(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
How's this for a challenge? The CEO dies suddenly and you're tabbed to take his place -- on the heels of your network infrastructure company entering into a major new strategic partnership and in the midst of the worst economic downturn since the Great Depression. Oh, did I mention your competition includes some companies named Cisco Systems, Hewlett-Packard and Juniper Networks, among others? That's life for Chris Crowell, CEO of Enterasys Networks, who took over in 2009 shortly after predecessor Mike Fabiaschi's untimely death.
 
Patent licensing company Intellectual Ventures has set its sights on Motorola with a new lawsuit charging the handset maker with infringing six patents.
 
I used my first computer sometime during the late 1970s. It was an Apple II, and it amazed me. I was in elementary school, and it was at a friend's house on a farm in the midwest. I point out the time and the location because in retrospect, I find it fascinating that my first exposure to computers, at the dawn of the PC era, wasn't in a school or a business, and it wasn't in the sort of setting most people would associate with groundbreaking technology. It was in a farmhouse surrounded by corn and bean fields, a few miles from a town of 2000 people, and much farther from anything you'd rightly call a city.
 
Oracle has agreed to pay $199.5 million plus interest for failing to meet its contractual obligations in a 1998 contract with the U.S. General Services Administration, the U.S. Department of Justice announced.
 
Stanford Hospital & Clinics this week blamed a third party billing contractor for a data breach that exposed the personal data of some 20,000 patients.
 
Samsung Electronics and Micron Technology on Thursday announced the creation of a consortium around a new low-power memory called Hybrid Memory Cube, which could challenge DDR3 memory in high-performance computers in a few years.
 
Although somewhat late to the market for cloud computing infrastructure, OpenStack enjoys an advantage over other cloud stacks in that it has a modular architecture, said one of the first developers of the open-source cloud software.
 
Autonomy KeyView Microsoft Office Document Filter Buffer Overflow Vulnerability
 
Autonomy KeyView Filter XLS File Viewer Buffer Overflow Vulnerability
 
Mozilla will start a more aggressive campaign to convince users of the older Firefox 3.6 to upgrade to the newest edition, Firefox 7.
 
Google has created a relational database for its cloud-hosted App Engine application development and hosting platform, a much-requested addition, the company said on Thursday.
 
A rush by President Barack Obama's administration to move U.S. government agencies to cloud computing services may lead to unintended security problems and other headaches, some lawmakers said Thursday.
 
When Steve Jobs' friends, colleagues and even competitors wanted to share their memories and condolences about their loss, they turned to social networking sites.
 
Editors and writers from Computerworld, Network World, CIO.com and ITworld share their thoughts on Steve Jobs, his impact on technology and the legacy he leaves behind.
 
In this interview from the Computerworld Honors Program's Oral History project, Steve Jobs talks about his life and his work during his time in exile from Apple. From his early years -- when he says he's sure that except for a few key adults 'I would absolutely have ended up in jail' -- to how he felt about Apple in the mid-'90s -- 'The Macintosh will die in another few years [under John Sculley]' -- to his predictions about the Internet, this is a rare look at Jobs after his first string of innovations but before he returned to Apple.
 
HTC said on Thursday that its latest smartphone in its Sensation series, the XL, with the Beats audio technology, will go on sale at the beginning of November across Europe and Asia.
 
A survey of 5,300 IT and security managers in 38 countries about cloud computing offers a vivid snapshot of expectations, anxieties and sometimes shattered hopes.
 
Microsoft today said it will ship eight security updates next week to patch 23 vulnerabilities in Windows, Internet Explorer (IE) and several other products in its portfolio.
 
Steve Jobs, co-founder and former CEO of Apple Inc., has passed away. Which of his accomplishments will be his legacy?
 
The overhaul of an "outdated" U.S. Federal Communications Commission program that subsidizes telephone service in rural areas will lead to universally available broadband service in the U.S. by the end of the decade, FCC Chairman Julius Genachowski said.
 
Real Networks RealPlayer (CVE-2011-2947) Cross-Zone Scripting Vulnerability
 
Researchers from Trend Micro have spotted a piece of malicious software for Android that receives instructions from an encrypted blog, a new method of communication for mobile malware, according to the company.
 
Simon & Schuster has moved up the publication of the first authorized biography of Steve Jobs, the publisher confirmed today.
 
Clarence Labor Jr. pays tribute to Steve Jobs and Apple by placing his vintage Macintosh Plus computer in front of an Apple Store in Washington D.C.
 
Computerworld coverage of Apple's iconic leader
 
Active CMS 1.2.0 'mod' Cross-site Scripting Vulnerability
 
[SECURITY] [DSA 2317-1] icedove security update
 
[ MDVSA-2011:143 ] rpm
 

'Occupy' Movement Threat Extends Beyond Wall St. to Target Big Business ...
Sacramento Bee
Prior to ListenLogic, Vince was the Co-founder and Chairman of Turntide Inc., an anti-spam technology company, which was acquired by Symantec Corp., co-founder and Principal of InfoSec Labs, an information security company, which was acquired by ...

 
When the Apple iPhone 4S was unveiled this week, mobile payment technology was missing from the device.
 
Sprint confirmed that it will offer unlimited data plans for the iPhone 4S starting Oct. 14, but it will also sell the iPhone 4 for $99.99 with the iOS 5 upgrade starting today.
 
[SECURITY] [DSA 2316-1] quagga security update
 
Re: vTiger CRM 5.2.x <= Remote Code Execution Vulnerability
 
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall Services Module
 
Cisco Security Advisory: Directory Traversal Vulnerability in Cisco Network Admission Control Manager
 
http://www.sans.org/critical-security-controls/control.php?id=4
Hardening network infrastructure is an often overlooked step. For some reason, switches and routers often fall into the category of "it works, we must be done". Or, if a device was hardened when it was installed, it gets checked off as done (as in done forever).
If you think about it, your routers, switches and firewalls touch *everything*. We really should put a sustained effort into securing these devices as vital parts of the infrastructure. Don't limit yourself to routers, switches and firewalls here - be sure to include Fibre Channel switches, load balancers, IPS servers and appliances (yes, I see these get missed all the time!) in this category as well.
This sustained effort should have all the usual suspects:

Backups

Change control

Logging and time synchronization

Named user accounts (often authenticated against a back-end directory)

Encrypted administration protocols (no more telnet!)

Verify boot images before installing, and periodically afterwards

Periodically update to remediate security exposures

Harden the device using a public or custom benchmark (yes, even firewalls are not hardened out of the box)

Audit the final configs against the benchmark


Hardening Steps

We've had numerous diaries on this, including (please let me know if I've missed any, I've only included the ones I could remember):

Logging (https://isc.sans.edu/diary.html?storyid=6100)
Implementing ARP inspection to prevent Man in the Middle attacks (use with caution) (http://isc.sans.edu/diary.html?storyid=11650 , http://isc.sans.edu/diary.html?storyid=7567)
Implementing DHCP snooping to prevent rogue DHCP servers (usually these are home routers gone bad, but they can be real attackers too) (http://isc.sans.edu/diary.html?storyid=7567 , http://isc.sans.edu/diary.html?storyid=8233)
Implementing encrypted management protocols, i.e. stamping out telnet and HTTP and migrating to SSHv2 and HTTPS (http://isc.sans.edu/diary.html?storyid=11434)

There have also been some recent papers in the Reading Room on scripting capabilities on routers, which can also be abused:

Using routers for port scanning and reconnaissance (IOSMAP) (http://www.sans.org/reading_room/whitepapers/tools/iosmap-tcp-udp-port-scanning-cisco-ios-platforms_32964)
Bypassing or hijacking firewall functions on routers (IOSCAT) (http://www.sans.org/reading_room/whitepapers/tools/iosmap-tcp-udp-port-scanning-cisco-ios-platforms_32964)
Using routers to host malware (yes, really!) (http://www.sans.org/reading_room/whitepapers/malicious/iostrojan-owns-router_33324)

(note that requiring scripts to be signed before the router will run them is the remediation for all of these)


Looking for specific documents that you can use as benchmarks to audit against, or as guides in hardening your infrastructure? The most commonly referenced ones are:

CIS Router Benchmark (http://benchmarks.cisecurity.org/en-us/?route=default)
CIS Switch Benchmark (http://benchmarks.cisecurity.org/en-us/?route=default)
CIS Firewall Benchmarks (http://benchmarks.cisecurity.org/en-us/?route=default)
RFC 3871 - Operational Security Requirements for Large Internet Service Provider (ISP) IP Network Infrastructure (http://www.faqs.org/rfcs/rfc3871.html)

The CIS Benchmarks have an advantage here, in that they also have an assessment tool to compare, audit and score a captured configuration against a benchmark.



Don't neglect vendor documentation in your efforts (Cisco, Brocade, Extreme, Juniper and all the rest). Vendor docs will include their own security and hardening guides - in many cases the same recommendations are covered, but the specific commands will of course vary from vendor to vendor. In other cases, they'll have security guidance that is specific to that vendor's features, platform or technology (Fibre Channel, for instance, will have quite different security guidance compared to Ethernet).



Examples

Some example config lines for common recommendations (Cisco syntax is shown; most other vendors' syntax is pretty similar, but check your documentation and assess the impact in your environment before implementing any of these blindly). Note that these examples do not constitute a complete hardening guide (use the links above for that); they fall into the low-hanging-fruit category: things that are easy to change that will make a significant difference. The text after "!" on a config line below is a comment for the reader; IOS only treats a leading "!" as a comment, so strip these before pasting.



NTP (Network Time Protocol)

On most gear, setting up NTP for time sync is dead easy. In most environments, you'll have a redundant pair of routers or switches that you can set up as the main NTP servers for the infrastructure (other sites might use Linux or Unix hosts, or dedicated time server appliances). Normally these get two reliable NTP time sources (often we'll pick two unrelated, reliable NTP servers on the 'net; dedicated NTP servers will often have an atomic clock on board). Everything else in the environment will point back to these hosts for their time.
ntp source GigabitEthernet0/0.1 !setting the source is optional but recommended

ntp server 203.0.113.1

clock timezone EST -5

clock summer-time EDT recurring



Similarly, logging everything back to a common syslog host is usually a one-liner (or close to it)
service timestamps log datetime localtime show-timezone

logging buffered 8192 debugging

logging 203.0.113.10

logging source-interface GigabitEthernet0/0.1 ! also optional but recommended
Setting the source interface for NTP, syslog and the rest is important: if you don't, and a backup link is activated, the source IP address for these will change and potentially mess up any log management you may have in place. Note that the source interface should be either a loopback, or some interface that will always be live (in this case it's a WAN router, so I used the inside interface).
Also, the decision about what timezone to use in logging can differ from company to company. If the entire network resides in a single timezone, normally local time is used (as is seen above). However, in larger organizations that span multiple timezones, a single timezone for all equipment can make troubleshooting a lot simpler. In cases like this, it is common to see all the network gear log in GMT (Greenwich Mean Time), with the syslog server perhaps adding a local timestamp to make it easier for the admins to find things in the gigs of logs. Using GMT is the recommendation in most hardening guides. In other organizations, all gear will be synced to the timezone that head office is in. This accomplishes the same thing, but troubleshooting individual gear can get complex, especially if you are also factoring in information from end users who are in that timezone. Because of these varying perceptions of "what time is it?", it's generally best to operate in GMT, and have the gear report its timezone in the log entry (thanks Don for highlighting this omission in the original story).
Tying back to an external authentication source is a bit more complex, but it's usually only a few lines on the infrastructure gear. If your back-end is AD, your authentication server is probably Microsoft IAS or NPS, and your config lines will look like this:


First, set up a RADIUS host that you have already configured for this:



radius-server host 203.0.113.209 auth-port 1645 acct-port 1646 key <shared-secret>

radius-server key <shared-secret>

ip radius source-interface GigabitEthernet0/0.1 !optional


Note again the source-interface thing. If you miss this in RADIUS and another interface gets used (backup route activated or whatever), RADIUS will break unless you have all possible IPs defined on the RADIUS host - it's just way easier to use the source-interface commands. The shared secret above is a placeholder; use a long random string. Also, IAS/NPS listens on the legacy 1645/1646 ports as well as the standard 1812/1813, so match whichever pair you configured on the server.
Next, set up AAA (Authentication, Authorization, Accounting). The trailing "local" keyword means the device falls back to locally defined usernames if no RADIUS server answers, so make sure a local admin account exists before you rely on it:
aaa new-model

aaa authentication login default group radius local
Once the login part is done, let's secure the remote admin access:
ip access-list standard ACL-VTY-IN !define authorized mgt stations and subnets

 permit 203.0.113.0 0.0.0.255

 permit 198.51.100.7
hostname routername

ip domain-name domainname.com !need an FQDN to define RSA keys

crypto key generate rsa general-keys modulus 2048 ! be sure to set a decent length

ip ssh version 2 !be sure to force SSHv2



line vty 0 15

 transport input ssh !force SSH only

 access-class ACL-VTY-IN in ! enforce the mgt station ACL



Backups:

Let's say you want to back up your routers or switches daily (or Fibre Channel switches, or firewalls, really anything that has a decent CLI). While we're at it, let's back up the version info, and also the MD5 hash of the OS image to verify its integrity (yes, I know all about MD5 collisions, but MD5 hashes are what we have to work with on this platform). We'll use plink (the command-line PuTTY client) to collect the data via SSH:



plink -l %1 -pw %2 %3 "sho ver" > inventory\%3_inventory.txt

plink -l %1 -pw %2 %3 "sho config" >> inventory\%3_inventory.txt

plink -l %1 -pw %2 %3 "verify /md5 flash:/c2800nm-advipservicesk9-mz.124-8.bin" >> inventory\%3_inventory.txt
where:

%1 is the userid

%2 is the password

%3 is the IP address or resolvable name of the device

%3 is also used for the filename. You could get fancy and include a date / time stamp in the filename as well. One caveat: a password passed with -pw is visible to anyone who can list processes on the collection host, so a key pair (plink -i) for a dedicated collection account is preferable.
I tend to use plink to collect input for RAT, as opposed to the SNARF method in RAT (which uses telnet). This example is on Windows (PuTTY / plink), but you can certainly write a similar script on Linux or OS X. Note also that there are tools out there that do exactly this (CatTools, RANCID).
Let's combine all of this (NTP, SYSLOG, AAA Back-end Authentication, config backups) to illustrate why this is all important, and how it all inter-relates:



Now that you have your configurations backed up, you can run DIFF reports to see any changes from yesterday.

Were the changes approved in your change management procedure? (Oops, that's a good thing to have too!)
Did the changes happen in the approved window? Did the change run long, or was it just plain applied outside the change window?
Did the approved person make the change? (The person who made the change should show up as a named user in the log, both when they logged in and when they made the changes.)
If it's NOT an approved change, who made it? (Ditto, you'll see their name in the log.)
And finally, now that the change is complete, does RAT indicate that you may have weakened your overall security posture? Note that RAT audits you against the CIS Benchmark(s) - if you use a different hardening standard, you'll need either a different tool or script, or some manual translation to make the final call on this. Note also that RAT is for audit; it's not a full security assessment tool - you'll need different tools for a full security assessment.
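The questions above are easy to script once the daily backups and the syslog feed exist. The following is an added example for this diary, not the diary's own script and not RAT, CatTools or RANCID: it diffs two saved IOS-style configs, pulls who changed the device and when from the %SYS-5-CONFIG_I syslog records, checks those timestamps against an approved change window, and runs a handful of benchmark-style checks on the new config (SSHv2 forced, syslog host present, no well-known SNMP community, no telnet on the vty lines, access-class applied). Everything it consumes is constructed sample data; the syslog line prefix ("Mon DD YYYY HH:MM:SS GMT:"), the change-record format and the device name edge-rtr1 are assumptions.

```python
"""Daily config-backup review: diff the configs, pull who/when from syslog,
check the change window, and run a few benchmark-style checks.
Added example (not the diary's code, not RAT/CatTools/RANCID). All data
below is constructed; the syslog prefix "Mon DD YYYY HH:MM:SS GMT:" and
the change-record format are assumptions."""
import difflib
import re
from datetime import datetime

YESTERDAY = """\
hostname edge-rtr1
ip ssh version 2
logging 203.0.113.10
line vty 0 15
 transport input ssh
 access-class ACL-VTY-IN in
"""
TODAY = """\
hostname edge-rtr1
ip ssh version 2
logging 203.0.113.10
snmp-server community public RO
line vty 0 15
 transport input telnet ssh
 access-class ACL-VTY-IN in
"""
SYSLOG = """\
Oct 07 2011 02:14:03 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jsmith] [Source: 198.51.100.7] [localport: 22]
Oct 07 2011 02:15:40 GMT: %SYS-5-CONFIG_I: Configured from console by jsmith on vty0 (198.51.100.7)
Oct 07 2011 02:16:02 GMT: %SYS-5-CONFIG_I: Configured from console by jsmith on vty0 (198.51.100.7)
"""
# Assumed change-control record: approved person and window (GMT).
APPROVED = {"edge-rtr1": {"who": "jsmith",
                          "start": datetime(2011, 10, 6, 22, 0),
                          "end": datetime(2011, 10, 7, 0, 0)}}
CONFIG_I = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) GMT: %SYS-5-CONFIG_I: "
    r"Configured from \S+ by (?P<user>\S+) on \S+ \((?P<src>[^)]+)\)")

def config_diff(old, new):
    """Added/removed lines between two backups (unified diff, headers stripped)."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    return [l for l in diff if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]

def config_events(syslog):
    """(timestamp, user, source-ip) for every %SYS-5-CONFIG_I record."""
    events = []
    for line in syslog.splitlines():
        m = CONFIG_I.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["user"], m["src"]))
    return events

def benchmark_findings(config):
    """A few low-hanging-fruit checks in the spirit of the CIS benchmarks; not a full audit."""
    lines = config.splitlines()
    findings = []
    if "ip ssh version 2" not in lines:
        findings.append("SSH not forced to version 2")
    if not any(re.match(r"logging \d+\.\d+\.\d+\.\d+", l) for l in lines):
        findings.append("no syslog host configured")
    for l in lines:
        m = re.match(r"snmp-server community (\S+)", l)
        if m and m[1].lower() in ("public", "private"):
            findings.append(f"well-known SNMP community '{m[1]}'")
    in_vty, saw_class = False, False
    for l in lines:                      # walk the 'line vty' sub-mode(s)
        if l.startswith("line vty"):
            in_vty = True
            continue
        if not l.startswith(" "):        # unindented line: left the sub-mode
            in_vty = False
        if in_vty and l.strip().startswith("transport input") and "telnet" in l:
            findings.append("telnet allowed on vty lines")
        if in_vty and l.strip().startswith("access-class"):
            saw_class = True
    if not saw_class:
        findings.append("no access-class on vty lines")
    return findings

def review_change(device, old, new, syslog, approved):
    """Answer the change-control questions for one device's daily backup."""
    diff, events = config_diff(old, new), config_events(syslog)
    actors = {user for _, user, _ in events}
    window = approved.get(device)
    old_findings = benchmark_findings(old)
    return {
        "changed": bool(diff),
        "diff": diff,
        "actors": actors,
        "approved_actor": bool(window) and actors == {window["who"]},
        # no config events at all counts as "not in window"
        "in_window": bool(window and events)
                     and all(window["start"] <= ts <= window["end"] for ts, _, _ in events),
        "findings": benchmark_findings(new),
        "new_findings": [f for f in benchmark_findings(new) if f not in old_findings],
    }

if __name__ == "__main__":
    for key, value in review_change("edge-rtr1", YESTERDAY, TODAY, SYSLOG, APPROVED).items():
        print(f"{key}: {value}")
```

On the sample data the change was made by the approved person but two hours after the window closed, and it introduced two findings (a "public" SNMP community and telnet re-enabled on the vty lines) that the previous day's config did not have; that combination is exactly the case a daily diff-plus-audit pass is there to catch.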

Again, this diary is all about catching the easy stuff that we see gets missed all the time - for a complete set of things to consider, including procedures, use the hardening benchmarks, or define your own benchmark for a more complete picture that encompasses your organization's business requirements, policies and procedures.
If I've made any errors or especially typos, please use our comment form to set me straight! More importantly, please use our comment form to let us know what you do in your environment - any tips or war stories are very welcome! As always, our comment form is open 24x7.

PS - As an FYI, all IP addresses in this story are formatted as per RFC 5737 (http://tools.ietf.org/rfc/rfc5737.txt), which reserves specific IPv4 address ranges for documentation.
===============

Rob VandenBrink

Metafore (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Steve Jobs lived his life at the intersection of technology and art, but where will that vision come from now?
 
Hewlett-Packard has launched the t200 Zero Client, a US$99 device meant to be attached to a monitor, that when used with a host allows up to 15 users to share a PC, the company said on Wednesday.
 
The Apache reverse proxy feature (mod_proxy) has a new vulnerability, CVE-2011-3368. If pattern matching (RewriteRule or ProxyPassMatch) is used to build the proxied URL, a crafted request with invalid input (no SQL involved, but the Little Bobby Tables XKCD comes to mind again, for about the third time this week!) can make the proxy forward the request to internal hosts and expose information about them.
Full details (and remediation) are here: http://seclists.org/fulldisclosure/2011/Oct/232
A patch for 2.2.21 is available here: http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/
The CVE entry is pretty sparse, but look for more content soon: CVE-2011-3368
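As an added example (not part of this diary), here is the vulnerable rule shape the full-disclosure post describes, beside the corrected form. The host name backend.internal is an assumption; the point is the anchoring of the pattern on a leading slash.

```apache
# Added example, not from the diary. "backend.internal" is an assumed host name.

# Vulnerable: the pattern is not anchored on a leading slash, so whatever the
# client sends as the request-URI is glued straight onto the host name. A
# request-URI that does not start with "/" can therefore alter the host part
# of the target URL, and mod_proxy connects to a host the client chose.
RewriteRule ^(.*) http://backend.internal$1 [P]

# Corrected: refuse empty request-URIs and anything not beginning with "/",
# and keep a literal "/" between host and path so the client-supplied text
# can only ever be a path on backend.internal.
RewriteCond %{REQUEST_URI} !^$
RewriteCond %{REQUEST_URI} ^/
RewriteRule ^/(.*) http://backend.internal/$1 [P]

# The same anchoring applies to ProxyPassMatch.
ProxyPassMatch ^/(.*) http://backend.internal/$1
```

Audit your own configs for RewriteRule ... [P] and ProxyPassMatch lines whose pattern starts with ^(.*) rather than ^/(.*); those are the ones to fix even after the patch is applied, since the patch only tightens the default handling and the rules remain your responsibility.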
===============

Rob VandenBrink

Metafore
 

 

 
The path to better projects may be for software developers to become better people. The source of all project dysfunction is usually the project manager, an organizational psychologist said at a recent conference on agile development.
 
News of the death of Apple co-founder Steve Jobs reached Japan on Thursday, as manufacturers hawked their latest iPad and MacBook clones at a giant trade show outside of Tokyo.
 
Steve Jobs left behind some prescient lessons that CEOs and managers in all sectors and in companies of all shapes and sizes can learn from. Columnist Ryan Faas explains.
 
Device makers and carriers let patches languish, so users may not ever get them -- a new approach is sorely needed
 
Samsung countered this week's iPhone 4S unveiling by proclaiming that its Android-based Galaxy S II is superior to the Apple device in many ways.
 