Packettotal ( ) is a new site that does some nifty analysis of Packet Captures for you if youre not so familiar with Wireshark or other analysis tools

Out of the gate, this site maps out connections, certificates, encryption algorithms and gives up files that are transfered in the session. A great start (I accidentally found another app that runs their own private CA with this), were looking forward to more great things from this site as they get on! So far everything you can do on Packettotal you can do in Wireshark, but its as quick and easy as can be on the PT site!

Of course - the standard rules apply - be sure that youre not uploading sensitive informaiton to cloud-based sites of this type! If youre analyzing client data, you might need permission to upload. They also still allow http access to their site (oops) - be sure to browse to them using https explicitly until they fix this.

Rob VandenBrink

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

=============== Rob VandenBrink Metafore

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

With the prevalence of Next-Gen Firewalls, were seeing a new wave of organizations decrypting traffic at the network edge, between organizations and the public internet.
This is a good thing. As we see more and more legit https traffic, were also seeing the attackers follow that trend, where malware and attacks are now often encrypted using standards based protocols as well.

How does this look in practice? width:1025px" />

But as we do the decrypt / inspect / encrypt thing, were also being forced to deal with applications that do things in unexpected ways - stuff like ...

What NOT to Decrypt
There is *always* a list of applications that your dont want to decrypt. For privacy reasons, you almost never decrypt healthcare sites and banking/financial sites. Not only is the case that we dont want that information in a log someplace, its likely either illegal or breaks compliance if we decrypt and inspect tha ttraffic. Depending on your jurisdiction and industry, that list may of course vary.

Apps that run a Private CA and/or do Certificate Pinning
Ive seen some banking terminals (both ATMs and POS platforms) do certificate pinning, which is exactly as you would hope should be going on. Of course theyll run their own CA, and reject any traffic that is encrypted using a certificate that isnt their own. And of course, we simply put that banking terminal (ATM or payment card processor) into an exemption list - we dont *want* to decrypt that traffic - if we could decrypt that traffic successfully and still have it operate, wed report that as an issue to the payment processor. Where possible though, its also a good practice to isolate these units, and only allow them to communicate to their payment card mothership. You definitely dont want to be the source of an ATM breach, and if they get compromised from some other source, you dont want their attacker to see your network either.

Surprisingly though, Im seeing the same sort of behaviour in Courier apps. You know, that desktop app that shipping receiving (or the office manager, or whoever does shipping in your organisation) runs? Again, because the private CA is pinned, the only way to deal with it is to exempt the traffic between that workstation and the DN (Directory Name) of the target (* in this case). Good on them for going the extra mile, but it sure was a surprise to find it in the logs! We still get to decrypt everything else to and from those machines - theyre not isolated, but exempting traffic for that one application is straightforward.

Apps that Break the Rules
A more troubling situation is that we do see some applications that break or bend the rules for good encryption. For instance, apps that accept expired certificates from their server.
Logmein (the support/remote control application) for instance is currently in that situation. Their web services back-end currently uses an expired certificate. Worse yet, their upstream has no fixed IP address (its in a CDN), and the traffic is over tcp/443. Without putting some work into the rules, the decryption engine will simply drop the traffic because the cert is expired. So what this means for perimeter rules is that we need to match on the target DN (theres a list), and for those DNs we have to allow expired certificates. And right below that rule, we need a second rule that has the same DNs but doesnt allow expired certificates (for when they fix this situation).

We see similar things for applications that use APIs inside of SSL or TLS - if theyre using weaker ciphers, older protocols or pin certificates, to allow that app to work we need to set the allowed DNs and permit whatever bad habit that app has.

Other Bad Habits:
We also see lots of file downloads happen for one application or another. So if your organization blocks downloading JAR files for instance, any Java based app that pulls a JAR will trigger and block, breaking the application. Its very common for instance to see all-in-one helpdesk applications download a package of EXEs, JARs and MSIs when a new station is enrolled. As a side note, its also common to see these apps pull down older versions of Java, Acrobat Reader and other apps - what could possibly go wrong with that?

Logging is your friend for all of these something is broken situations - for any application that doesnt work, have a test user break it on film and note the time. Once youve got it logged, youll have the info you need to allow that application (and only that application) to do whatever dumb thing (or smart thing) that it needs to do to run, without allowing that behaviour on other applications.

For the helpdesk app example - in some cases we luck out and can set up a local repository, in other cases that cloudy nature of the app cant be worked around, and we need to permit exemptions.

Final advice? Once you have a smarter perimeter appliance like this in play, be prepared for your users to request that you whitelist a never-ending list of websites and applications. Before you do that, make sure that theyre actually blocked for one behaviour or another - in most cases they work just fine. Im still working out why human nature pushes folks to want a mile-long whitelist rule - one that has a pass everything, trust it all permission. So far, for most of those I leave all the decryption, traffic inspection, IPS and file inspection/sandboxing in play - the list of sites where you *dont* want that going on is pretty short.

If youve gone down the decrypt/inspect/re-encrypt road at your network edge, what problems have your found? How did you work around it? Please, use our comment form and let us (and everyone else) know!

Rob VandenBrink

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

What to do on a cloudy lazy Sunday? You go hunting and review some alerts generated by your robots. Pastebin remains one of my favourite playground and you always find interesting stuff there. In a recent diary, I reported many malicious PE files[1] stored in Base64 but, today, I found a suspicious piece of JavaScript code[2]. It was posted by a valid account but it was its first pastie 2 : var _6101=34280B84F123A777A741D825 ... stripped data ... F713C589E 11 : _9837=_2519 15 : var _8383=_1472 16 : var _2078=_8383=_9837 24 : } 25 : 26 : var _1667=_6430=_5991 27 : var _3473=_3473=_6430

Its an interesting example of code obfuscation but not very complicated to reverse. After a quick check, we may assume that the malicious code is stored in the variable _6101 (line 2) and that the rest of the code is just used to deobfuscate it. Note also the presence of the string eval in 10. Thisshouldget you thinking. Lets review the code line by line:

Line3, _9332 contains the following string (hex-encoded): ABCDEF.

Line 5, _3603 contains the last characters of the payload: E.

Line 7, the payload is split based on the separators ABCDEF padding:5px 10px"> 34280,84,123,777,741,825,741,813,749,809,773,801,817,585,481,825,741,809,481,689,773,817,785,757,481,597,481,489,621,669,625,629,481,693,665,633,681,645,629,665,625,481,617,709,481,709,741,793,765,593,541,613,601,489,589,393,825,741,809,481,625,757,813,749,809,773,801,817,773,797,793,813,481,597,481,489,489,529,393,481,481,481,481,733,817,757,833,817,481, ...

Line 8: _4029 contains an array of JavaScript functions

Line 9: _4678[1] contains 4 (String(parseInt(84)/21) = 4)

Line 10: The most important one: _5991 contains the eval // eval(_9837) }

What is stored in the variable _9837? Is it malicious or just suspicious? The payload passed to eval() is a JavaScript code called CODE UNFRIEND by Yang. It looks to be a script to massively remove friends from a Facebook account. I posted a copy of the de-obfuscated payload on pastebin[3]. If it rings a bell to you, let me know.


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Internet Storm Center Infocon Status