Author Archives: Brent Huston

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Toata Moves On To Additional Targets

Posted on by
Reply

The Toata bot army has moved on to scanning for additional web-applications to target/catalog. Medium levels of scanning began last night and continue today. The new targets are:

/mantisbt/login_page.php

/tracker/login_page.php

/bugtracker/login_page.php

/bugtrack/login_page.php

/support/login_page.php

/bug/login_page.php

/bugs/login_page.php

/login_page.php

/statistics

/bin/statistics

/twiki/bin/statistics

/wiki/bin/statistics

/wikis/bin/statistics

/cgi-bin/twiki/bin/statistics

/cgi-bin/wiki/bin/statistics

/cgi-bin/wikis/bin/statistics

Check your systems to see if you have these files, if so, check with the responsible projects for updates. Consider additional monitoring and/or removal from service. Investigations should be performed, exploitation timelines and goals are unknown. It appears that Mantis Bugtracker and Twiki are the likely targets. Exploit vectors have not been researched at this time, though Mantis has had known XSS in the login page previously.

Our HoneyPoint Internet Threat Monitoring Environment (HITME) is tracking the scans, sources and payload evolutions. SANS and other groups have been notified.

More Toata Scans for a New RoundCube File

Posted on by
1

Last night, HITME began to pick up various sources scanning for a new file in the RoundCube Webmail product. The file “list.js” is being scanned for by the Toata bot and low levels of port 80 scans matching these probes are ongoing. SANS and the project owners have been informed.

No exploitation has been observed by us thus far in relationship to these scans, but cataloging is ongoing. Intent of the attacker is currently unknown, as is the vulnerability, if any, present in the file.

Following are the signatures captured from one host:

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:41 on port 80

Alert Data: GET /rc/program/js/list.js HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Toata dragostea mea pentru diavola

Host: xx.xx.xx.xx

Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:39 on port 80

Alert Data: GET /roundcubemail/program/js/list.js HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Toata dragostea mea pentru diavola

Host: xx.xx.xx.xx

Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:38 on port 80

Alert Data: GET /roundcube/program/js/list.js HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Toata dragostea mea pentru diavola

Host: xx.xx.xx.xx

Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:36 on port 80

Alert Data: GET /webmail/program/js/list.js HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Toata dragostea mea pentru diavola

Host: xx.xx.xx.xx

Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:35 on port 80

Alert Data: GET /email/program/js/list.js HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Toata dragostea mea pentru diavola

Host: xx.xx.xx.xx

Connection: Close

Once again, users of RoundCube Webmail are urged to ensure they are doing additional levels of monitoring, staying current on all patches/updates and taking other precautions. Consider removing RoundCube from Internet exposure until these and other ongoing issues are mitigated.

Win7, Linux and the Future of the Desktop OS

Posted on by
Reply

First of all, I think one of the major reasons that Windows 7 will not “kill Linux on the Desktop” is cost. Quite honestly, unless they are going to make Windows 7 free, it might be popular enough to stall the spread of Linux on desktops in the developed world, but the rest of the world (the parts of the world where the next IT explosion will originate from because it is not already saturated) can not afford to purchase the licenses and will continue to grow Linux as their leading OS. How important is Linux in the emerging world? Google for Linux news in Brazil, India, the Middle East and find out. Linux has become BOTH the server AND desktop OS of choice in many of those areas. In addition, schools are teaching Linux as part of the curriculum, so that means additional armies of Linux users will eventually come to bear on the market over the next decade. That is likely a force that can not be derailed.

Second, I believe in open source. While the majority of users could care less about source and will never tweak their code, there are a core group of code geeks who will tweak stuff and play with things. These geeks will create improvement in the Linux desktop experience. The experience has been slowly and steadily improving over time. Don’t take my word for it, go back and download a VM of an early Ubuntu release and compare it to today. Ubuntu and the other open source Linux-based OS projects CONTINUALLY release new enhancements and upgrades that impact user experience. What releases have there been since Windows 98? XP, Vista and now Windows 7. How many releases of Ubuntu and other desktop environments have there been since the release of Windows 98? Basically, ALL OF THEM. Not to mention the fact that Ubuntu and the Linux movement isn’t dead. Just as they incorporated and learned from the powerful features of OS X, they will learn from, emulate and advance the experience in the future based on Windows 7 too. They will likely release a lot of changes over the next couple of years, even as Windows 7 reaches its mass market plateau. Likely, as they learn from and advance beyond, the “stall” will end and Ubuntu and the Linux desktop “movement” will experience further growth. Face it, the model is just more efficient.
Third, the idea that users choose desktop OS solely by features is ludicrous. The majority make their choice based on a combination of ease of use, brand familiarity, stability and PRICE. In the developed world, price might have less to do with it, and it is likely that ease of use and branding “what I use at work and already know” is more likely the top considerations. Followed by stability and price. But even in those decisions, Linux has made a huge improvement and at such a rapid pace THAT IF IT CONTINUES AT THAT PACE, it will easily surpass Windows in terms of everything but branding by the time Windows 7 hits its plateau of saturation. Business adoption is the key here. The more businesses that put Linux on the desktop, the more people get familiar and begin to use it at home. Add to that equation the coming army of global young people that have been using Linux as their base of education and you see a rising tide. I think of Windows 7, not as death for Linux, but as the last Microsoft desktop OS that will enjoy HUGE MARKET OWNERSHIP. I see a continued splintering of the desktop into Windows/Linux and OS X, with easier sharing, integration and cross platform collaboration in the future. Far from death, I see a market splinter where we reach some form of mutual equity, give or take small evangelic groups of BSD/Other/Netware+/Blah blah blah that ebb and flow. To demonstrate my point – I am sure Guy Kawasaki has no plans to switch from OS X to Windows 7 (nor do I) and I am sure Theo de Raadt is NOT going to dump OpenBSD anytime soon to become a Windows 7 user. Hardcore zealots will likely remain, but the majority of folks in the new “global economy” are likely to keep non-Windows OSs alive for a long long time.
Next is the subject of netbooks. A lot seems to be riding on them in these OS wars. The problem is, I am just not convinced that netbooks will remain a dominant force in the market place. They are kind of on a “computing land bridge” between the hand held devices that will evolve from smartphones and the real functionality and usability factors of a notebook/laptop. Given the reviews I have read about netbooks, it seems plausible that they may get swallowed into the sea as both sides of the land bridge exert pressure on them. Most folks say that they are just too physically small and lack core power to be true notebook replacements, and as the smartphone evolution occurs, I just don’t see how this remains a viable long term form factor, even in the emerging world. Thus anything that bets on netbooks in the Windows/Linux wars seems like an unsafe long term bet to me. (Note, I just bought a Linux-based EEEPC to try, but have not used it yet.)
So as not to leave security out of this, a lot depends on how well Microsoft did with security in Windows 7. (I have not yet used it myself, so only speculation and review based opinions here.) They made significant improvements in Vista and additional improvements are likely here too. Linux continues to have security issues as well, though, they too seem to be improving (without any real metrics research on my part). All operating systems though, face high levels of additional risks from all of the add-on apps and software users use on desktops. Part of what I think will be important in the future of security of desktop systems is how they minimize the damages that a user level compromise can do. How do they prevent escalation? How compartmentalized do they keep data? What detective and responsive controls do they build in to help compensate for bad user decisions? These are key elements in the future of desktop operating system selection. We all know, no matter how many posters we hang and meetings we hold, users continue to choose the dancing gnome or hamster bowling over security. They will click on bad links, visit naughty sites and make incredibly bad decisions. We just have to be ready for them and identify ways to minimize the risk those bad decisions pose to our information assets. What OS platforms would seem more capable of rapid evolution here? It seems to me that the myriad mindset and crowd-source is much more likely to create improvements here in the short term, but you decide for yourself. Bottom line, the future of the desktop operating system is in “compromise tolerance”. You can quote me on that one.
So, there you go, my opinions on the future of Windows 7 as Linux desktop killer. Maybe you agree, maybe you disagree. Let me know. Maybe I am totally wrong and I will be completely surprised 10 years from now. I don’t think so, but it has happened before. As always, your mileage and paranoia may vary.

SANS Posts Info on Previous RoundCube Vulnerability

Posted on by
Reply

Looks like our work got more folks looking at RoundCube. SANS Storm Center has a posting that shows the exploit being used by attackers against the helpnetsecurity announced vulnerability in “html2text”.

The RoundCube folks have already released patches and done code cleanup to remove this and other known issues, including the msgimport.sh scripts from previous versions.

If you are a RoundCube user, please upgrade. Scans have slowed for this issue, but are still present and active at low levels.

Thanks to everyone who helped on this and to the RoundCube Webmail project team for their friendly, open approach to solving the problems and their rapid attention. It is refreshing to work with developers who are focused on solutions instead of wanting to fight about the source of the problems. Hats off to them!

PHP Threats Continue to Rise But More Work & Education Could Help

Posted on by
Reply

Threats against web applications developed in PHP continue to be an area of high activity and interest for attackers. PHP applications now represent a significant portion of the web-application attack footprints we see in our HoneyPoint Internet Threat Monitoring Environment (HITME). PHP scans and probes for new and emerging vulnerabilities are a common occurrence and one the driving forces behind our deployment of the HITME. Our unique insights into ongoing threat activities allows our vulnerability management and professional services clients to know that they are better protected, even against bleeding edge threats.

PHP security issues are so common that the folks at BreakingPoint Labs call it “one of the most commonly attacked pieces of software on the Internet today”. Even when deployed in so called, “safe mode”, PHP applications can still present a high level of risk. Until, at least, the release and wide scale adoption of PHP 6, issues are likely to continue to abound, maybe even beyond that if the attacker underground has anything to say about it.

PHP security problems also represent a major portion of known web vulnerabilities, especially over the course of 2008. Syhunt, the makers of Sandcat Pro, a web application vulnerability scanner and partner to MSI, has even created Sandcat4PHP, a special source code scanner to help organizations proactively secure their PHP applications during development. Recently, Syhunt created these images that show the impact that PHP vulnerabilities are having on their work. PHP security issues represent an overwhelming margin of their work for the year.

All of this is not to say that PHP development is a bad thing. In fact, PHP developed applications have empowered many new cutting edge applications, fueled the growth of web 2.0 and been a powerhouse for bringing average users the web maturity that they have come to expect. Combining the ease of PHP with the power of MySQL, Apache and other open source tools has become a virtual standard for the online world. PHP applications CAN BE DONE SECURELY, they just require additional work and effort to create secure code, just like any other language. The ease of PHP makes it a great language for learning development, but we, as a community, need to help even those budding developers among us learn the basics of creating secure code. Techniques like input validation, proper sanitization, strong authentication and role-based access controls need to be a core part of our outreach teaching to developers.

In the meantime, while education is being worked on, it might be a wise idea to take a check around your environment and audit any PHP applications in production or planned for use in the near future. Additional work, tools or monitoring may be required to better handle the risk you find. Let us know if we can be of any help or if you desire additional insight into PHP security problems. Keep your eyes on PHP, though, its powerful, flexible capabilities make it a big player in the future of the web!

** Have feedback on this post? Please feel free to leave a comment, drop me a line via email or send me a tweet to @lbhuston on twitter. Thanks for reading! **

Three Things You Can Do To Improve Home PC Security “Beyond the Basics”

Posted on by
Reply

Just about everyone knows that home networks and machines need a firewall. Most home PC users also know they need to run anti-virus and anti-spyware tools. Heck, most systems come with these things pre-installed these days. Saavy users even know how to enable the Windows or Linux auto-update feature and go a long way towards to making their machines more protected against attacks.

But, I wanted to remind home users of three “Beyond the Basics” they could do to really help improve home system security. Ready? Here is the list:

1. Install a software update tool like Personal Software Inspector from Secunia. This tool checks your system for various software packages that you may have installed. Have an old version of Java runtime or an out of date version of Flash Player? If so, this tool will not only find it and alert you to it, but in most cases, give you a direct download link to the update. Since many of today’s exploits are against ancillary software packages, this step will help take you well beyond the basic security of most users!

2. Make sure that your home wireless network is secure. If you can, make sure you are using something more than WEP for wireless encryption. If our router or access point doesn’t support more than WEP, or worse yet, doesn’t have any wireless security enabled at all, then you have a serious problem. Take a few minutes and check out this site for more steps on securing your home wireless network.

3. Change from IE to a different browser. Internet Explorer (IE) if a MAJOR TARGET and a source for a myriad of compromises. You can help protect yourself by switching to Chrome, Opera, Firefox, Safari or some other alternative browser. While each of these browsers may also have their share of security issues, none of them represent as a wide and large of a target as IE. Google “alternative browser” for a plethora of browsers for your operating system.

There you have it. 3 fairly easy ways for home users to go “Beyond the Basics” to increase the security of their computing environments. There are a ton more ways to tune the user experience and reduce risk. A bit of Google searching and staying current on various security topics is a great way to start. Be safe out there!

Round Cube Webmail Probes Spreading Rapidly

Posted on by
21

Our HoneyPoint Security Server deployment has identified a set of 0-day scans and probes against the Round Cube Webmail system.

The probes are originating from infected Linux systems world wide and appear to be spreading rapidly. Infection of systems via a bot-net client or other form of malware is likely. The extent of compromise is currently unknown, but complete compromise or escalation to complete compromise may be possible.

Research and work with the developers is ongoing. Users of Round Cube Webmail systems should take steps to remove their systems from Internet access and/or implement additional controls for monitoring and protection. Removal of the msgimport.sh script file is highly encouraged, though additional entry points may emerge in the future.

New versions of the application may not have the msgimport.sh file present.

The current version of the attack is probing for the following files:

/nonexistenshit

/mail/bin/msgimport

/bin/msgimport

/rc/bin/msgimport

/roundcube/bin/msgimport

/webmail/bin/msgimport

Our HoneyPoint deployment has been reconfigured to trap additional data about this threat and additional information may be available soon. The MSI technical team is working with our clients to ensure they are protected against this and other emerging threats. Our threat detection capability, provided to us by our HoneyPoint line of products gives us uniquely deep insight and visibility into bleeding edge threats. As always, we strive to use that knowledge to protect our clients and the Internet at large.

More information can be found on this issue by following @lbhuston and/or @honeypoint on Twitter. You can also check back on our blog or schedule a call with one of our team members if you have additional needs.

** Update: @around 2:30pm Eastern, the “Toata” bot-net added the signature to its scans as well. In less than 24 hours there are now at least 2 known bot-nets scanning for the issue. Any bets on how long it will take before “morfeus” scans for it too??? Also, note that the URL request from “Toata” has a double // typo in it….

** Another Update: Syhunt has added tests to Sandcat for the issue. They are now available via update mechanism for clients.

Best Practices for Certificate Expiration

Posted on by
2

Today, I was asked by a client to look at best practices for digital certificates, such as X.509 and the like. I extended that research to include all types of encryption certificates, SSL/code signing, etc.

Basically, there was a dearth of best practice information available for setting the expiration dates on certs issued for various purposes.

We found a wealth of mentions in PCI, FFIEC, FDIC, NCUA, HIPAA, NIST and other guidance about checking to make sure that expiration dates were valid, reasonable and such, but no real guidance for what “reasonable” is or anything to cite to make a statement that your approach and processes fit the reasonable judgement. There were plenty of guidance sources on checking authenticity of certs, vendor selection and all of that, but little to help organizations in their attempts to define reasonable best practices for how long certs should live once issued.

Our next step was to take a look at the practices of some of the leading certificate vendors and see if we could establish a consensus from their approaches. Quick checks into their process revealed the following:

The major certificate vendors (Verisign, Thawte, etc.) issue certificates with a maximum life span of 2-3 years for most purposes. They explained that this minimized the overhead management work for them while establishing enough care for cryptographic changes (this doesn’t happen right? MD5 nightmare anyone, anyone?), organizational changes and churn in their client base. Secondary vendors (Comodo, RapidSSL, GlobalSign, etc.) in this arena issue certificates for a maximum of 5 years. It appears that they are willing to extend trust a little further to minimize their workload/overhead in management of the certs and processes.

Generally speaking, after reviewing this data, the various standards and processes and the mechanisms that the “big boys” use, I would offer the following as a best practice for setting up expirations on certificates in general.

The best practice for establishing expiration dates on certificates should be two years with a hard set maximum of five years. Two years should be the established baseline for processes and organizations with any increases (up to a maximum of five years) requiring appropriate risk assessment/acceptance from responsible parties in an organization.

I hope this helps folks who are working on establishing certificate systems and other processes in their organizations. If you disagree with my approach or work, please let me know. I am always open to comments via the blog or @lbhuston on Twitter. Thanks for reading!

Playing with Plugins for HoneyPoint

Posted on by
Reply

I have been playing with various plugins lately for HoneyPoint. In this case, I wanted to show the output of two plugins I am playing with currently.

The first one is the TweetCLI plugin that I have written about before. In this example, I am going to show an event that has come in and what the plugins did for me.

The TweetCLI plugin posted the following to the @HoneyPoint feed on Twitter:

Suspicious Activity Captured From: 41.205.122.150 on port 23

Then, the console also executed a plugin I lovingly call AutoPoke. It basically does a whois look up of the address and performs a basic nmap TCP port scan of a few common ports. This produced the following output:

OrgName: African Network Information Center

OrgID: AFRINIC

Address: 03B3 – 3rd Floor – Ebene Cyber Tower

Address: Cyber City

Address: Ebene

Address: Mauritius

City: Ebene

StateProv:

PostalCode: 0001

Country: MU

ReferralServer: whois://whois.afrinic.net

NetRange: 41.0.0.0 – 41.255.255.255

CIDR: 41.0.0.0/8

NetName: NET41

NetHandle: NET-41-0-0-0-1

Parent:

NetType: Allocated to AfriNIC

NameServer: NS1.AFRINIC.NET

NameServer: NS-SEC.RIPE.NET

NameServer: NS.LACNIC.NET

NameServer: TINNIE.ARIN.NET

Comment:

RegDate: 2005-04-12

Updated: 2005-07-12

OrgAbuseHandle: GENER11-ARIN

OrgAbuseName: Generic POC

OrgAbusePhone: +230 4666616

OrgAbuseEmail: abusepoc@afrinic.net

OrgTechHandle: GENER11-ARIN

OrgTechName: Generic POC

OrgTechPhone: +230 4666616

OrgTechEmail: abusepoc@afrinic.net

# ARIN WHOIS database, last updated 2008-12-29 19:10

# Enter ? for additional hints on searching ARIN’s WHOIS database.

Starting Nmap 4.68 ( http://nmap.org ) at 2008-12-30 xxx AST

Interesting ports on 41.205.122.150:

PORT STATE SERVICE

21/tcp open ftp

22/tcp open ssh

23/tcp filtered telnet

25/tcp closed smtp

79/tcp closed finger

80/tcp filtered http

110/tcp closed pop3

135/tcp filtered msrpc

136/tcp closed profile

137/tcp closed netbios-ns

138/tcp closed netbios-dgm

139/tcp filtered netbios-ssn

443/tcp closed https

445/tcp filtered microsoft-ds

1433/tcp closed ms-sql-s

3389/tcp closed ms-term-serv

5800/tcp closed vnc-http

5801/tcp closed vnc-http-1

5900/tcp closed vnc

5901/tcp closed vnc-1

6666/tcp closed irc

6667/tcp closed irc

6668/tcp closed irc

6669/tcp closed irc

Nmap done: 1 IP address (1 host up) scanned in 2.330 seconds

This output is kind of fun (at least to me) to watch. I get real time info about where scans and probes are coming from. I also get real time port info from the scanning hosts. Over time, this gives me some pretty interesting insight into common postures of hosts that appear to be compromised or infected.

In this case, this particular host was interesting because of the source. Our global HoneyPoint deployments don’t see too many offending hosts from this particular region. Over time, if I see more activity originating from there or the like, then I can decide if the threat levels in that area are increasing, but none the less, even this first one is interesting. A quick review of the host shows a likely vulnerable ssh deployment, which may indicate that the host is compromised and/or bot-net infected. Of course, this is all supposition, but interesting (to me) anyway.

Now you know how I spend my time. I love to watch the ebb and flow of attacks, probes and scans. I like to know the sources and virtual “look and feel” of the victim systems. I suppose that is where many of the capabilities in HoneyPoint come from. I think they are just toys that I would like to play with, thus they end up in the product. Do you have some plugins you would like to see or some new HoneyPoint toys or functions you would enjoy? If so, drop me a line. We are working on the plans for HPSS 3.xx as we speak, so now would be a great time to hear a want list from the public!

Thanks for reading!

Correction: Twitter API Does Have SSL Support!

Posted on by
Reply

Previously, I wrote about the supposed lack of SSL/HTTPS support in the Twitter API. However, thanks to Tony for pointing me in the right direction. I DID find support for HTTPS in the API and I have since updated my own tool (released by me as freeware and not associated with MSI) to use it.

For those of you who are interested, you can find the new release of TweetCLI 1.10 that supports updates via HTTPS here:

Windows, Linux, OS X versions.

Thanks to everyone that uses it and feel free to let me know your thoughts and feelings on twitter @lbhuston.

The new version should work as a simple replacement in the previously released HPSS plugin.

You can also subscribe to a “bad touches” feed from some of our Internet exposed HoneyPoints around the world. We are publishing source IP and destination ports only currently, as we work on ways to publish the payloads we get in some manner as well. More on that in the future. The current “bad touches” feed is @honeypoint.

Apologies to twitter for the SSL issue. Additions to the API documentation to show HTTPS examples as the default would be much appreciated.

Hope everyone is having a wonderful holiday season. Thanks for reading and we look forward to more infosec news and research in the future.