtp server to send email notifications from. Default: `localhost`
* `SMTP_PORT` - The smtp server port. Default: `25`
* `SMTP_FROM` - The from email address for sending out notifications. Default: `[email protected]`
* `SMTP_USERNAME` - The smtp server username if authenticated SMTP is used. Default: ``
* `SMTP_PASSWORD` - The smtp server password if authenticated SMTP is used. Default: ``
* `SMTP_PROTOCOL` - The smtp server protocol if authenticated SMTP is used. Default: `smtp`

Download Seyren and follow the install instructions. After this, go to your Seyren base install directory and run:

```sh
nohup java -jar seyren-web/target/dependency/jetty-runner.jar --port 8888 --path /seyren seyren-web/target/seyren-web-1.0.0-SNAPSHOT.war &
```

This will start up your Seyren application.

Note: You can use the `--port` option to run this on a port of your choosing.

You should now be able to browse to http://<IP>:8888/seyren.

WARNING: It's probably best to run this behind an SSL-enabled reverse proxy with authentication.

CREATE A CHECK

So now you have Seyren up and running, you will want to create a check. Seyren polls Graphite and pulls back values in order to compare the data returned against a threshold value set by you.

So all you need to do is add a path to your graphite data source in the alerting setup. This is the data source you will be monitoring and alerting on.

An easy way to find this path is to derive it from the graphite graph you want to monitor.

[Image: graph.jpg]

It's the one ending in `.deny` above! That's your data source for your first alert!

Next, create your first check. Use the Graphite data source path found in the previous step and set your warn and error levels. When Seyren pulls back a value from Graphite that matches your warn / error level it will do something!

[Image: createcheck.jpg]

Create the check and you should see the following, showing what your check is doing.

[Image: aftercheck.jpg]

ADD YOUR SUBSCRIPTIONS

If you click on STATE you will be able to add your subscriptions. I just added an email recipient to receive alerts.

[Image: fullcheck.jpg]

All this configuration data is saved in MongoDB. Once you have set up your checks you can see their state on the main page. The images below show how the checks move from state to state; in this example this is because the number of denied firewall packets reached a threshold value I set. Don't worry, you don't get DDoS'd with messages! You get one for each change in state, as below.

The Deny alert state due to values above the set threshold:

[Image: alert11.jpg]

The Deny alert state due to values below the set threshold; a total of two messages sent. You can also send to other destinations like HipChat, etc.!

[Image: alert2.jpg]
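To make the "one message per state change" behaviour concrete, here is an added Python example (not Seyren's own code) that evaluates constructed Graphite render JSON against warn/error levels and records a notification only when the check changes state. The direction rule (warn below error means alert on rising values, and the reverse for falling) and the treatment of null datapoints as non-alerting are assumptions of this example, not a statement of Seyren's exact rules.

```python
"""Seyren-style threshold check with one notification per state change.

Added example, not Seyren's own code.  It mirrors the workflow described
above: read a Graphite target, compare the newest value with warn/error
levels, and notify only when the check's state changes.
"""
import json


def render_json(target, values, start=1370000000, step=60):
    """Build Graphite render-API style JSON (constructed test data): one
    series with [value, unix_timestamp] datapoints; None stays null, which
    is what Graphite emits for intervals with no data."""
    points = [[v, start + i * step] for i, v in enumerate(values)]
    return json.dumps([{"target": target, "datapoints": points}])


def latest_value(render_output):
    """Newest non-null datapoint of the first series, or None if the series
    is empty or every datapoint is null."""
    series = json.loads(render_output)
    if not series:
        return None
    for value, _ts in reversed(series[0]["datapoints"]):
        if value is not None:
            return float(value)
    return None


def evaluate(value, warn, error):
    """Map a value to OK / WARN / ERROR.  Assumption: the alert direction
    follows the ordering of the levels (warn < error means "fire when the
    value rises above", warn > error means "fire when it falls below").
    Missing data (None) is treated as OK here."""
    if value is None:
        return "OK"
    if error >= warn:
        if value >= error:
            return "ERROR"
        if value >= warn:
            return "WARN"
    else:
        if value <= error:
            return "ERROR"
        if value <= warn:
            return "WARN"
    return "OK"


class Check:
    """One check: a Graphite target, warn/error levels, and the state kept
    between polls so that a sustained breach yields a single message."""

    def __init__(self, name, target, warn, error):
        self.name, self.target = name, target
        self.warn, self.error = warn, error
        self.state = "OK"
        self.notifications = []  # what would go to the email subscription

    def poll(self, render_output):
        value = latest_value(render_output)
        new_state = evaluate(value, self.warn, self.error)
        if new_state != self.state:
            self.notifications.append(
                f"{self.name}: {self.state} -> {new_state} (value={value})")
            self.state = new_state
        return new_state


def simulate_denied_packets():
    """Drive a check through the scenario in the post: denied firewall
    packets climb past the error level, stay high across several polls
    (one with a trailing null), then drop back.  Returns (state after each
    poll, notifications sent)."""
    check = Check("fw-deny", "iptables.deny", warn=20, error=40)
    polls = [[3.0], [3.0, 12.0], [12.0, 47.0], [47.0, None],
             [None, 55.0], [55.0, 9.0]]
    history = [check.poll(render_json(check.target, v)) for v in polls]
    return history, check.notifications


if __name__ == "__main__":
    states, sent = simulate_denied_packets()
    print(states)      # ['OK', 'OK', 'ERROR', 'ERROR', 'ERROR', 'OK']
    for line in sent:  # two messages: OK -> ERROR, then ERROR -> OK
        print(line)
```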

ALERT HISTORY

The Seyren home page shows the alert status for all your checks as seen below.

[Image: alerts.jpg]

SOME BASIC USE CASES

A couple of alert use cases that could help your PCI DSS compliance efforts are as follows:

| Use Case | Event Source |
| --- | --- |
| Failed logins | Auditd / WinEvt / Radius / LDAP / AD |
| Denied network traffic | IPtables / Syslog |
| Virus numbers | ePO registered executable / Defender |
| Port scans | portsentry / Snort |
| ModSec | rule severity |
| Snort | rule type |

Obviously you have to collect the relevant data from your assets in order to do this, and I will show you how to do this and parse all these logs next time!

My previous post showed you how to normalize and analyze massive volumes of data in real time, and this post shows you how to add simple alerting automation. If you have all these components set up, you now have a true basic security event management system.

In my next post I am going to use all of the tools and techniques detailed in my last two posts and show you how to combine them into an autonomous PCI:DSS and ISO27002 security event management system.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

It's time to ask yourself an uncomfortable question: how many of your passwords are so absurdly weak that they might as well provide no security at all? Those of you using "123456," "abc123," or even just "password" might already know it's time to make some changes. And using pets' names, birth dates, your favorite sports teams, or adding a number or capital letter to a weak password isn't going to be enough.

Don’t worry, we're here to help. We’re going to focus on how to use a password manager, software that can help you go from passwords like "111111" to "6WKBTSkQq8Zn4PtAjmz7" without making you want to pull out all your hair. For good measure, we'll talk about how creating fictitious answers to password reset questions (e.g. mother's maiden name) can make you even more resistant to hacking.

Why you can’t just wing it anymore

A password manager helps you create long, complicated passwords for websites and integrates into your browser, automatically filling in your usernames and passwords. Instead of typing a different password into each site you visit, you only have to remember one master password.

 
Twitter was back in working order on Monday afternoon after experiencing multiple technical issues earlier in the day that caused some users' tweet streams to not update, among other problems.
 

We often see attackers trying to exploit our company's information assets, coming from both inside and outside the company. When the offending IP address is internal, it's easy to locate the host if you have information security controls like Network Access Control (NAC), Dynamic Host Configuration Protocol (DHCP), firewalls and network IPS. The problem is: what should we do if the offending IP address is out on the Internet?

There are five Regional Internet Registry (RIR) entities in the world. For their region, they assign IPv4 and IPv6 addresses and autonomous system numbers:

[Image: map of the RIR regions. Source: IANA web site]

  • AfriNIC: Covers the Africa region
  • APNIC: Covers the Asia Pacific region
  • ARIN: Covers the North American region
  • LACNIC: Covers Latin America and some Caribbean islands
  • RIPE NCC: Covers Europe, the Middle East and Central Asia

All RIRs provide a tool called whois. This tool tells you who the owner of an IP address or netblock is. All contacts listed with an RIR are required to provide an abuse contact. This contact is meant to be the point of contact for any action required to stop an attacker, or to request evidence for a criminal investigation if you are a law enforcement agency.

Let's see an example. If we look for the IP address 66.35.59.202, we can start by using ARIN to look it up. On the main ARIN website (http://www.arin.net), there is a text box after the "Search Whois" string. After entering 66.35.59.202, you obtain the following:

[Image: ARIN whois output for 66.35.59.202 (SANS)]

The abuse contact information is a URL following the contact ID, pointing to the specific information needed to contact the SANS Institute regarding abuse from their IP address range.

Let's see another example. If we look for IP address 200.13.232.33, we find the following:

[Image: ARIN whois output for 200.13.232.33 (EPM)]

This information means that the IP address is not within ARIN's scope and must be looked up at the LACNIC RIR. After looking up the information in the LACNIC whois, we obtain the following:

[Image: LACNIC whois output for 200.13.232.33 (EPM)]

Using Google to look up ownership information for a specific IP address is definitely not a good idea, as it searches for the IP address string inside all indexed web pages. The results will contain a lot of false positives and will delay your incident response process and / or your criminal investigation.
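The two-step lookup shown above (ARIN hands 200.13.232.33 on to LACNIC) can be automated. The following added Python example, not from the diary, parses whois-style output, follows an ARIN ReferralServer hop to the responsible RIR, and returns the abuse mailbox. The registry responses are constructed samples on RFC 5737 documentation addresses, and the field names are assumed to match ARIN's and RPSL-style (RIPE/LACNIC) output.

```python
"""Follow RIR whois referrals to an abuse contact.

Added example, not from the diary.  It parses 'key: value' whois output,
extracts the abuse mailbox, and follows an ARIN ReferralServer hop to the
responsible RIR, as the LACNIC lookup above required.  Responses are
constructed samples on RFC 5737 documentation addresses, not registry data.
"""
import re

SAMPLE_RESPONSES = {
    # Managed by ARIN: the abuse contact is in ARIN's own record.
    ("whois.arin.net", "203.0.113.10"): """\
# ARIN WHOIS data and services are subject to the Terms of Use
NetRange:       203.0.113.0 - 203.0.113.255
NetName:        EXAMPLE-NET
OrgName:        Example Institute
OrgAbuseEmail:  abuse@example.org
""",
    # Outside ARIN's scope: ARIN answers with a referral only.
    ("whois.arin.net", "198.51.100.7"): """\
NetRange:       198.51.100.0 - 198.51.100.255
NetName:        LACNIC-EXAMPLE
OrgName:        Latin American and Caribbean IP address Regional Registry
ReferralServer: whois://whois.lacnic.net
""",
    # RPSL-style record (field names as assumed for LACNIC/RIPE output).
    ("whois.lacnic.net", "198.51.100.7"): """\
% Joint Whois - whois.lacnic.net
inetnum:       198.51.100.0/24
owner:         Example Utility Co
abuse-c:       ABU
e-mail:        noc@example.co
abuse-mailbox: abuse@example.co
""",
}

KEY_VALUE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*\S)\s*$")
ABUSE_KEYS = ("orgabuseemail", "abuse-mailbox")  # ARIN / RPSL spellings


def parse_whois(text):
    """Collect 'key: value' lines into {lowercased key: [values]}, skipping
    the '#' and '%' comment / terms-of-use lines registries prepend."""
    record = {}
    for line in text.splitlines():
        if not line or line[0] in "#%":
            continue
        m = KEY_VALUE.match(line)
        if m:
            record.setdefault(m.group(1).lower(), []).append(m.group(2))
    return record

def abuse_contacts(record):
    """Abuse mailboxes only; a plain 'e-mail:' line is not an abuse contact."""
    return [v for key in ABUSE_KEYS for v in record.get(key, [])]

def referral_server(record):
    """Hostname from an ARIN 'ReferralServer: whois://host' line, if any."""
    for v in record.get("referralserver", []):
        m = re.match(r"(?:r?whois://)?([\w.-]+)", v)
        if m:
            return m.group(1)
    return None

def lookup_offline(server, ip):
    """Stand-in for a real port-43 query: returns the constructed sample."""
    return SAMPLE_RESPONSES.get((server, ip), "")

def find_abuse_contact(ip, lookup=lookup_offline, max_hops=3):
    """Start at ARIN, as the diary does, and follow referrals until a record
    carries an abuse contact; max_hops and the visited list prevent loops."""
    server, hops = "whois.arin.net", []
    for _ in range(max_hops):
        hops.append(server)
        record = parse_whois(lookup(server, ip))
        contacts = abuse_contacts(record)
        if contacts:
            return {"ip": ip, "server": server, "hops": hops, "contacts": contacts}
        nxt = referral_server(record)
        if not nxt or nxt in hops:
            break
        server = nxt
    return {"ip": ip, "server": server, "hops": hops, "contacts": []}
```

To query live registries, replace `lookup_offline` with a function that opens a TCP connection to port 43 of `server`, sends the address followed by a newline, and returns the text.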

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
All that new data flowing into enterprises can bring along an expensive partner: multiple copies.
 
For the kickoff of Microsoft's annual North American TechEd conference, the company is urging administrators and IT professionals to think of it as the provider of the "Cloud OS."
 
When it comes to tablets, Microsoft and its OEMs don't know where they're going, an analyst said today.
 
Telepathy-Gabble CVE-2013-1431 Security Bypass Vulnerability
 
Mesa libGLX CVE-2013-1993 Multiple Remote Code Execution Vulnerabilities
 

Changing the landscape of identity
Network World
I was asked to travel to the 2013 InfoSec security conference in Europe this year, and speak about the trends I am seeing in the identity networking game, and possibly speculate on the future of identity in networking as I see it. So I thought to ...

 
Zynga, the social gaming services company, is laying off 18% of its employees in an effort to reduce its cost structure
 
As riots erupted in Turkey and protesters and government officials took to social media to fire back and forth online, the country's prime minister called Twitter a "curse."
 
Maine is a step closer to becoming the first state in the nation with a law that would require police to obtain a court-issued search warrant in order to obtain a person's cell-phone location data.
 
Open-Xchange Security Advisory 2013-06-03
 
Apple has made progress in cutting deals with music labels for an Internet radio service but time is running out, several reports said today.
 
U.S. Army Private First Class Bradley Manning accused of sharing thousands of classified government documents with WikiLeaks, knew that the information would aid enemies of the U.S., a prosecutor argued Monday.
 
Apple has to pay out $6.5 million in home copying levies that it collected but failed to deliver to the appropriate agency, the Paris High Court ruled.
 
The spread of smartphones, powered by fast 3G and LTE networks used to watch ever more video content, are pushing up the volume of mobile data traffic. The challenge for operators will be to turn that into more revenue, as users prefer Wi-Fi networks, an analyst said.
 
[SECURITY] [DSA 2700-1] wireshark security update
 
OpenSSL CVE-2012-2686 Remote Denial of Service Vulnerability
 
IBM DB2 and DB2 Connect Audit Facility Local Privilege Escalation Vulnerability
 
[ISecAuditors Security Advisories] Multiple Vulnerabilities in Telaen <= 1.3.0
 
Vulnerable Microsoft VC++ 2005 RTM runtime libraries installed with "Microsoft Security Essentials" (and numerous other Microsoft products)
 
[SECURITY] [DSA 2701-1] krb5 security update
 
Software AG has signed a deal to acquire IT portfolio management software vendor alfabet AG and plans to combine the company's tools with its own ARIS process modeling products.
 
After months on the market, Windows 8 tablets have yet to rack up the sales Microsoft and PC vendors were originally hoping for. But on Monday Taiwanese PC maker Acer showed what could be the first of many Windows 8 tablets to come in smaller screen sizes, following the success of Apple's iPad mini and Google's Nexus 7.
 
Dell has expanded its range of hybrid devices with the XPS 11, which can transform from tablet to laptop with the flip of a screen.
 
A little more than four months after Twitter unveiled its video service, Vine, the company has launched a version for Android.
 
After announcing a 5mm high series of drives earlier this year, WD said it is now shipping the world's highest capacity 7mm-high laptop drive with up to 1TB of storage.
 
EVE Online's Tranquility server cluster suffered a distributed denial-of-service attack that also affected the first person shooter Dust 514, set in the same game universe. Developer CCP says it has closed the vulnerability.
[ MDVSA-2013:171 ] gnutls
 
X.Org libFS 'FSOpenServer()' Memory Corruption Vulnerability
 
X.Org libdmx CVE-2013-1992 Multiple Remote Code Execution Vulnerabilities
 
X.Org libXrandr CVE-2013-1986 Multiple Remote Code Execution Vulnerabilities
 
Microsoft is updating a number of its IT infrastructure and development tools to work more seamlessly with its Azure hosted cloud services, including Windows Server, System Center, Visual Studio and SQL Server.
 
The first three months of 2013 have seen a surge in spam volume, as well as large numbers of samples of the Koobface social networking worm and master boot record (MBR) infecting malware, according to antivirus vendor McAfee.
 
Microsoft CIO Tony Scott has left the company after five years.
 
LinuxSecurity.com: It was discovered that the kpasswd service running on UDP port 464 could respond to response packets, creating a packet loop and a denial of service condition.
 
LinuxSecurity.com: Multiple vulnerabilities were discovered in the dissectors for GTPv2, ASN.1 BER, PPP CCP, DCP ETSI, MPEG DSM-CC and Websocket, which could result in denial of service or the execution of arbitrary code.
 
LinuxSecurity.com: Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors, missing input sanitising vulnerabilities, use-after-free vulnerabilities, buffer overflows and other programming errors may lead to the execution ...
 
X.Org libXext CVE-2013-1982 Multiple Remote Code Execution Vulnerabilities
 
Openchrome X Window System Client Libraries CVE-2013-1994 Multiple Integer Overflow Vulnerabilities
 
X.Org libXinerama 'XineramaQueryScreens()' Function Remote Code Execution Vulnerability
 
transifex-client CVE-2013-2073 SSL Certificate Validation Security Bypass Vulnerability
 
Google will not add facial recognition software to its futuristic-looking computerized eyeglasses at this point because privacy protections aren't strong enough.
 
Samsung Electronics has extended its Galaxy Tab 3 line-up with 8-inch and 10.1-inch models with dual-core processors and extensive support for LTE networks.
 
The company that brought us the PadFone, an all-in-one smartphone, tablet and laptop device, is thinking a bit bigger. Taiwan's Asustek Computer has now combined a tablet, smartphone and desktop PC into a single product that it calls the Transformer Book Trio.
 
The company will release patches as part of its critical patch updates and halt the running of unsigned and self-signed applets; it plans to strip more libraries from the recently launched Server JRE to further reduce its attack surface.

Strengthening Enterprise Defenses With Threat Intelligence
Dark Reading
... from "Strengthening Enterprise Defenses With Threat Intelligence," a new report published this week on Dark Reading's Security Monitoring Tech Center.] Threat intelligence is emerging as a topic of both interest and debate within the infosec community.

 

Mobile Application Security: New SANS Survey Results Revealed
Dark Reading
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security ...

 
China has produced a supercomputer capable of 54.9 petaflops, more than twice the speed of any system in the U.S., according to a U.S. researcher who was in China last week and learned the details.
 
Asustek Computer is extending its Zenbook family of ultrabooks with a new model with a cover made from Gorilla Glass to make it resistant to scratches.
 
Microsoft's Internet Explorer boosted its user share last month by 53% as the company's enforced upgrade for Windows 7 continued to take effect.
 
A Japanese entrepreneur who founded one of the country's largest web portals and was a national celebrity before being jailed for securities fraud is now free and has launched a firm to develop smartphone apps.
 
Microsoft and Apple last week kicked off promotions that may signal inventory clearing as they prepare their next generations of hardware.
 

Blended security threats require a unified response
IT-Director.com (blog)
In a recent survey released during Infosec Europe 2013, 93% of large organisations reported that they had been breached in the past year, as did 87% of small organisations. And the report also shows that they are being breached more often with every ...

 
Innovation, negativity, crazy ideas and the future of technology were on Google CEO Larry Page's mind when he spoke at his company's recent I/O developers conference.
 
Unless you're working at Yahoo, where CEO Marissa Mayer has banned telecommuting, there's a very good chance you are working from home or at a coffee shop.
 
Dell says Windows 8 contributed to a decline in its PC-related revenue during the quarter that ended May 3.
 
The Bitcoin Foundation is seeking a QA pro and a project manager as it aims to expand its staff to four full-timers.
 
In his January 2011 State of the Union address, President Obama said that America was facing a 'Sputnik moment' because declining R&D spending was putting the nation at risk of losing its technological lead. That moment still looms.
 
With his H-1B fight over and lost to the tech industry, Sen. Charles Grassley (R-Iowa) lashed out in the minutes before the Senate Judiciary Committee's final vote on the controversial immigration bill.
 
An organizational discipline, now being applied at the Department of Veterans Affairs, aims to create enterprises that can respond dynamically to customer demands because their structure is adapted to fit their mission and goals.
 
Four of this year's Computerworld Honors Laureates are using big data to battle the effects of unemployment and climate change, raise social awareness and help at-risk students.
 
LinkedIn isn't the only social tool you can use when looking for your next job.
 
It's always best when you can do a security review ahead of the due diligence phase, but one will certainly be needed at some point.
 
On The H's radar over the last seven days: Google hacks Windows, structures in place of signatures, a backdoor scanner, musical Android malware, suspicious system files, John the Ripper and - inevitably - Chinese spies.
Wireshark ASN.1 BER Dissector CVE-2013-3557 Denial of Service Vulnerability
 
Wireshark DCP ETSI Dissector Integer Overflow Denial of Service Vulnerability
 
Wireshark DCP ETSI Dissector 'dissect_pft_fec_detailed()' Denial of Service Vulnerability
 
Asustek Computer introduced a new "phablet" device called the Asus Fonepad Note FHD6, which is part Android phone, part tablet.
 
Asustek Computer has fired another shot in the Android tablet price war, putting the starting price for the Asus Memo Pad FHD7 at $129.
 
Monkey HTTP Daemon NULL Byte Denial of Service Vulnerability
 
Apache Struts 'includeParams' CVE-2013-1966 Security Bypass Vulnerability
 
Oracle WebCenter Content CVE-2013-1559 Remote Code Execution Vulnerability
 
Linux Kernel Multiple Local Information Disclosure Vulnerabilities
 
Apache Struts 'includeParams' CVE-2013-2115 Incomplete Fix Security Bypass Vulnerability
 
Mozilla has signed on Foxconn, the world's largest contract electronics manufacturer, to support its Firefox operating system in cellphones.
 
Windows 8 is joining the 8-inch tablet bandwagon with a new device from Acer that will launch later this month and come with a price tag between US$400 and $500.
 
Google will not allow face recognition on its Glass wearable computer for now, until there are strong privacy protections.
 
Yep, I've been writing for Network World for 20 years and a lot has happened in that time ... here are 10 of the most surprising
 

GISEC – Middle East's premier InfoSec show opens
Arabian Gazette
Posted by AG Reporter / June 3, 2013. GISEC is organised and hosted by the Dubai World Trade Centre (DWTC) and will be held from June 3-5, and the GISEC conference will be held from June 4-5.
 

Posted by InfoSec News on Jun 03

http://www.darkreading.com/attacks-breaches/hacking-the-tdos-attack/240155809

By Kelly Jackson Higgins
Dark Reading
May 30, 2013

When an ICU nurse refused to pay scammers who insisted she owed money
for a payday loan, they unleashed a robo-dial flood of hundreds of calls
per hour that ultimately shut down the phone system of the hospital's
intensive care unit. In another case, supporters of a popular company
that received a negative...
 

Posted by InfoSec News on Jun 03

http://www.canada.com/entertainment/Evil+empire+USSRs+domain+space+increasingly+attractive+hideout/8459435/story.html

BY RAPHAEL SATTER
THE ASSOCIATED PRESS
MAY 31, 2013

MOSCOW - The Soviet Union disappeared from the map more than two decades ago.
But online an 'e-vil empire' is thriving.

Security experts say the .su Internet suffix assigned to the USSR in 1990 has
turned into a haven for hackers who've flocked to the defunct...
 

Posted by InfoSec News on Jun 03

http://online.wsj.com/article/SB10001424127887323855804578508894129031084.html

By ANDERS FOGH RASMUSSEN
The Wall Street Journal
June 2, 2013

On April 23, the Dow Jones Industrial Average dropped by 150 points within
seven minutes, destroying billions of dollars in value. The reason was a
message on the Associated Press's Twitter account claiming that two explosions
had shaken the White House.

The tweet was quickly exposed as bogus, the...
 

Posted by InfoSec News on Jun 03

http://www.canberratimes.com.au/it-pro/security-it/asio-hacking-failed-officials-say-20130531-2nhgk.html

By Philip Dorling
The Canberra Times
June 1, 2013

Australian national security officials have denied classified plans of
ASIO's new headquarters building were stolen by Chinese hackers and say
the opposition was informed of this in a security briefing.

According to security officials, there were attempted cyber intrusions
against...
 

Posted by InfoSec News on Jun 03

http://thehill.com/blogs/hillicon-valley/technology/302885-lawmakers-to-obama-get-tough-with-china-on-hacking

By Jennifer Martinez
Hillicon Valley
06/02/13

Congressional pressure is mounting for President Obama to talk tough
this week to his Chinese counterpart Xi Jinping on cybersecurity.

House Intelligence Chairman Mike Rogers (R-Mich.) is calling on Obama to
explicitly warn the Chinese president that cyberattacks waged by the...
 
Apple appears to face an uphill battle as it goes to trial Monday in New York on e-book price fixing charges brought by the U.S. government.
 