InfoSec News

I recently had a client call me; the issue that day was that the VPN was down. What it turned out to be was that RADIUS would not start, because some other application had port UDP/1645 (one of the common RADIUS ports) open. Since he didn't have RADIUS, no VPN connections could authenticate.
So, standard drill, we ran netstat -naob to list which application was using which port, and found that DNS was using that port. Wait, what, DNS? DNS doesn't use that port, does it? When asked what port DNS uses, what you'll most often hear is UDP/53, or more correctly, TCP/53 and UDP/53, but that is only half the story. When a DNS server makes a request (in recursive lookups, for example), it opens an ephemeral port, some port above 1024, as the source, with UDP/53 or TCP/53 as its destination.
So, ok, that all makes sense, but what was DNS doing opening that port when the service starts during the server boot-up sequence? The answer to that is, Microsoft saw the act of opening the outbound ports as a performance issue that they should fix. Starting with DNS Server service security update 953230 (MS08-037), DNS now reserves 2500 random UDP ports for outbound communication.
What, you say? Random, as in picked randomly, before other services start, without regard for what else is installed on the server? Yup. But surely they reserve the UDP ports commonly seen by other apps, or at least UDP ports used by native Microsoft Windows Server services? Nope. The only port that is reserved by default is UDP/3343 (ms-cluster-net), which is, as the name implies, used for communications between MS Cluster members.
So, what to do? Luckily, there's a way to reserve the ports used by other applications, so that DNS won't snap them up before other services start. First, go to the DNS server in question, make sure that everything is running, and get the task number (PID) that DNS.EXE is currently using:

C:\> tasklist | find "dns.exe"

dns.exe 1816 Console 0 19,652 K

In this case, the task number is 1816. Then, get all the open UDP ports that *aren't* owned by 1816:

C:\> netstat -nao -p UDP | find /v "1816"

Active Connections

Proto Local Address Foreign Address State PID
UDP *:* 860
UDP *:* 816
UDP *:* 3416
UDP *:* 4
UDP *:* 512
UDP *:* 1832
UDP *:* 2536
You may want to edit this list, since some of them might be ephemeral ports. If there's any question about which task is using which port, you can hunt them down by running:
tasklist | find "tasknumber"
or run netstat -naob, though I find this a bit less useful since the task information is spread across multiple lines.

Then, with a list of ports we want to reserve, we go to the registry with REGEDT32, to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ReservedPorts

Update the value for this entry with the UDP ports that you've decided to reserve.
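The same procedure scripted, as an added example that is not from the diary: it finds the dns.exe PID, parses the UDP listeners owned by other processes, drops anything in the ephemeral range, and merges the result into ReservedPorts (a REG_MULTI_SZ of low-high entries) so the existing 3343-3343 reservation is not lost. The $EphemeralFloor default and the -Apply switch are my assumptions; without -Apply it only reports.

```powershell
# Added example (not from the ISC diary): build the ReservedPorts list that keeps the
# DNS Server service from grabbing UDP ports other services need. Assumes Windows
# Server 2003/2008 with the DNS Server role. Run it while all other services are up.
param(
    [int]$EphemeralFloor = 49152,   # assumption: Server 2008 default; use 1025 on 2003 if MaxUserPort is untouched
    [switch]$Apply                  # without -Apply the script only reports what it would reserve
)

$dnsPid = (Get-Process -Name dns -ErrorAction Stop).Id

# Same data the diary pulls with "netstat -nao -p UDP | find /v 1816", parsed instead of eyeballed.
$udpLines = netstat -nao -p UDP | Where-Object { $_ -match '^\s*UDP\s' }
$wanted = foreach ($line in $udpLines) {
    $fields = $line.Trim() -split '\s+'                # Proto, Local Address, Foreign Address, PID
    $port   = [int]($fields[1] -replace '^.*:', '')    # handles 0.0.0.0:500 and [::]:500 alike
    $owner  = [int]$fields[-1]
    # Skip sockets owned by dns.exe itself and anything in the ephemeral range (likely a transient client socket).
    if ($owner -ne $dnsPid -and $port -lt $EphemeralFloor) { "$port-$port" }
}
$wanted = $wanted | Sort-Object -Unique

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$existing = (Get-ItemProperty -Path $key -Name ReservedPorts -ErrorAction SilentlyContinue).ReservedPorts
# Merge with what is already reserved (e.g. 3343-3343 for ms-cluster-net) instead of overwriting it.
$merged = @($existing) + @($wanted) | Where-Object { $_ } | Sort-Object -Unique

"Ports to reserve (REG_MULTI_SZ, one low-high range per entry):"
$merged

if ($Apply) {
    Set-ItemProperty -Path $key -Name ReservedPorts -Value ([string[]]$merged) -Type MultiString
    "ReservedPorts updated; the reservation takes effect after the next restart."
}
```

Review the printed list before re-running with -Apply, since a service that happened to be down at the time will not be in it.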

Finally, back to the original issue: RADIUS now starts and my client's VPN is running. We also added a second RADIUS server back in; the second RADIUS server had been built when the VPN went in, but had since mysteriously disappeared. But that's a whole 'nother story ...
If you've had a patch (recent or way back in the day) go bad on you, we'd like to hear about it; please use our comment form. Patches with silly design decisions, patches that crashed your server or workstation, patches that were later pulled or re-issued, they're all good stories, after they're fixed, that is!
A final note:
Opening outbound ports in advance is indeed a good way to get a performance boost on DNS, if you have, say, 30,000 active users hitting 2 or 3 servers. But since most organizations don't have that user count, a more practical approach to reserving ports would be to simply wait for queries, and not release the outbound ports as outbound requests leave the server, until the count is at the desired number. Maybe reserving ports should wait until the server has been up for some period of time, say 20 minutes, to give all the other system services a chance to start and get their required resources. Another really good thing to do would be to make the port reservation activity an OPTION in the DNS admin GUI, not the DEFAULT.
In Server 2008, the ephemeral port range for reservations is 49152-65535, so the impact of this issue is much less. You can duplicate this behaviour in Server 2003 by adjusting the MaxUserPort registry entry (see the MS}


Rob VandenBrink

Metafore (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Internet Explorer bests all in infosec browser battle
SC Magazine Australia
Microsoft's Internet Explorer 9 is the best browser for preventing the execution of web-based malware, according to a NSS Labs test. Windows Internet Explorer 9, Google Chrome 12, Mozilla Firefox 4, Apple Safari ...

The man who claimed to have attached a bomb collar to an Australian high school student two weeks ago thought it would be a good idea to leave a ransom note on a USB stick looped around her neck. What he probably didn't realize is that he also left his name, hidden deep in the device's memory.
Hackers claiming to belong to the collective Anonymous this morning publicly posted the names, home addresses, email addresses and passwords of 102 police officers belonging to San Francisco's Bay Area Rapid Transit (BART) agency
Microsoft's Office 365 and SkyDrive were hit by outages on Wednesday, with some customers saying they lost access to e-mail and other services for up to four hours.
RETIRED: Real Networks RealPlayer Multiple Remote Vulnerabilities
[SECURITY] [DSA 2296-1] iceweasel security update
ZDI-11-272: (0day) FlexNet License Server Manager Remote Code Execution Vulnerability
[SECURITY] [DSA 2295-1] iceape security update
Xplace Company (dettaglio.asp?id) (alloggi-dett.asp?id) (eventi.asp?id) Remote SQL injection Vulnerability
Intel on Wednesday issued a firmware upgrade that fixes a bug that caused its SSD 320 solid-state drives to crash and lose data, months after the issue first came to light.
Files entrusted to cloud-storage provider Dropbox were susceptible to unauthorized access via three attacks devised by security researchers, but the provider has since closed the vulnerabilities.
[ MDVSA-2011:127 ] mozilla
WebRising (dettaglio.asp?id) Remote SQL injection Vulnerability
ZDI-11-271: Mozilla Firefox appendChild DOM Tree Inconsistency Remote Code Execution Vulnerability
Shaw reviews Sonos' Play:3 wireless music system; Seagate's GoFlexTurbo portable hard drive.
Google has been pushing hard to work its way into the enterprise, but it remains to be seen whether that effort will be aided by this week's acquisition of Motorola Mobility.
Mozilla's decision to strip the version number from Firefox's "About" dialog box has been greeted by a nearly unanimous thumbs down, according to a lengthy, and at times heated, debate on a company discussion list.
ZDI-11-270: Mozilla Firefox SVGTextElement.getCharNumAtPosition Remote Code Execution Vulnerability
StudioLine Photo Basic 3 ActiveX control Insecure Method
Multiple XSS in WP-Stats-Dashboard
XSS in Fast Secure Contact Form wordpress plugin
A year after a major outage on its banking website, Chase today experienced another problem: An outdated Firefox certificate left some users without access for 45 minutes.
The keyboard on Therese Gween's laptop is misbehaving. What can she do about it?
Google is hoping to head off some of the complaints Oracle has made against it by asking a judge for permission to file summary judgment on four issues.
There was a time when pcAnywhere was the only software available if you needed to take remote control of another computer. Times have changed, and there are now several out there. Splashtop, which has been available for the Mac for quite some time, is now available for Windows systems as well.
T-Mobile customers who expect to get better prices from the proposed AT&T merger should think again, according to a new Yankee Group report.
Oracle Sun Solaris CVE-2011-2249 Remote Security Vulnerability

Amazon introduced a new cloud service aimed specifically at the United States government this week. Although the Amazon Web Services (AWS) GovCloud is targeted at government agencies, there are also some valuable lessons for private sector businesses and IT admins to learn about cloud servers and data storage.
Spam - particularly the kind with malicious attachments - is exploding, reaching a two-year high overall, which includes the spike last fall just before the SpamIt operation folded its doors, a security firm says.
The ISO says that C++11 will support parallel algorithms and boast improved performance
lab382 (dettaglio.php?id) Remote SQL injection Vulnerability
ZDI-11-269: RealNetworks RealPlayer Cross-Zone Scripting Remote Code Execution Vulnerability
ZDI-11-268: RealNetworks RealPlayer SWF DefineFont Remote Code Execution Vulnerability
ZDI-11-267: RealNetworks Realplayer MP3 ID3 tags Remote Code Execution Vulnerability
Microsoft Windows Data Access Component DLL Loading Arbitrary Code Execution Vulnerability
Oracle Sun Solaris CVE-2011-2285 Local Vulnerability
A U.S. trade judge has rejected Google's move to block the testimony of a Microsoft expert witness in the latter's 10-month dispute with Motorola over patents allegedly used by Android.
ZDI-11-266: RealNetworks RealPlayer Advanced Audio Coding Element Remote Code Execution Vulnerability
ZDI-11-265: RealNetworks Realplayer QCP Parsing Remote Code Execution Vulnerability
ZDI-11-264: Symantec Veritas Storage Foundation vxsvc.exe Value Unpacking Integer Overflow Remote Code Execution Vulnerability
ZDI-11-263: Symantec Veritas Storage Foundation vxsvc.exe ASCII String Unpacking Remote Code Execution Vulnerability
ZDI-11-260: Nortel Media Application Server cstore.exe cs_anams Remote Code Execution Vulnerability
ZDI-11-259: Apple QuickTime STSZ atom Parsing Remote Code Execution Vulnerability
ZDI-11-258: Apple QuickTime STSC atom Parsing Remote Code Execution Vulnerability
ZDI-11-261: HP Easy Printer Care XMLSimpleAccessor Class ActiveX Control Remote Code Execution Vulnerability
The recent story about Jason Cornish, a disgruntled employee of pharmaceutical company Shionogi is getting a lot of attention this week. In a nutshell, he resigned after a dispute with management, and was kept on as a consultant for a few months after.

The story then goes that he logged into the network remotely (i.e., VPN'd in using his legitimate credentials), then logged into a "secret" vSphere console (I'd call foul on that one; there would be no reason to have a secret console. My guess is he used the actual corporate vCenter console, or used a direct client against ESX, which you can download from any ESX server, so he had rights there as well), then proceeded to delete a large part of the company infrastructure (88 servers in the story I read). The company was offline for a number of days, and Jason is now facing charges.

This diary isn't about the particulars of this case; situations like it are much more common than you might think. We'll talk a bit about what to do, a bit about what NOT to do, and most important, we'd love to hear your insights and experiences in this area.

First of all, my perspective ...

Separation of duties is super-critical. Unless you are a very small shop, your network people shouldn't have your Windows domain admin account, and vice versa. In a small company this can be a real challenge: if you've only got one or two people in IT, we generally see a single password that all the admins share. Separation of duties is simple to do in VMware vSphere; for instance, you can limit the ability to create or delete servers to the few people who should have that right. If you have web administrators or database administrators who need access to the power button, you can give them that and ONLY that.

Hardening your infrastructure is also important. Everything from Active Directory to vSphere to Linux has a "press the Enter key 12 times" default install. Unfortunately, in almost all cases, this leaves you with a single default administrator account on every system, with full access to everything. Hardening hosts will generally work hand-in-hand with separation of duties; in most cases the default / overall administrator credentials are left either unused or deleted. In the case of network or virtual infrastructure, you'll often back-end it to an enterprise directory, often Active Directory via LDAP (or preferably LDAPS), Kerberos or RADIUS. This can be a big help if you have audits integrated into your change control process (to verify who made a particular change, or to track down who made an unauthorized change).

HR processes need to be integrated with IT. This isn't news to most IT folks. They need to know when people are hired to arrange for credentials and hardware. But much more important, IT needs to be involved in termination. They need to collect the gear, revoke passwords and the like, in many cases during the exit interview. When an IT admin is laid off, fired or otherwise terminated, it's often a multi-person effort to change all the passwords: domain admin credentials, passwords for local hosts, virtual infrastructure admins, and the myriad of network devices (routers, switches, firewalls, load balancers, etc.). If you've integrated your authentication back to a common directory, this can be a very quick process (delete or disable one account). In this case, a known disgruntled employee was kept on after termination as a consultant with admin rights. You would think that if HR was aware of this, or any corporate manager knew of it for that matter, common sense would kick in, and the red flags would be going up well before they got to the point of recovering a decimated infrastructure. Yeah, I know the proverb about common sense not being so common, but still ....
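The two controls above, a power-button-only role on one VM (separation of duties) and a permission sweep for a departing admin (the termination step), as an added VMware PowerCLI example that is not part of the diary. The server name, VM name and principals are placeholders; the privilege IDs are vSphere's own.

```powershell
# Added example (not from the ISC diary): least privilege and offboarding in vSphere
# with VMware PowerCLI. vcenter.example.com, web01, DOMAIN\webadmins and DOMAIN\jdoe
# are placeholders.
Connect-VIServer -Server vcenter.example.com | Out-Null

# 1. A role that grants the "power button" and nothing else. vCenter adds the implicit
#    System.* read privileges; no create, delete or configure rights are included.
$powerPrivs = Get-VIPrivilege -Id 'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff', 'VirtualMachine.Interact.Reset'
$role = Get-VIRole -Name 'PowerButtonOnly' -ErrorAction SilentlyContinue
if (-not $role) { $role = New-VIRole -Name 'PowerButtonOnly' -Privilege $powerPrivs }

# Grant it on the one VM the web admins own, not at the datacenter or vCenter root,
# and do not propagate it down the inventory tree.
New-VIPermission -Entity (Get-VM -Name 'web01') -Principal 'DOMAIN\webadmins' -Role $role -Propagate $false | Out-Null

# 2. Offboarding sweep: disabling the directory account is step one; this lists and
#    removes any vCenter permission still tied to the departing principal so nothing
#    lingers for a later "consultant" login.
$departing = 'DOMAIN\jdoe'
$leftover = Get-VIPermission | Where-Object { $_.Principal -eq $departing }
foreach ($p in $leftover) {
    "{0} still held role {1} on {2}; removing" -f $p.Principal, $p.Role, $p.Entity.Name
    Remove-VIPermission -Permission $p -Confirm:$false
}
```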

Backups are important. It's ironic that I'm spelling this out in the diary adjacent to the one on the fallout from the 2003 power outage, where we talk about how far we've come in BCP (Business Continuity Planning), but it's worth repeating. Being out for a number of days is silly in a virtual environment; it should be *easy* to recover, and that's one of the reasons people virtualize. It's very possible, and very often recommended, that all servers in a virtual infrastructure (Hyper-V, Xen, VMware, KVM, whatever) be imaged off to disk each day; the ability and APIs for this are available in all of them. The images are then spooled off to tape, which is a much slower process. This would normally mean that if a server is compromised, or in this case deleted, you should be able to recover that server in a matter of minutes (as fast as you can spin the disks). This assumes that you have someone left in the organization who knows how to do this (see the next section).

Don't give away the keys. Organizations need to maintain a core level of technical competency. This may seem like an odd thing for me to say (I'm a consultant), but you need actual employees of the company who own the passwords, and have the skills to do backups, restores, user creation, all those core business IT tasks that are on the checklist of each and every compliance regulation. In a small shop, it's common for IT to give consultants their actual administrative credentials, but it's much more common these days to get named accounts so that activity can be tracked. These accounts are often time-limited, either to a single day or to the duration of the engagement.

I'd very much like to see a discussion on this: what processes do you have in place, or what processes have you seen in other organizations, to deal with IT root-level users? How are they brought on board, how are they controlled day-to-day, and how are things handled as they leave the organization? I'm positive that I've missed things, please help fill in the blanks!

If I'm off-base on any of my recommendations or comments above, by all means let me know that too!

Rob VandenBrink

Metafore (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
ZDI-11-256: Apple QuickTime Media Link src Parameter Remote Code Execution Vulnerability
ZDI-11-255: Apple QuickTime Player H.264 Reference Picture List Remote Code Execution Vulnerability
ZDI-11-254: Apple QuickTime 'trun' atom sampleCount Integer Overflow Remote Code Execution Vulnerability
InYourLife (dettaglio.php?id) (dettaglio_immobile.php?id) (notizia.php?id) Remote SQL injection Vulnerability

Lists of malware domains can be fed into IPS and IDS appliances to disrupt communication between malware and an attacker's command and control server.

RSA is bolstering its CyberCrime Intelligence Service, adding malicious domain blacklists as a new feature for organizations that use the service.

Malicious domain blacklists, which can be obtained from a variety of sources, are pieced together by the security research community to cut malware off from its command and control server. Blacklisted hosts and IP addresses are used by cybercriminals for launching attacks or storing stolen information. Many of the blacklist feeds are freely available, but RSA's service will bring together information it has collected from its partners into one location.

The RSA CyberCrime Intelligence Service is a managed security service, which provides companies with data about infected machines and systems present on their network. It focuses mainly on endpoint devices and provides raw data on malware detection and what business data or email correspondence may have been compromised. RSA said the data helps organizations identify gaps in existing security policies, remediate incidents of identity theft and infected corporate machines and educate employees about the impact of malware infections.

RSA is likely wrapping in data pulled from its NetWitness acquisition. NetWitness Spectrum provides users with a feed to the Malware Domain List, ZeuS Tracker and Shadowserver, as well as its own live threat intelligence service. RSA also licenses feeds from its partners, which collect malicious IP and domain data from their customer base.

McAfee, Symantec, VeriSign and other security vendors offer similar managed security intelligence services. IBM, Hewlett-Packard and CA also offer security services that include threat assessments and other services designed to help organizations assess their individual risk profile. Some services, like VeriSign's iDefense Security Intelligence Services, offer more robust information, including vulnerability data and malicious code analysis to help incident response teams.

Telecommunications providers AT&T and Verizon also have subscription-based services providing near real-time threat landscape data and information specific to an organization. In June, Verizon announced a new Incident Analytics Service, which brings together the firm’s popular data breach investigation report along with data from its incident, classification and reporting repository. The goal of that service is to help organizations score themselves relative to other firms in their peer group.

Nokia said Wednesday that it has entered into an agreement with Polar Mobile to launch more than 300 mobile applications for Nokia smartphones.
Net-SNMP Fixproc Insecure Temporary File Creation Vulnerability
Muzedon (dettaglio.php?id) Remote SQL injection Vulnerability
ECHO Creative Company (dettaglio.php?id) Remote SQL injection Vulnerability
dpconsulenze (dettaglio.php?id) Remote SQL injection Vulnerability
dedacom (dettaglio.php?id) Remote SQL injection Vulnerability

With the next release of its Red Hat Enterprise Virtualization (RHEV) package, Red Hat has finally rid itself of one of its most notorious dependencies, namely the use of Microsoft's Windows Server and SQL Server.
China's Baidu is facing criticism after a state-run television network ran reports alleging that the company fails to stop scammers from abusing its keyword advertising platform to promote fraudulent websites.
Dell expects both Windows 8 and Android to be credible options for tablet customers next year, and indicated it plans to offer products built around the two operating systems, a company executive said on Wednesday.
The head of the organization chartered with managing some of the Internet's complex routing systems is resigning.
HP Easy Printer Care Software 'HPTicketMgr.dll' ActiveX Control Remote Code Execution Vulnerability
Avaya Media Application Server Client Remote Code Execution Vulnerability


Webroot confirms staff cutbacks
Steven Malone, technical director at Infosec Technologies, which has been a Webroot partner for five years, was unfazed by the changes. "We have seen other vendors making tuning cuts for the past two years so this news does not concern us," he said.

From an ingeniously designed surge protector to a tiny portable speaker that sounds like a million bucks, this gear will get students back in the swing of things on campus and off.

Posted by InfoSec News on Aug 16

By Robert McMillan
IDG News Service
August 16, 2011

Logging in from a Smyrna, Georgia, McDonald's restaurant, a former
employee of a U.S. pharmaceutical company was able to wipe out most of
the company's computer infrastructure earlier this year.

Jason Cornish, 37, formerly an IT staffer at the U.S. subsidiary of
Japanese drug-maker...

Posted by InfoSec News on Aug 16

By Tracy Kitten
Managing Editor
Bank Info Security
August 16, 2011

NSW Police in Australia say the department's fraud squad has arrested
and charged five Malaysian and Sri Lankan nationals suspected of being
behind an elaborate international card-skimming scheme that spanned the
United Kingdom, mainland Europe and North America.

The alleged scheme, which authorities have been...

Posted by InfoSec News on Aug 16

By Elad Benari
Arutz Sheva

Hackers who attacked the website of a prominent Canadian newspaper early
on Tuesday posted a false news item saying the Premier of the province
of Quebec had died.

According to a report by the Reuters news agency, the newspaper whose
website was attacked was the Quebec-based Le Devoir newspaper.

The fake item regarding the supposed death of Premier...

Posted by InfoSec News on Aug 16

By William Jackson
Aug 16, 2011

Change is the one constant for most information systems and managing
changes in configuration is an essential element of IT security.

“The configuration of an information system and its components has a
direct impact on the security posture of the system,” the National
Institute of Standards and Technology writes in newly...

Posted by InfoSec News on Aug 16

By Kelly Jackson Higgins
Dark Reading
Aug 16, 2011

More than 100 security professionals next month will compete in a two-day
cybersecurity competition that simulates real-world attackers and attacks.

The SANS NetWars contest -- part of the U.S. Cyber Challenge program -- will
be held as part of the...