Recently, while conducting a review at a community college where I'm helping out with security, we tried to determine why they kept having remote logins to generic student accounts, even though they had just reset all the passwords and erased all the home directories, to prepare for a new course.

The probably good news is that they noticed. The not so good news is that they couldn't figure out what was going on. Turns out that some of the student home directories contained a .ssh folder, which in turn contained an authorized_keys file. Some of these files were from as far back as 2011, and others contained a dozen or more public keys. Nobody had any idea of where the corresponding private keys were, and who had access to them, but it is safe to assume that former students had added a key of their own, and some of them had kept occasionally using the lab accounts.

When the teacher prepped the systems for a new set of lab exercises, he reset all the passwords, and erased all the contents of the home directories.  All the contents?  No. The cleanup script that they used did a for-loop over the existing home folders, and basically ran

cd /home/user1
rm -rf *
cd /home/user2


which, to their surprise, left the ".ssh" folders and their contents in place. [Why? Well, "*" is a shell expansion, and customarily ignores "hidden" files that start with a "dot". But that's a different story :)]  Due to this, all the authorized_keys files remained, and the corresponding keys continued to work, no matter how often the administration reset the passwords on the student lab accounts.
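To make the glob gotcha concrete, here is an added example (not the college's cleanup script, and not part of the diary) that reproduces it in a throwaway directory and then shows a cleanup that removes hidden entries too. The directory layout and the key line inside it are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the diary): reproduce the dotfile gotcha in a
# throwaway directory, then show a cleanup that removes hidden entries too.
set -u

# Build a constructed home directory with a visible lab folder and a hidden
# .ssh tree holding a (fake, constructed) authorized_keys entry.
make_fake_home() {
    d=$(mktemp -d)
    mkdir -p "$d/.ssh" "$d/lab1"
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKE student@laptop" > "$d/.ssh/authorized_keys"
    echo "notes" > "$d/lab1/notes.txt"
    printf '%s\n' "$d"
}

# The original loop's behaviour: "*" expands only to non-hidden names,
# so .ssh (and the authorized_keys inside it) survives.
glob_cleanup() {
    ( cd "$1" && rm -rf -- * )
}

# find -mindepth 1 enumerates hidden entries as well; -delete removes them
# bottom-up. (-delete is GNU/BSD find; "-exec rm -rf {} +" is the portable fallback.)
safe_cleanup() {
    find "$1" -mindepth 1 -delete
}

# Number of remaining top-level entries, hidden ones included (. and .. excluded).
remaining_entries() {
    find "$1" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' '
}
```

Run `make_fake_home`, apply `glob_cleanup` and you will still find `.ssh/authorized_keys`; `safe_cleanup` on the same directory leaves it empty.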


Once we had this figured out and resolved, we wondered how many more stale authorized_keys files they had elsewhere in their Unix environment, so we went hunting from box to box:

find / -name "authorized_keys" -exec ls -ald \{\} \;

The advantage of doing it this way is that the "ls" command conveniently lists both the file size and the file timestamp, like this:

-rw------- 1 theowrig users 605 Apr 25  2008 /home/theowrig/.ssh/authorized_keys
-rw------- 1 stuhouwe users 393 May 15  2010 /home/stuhouwe/.ssh/authorized_keys


which gives a first indication of possible issues. While user "theowrig" was still working at the college, he had no idea what or where the corresponding private key was. No abuse of this particular account was detected when we reviewed the logs, but the account basically was a sitting duck since 2008 if anyone else once had access to the corresponding private key.

Long story short: If you are running a Unix environment that permits key-based SSH login, maybe it is a good idea to check for stale authorized_keys files. You can go by date and file size for a first triage, but often will find that you need to look at the file contents themselves for an indication whose key in the past might have been authorized to do what.
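For the second pass, looking at the file contents, here is an added example (not the diary's command and not something the college ran) that inventories every authorized_keys file under a root, prints one line per key with its options prefix, key type and comment, and picks out files untouched for more than N days as the first triage cut. The demo tree, user names and key strings are constructed; the `/home` root is a placeholder.

```shell
#!/bin/sh
# Added example (not from the diary): inventory authorized_keys files under
# a root, list each key's file, options, type and comment, and find files
# not modified for more than N days. Paths and keys are placeholders.
set -u

# Print "file|options|type|comment" for every key line in one file.
# Everything before the first key-type token counts as the options field, so
# from="..." or command="..." prefixes survive even with spaces inside quotes.
list_keys() {
    awk -v f="$1" '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            i = 1
            while (i <= NF && $i !~ /^(ssh-|ecdsa-|sk-)/) i++
            if (i > NF) { printf "%s|UNPARSED|?|%s\n", f, $0; next }
            opts = ""
            for (j = 1; j < i; j++) opts = opts (j > 1 ? " " : "") $j
            comment = ""
            for (j = i + 2; j <= NF; j++) comment = comment (j > i + 2 ? " " : "") $j
            printf "%s|%s|%s|%s\n", f, opts, $i, comment
        }' "$1"
}

# Walk a root (e.g. /home) and list every key from every authorized_keys file.
inventory_keys() {
    find "$1" -type f -name authorized_keys -print | sort | while IFS= read -r f; do
        list_keys "$f"
    done
}

# authorized_keys files last modified more than $2 days ago: first triage cut.
stale_key_files() {
    find "$1" -type f -name authorized_keys -mtime +"$2" -print | sort
}

# Build a constructed /home-like tree for a dry run (no real users involved).
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/theowrig/.ssh" "$root/stuhouwe/.ssh"
    cat > "$root/theowrig/.ssh/authorized_keys" <<'EOF'
# old lab key
ssh-rsa AAAAB3NzaC1yc2EFAKE... theo@lab-2008
from="10.0.0.0/8",command="/usr/bin/rsync --server" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKE backup@nas
EOF
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKE student@home\n' > "$root/stuhouwe/.ssh/authorized_keys"
    touch -t 200804250000 "$root/theowrig/.ssh/authorized_keys"   # backdate, as in the diary
    printf '%s\n' "$root"
}
```

`inventory_keys /home` gives you the per-key view (who the comment says the key belongs to, and whether it is restricted by `from=` or `command=`), while `stale_key_files /home 365` lists the files nobody has touched in a year; the two together are usually enough to decide which entries to question.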

Another worthwhile exercise is to check the SSH logs for as far back as you have them, and to extract which accounts are being connected to by means of key-based login:

debian:/var/log# cat sshd | grep -i "accepted publickey" | perl -pe 's/.*for (\S+) from (\S+).*/$1 $2/' | sort | uniq -c | sort -rn
   1008 rendwras x.x.63.79
    550 sablythe x.x.25.12
    263 markraji x.x.25.235
    223 rendwras x.x.10.141
    211 arfranci x.x.65.90

This example shows user "rendwras" as a frequent user of key-based login, and he is accessing from two different IPs. Unfortunately, SSH by default does not log the fingerprint of the key that is being used, but even without this information, a quick tally of the logs like shown here can help to spot issues. If you have any other tips on how to keep tabs of private and public keys authorized for ssh login, please share in the comments below.
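As an added example (not the diary's pipeline), the same tally done in awk so it can be extended: it counts accepted public-key logins per user and source address, flags users seen from more than one address, and, where the sshd build logs one, tallies per key fingerprint as well (OpenSSH releases newer than the one in the diary append the key type and SHA256 fingerprint to the "Accepted publickey" line). The log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the diary): tally accepted public-key logins per
# (user, source IP) from sshd log lines, and per key fingerprint where the
# sshd version logs one. Log lines below are constructed for the demo.
set -u

# Constructed sample log: old-style lines plus lines that carry a fingerprint.
sample_log() {
    cat <<'EOF'
Dec 19 08:01:02 debian sshd[1201]: Accepted publickey for rendwras from 192.0.2.79 port 50122 ssh2
Dec 19 08:05:40 debian sshd[1222]: Accepted password for markraji from 192.0.2.235 port 50130 ssh2
Dec 19 09:12:11 debian sshd[1301]: Accepted publickey for rendwras from 192.0.2.79 port 50201 ssh2
Dec 19 09:40:03 debian sshd[1355]: Accepted publickey for sablythe from 198.51.100.12 port 40011 ssh2: RSA SHA256:c0nstructedFingerprintAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Dec 19 10:02:57 debian sshd[1402]: Accepted publickey for rendwras from 198.51.100.141 port 50333 ssh2: ED25519 SHA256:c0nstructedFingerprintBBBBBBBBBBBBBBBBBBBBBBBBB
Dec 19 10:30:00 debian sshd[1410]: Failed publickey for root from 203.0.113.5 port 4444 ssh2
EOF
}

# "count user ip" for accepted public-key logins, most frequent first.
tally_user_ip() {
    awk '/Accepted publickey for/ {
            u = ""; ip = ""
            for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i == "from") ip = $(i+1) }
            n[u " " ip]++
         }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Users seen from more than one source address: worth a second look.
users_with_multiple_sources() {
    tally_user_ip | awk '{ ips[$2]++ } END { for (u in ips) if (ips[u] > 1) print u }' | sort
}

# "count user fingerprint" where the line carries one; "-" when it does not.
tally_user_key() {
    awk '/Accepted publickey for/ {
            u = ""; fp = "-"
            for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i ~ /^SHA256:/) fp = $i }
            n[u " " fp]++
         }
         END { for (k in n) print n[k], k }' | sort -rn
}
```

Feed it your real log with `cat /var/log/auth.log | tally_user_ip` (or whatever file your distribution writes sshd messages to); `tally_user_key` only becomes informative once the fingerprint appears in the log, which is exactly the information the diary notes is missing from older sshd versions.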


(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
After a nearly disastrous year and facing an expected negative earnings report Friday, BlackBerry hopes to start 2014 on a more positive note with its news interim CEO and a commitment to help developers more easily port Android apps to the BlackBerry World app store.
Building products manufacturer Quanex has stopped the rollout of an SAP ERP (enterprise resource planning) implementation, but due to a shift in corporate strategy rather than major problems with the software.

If a fatal flaw afflicts a critical cryptographic function used by no one, what are open-source developers to do? Until recently, such a predicament might have been regarded as a mere philosophical thought experiment, but no more.

An advisory published Thursday warns that a "FIPS module" of the widely used OpenSSL library contained a "fatal bug" in its implementation of Dual EC_DRBG. Credible doubts about the trustworthiness of the deterministic random bit generator surfaced almost immediately after National Security Agency (NSA) officials shepherded it through an international standards body in 2006. In September, those fears were rekindled when The New York Times reported the algorithm may contain an NSA-engineered backdoor that makes it easier for government spies to decode encrypted communications.

The fatal Dual EC_DRBG bug resides in the FIPS Object Module v2.0, an optional OpenSSL library used to build crypto apps that are certified by the US government's Federal Information Processing Standards. When using the module's implementation of Dual EC_DRBG, the application crashes and can't be recovered. That's an amazing discovery for an application that had to undergo countless hours of testing to be certified by the government of the world's most powerful country. The silver lining seems to be that there's evidence no one has ever actually used Dual EC_DRBG in release versions of the OpenSSL module (though that in turn raises the question of why RSA's BSAFE crypto tool used the RNG by default).



cURL/libcURL SSL Certificate Host Name Validation Security Bypass Vulnerability
Icinga Web Interface CVE-2013-7106 Multiple Unspecified Buffer Overflow Vulnerabilities
Icinga CVE-2013-7107 Cross Site Request Forgery Vulnerability
Icinga Web GUI CVE-2013-7108 Multiple Off-By-One Memory Corruption Vulnerabilities
Apple's new futuristic-looking Mac Pro will be a status purchase, an analyst said today as she predicted the high-priced desktop will sell better than many expect.
An increasing amount of programming is being conducted by non-professional programmers, a new IDC study has found.

BitTorrent, Inc. is developing a serverless instant messaging system that relies on public key encryption to protect the privacy of communications, identifying users not with traditional usernames but with cryptographic key pairs.

The company, which develops the BitTorrent peer-to-peer protocol as well as the BitTorrent and μTorrent file sharing software, announced the forthcoming chat software in September and revealed some details on how it will work in a blog post today. It reads:

With BitTorrent Chat, there aren’t any “usernames” per se. You don’t login in the classic sense. Instead, your identity is a cryptographic key pair. To everyone on the BitTorrent Chat network at large, you ARE your public key. This means that, if you want, you can use Chat without telling anyone who you are. Two users only need to exchange each other’s public keys to be able to chat.

Using public key encryption provides us with a number of benefits. The most obvious is the ability to encrypt messages to your sender using your private key and their public key. But in public key encryption, if someone gains access to your private key, all of your past (and future) messages could be decrypted and read. In Chat, we are implementing forward secrecy. Every time you begin a conversation with one of your contacts, a temporary encryption key will be generated. Using each of your keypairs, this key will be generated for this one conversation and that conversation only, and then deleted forever.

Underlying this system is a Distributed Hash Table (DHT) which finds IP addresses, removing the need for a central server to route messages, the company explained.



HP Operations Orchestration CVE-2013-6192 Unspecified Cross Site Request Forgery Vulnerability
HP Operations Orchestration CVE-2013-6191 Unspecified Cross Site Scripting Vulnerability
There's been an uptick in the adoption of dense servers for cloud deployments and Intel hopes to capture a larger share of that market through server chips it will release next year.
Oxford University researchers are floating the idea of using semi-transparent solar cells embedded in windows to generate electricity in high-rise office buildings.

SANS Institute Returns to New Orleans with Critical Security Training for IT ...
Broadway World
BETHESDA, Md., Dec. 19, 2013 /PRNewswire-USNewswire/ SANS today announced its upcoming Security East 2014 training in New Orleans, LA, January 20 – 25. Training courses will be offered for cybersecurity and Infosec professionals at all levels. To help ...

Though details of the massive data breach at Target are still emerging, it's already clear that, before the dust settles, the retailer will likely have to pay tens of millions of dollars in remediation and notification costs, fines, legal fees and settlements.
Kill-switch technology that can render a lost or stolen smartphone useless would become mandatory in California under a new bill that will be proposed to the state legislature in January.
The GSM Association, operators and vendors have published a specification that enables remote provisioning of embedded SIM identification modules, which should cut the cost of connecting cars and utility meters to the Internet.

An online poker service that deals solely in Bitcoin has issued a mandatory password reset one day after someone published login credentials for more than 42,000 enthusiasts of the card game and digital currency.

An advisory published Thursday by Seals with Clubs warns, "Our database containing user credentials was likely compromised." Left out is any mention of a list of 42,020 hashes posted to a user forum about 24 hours earlier. While the person posting didn't identify the source of the cryptographically salted SHA1 hashes, early rounds of cracking uncovered passwords such as "sealswithclubs", "88seals88", "bitcoin1000000", and "pokerseals". Password security experts almost immediately suspected that they belonged to Seals with Clubs users. Thursday's advisory from the site is probably the closest we'll get to a definite confirmation.

In Wednesday's post, which was made to a paid password recovery forum operated by commercial password cracking software developer InsidePro, the user StacyM attached a database of hashes and offered $20 in Bitcoins for every 1,000 unique hashes that were cracked. Nine minutes later, the first reply came in, claiming to have recovered the first 1,000. One day in, about two-thirds of the list has been cracked. It wouldn't be surprising to see that amount reach 80 percent or higher in the coming days.



IBM SmartCloud Provisioning CVE-2013-5455 Security Bypass Vulnerability

Most webcams have a warning light that indicates when they're active, but it's possible for malware to disable this important privacy feature on older Mac computers, according to research from Johns Hopkins University (JHU) in Baltimore.
APPLE-SA-2013-12-19-1 Motion 5.1
ESA-2013-079: RSA Archer® GRC Multiple Cross-Site Scripting Vulnerabilities
Continuing to bulk up on its cloud software portfolio, IBM is acquiring Aspera, a company with an Emmy-award-winning, high-speed bulk data transfer protocol.
Apple today started taking orders for its pricy Mac Pro workstation, but shipping dates almost immediately slipped to February, irritating customers who have been awaiting the 'dark tower' desktop computer.
Call it the fist fight over firewalls for 2014. Juniper Networks is going for a knock-out against rival Palo Alto Networks in a patent-dispute lawsuit related to next-generation firewalls that's set to go to trial in Delaware in February. And Palo Alto wants to take out Juniper in its own separate patent lawsuit.

Last week, we discussed why you'd want to do passive vulnerability scanning at strategic points in your network https://isc.sans.edu/diary/Scanning+without+Scanning/17189, and which tools you might commonly do that with.  After some reader feedback, I thought we'd discuss just exactly how to do this with both p0f and PVS.  Both packages we're discussing have a gotcha or two, so it's worth a "how-to" from start to finish.

And, to paraphrase the Dos Equis guy: "I don't often install an OS on bare metal, but when I do, it's usually a hypervisor".  So today's discussion will cover off two methods to do passive scanning of a network segment's traffic inside of a VM.

Passive Scanning for Free - p0f

In this section we'll cover off installing and running p0f, a free passive "fingerprinting" scanner.

First of all, Security Onion and Kali both come with an older (v2.08) version of p0f.  I chose to install the newer version, 3.06b, downloaded from http://lcamtuf.coredump.cx/p0f3/

The first thing that you'll notice is that the install is a bit strange - it's got a bundled "build.sh" installer which checks dependencies then installs.  The kicker is that no matter what, it tells you that libpcap isn't installed - even though you KNOW it's there!  After finally breaking down and running "vi README" and still getting nowhere, I realized that if I had read the actual messages from build.sh, I would know that it needs the development libraries from libpcap.

To get these (in ubuntu), run "sudo apt-get install libpcap-dev".  NOW you can likely run build.sh successfully!

Next, on to running the app.  p0f runs by sniffing the network and then reporting on what it sees, so you need to give it something to see.  The easy way to do this is to set up a SPAN port on your switch so that traffic from elsewhere is "mirrored" to the p0f port.  In this setup, I'm monitoring all traffic on the "family" segment (vlan 1) of my home network.  On a cisco switch, this will look similar to:

monitor session 1 source vlan 1
monitor session 1 destination interface g0/2

If you put p0f into a virtual machine, be sure that you either:

a/ dedicate an ethernet to it using vt-d (called DirectPath I/O in ESXi)
b/ enable promiscuous mode in the virtual switch or port group.  Since I've got multiple sniffers on my ESXi host, I chose this second option.  I created a dedicated "PROMISCUOUS" vSwitch for this purpose, and attached it to the vNIC attached to the physical switch port g0/2, then set the port group to allow Promiscuous mode.   If you are monitoring several VLANS, be sure to put the port group into VLAN 4095 (which tells VMware that the VM will correctly handle tagged frames for multiple VLANs).  When done, the vSwitch config looks like:



NOW you're ready to run the app.  There are a few different modes to run in.

The basic text output from "sudo p0f -i eth0" will look like:

This basic "dump to the screen" mode gives you nicely formatted text, but after a few minutes of watching it whiz by you'll realize that this will be impossible to parse into a spreadsheet or database or really do much useful with.  You probably want to output to a file instead, which creates a log that you can parse into a spreadsheet or database table, using "p0f -i eth0 -o pvsout.txt".  Finally, you can also run p0f against an existing saved PCAP file:

So, what did I find?  After importing into excel and playing with the data:

  • My windows 7 machine running firefox 25 showed up more than a few times.  While the Firefox user agent string correctly identified the browser, p0f ignores that and identifies the browser by other indicators, which is likely a wise choice given how easy it is to lie with your user agent string.
  • My kid playing minecraft on his win7 machine
  • Various iPhones, iPads and iPods - they all show up as "IOS"
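Since the pain point above is getting p0f's log into a spreadsheet, here is an added example (not part of the diary and not p0f's own tooling) that reduces p0f -o style lines to one CSV row per client: IP, OS guess, application guess. The sample lines are constructed in p0f v3's "[timestamp] key=value|key=value" format; the OS and app strings in them are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the diary): turn p0f -o style log lines into a
# per-client CSV (client IP, OS guess, application guess) that drops into a
# spreadsheet. Sample lines are constructed in the p0f v3 key=value format.
set -u

sample_p0f_log() {
    cat <<'EOF'
[2013/12/19 10:26:14] mod=syn|cli=192.168.1.20/50123|srv=203.0.113.10/80|subj=cli|os=Windows 7 or 8|dist=0|params=none|raw_sig=4:128+0:0:1460:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0
[2013/12/19 10:26:14] mod=http request|cli=192.168.1.20/50123|srv=203.0.113.10/80|subj=cli|app=Firefox 10.x or newer|lang=English|params=none|raw_sig=1:Host,User-Agent,Accept=[text/html]...
[2013/12/19 10:27:01] mod=syn|cli=192.168.1.31/49201|srv=203.0.113.10/443|subj=cli|os=iOS 6 or newer|dist=1|params=none|raw_sig=4:64+0:0:1460:65535,4:mss,nop,ws,nop,nop,ts,sok,eol+1:df,id+:0
[2013/12/19 10:27:05] mod=mtu|cli=192.168.1.31/49201|srv=203.0.113.10/443|subj=cli|link=Ethernet or modem|raw_mtu=1500
EOF
}

# One CSV row per client IP: ip,os,app (empty when p0f never reported it).
# Only client-side observations (subj=cli) are kept; the latest OS guess from
# a SYN record and the latest app guess from an HTTP request record win.
p0f_to_csv() {
    echo "ip,os,app"
    awk -F'|' '
        {
            sub(/^\[[^]]*\] /, "")            # drop the "[timestamp] " prefix
            split("", kv)
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (eq) kv[substr($i, 1, eq - 1)] = substr($i, eq + 1)
            }
            if (kv["subj"] != "cli") next
            ip = kv["cli"]; sub(/\/[0-9]+$/, "", ip)   # strip the source port
            seen[ip] = 1
            if (kv["mod"] == "syn" && ("os" in kv)) os[ip] = kv["os"]
            if (kv["mod"] == "http request" && ("app" in kv)) app[ip] = kv["app"]
        }
        END {
            for (ip in seen) printf "%s,\"%s\",\"%s\"\n", ip, os[ip], app[ip]
        }' | sort -t, -k1,1
}
```

`p0f -i eth0 -o p0f.log` followed by `p0f_to_csv < p0f.log > hosts.csv` gives a file that imports cleanly; add columns for other p0f modules (link type, uptime) the same way by reading more keys out of `kv`.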


Passive Scanning with a real budget - PVS

Because we used VMware's promiscuous mode support for p0f, I chose to dedicate a NIC using VT-d (DirectPath I/O in ESXi speak) for PVS.  After cabling the NIC (and before I forget), set up the second monitor session on your switch to allow vlan-wide packet sniffing - so, on the switch:

monitor session 1 source vlan 1
monitor session 1 destination interface g0/3

(again, it's in cisco-speak, but everyone's switch monitor syntax is fairly similar)

Back over the VMware, we need to determine which NIC we can use to dedicate to the VM.  In our case, it's vmnic3.  We'll then use the vCLI to determine which PCI device number is associated with that NIC (we'll need this number in the next step).  You can install vCLI on your laptop (the preferred method by far), or run these commands within the hypervisor's CLI if you have that enabled.

esxcfg-nics -l
Name    PCI           Driver      Link Speed     Duplex MAC Address       MTU    Description
vmnic1  0000:04:00.00 e1000e      Up   1000Mbps  Full   00:e0:81:ce:98:be 1500   Intel Corporation 82574L Gigabit Network Connection
vmnic2  0000:05:00.00 e1000e      Up   100Mbps   Full   00:e0:81:ce:98:bf 1500   Intel Corporation 82574L Gigabit Network Connection
vmnic3  0000:06:00.00 e1000e      Down 0Mbps     Half   00:e0:81:ce:98:c0 1500   Intel Corporation 82574L Gigabit Network Connection

Now, over to the vSphere client.  We'll edit the VM / Configuration / Advanced Settings, and we'll edit DirectPath I/O.  Choose "edit", and enable device 06:00:00 as enabled for passthrough. 

Note that you'll likely see a little red "reboot" icon over the device after it's set up - this indicates that the ESXi host needs a reboot to finish the process.  It's so rare that we need to reboot these that it caught me by surprise - good thing it's in my home lab, all I need to work around is my wife using the DLNA server and my kid using the minecraft server.

Finally, over to the VM.  Add a device, and instead of an Ethernet adapter, we'll select "PCI Device", and choose the ethernet NIC we just reserved.

Before you start the install of PVS, be sure that you have MS Visual C++ installed (any version, I used the redistributable 2010).  If this is a new VM, C++ likely won't be installed and the PVS install will complete with no errors, but it won't work - the PVS install does not check dependencies for you.

Once the install is done, fire up your services list and start "Tenable PVS Proxy" service.  The install app won't start this for you.

The final configuration steps are in your browser - browse to https://localhost:8835 - you'll need to identify the network list to be monitored ( in my case), change the default admin/admin credentials, and also identify which interface is "sniffing".  Since they represent this in the NPF notation, I cheated and used Wireshark to figure out which interface was which.

Once installed, the PVS output was pretty much what I expected.  I fired up a few ssh and browser sessions on my laptop, hosts and clients were properly identified, and the only risk that showed up was my DLNA server running UPNP - which I need to chase down, I'm not sure whether it's needed or not.  The basic monitor screen shows a colour-coded screen by host:

But then I fired up some internet functions on our TV, and immediately got a screen full of red.  Not only is our TV running an old version of Opera, but it's got an XSS vulnerability!  Oh, and it's also running UPNP (no surprise there).  I think it's time to update my TV!

It also found the Flash versions on all hosts that had flash.  This in itself is worth the price of admission on a corporate network!  As time goes on, you'll see more and more applications that generate network traffic show up in the list.

An interesting situation is that in the vulnerability page, PVS identifies all of our i-devices (and we have a bunch), but Apple IOS is not listed in the discovered Operating Systems page.    It was nice to see that it could tell an iPod from an iPad.  Each of these findings has more pages of detail behind it of course.

As in any scanner, there was one false positive.  The DHCP server that I have running on my ASA Firewall was mis-identified as a vulnerable ISC DHCP server (from isc.org, not isc.sans.edu), but as with any scanner, system log or monitoring tool, you need to a/ look at the results and b/ apply some thought to the results, so a false positive here or there is much better than missing information entirely (false negatives).

The main "monitor" screen is a close to real-time display, with a short memory (you can configure the retention times).  This is a good thing in a corporate environment, as mobile devices on a network today might be on a different network in an altogether different location tomorrow.  There is a "results" tab that snapshots results at regular intervals (also configurable), so that you still have access to historical content.

While PVS found things on the network that p0f did not, the reverse is also true.  The major difference for me was the data presentation.  If you are short of time (which I think we all are), a colour coded display that lays everything out has a lot of value.  On the other hand, if you need to get into the weeds, the logs from p0f provide a lot more detail than PVS graphical screens do.  Mind you, the volume of raw data that comes with it makes weeding through the data a challenge, and until you get some scripts that suit your requirements it can take a lot of time.

A final note - if you use PVS and are yearning for the hundreds or thousands of log entries per day that p0f would give you, you can configure PVS to cough up that raw data as well.  More correctly, you can configure it to syslog it for you - there are separate settings for a "realtime syslog server list" and a "vulnerability syslog server list".  An important note on these settings, just punching in your syslog server IPs into these fields will not work, you need to include the listening ports:


You can then parse your syslog entries for PVS data with "cat syslogdata.txt | grep PVS" (*nix) or "type syslogdata.txt | find "PVS"" (windows; the Windows find command requires the search string in quotes)

If you use a different passive scanning tool, or have found something *interesting* while running passive scans on your network, please share on our comment form

All in all, this was a fun little bake-off, I'll be leaving both products running on my home network long term.  I hope you have as much fun installing one or both on your home network (or even better, your network at work) over the holidays!


Rob VandenBrink

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Brian Krebs has a nice write-up on the Credit Card data breach at Target US ( http://krebsonsecurity.com/ )

The interesting thing for me in this story is that it affects US locations only.  The reason that this is interesting is that the data that was stolen was all mag-stripe data.  This mag-stripe data is much less useful on a  CHIP+PIN card, which is used in pretty much every other country on the planet.  We'll continue to see credit card attacks focus on countries that make it easy - while of course you can steal / duplicate a chip+pin card, for a criminal it's so much easier to simply skim a mag stripe and take the win.

Rob VandenBrink


(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
A real-estate brokerage opts to back up critical documents stored in Google Drive.
Target has confirmed that data from about 40 million credit and debit cards was stolen at its stores between Nov. 27 and Dec. 15.
The agency is in the final stages of rolling out a new database that will let law enforcement search for and identify criminals by palm print, iris image and mug shot as well as fingerprints. Early results are very positive.
In its first move since ordering a company reorganization, Acer said it is focusing more on software and services to revive its struggling PC business. But analysts expect the company to face a tough road with its new direction, at a time when rivals are also focusing on the cloud.
Cisco Unified Communications Manager DRS Information Disclosure Vulnerability
Microsoft pulled an update for the Surface Pro 2 after owners complained that it crippled their tablets with reduced battery life and spontaneously changed the device's power-saving sleep mode.
Apache Solr CVE-2013-6408 XML External Entity Injection Vulnerability
Apache Solr CVE-2013-6407 XML External Entity Injection Vulnerability

Posted by InfoSec News on Dec 19


By Brian Krebs
December 18, 2013

Nationwide retail giant Target is investigating a data breach potentially
involving millions of customer credit and debit card records, multiple
reliable sources tell KrebsOnSecurity. The sources said the breach appears
to have begun on or around Black Friday 2013 — by far the busiest shopping
day the year....

Posted by InfoSec News on Dec 19


By Eric Palmer
December 18, 2013

Hackers got into FDA computer systems recently, prompting the agency to warn
drugmakers to be on the lookout for misuse of their credit and to change their
passwords. But some drugmakers fear the breach will also put their trade
secrets--clinical trial data and manufacturing...

Posted by InfoSec News on Dec 19


By Steven Musil
December 18, 2013

The Washington Post's servers have been breached for the second time in three
years, giving hackers access to employee usernames and passwords, the company
revealed Wednesday.

Neither personal subscriber information nor the newspaper's publishing system
were believed to have been...
Samba 'dcerpc_read_ncacn_packet_done()' Function Heap Buffer Overflow Vulnerability
As people have moved to Windows 8.1 in the past two months, the drumbeat of reports that the OS update has affected the SkyDrive cloud storage service has grown louder.
Credit and debit card information of many Target customers may have been stolen during the Black Friday weekend, according to reports.
The Washington Post's servers were recently broken into by a group of unknown origin that gained access to the user names and passwords of its employees, the paper said on Wednesday.