InfoSec News

Notorious spam king Sanford Wallace is facing federal fraud charges for allegedly breaking into Facebook accounts and sending 27 million spam messages in 2008 and 2009.
 
 
 
Flash storage vendor Fusion-io has agreed to buy IO Turbine for up to $95 million to extend its on-server cache products to virtualized environments.
 
U.K. startup Movirtu plans to help 3 million or more people in poor countries use mobile services by giving them personal phone numbers, not phones.
 
For those of you who weren't at SANSFIRE 2 weeks ago, this was the title of the talk I gave there. At the time, I said I wanted to start a dialog with our readers, so this evening I'd like to start that. At the IPv6 summit just before SANSFIRE, I heard IPv6 referred to as Y2K without the hard deadline and, in some ways, I have to say I agree with that. I've spent the last few months looking at my automated malware analysis environment and the honeypots/honeynets that I am responsible for at the day job and working on updating them to handle IPv6 traffic. In some cases, I will need some hardware upgrades before I can continue too far down that road (old boxes that happily run XP SP2 with 256 MB of memory aren't nearly as happy when you try to throw Win7 on them). In the meantime, I started looking at the tools that I use and whether or not they can handle IPv6. I have broken the tools down into a couple of categories (that seem useful to me). Then I looked at the tools that I am currently using, or have used in the (recent) past, to accomplish these tasks and examined them to see how they fared with regard to IPv6. I wasn't sure when I began this process what I would find. I guess I was, mostly, pleasantly surprised that most of the tools could handle IPv6 to some degree, at least if I updated to the current version. I knew that most of the tools/scripts that I had written didn't handle IPv6, and in several cases I have done a first cut at adding IPv6 support (the links to the updated tools are at the bottom of this diary). They still need more work, especially with respect to handling optional extension headers (hop-by-hop, routing, destination, etc.). I expect to finish the clean up of those in the next few weeks. There are too many tools that I looked at to cover in one diary, but let me look at a few of them now and I'll continue with the rest of them during my next shift.

Infrastructure

RHEL4 - yes, I know this isn't the current version of Red Hat, but it was the corporate standard when the malware environment was first set up, so that is what I was using. Unfortunately, it has some significant shortcomings w.r.t. IPv6, mostly around ip6tables, which I'll get to below, so I rate this one a FAIL
XP SP2 - yes, again, not the current version, but it worked well with the old hardware. I know it is possible to do IPv6 with XP, but I haven't bothered to look at what it actually takes; we decided that this was a good excuse to upgrade, too, especially since many enterprises are moving to Win7 as the desktop of choice (skipping over Vista). FAIL?
Ubuntu 10.10 - This is the OS I use for a lot of my throwaway VMs and was the Linux distro I used to get my feet wet with IPv6, so this one goes down as a WIN
Win7 - handles IPv6 quite nicely out of the box, so we'll be updating the honeypots and client machines to it in the near future. WIN


Network Monitoring

tcpdump - works just fine (though keep in mind that the 'ip' and 'ip6' BPF filters examine the layer 2 frame for the type of layer 3 traffic, so ip != ip6). WIN
wireshark/tshark - also handle IPv6 just fine. WIN
ipaudit - this is an old tool that I had been using to generate a 'flow' summary from the pcap. It has not been actively maintained for a number of years and does not handle IPv6. FAIL
argus - given the failure of ipaudit, I looked at some of the other tools I was already using to see if they could fill the gap, and argus works great as long as you are using at least version 3.0. WIN
ngrep - unfortunately, though I love this tool, it doesn't handle IPv6 at all. It doesn't look like it is being actively supported anymore, though I will send in a bug report to the SourceForge group. If I get the time, I may look at providing the patch myself. FAIL
pngrep.pl - I had already written a 'sort of ngrep workalike' in Perl because I needed to be able to print out something other than dots for the non-ASCII stuff in the packets. This is one of the ones that I've updated to be able to do some IPv6, but it still needs some more work. WIN
dnsdump.pl - Another of my scripts, which pulls out just the DNS traffic and gives it to me in a PSV file. This is another that I updated, but it still needs some work. WIN
httpry - this is a nice tool that finds HTTP traffic on any port and can summarize it. I was disappointed to discover that it doesn't handle IPv6. I've sent an e-mail to the author, but haven't heard back yet on whether he plans to support it in the future. If he doesn't, I'll need to find (or write) another tool that does this useful task. FAIL?
fauxdns.pl/fauxsmtp.pl/smtp-sink - In my paper from 2009, I mentioned that I was using Joe Stewart's faux*.pl scripts for my emulated internet. That is still largely true. Joe doesn't have any intention of supporting these scripts and I frankly haven't put much effort into them yet, but I am using the smtp-sink program from Postfix to absorb outbound spam and that handles IPv6 quite nicely, so I guess I rate this as FAIL/FAIL/WIN (but the FAILs are on me)
netflow tools - this is an area that I haven't really looked into much. I know that NetFlow v9 can do IPv6, so any tools that can handle v9 NetFlow can probably handle IPv6 flows. Some of my old standbys, though, were written in the mid-90s (Mark Verber's flow-tools stuff) and that definitely does not, so ????
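Two of the points in this section, that tcpdump's 'ip' and 'ip6' primitives decide on the layer 2 EtherType rather than anything inside the IP header, and that a script updated for IPv6 has to walk the optional extension headers (hop-by-hop, routing, destination, and friends) before it knows which transport protocol it is looking at, come together in the following Python example. It is added here as an illustration and is not code from the diary or from the author's pngrep.pl/dnsdump.pl scripts; the sample frames, the 2001:db8::1/2001:db8::2 addresses and the port numbers are constructed for the example.

```python
"""Classify an Ethernet frame the way BPF 'ip'/'ip6' does, then walk IPv6
extension headers to find the upper-layer protocol. Added example code."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_VLAN = 0x8100

# IPv6 next-header values for the extension headers we can step over
# (RFC 2460 hop-by-hop/routing/fragment/destination, RFC 4302 AH).
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
SKIPPABLE = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
# ESP (50) is deliberately absent: everything after it is encrypted, so the walk stops.


def classify_frame(frame):
    """Return (kind, l3_packet) with kind in 'ip', 'ip6', 'other'.

    This is the layer 2 decision tcpdump's 'ip' and 'ip6' primitives make:
    the EtherType alone says which family the frame carries.
    """
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == ETHERTYPE_VLAN:                 # 802.1Q tag: real EtherType follows
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    kind = {ETHERTYPE_IPV4: "ip", ETHERTYPE_IPV6: "ip6"}.get(ethertype, "other")
    return kind, frame[offset:]


def parse_ipv6(packet):
    """Walk the extension-header chain; return (src, dst, upper_proto, payload)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_hdr = struct.unpack("!HB", packet[4:7])
    src = socket.inet_ntop(socket.AF_INET6, packet[8:24])
    dst = socket.inet_ntop(socket.AF_INET6, packet[24:40])
    end = 40 + payload_len
    if end > len(packet):
        raise ValueError("payload length exceeds packet")
    offset = 40
    while next_hdr in SKIPPABLE:
        if offset + 8 > end:
            raise ValueError("truncated extension header")
        nh, ext_len = packet[offset], packet[offset + 1]
        if next_hdr == FRAGMENT:
            size = 8                       # fixed size; the length byte is reserved
        elif next_hdr == AH:
            size = (ext_len + 2) * 4       # AH counts 32-bit words, minus 2
        else:
            size = (ext_len + 1) * 8       # the rest count 8-octet units, minus 1
        if offset + size > end:
            raise ValueError("extension header overruns packet")
        offset += size
        next_hdr = nh
    return src, dst, next_hdr, packet[offset:end]


def is_well_formed_ipv6(packet):
    """True when the header chain can be walked without running off the packet."""
    try:
        parse_ipv6(packet)
        return True
    except ValueError:
        return False


def summarize_frame(frame):
    """One-line 'flow' style summary: family, addresses, protocol and ports."""
    kind, packet = classify_frame(frame)
    if kind != "ip6":
        return {"kind": kind}
    src, dst, proto, payload = parse_ipv6(packet)
    info = {"kind": kind, "src": src, "dst": dst, "proto": proto}
    if proto in (6, 17) and len(payload) >= 4:    # TCP/UDP: ports are the first 4 bytes
        info["sport"], info["dport"] = struct.unpack("!HH", payload[:4])
    return info


def build_sample_frame():
    """Constructed frame: Ethernet -> IPv6 -> Hop-by-Hop -> Dest Opts -> TCP SYN to 6667."""
    hop_by_hop = bytes([DEST_OPTS, 0, 1, 4, 0, 0, 0, 0])     # next=60, len=0, PadN(4)
    dest_opts = bytes([6, 0, 1, 4, 0, 0, 0, 0])              # next=6 (TCP), len=0, PadN(4)
    tcp = struct.pack("!HHIIBBHHH", 49152, 6667, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    payload = hop_by_hop + dest_opts + tcp
    src = socket.inet_pton(socket.AF_INET6, "2001:db8::1")
    dst = socket.inet_pton(socket.AF_INET6, "2001:db8::2")
    ipv6 = struct.pack("!IHBB", 0x60000000, len(payload), HOP_BY_HOP, 64) + src + dst + payload
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ipv6


def build_sample_ipv4_frame():
    """Constructed minimal IPv4 frame, so the EtherType dispatch can be seen."""
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       socket.inet_aton("192.0.2.1"), socket.inet_aton("192.0.2.2"))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ipv4


if __name__ == "__main__":
    print(summarize_frame(build_sample_frame()))
    print(summarize_frame(build_sample_ipv4_frame()))
```

The transport protocol of the sample frame is not visible in byte 6 of the IPv6 header (which says hop-by-hop), which is exactly why a tool that only reads the fixed header reports the wrong protocol or misses the ports; the walk also refuses to follow a chain that runs past the stated payload length, since a malformed chain is a common way to confuse parsers.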


Firewalls

ip6tables - one of the big issues with RHEL4 was that the kernel was simply too old. Even though there is IPv6 support there, ip6tables was not stateful in older 2.6.x kernels. Rather than try to figure out which RHEL/Fedora/CentOS version would work, I ditched those and used what I knew worked from my trials at home. I went with 10.10 because that was the current Ubuntu version when I started this; I'm sure 11.04 would work just as well (as would 10.04, since it is an LTS release). The one remaining issue with ip6tables is that they have removed the 'nat' table. I don't want to get into any arguments about NAT; I know it isn't supposed to be necessary in IPv6. My problem is that since I'm emulating the entire internet, I was NAT-ing just about everything to my server transparently. I still see a need for that. Fortunately, I've found an ip6tables extension that works via the QUEUE mechanism in user space to put NAT back into ip6tables, so this works for me. WIN-ish
Checkpoint - It has been a number of years since I was a Checkpoint firewall admin, but I know folks who continue to use Checkpoint in environments where they are turning up IPv6, so I assume the support is really there (not just marketing hype), but I'll call this one ????
Cisco ASA - As above, I haven't admined a Cisco firewall in a number of years, so I'll defer to you folks on this one. ????


Packet Crafting

hping2/hping3 - probably my favorite tool for quick and dirty packet crafting has long been hping because I could set everything on the command line. Alas, I see postings on mailing lists going back to at least 2003 asking when hping3 would get IPv6 support, and it still isn't there. I'll check one more time with hping.org, but I suspect I'll be using another tool when I want to craft IPv6 traffic. FAIL?
sendip - the other command line tool that I sometimes used was sendip and, fortunately, this one does seem to handle IPv6, though I'm not sure I can stack the optional headers; for the quick and dirty it seems to work. WIN
scapy - the mother of all packet crafting tools handles IPv6 quite well; perhaps I'll have to give up on my quick and dirty command line stuff and just use scapy for all my packet crafting going forward. WIN



So there you have some of what I was looking at. How about you? In the next installment, I'll look at

Network Management
Logging
Databases
IDS/IPS
Scanning
Pentest Tools
Miscellaneous other tools

My updated tools (and there will be several more beyond the 2 listed above, to be added over the next couple of weeks) will (I believe) eventually be available via our tools page, but for the moment can be found on my handlers page at http://handlers.sans.edu/jclausing/ipv6/
---------------

Jim Clausing, GIAC GSE #26

jclausing --at-- isc [dot] sans (dot) edu



SANS FOR558-Network Forensics coming to central OH in Sep, see http://www.sans.org/mentor/details.php?nid=25749 (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
Now that Java 7 SE (Standard Edition) has officially been released, Oracle and members of the Java Community Process have started mulling over the next version of the programming language, Java SE 8. On the agenda: Java for the cloud.
 
Researcher Dillon Beresford has developed code that can take down Siemens industrial systems. But should he release it?
 
Free online registry will provide documentation of cloud provider security controls.

 
The software giant’s August 2011 Patch Tuesday release will address 22 flaws, including two critical, in Windows, Office, Internet Explorer and Visual Studio.

 
AWS customers can now use their existing identity management systems.

 
I am always quite fond of IDS signatures that look for the results of compromise rather than for attack attempts. This may sound a bit fatalistic, as these signatures only trigger after the attack has succeeded, but on the other hand these alerts are actionable and can be tuned better than some of the attack-attempt signatures (most attempts don't succeed and don't provide a lot of actionable information).
Today, a reader wrote in with a nice detect of NICK traffic on a non-standard port.
Let's explain IRC a bit: IRC is a simple, text-based online chat protocol [1], and it is used frequently to control botnets. To prevent simple port-based detection, many malicious IRC servers run on odd ports. But the IRC traffic payload can be quite characteristic and easy to spot.
As the user connects to an IRC server, the client sets a nickname. This is done via the NICK command. In addition, the USER command is used to set a user name. A USER and a NICK command have to be sent to connect to a server, and they are usually sent one after the other.

NICK something
USER something else


The reader's IDS captured a single packet due to this signature. The content (slightly obfuscated) was:

NICK {USA|XPa}abcdefg
USER abcdefg

These random strings with specific prefixes are typical for bot C&C, and finding a string like this would make me almost certainly look a lot closer at this particular system.
[1] http://www.irchelp.org/irchelp/text/rfc1459.txt
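The detection logic this diary describes, as an added Python example (not the reader's IDS signature and not ISC code): it looks for the NICK/USER registration commands in a TCP segment, raises the port-based concern when the destination port is not one of the usual IRC ports, and separately flags nicks shaped like the captured {USA|XPa}abcdefg (a bracketed tag followed by a run of random characters). The set of "expected" IRC ports and the sample segments are constructed for the example.

```python
"""Flag IRC client registration (NICK/USER) in TCP payloads. Added example code."""
import re

# Ports on which an IRC registration would not be surprising (assumption for this example).
EXPECTED_IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Registration commands per RFC 1459: "NICK <nickname>" and "USER <username> ...".
# Nicks contain no whitespace, so the capture stops at the first space or newline.
NICK_RE = re.compile(rb"^NICK[ \t]+(?P<nick>[^\s]{1,64})", re.MULTILINE)
USER_RE = re.compile(rb"^USER[ \t]+(?P<user>[^\s]{1,64})", re.MULTILINE)

# Bot nicks like "{USA|XPa}abcdefg": a bracketed tag (country, OS, flags) then a
# run of random alphanumerics. The shape is a heuristic, not a fixed indicator.
TAGGED_NICK_RE = re.compile(rb"^[\[{(][A-Za-z0-9|_.-]{1,16}[\]})][A-Za-z0-9_-]{4,}$")


def inspect_payload(dport, payload):
    """Return a verdict dict for one TCP segment, or None if it holds no NICK command."""
    nick_m = NICK_RE.search(payload)
    if nick_m is None:
        return None
    user_m = USER_RE.search(payload)
    nick = nick_m.group("nick")
    reasons = []
    if dport not in EXPECTED_IRC_PORTS:
        reasons.append("irc-registration-on-nonstandard-port")
    if TAGGED_NICK_RE.match(nick):
        reasons.append("tagged-random-nick")
    return {
        "dport": dport,
        "nick": nick.decode("ascii", "replace"),
        "user": user_m.group("user").decode("ascii", "replace") if user_m else None,
        # NICK and USER usually arrive back to back; if a client splits them across
        # segments the caller should reassemble the stream before calling this.
        "registration_complete": user_m is not None,
        "reasons": reasons,
        "alert": bool(reasons),
    }


def scan_segments(segments):
    """Run inspect_payload over (dport, payload) pairs and return only the alerts."""
    alerts = []
    for dport, payload in segments:
        verdict = inspect_payload(dport, payload)
        if verdict and verdict["alert"]:
            alerts.append(verdict)
    return alerts


# Constructed sample traffic (not real captures). The first mirrors the reader's detect.
SAMPLE_SEGMENTS = [
    (1863, b"NICK {USA|XPa}abcdefg\r\nUSER abcdefg\r\n"),
    (6667, b"NICK alice\r\nUSER alice 0 * :Alice Example\r\n"),
    (80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (5190, b"PING :irc.example\r\nNICK bob\r\n"),
]

if __name__ == "__main__":
    for alert in scan_segments(SAMPLE_SEGMENTS):
        print(alert)
```

The two reasons are kept separate on purpose: a registration on an odd port is the port-agnostic signature the diary is about, while the tagged-nick shape is what turns a "look closer" into a "look a lot closer", and each can be tuned (or suppressed for a known internal IRC server) without touching the other.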
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Cybercriminals are looking at mobile devices as a target for personal and corporate information, a group of security experts says.
 
NASA Thursday announced that it has found evidence of flowing water on Mars during the planet's warmest months.
 
After initial success, Intel's netbook strategy is at a crossroads as demand for tablets and low-cost laptops with larger screens rises, a company executive said this week.
 
Oracle Sun GlassFish/Java System Application Server Remote Authentication Bypass Vulnerability
 
Black Hat 2011: A free Microsoft .NET application security tool helps programmers reverse-engineer .NET applications to manipulate and control them.

 
Black Hat hasn't disappointed this year, with research revealing a flaw that undercuts OSPF routing, two separate assertions that security for Apple products in the enterprise isn't that bad and a friendly hand being offered to hackers and crackers to join the U.S. fight against terrorists in cyberspace.
 
Google+ is going great guns right out of the gate, with the site starting out far better than rivals Facebook, Twitter and Myspace did.
 
In an escalation of the patent battles over Android, Microsoft said it urged Google's legal team to join it in buying up hundreds of Novell patents, but Google refused.
 
Microsoft today said it will ship 13 security updates next week to patch 22 vulnerabilities in Internet Explorer, Windows, Visio and Visual Studio.
 
Apple became the top smartphone maker globally for the first time in the second quarter, IDC confirmed Thursday.
 
A potentially damning e-mail from a Google engineer will be permitted at trial in Oracle's lawsuit against the search giant, a judge ordered on Thursday.
 
Members of Jobs4America say they plan to add 100,000 U.S. call-center jobs over the next two years.
 
Apple customers are increasingly dissatisfied with the company's technical support, which could affect the firm's bottom line down the road, a researcher said today.
 
In an escalation of the patent battles over Android, Microsoft said it urged Google's legal team to join it in buying up hundreds of Nortel patents, but Google refused.
 
Useless OpenSSH resource exhaustion bug via GSSAPI
 
Businesses with websites should avoid these problems.
 
A researcher at Black Hat has revealed a vulnerability in the most common corporate router protocol that puts networks using it at risk of attacks that compromise data streams, falsify network topography and create crippling router loops.
 
The White House announced Thursday that President Barack Obama intends to appoint Steven VanRoekel to replace Vivek Kundra as the federal government CIO.
 
Community Server - Stored Cross-Site Scripting in User's Signature
 
Community Server - Reflected Cross-Site Scripting
 
Re: [Full-disclosure] phpMyAdmin 3.x Conditional Session Manipulation
 
APPLE-SA-2011-08-03-1 QuickTime 7.7
 
In IT's never-ending search for efficiency improvements, client virtualization and its subsets -- presentation, application and desktop virtualization -- must be considered.
 
ThreeDify Designer ActiveX control Insecure Method
 
Multiple XSS in HESK
 
XSS in WP e-Commerce
 
Cross Site Scripting Vulnerability in vBulletin 4.1.3, 4.1.4 and 4.1.5
 
Databases have come under increased attacks in recent months from hacktivist groups and cybercriminals. Learn how to apply the appropriate security technologies to defend your database.

 
Neil Daswani and his team demonstrated a drive-by attack on an Android smartphone and discussed behavioral analysis of more than 10,000 Android applications.

 
 
A pair of security researchers Wednesday unveiled a remote controlled, unmanned aerial vehicle capable of cracking Wi-Fi passwords, exploiting weak wireless access points and mimicking a GSM tower to intercept cell phone conversations.
 
Choosing a mobile browser is a lot like choosing a browser for your desktop. Do you want something light and speedy? Or is the ability to customize your online experience with add-ons and themes more important to you? Here's a look at some of the most popular Android browsers, to help you decide which browser is right for you.
 
ABBS Electronic Flash Cards Buffer Overflow Vulnerability
 
WordPress WP e-Commerce Plug-in 'cart_messages[]' Parameter Cross Site Scripting Vulnerability
 
Dell will start selling servers preloaded with the Apache Hadoop open-source data processing platform.
 
McAfee says Operation Shady RAT, a research effort involving 72 compromised organizations, exposes key national cybersecurity lapses.

 

Seven Crucial Infosec Career Steps
Infosecurity Magazine
The (ISC)² US Government Advisory Board Executive Writers Bureau shares its wisdom and experiences from the perspective of career-IT and IT security professionals by focusing on the keys to a successful career. Read on for advice on how younger ...

 
In a bid to maximize the speed advantage of solid-state storage, more vendors are promoting approaches that move it closer to the CPUs that process stored data.
 
Skype has released version 2.1 of its application for Android, which allows more smartphones and tablets based on Google's operating system to use its video calling feature.
 
Amazon Web Services will introduce new capabilities for enterprises on Thursday, including identity federation and support for private network connections to AWS.
 
Web.com said Wednesday that it has signed a definitive agreement to acquire privately-held domain name registrar Network Solutions, to capitalize on a shift by small and medium businesses from traditional marketing channels to online marketing.
 
Facebook is facing fresh concerns from German data protection officials that its automatic facial recognition feature may violate European privacy regulations.
 
Malware used in the attack against RSA Security earlier this year was controlled from China, a well-known botnet researcher said Wednesday.
 
Steven VanRoekel, formerly managing director at the U.S. Federal Communications Commission, will succeed Vivek Kundra as the Chief Information Officer (CIO) of the U.S. federal government, The New York Times said early Thursday.
 
Drupal Mail Logger Module Multiple HTML Injection Vulnerabilities
 
Experts are comparing the demand for workers in healthcare IT to the dot-com era or Y2K, where thousands of positions are in need of urgent filling and where now may be the time for healthcare workers to consider a change of career to IT.
 
Barracuda Networks today announced it has doubled the amount of cloud storage capacity available to customers of its backup service, but it kept the price at $50 per month.
 
After two straight quarters of gains, the wages paid to tech workers at temporary jobs have stalled, according to Yoh Services, a technology staffing firm.
 
GLPI Prior to 0.80.2 Information Disclosure Vulnerability
 