InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Windows Resource Monitor is a hidden gem within the OS that can be very useful to an incident responder in a crunch. It isn't as comprehensive as Sysinternals Process Monitor, but it is built in to Windows, so you can use it on a computer with no internet connection. It lacks the depth of WMIC, but it does have a very nice GUI (if you are into that sort of thing). In short, Resource Monitor is a worthy addition to the incident responder's toolkit. Resource Monitor isn't a separate program; rather, it is an operational mode of Performance Monitor (Perfmon.exe). If you start Performance Monitor with the /res option you will see the Resource Monitor interface: click Start, Run, type Perfmon.exe /res and press Enter (on Windows 7 and later, resmon.exe opens the same interface directly). Here is what it looks like.

It has a series of tabs across the top (Number 1) for Overview, CPU, Memory, Disk and Network. Each tab is broken down into sections that can be expanded or collapsed by clicking the arrow on the section's header (Number 2). The top section on each tab lets you check a box next to a process name, which applies a filter to the other sections of the tab. So by checking the box next to Firefox.exe you will only see the disk, memory and network resources associated with the Firefox process. The disk section shows you the files the process has open. The network section shows the remote address, resolved to a fully qualified DNS name where it can be, for each TCP and UDP connection in use by that process. The memory section gives you a quick look at how much memory the process is using. That's about it for the Overview tab. If that didn't tell you everything you wanted, refer to the CPU, Memory, Disk and Network tabs for more information. Let's take a look at the CPU tab.

The CPU tab has some nice features. By selecting a process you can see all of the OS handles in use by the process (number 4). It even has a search feature that lets you search all of the open handles across every process, which is a quick way to find out who has a particular file or registry key open. The Modules section (number 5) shows you all of the DLLs loaded by the process.
I'll leave the remaining tabs for you to explore on your own. I think you will find that, in a pinch, Resource Monitor is a good way for a first responder to get a first look at what is happening on a computer.
Performance Monitor uses performance counters and Event Tracing for Windows (ETW) to capture data from various sources; the /res option is just one of Performance Monitor's ways of displaying that information. If you are curious what other modes Performance Monitor has, give perfmon.exe /report a try. If you want to see how a penetration tester might use Event Tracing, check out this article.
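Resource Monitor is a GUI, so its view of a process doesn't land in a file. As an added example (not code from the diary), the PowerShell script below pulls the same facts the Overview and CPU tabs show for one process: command line and parent PID, working set, loaded modules, and TCP/UDP endpoints with reverse-DNS names. It uses only what ships on the Windows versions the diary covers (PowerShell 2.0, WMI, netstat -ano). The process name $ProcName, the $Resolve switch and the address skip-list are assumptions of the example; run it elevated to see other users' processes.

```powershell
# Added example, not from the ISC diary: command-line stand-in for the
# Resource Monitor Overview/CPU view of one process, for capture to a file.
param(
    [string]$ProcName = "firefox",   # assumed target image name (.exe optional)
    [bool]$Resolve = $true           # reverse-DNS remote addresses; $false on an offline box
)

$ProcName = $ProcName -replace '\.exe$', ''

# Constructed skip-list: unspecified/loopback addresses never worth resolving
$NoResolve = @('0.0.0.0', '*', '::', '127.0.0.1', '::1')

function Format-Remote {
    # Turns "93.184.216.34:443" or "[2001:db8::1]:443" into "ip (hostname)",
    # the way Resource Monitor's Network section labels remote endpoints.
    param([string]$Endpoint)
    $ip = ($Endpoint -replace ':(\d+|\*)$', '') -replace '[\[\]]', ''
    if (-not $Resolve -or $NoResolve -contains $ip) { return $ip }
    try   { return "$ip ($([System.Net.Dns]::GetHostEntry($ip).HostName))" }
    catch { return "$ip (no reverse DNS)" }
}

function Get-ProcessConnections {
    # netstat -ano ships on every Windows version the diary covers; the last
    # column is the owning PID, which is what Resource Monitor filters on.
    param([int]$ProcessId)
    $pattern = '\s' + $ProcessId + '\s*$'
    netstat -ano | Where-Object { $_ -match $pattern } | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        # UDP rows have no State column, so their PID sits in field 3, not 4
        $state = if ($f[0] -eq 'TCP') { $f[3] } else { '-' }
        New-Object PSObject -Property @{
            Proto  = $f[0]
            Local  = $f[1]
            Remote = Format-Remote -Endpoint $f[2]
            State  = $state
        }
    }
}

function Get-ProcessTriage {
    param([System.Diagnostics.Process]$Proc)
    # Command line and parent PID are not on System.Diagnostics.Process; WMI has them
    $wmi = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($Proc.Id)"
    # Modules = the CPU tab's Modules section. Reading them from 32-bit
    # PowerShell on a 64-bit process, or on a protected process, throws;
    # record that rather than abort the triage.
    $modules = @()
    try   { $modules = @($Proc.Modules | ForEach-Object { $_.FileName }) }
    catch { $modules = @("<modules not readable: $($_.Exception.Message)>") }
    New-Object PSObject -Property @{
        Name         = $Proc.ProcessName
        PID          = $Proc.Id
        ParentPID    = $wmi.ParentProcessId
        CommandLine  = $wmi.CommandLine
        WorkingSetKB = [int]($Proc.WorkingSet64 / 1KB)
        Modules      = $modules
        Connections  = @(Get-ProcessConnections -ProcessId $Proc.Id)
    }
}

$procs = @(Get-Process -Name $ProcName -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) { Write-Warning "No process named '$ProcName' is running"; return }

foreach ($p in $procs) {
    $t = Get-ProcessTriage -Proc $p
    "=== $($t.Name) PID $($t.PID) (parent PID $($t.ParentPID)) ==="
    "CommandLine : $($t.CommandLine)"
    "WorkingSet  : $($t.WorkingSetKB) KB"
    "--- Connections ---"
    $t.Connections | Format-Table Proto, Local, Remote, State -AutoSize | Out-String
    "--- Modules ($($t.Modules.Count)) ---"
    $t.Modules
}
```

Redirect the output to a file on removable media (.\triage.ps1 -ProcName firefox > E:\firefox-triage.txt) so the responder has a record. Reverse lookups are the one thing that does touch the network; on an isolated machine each unresolvable address waits for a timeout, so pass -Resolve:$false there.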

Join me for SANS 504 Hacker Techniques, Exploits and Incident Handling in San Antonio, Texas, November 27th - December 2nd 2012!

Mark Baggett

On Twitter @markbaggett

Qualcomm has lowered its forecast of global cellular device shipments for 2012 due to a gloomy economic outlook, though it expects device sales to surge in the fourth quarter because of upcoming products, a likely reference to Apple's iPhone and Microsoft's Windows 8 tablets.
The new version of Microsoft Office offers compelling enhancements to its capabilities and interface design, as well as improvements in cloud functionality that should make it a far better product than its predecessor.
For its most recent financial quarter, IBM experienced a drop-off in revenue, though it was able to maintain profit growth.
The U.S. Congress may need to pass legislation that limits the way government agencies and private companies use facial recognition technology to identify people, a U.S. senator said Wednesday.
Black Hat 2012 insider Jennifer Jabbusch Minella analyzes the session lineup for the annual security research conference.


A recent audit into U.S. federal agencies’ adoption of cloud computing services highlighted challenges that likely would resonate with private enterprises looking to move applications to the cloud.

The report by the U.S. Government Accountability Office looked at the progress seven agencies have made in implementing the White House’s “Cloud First” policy. According to GAO, agencies need to do better planning – of the 20 plans for implementing cloud solutions the agencies submitted, seven didn’t include estimated costs. None of the plans for meeting the federal cloud computing strategy included details on how legacy systems would be retired or repurposed.

What’s telling, though, is the list of cloud challenges GAO compiled after talking to agencies. Topping the list is concern over the ability – or inability – of cloud providers to meet federal security requirements. For example, State Department officials reported that cloud providers can’t match the department’s ability to monitor its systems in real time. Also, Treasury officials noted that meeting a FISMA requirement for maintaining a physical inventory is tough since they don’t have insight into the cloud provider’s infrastructure and assets.

Other challenges cited in the GAO report include agencies not having the necessary expertise to implement cloud services; a Health and Human Services official reported that it’s difficult to teach staff a new set of procedures, such as monitoring performance in a cloud environment. Another challenge: Ensuring data portability and interoperability by avoiding vendor lock-in.

Sounds familiar, right? Security, cloud provider transparency, lack of expertise and vendor lock-in are all issues that organizations, both public and private, are wrestling with as they try to take advantage of cloud services. In its report, the GAO notes that recently issued federal guidance and initiatives, including guidance from NIST and FedRAMP, address some of these issues. Still, the issues are far from easy to solve. The journey to the cloud is a pretty bumpy one right now, as the GAO report found.

Insider Jennifer Jabbusch Minella ranks the top 10 Black Hat 2012 sessions on the conference agenda.

James Philput of Information Assurance Professionals will explain how social engineering training can instill security awareness into end users.

Microsoft today announced that it will start selling Windows 8 on Friday, Oct. 26, a little more than three months from now.
Like many of us, Eric Jacobs has parents and those parents are confounded by iPad photo management. He writes:
Microsoft and Google are each taking steps to extend the social networking capabilities in their search services, with the goal of making it easier to find or share useful results.
Thanks for the heads-up to our reader Bill, who pointed out that Snort 2.9.3 has just been released; details are here: http://blog.snort.org/2012/07/snort-2930-has-been-released.html
A couple of new features and lots of changes to existing ones; the release notes are well worth the read!

Rob VandenBrink

Metafore
Just days after a former employee blasted Mozilla for its frequent updates, the company on Tuesday shipped Firefox 14, patching 18 vulnerabilities and adding automatic encryption of searches passed to Google's search engine.
A hacker claimed to have broken into ITWallStreet.com, a website for IT professionals who are seeking Wall Street jobs or are working with Wall Street firms, and exposed highly detailed data belonging to tens of thousands of job applicants.
Facebook appears to be losing users in the U.S. and other major markets, though its user base in parts of Asia is growing, according to an investment company report.
To generate interest from developers, Boston-based Akiban Technologies has released as open source its flagship database software, called Akiban Server. The company also released a connector for replicating a MySQL database within Akiban, and forged a partnership with platform hosting provider Engine Yard.
Patent licensing firms that can't get satisfactory results in patent infringement cases in U.S. courts are abusing a patent complaint process at the U.S. International Trade Commission that can lead to products made by U.S. companies being excluded from sale in the country, some U.S. lawmakers suggested Wednesday.
[slackware-security] mozilla-thunderbird (SSA:2012-200-03)
[slackware-security] seamonkey (SSA:2012-200-04)
[slackware-security] mozilla-firefox (SSA:2012-200-02)
This topic is likely more important than the Weak Key story I published earlier. Unfortunately, we all DO get a vote on weak encryption, and almost everyone votes wrong: accepting the defaults, which include easily attacked crypto algorithms.

I do a fair number of security assessments, and invariably I find servers that support weak ciphers. What this means is that the server will still negotiate encryption using weak algorithms, such as the suites below (taken from a recent assessment, in the format that openssl ciphers -v prints):

EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Note that whatever the MAC (MD5 or SHA1), every one of these suites encrypts with a symmetric algorithm using a 40-bit key(!), and the key exchange (Kx) uses a 512-bit RSA key. Both are within reach of a modest attacker: 40 bits is a straightforward brute-force search, and 512-bit RSA moduli have been factorable since the late 1990s. And yes, you can still negotiate these export suites in SSLv3 and TLS; why we all decided they should be in the default set for the newer protocols is beyond me! We're (mostly) past the days when we had to worry about customers being subject to the old export regulations that limited them to 40- or 56-bit encryption (full disclosure: there are still a few exceptions).

The problem is that until very recently, support for these weak suites was part of the default installation, so if you run setup and press Enter or OK 15 times, this is what you'll have. A server that offers them will hand a 40-bit session to any client that asks for one, and an attacker who can steer the negotiation toward a weak suite (a client configured to accept it, a protocol version whose handshake isn't integrity protected, or a triggered renegotiation) can recover the key and decrypt your data. With the right tools, decryption of these algorithms is close to real time.

The sad thing is that, while it's very easy to disable these algorithms, almost every server you'd care to check still supports them. Mostly because folks don't know that they are there, don't know what they are, or don't know what the risks are. Or don't care (though people are starting to come around on that).
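Two things a practitioner wants at this point are a way to triage a cipher list like the one above and the actual "disable" step. As an added example (not code from the diary), the PowerShell script below does both for a Windows web server: it parses openssl ciphers -v style lines and reports why each suite fails a no-export, 128-bit-minimum policy, then shows the SCHANNEL registry keys that remove the 40/56-bit ciphers. The sample input is the diary's own three lines plus one strong suite added as a control; the SCHANNEL key names are the ones Microsoft documents (KB245030). It is a dry run unless you pass -Apply.

```powershell
# Added example, not from the ISC diary: classify an "openssl ciphers -v"
# list and disable the export-grade SCHANNEL ciphers on a Windows server.
param([switch]$Apply)   # dry run unless -Apply is given

# Constructed sample: the diary's cipher lines plus one strong suite as a control
$SampleCiphers = @'
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
'@

function Test-CipherLine {
    # Parses one "openssl ciphers -v" line and returns why it fails a policy of
    # no export suites, >= 128-bit symmetric keys, >= 1024-bit key exchange,
    # no RC4/RC2/single DES/NULL, and no MD5 MAC. Empty Reasons = acceptable.
    param([string]$Line)
    $f = $Line.Trim() -split '\s+'
    $kv = @{}
    foreach ($tok in $f) {
        if ($tok -match '^(\w+)=(.+)$') { $kv[$matches[1]] = $matches[2] }
    }
    $reasons = @()
    if ($f -contains 'export') { $reasons += 'export-grade suite' }
    # Enc=RC2(40) -> algorithm RC2, 40-bit key; Enc=AES(256) -> 256-bit key
    if ($kv['Enc'] -match '^(\w+)\((\d+)\)$') {
        $alg = $matches[1]; $bits = [int]$matches[2]
        if ($bits -lt 128) { $reasons += "symmetric key only $bits bits" }
        if (@('RC4', 'RC2') -contains $alg) { $reasons += "$alg cipher" }
        if ($alg -eq 'DES') { $reasons += 'single DES' }
    } elseif ($kv['Enc'] -eq 'None') { $reasons += 'NULL cipher (no encryption)' }
    # Kx=RSA(512): a 512-bit temporary RSA key protects the key exchange
    if ($kv['Kx'] -match '\((\d+)\)' -and [int]$matches[1] -lt 1024) {
        $reasons += "key exchange only $($matches[1]) bits"
    }
    if ($kv['Mac'] -eq 'MD5') { $reasons += 'MD5 MAC' }
    New-Object PSObject -Property @{
        Suite   = $f[0]
        Weak    = ($reasons.Count -gt 0)
        Reasons = ($reasons -join '; ')
    }
}

# SCHANNEL cipher keys (names per Microsoft's SCHANNEL documentation, KB245030).
# Enabled=0 removes the cipher from every suite Windows will offer or accept.
$SchannelCiphers = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$WeakSchannel    = @('RC2 40/128', 'RC4 40/128', 'DES 56/56', 'NULL')

function Disable-SchannelCipher {
    param([string]$Name, [switch]$Write)
    if (-not $Write) { return "would set HKLM:\$SchannelCiphers\$Name  Enabled=0" }
    # The key names contain '/', which the registry provider treats as a path
    # separator ("RC4 40" with a child "128"), so go through the .NET API.
    $parent = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($SchannelCiphers)
    $key = $parent.CreateSubKey($Name)
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $parent.Close()
    return "disabled $Name (takes effect after a reboot)"
}

$SampleCiphers -split "`n" | Where-Object { $_.Trim() } |
    ForEach-Object { Test-CipherLine -Line $_ } |
    Format-Table Suite, Weak, Reasons -AutoSize

foreach ($name in $WeakSchannel) { Disable-SchannelCipher -Name $name -Write:$Apply }
```

SCHANNEL settings are machine-wide, so this also stops the server's own outbound TLS clients from using those ciphers, which is what you want. To confirm from the outside, openssl s_client -cipher EXPORT -connect host:443 should fail to complete a handshake once the change is in; on Apache or nginx the same policy is a cipher string that excludes EXPORT, LOW, aNULL and eNULL.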

I'm hoping that Microsoft's recent emphasis and patches on weak keys will trigger some interest in what's going on inside our corporate webservers.

... Because if the application and the information is important to your organization, it should be considered important enough to protect properly!


Rob VandenBrink

Metafore
OK, so I'm a bit off base with the title - we don't get a vote, but that's a good thing!

As part of the August patch cycle (just 3 weeks away), Microsoft will be pushing out a patch that will block all RSA keys under 1024 bits in length. This will affect the whole fleet: Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. The check is made when CryptoAPI builds and validates a certificate chain, so it'll affect every Microsoft component that relies on it (the most visible being IE).

Their blog entry on this patch is here:


They highlight the more common issues that folks may see:

Error messages when browsing to web sites that have SSL certificates with keys that are less than 1024 bits
Problems enrolling for certificates when a certificate request attempts to utilize a key that is less than 1024 bits
Creating or consuming email (S/MIME) messages that utilize less than 1024 bit keys for signatures or encryption
Installing Active X controls that were signed with less than 1024 bit signatures
Installing applications that were signed with less than 1024 bit signatures (unless they were signed prior to January 1, 2010, which will not be blocked by default).

Those last two I hadn't thought of until I read this article - I could see lots of organizations being vulnerable on application and ActiveX signing and not realizing it. (many companies don't realize that they are even using signed applications or controls!)

Not only does the blog describe the patch and the possible issues, but it also goes through the steps organizations should take to assess any internal (or external) web applications and services, to ensure that they'll still work post-patch.
The follow-on blog entry covers how to implement work-arounds to permit continued operation. Their approach uses (of course) certutil.exe, the command-line certificate utility that is in all affected versions of Windows. Find this follow-on blog here:

Hopefully the impact of this change will be minimal. Remember that the 1024-bit keys in question are the keys in the certificate: they authenticate the server at the start of an SSL conversation (and, with RSA key exchange, protect the premaster secret the session keys are derived from), but they are not the keys used by the cipher that encrypts the actual data. That is also why the floor is being raised: a certificate key short enough to factor undermines everything negotiated under it. Most public CAs (Certificate Authorities) moved to longer keys quite some time ago, so weak keys in certificates are likely a legacy issue, one that will mostly be seen in poorly implemented internal CA infrastructures.
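The assessment step Microsoft asks for is easy to script. As an added example (not code from the diary or from Microsoft's blog), the PowerShell script below inventories the two places the list above points at: every certificate store on the machine (web, enrolment and S/MIME certificates all live there) and the Authenticode signatures on installed applications and ActiveX controls. It needs only PowerShell 2.0 on the affected versions; $BinaryRoot is an assumed path to scan, and 1024 is the threshold the patch enforces.

```powershell
# Added example, not from the ISC diary or Microsoft's blog: pre-patch
# inventory of RSA keys shorter than 1024 bits in certificate stores and in
# Authenticode signatures on installed binaries.
param(
    [int]$MinBits = 1024,                 # the patch's minimum RSA key length
    [string]$BinaryRoot = $env:ProgramFiles   # assumed: where signed apps/controls live
)

function Get-RsaKeyBits {
    # Returns the RSA public key length, or -1 when it cannot be read (non-RSA
    # keys, damaged certs), so one odd certificate doesn't abort the sweep.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        if ($Cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return -1 }
        return $Cert.PublicKey.Key.KeySize
    } catch { return -1 }
}

function Find-WeakStoreCerts {
    # Walks every store under LocalMachine and CurrentUser (My, Root, CA, ...).
    Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $bits = Get-RsaKeyBits -Cert $_
            if ($bits -ge 0 -and $bits -lt $MinBits) {
                New-Object PSObject -Property @{
                    Store      = ($_.PSParentPath -replace '^.*::', '')
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    KeyBits    = $bits
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                }
            }
        }
}

function Find-WeakSignedBinaries {
    # Applications and ActiveX controls: .exe, .dll and .ocx under $BinaryRoot.
    # Only signatures that currently validate are reported; a broken signature
    # is a different problem. The patch exempts binaries signed before
    # 2010-01-01, and Get-AuthenticodeSignature does not expose the signing
    # time, so that exemption has to be checked separately.
    Get-ChildItem -Path $BinaryRoot -Recurse -Include *.exe, *.dll, *.ocx -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
                $bits = Get-RsaKeyBits -Cert $sig.SignerCertificate
                if ($bits -ge 0 -and $bits -lt $MinBits) {
                    New-Object PSObject -Property @{
                        File    = $_.FullName
                        Signer  = $sig.SignerCertificate.Subject
                        KeyBits = $bits
                    }
                }
            }
        }
}

"== Certificates with RSA keys under $MinBits bits =="
Find-WeakStoreCerts | Sort-Object Store, Subject | Format-Table Store, KeyBits, NotAfter, Subject -AutoSize
"== Signed binaries under $BinaryRoot with signing keys under $MinBits bits =="
Find-WeakSignedBinaries | Format-Table KeyBits, Signer, File -AutoSize
```

Run it on a representative client and on each internal CA and web server; anything it lists in the Root or CA stores is a chain that will start failing in August. The certutil override the follow-on post describes (lowering chain\MinRsaPubKeyBitLength with certutil -setreg) is a stopgap while those certificates are reissued with longer keys, not a fix.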

Rob VandenBrink

Metafore
European Union antitrust officials are looking into charges that Microsoft has blocked rival browser makers from harnessing the power of Windows 8 for their software.
[SECURITY] [DSA 2514-1] iceweasel security update
It wasn't long ago that an organisation's choice of IT was dictated to its users by a centralised internal IT function, hand-picking selected devices and favoured suppliers.
If there's one myth in the information security field that just won't die, it's that an organization's security posture can be substantially improved by regularly training employees in how not to infect the company. [Editor's note: See Joe Ferrara's recent article 10 commandments for effective security training.]
AT&T announced voluntary wireless data sharing plans today that don't require new and current customers to enroll, a marked distinction from the forced Share Everything plans from rival Verizon.
Using Visa or MasterCard for donations to WikiLeaks was made possible again Wednesday when the French organization Defense Fund Net Neutrality (FDNN) started accepting payments via those credit card providers through the French Carte Bleue systems.
Symantec on Tuesday joined other vendors offering tools to stop such mobile malware with its own: Mobile Security for Android
Microsoft yesterday clarified that Mac users will not be able to download and install a copy of Office for Mac 2011 as one of the five licenses allowed by the new Office 365 subscription plans.
Check Point Software Technologies plans to introduce document security software that encrypts and controls access to files across an organization's various departments and also meets the growing need for corporate users to access company information on mobile devices, a company executive said.
The Open Mobile Alliance (OMA) has developed a standard for handling 2D barcodes that it hopes will direct mobile phone users to websites more easily. By standardizing the specification for encoding, decoding and resolution of 2D barcodes, OMA wants to stimulate the usage of the codes, it said.
Oracle exec says Project Jigsaw technology has been deferred until 2015 with release of Java SE 9.
A rich ecosystem of free maps, free data and free libraries give developers excellent alternatives to Google Maps.
Skyhook introduced a new version of its location engine for mobile apps that it said will allow smartphones to determine a user's location once a minute throughout the day without draining the battery.
Security company Onapsis released on Wednesday a product that allows intrusion detection systems to recognize attacks against SAP applications holding critical financial and business data.
Contract IT workers may walk, talk and code like staff, but in fact they're not company employees -- something managers should keep in mind. Insider (registration required)
HTC filed a counterclaim before a court in Florida stating that Apple infringed on two of its patents, originally assigned to Hewlett-Packard and Electronic Data Systems, a company that HP acquired in 2008.
PayPal has acquired Card.io, a developer of technology for using mobile phone cameras to scan credit cards and capture relevant information, the companies said.
Microsoft could have escaped the wrath of European Union antitrust regulators and the risk of potential fines in the billions if it had paid attention to an exchange on its own support site more than a year ago.

GRC: a hard dollar cost but soft dollar return, says RSA Archer
Infosecurity Magazine
Chief information security officers (CISOs) are increasingly adding risk management to their ever expanding portfolio of responsibilities, according to a new report by infosec social networking site Wisegate. Infosecurity Europe 2012: defining risk ...

Keynote Competitive Research placed Bank of America first among 23 banks that it analyzed on the basis of online customer experience, saying it leads in functionality, ease of use, privacy, security, quality and availability.
The New York metropolitan area has the highest demand for H-1B workers in the U.S., according to a new study that examines regional use of the work visa.
Motorola Mobility said Tuesday that it has taken "proactive measures" to ensure that its smartphones remain available to consumers in the U.S., despite a U.S. International Trade Commission ban on its phones that comes into effect on Wednesday.
Dropbox is investigating reports that some European users are receiving spam to email addresses associated with their accounts, the company said Tuesday.