I was working on an ESX upgrade project for a client last week, and had an incident (lower case i) that I thought might be interesting to our readers.

I had just finished upgrading the vCenter server (vCenter is the management application for vSphere environments), everything looked good, and I was on my way home. That's when it happened - I got the call. If you're a consultant, or have employed a consultant, you know the call I'm talking about. "The vCenter server seems to be *really* slow," my client said, "just since you upgraded it." "Oh darn!" I said to myself (ok, maybe I didn't say exactly that, but you get my drift). I re-checked the hardware requirements for 5.1 as compared to 4.1, and the VM I had this on seemed to be OK on that front, and after a quick check the CPU and memory also looked fine. OK, over to the event log we go.

Ah-ha! What's this?

Now, doesn't that look suspicious? Who would try logging into SQL with a userid like hd673qyz? A brute-force bit of malware, maybe? And after a quick check, the IP in question was still live on the network, but doesn't resolve on my client's internal DNS server. So that means it's not a server, and it's not a client in Active Directory - this thing is "not one of ours", as they say. Now things are getting interesting!

Let's dig just a bit more, this time on the switching infrastructure - getting the MAC address and identifying the switch port it's on:

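The triage path described above, as an added example rather than the diary's own commands or screenshots: it assumes SQL Server on the vCenter host writes its login failures to the Windows Application log, that the suspect device sits on the same IP segment as the host, and that the access switch runs Cisco IOS. The IP addresses, the rule of thumb about the OUI, and the switch output are constructed placeholders, not values from the diary.

```powershell
# Added example; not code from the diary. Assumes SQL Server on the vCenter
# host logs its login failures (event 18456) to the Application log, that the
# suspect device is on the same IP segment as the host, and that the access
# switch runs Cisco IOS. IPs and the switch output are constructed placeholders.

# 1. Which client is failing SQL logins, and with which user names?
#    The 18456 message ends in "[CLIENT: <ip>]", so group on that.
$failures = Get-EventLog -LogName Application -EntryType FailureAudit -After (Get-Date).AddHours(-24) |
    Where-Object { $_.Source -like 'MSSQL*' -and $_.Message -match 'Login failed for user' } |
    ForEach-Object {
        $user = if ($_.Message -match "Login failed for user '([^']*)'") { $Matches[1] } else { '?' }
        $ip   = if ($_.Message -match '\[CLIENT:\s*([^\]]+)\]')          { $Matches[1].Trim() } else { '?' }
        New-Object PSObject -Property @{ Time = $_.TimeGenerated; User = $user; Client = $ip }
    }
$failures | Group-Object Client | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Users'; e = { ($_.Group | ForEach-Object { $_.User } | Select-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# 2. Take the top offender and check whether internal DNS knows it. In the
#    diary it did not resolve, the first hint that it was not a domain-joined box.
$suspectIp = '192.0.2.77'     # placeholder; use the top Name from the table above
try   { "$suspectIp resolves to " + [System.Net.Dns]::GetHostEntry($suspectIp).HostName }
catch { "$suspectIp has no reverse DNS entry internally" }

# 3. MAC address from the host's own ARP cache; ping first so the entry exists.
ping -n 1 -w 1000 $suspectIp | Out-Null
$arpLine = arp -a $suspectIp | Where-Object { $_ -match ('^\s*' + [regex]::Escape($suspectIp) + '\s') }
if (-not $arpLine) { throw "No ARP entry for $suspectIp: it is on another segment, so ask that segment's router (show ip arp) instead" }
$mac = @($arpLine -split '\s+' | Where-Object { $_ -match '^([0-9a-f]{2}-){5}[0-9a-f]{2}$' })[0]
"MAC: $mac   (look up the first three octets, the OUI, to learn the hardware vendor)"

# 4. IOS writes MACs as aabb.ccdd.eeff; ask the switch where that MAC is learned.
$hex    = ($mac -replace '-', '').ToLower()
$iosMac = '{0}.{1}.{2}' -f $hex.Substring(0, 4), $hex.Substring(4, 4), $hex.Substring(8, 4)
"Run on the switch: show mac address-table address $iosMac"

# Constructed sample of the switch's answer; paste the real output in its place.
$switchOutput = @"
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    $iosMac    DYNAMIC     Gi1/0/17
Total Mac Addresses for this criterion: 1
"@
$pattern = '(?m)^\s*(?<vlan>\d+)\s+' + [regex]::Escape($iosMac) + '\s+\S+\s+(?<port>\S+)'
$m = [regex]::Match($switchOutput, $pattern)
if (-not $m.Success) { throw "MAC $iosMac is not in this switch's table; try the next switch along the path" }
$port = $m.Groups['port'].Value
"Found on VLAN $($m.Groups['vlan'].Value), port $port"

# Caveat before anyone types "interface $port" / "shutdown": if $port is an
# uplink or trunk (compare against "show interfaces trunk"), the device is
# behind another switch and shutting the port would cut off everything on it.
# Repeat step 4 on that next switch until you land on an access port.
```

The grouping in step 1 is what separates one noisy host trying many accounts (a scanner or a brute-forcer) from many hosts each failing once (a broken service account after the upgrade), which is the distinction the diary's event log screenshot turned on.
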
At this point, I call my client back, and ask if he might know what this offending device is, and if he maybe wants to shut that switch port down until he can deal with it.

This brings some new information into the mix - he asks me, "I wonder if that's our XYZ scanner?" (insert a name-brand security scanner here, often used for PCI scans). This question was followed immediately by a face-palm moment, because the scanner - with its logo prominently displayed - had been on the desk beside me the entire day while I was there! He was doing the absolute right thing, something I wish more folks did: he was scanning both his internal and perimeter network periodically for changes and security issues.

Sometimes, the change you just made isn't the cause of the problem that's just come up. OK, usually the problem is related to your change, but sometimes, as they say, coincidences happen - ok, maybe they don't say *exactly* that, but it's close. When we're engaged to do penetration tests and security scans, we always caution clients that the act of scanning can cause performance issues and service interruptions. But when you run your own scans internally, just keep in mind that this caveat is still in play. It's very easy to DoS internal services by changing one tick-box in your scanner.

In the end, this incident had a positive outcome. We'll be changing the Windows Firewall settings on the vCenter server, restricting SQL access to local access only (the vCenter server itself), denying network access to SQL. There's no reason at all to offer up SQL services to everyone on the network if only local services need it. We likely would have gotten there anyway; the vSphere Hardening Guide calls this out in the guideline restrict-network-access. This doesn't specifically mention the SQL ports, but the Hardening Guide does recommend using the host firewall on the vCenter Server to block ports that don't need a network presence.
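
One way to carry out that firewall change, as an added example rather than the diary's or the Hardening Guide's own steps: it assumes SQL Server runs on the vCenter host itself as the default instance on TCP 1433 and that only vCenter, on the same box, needs it. The server address and rule name are placeholders.

```powershell
# Added example; not from the diary or the vSphere Hardening Guide. Assumes
# SQL Server runs on the vCenter host as the default instance on TCP 1433 and
# that only vCenter (on the same box) needs it. $serverIp and $ruleName are
# placeholders. Run from an elevated PowerShell prompt on the vCenter host.
$sqlPort  = 1433
$serverIp = '192.0.2.10'                    # the vCenter host's own LAN address
$ruleName = 'SQL Server - local access only'

# 0. Confirm the port before writing rules. A named instance (for example the
#    SQL Express bundled with vCenter) may sit on a dynamic port; take it from
#    SQL Server Configuration Manager and set $sqlPort to match. Also confirm
#    the vCenter ODBC System DSN points at this host and not at a remote
#    database server; if it is remote, the host firewall is the wrong tool.
netstat -ano | Select-String ":$sqlPort\s+\S+\s+LISTENING"

# 1. Surface any existing inbound rules that open the SQL port, so they can
#    be removed (netsh advfirewall firewall delete rule name="<Rule Name>").
#    An installer-created "allow from any" rule would otherwise stay in force.
netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Context 8, 0 "^LocalPort:\s+$sqlPort\b"

# 2. Make sure the profile default is to block inbound traffic; an allow rule
#    scoped to localhost achieves nothing if the default is allow.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 3. Allow the SQL port only from the host itself. Do not add a separate
#    "block 1433 from any" rule: block rules take precedence over allow rules
#    in Windows Firewall and would cut off the local client as well. Loopback
#    is normally exempt from filtering, but vCenter's DSN may name the host's
#    LAN address, so list both.
netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow `
    protocol=TCP localport=$sqlPort remoteip="127.0.0.1,$serverIp" profile=any enable=yes
netsh advfirewall firewall show rule name="$ruleName"

# 4. Verify from both sides. On the vCenter host this returns True; from any
#    other machine on the LAN (the scanner included) it must return False.
function Test-SqlPortOpen {
    param([string]$TargetHost, [int]$Port = 1433, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }   # filtered: no reply
        $client.EndConnect($handle)                                               # throws if refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}
Test-SqlPortOpen -TargetHost $serverIp -Port $sqlPort
```

If a named instance is in use, the SQL Browser service (UDP 1434) needs the same treatment, or the DSN should carry the port explicitly so the browser is not needed at all; and once the rule is in, the next scheduled scan is the cheapest way to confirm that SQL has really disappeared from the network view.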

After all was said and done, I find my taste for irony isn't what it used to be ... when clients take your advice (in this case, scheduled scans of the internal network), you don't have to look far when it comes back to bite you!

If you've had a success story, where you've implemented a scheduled scanning process and found an unexpected issue that needed a resolution, please let us know in our comment form. Alternatively, if you've accidentally DoS'd a production service, that also makes a great comment!


Rob VandenBrink

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Apple today released iOS 6.1 as well as an update for Apple TV (5.2). No details about the security content have been posted yet, but we expect it to show up in a day or so at the usual location [1].

There appears to be, however, one interesting security-related change: as in other upgrades, after upgrading to iOS 6.1 you will be asked to activate your device again by logging into your Apple iCloud account. This time around, however, you will be asked to set up password recovery questions unless you already had them configured in the past. Apple will ask you to configure 3 questions as well as an optional password recovery e-mail address.

The questions are the usual mix of password security questions. They are reasonably diverse, so it is possible to pick some questions with non-obvious answers. Of course, many security professionals will enter random answers to make it harder to guess the answer and reset the password. In the past, Apple used information like partial credit card numbers to reset passwords, which turned out to be too easy to bypass and was used in some highly publicized attacks [2]. Apple temporarily had to suspend password resets.

Low-cost password reset for large public systems like iCloud has been a challenge. Probably the best option is some form of out-of-band activation requiring a phone number (SMS or automated voice systems). Either way, it requires that the user configure these options before having to recover a password. A recovery e-mail is OK, and Apple may prefer this over an SMS message, as the SMS message will likely go to the iCloud-connected iPhone.

At this point, Apple has not joined Google in offering two-factor authentication. Apple actually has a great opportunity to come up with something great and unique in this space, using its own hardware as a platform for innovative two-factor authentication techniques.

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.