InfoSec News

From a support point of view, when someone calls the Helpdesk with a there's something going on with my pc question, very early in the process you'll want to know what is installed on that computer, and then what versions of each installed application. It's also handy to know *when* things were installed - if things just started to go wrong, knowing what was just installed is a must-know. Of course, the person making the call will always say I didn't install anything, but once you have that list, the hasty oh, except for that is generally quickly forthcoming.

So a software inventory is useful for support, but why is it second on the Security Critical Controls list? Well, if one of your users has rights to install their own software, they will. As time goes by is it likely that they'll install patches and updates? What about version updates? Did they pay for that app at all? This highlights the big gaping hole in the I'll admin my own machine end-user argument. 6 months after they are given rights to administer their own computer, their software will be 6 months out of date, and the machine will have 6 months worth of security vulnerabilities on it (and most likely the exploits to match them). Not a good thing to plug back into the head office LAN.

So, in a Windows environment, how can you easily get a listing of installed software? Luckily, you can script all this stuff, and better yet, script it to run daily, from a central location, and store the results centrally.

Note, all the script examples are pretty much lifted from a semi-recent GIAC Gold Paper of mine ( http://www.sans.org/reading_room/whitepapers/auditing/admins-documentation-hackers-pentest_33303 ). I won't put it forth as the be-all and end-all reference for this (I didn't invent any of this stuff), but it was a handy place for me to go to for these stuff, since it's all in one place.

We'll use WMIC (Windows Management Interface Command Line)for the Windows software inventory. No surprise there - years ago, I would have used VBS files (and I still keep them around, just in case), but these days WMIC is just too easy for this type of reporting. What you'll also find is that many of the fancy-dancy, for-sale-for-real-dollars inventory applications out there are simply a collection of WMI calls with a tuxedo on (a cool menu and pretty reports) - so you can save yourself some budget dollars and run these reports yourself, using your knowledge of your environment and a little bit of script development time.

To get all installed software in a Windows Domain or subnet range, you'll only need a few commands:

wmic os get name

Get the OSinstalled on the station

wmic os get servicepackmajorversion

Next, the Service Pack

wmic qfe list brief
And the list of patches and updates (QFE = QuickFix Engineering)

wmic service list
Next, list the services installled

wmic product get vendor, name, version, installdate, packagecache, description, identifyingnumber

Finally, for all installed applications, list the information we might find useful in this context

For all of these commands, we'll tack on a formating option to pretty up the output, presenting the report in an HTMLtable:


Now, we have the bare bones of a script. Let's put it all together, in a short script we'll called inven.cmd (short for inventory)

inven will run all the associated reports, and drop them into a separate subdirectory named for each hostname being inventoried. (note from the environment variables that I pulled this little script out of a much larger one).

=========== inven.cmd =========


set DIRNAME=%1

set UID=%2

set PWD=%3

wmic /output:%DIRNAME%\patches.htm /user:%UID% /password:%PWD% /node:%HOST% qfe list brief /format:htable

wmic /output:%DIRNAME%\os.htm /user:%UID% /password:%PWD% /node:%HOST% os list full /format:hform

wmic /output:%DIRNAME%\products.htm /user:%UID% /password:%PWD% /node:%HOST% product get vendor,name,version,installdate,packagecache,description,identifyingnumber /format:htable

wmic /output:%DIRNAME%\services.htm /user:%UID% /password:%PWD% /node:%HOST% service list /format:htable


Wait, but I said we'd run that for the entire Windows AD Domain - how do we do that?

First, get a simple list of all computers in the domain - we'll use DSQUERY for that. The easiest way to run this is from a Domain Controller. Note that I'm using cut to only give me just the names of the computers in a list - you can get cut by installing Microsoft Services for Unix (SFU), or use GNUTILS like throwbacks like me (I'm still getting around to installing SFU everywhere I need it, whereas the GNU utilities are all self-contained exe's)

dsquery computer -s DCname -u domainname\administrator -p adminpassword -limit 10000 | cut -d , -f1 | cut -d = -f2 hostlist.txt

(you could use dsquery servers to inventory server class computers)
Now that we have inven.cmd and the list of hosts in hostlist.txt, let's combine them and get the full report, by creating DOMLOOP.CMD, which will contain a single line (Note that USERIDand PASSWORD will need rights to login to the remote hosts and run the WMICcommands)

Now, you say, what about malware? Oddly enough, lots of the malware out there (many of the FAKE-AV packages for instance), actually use the Windows installer and register themselves. You can any apps that *don't* register using variations on dir c:\*.exe /s, or, if you are looking for hidden and/or system files, you can use variants on attrib c:\*.exe /s (or whatever file type, not just exe's).

What's that, you have Linux stations and servers? Even easier, there are only about a dozen ways to get the same info out of Linux. I'll hit one method for each of the variants I normally see

============ Redhat ==============

For startup services (and when they are configured to start), use chkconfig list

[[email protected] ~]$ chkconfig --list

NetworkManager 0:off 1:off 2:on 3:on 4:on 5:on 6:off

abrtd 0:off 1:off 2:off 3:on 4:off 5:on 6:off

acpid 0:off 1:off 2:on 3:on 4:on 5:on 6:off

atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off

auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

avahi-daemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off

bluetooth 0:off 1:off 2:off 3:on 4:on 5:on 6:off

btseed 0:off 1:off 2:off 3:off 4:off 5:off 6:off

... and so on ...

to list all installed packages:

rpm -qa














... (and so on)

for more information on a specific package, use rpm -qi

[[email protected] ~]$ rpm -qi python

Name : python Relocations: (not relocatable)

Version : 2.6.4 Vendor: Fedora Project

Release : 27.fc13 Build Date: Fri 04 Jun 2010 02:22:55 PM EDT

Install Date: Sat 19 Mar 2011 08:21:36 PM EDT Build Host: x86-02.phx2.fedoraproject.org

Group : Development/Languages Source RPM: python-2.6.4-27.fc13.src.rpm

Size : 21238314 License: Python

Signature : RSA/SHA256, Fri 04 Jun 2010 02:36:33 PM EDT, Key ID 7edc6ad6e8e40fde

Packager : Fedora Project

URL : http://www.python.org/

Summary : An interpreted, interactive, object-oriented programming language

Description :

Python is an interpreted, interactive, object-oriented programming

language often compared to Tcl, Perl, Scheme or Java. Python includes


(and so on)

For more information, on all packages (perhaps too much), use rpm -qia

================ Debian, Ubuntu and the like ===================

To get a list of installed applications:

dpkg --get-selections

to get more information in the list:

dpkg -l
Name Version Description


acpi-support 0.136.1 scripts for handling many ACPI events

acpid 1.0.10-5ubuntu2.1 Advanced Configuration and Power Interface e

adduser 3.112ubuntu1 add and remove users and groups

adium-theme-ubuntu 0.1-0ubuntu1 Adium message style for Ubuntu

adobe-flash-properties-gtk GTK+ control panel for Adobe Flash Player pl

.... and so on ....

to get startups, I often just install chkconfig, and run it as on Redhat variants:

sudo apt-get install chkconfig

chkconfig --list

alternatively, sysv-rc-conf is an alternate package to do this (this will often also need an install)

sudo apt-get install sysv-rc-conf

sysv-rc-conf --list

Finally, we're interested in how you tackle the software inventory problem. Please use our comment form - let us know of any cool tools you use, or post any scripts you may have written to help out !

Rob VandenBrink

Metafore (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Yes, Tuesday's Apple event will almost certainly center around iOS 5 and the iPhone, as both rumors and fact have intimated. But what about Apple's other planned fall unveiling, iCloud?
LightSquared may take legal action if it is denied permission to build its planned LTE network because of concerns over interference between that network and GPS, an executive said Monday.
Hewlett-Packard has secured enough shares of Autonomy to take control of the U.K. software company, HP announced Monday.
Banana Dance 'id' Parameter SQL Injection Vulnerability
iPhone 4 trade-in business has been very brisk at companies that buy older smartphones, an early indication of how Apple's next model will sell, the firms said.
Adobe plans to release six applications designed to be used exclusively on touch-based devices, including apps to execute creative tasks such as photo editing and Web page design, the company announced Monday.
Oracle's new Big Data Appliance should appeal to enterprises looking for more efficient ways to capture, organize and analyze vast amounts of unstructured data, analysts said.
Oracle is making the open-source MySQL database more stable and feature-rich through a shift in development philosophy, MySQL Vice President of Engineering Tomas Ulin said during a keynote address Monday at the OpenWorld conference in San Francisco.
Sprint is expected to get the iPhone 5 exclusively from Apple to run over its 4G Wimax network, according to a report Monday from BGR.com.
Just weeks after opening up membership to Google+, visits to the new social network are booming.
Puppet X.509 Certificate Signing Requests Directory Traversal Vulnerability
Puppet Multiple Security Vulnerabilities
Computer Associates Total Defense Multiple SQL Injection Vulnerabilities
The Kindle Fire tablet costs $209.63 for materials and manufacturing expenses, more than $10 above its $199 price tag, according to a virtual teardown by IT research firm IHS iSuppli.
Google updated Chrome over the weekend to help users affected by Microsoft's errant flagging of the browser as malware.
One feature of today's mostly electronic, mostly Internet world is that governments tend to assume that it is legally OK to do many things that they would never have considered to be OK in the pre-Internet world.
If Sprint joins AT&T and Verizon Wireless in selling iPhones, which company will have the greatest advantage? Answer: Apple.
Macworld will cover Apple's expected iPhone announcement as it unfolds from the company's Cupertino headquarters. Bookmark this page and check back at 1 p.m. ET on Tuesday
One thing became clear at Oracle's OpenWorld conference on Monday: The vendor is intent on drilling the benefits of its hardware-plus-software systems into a customer base that largely remains invested only in Oracle's applications, databases and middleware.
Cisco IOS Network Address Translation Multiple Denial of Service Vulnerabilities
Microsoft's Windows XP lost an unprecedented amount of online usage share last month, according to Web metrics firm Net Applications.
Coverity has updated its development testing suite so that its results can be displayed directly from within the HP Application Lifecycle Management (ALM) suite software, Coverity announced Monday.
Oracle unveiled the Big Data Appliance, the newest addition to its line of products that combine software and hardware, during the OpenWorld conference in San Francisco on Monday.
If Sprint joins AT&T and Verizon Wireless in selling the iPhones, which company will have the greatest advantage? Answer: Apple.
Adobe is planning to launch a series of Internet-hosted services, called Creative Cloud, designed for creators of digital content, the company said Monday.
Phorum 5.2.18 Cross-site scripting vulnerability
[SECURITY] [DSA 2314-1] puppet security update
DDIVRT-2011-34 Metropolis Technologies OfficeWatch Directory Traversal
DDIVRT-2011-36 Cybele Software, Inc. ThinVNC Product Suite Arbitrary File Retrieval
Cisco Identity Services Engine Database Default Credentials Security Bypass Vulnerability
In a Bloomberg Businessweek article, Google CIO Ben Fried reflects on the benefits of letting employees have their way with technology. Forrester Research agrees that IT managers should relinquish control, but not before methodically analyzing workers' wants and needs.
Watch out for whaling, smartphone worms and social media scams, not to mention attacks targeting your car and house.
Perl Fast CGI Module CGI Variables Authentication Security Bypass Vulnerability
Drupal Views Bulk Operations 'Modify node taxonomy terms' Action HTML Injection Vulnerability
Vulnerabilities in GenStat
Vulnerabilities in Cytel Studio 9
Netvolution referer header SQL injection vulnerability
Facebook has partnered with security vendor Websense to protect its users from third-party malicious URLs spammed on the social networking website, the companies said on Monday.
Revelations by researchers over the weekend that several HTC Android phone models contain a "massive security vulnerability" are being examined by the mobile handset maker.
SonicWall Viewpoint v6.0 SP2 - SQL Injection Vulnerability
[ MDVSA-2011:142 ] mozilla-thunderbird
[ MDVSA-2011:141 ] firefox
[ MDVSA-2011:140 ] mozilla-thunderbird
Many firms rely on antivirus and antimalware technologies to address social networking risks, according to a survey by the Ponemon Institute.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
[ MDVSA-2011:139 ] firefox
Elastix PBX Extensions Enumeration
It was one of THOSE gigs: an internal penetration test against a client that, considering the amount of personal information they held on their customers, should have been well prepared. And yet, we went from you-can-plug-your-laptop-in-over-there to Domain Admin in... well, let's just say a shockingly small number of hours. And it just went downhill from there...

For me, writing up the resulting report, triggered what I could only describe as a crisis of faith. While, as a security community, I don't fool myself that we have it all figured out, I had up until now strongly believed that we were making progress. And yet, I had just spent a week immersed in a corporate culture that seemed to have focused itself on so many higher-level security issues that the basics the Security 101 stuff was just plain overlooked.

The more I thought about it, the more it bothered me. It wasn't some fancy-schmancy 'leet [email protected] 0-day that let us take down this organization from the inside: it was stupid-simple low-hanging fruit. I spent a bit of time chatting over Twitter with the ever-insightful Brian Honan (@BrianHonan) and came to the conclusion that the security community may have reached an awkward age at which we're grown up enough to be focusing on the golly-gee/whiz-bang/cool stuff (vis--vis the APTification of all that passes for security discussion) and, as a result, we're neglecting the basic, Security 101 stuff that raised the bar in the first place.

Think about it: Over the past year, how many high-profile hacks have been the result of awesome cutting edge skillz? How many have happened because someone just flat-out did something dumb? Take a quick gander at back issues of SANS NewsBites and I think you'll be convinced as well: We truly are neglecting the basics.

Since October is Security Awareness Month, a few weeks back, I sent out a call on Twitter for folks to submit pithy, 140 character-long, chunks of Security 101 wisdom. Below, I've compiled together the resulting list, along with the Twitter name of the submitter.

If you're feeling a little shaky on your security knowledge, then heeding this advice might just save your behind. Even if you're confident that you know it all, a quick review might have you discovering stuff you've inadvertently overlooked. Either way, I heartily recommend that you read (and heed) this advice. Also, if something particularly strikes your fancy, you might consider following the author on Twitter... you never know you might learn even more.
One last housekeeping note: I lightly edited these to remove some of the more blatant Twitterisms used to stuff big thoughts into limited character lengths. If anything got messed up, I'll take the blame.

If you can guess where PHPmyAdmin is installed, then so can attackers.

You are already pwn3d. The question is, What will you do about it?

Don't leave default passwords on the administrative interfaces of your 3rd party web applications.

Know your network - and all devices in it - well enough to spot unusual activity.

Users are almost always the weakest link. Make it a priority to educate them. Do most of yours even know what phishing is?

Security 101: If you don't need it, turn it off.

Passphrases are the new passwords. Make a sentence that is long, hard to guess, and easy to remember. ihatepasswordsseewhatididthere?

Patch your systems and disable any unused services to reduce attack surface.

Never trust a host you can't trust.

Computers remember a lot. Even more if you contact security personnel before you reboot.

Dedicate personnel to prevention AND detection. Preferably the same personnel in rotation to breed familiarity and contempt.

It's more important to know what you don't know than it is to know what you do know.

Try to avoid saying We are investigating... why equipment that we have a destruction certificate for was... sold online to the media.

Assets using secure authentication are directly and adversely impacted by your assets using plain text authentication.

Complacency: 1) Self-satisfaction especially when accompanied by unawareness of actual dangers or deficiencies. 2) You will be hacked.

Default SSL Certs for internal management interfaces should be replaced with valid certificates associated with the organization.

Don't be afraid of your incident response plan. Conducting investigations will give your team experience and eventually reduce costs.

How do you Find Evil in your organization? Seriously, go Find Evil and report back to me.

IT environments are complex systems. They require a System Development Life Cycle to effectively manage AND secure.

If your product allows remote connections somebody WILL write a python/perl/ruby script to connect to it and send whatever THEY want.

Monitor and alert to new accounts and accounts being added to Domain Administrator, SUDO, or root groups.

Product certification does not mean it has been deployed correctly. Review placement, logging, access, input validation, etc...

Service accounts should adhere to corporate password policies and be monitored for modifications including lockout.

Make sure you're protecting the right thing. A belt AND suspenders doesn't help if you're not wearing pants.

A backup is not a backup until you do a restore. #sysadminkoan

Attack vectors and regulatory requirements change. That's how we've always done it is a poor and lazy excuse.

Scanner infos can turn up bigger issues than you'd guess. Look at overall results, not just singles.

Five missing patches across 100 devices does not equal five vulnerabilities.

It's cheaper to consult a security professional from conception than mere days before go live.

Security professionals should be empowered to point the business towards good decisions and reserve the power of No for a last resort.

In your encryption system, your key is the weakest link. If it isn't, you're doing it wrong.

Security is not a box you buy or an app you write. It's an emergent property, a sum greater than its parts.

Dear User: Millions of $$ of software won't keep you from clicking that link. Only YOU can prevent link clicking.

When it comes to security controls, Trust But Verify... nah, forget the Trust... just Verify.

If you don't log accepts in your FW logs for admin protocols you will have no way of knowing when those accounts are abused.

An encryption algorithm that has to be hid from the public is by definition a weak algorithm...

That successful PCI DSS Report On Compliance will not save you from Zombies.

When setting up any new system, Step 1: Change default admin password.

Security through obscurity, or the practice of hiding flaws hoping they won't be found, has proven time and time again not to work.

Just because your security teams work from 9-5, doesn't mean attackers aren't looking the rest of the time.

The attitude that it won't or can't happen to us because we're too small/big/have nothing to offer is dangerous.

The attitude that I can't do anything about it so I won't even bother with security or reporting is also dangerous.

Analyse your logs in detail, it is those with their heads buried in your logs that hold the key to prevent, detect and recover.

Give only the permissions required to do the normal daily duties, nothing more. Special logons for special occasions.

Best: using high-speed trend analysis with custom searches as well as automated reporting AND followup.

Security teams that work in isolation and without transparency will fail. Collaborate with other risk mgmt - audit, ops risk, etc...

Those that store passwords in plain-text invite catastrophe.

We can't implement strong passwords/two-factor authentication. Our users aren't capable, says more about your competence than theirs.

Developers: Never roll your own encryption, authentication or session management schemes. You're not that smart. Trust me.

If you don't have written authorization to perform security-type testing in your organization, don't. You're too pretty for prison.

If you're not putting as much thought into your outbound firewall rules as you are for your inbound rules, you're doing it wrong.

If you're not supporting a legacy Windows OS, for the love of all that is Holy, turn off LANMAN hashes.

If you've never tested restoring from your backups, then you don't have backups - you have a crapload of data and hope.

If your internal security posture is based on,our employees wouldn't know how to do that, then you're likely already 0wned.

Remember: As an attacker, I exploit misplaced trust. There's nothing mystical or magical about it.

Run scans against your network. It's the only way to really know what's out there. I've yet to see a fully accurate network diagram.

Sanity check security spending. A $500 lock on a cheap wood door doesn't buy security. It just gives a thief something to laugh at.

Security isn't just about preventing compromise. It's about maintaining confidentiality, integrity availability despite compromise.

Security-through-obscurity doesn't work against anything with intelligence, but there's lots of dumb sh*t out on the 'net.

Taking nude photos of yourself? Don't store them on an always-connected device with little-to-no security. #forscarlett

Teach your users not to click on unknown links. DON'T send links to your users in email. More info: http://t.co/bdNTRI3O

Web developers: Give the exact same answer whether you're given a bogus username or password on logins. EXACT. SAME. ANSWER.

WebApp Devs: Just because you have a SELECT with A, B, C, D as options doesn't mean you'll only ever get A, B, C, or D back.

Webhosting Companies: Web servers shouldn't be making many *outbound* connections. TCPDump is your friend.

Your organization's AUP should explicitly prohibit Copyright abuse. You do HAVE an Acceptable Use Policy, right?

Centralize your logging - you have no idea how helpful it will be.

Companies who use the same Windows Local Admin password on large numbers of machines are ripe for picking by malicious insiders

Developers: Input, even data you think you control, can never be trusted. Consider all input a threat and process accordingly.

Diligent change management practices have saved more asses than a Beverly Hills plastic surgeon.

Ensure that user accounts are disabled as part of your termination process. Audit all accounts at least semi-annually for misses.

High privilege level accounts should be used only for administrative functions, not for day-to-day activities.

High privilege level accounts should have kick-ass passwords or two factor authentication. Or both.

If at all possible, disable password authentication for SSH. SSH is a huge brute force target. Keys are your friend.

If it plugs into your network, know why. The last thing you ever want to hear an admin say is, That thing has a web interface?!?

Learn how to manipulate text files. Learn how to use sed, cut, wc, and grep as a minimum. Text is your friend.

Logging authentication failures is NOT enough. Log successes and failures.

Mr. CxO: Your employees are not a family. Some are untrustworthy. FYI: Some of the people in your real family are pretty sketchy too.

Never rely on the fact that you own anything: data, a communication path, etc... If you do - I 0wn it, I 0wn you. Trust nothing.

Nothing is more important to the long-term survivability of your organization than a fully functional backup process.

Packets to or from RFC-1918 addresses should not be allowed to traverse your border firewall in either direction.

Passwords are no longer security measures. They are merely speed-bumps. Treat them accordingly.

Physical access trumps most security measures.

Remember to always think in terms of defense in depth. A belt AND suspenders is always better than a belt OR suspenders.

Shared accounts are never a good idea.

Telnet, FTP, and any other clear-text protocol developed in simpler, more naive times has no business on a modern network.

There is no excuse - NONE - not to use full disk encryption on laptops. Data breaches due to lost/stolen laptops are inexcusable.

Unencrypted WiFi is never secure. WEP = Unencrypted WiFi. Trust me. Stop using it. Now. Really.

Web Developers: Remove comments from your production website code. They serve NO purpose and can give away too much info.

Total loss of Sony Breach $171M, I wonder how many salaries, code reviews, software, hardware that could have bought.

Assign only those privileges that are required to do the job.

Also, I want to extend a great big thank you to all of the people who submitted these tweets using the #sec101 hash tag. I tried really hard to grab them all... If I missed anyone, I apologize.
Tom Liston

Senior Security Consultant, InGuardians, Inc.

Handler: SANS ISC
Note: Matt (@0xznb) has kindly made a fortune-mod zip file available here of the #sec101 wisdom.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Yahoo, looking to fight its way back to being an A-list online player, announced today that it is teaming up with ABC News
Back in the day, downloading software over the Internet and installing it was only for the most techy among us. Paying for that software was even more outlandish. But since Apple launched the App Store in 2008, users of the iPhone, iPod touch, and iPad have discovered that shopping for, downloading, and even paying for software isn’t just easy, but fun.
Fusion-io today released the first upgrade to its flash drive hardware in four years, increasing throughput to 3GBps and the capacity of a full-length flash card to 2.4TB.
Toshiba announced a new home media server with five terabytes of storage on Monday. It has enough capacity to store 15 days of digital TV broadcasts from six channels.
Security researchers say they've uncovered a flaw in several smartphone models produced by HTC that gives any application that has Internet access the keys to a trove of information on the phone, including e-mail addresses, GPS locations, phone numbers, and text message data.

Infosec world remembers Dr. Eugene Schultz
CSO (blog)
by CSO, Salted Hash – IT security news analysis, over easy! Dr. Eugene Schultz, respected veteran of the information security scene, passed away over the weekend. He's been enormously helpful to me in the past, breaking down complex security issues in ...

Smartphones and tablets are demanding more computing power, and chip company Adapteva hopes to bring server-type performance to the devices with a chip it is announcing on Monday.
The tech inferno is not buried deep within the earth -- it's just down the hall. Let's take a tour
Airlines and financial services firms have their own clouds, or will shortly. Here's what you need to consider before jumping.
There's heightened interest in agile BI, a rapid development methodology for creating BI systems that involves the end user as early and as often as possible -- and thus saves time and effort. Insider (registration required)
Jack Ma, chairman and CEO of Alibaba Group, said on Friday at an event at Stanford University that he was interested in acquiring Yahoo, according to reports, making this the first public overture by the Chinese company which is about 40 percent owned by Yahoo.
(This is a bit longer diary if you are just interested in conclusion and recommendations, skip below to the Is SSL broken? section. I recommend that you read the whole diary and let us know if you have any comments).
Unless youve been hiding on a deserted island, you heard about the latest attack on SSL, named BEAST. We wrote several diaries (first, second, third) on this topic. I got interested into the attack a lot and finally had some time to go through all the details.
So, first of all big props to Duong and Rizzo for implementing this in practice. While the idea itself is really cool (a bit more about it below), the implementation is what really impressed me, and all the effort they invested into the research here.
Some basics about the attack
As has been already written on million places, the BEAST attack attacks SSL 3.0 and TLS 1.0, in particular their implementation of the Cipher-block chaining (CBC) block encryption algorithms.
This is probably the most widely used mode for block encryption algorithms today, so it is obvious that any attack on this (and SSL/TLS overall) can have huge impact.
In a nutshell, BEAST very cleverly uses predictable IV (initialization vector) values in order to set up particular input vales for SSL. By very carefully modifying these input values, the attacker can exploit BEAST to guess what value 1 byte in an encrypted block had. Block encryption algorithms fragment input messages into blocks, usually 8 or 16 bytes long.
The IV is initially a random number and then every next block uses the previous cipher text as the IV. The IV is XORed with the input plain text this produces input for the encryption algorithm. So normally, in a block encryption algorithm, encrypted block C4 = encryption ( C3 XOR P4), where C is an encrypted block and P is a plain text block.
According to this, the last blocks (CN) IV will be CN-1: CN = encryption (CN-1 XOR PN). Doung and Rizzo cleverly used this so they leave the channel open and add the next block (N+1) whose content will be of one of the previous blocks. Imagine that we supply P4 (with only 1 byte modified), XORed with CN and its original C3:
CN+1 = encryption ( CN XOR ( CN XOR C3 XOR P4 ))
This results in:
CN+1 = encryption ( C3 XOR P4)
For which we know the result as it is C4! Now, if we can influence P4 to give us the opportunity of guessing one byte (by supplying, for example, 7 known bytes) we can try to guess what the last byte was: if CN+1 is equal C4, we guessed the byte, otherwise we didnt.
This is just a brief overview for more information read the leaked paper it is written very well.
Guessing HTTP values
As youve seen above, the attacker can now guess byte by byte. With HTTP creating this boundary is actually simple since we know what each HTTP request will look like:

If we want to guess the first character of Header, we can make the previous line 23 bytes long (if blocks are 8 bytes each):
Notice how only H will make it into the 3rd block. The attacker now knows the content of the first two blocks and can try to guess the first character by using the attack described above.
Attack prerequisites and implementation
As if the attack itself was not impressive enough, Doung and Rizzo managed to actually do all this in the browser. Let us revisit what they have to do for this attack:

They need to pull a MITM attack on the victim. This is needed for two things: first, they need to monitor the network traffic in order to guess bytes. Second, they need to somehow influence the browser to make it issue requests such as the one shown above that will let them do the guessing. For the demo they used a Java applet, but there are other ways of exploiting this (more below).

Once they injected the Java applet into the victims browser, they wait for the victim to log in to the target site. Now the Java applet will open an SSL connection to the target site and send a specially crafted request as above (i.e. GET /AAAAAAA ). The SSL connection must stay opened so they can feed new blocks in real time, as they monitor network traffic. This will allow them to guess content of bytes encrypted by the browser. So, their Oracle in this case is the browser itself the web server that they are attacking is irrelevant, it is the victims browser that lets them guess encrypted content.

As you can see from 2), the crucial requirement is that the SSL connection is open (so they are able to append the data and use the last block as the IV). This proved to be very difficult to do (and is one of the things in Doungs and Rizzos research that impressed me the most).
There are many ways that can be used in a browser to open a new connection. The easiest way is to use JavaScripts XmlHttpRequest (XHR). There are some limitations here though. First, Internet Explorer does not support XmlHttpRequest level 2 (which is needed in order to send cookies) and instead has an XDomainRequest object. XDomainRequest will never send cookies so, in theory, Internet Explorer users are more protected than Mozilla Firefox or Chrome users (is this a first or what!?!).
Firefox and Chrome support XHR level 2. It is worth pointing out here that the attacker is not able to read the request response through active scripting due to the fact that the server will not set the correct Access-Control-Allow-Origin header, but the attacker does not care about that since he just wants to be able to use the browser as an Oracle for guessing encrypted stuff. Similarly, settings such as Secure or HttpOnly will not help with this attack (but will with other).
The biggest problem with this is, it appears, that XHR cannot be used to create streaming requests, which are needed to perform the guessing (the attacker needs to be able to append those pre-calculated blocks to a request). Many other possible exploitation vectors, such as plain IFRAMEs, Websockets or Silverlight have similar issues that prevented Doung and Rizzo from using them keep in mind that this does not mean these are safe against BEAST, just that current attempts to use them failed.
Is SSL broken?
Simple question, simple answer NO. As you can see above, there are many prerequisites that the attacker needs to do in order to conduct the BEAST attack.
While the attack is inherent to block encryption algorithms, it requires the attacker to be able to append these specially crafted input blocks into an active session. In other words, it is very difficult, or impossible to exploit BEAST on other protocols that use SSL, such as POP3s, IMAPs and similar. Doung and Rizzo did it with browsers because there are many scripting (extending) possibilities with browsers and the HTTP protocol.
Couple of things I would suggest doing:

- Be careful about switching to TLS 1.1 or TLS 1.2 because you might break things for many clients. While this definitely fixes the vulnerability, be very careful.
- Move to RC4 over CBC. RC4 has also its own issues but just the fact that Google prefers RC4 says something too you can use the nice sslscan utility to see what ciphers are supported by a server, here are the results for mail.google.com:

# sslscan --no-failed mail.google.com:443


___ ___| |___ ___ __ _ _ __

/ __/ __| / __|/ __/ _` | '_ \

\__ \__ \ \__ \ (_| (_| | | | |

|___/___/_|___/\___\__,_|_| |_|

Version 1.8.2


Copyright Ian Ventura-Whiting 2009

Testing SSL server mail.google.com on port 443

Supported Server Cipher(s):

Accepted SSLv3 256 bits AES256-SHA

Accepted SSLv3 128 bits AES128-SHA

Accepted SSLv3 168 bits DES-CBC3-SHA

Accepted SSLv3 128 bits RC4-SHA

Accepted SSLv3 128 bits RC4-MD5

Accepted TLSv1 256 bits AES256-SHA

Accepted TLSv1 128 bits AES128-SHA

Accepted TLSv1 168 bits DES-CBC3-SHA

Accepted TLSv1 128 bits RC4-SHA

Accepted TLSv1 128 bits RC4-MD5

Prefered Server Cipher(s):

SSLv3 128 bits RC4-SHA

TLSv1 128 bits RC4-SHA
- Do not accept any unsigned Java applets and allow them to run. You should always do this, not only in this case. Same goes for any other active technology.
- When accessing sensitive sites, close all browser windows (not tabs, all windows) and open a fresh new one and use it only to access the sensitive site. After youre done, close it again and reopen it for further surfing. This should make exploitation a bit difficult, but keep in mind that as of Java 6 Update 10 an attacker can potentially trick a victim into dragging applets out of browser windows so they continue running after the browser is closed (Im not sure if this can be used to help BEAST).
- If you are a sensitive server owner keep an eye on errors on your server. The BEAST attack needs to issue quite a bit of requests (generally each byte has a 1/256 chance of being guessed, so in average 128 blocks need to be appended to a single request). One request is needed for a byte so if you see a lot of 404 requests with similar patterns (/AAAAA) that should raise some flags. Of course, you should always monitor and correlate your logs, not only now :)
At the end, I must again admit I like the attack a lot - the idea is really cool, amazing how they came up with everything. That being said, as you can see above, there are a lot of prerequisites for successful exploitation so I don't think that the resulting risk is very high at the moment.

(small update):There have been some comments about recommending RC4. While there have been plenty of bad/broken/failed implementations of RC4 (take a look at WEP), I-), USCERTis also recommending that RC4 is prioritized in their advisory available at http://www.kb.cert.org/vuls/id/864643.



@bojanz on Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
View and compare smartphone models by size, weight, OS, carrier, screen and more.

Posted by InfoSec News on Oct 03


By John Leyden
The Register
30th September 2011

A switch with networking configurations and passwords for the UK traffic
control centre was offered for sale on eBay, raising serious security

The £20 Cisco Catalyst switch was bought by security consultant Michael
Kemp, co-founder at Xiphos Research Labs, who quickly discovered that it
has been used at the National Air...

Posted by InfoSec News on Oct 03

Takedowncon 2, December 2-7 in Las Vegas, will focus on mobile &
wireless security. Takedowncon - organized by EC-Council - is a new
series of topic-specific IT security events that takes deep technical
dives into the hottest security segments. The format consists of
hands-on training, a two-day conference and exhibits. TDC is designed
for researchers, engineers and technical managers. Register early foe
the best rates. Register with...

Posted by InfoSec News on Oct 03


By Alex Zdan
The Times
September 30, 2011

LAWRENCE -- A duo of enterprising thieves who took a nearly $150,000
Porsche for a test drive Monday may have returned that night to steal
the car after they passed a set of dummy keys to the salesman, police

The four-door Porsche Panamera was stolen off the lot of Princeton
Porsche on Route 1 sometime between the...

Posted by InfoSec News on Oct 03


By Jaikumar Vijayan
September 29, 2011

Sensitive data including Social Security Numbers, names, addresses,
phone numbers and personal health data belonging to about 4.9 million
active and retired U.S. military personnel may have been compromised
after backup tapes containing the data went missing recently.


Posted by InfoSec News on Oct 03


By Alistair Osborne
30 Sep 2011

Among 13 pages of risk factors was the generic heading: "Failure to
adequately protect customer account information could have a material
adverse effect on Betfair."

In one sentence the betting exchange, then shooting for a £1.39bn
valuation, admitted it had...

Posted by InfoSec News on Oct 03


By Rakesh K Singh
New Delhi
The Pioneer
03 October 2011

The NTRO is a tactical intelligence gathering agency that relies on technology
for collection of information for securing the country’s security interests,
including threats to critical infrastructure and reports directly to the Prime
Minister’s Office.

The plan, sources...

Posted by InfoSec News on Oct 03


The Secunia Weekly Advisory Summary
2011-09-22 - 2011-09-29

This week: 74 advisories

Table of Contents:

1.....................................................Word From Secunia...
Mozilla Firefox CVE-2011-2997 Remote Memory Corruption Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2011-3232 YARR Remote Code Execution Vulnerability
Mozilla Firefox and SeaMonkey CVE-2011-3002 Remote Buffer Overflow Vulnerability
Adobe Photoshop Elements CVE-2011-2443 Multiple Memory Corruption Vulnerabilities
Internet Storm Center Infocon Status