InfoSec News

Sorry for the play on words, but really, we do.
I just finished a security assessment engagement, and the pentest part was one of my shortest in history. Part of the morning procedure for the helpdesk was to log in to their corporate critical infrastructure gear and verify status and history against a daily checklist. This included all the usual suspects - Backups, critical servers, power, HVAC (Heating, Ventilation, AC), generator, the works. Good so far, right? Keep reading .... The client had a mix of some new and some older UPS Controllers (smart PDUs actually); the older ones only supported telnet and http (no ssh or https). Because this gear was doing the job, the request to upgrade to the latest version of the gear (which *does* support encryption) was put off until the next budget year (2013).
Part of my internal pentest was to sniff for the easy stuff - ftp, telnet and the like (using a man-in-the-middle attack against the user VLAN's default router). Starting with this, especially in smaller environments, is almost a sure thing. I caught a telnet login to the UPS PDUs within 10 minutes of starting the session - and guess what? To keep things easy, they had used the same password for:

UPS PDUs and controllers

Domain Administrator

SQL Server SA

Firewall (vty access and enable)

Routers and Switches (vty access and enable)
So, for want of 5K worth of upgraded hardware, all of the internal infrastructure was compromised - I had a first draft of the pentest section of the report done before my coffee was finished.




We've done a number of diaries on telnet over the years, notably https://isc.sans.edu/diary.html?storyid=7393, but this message bears repeating: we see telnet over and over (and over), in big companies, small companies, financial, public sector, healthcare, whatever.
Scans for open telnet services on the public internet have their highs and lows, but even the low values remain consistently high: http://isc.sans.edu/port.html?port=23
Just to reiterate - compromising telnet is as easy as looking for it. It's not something that should be used in a modern IT group. And yes, Microsoft did us all a great service when they removed it from the default install in Windows 7.

Update 1
I can't believe that I missed this in the initial story, but mainframes and minicomputers almost always have telnet enabled. Even if the clients are mostly using ssh or stelnet, telnet is almost always still running as a service on the host, and you'll still find clients connecting to it. In many companies, the mainframe or the p-series or i-series box (or the VMS box in some cases) stores the crown jewels - the financial systems and all the customer information. Yet we continue to see these systems as the least protected in many organizations.
(and yes, this graphic is a telnet session)


Important Note - if you plan to run a Man in the Middle (MITM) attack against a busy router, be VERY SURE that you have the horsepower to do this. If you should run out of CPU in this process, you will have ARP Poisoned critical servers in the client's datacenter, potentially making them unreachable by clients. This process can often take up to 4 hours to clear up on its own (the default ARP timer on many routers and firewalls), depending on the gear. Also, be VERY SURE that you terminate the MITM gracefully when the process is complete (same risk here).
Note 2 - Since 1994, the cert.org team has formally recommended using something other than plain text authentication due to potential network monitoring attacks ( http://www.cert.org/advisories/CA-1994-01.html ). Disabling telnet (and rlogin, and any clear text authentication for admin) is a key recommendation in just about every hardening guide out there. FTP is another nice target - if you have an FTP server, do not allow any interactive user accounts to start an FTP session, as the credentials are sent in the clear. Similarly, do not host or transfer any sensitive information using FTP. If you plan to transfer any sensitive information over the public internet, consider using strong encryption (commonly implemented via FTPS, SFTP, HTTPS or SCP).

===============
Rob VandenBrink Metafore (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Yesterday's earthquake (centered in Virginia), along with Monday night's earthquake (centered in Colorado), got me to thinking about disaster preparedness (again).
Lots of IT groups would like to do more in the area of BCP (Business Continuity Planning), but can't get budget due to a management philosophy of "disasters happen elsewhere". For many of my clients in this situation, these earthquakes are a nice wedge to demonstrate that disasters do in fact happen close to home - everyone had a bit of a pause today when the buildings, and us inside them, swayed back and forth for a minute.
If you have a good DR (Disaster Recovery) plan at work, now might be a good time to dust it off to make sure everything still works, while this is still fresh in everyone's mind. Make sure that your plan truly reflects the needs of your organization. The IT side of DR is relatively simple - a second location, some servers, replication (often SAN or virtualization based), and you're getting there. Oh - and failing back to the production site is important (and often overlooked) as well.
I've seen DR plans go down in flames, where the IT group comes through 100%, all the backup servers are running, but for one reason or another, the company can't do business. Think of things like - where does my main 1-800 telephone number go? How will we ship? How will we receive? There are hundreds of non-IT details that go into a working organization and should go into a good BCP strategy.
Don't neglect DR planning at home as well; there are lots of good references on how to kit your house out for common disasters, but I particularly like the CDC guide on surviving the Zombie Apocalypse (http://blogs.cdc.gov/publichealthmatters/2011/05/preparedness-101-zombie-apocalypse/). If you can survive that, I'm thinking you're good for anything.
The whole DR topic is seeing real interest due to recent events - please use our comment form and let us know if the recent earthquakes have shaken things up in your organization, or if you are now stirred to consider changes in Disaster Preparedness at work or at home.



http://earthquake-report.com/2011/08/22/earthquakes-list-august-23-2011/

http://earthquake-report.com/2011/08/23/very-strong-and-dangerous-earthquake-rattles-virginia/



http://earthquake-report.com/2011/08/22/earthquakes-list-august-22-2011/

http://earthquake-report.com/2011/08/23/unusually-strong-earthquake-in-colorado-new-mexico-united-states/
===============
Rob VandenBrink Metafore (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

 
This release fixes two issues introduced in the PHP 5.3.7 release:



Fixed bug #55439 (crypt() returns only the salt for MD5)

Reverted a change in timeout handling restoring PHP 5.3.6 behavior, which caused mysqlnd SSL connections to hang (Bug #55283).



All PHP users should note that the PHP 5.2 series is NOT supported anymore. All users are strongly encouraged to upgrade to PHP 5.3.8.



For source downloads please visit the downloads page at

http://php.net/downloads.php



Windows binaries can be found on

http://windows.php.net/download/

Christopher Carboni - Handler On Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 


Recently, while conducting an audit at a financial services company, I decided to verify their claim that their desktop build is standardized and no other devices are on the network. The network team provided access to a SPAN port on their Internet uplink, where I attached my pen-test workstation to take a look.
$ sudo ngrep -qt -W single -s1514 -d eth0 -P~ 'User-Agent:' 'port 80'
ngrep works like grep, but on network traffic. Thus, the above command digs through everything on port 80 (http) that the SPAN port provides, and searches for the string User-Agent:, which commonly contains the signature of the web client making the access (the -P~ option replaces non-printable characters, including the CR/LF between headers, with ~, which is what the second sed below keys on). A little bit of cleanup was needed to make the output usable:
| sed 's/.*User-Agent/User-Agent/' | sed 's/~.*//' | sed '/^$/d'
This takes care of empty lines, and throws out everything that isn't part of the User-Agent: string. Collect the output into a file for a while, and then tally:
$ cat output.txt | sort | uniq -c | sort -rn
And lookie, we ended up with about 80 distinct user agents. In only five minutes of traffic. Well, so much for a standardized desktop build and nothing else on the network ...
... .NET rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 (.NET CLR 3.5.30729)
Hmm, peculiar, some users are surfing with IE7 on Windows XP, while others are using an oooold version of Lotus Notes, and again others ...
... Trident/5.0)

User-Agent: BlackBerry9000/5.0.0.822

User-Agent: BlackBerry9700/5.0.0.656
A couple of mobile devices ... with what looks like a Windows7/IE9 system thrown in for good measure. The mobile devices turned out to be most interesting, because unless there is a WiFi gateway hooked into the corporate LAN, these devices usually surf via the mobile phone network, and shouldn't show up in the company's outbound Internet traffic. Guess what we found a couple minutes later ...: a little unauthorized wireless network extension, using WEP and the company name as SSID. Duh...!
And, last but not least, we found some odd ducks that certainly warranted a closer look ..:
User-Agent: core

User-Agent: n1ghtCrawler

User-Agent: curl/7.8.1 (sparc-sun-solaris2.6) libcurl 7.9.6 (OpenSSL 0.9.6c)

User-Agent: Mozilla/4.0 (banzai)
Moral of the story: While your IDS probably alerts on unusual User-Agent strings, it might nonetheless be a good idea to check out the full set of client applications that you have communicating with the Internet. The User-Agent string isn't failsafe, but it's a good start. You never know, you might just uncover a Secret (User) Agent who is busy squirreling away your data.
If you have other clever ways of auditing the user agent strings on your perimeter, please share in the comments below!
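As an added example (not the diary's own code), here is a small script that picks up where the ngrep pipeline above leaves off: it pulls the User-Agent values out of ngrep -W single -P~ output, tallies them, and sorts each into a triage bucket so the phones and scripted clients stand out from the approved desktop build. The sample capture and the "approved" signature list are constructed for illustration.

```python
"""Tally and triage User-Agent strings from an ngrep capture.

Added example, not from the original diary. It assumes the capture
was produced with `ngrep -W single -P~ 'User-Agent:' 'port 80'`, so
each matched packet is one line with non-printables replaced by '~'.
The sample capture and APPROVED_PREFIXES below are constructed.
"""
import re
from collections import Counter

# Constructed sample of ngrep -W single -P~ output (abbreviated HTTP requests).
SAMPLE_CAPTURE = """\
T 2011/08/25 09:01:02.1 10.1.2.3:51234 -> 93.184.216.34:80 [AP]
GET / HTTP/1.1~~Host: example.com~~User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)~~Accept: */*~~~~
T 2011/08/25 09:01:03.4 10.1.2.7:51240 -> 93.184.216.34:80 [AP]
GET /a HTTP/1.1~~Host: example.com~~User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)~~~~
T 2011/08/25 09:01:05.9 10.1.9.44:40011 -> 93.184.216.34:80 [AP]
GET /b HTTP/1.1~~Host: example.com~~User-Agent: BlackBerry9700/5.0.0.656~~~~
T 2011/08/25 09:01:06.2 10.1.2.3:51236 -> 93.184.216.34:80 [AP]
GET /c HTTP/1.1~~Host: example.com~~User-Agent: curl/7.8.1 (sparc-sun-solaris2.6) libcurl 7.9.6 (OpenSSL 0.9.6c)~~~~
T 2011/08/25 09:01:07.0 10.1.2.9:51300 -> 93.184.216.34:80 [AP]
GET /d HTTP/1.1~~Host: example.com~~User-Agent: n1ghtCrawler~~~~
"""

# Constructed baseline: the User-Agent prefixes the standard desktop build is expected to emit.
APPROVED_PREFIXES = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",)

# The header value runs up to the next '~' (ngrep's replacement for the CR/LF).
UA_RE = re.compile(r"User-Agent: ([^~]+)")
# Handsets should be on the mobile network, not the corporate LAN's Internet uplink.
MOBILE_RE = re.compile(r"BlackBerry|iPhone|Android|Windows CE", re.IGNORECASE)
# Scripted / non-browser clients deserve a look regardless of the baseline.
TOOL_RE = re.compile(r"^(curl|wget|python|libwww|java)/", re.IGNORECASE)


def extract_user_agents(capture):
    """Return every User-Agent value found in the capture text, in order."""
    return UA_RE.findall(capture)


def tally(agents):
    """Count occurrences, most common first (same as sort | uniq -c | sort -rn)."""
    return Counter(agents).most_common()


def classify(agent):
    """Label one user agent for triage: approved, mobile, tool or unknown."""
    if agent.startswith(APPROVED_PREFIXES):
        return "approved"
    if MOBILE_RE.search(agent):
        return "mobile"
    if TOOL_RE.search(agent):
        return "tool"
    return "unknown"  # terse or odd strings such as 'core' or 'n1ghtCrawler'


def triage(capture):
    """Group the tallied agents by class so the non-approved ones stand out."""
    report = {}
    for agent, count in tally(extract_user_agents(capture)):
        report.setdefault(classify(agent), []).append((agent, count))
    return report


if __name__ == "__main__":
    for label, entries in triage(SAMPLE_CAPTURE).items():
        print(f"[{label}]")
        for agent, count in entries:
            print(f"{count:6d}  {agent}")
```

Feed it the raw ngrep output instead of the sed-cleaned file; the regex does the same trimming, and everything outside the "approved" bucket is what you follow up on.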
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Readers have been writing in and I wanted to get this out for info and comment. I have not had a chance to test it out myself. It was first reported in 2007 by Michal Zalewski on bugtraq. [1] It appears that, due to its lack of sophistication, it did not get much attention from Apache developers and has remained unpatched all this time.
It formally resurfaced last Friday with a proof of concept. A CVE is in draft and a patch is expected in a few days from the Apache team. You can read a discussion about it on the Apache HTTPD dev mailing list. [2] The link provides details on some mitigation measures to be taken. When I get a chance I will test and report back.
In the meantime please share your experiences with your fellow readers with a comment.


[1] http://seclists.org/bugtraq/2007/Jan/83

[2] http://marc.info/?l=apache-httpd-dev&m=131418828705324&w=2
-Kevin

--

ISC Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

 
Users of NoSQL databases and data processing frameworks such as CouchDB and Hadoop are deploying these new technologies for their speed, scalability and flexibility, judging from a number of sessions at the NoSQL Now conference being held this week in San Jose, California.
 


 
Heroku, the platform-as-a-service provider bought last year by Salesforce.com, announced Thursday that it will begin supporting applications written in Java.
 
Microsoft Visual Studio Report Viewer Control Multiple Cross Site Scripting Vulnerabilities
 
After months of hunting, Advanced Micro Devices on Thursday said it hired Lenovo executive Rory Read as its new CEO as the chip maker looks to grow in the mobile and server markets.
 
Does your enterprise have an Android security policy? Senior Site Editor Eric B. Parizo says the growing number of Android Trojans now demand it.

 
PHP Versions Prior to 5.3.7 Multiple Security Vulnerabilities
 
Experts are reporting a rise in the number of attacks that take advantage of known vulnerabilities of IPv6, a next-generation addressing scheme that is being adopted across the Internet. IPv6 replaces the Internet's main communications protocol, which is known as IPv4.
 
Verizon Thursday announced it has acquired CloudSwitch, a cloud software technology vendor, further demonstrating that 2011 is becoming Verizon's year of the cloud.
 
As part of an enterprisewide upgrade and data center consolidation, NYSE Euronext has rolled out 10Gbps Ethernet technology throughout its data centers, increasing aggregate throughput for trades from 0.5Tbps to 2.4Tbps.
 
Multiple Virtualization Applications Intel VT-d chipsets Local Privilege Escalation Vulnerability
 
Apache HTTP Server CVE-2011-3192 Denial Of Service Vulnerability
 
CreatiWeb Remote SQL injection Vulnerability
 
As soon as the news hit late Wednesday that Steve Jobs was resigning as Apple's CEO, social networks heated up with traffic.
 
It's the end of an era at Slashdot as Rob 'CmdrTaco' Malda announced Thursday that he is leaving the site that he created.
 
The bounty for any developer who manages to port Android to the TouchPad is growing, reaching more than $2,100 on Thursday, just as one effort to execute the port struggles to get off the ground.
 
No one ever got fired for buying a ThinkPad, as the saying goes, and without a doubt no one will get fired for buying the latest Lenovo T420. This scintillatingly fast Sandy Bridge refresh of the familiar business-black, boxy-but-impressive, all-purpose laptop remains a reliable 4-pound workhorse.
 
Apple's new CEO faces a challenge putting his own imprint on the company as long as Steve Jobs sticks around, a management expert said today.
 
[slackware-security] php (SSA:2011-237-01)
 

By Hillary O’Rourke, Contributor

Researchers at vulnerability management vendor Qualys Inc. discovered this week how to reverse-engineer a Microsoft patch to perform a denial-of-service attack on a Windows DNS Server.

The researchers reverse engineered one of two critical patches released by Microsoft in its August Patch Tuesday round of security updates. The 11-058 update resolves two vulnerabilities to Windows DNS.

The research goes against Microsoft’s Exploitability Index, which gave the update a 3, meaning it was unlikely that code would surface exploiting the flaws. The index is used by patch management specialists to weigh the priority of specific patch deployments. Qualys said it is possible to accomplish the attack through a step-by-step process.

“We reverse engineered the patch to get a better understanding of the mechanism of the vulnerability and found this vulnerability can be triggered with a few easy steps,” explained Bharat Jogi, a vulnerability security engineer at Qualys, in a blog post.

Although this proof of concept demonstrates a denial of service, Jogi explains that “an attacker who successfully exploited this vulnerability could run arbitrary code in the context of the system” and those “with malicious intent may be able to get reliable code execution.”

Qualys took advantage of one of the two patches that were rated critical. This particular patch fixed two flaws in Windows DNS Server while the other fixed seven flaws in Internet Explorer.

Qualys researchers used binary-diffing of the unpatched and patched version of the files to compare and understand the changes that were made to fix the vulnerabilities. The binary-diffing tool, called TurboDiff, shows them “a list of all the functions that are identical, changed, unmatched, and those that look suspicious,” said Jogi.

Two DNS servers were needed for the proof of concept: one for the researchers to crash and one to serve as a comparison. Researchers discovered it was particularly simple and the vulnerability could be triggered with a few easy steps. Therefore, they recommend that users “apply this security update as soon as possible.”



 
WordPress Redirection Plug-in 'id' Parameter Cross Site Scripting Vulnerability
 
It's the end of an era at Slashdot as Rob "CmdrTaco" Malda announced Thursday that he is leaving the site that he created.
 
Steve Jobs quit this week as CEO of Apple, marking the "end of an era." Questions remain about Jobs' product sway as Chairman. Cast your vote: Can Apple maintain its mojo without Jobs at the helm?
 
This month's Premier 100 IT Leader also reveals the qualities he most likes his employees to have.
 
Oracle has updated its Application Express tools for quickly building Web applications on top of its database, the company announced Thursday.
 
The U.K. government met on Thursday with technology companies for a post-mortem on the violent riots earlier this month, but made clear from the onset that it was no longer considering shutting down services in times of crisis.
 
ASUS RT-N56U Wireless Router 'QIS_wizard.htm' Password Information Disclosure Vulnerability
 
Cisco Security Advisory: Open Query Interface in Cisco Unified Communications Manager and Cisco Unified Presence Server
 
With Steve Jobs' resignation as CEO, will Apple remain on top of the mobile industry with alluring new product designs and technology marvels, much less the business savvy to work with global wireless carriers and manufacturers?
 
1. Asking for a 10 percent budget increase in the next fiscal year:
 
Verizon said it has acquired CloudSwitch and plans to use its cloud software to help enterprise customers more easily move applications to Verizon's Terremark environment.
 
Windows XP quietly turned 10 years old Wednesday, a milestone for the still-popular operating system that powers nearly half the world's PCs.
 
WordPress Amazon Associate Plugin Multiple Cross Site Scripting Vulnerabilities
 
A German court has upheld a preliminary injunction requested by Apple, preventing Samsung Electronics from selling its Galaxy Tab 10.1 tablet PC in Germany.
 
An otherwise sound business plan shouldn't get sabotaged by any of these missteps.
 
Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities
 
The greatest fallacy in the story of Steve Jobs stepping down as Apple CEO, the one you’ll find in endless media reports, is this: In 1985 after Steve Jobs left Apple, the company went on a downhill slide that led it to the brink of bankruptcy. Therefore, the Apple of 2011 is at risk of doing the same.
 
CommodityRentals Books/eBooks Rental Software 'index.php' Cross Site Scripting Vulnerability
 
Cisco Security Advisory: Denial of Service Vulnerabilities in Cisco Intercompany Media Engine
 
A dangerous piece of malicious code responsible for stealing money from online bank accounts is being updated with new functions after its source code was leaked earlier this year, according to security researchers.
 
Nokia has launched the 101, the company's most affordable dual-SIM phone to date, which allows users in developing countries to switch between two different networks to lower costs and expand coverage, the company said on Thursday.
 
New technologies are enabling companies to perform increasingly sophisticated data analytics on very large and very diverse data sets, according to the results of a survey by The Data Warehousing Institute.
 
Companies looking to move database operations to public and private clouds will soon have another option in the form of Postgres Plus Cloud Server, EnterpriseDB announced Thursday.
 

Posted by InfoSec News on Aug 25

Forwarded from: Guofei Gu <smart.gophy (at) gmail.com>

Apologies for multiple copies of this announcement.
-------------------------

Dear Colleagues,

Please consider the following opportunity to submit and publish original
scientific results to a SPECIAL ISSUE of COMPUTER NETWORKS (ELSEVIER
journal) on "Botnet Activity: Analysis, Detection and Shutdown".

The submission deadline is set to December 1st, 2011....
 

Posted by InfoSec News on Aug 25

http://www.chinasignpost.com/2011/08/a-smoking-cursor-new-window-opens-on-china%E2%80%99s-potential-cyberwarfare-development-cctv-7-program-raises-new-questions-about-beijing%E2%80%99s-support-for-hacking/

By Andrew Erickson and Gabe Collins
China SignPost
24 August 2011

The positions expressed here are the authors' personal views. They do
not represent the U.S. Naval War College, Navy, Department of Defense,
or Government, and do not...
 

Posted by InfoSec News on Aug 25

http://www.computerworld.com/s/article/9219471/Apache_warns_Web_server_admins_of_DoS_attack_tool

By Gregg Keizer
Computerworld
August 24, 2011

Developers of the Apache open-source project today warned users of the
popular Web server software that a denial-of-service (DoS) tool is
circulating that exploits a bug in the program.

The tool, called "Apache Killer," showed up last Friday in a post to the
"Full Disclosure"...
 

Posted by InfoSec News on Aug 25

http://www.networkworld.com/news/2011/082411-mit-tep-250077.html

By John Cox
Network World
August 24, 2011

MIT researchers have devised a protocol to flummox man-in-the-middle
attacks against wireless networks. The all-software solution lets
wireless radios automatically pair without the use of passwords and
without relying on out-of-band techniques such as infrared or video
channels.

Dubbed Tamper-evident pairing, or TEP, the technique is...
 

Posted by InfoSec News on Aug 25

http://www.guardian.co.uk/technology/2011/aug/24/inside-secret-world-of-hackers

By Heather Brooke
guardian.co.uk
24 August 2011

Hackerspaces are the digital-age equivalent of English Enlightenment
coffee houses. They are places open to all, indifferent to social
status, and where ideas and knowledge hold primary value. In
17th-century England, the social equality and meritocracy of coffee
houses was so deeply troubling to those in power...
 
Industry analysts have suspected that adding Google+ to the social networking mix would force Facebook to up its game. And it looks like that prediction is coming true.
 
SQL-Ledger patch update for SQL injection
 

Get mobile on device infosec policy
SC Magazine Australia

 
Research In Motion is testing a cloud-based music service around its BlackBerry Messenger, that it plans to offer commercially later this year.
 
NGS00054 Technical Advisory: : Lumension Device Control (formerly Sanctuary) remote memory corruption
 