Hackin9

InfoSec News

From a support point of view, when someone calls the Helpdesk with a "there's something going on with my PC" question, very early in the process you'll want to know what is installed on that computer, and then what versions of each installed application. It's also handy to know *when* things were installed - if things just started to go wrong, knowing what was just installed is a must-know. Of course, the person making the call will always say "I didn't install anything", but once you have that list, the hasty "oh, except for that" is generally quickly forthcoming.



So a software inventory is useful for support, but why is it second on the Critical Security Controls list (control 2 is "Inventory of Authorized and Unauthorized Software")? Well, if one of your users has rights to install their own software, they will. As time goes by, is it likely that they'll install patches and updates? What about version updates? Did they pay for that app at all? This highlights the big gaping hole in the "I'll admin my own machine" end-user argument. 6 months after they are given rights to administer their own computer, their software will be 6 months out of date, and the machine will have 6 months' worth of security vulnerabilities on it (and most likely the exploits to match them). Not a good thing to plug back into the head office LAN.



So, in a Windows environment, how can you easily get a listing of installed software? Luckily, you can script all this stuff, and better yet, script it to run daily, from a central location, and store the results centrally.



Note, all the script examples are pretty much lifted from a semi-recent GIAC Gold Paper of mine ( http://www.sans.org/reading_room/whitepapers/auditing/admins-documentation-hackers-pentest_33303 ). I won't put it forth as the be-all and end-all reference for this (I didn't invent any of this stuff), but it was a handy place for me to go to for this stuff, since it's all in one place.



We'll use WMIC (the Windows Management Instrumentation Command-line) for the Windows software inventory. No surprise there - years ago, I would have used VBS files (and I still keep them around, just in case), but these days WMIC is just too easy for this type of reporting. What you'll also find is that many of the fancy-dancy, for-sale-for-real-dollars inventory applications out there are simply a collection of WMI calls with a tuxedo on (a cool menu and pretty reports) - so you can save yourself some budget dollars and run these reports yourself, using your knowledge of your environment and a little bit of script development time.



To get all installed software in a Windows Domain or subnet range, you'll only need a few commands:

wmic os get name
Get the OS installed on the station

wmic os get servicepackmajorversion
Next, the Service Pack

wmic qfe list brief
And the list of patches and updates (QFE = Quick Fix Engineering)

wmic service list
Next, list the services installed

wmic product get vendor, name, version, installdate, packagecache, description, identifyingnumber
Finally, for all installed applications, list the information we might find useful in this context. Two caveats on this last one: the Win32_Product class behind "wmic product" only knows about software installed through the Windows Installer (MSI), so anything installed by other means won't show up here, and simply querying the class makes Windows run a consistency check against every MSI package on the host (repairing any it thinks are broken), which is slow and noisy in the Application event log. Run it at a quiet time of day rather than in the middle of the support call.









For all of these commands, we'll tack on a formatting option to pretty up the output, presenting the report in an HTML table:

/format:htable



Now, we have the bare bones of a script. Let's put it all together, in a short script we'll call inven.cmd (short for inventory).

inven will run all the associated reports, and drop them into a separate subdirectory named for each hostname being inventoried. (Note from the environment variables that I pulled this little script out of a much larger one.)





=========== inven.cmd =========

REM usage: inven.cmd <hostname> <userid> <password>
REM %1 is used both as the target host and as the name of the output directory.
REM HOSTNAME is the variable every /node: switch below refers to; keep the names matched.
set HOSTNAME=%1
set DIRNAME=%1
set UID=%2
set PWD=%3
md %DIRNAME%

REM patches and updates
wmic /output:%DIRNAME%\patches.htm /user:%UID% /password:%PWD% /node:%HOSTNAME% qfe list brief /format:htable

REM OS details (a single instance, so an HTML form rather than a table)
wmic /output:%DIRNAME%\os.htm /user:%UID% /password:%PWD% /node:%HOSTNAME% os list full /format:hform

REM installed (MSI-registered) applications
wmic /output:%DIRNAME%\products.htm /user:%UID% /password:%PWD% /node:%HOSTNAME% product get vendor,name,version,installdate,packagecache,description,identifyingnumber /format:htable

REM services
wmic /output:%DIRNAME%\services.htm /user:%UID% /password:%PWD% /node:%HOSTNAME% service list /format:htable

=============



Wait, but I said we'd run that for the entire Windows AD Domain - how do we do that?



First, get a simple list of all computers in the domain - we'll use DSQUERY for that. The easiest way to run this is from a Domain Controller. Note that I'm using cut to trim the output down to just the computer names - you can get cut by installing Microsoft Services for Unix (SFU), or use the GNU utilities like throwbacks like me (I'm still getting around to installing SFU everywhere I need it, whereas the GNU utilities are all self-contained exe's).



dsquery computer -s DCname -u domainname\administrator -p adminpassword -limit 10000 | cut -d , -f1 | cut -d = -f2 > hostlist.txt

(dsquery prints each computer's distinguished name, "CN=HOSTNAME,OU=...,DC=...", so the first cut keeps the CN= part and the second strips the CN= off the front; the redirect into hostlist.txt is what the loop below reads.)



(Note that dsquery server lists domain controllers only, not server-class computers in general. To pick out the servers, filter on the operating system attribute instead, e.g. dsquery * -filter "(&(objectCategory=computer)(operatingSystem=*Server*))" -attr cn -limit 10000.)
Now that we have inven.cmd and the list of hosts in hostlist.txt, let's combine them and get the full report, by creating DOMLOOP.CMD, which will contain a single line. (Note that USERID and PASSWORD will need rights to log in to the remote hosts and run the WMIC commands. Passing a domain password on the command line like this leaves it visible in process listings and in the command history of whatever box you run it from, so keep this to a dedicated admin workstation and use a dedicated inventory account with only the rights it needs, rather than the domain administrator.)
FOR /F %%G IN (HOSTLIST.TXT) DO CALL INVEN.CMD %%G USERID PASSWORD


Now, you say, what about malware? Oddly enough, lots of the malware out there (many of the FAKE-AV packages for instance) actually uses the Windows Installer and registers itself, so it shows up in the product list. You can find any apps that *don't* register using variations on dir c:\*.exe /s, or, if you are looking for hidden and/or system files, variants on attrib c:\*.exe /s (or whatever file type, not just exe's). Either way, treat the installer-based inventory as a baseline to compare against, not as a malware scan.



What's that, you have Linux stations and servers? Even easier - there are "only" about a dozen ways to get the same info out of Linux. I'll hit one method for each of the variants I normally see.



============ Redhat ==============


For startup services (and the runlevels they are configured to start in), use chkconfig --list

$ chkconfig --list

NetworkManager 0:off 1:off 2:on 3:on 4:on 5:on 6:off

abrtd 0:off 1:off 2:off 3:on 4:off 5:on 6:off

acpid 0:off 1:off 2:on 3:on 4:on 5:on 6:off

atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off

auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

avahi-daemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off

bluetooth 0:off 1:off 2:off 3:on 4:on 5:on 6:off

btseed 0:off 1:off 2:off 3:off 4:off 5:off 6:off

... and so on ...





to list all installed packages:

rpm -qa



libsepol-devel-2.0.41-3.fc13.i686

wpa_supplicant-0.6.8-9.fc13.i686

system-config-keyboard-1.3.1-1.fc12.i686

libbeagle-0.3.9-5.fc12.i686

m17n-db-kannada-1.5.5-4.fc13.noarch

pptp-1.7.2-9.fc13.i686

device-mapper-multipath-libs-0.4.9-14.fc13.i686

dracut-005-5.fc13.noarch

comps-extras-20-1.fc13.noarch

report-config-bugzilla-redhat-com-0.20-0.fc13.i686

PackageKit-gtk-module-0.6.6-2.fc13.i686

gsm-1.0.13-2.fc12.i686

perl-ExtUtils-ParseXS-2.20-121.fc13.i686

... (and so on)



for more information on a specific package, use rpm -qi

$ rpm -qi python

Name : python Relocations: (not relocatable)

Version : 2.6.4 Vendor: Fedora Project

Release : 27.fc13 Build Date: Fri 04 Jun 2010 02:22:55 PM EDT

Install Date: Sat 19 Mar 2011 08:21:36 PM EDT Build Host: x86-02.phx2.fedoraproject.org

Group : Development/Languages Source RPM: python-2.6.4-27.fc13.src.rpm

Size : 21238314 License: Python

Signature : RSA/SHA256, Fri 04 Jun 2010 02:36:33 PM EDT, Key ID 7edc6ad6e8e40fde

Packager : Fedora Project

URL : http://www.python.org/

Summary : An interpreted, interactive, object-oriented programming language

Description :

Python is an interpreted, interactive, object-oriented programming

language often compared to Tcl, Perl, Scheme or Java. Python includes

....

(and so on)





For more information, on all packages (perhaps too much), use rpm -qia







================ Debian, Ubuntu and the like ===================

To get a list of installed applications:



dpkg --get-selections

to get more information in the list:

dpkg -l
Name Version Description

====================================-===============================================-============================================

acpi-support 0.136.1 scripts for handling many ACPI events

acpid 1.0.10-5ubuntu2.1 Advanced Configuration and Power Interface e

adduser 3.112ubuntu1 add and remove users and groups

adium-theme-ubuntu 0.1-0ubuntu1 Adium message style for Ubuntu

adobe-flash-properties-gtk 10.3.183.10-0lucid1 GTK+ control panel for Adobe Flash Player pl

.... and so on ....



to get startups, I often just install chkconfig, and run it as on Redhat variants:

sudo apt-get install chkconfig

chkconfig --list

alternatively, sysv-rc-conf is another package that does this (it will also usually need an install):

sudo apt-get install sysv-rc-conf

sysv-rc-conf --list

Both of these only know about SysV init scripts. On any distribution that has moved to systemd (recent Fedora, RHEL, Debian and Ubuntu releases), the equivalent listing of services and whether they are enabled at boot is:

systemctl list-unit-files --type=service
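The scripts above write one report per host per run, but the support question at the top of the diary ("what was just installed?") and the security question ("what is out of date or not approved?") are both really questions about the difference between two runs. The following is an added example, not part of the original diary or of the GIAC paper: a small Python tool that parses the Windows product report in WMIC's CSV output (run the product query with /format:csv instead of /format:htable), rpm -qa output and dpkg -l output into name-to-version maps, diffs two snapshots, and flags anything not on an approved list. It serves both the Windows and the Linux sections above. The sample reports embedded in it are constructed for the example (the host PC01, the product names, GUIDs and versions are made up), and the approved list is an assumption you would replace with your own.

```python
"""Added example: diff software inventory snapshots produced by the diary's commands.

Parsers for three report formats give {package: version} maps; diff_inventory()
reports what was added, removed or changed between two runs, and unauthorized()
lists anything not on an approved list (the "authorized software" half of
Critical Control 2).  All sample data below is constructed for this example.
"""
import csv
import io


def parse_wmic_csv(text: str) -> dict:
    """Parse 'wmic product get name,version,... /format:csv' output.

    WMIC emits a blank first line, then a header beginning with Node, and it
    orders the properties alphabetically whatever order you asked for, so the
    parser looks columns up by name instead of by position.  Decode the file
    (WMIC writes UTF-16) before passing it in.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    reader = csv.DictReader(io.StringIO("\n".join(lines)))
    return {row["Name"]: row["Version"] for row in reader if row.get("Name")}


def parse_rpm_qa(text: str) -> dict:
    """Parse default 'rpm -qa' output: NAME-VERSION-RELEASE.ARCH.

    NAME may contain dashes, VERSION and RELEASE never do, so split from the
    right.  gpg-pubkey pseudo-packages carry no .ARCH suffix and no dots.
    """
    inv = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pkg = line.rsplit(".", 1)[0] if "." in line else line  # drop .ARCH
        name, version, release = pkg.rsplit("-", 2)
        inv[name] = f"{version}-{release}"
    return inv


def parse_dpkg_l(text: str) -> dict:
    """Parse 'dpkg -l' output, keeping packages whose status is ii (installed).

    Columns are status, name, version[, architecture], description; the header
    and legend lines never start with 'ii'.
    """
    inv = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii":
            inv[fields[1]] = fields[2]
    return inv


def diff_inventory(old: dict, new: dict) -> dict:
    """What changed between two snapshots of the same host."""
    return {
        "added": {n: new[n] for n in new.keys() - old.keys()},
        "removed": {n: old[n] for n in old.keys() - new.keys()},
        "changed": {n: (old[n], new[n]) for n in old.keys() & new.keys()
                    if old[n] != new[n]},
    }


def unauthorized(inv: dict, approved: set) -> set:
    """Installed packages that are not on the approved list."""
    return set(inv) - approved


# --- constructed sample reports: made-up host, products, GUIDs and versions ---
WMIC_MON = r"""
Node,Description,IdentifyingNumber,InstallDate,Name,PackageCache,Vendor,Version
PC01,Example Reader,{11111111-1111-1111-1111-111111111111},20110301,Example Reader,C:\Windows\Installer\1a.msi,Example Corp,9.4.0
PC01,Example Runtime,{22222222-2222-2222-2222-222222222222},20110301,Example Runtime,C:\Windows\Installer\2b.msi,Example Corp,6.0.260
"""
WMIC_TUE = r"""
Node,Description,IdentifyingNumber,InstallDate,Name,PackageCache,Vendor,Version
PC01,Example Reader,{11111111-1111-1111-1111-111111111111},20110301,Example Reader,C:\Windows\Installer\1a.msi,Example Corp,9.4.0
PC01,Example Runtime,{33333333-3333-3333-3333-333333333333},20111004,Example Runtime,C:\Windows\Installer\3c.msi,Example Corp,6.0.290
PC01,Totally Legit Toolbar,{44444444-4444-4444-4444-444444444444},20111004,Totally Legit Toolbar,C:\Windows\Installer\4d.msi,Unknown,1.0
"""
RPM_MON = "libsepol-devel-2.0.41-3.fc13.i686\npptp-1.7.2-9.fc13.i686\ndracut-005-5.fc13.noarch\n"
RPM_TUE = RPM_MON.replace("pptp-1.7.2-9", "pptp-1.7.2-10") + "gpg-pubkey-00000001-4b5b3c1f\n"
DPKG_SAMPLE = """Desired=Unknown/Install/Remove/Purge/Hold
||/ Name                Version            Description
+++-===================-==================-===========================
ii  acpid               1.0.10-5ubuntu2.1  Advanced Configuration and Power Interface event daemon
rc  old-package         0.1-1              removed, config files remain
"""
APPROVED_WINDOWS = {"Example Reader", "Example Runtime"}  # assumption: your own allowlist goes here


def report(label: str, old: dict, new: dict, approved: set) -> None:
    d = diff_inventory(old, new)
    print(f"== {label} ==")
    for kind in ("added", "removed", "changed"):
        for name, ver in sorted(d[kind].items()):
            print(f"  {kind:8} {name}: {ver}")
    for name in sorted(unauthorized(new, approved)):
        print(f"  NOT APPROVED {name}")


if __name__ == "__main__":
    report("PC01 (wmic)", parse_wmic_csv(WMIC_MON), parse_wmic_csv(WMIC_TUE), APPROVED_WINDOWS)
    report("fedora box (rpm)", parse_rpm_qa(RPM_MON), parse_rpm_qa(RPM_TUE), set(parse_rpm_qa(RPM_MON)))
    print(parse_dpkg_l(DPKG_SAMPLE))
```

On Linux, rpm -qa --qf '%{NAME}\t%{VERSION}-%{RELEASE}\n' and dpkg-query -W -f='${Package}\t${Version}\n' give you a tab-separated name/version list directly, which is more robust than splitting the default output the way parse_rpm_qa does; the parser is there because the diary's commands are the default ones. Store each day's snapshot centrally and run the diff against the previous one, and the "what changed yesterday?" answer is waiting before the Helpdesk call comes in.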

====================================================================================
Finally, we're interested in how you tackle the software inventory problem. Please use our comment form - let us know of any cool tools you use, or post any scripts you may have written to help out !



===============
Rob VandenBrink

Metafore (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Yes, Tuesday's Apple event will almost certainly center around iOS 5 and the iPhone, as both rumors and fact have intimated. But what about Apple's other planned fall unveiling, iCloud?
 
LightSquared may take legal action if it is denied permission to build its planned LTE network because of concerns over interference between that network and GPS, an executive said Monday.
 
Hewlett-Packard has secured enough shares of Autonomy to take control of the U.K. software company, HP announced Monday.
 
Banana Dance 'id' Parameter SQL Injection Vulnerability
 
iPhone 4 trade-in business has been very brisk at companies that buy older smartphones, an early indication of how Apple's next model will sell, the firms said.
 
Adobe plans to release six applications designed to be used exclusively on touch-based devices, including apps to execute creative tasks such as photo editing and Web page design, the company announced Monday.
 
Oracle's new Big Data Appliance should appeal to enterprises looking for more efficient ways to capture, organize and analyze vast amounts of unstructured data, analysts said.
 
Oracle is making the open-source MySQL database more stable and feature-rich through a shift in development philosophy, MySQL Vice President of Engineering Tomas Ulin said during a keynote address Monday at the OpenWorld conference in San Francisco.
 
Sprint is expected to get the iPhone 5 exclusively from Apple to run over its 4G Wimax network, according to a report Monday from BGR.com.
 
Just weeks after opening up membership to Google+, visits to the new social network are booming.
 
Puppet X.509 Certificate Signing Requests Directory Traversal Vulnerability
 
Puppet Multiple Security Vulnerabilities
 
Computer Associates Total Defense Multiple SQL Injection Vulnerabilities
 
The Kindle Fire tablet costs $209.63 for materials and manufacturing expenses, more than $10 above its $199 price tag, according to a virtual teardown by IT research firm IHS iSuppli.
 
Google updated Chrome over the weekend to help users affected by Microsoft's errant flagging of the browser as malware.
 
One feature of today's mostly electronic, mostly Internet world is that governments tend to assume that it is legally OK to do many things that they would never have considered to be OK in the pre-Internet world.
 
If Sprint joins AT&T and Verizon Wireless in selling iPhones, which company will have the greatest advantage? Answer: Apple.
 
Macworld will cover Apple's expected iPhone announcement as it unfolds from the company's Cupertino headquarters. Bookmark this page and check back at 1 p.m. ET on Tuesday
 
One thing became clear at Oracle's OpenWorld conference on Monday: The vendor is intent on drilling the benefits of its hardware-plus-software systems into a customer base that largely remains invested only in Oracle's applications, databases and middleware.
 
Cisco IOS Network Address Translation Multiple Denial of Service Vulnerabilities
 
Microsoft's Windows XP lost an unprecedented amount of online usage share last month, according to Web metrics firm Net Applications.
 
Coverity has updated its development testing suite so that its results can be displayed directly from within the HP Application Lifecycle Management (ALM) suite software, Coverity announced Monday.
 
Oracle unveiled the Big Data Appliance, the newest addition to its line of products that combine software and hardware, during the OpenWorld conference in San Francisco on Monday.
 
If Sprint joins AT&T and Verizon Wireless in selling the iPhones, which company will have the greatest advantage? Answer: Apple.
 
Adobe is planning to launch a series of Internet-hosted services, called Creative Cloud, designed for creators of digital content, the company said Monday.
 
Phorum 5.2.18 Cross-site scripting vulnerability
 
[SECURITY] [DSA 2314-1] puppet security update
 
DDIVRT-2011-34 Metropolis Technologies OfficeWatch Directory Traversal
 
DDIVRT-2011-36 Cybele Software, Inc. ThinVNC Product Suite Arbitrary File Retrieval
 
Cisco Identity Services Engine Database Default Credentials Security Bypass Vulnerability
 
In a Bloomberg Businessweek article, Google CIO Ben Fried reflects on the benefits of letting employees have their way with technology. Forrester Research agrees that IT managers should relinquish control, but not before methodically analyzing workers' wants and needs.
 
Watch out for whaling, smartphone worms and social media scams, not to mention attacks targeting your car and house.
 
Perl Fast CGI Module CGI Variables Authentication Security Bypass Vulnerability
 
Drupal Views Bulk Operations 'Modify node taxonomy terms' Action HTML Injection Vulnerability
 
Vulnerabilities in GenStat 14.1.0.5943
 
Vulnerabilities in Cytel Studio 9
 
Netvolution referer header SQL injection vulnerability
 
Facebook has partnered with security vendor Websense to protect its users from third-party malicious URLs spammed on the social networking website, the companies said on Monday.
 
Revelations by researchers over the weekend that several HTC Android phone models contain a "massive security vulnerability" are being examined by the mobile handset maker.
 
SonicWall Viewpoint v6.0 SP2 - SQL Injection Vulnerability
 
[ MDVSA-2011:142 ] mozilla-thunderbird
 
[ MDVSA-2011:141 ] firefox
 
[ MDVSA-2011:140 ] mozilla-thunderbird
 
Many firms rely on antivirus and antimalware technologies to address social networking risks, according to a survey by the Ponemon Institute.

 
[ MDVSA-2011:139 ] firefox
 
Elastix PBX Extensions Enumeration
 
It was one of THOSE gigs: an internal penetration test against a client that, considering the amount of personal information they held on their customers, should have been well prepared. And yet, we went from "you can plug your laptop in over there" to Domain Admin in... well, let's just say a shockingly small number of hours. And it just went downhill from there...



For me, writing up the resulting report triggered what I could only describe as a crisis of faith. While, as a security community, I don't fool myself that we have it all figured out, I had up until now strongly believed that we were making progress. And yet, I had just spent a week immersed in a corporate culture that seemed to have focused itself on so many higher-level security issues that the basics, the "Security 101" stuff, were just plain overlooked.



The more I thought about it, the more it bothered me. It wasn't some fancy-schmancy 'leet 0-day that let us take down this organization from the inside: it was stupid-simple low-hanging fruit. I spent a bit of time chatting over Twitter with the ever-insightful Brian Honan (@BrianHonan) and came to the conclusion that the security community may have reached an awkward age at which we're grown up enough to be focusing on the golly-gee/whiz-bang/cool stuff (vis-à-vis the APTification of all that passes for security discussion) and, as a result, we're neglecting the basic, Security 101 stuff that raised the bar in the first place.



Think about it: Over the past year, how many high-profile hacks have been the result of awesome cutting edge skillz? How many have happened because someone just flat-out did something dumb? Take a quick gander at back issues of SANS NewsBites and I think you'll be convinced as well: We truly are neglecting the basics.



Since October is Security Awareness Month, a few weeks back I sent out a call on Twitter for folks to submit pithy, 140-character-long chunks of Security 101 wisdom. Below, I've compiled the resulting list, along with the Twitter name of the submitter.



If you're feeling a little shaky on your security knowledge, then heeding this advice might just save your behind. Even if you're confident that you know it all, a quick review might have you discovering stuff you've inadvertently overlooked. Either way, I heartily recommend that you read (and heed) this advice. Also, if something particularly strikes your fancy, you might consider following the author on Twitter... you never know you might learn even more.
One last housekeeping note: I lightly edited these to remove some of the more blatant Twitterisms used to stuff big thoughts into limited character lengths. If anything got messed up, I'll take the blame.



@ChrisJohnRiley
If you can guess where PHPmyAdmin is installed, then so can attackers.


@DavidJBianco
You are already pwn3d. The question is, What will you do about it?


@Keldr1n
Don't leave default passwords on the administrative interfaces of your 3rd party web applications.


@Keldr1n
Know your network - and all devices in it - well enough to spot unusual activity.


@Keldr1n
Users are almost always the weakest link. Make it a priority to educate them. Do most of yours even know what phishing is?


@averagesecguy
Security 101: If you don't need it, turn it off.


@bowlesmatt
Passphrases are the new passwords. Make a sentence that is long, hard to guess, and easy to remember. ihatepasswordsseewhatididthere?


@bowlesmatt
Patch your systems and disable any unused services to reduce attack surface.


@bradshoop
Never trust a host you can't trust.


@bradshoop
Computers remember a lot. Even more if you contact security personnel before you reboot.


@bradshoop
Dedicate personnel to prevention AND detection. Preferably the same personnel in rotation to breed familiarity and contempt.


@connellyuni
It's more important to know what you don't know than it is to know what you do know.


@cutaway
Try to avoid saying "We are investigating... why equipment that we have a destruction certificate for was... sold online to the media."


@cutaway
Assets using secure authentication are directly and adversely impacted by your assets using plain text authentication.


@cutaway
Complacency: 1) Self-satisfaction especially when accompanied by unawareness of actual dangers or deficiencies. 2) You will be hacked.


@cutaway
Default SSL Certs for internal management interfaces should be replaced with valid certificates associated with the organization.


@cutaway
Don't be afraid of your incident response plan. Conducting investigations will give your team experience and eventually reduce costs.


@cutaway
How do you Find Evil in your organization? Seriously, go Find Evil and report back to me.


@cutaway
IT environments are complex systems. They require a System Development Life Cycle to effectively manage AND secure.


@cutaway
If your product allows remote connections somebody WILL write a python/perl/ruby script to connect to it and send whatever THEY want.


@cutaway
Monitor and alert to new accounts and accounts being added to Domain Administrator, SUDO, or root groups.


@cutaway
Product certification does not mean it has been deployed correctly. Review placement, logging, access, input validation, etc...


@cutaway
Service accounts should adhere to corporate password policies and be monitored for modifications including lockout.


@eternalsecurity
Make sure you're protecting the right thing. A belt AND suspenders doesn't help if you're not wearing pants.


@hal_pomeranz
A backup is not a backup until you do a restore. #sysadminkoan


@hy2jinx
Attack vectors and regulatory requirements change. "That's how we've always done it" is a poor and lazy excuse.


@hy2jinx
Scanner infos can turn up bigger issues than you'd guess. Look at overall results, not just singles.


@hy2jinx
Five missing patches across 100 devices does not equal five vulnerabilities.


@hy2jinx
It's cheaper to consult a security professional from conception than mere days before go live.


@hy2jinx
Security professionals should be empowered to point the business towards good decisions and reserve the power of No for a last resort.


@itinsecurity
In your encryption system, your key is the weakest link. If it isn't, you're doing it wrong.


@itinsecurity
Security is not a box you buy or an app you write. It's an emergent property, a sum greater than its parts.


@jarocki
Dear User: Millions of $$ of software won't keep you from clicking that link. Only YOU can prevent link clicking.


@jarocki
When it comes to security controls, Trust But Verify... nah, forget the Trust... just Verify.


@jimmyzatl
If you don't log accepts in your FW logs for admin protocols you will have no way of knowing when those accounts are abused.


@jimmyzatl
An encryption algorithm that has to be hid from the public is by definition a weak algorithm...


@ken5m1th
That successful PCI DSS Report On Compliance will not save you from Zombies.


@kentonsmith
When setting up any new system, Step 1: Change default admin password.


@kill9core
Security through obscurity, or the practice of hiding flaws hoping they won't be found, has proven time and time again not to work.


@mattdoterasmus
Just because your security teams work from 9-5, doesn't mean attackers aren't looking the rest of the time.


@omegadefence
The attitude that it won't or can't happen to us because we're too small/big/have nothing to offer is dangerous.


@omegadefence
The attitude that I can't do anything about it so I won't even bother with security or reporting is also dangerous.


@omegadefence
Analyse your logs in detail, it is those with their heads buried in your logs that hold the key to prevent, detect and recover.


@omegadefence
Give only the permissions required to do the normal daily duties, nothing more. Special logons for special occasions.


@omegadefence
Best: using high-speed trend analysis with custom searches as well as automated reporting AND followup.


@rob_bainbridge
Security teams that work in isolation and without transparency will fail. Collaborate with other risk mgmt - audit, ops risk, etc...


@tccroninv
Those that store passwords in plain-text invite catastrophe.


@tliston
"We can't implement strong passwords/two-factor authentication. Our users aren't capable," says more about your competence than theirs.


@tliston
Developers: Never roll your own encryption, authentication or session management schemes. You're not that smart. Trust me.


@tliston
If you don't have written authorization to perform security-type testing in your organization, don't. You're too pretty for prison.


@tliston
If you're not putting as much thought into your outbound firewall rules as you are for your inbound rules, you're doing it wrong.


@tliston
If you're not supporting a legacy Windows OS, for the love of all that is Holy, turn off LANMAN hashes.


@tliston
If you've never tested restoring from your backups, then you don't have backups - you have a crapload of data and hope.


@tliston
If your internal security posture is based on "our employees wouldn't know how to do that", then you're likely already 0wned.


@tliston
Remember: As an attacker, I exploit misplaced trust. There's nothing mystical or magical about it.


@tliston
Run scans against your network. It's the only way to really know what's out there. I've yet to see a fully accurate network diagram.


@tliston
Sanity check security spending. A $500 lock on a cheap wood door doesn't buy security. It just gives a thief something to laugh at.


@tliston
Security isn't just about preventing compromise. It's about maintaining confidentiality, integrity and availability despite compromise.


@tliston
Security-through-obscurity doesn't work against anything with intelligence, but there's lots of dumb sh*t out on the 'net.


@tliston
Taking nude photos of yourself? Don't store them on an always-connected device with little-to-no security. #forscarlett


@tliston
Teach your users not to click on unknown links. DON'T send links to your users in email. More info: http://t.co/bdNTRI3O


@tliston
Web developers: Give the exact same answer whether you're given a bogus username or password on logins. EXACT. SAME. ANSWER.


@tliston
WebApp Devs: Just because you have a SELECT with A, B, C, D as options doesn't mean you'll only ever get A, B, C, or D back.


@tliston
Webhosting Companies: Web servers shouldn't be making many *outbound* connections. TCPDump is your friend.


@tliston
Your organization's AUP should explicitly prohibit Copyright abuse. You do HAVE an Acceptable Use Policy, right?


@tliston
Centralize your logging - you have no idea how helpful it will be.


@tliston
Companies who use the same Windows Local Admin password on large numbers of machines are ripe for picking by malicious insiders


@tliston
Developers: Input, even data you think you control, can never be trusted. Consider all input a threat and process accordingly.


@tliston
Diligent change management practices have saved more asses than a Beverly Hills plastic surgeon.


@tliston
Ensure that user accounts are disabled as part of your termination process. Audit all accounts at least semi-annually for misses.


@tliston
High privilege level accounts should be used only for administrative functions, not for day-to-day activities.


@tliston
High privilege level accounts should have kick-ass passwords or two factor authentication. Or both.


@tliston
If at all possible, disable password authentication for SSH. SSH is a huge brute force target. Keys are your friend.


@tliston
If it plugs into your network, know why. The last thing you ever want to hear an admin say is, "That thing has a web interface?!?"


@tliston
Learn how to manipulate text files. Learn how to use sed, cut, wc, and grep as a minimum. Text is your friend.


@tliston
Logging authentication failures is NOT enough. Log successes and failures.


@tliston
Mr. CxO: Your employees are not a family. Some are untrustworthy. FYI: Some of the people in your real family are pretty sketchy too.


@tliston
Never rely on the fact that you own anything: data, a communication path, etc... If you do - I 0wn it, I 0wn you. Trust nothing.


@tliston
Nothing is more important to the long-term survivability of your organization than a fully functional backup process.


@tliston
Packets to or from RFC-1918 addresses should not be allowed to traverse your border firewall in either direction.


@tliston
Passwords are no longer security measures. They are merely speed-bumps. Treat them accordingly.


@tliston
Physical access trumps most security measures.


@tliston
Remember to always think in terms of defense in depth. A belt AND suspenders is always better than a belt OR suspenders.


@tliston
Shared accounts are never a good idea.


@tliston
Telnet, FTP, and any other clear-text protocol developed in simpler, more naive times has no business on a modern network.


@tliston
There is no excuse - NONE - not to use full disk encryption on laptops. Data breaches due to lost/stolen laptops are inexcusable.


@tliston
Unencrypted WiFi is never secure. WEP = Unencrypted WiFi. Trust me. Stop using it. Now. Really.


@tliston
Web Developers: Remove comments from your production website code. They serve NO purpose and can give away too much info.


@vaudajordan
Total loss of Sony Breach $171M, I wonder how many salaries, code reviews, software, hardware that could have bought.


@zanis1
Assign only those privileges that are required to do the job.



Also, I want to extend a great big thank you to all of the people who submitted these tweets using the #sec101 hash tag. I tried really hard to grab them all... If I missed anyone, I apologize.
Tom Liston

Senior Security Consultant, InGuardians, Inc.

Handler: SANS ISC
Note: Matt (@0xznb) has kindly made a fortune-mod zip file available here of the #sec101 wisdom.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Yahoo, looking to fight its way back to being an A-list online player, announced today that it is teaming up with ABC News
 
Back in the day, downloading software over the Internet and installing it was only for the most techy among us. Paying for that software was even more outlandish. But since Apple launched the App Store in 2008, users of the iPhone, iPod touch, and iPad have discovered that shopping for, downloading, and even paying for software isn’t just easy, but fun.
 
Fusion-io today released the first upgrade to its flash drive hardware in four years, increasing throughput to 3GBps and the capacity of a full-length flash card to 2.4TB.
 
Toshiba announced a new home media server with five terabytes of storage on Monday. It has enough capacity to store 15 days of digital TV broadcasts from six channels.
 
Security researchers say they've uncovered a flaw in several smartphone models produced by HTC that gives any application that has Internet access the keys to a trove of information on the phone, including e-mail addresses, GPS locations, phone numbers, and text message data.
 

Infosec world remembers Dr. Eugene Schultz
CSO (blog)
by CSO, Salted Hash – IT security news analysis, over easy! Dr. Eugene Schultz, respected veteran of the information security scene, passed away over the weekend. He's been enormously helpful to me in the past, breaking down complex security issues in ...

 
Smartphones and tablets are demanding more computing power, and chip company Adapteva hopes to bring server-type performance to the devices with a chip it is announcing on Monday.
 
The tech inferno is not buried deep within the earth -- it's just down the hall. Let's take a tour
 
Airlines and financial services firms have their own clouds, or will shortly. Here's what you need to consider before jumping.
 
There's heightened interest in agile BI, a rapid development methodology for creating BI systems that involves the end user as early and as often as possible -- and thus saves time and effort. Insider (registration required)
 
Jack Ma, chairman and CEO of Alibaba Group, said on Friday at an event at Stanford University that he was interested in acquiring Yahoo, according to reports, making this the first public overture by the Chinese company which is about 40 percent owned by Yahoo.
 
(This is a bit longer diary; if you are just interested in the conclusion and recommendations, skip below to the "Is SSL broken?" section. I recommend that you read the whole diary and let us know if you have any comments.)
Unless you've been hiding on a deserted island, you've heard about the latest attack on SSL, named BEAST. We wrote several diaries (first, second, third) on this topic. I got very interested in the attack and finally had some time to go through all the details.
So, first of all, big props to Duong and Rizzo for implementing this in practice. While the idea itself is really cool (a bit more about it below), the implementation is what really impressed me, along with all the effort they invested into the research.
Some basics about the attack
As has already been written in a million places, the BEAST attack targets SSL 3.0 and TLS 1.0, in particular their implementation of Cipher-block chaining (CBC) mode for block encryption algorithms.
This is probably the most widely used mode for block encryption algorithms today, so it is obvious that any attack on it (and on SSL/TLS overall) can have a huge impact.
In a nutshell, BEAST very cleverly uses predictable IV (initialization vector) values in order to set up particular input values for SSL. By very carefully modifying these input values, the attacker can use BEAST to guess the value of 1 byte in an encrypted block. Block encryption algorithms fragment input messages into blocks, usually 8 or 16 bytes long.
The IV is initially a random number; every following block then uses the previous cipher text block as its IV. The IV is XORed with the input plain text, and this produces the input for the encryption algorithm. So normally, in CBC mode, encrypted block C4 = encryption (C3 XOR P4), where C is an encrypted block and P is a plain text block.
According to this, the last block's (CN) IV will be CN-1: CN = encryption (CN-1 XOR PN). Duong and Rizzo cleverly used this: they leave the channel open and append the next block (N+1), whose content is derived from one of the previous blocks. Imagine that we supply P4 (with only 1 byte modified), XORed with CN and with its original IV C3:
CN+1 = encryption ( CN XOR ( CN XOR C3 XOR P4 ))
This results in:
CN+1 = encryption ( C3 XOR P4)
For which we know the result, as it is C4! Now, if we can influence P4 so that only one byte remains to be guessed (by supplying, for example, 7 known bytes), we can try to guess what the last byte was: if CN+1 is equal to C4, we guessed the byte; otherwise we didn't.
This is just a brief overview; for more information read the leaked paper, it is written very well.
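The chaining identity above (CN+1 = encryption (CN XOR (CN XOR C3 XOR P4)) = encryption (C3 XOR P4) = C4) carried through in code, as an added Python example that is not part of the diary or of Duong and Rizzo's tool. The block cipher is a keyed-hash stand-in, and the key, IV and request text are constructed; the example also shows why an unpredictable per-record IV, as in TLS 1.1, removes the cancellation the check depends on.

```python
import hashlib
import hmac
import os

BLOCK = 8  # 8-byte blocks, as in the diary's example (constructed value)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_block(key, block):
    # Stand-in for the block cipher E_k (assumption, not a real cipher): a keyed
    # PRF truncated to one block. The chaining algebra only needs E_k to be
    # deterministic, so this is enough to illustrate the point.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def cbc_encrypt(key, iv, blocks):
    # Plain CBC: C_i = E_k(C_{i-1} XOR P_i), with C_0 = IV.
    out, prev = [], iv
    for p in blocks:
        prev = enc_block(key, xor(prev, p))
        out.append(prev)
    return out

def crafted_block(cipher, iv, i, guess):
    # The diary's P' = C_N XOR C_{i-1} XOR guess; all three are visible on the wire.
    c_prev = iv if i == 0 else cipher[i - 1]
    return xor(xor(cipher[-1], c_prev), guess)

def guess_verifies(key, iv, plain, i, guess, fresh_iv=False):
    """Append P' to the open session and compare C_{N+1} with C_i.
    fresh_iv=False: SSL 3.0 / TLS 1.0, the next record chains off C_N, so
      C_{N+1} = E_k(C_N XOR P') = E_k(C_{i-1} XOR guess), equal to C_i iff guess == P_i.
    fresh_iv=True: TLS 1.1, an unpredictable per-record IV replaces C_N, the
      cancellation no longer happens and the comparison tells the attacker nothing."""
    cipher = cbc_encrypt(key, iv, plain)
    p_crafted = crafted_block(cipher, iv, i, guess)
    chain = os.urandom(BLOCK) if fresh_iv else cipher[-1]
    return enc_block(key, xor(chain, p_crafted)) == cipher[i]

def recover_last_byte(key, iv, plain, i, known7):
    """Try every value for the 8th byte of block i, its first 7 bytes being known.
    Returns (byte, tries): each try is one appended block, hence the diary's
    1/256 chance per guess and 128 blocks on average."""
    for b in range(256):
        if guess_verifies(key, iv, plain, i, known7 + bytes([b])):
            return b, b + 1
    return None, 256
```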
Guessing HTTP values
As you've seen above, the attacker can now guess byte by byte. With HTTP, creating this boundary is actually simple since we know what each HTTP request will look like:
GET /AAAAA HTTP/1.1<crlf>
Header
If we want to guess the first character of Header, we can make the previous line 23 bytes long (if blocks are 8 bytes each):
GET /AAAAAAA HTTP/1.1<crlf>H
Notice how H now lands as the last byte of the 3rd block, with every other byte of that block known. The attacker also knows the content of the first two blocks and can try to guess that character by using the attack described above.
Attack prerequisites and implementation
As if the attack itself was not impressive enough, Duong and Rizzo managed to actually do all this in the browser. Let us revisit what they have to do for this attack:
1) They need to pull off a MITM attack on the victim. This is needed for two things: first, they need to monitor the network traffic in order to guess bytes. Second, they need to somehow influence the browser to make it issue requests such as the one shown above that will let them do the guessing. For the demo they used a Java applet, but there are other ways of exploiting this (more below).
2) Once they have injected the Java applet into the victim's browser, they wait for the victim to log in to the target site. Now the Java applet will open an SSL connection to the target site and send a specially crafted request as above (i.e. GET /AAAAAAA). The SSL connection must stay open so they can feed new blocks in real time as they monitor network traffic. This will allow them to guess the content of bytes encrypted by the browser. So, their oracle in this case is the browser itself; the web server that they are attacking is irrelevant, it is the victim's browser that lets them guess encrypted content.
As you can see from 2), the crucial requirement is that the SSL connection stays open (so they are able to append the data and use the last block as the IV). This proved to be very difficult to do (and is one of the things in Duong's and Rizzo's research that impressed me the most).
There are many ways to open a new connection from a browser. The easiest is to use JavaScript's XMLHttpRequest (XHR). There are some limitations here though. First, Internet Explorer does not support XMLHttpRequest level 2 (which is needed in order to send cookies) and instead has an XDomainRequest object. XDomainRequest will never send cookies, so, in theory, Internet Explorer users are more protected than Mozilla Firefox or Chrome users (is this a first or what!?!).
Firefox and Chrome support XHR level 2. It is worth pointing out here that the attacker is not able to read the response through active scripting, because the server will not set the correct Access-Control-Allow-Origin header, but the attacker does not care about that since he just wants to use the browser as an oracle for guessing encrypted content. Similarly, cookie settings such as Secure or HttpOnly will not help against this attack (but will against others).
The biggest problem with this, it appears, is that XHR cannot be used to create streaming requests, which are needed to perform the guessing (the attacker needs to be able to append those pre-calculated blocks to a request). Many other possible exploitation vectors, such as plain IFRAMEs, WebSockets or Silverlight, have similar issues that prevented Duong and Rizzo from using them. Keep in mind that this does not mean these are safe against BEAST, just that current attempts to use them failed.
Is SSL broken?
Simple question, simple answer: NO. As you can see above, there are many prerequisites that the attacker needs to satisfy in order to conduct the BEAST attack.
While the attack is inherent to CBC-mode block encryption, it requires the attacker to be able to append these specially crafted input blocks into an active session. In other words, it is very difficult, or impossible, to exploit BEAST against other protocols that use SSL, such as POP3S, IMAPS and similar. Duong and Rizzo did it with browsers because there are many scripting (extending) possibilities with browsers and the HTTP protocol.
A couple of things I would suggest doing:

- Be careful about switching to TLS 1.1 or TLS 1.2, because you might break things for many clients. While this definitely fixes the vulnerability, be very careful.
- Prefer RC4 over CBC ciphers. RC4 also has its own issues, but just the fact that Google prefers RC4 says something too. You can use the nice sslscan utility to see what ciphers are supported by a server; here are the results for mail.google.com:

# sslscan --no-failed mail.google.com:443
Version 1.8.2
http://www.titania.co.uk
Copyright Ian Ventura-Whiting 2009

Testing SSL server mail.google.com on port 443

Supported Server Cipher(s):
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5

Prefered Server Cipher(s):
SSLv3 128 bits RC4-SHA
TLSv1 128 bits RC4-SHA
- Do not accept unsigned Java applets or allow them to run. You should always do this, not only in this case. The same goes for any other active technology.
- When accessing sensitive sites, close all browser windows (not tabs, all windows), open a fresh new one and use it only to access the sensitive site. After you're done, close it again and reopen it for further surfing. This should make exploitation a bit more difficult, but keep in mind that as of Java 6 Update 10 an attacker can potentially trick a victim into dragging applets out of browser windows so they continue running after the browser is closed (I'm not sure if this can be used to help BEAST).
- If you are the owner of a sensitive server, keep an eye on errors on your server. The BEAST attack needs to issue quite a few requests (generally each byte has a 1/256 chance of being guessed, so on average 128 blocks need to be appended to a single request). One request is needed per byte, so if you see a lot of 404 requests with similar patterns (/AAAAA) that should raise some flags. Of course, you should always monitor and correlate your logs, not only now :)
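A detection sketch for the last recommendation, as an added Python example that is not part of the diary: it counts, per client, the 404 responses to paths made of one repeated character and flags clients above a threshold. The combined log layout, the threshold and the log lines themselves are assumptions and constructed sample data.

```python
import re
from collections import Counter

# Combined log format (assumed layout): client, identity, user, [timestamp],
# "METHOD PATH PROTOCOL", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)
# A path that is one character repeated, e.g. /AAAAAAA: the padding the diary
# describes. Its length varies as the attacker re-aligns the block boundary.
PADDED_PATH = re.compile(r'^/(.)\1{3,}$')

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def padded_404s(lines):
    """Count 404 responses to padding-only paths, per client IP."""
    hits = Counter()
    for line in lines:
        r = parse_line(line)
        if r and r["status"] == "404" and PADDED_PATH.match(r["path"]):
            hits[r["ip"]] += 1
    return hits

def flag_clients(lines, threshold=20):
    # The threshold is a tuning assumption; the diary only says "a lot".
    return sorted(ip for ip, n in padded_404s(lines).items() if n >= threshold)

# Constructed sample (documentation addresses): one client issuing a stream of
# /AAA... requests that all 404, and one ordinary client with a single typo.
SAMPLE = [
    '203.0.113.7 - - [03/Oct/2011:10:00:%02d +0000] "GET /%s HTTP/1.1" 404 213'
    % (i, "A" * (5 + i % 8))
    for i in range(40)
] + [
    '198.51.100.9 - - [03/Oct/2011:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.9 - - [03/Oct/2011:10:01:05 +0000] "GET /AAAA HTTP/1.1" 404 213',
]

if __name__ == "__main__":
    print(padded_404s(SAMPLE))
    print("flagged:", flag_clients(SAMPLE))
```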
In the end, I must again admit I like the attack a lot - the idea is really cool, and it is amazing how they came up with everything. That being said, as you can see above, there are a lot of prerequisites for successful exploitation, so I don't think that the resulting risk is very high at the moment.


(Small update): There have been some comments about recommending RC4. While there have been plenty of bad/broken/failed implementations of RC4 (take a look at WEP), US-CERT is also recommending that RC4 be prioritized, in their advisory available at http://www.kb.cert.org/vuls/id/864643.
--

Bojan

INFIGO IS

@bojanz on Twitter
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 

Posted by InfoSec News on Oct 03

http://www.theregister.co.uk/2011/09/30/nats_switch_fail/

By John Leyden
The Register
30th September 2011

A switch with networking configurations and passwords for the UK traffic
control centre was offered for sale on eBay, raising serious security
concerns.

The £20 Cisco Catalyst switch was bought by security consultant Michael
Kemp, co-founder at Xiphos Research Labs, who quickly discovered that it
has been used at the National Air...
 

Posted by InfoSec News on Oct 03

Takedowncon 2, December 2-7 in Las Vegas, will focus on mobile &
wireless security. Takedowncon - organized by EC-Council - is a new
series of topic-specific IT security events that takes deep technical
dives into the hottest security segments. The format consists of
hands-on training, a two-day conference and exhibits. TDC is designed
for researchers, engineers and technical managers. Register early for
the best rates. Register with...
 

Posted by InfoSec News on Oct 03

http://www.nj.com/mercer/index.ssf/2011/09/switcheroo_could_have_landed_t.html

By Alex Zdan
The Times
September 30, 2011

LAWRENCE -- A duo of enterprising thieves who took a nearly $150,000
Porsche for a test drive Monday may have returned that night to steal
the car after they passed a set of dummy keys to the salesman, police
said.

The four-door Porsche Panamera was stolen off the lot of Princeton
Porsche on Route 1 sometime between the...
 

Posted by InfoSec News on Oct 03

http://www.computerworld.com/s/article/9220398/Update_Data_breach_affects_4.9M_active_retired_military_personnel

By Jaikumar Vijayan
Computerworld
September 29, 2011

Sensitive data including Social Security Numbers, names, addresses,
phone numbers and personal health data belonging to about 4.9 million
active and retired U.S. military personnel may have been compromised
after backup tapes containing the data went missing recently.

The...
 

Posted by InfoSec News on Oct 03

http://www.telegraph.co.uk/finance/newsbysector/retailandconsumer/8797993/Betfair-is-in-for-a-rough-ride-over-data-theft.html

By Alistair Osborne
Telegraph
30 Sep 2011

Among 13 pages of risk factors was the generic heading: "Failure to
adequately protect customer account information could have a material
adverse effect on Betfair."

In one sentence the betting exchange, then shooting for a £1.39bn
valuation, admitted it had...
 

Posted by InfoSec News on Oct 03

http://www.dailypioneer.com/pioneer-news/todays-newspaper/10751-ntros-ethical-hackers-to-conquer-china.html

By Rakesh K Singh
New Delhi
The Pioneer
03 October 2011

The NTRO is a tactical intelligence gathering agency that relies on technology
for collection of information for securing the country’s security interests,
including threats to critical infrastructure and reports directly to the Prime
Minister’s Office.

The plan, sources...
 

Posted by InfoSec News on Oct 03

========================================================================

The Secunia Weekly Advisory Summary
2011-09-22 - 2011-09-29

This week: 74 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia...
 
Mozilla Firefox CVE-2011-2997 Remote Memory Corruption Vulnerability
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2011-3232 YARR Remote Code Execution Vulnerability
 
Mozilla Firefox and SeaMonkey CVE-2011-3002 Remote Buffer Overflow Vulnerability
 
Adobe Photoshop Elements CVE-2011-2443 Multiple Memory Corruption Vulnerabilities
 