Infosec Tricks & Treats

Happy Halloween!

This time around, we thought we’d offer up a couple of infosec tricks and treats for your browsing pleasure. Around MSI, we LOVE Halloween! We dress up like hackers, bees and hippies. Of course, we do that most other days too… 🙂

Here are a couple of tricks for you for this Halloween:

Columbia University gives you some good tricks on how to do common security tasks here.

University of Colorado gives you some password tricks here.

and The Moneypit even provides some tricks on cheap home security here.  

And now for the TREATS!!!!!

Here are some of our favorite free tools from around the web:

Wireshark – the best network sniffer around

Find your web application vulnerabilities with the FREE OWASP ZED Attack Proxy

Crack some Windows passwords to make sure people aren’t being silly on Halloween with Ophcrack

Actually fix some web issues for free with mod_security

Grab our DREAD calculator and figure out how bad it really is.. 🙂

Put those tricks and treats in your bag and smile. They won’t cause cavities and they aren’t even heavy enough to keep you from running from the neighborhood bully looking to steal your goodies! 

Thanks for reading and have a fun, safe and happy Halloween! 

October Touchdown Task: Phone System Review

This month’s Touchdown Task is to take an hour and give your phone system security a quick review. PBX hacking, toll fraud and VoIP attacks remain fairly common and many organizations don’t often visit the security of their phone systems. Thus, a quick review might find some really interesting things and go a long way to avoiding waste, fraud and abuse.

If you have a traditional PBX/analog phone system, here are some ideas for you to check out.

If you have a VoIP-based system, here are some checks to consider. (Note that this is a STIG in a  zip file). 

Generally speaking, you want to check passwords on voice mail boxes, give a look over to make sure that the phone system has some general logging/alerting capability and that it is turned on. Pay attention to out going dialing rules and test a few to make sure arbitrary calls can’t be made remotely. On the personnel side, make sure someone is actively monitoring the phone system, auditing the bill against “normal” and adding/deleting entries in the system properly.

Give the phone system a bit of your time. You never know what you might learn, and you might avoid tens to hundreds of thousands of dollars in fraud and abuse.

Thanks for reading and I hope you are enjoying the season! 

Come Out and See Us at NE Ohio Security Summit

Brent will be speaking at the NEO Security Summit again this year. He will be concluding his set of presentations on the History of Cybercrime and Toffler’s Cell Theory as its basis. TheSummit is October 24-25, 2103 in Westlake, Ohio. 

Brent speaks on Thursday at 1:15 PM in “The Champagne Room A”. (Get the thought out of your mind.. You know what Chris Rock says… NSFW…)

This is the 11th annual Summit for NEO and it has history of being a fabulous, affordable event. Come out and learn some stuff, get a ton of CPEs and re-connect with old friends. You can find out more about the event and register here. 

As always, thanks for reading and we hope to see you at the event!

UPDATE: Looks like I’ll be doing back to back sessions on Thursday at NEO Summit: 1:15 Crime History in Champagne A, 2:30 Defensive Tampering in Bordeax A. Come out and see me. That’s 2 chances in one day to get your heckle on!!!!

Save The Date: Midwest ICS/SCADA Security Symposium 2013

Just a quick announcement that the 3rd annual Midwest ICS/SCADA Security Symposium date has been announced. We will be holding the event on November 14th, 2013 in Columbus, Ohio.

It is a single track, single day event which is highly focused on peer to peer interaction between asset owners, utilities, manufacturers and other interested parties. The attendees usually span the various types of ICS asset holders from water, power, natural gas, chemical, automated manufacturing and other critical infrastructures. The focus is on real world threats, changing regulatory guidance, what controls work and work less, scenarios and tactics that have helped improve security and overall changes in protection strategies in the last 12 months.

The conversations are often candid, to the point and the open forum leads to passionate and real world discussions.

All attendees are vetted to ensure confidentiality and maintain focus on real content minus vendor sales pitches. The cost to attend is FREE and coffee, snacks and lunch is provided.

To learn more about the event or to qualify for an invitation, please drop us a line via email (info A T microsolved D O T com) or via aTwitter (@lbhuston or @microsolved). If you have attended or qualified in the past for the event, your invitation will be forthcoming shortly.

Speaker selection is now underway, so watch this blog for the agenda in the near future. 

Blast From the Past: D-Link Probes in the HITME

We got a few scans for an old D-Link router vulnerability that dates back to 2009. It’s interesting to me how long scanning signatures live in online malware and scanning tools. This has lived for quite a while. 

Here are the catches from a HoneyPoint Personal Edition I have deployed at home and exposed to the Internet. Mostly, this is just to give folks looking at the scans in their logs an idea of what is going on. (xxx) replaces the IP address… 

2013-10-02 02:46:13 – HoneyPoint received a probe from 71.103.222.99 on port 80 Input: GET /HNAP1/ HTTP/1.1 Host: xxxx User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) WebWasher 3.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://xxxx/ Authorization: Basic YWRtaW46dWA+NXhZQlU1d2VR Connection: keep-alive

2013-10-02 03:22:13 – HoneyPoint received a probe from 71.224.194.47 on port 80 Input: GET /HNAP1/ HTTP/1.1 Host: xxxx User-Agent: Opera/6.x (Linux 2.4.8-26mdk i686; U) [en] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://xxxx/ Authorization: Basic YWRtaW46InkwYi4qMF5wL05G Connection: keep-alive

This probe is often associated with vulnerable D-Link routers, usually older ones, those made between 2006 and mid-2010. The original release and proof of concept exploit tool is here. The scan has also been embedded into several scanning tools and a couple of pieces of malware, so it continues to thrive.

Obviously, if you are using these older D-Link routers at home or in a business, make sure they are updated to the latest firmware, and they may still be vulnerable, depending on their age. You should replace older routers with this vulnerability if they can not be upgraded. 

The proof of concept exploit also contains an excellent doc that explains the HNAP protocol in detail. Give it a read. It’s dated, but remains very interesting.

PS – As an aside, I also ran the exploit through VirusTotal to see what kind of detection rate it gets. 0% was the answer, at least for that basic exploit PoC. 

Scanning Targets for PHP My Admin Scans

Another quick update today. This time an updated list of the common locations where web scanning tools in the wild are checking for PHPMyAdmin. As you know, this is one of the most common attacks against PHP sites. You should check to make sure your site does not have a real file in these locations or that if it exists, it is properly secured.

The scanners are checking the following locations these days:

//phpMyAdmin/scripts/setup.php
//phpmyadmin/scripts/setup.php
/Admin/phpMyAdmin/scripts/setup.php
/Admin/phpmyadmin/scripts/setup.php
/_PHPMYADMIN/scripts/setup.php
/_pHpMyAdMiN/scripts/setup.php
/_phpMyAdmin/scripts/setup.php
/_phpmyadmin/scripts/setup.php
/admin/phpmyadmin/scripts/setup.php
/administrator/components/com_joommyadmin/phpmyadmin/scripts/setup.php
/apache-default/phpmyadmin/scripts/setup.php
/blog/phpmyadmin/scripts/setup.php
/cpanelphpmyadmin/scripts/setup.php
/cpphpmyadmin/scripts/setup.php
/forum/phpmyadmin/scripts/setup.php
/php/phpmyadmin/scripts/setup.php
/phpMyAdmin-2.10.0.0/scripts/setup.php
/phpMyAdmin-2.10.0.1/scripts/setup.php
/phpMyAdmin-2.10.0.2/scripts/setup.php
/phpMyAdmin-2.10.0/scripts/setup.php
/phpMyAdmin-2.10.1.0/scripts/setup.php
/phpMyAdmin-2.10.2.0/scripts/setup.php
/phpMyAdmin-2.11.0.0/scripts/setup.php
/phpMyAdmin-2.11.1-all-languages/scripts/setup.php
/phpMyAdmin-2.11.1.0/scripts/setup.php
/phpMyAdmin-2.11.1.1/scripts/setup.php
/phpMyAdmin-2.11.1.2/scripts/setup.php
/phpMyAdmin-2.5.5-pl1/index.php
/phpMyAdmin-2.5.5/index.php
/phpMyAdmin-2.6.1-pl2/scripts/setup.php
/phpMyAdmin-2.6.1-pl3/scripts/setup.php
/phpMyAdmin-2.6.4-pl3/scripts/setup.php
/phpMyAdmin-2.6.4-pl4/scripts/setup.php
/phpMyAdmin-2.6.4-rc1/scripts/setup.php
/phpMyAdmin-2.6.5/scripts/setup.php
/phpMyAdmin-2.6.6/scripts/setup.php
/phpMyAdmin-2.6.9/scripts/setup.php
/phpMyAdmin-2.7.0-beta1/scripts/setup.php
/phpMyAdmin-2.7.0-pl1/scripts/setup.php
/phpMyAdmin-2.7.0-pl2/scripts/setup.php
/phpMyAdmin-2.7.0-rc1/scripts/setup.php
/phpMyAdmin-2.7.5/scripts/setup.php
/phpMyAdmin-2.7.6/scripts/setup.php
/phpMyAdmin-2.7.7/scripts/setup.php
/phpMyAdmin-2.8.2.3/scripts/setup.php
/phpMyAdmin-2.8.2/scripts/setup.php
/phpMyAdmin-2.8.3/scripts/setup.php
/phpMyAdmin-2.8.4/scripts/setup.php
/phpMyAdmin-2.8.5/scripts/setup.php
/phpMyAdmin-2.8.6/scripts/setup.php
/phpMyAdmin-2.8.7/scripts/setup.php
/phpMyAdmin-2.8.8/scripts/setup.php
/phpMyAdmin-2.8.9/scripts/setup.php
/phpMyAdmin-2.9.0-rc1/scripts/setup.php
/phpMyAdmin-2.9.0.1/scripts/setup.php
/phpMyAdmin-2.9.0.2/scripts/setup.php
/phpMyAdmin-2.9.0/scripts/setup.php
/phpMyAdmin-2.9.1/scripts/setup.php
/phpMyAdmin-2.9.2/scripts/setup.php
/phpMyAdmin-2/
/phpMyAdmin-2/scripts/setup.php
/phpMyAdmin-3.0.0-rc1-english/scripts/setup.php
/phpMyAdmin-3.0.0.0-all-languages/scripts/setup.php
/phpMyAdmin-3.0.1.0-english/scripts/setup.php
/phpMyAdmin-3.0.1.0/scripts/setup.php
/phpMyAdmin-3.0.1.1/scripts/setup.php
/phpMyAdmin-3.1.0.0-english/scripts/setup.php
/phpMyAdmin-3.1.0.0/scripts/setup.php
/phpMyAdmin-3.1.1.0-all-languages/scripts/setup.php
/phpMyAdmin-3.1.2.0-all-languages/scripts/setup.php
/phpMyAdmin-3.1.2.0-english/scripts/setup.php
/phpMyAdmin-3.1.2.0/scripts/setup.php
/phpMyAdmin-3.4.3.1/scripts/setup.php
/phpMyAdmin/
/phpMyAdmin/scripts/setup.php
/phpMyAdmin/translators.html
/phpMyAdmin2/
/phpMyAdmin2/scripts/setup.php
/phpMyAdmin3/scripts/setup.php
/phpmyadmin/
/phpmyadmin/scripts/setup.php
/phpmyadmin1/scripts/setup.php
/phpmyadmin2/
/phpmyadmin2/scripts/setup.php
/phpmyadmin3/scripts/setup.php
/typo3/phpmyadmin/scripts/setup.php
/web/phpMyAdmin/scripts/setup.php
/xampp/phpmyadmin/scripts/setup.php
<title>phpMyAdmin

Telnet Passwords Used In Brute Force Attacks

Just a quick post today, but I wanted to give you some insight into the Telnet scans we have been seeing lately. Here are the passwords that have been used to target logins on port 23 on one of our HITME sensors in the United States. This particular system emulates a login, and the probes appear to be automated. We saw no evidence of any manual probes on this sensor in the last month that targeted telnet.

The passwords used in brute force attacks on telnet (used against the usual root/admin/etc users…): 

default
1234
220
428
436
Admin
D-Link
admin
cobr4
dreambox
echo
enable
home-modem
l
password
private
public
root
sh
user

Keep a careful eye on any systems with Telnet exposed to the Internet. They are a common attraction point to attackers.

Just a Reminder, SIP is a Popular Scanning Target

I just wanted to give you a quick reminder that SIP scanning remains quite popular on the Internet. These probes can lead to compromise and fraud against your VoIP systems. Make sure you do not have VoIP systems exposed to the Internet without proper controls. If you review your logs on the Internet perimeter, SIP scans will look similar to this:

This was captured from the HITME using HoneyPoint Personal Edition.

2013-09-30 17:02:18 – HoneyPoint received a probe from 207.127.61.156 on port 23

Input: OPTIONS sip:nm SIP/2.0

Via: SIP/2.0/TCP nm;branch=foo

From: <sip:nm@nm>;tag=root

To: <sip:nm2@nm2>

Call-ID: 50000

CSeq: 42 OPTIONS

Max-Forwards: 70

Content-Length: 0

Contact: <sip:nm@nm>

Accept: application/sdp

Keep an inventory of your VoIP exposures. They remain a high area of interest for attackers.