Hackin9

InfoSec News

An information breach at a Florida college has compromised information of about 279,000 students and employees, the Florida Department of Education said on Wednesday.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Emerging chip technologies that Arm Holdings announced on Wednesday could help to power mobile networks that are being asked to handle more traffic with more fine-tuned controls.
 
Illness and legal advice stopped two founders of The Pirate Bay from speaking at the Hack in the Box security conference on Wednesday.
 
After years as the top PC maker in the world, Hewlett-Packard may be pushed aside by a quick-moving Lenovo.
 


It is Day 10 of Cyber Security Awareness Month. I am continuing with Part Two of my entry from Day 3 on Standard Sudo - Part One. We will cover some technical implementation options of sudo with pros and cons of the given examples.
Some Sudo Good Ideas
A. Central Distribution
The distribution control of your sudoers file is key to controlling the risk of your UNIX servers.
1. LDAP [1]
Cons
Pros
2. Central Server
B. Single File / 1:Many
Use of ONE standardized sudo command file on every server lightens the distribution burden (sync scripts are an easy fix...). This does come with risks, and each environment needs to measure its tolerance for this idea. The biggest gap to consider is that unused sudo commands will likely exist on a server. For instance, if a rule to restart the Apache web server was maintained by the UNIX group webteam and it existed on every server, then the servers without Apache may still end up carrying the webteam rule even though the group is not needed there. In many cases the process and procedure that already exist will easily dictate whether this condition is acceptable.
Cons
- An undetected critical mistake gets distributed everywhere.
Pros
- (if command sets are kept basic)
- (a potentially large file, but a BIG pro..)
- (sync scripts easy to develop)
C. File Based Command Sets / Few:Many
The #includedir directive was released between Sudo v1.7.1 and v1.7.2 in early 2009.[2] This feature allows the configuration to be managed with multiple files. For instance, all web/app admin command sets can be placed into one file and distributed separately. An update to one command set does not necessarily jeopardize the remainder of the command sets. This method can easily be 'profiled': the sync scripts can keep track of which file is pushed to which server with configuration/list files, so that only web servers get the 'web admin' command sets.
Cons
- Potential for unused sudo command sets to be present on any given server (not much mind you...)
Pros
- (how can that be?!)
- (sync scripts easy to develop)
D. Structured Formatting
The idea is to create an XML-ish format for the file using comment hashes (#). A copy of each sudoers file is stored centrally, each section is managed locally at the central point, and the file is distributed to the remote server as needed. The purpose of the standard format (illustrated below) is to provide many opportunities to control, audit, and report on the sudoers environment.

The proposed file can be broken into two or more formatted sections and managed accordingly. In my experience three sections works best: it provides flexibility and room for growth. These sections can be carved out and updated with scripting once they are rolled out. The layout of a standard file can be as follows, with explanation below:


<standard_OS>
  <tier1_support>
    password resets
    account aging
  </tier1_support>
  <tier2_support>
    account creations
    account mods
    account deletes
  </tier2_support>
</standard_OS>
<profiles>
  <profile_support_group_one>
    DBA support commands
  </profile_support_group_one>
  <profile_support_group_two>
    Web Admin support commands
  </profile_support_group_two>
</profiles>
<native>
  localized rules
</native>

Cons
Pros
- (if command sets are kept basic)
STANDARD SECTION
A master command set is created that will be needed on EVERY server in your estate. This command set is stored in the standard section of every sudoers file. In some environments the risks must be weighed, and separate standard sections will need to be created for each Operating System in your environment. The contents of this section will be a technical work of art; its value is created solely by the needs of each environment.


Example:
#### STANDARD_SOLARIS #### START ####
# Standard rules for Tier 1 Support
# Users need only be added to the tier1 unix group to access
#
User_Alias STD_SOL_TIER1_USERS = %tier1
Cmnd_Alias STD_SOL_TIER1_COMMANDS = \
    /bin/passwd, !/bin/passwd *root*, \
    /bin/usermod, !/bin/usermod *root*, \
    /bin/groupmod
# The '!' entries only deny matching argument patterns; the sudoers manual
# documents that '!' cannot reliably prevent a user from running a command,
# so the allowed command list itself must be kept tight.

STD_SOL_TIER1_USERS ALL=NOPASSWD: STD_SOL_TIER1_COMMANDS
#### STANDARD_SOLARIS #### END ####





PROFILES SECTION

A standard command set is created for each production support team, such as the Database Administrators, Web Admins, or even the System Admins. The idea, however, is NOT to allow these command sets on EVERY server. They are only needed on a group of servers, as not every server has a database or a web server.

Example:
#### PROFILES #### START ####
##### DBA_PROFILE ##### START #####
# Standard rules for the DBAs
# Users need only be added to the dba unix group to access
#

User_Alias DBA_PROFILE_USER = %dba
Runas_Alias DBA_IDS = oracle

# Denies any cat argument containing "../". In sudoers, wildcards used in
# command arguments also match '/', so a pattern rooted under tracefiles is
# only a weak boundary on its own. An alias only takes effect once it is
# referenced in a rule (see the user specification below).
Cmnd_Alias DBA_CAT_PARENT = /bin/cat *../*
# Entries of a Cmnd_Alias list are comma-separated, also across '\' continuations.
Cmnd_Alias DBA_PROFILE_COMMANDS = \
    /bin/cat /u01/path/to/tracefiles/[a-zA-Z0-9]*/tracefiles/*trc, \
    /bin/cat /u01/path/to/tracefiles/[a-zA-Z0-9]*/tracefiles/*log, \
    /bin/cat /path/to/whatever/file/you/want

DBA_PROFILE_USER ALL=(DBA_IDS) NOPASSWD: DBA_PROFILE_COMMANDS, !DBA_CAT_PARENT

##### DBA_PROFILE ##### END #####
##### WEBADMIN_PROFILE ##### START #####
# Standard rules for the Web Guys
# Users need only be added to the webadmin unix group to access
#

User_Alias WEB_PROFILE_USER = %webadmin
Runas_Alias WEB_IDS = nobody

Cmnd_Alias WEB_PROFILE_COMMANDS_AS_ROOT = \
    /usr/bin/apachectl

Cmnd_Alias WEB_PROFILE_COMMANDS = \
    /opt/WebSphere/bin/startServer.sh

WEB_PROFILE_USER ALL=(WEB_IDS) NOPASSWD: WEB_PROFILE_COMMANDS
WEB_PROFILE_USER ALL=(root) NOPASSWD: WEB_PROFILE_COMMANDS_AS_ROOT

##### WEBADMIN_PROFILE ##### END #####
#### PROFILES #### END ####


NATIVE SECTION

The Native section is a bit of flexibility worked in to ensure you have the ability to support the business. This section is used exclusively for sudo commands needed only on that particular server. The standard formatting makes it possible for any scripting to leave this section alone.

Example:
##### NATIVE ##### START #####
# Section reserved for any commands only needed on this server.
#
##### NATIVE ##### END #####
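As an added example (not code from the diary or from the sudo project), the following Python script applies the marker convention described in this section: it splits a sudoers file into its top-level START/END sections, keeps nested profile markers inside their parent, swaps in a centrally managed body for one section, and confirms the NATIVE section survived the sync. The sample file, the function names and the `visudo -c -f` check mentioned in the comments are assumptions made for this illustration.

```python
import re

# Marker lines in the diary's layout ("#### PROFILES #### START ####"); four or
# more hashes are accepted so the five-hash profile and NATIVE markers match too.
MARKER = re.compile(r"^#{4,}\s+(\S+)\s+#{4,}\s+(START|END)\s+#{4,}\s*$")

def split_sections(text):
    """Map each top-level section name to its full text (markers included) and
    return it with the text found outside any marker pair. Nested markers
    (DBA_PROFILE inside PROFILES) stay in their parent's body; unbalanced
    markers raise so a damaged file is never silently rewritten."""
    sections, unmanaged, stack, buf = {}, [], [], []
    for line in text.splitlines(keepends=True):
        m = MARKER.match(line)
        if m and m.group(2) == "END" and (not stack or stack[-1] != m.group(1)):
            raise ValueError("END marker without matching START: " + m.group(1))
        if m and m.group(2) == "START":
            stack.append(m.group(1))
            if len(stack) == 1:
                buf = []
        if not stack:
            unmanaged.append(line)
            continue
        buf.append(line)
        if m and m.group(2) == "END":
            name = stack.pop()
            if not stack:
                sections[name] = "".join(buf)
    if stack:
        raise ValueError("unterminated section: " + stack[-1])
    return sections, "".join(unmanaged)

def update_section(text, name, body):
    """Swap in a new body for top-level section `name`, reusing the host file's
    own marker lines; every other byte (notably NATIVE) is left untouched.
    Run `visudo -c -f <file>` on the result before installing it."""
    lines = split_sections(text)[0][name].splitlines(keepends=True)
    return text.replace("".join(lines), lines[0] + body + lines[-1], 1)

def native_preserved(before, after):
    """Audit check: the locally managed NATIVE section must survive a sync."""
    return split_sections(before)[0]["NATIVE"] == split_sections(after)[0]["NATIVE"]

# Constructed sample in the diary's layout (not a real host's sudoers file).
SAMPLE = """\
#### STANDARD_SOLARIS #### START ####
STD_SOL_TIER1_USERS ALL=NOPASSWD: /bin/passwd
#### STANDARD_SOLARIS #### END ####
#### PROFILES #### START ####
##### DBA_PROFILE ##### START #####
##### DBA_PROFILE ##### END #####
#### PROFILES #### END ####
##### NATIVE ##### START #####
# local-only rules; sync scripts never touch this section
##### NATIVE ##### END #####
"""
```

Calling `update_section(SAMPLE, "STANDARD_SOLARIS", "Defaults requiretty\n")` returns the file with only the standard section replaced, and `native_preserved` over the before/after pair returns True.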


Summary
In summary, (if you're still with me) the sudo environment in your organization may not be very complicated, thus much of this may seem overkill. However, there is much listed above to take away to any sized organization. Sudo solves MANY problems, while creating some high risk ones. How it is configured, much like everything on your UNIX servers, really matters to the security of your environment. When sudo is setup and managed in a standard framework, it keeps the risks under control, the efficiencies high, and the auditors happier. The underlying main message is that no one solution fits all, yet Standard Methods of implementation lower your risks.
Please keep in mind, I only know what I know. There is always much to learn. Please share any ideas, gaps, or even questions you have about the diary above. We all benefit from the sharing.
[1] http://www.sudo.ws/sudo/sudoers.ldap.man.html
[2] http://www.gratisoft.us/sudo/maintenance.html#1.7.2

-Kevin
--
ISC Handler on Duty




 
BlackBerry 10 will offer smartphone users some novel features when it finally ships next year, including text prediction software and BlackBerry Balance, an approach that separates work from personal data.
 
Lenovo has taken the crown from Hewlett-Packard to become the world's top seller of PCs, research firm Gartner said in a study released Wednesday.
 
Enterprises will either embrace a mobile device strategy that allows workers to do their job securely, or those workers will do an end-run around IT staffers, according to experts at a consumerization-of-IT conference.
 
Facebook has restricted the rate at which users can perform phone number searches on its mobile website in order to block a recently disclosed method of harvesting phone numbers.
 
Is Sprint preparing a bid for prepaid wireless carrier MetroPCS? Whatever the company's plans, its chief financial officer didn't offer any clues when speaking at a conference in Arizona.
 
Lenovo hopes that computers made in its first U.S. manufacturing facility will attract more buyers, while also making the delivery of ThinkPad laptops and tablets faster to U.S. customers.
 
vOlk Botnet Framework v4.0 - Multiple Web Vulnerabilities
 
Omnistar Document Manager v8.0 - Multiple Vulnerabilities
 
Enterprise software maker SAP plans to ship software that separates business data from personal information on smartphones and tablets.
 
Microsoft today disavowed comments made by its Czech subsidiary that the company will roll out iOS and Android apps of its Office suite early next year.
 
ISC BIND 9 DNS RDATA Handling CVE-2012-5166 Remote Denial of Service Vulnerability
 
Cisco Security Advisory: Multiple Vulnerabilities in the Cisco WebEx Recording Format Player
 
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall Services Module
 
Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module
 
The National Institute of Standards and Technology (NIST) today announced the winner of its five-year competition to select a new cryptographic hash algorithm, one of the fundamental tools of modern information security.Credit: K. ...
 
Brian Hamilton, a reader who reads, is frustrated by what he perceives to be a Kindle limitation. He writes:
 
A robotic arm onboard the International Space Station reached out and grabbed hold of the SpaceX Dragon cargo ship, attaching the commercial craft to the station.
 
Stop thinking of Microsoft as just a software company; it's not anymore, according to CEO Steve Ballmer.
 
Google today awarded $60,000 to a security researcher who cracked Chrome at the search firm's second "Pwnium" hacking contest.
 
Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2012-74 through -87 Multiple Vulnerabilities
 
[ MDVSA-2012:162 ] bind
 
Multiple vulnerabilities in OpenX
 
[slackware-security] mozilla-firefox (SSA:2012-283-01)
 
Re: FastStone Image Viewer 4.6 <= ReadAVonIP Arbitrary Code Execution
 

General Dynamics Introduces NSA-Certified COTS Computer
Dark Reading
For a complete list of features, benefits and specifications visit, www.gdc4s.com/MultiBook. For additional information or to order the MultiBook call INFOSEC sales & support at 1-888-897-3148 or email Infosec@gdc4s.com. General Dynamics C4 Systems is ...

 
What do healthcare providers need to think about as they formulate social networking policies? (Insider; registration required)
 
At the company's Pwnium 2 security competition, Google's Chrome web browser has fallen to a "full exploit" by the hacker known as "Pinkie Pie", who also exploited the browser earlier this year at the first Pwnium


 
The international affairs chief at the United States Department of Justice on Wednesday expressed concern with the European Union's revision of the Data Protection Directive.
 
Four purported Microsoft TV advertisements for Windows 8 have leaked to the Web, and strut the operating system's new "Modern" user interface.
 
The U.S. Supreme Court has refused to overturn legal immunity for telecom carriers that allegedly participated with a U.S. National Security Agency surveillance program during the last decade.
 
Mozilla Firefox 16 was released on Tuesday and addresses numerous security vulnerabilities, many of which are rated as critical.
 
The Internet Systems Consortium (ISC) is warning users of a critical security vulnerability in the BIND DNS server which can be exploited for denial-of-service attacks


 
 


We are seeing reports of Facebook Scam Spam trickle in. Rene provided us with a detailed anecdote that includes the following image. The URL provided in the image was investigated a bit. TinyURL has since taken down the redirect and classified it as Spam. However, the image (and others like it) still propagate by FB users clicking on the link.

This type of scam is used mostly without the permission of the vendor noted, in this case Costco. The idea is to entice the user to click so they get redirected to a site where the business model depends on traffic volume. If the Facebook user count has hit 1 billion yet (not something I'm keeping track of.. :) ), then even a small percentage of that makes the Facebook population an easy target, with an easy payout.

If you are a Facebook user, then please be wary of any offers that entice you to click to receive. It's a really bad practice. The holiday shopping season is beginning and these vectors are going to be heavily used by the scammers in the coming months.


-Kevin

--

ISC Handler on Duty
 
A survey of small business IT managers and mobile device end users revealed most are not familiar with mobile device management tools, even though they said smart phones and tablets are critical to performing their jobs.
 
The U.S. Supreme Court has refused to overturn legal immunity for telecom carriers that allegedly participated with a U.S. National Security Agency surveillance program during the last decade.
 
Mobile risk management vendor Mobilisafe assesses employee smartphones and tablets for platform vulnerabilities.

 
Security researcher Felix Lindner has a more compelling reason to steer clear of routers from Huawei Technologies than fears about its ownership.
 
For its monthly Patch Tuesday, Microsoft has released fixes for its Windows, Office, SQL Server and Lync products. Seven bulletins, one of which is rated "Critical", address a total of 20 security vulnerabilities


 
The family of a worker who committed suicide at an alleged Apple supplier in China is blaming his death on the harsh management at the factory and has tried demonstrating against the company, only to be detained by local police.
 
Research in Motion CIO Robin Bienfait's last name means "well done" in French. She's hoping those two words apply to BlackBerry 10 smartphones once they ship in the first quarter of 2013.
 
PHP 'com_event_sink()' Function Arbitrary Code Execution Vulnerability
 
CIOs are being predictably cautious with IT budgets for next year, and are focusing on increasing use of cloud technologies and offshore outsourcing, according to IR execs surveyed by the Society for Information Management.
 
But the monthly Tiobe index still has Dart garnering only a tiny popularity rating
 
HP's OpenStack-based IaaS cloud blends openness and portability with nice proprietary extras and welcome hand-holding
 
Get your conspiracy theories ready: Two founders of The Pirate Bay were due to speak at the Hack in the Box security conference in Kuala Lumpur on Wednesday, but didn't show up.
 
Softbank Mobile said Wednesday it will launch a new mobile router next week providing download speeds of up to 110Mbps on its LTE network.
 
After releasing Firefox 16, Mozilla has now detailed all of the security vulnerabilities fixed in the new version of its browser, most of which are rated as "Critical". New versions of Thunderbird and SeaMonkey also close a number of the same holes


 
Research in Motion CIO Robin Bienfait's last name means "well done" in French. She's hoping those two words apply to BlackBerry 10 smartphones once they ship in the first quarter of 2013.
 
HTC's One X+ could be the sort of flagship phone that helps the Taiwan-based phone maker reverse its recent financial misfortunes.
 
According to media reports on Wednesday, Google has proposed a settlement of its antitrust case to the European Commission that involves labeling its own services in search results.
 
Microsoft's twice-yearly Security Intelligence Report reveals that the company has to remove malware from Windows XP twice as frequently as from Windows 7 or Vista. It does however leave a few questions unanswered


 
TinyCMS Local File Include and Arbitrary File Upload Vulnerabilities
 
The Supreme Court in the Philippines has temporarily restrained the government from enforcing a new controversial cyber law, in response to petitions from civil rights and journalists groups in the country.
 
It appears the hacker known as "Pinkie Pie" produced the first Chrome vulnerability at the Hack In the Box conference on Wednesday, just ahead of the deadline for the competition this afternoon.
 
RETIRED: Open Realty 'select_users_lang' Parameter Local File Include Vulnerability
 
Internet Storm Center Infocon Status