More Chinese Scans for Web Bugs

This morning I was checking through my usual HoneyPoint deployments and it was a normal day. As usual, the last 24 hours brought a large number of web application bug scans from hosts in China. They are the normal PHP discovery probes, some basic malware dropper probes against known web vulnerabilities and a ton of web server fingerprinting probes from various Chinese hosts.

China has now surpassed the US as the source of most global probes and attacks, a least according to Arbor. Check out the China profile here.

One of my close friends, JK, claims that there is a massive initiative underway in China to map the Internet on a global scale and to have a fairly up to date global vulnerability matrix for the world’s systems. While this could be true, and is certainly possible, with a large enough set of bot-infected hosts that dropped data back to a centralized database, it is an interesting thought.

For sure, these probes and scans exist on a global basis. Our international HoneyPoints pick up much of the same Chinese traffic as our US ones. Perhaps a quick check of some of your logs will show the same. Much discussion of pro-active blocks against Chinese address space is underway in several organizations. Perhaps this is something we should all think about?

Hardware Security Testing Presentation & MP3 Available

The pdf of the slides and the audio from yesterday’s presentation on Hardware Security Testing is now available.

You can get the files from this page on the main MicroSolved site.

Thanks to the many who attended and who sent me the great feedback this morning. I am really glad everyone liked the content so much!

Check out the next virtual event scheduled for March 25th at 4 PM Eastern. The topic will be 3 Application Security “Must-Do’s”.

Here is the abstract:

This presentation will cover three specific examples of application security best practices. Developers, security team members and technical management will discover how these three key processes will help them mitigate, manage and eliminate risks at the application layer. The presenter will cover the importance of application security, detail the three key components to success and provide strategic insight into how organizations can maximize their application security while minimizing the resources required.

We look forward to your attendance. Email info@microsolved.com to sign up!

Multiple IBM AIX Vulnerabilities

Vulnerabilities have been discovered in AIX’s X server and inet_network libc library that can lead to a number of threats. These include the execution of arbitrary code in a root context, Denial of Service, or exposure of sensitive data. The original IBM advisories are located at:

AIX X server multiple vulnerabilities

AIX libc inet_network buffer overflow

Underground Cyber-Crime Economy Continues to Grow

I read two interesting articles today that reinforced how the underground economy associated with cyber-crime is still growing. The first, an article from Breech Security, talked about their analysis of web-hacking from 2007. Not surprisingly,  they found that the majority of web hacking incidents they worked last year were geared towards theft of confidential information.

This has been true for the majority of incident response cases MSI has worked for a number of years now. The majority are aimed at gaining access to the underlying database structures and other corporate data stores of the organization. Clearly, the target is usually client identity information, credit card info or the like.

Then, I also read on darknet this morning that Finjin is saying they have been observing a group that has released a small P2P application for trading/sale of compromised FTP accounts and other credentials. Often, MSI has observed trading and sale of such information on IRC and underground mailing lists/web sites. Prices for the information are pretty affordable, but attackers with a mass amount of the data can make very good incomes from the sale. Often, the information is sold to multiple buyers – making the attacker even more money from their efforts.

Underground economies have been around since the dawn of capitalism. They exist for almost every type of contraband and law enforcement is usually quite unsuccessful at stamping them out. Obviously, they have now become more common around cyber-crime and these events that have “bubbled to the surface” are only glimpses of the real markets.

It is critical that information security teams understand these motivations and the way attackers think, target victims and operate. Without this understanding, they are not likely to succeed in defending their organizations from the modern attacker. If your organization still spends a great deal of time worrying about web page defacements and malware infections or if your security team is primarily focused around being “net cops”, it is pretty likely that they will miss the real threat from today’s cyber-criminals and tomorrow’s versions of organized crime.

Thunderbird 2 MIME vulnerability

Mozilla Thunderbird 2.0.0.9 has been found to contain a heap buffer overflow vulnerability due to the way it handles external-body MIME types. Systems running this version of Thunderbird are vulnerable to compromise or the execution of arbitrary code via specially crafted email messages. You should update to Thunderbird 2.0.0.12 as soon as possible.

Mozilla’s advisory is located at: http://www.mozilla.org/security/announce/2008/mfsa2008-12.html

ICQ Vulnerability Should Increase Your Vigilance

A newly discovered format string error in ICQ version 6 build 6043 once again highlights the need to be cautious about who you are conversing with. Interaction  with the embedded Internet Explorer component can allow specially crafted messages to execute arbitrary code on the affected system. Make sure that you only open messages from known and trusted contacts.  It is a good idea to clean unknown or untrusted contacts from your contact list and enable the “Accept messages only from contacts” option. The build named above is known to be vulnerable other versions may also be affected

Laying the Trap with HoneyPoint Personal Edition & Puppy Linux Live CD

Recently, I have been capturing quite a bit of attacker probes and malware signatures using a very simple (and cheap) combination of HoneyPoint Personal Edition (HPPE) and a Puppy Linux Live CD. My current setup is using an old Gateway 333MHz Pentium Laptop from the late 90’s!

The beauty of this installation is that it lets me leverage all of the ease of a Live CD with the power and flexibility of HPPE. It also breathes new usefulness into old machines from our grave yard.

So, here is how it works. I first boot the machine from the Puppy Live CD and configure the network card. From my FTP server (or a USB key) I download the binary for HPPE Linux (available to licensed HPPE users by request), the license and my existing config file. That’s it – run the binary and click Start. Now I am set to trap attack probes and malware to my heart’s content!

It really is pretty easy and the new email alerting now built into HPPE allows me to remotely monitor them as well from my iPhone email. This makes a nice, easy, quick way to throw up HoneyPoints without needing a separate console or a centralized monitoring point.

This setup is very useful to me and has even got me thinking about adding a plugin interface to HPPE in future releases. That would essentially give you the power to write custom alerting mechanisms and even fingerprinting tools for attacking systems.

Give this setup a try and be sure to let me know your thoughts on HPPE. As always, MSI really wants to hear your ideas, input and feedback on our work.

Thanks for reading and have fun capturing attack data. Some of this stuff is pretty darn cool! 😉

VMWare Directory Traversal for Shared Folders

Multiple VMWare products running on Windows platforms with Shared Folders are vulnerable to a directory traversal attack. If an attacker can has access to a guest operating system they can exploit the vulnerability to gain write access to the underlying hosting system. This obviously opens the door for a multitude of attacks.

Until a patch is released users on Windows are advised to disable any Shared Folders that they may have configured.

The original advisory is at:http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004034

Incident Reporting & Handling WorkFlows

I had an interesting conversation with a client today and they are planning to implement a web site that would give their internal employees a centralized resource for looking up how to report security incidents, building/facilities issues, HR problems, policy violations, etc.

They picture this as a web page with a list of phone numbers, intranet applications and other contact mechanisms for their staff to use to report issues. The conversation was around attempting to create a workflow or flowchart for decision making about how to report an issue and how to decide which contact method to use.

I know a few other organizations have created formal incident reporting and such for their employees. Would anyone care to share their decision trees or the like for incident handling and user training around this topic (sanitized, of course!)?

Thanks, in advance, for any insight on this. The client will be monitoring the thread and it may help others as well.

Risk Increase in Laptop Loss with Encryption?

There has been a bunch of buzz in the last few days about researchers who figured out how to retrieve crypto keys from RAM on stolen laptops. Several analysts have talked about this raising the risk for data loss from laptop theft and some are even questioning the effectiveness of crypto as a control. I think that much of this is hype and will prove to be overblown in the coming months.

First, the attack has some difficulty and knowledge requirements. This essentially makes it equivalent to a forensic technique and as such is well beyond the capabilities of basic attackers. It requires knowledge deeper than an average computer user or power user would possess. While this does not eliminate the risk, it does significantly reduce the pool of attackers capable of exploiting the vulnerability. Further risk reductions could be gained by understanding that the attackers must gain access to the device (what controls are in place for this?, what training have you done on laptop loss control?)  and the device must be in a sleep state or recently powered down (have you taught users to power down laptops completely when removing them from the office or other controlled areas?). Each step in training and additional controls further serves to reduce the risks from this vulnerability.

Vendors are also reacting to the problem. Many are identifying the key management processes in their products and moving to change them in such a way as to make them more effective with this attack in mind. Their results and effectiveness are likely to vary, but at least many of them are trying.

So, while laptop loss remains a potential data theft risk, even with crypto in place, it is likely to remain a manageable and acceptable risk if proper awareness controls are in place. So before you put too much stock in some of the “near panic” FUD levels some security analysts are shouting, step back, take a look at it from a rational risk standpoint and then identify what you can do about it.

This issue again reinforces that there aren’t any silver bullets in security. Nothing is “absolute protection”, even high level math. The only real way to do security is through proper, rational risk management…