Category Archives: Emerging Threats

Toata Scanning for Zen Shopping Cart with Brain File – Updated

Posted on by
1

If you’ve been a long time reader of this blog, then you know about our ongoing efforts to help stem the tide of web application infections. Here is another example of this effort in action.

A couple of days ago the HITME began tracking a series of new scans that are circulating from the Toata bot network. These new scans appear to be aimed at cataloging systems that are running the Zen shopping cart application. As per usual behavior of these tools, it appears that the cataloging is automated and then later, exploitation occurs from either another piece of code or human intervention.

ToataZenBrain102709.txt

Above is a link to a brain file for the Web application scanner that we produce called BrainWebScan. You can use this tool and the brain file above to scan your own servers for implementations of the Zen shopping cart. If you identify servers that have the Zen shopping cart installed, careful review of these systems should be conducted to examine them for signs of compromise. Reviews of the logs for the string “Toata” will identify if the system has already been scanned by this particular attack tool. However, other attack tools are being used that do not create specific named strings in the log files. The vulnerability that these tools are seeking to eventually exploit is unknown at this time, may be an old vulnerability or exploit, or could potentially be a new and previously unknown vulnerability.

Users of the Zen cart application are encouraged to ensure that they are following the best practices for securing the application. The application should be kept up-to-date and the Zen cart vendor website should be carefully monitored for future updates and known issues. Additional monitoring, vigilance and attention to servers running the Zen cart application should be performed at this time. It is probably not a bad idea to have these systems assessed for currently known vulnerabilities in their operating system, content management application and other web components.

If you would like assistance checking your web application or vulnerability assessment performed on your web application, please do not hesitate to contact us for immediate assistance.

PS: You can download BrainWebScan for Windows from here: http://dl.getdropbox.com/u/397669/BrainWebScan100Win.zip

Here are an additional set of gathered targets:

//zencart/includes/general.js
//zen/includes/general.js
//ZenCart/includes/general.js
//ZEN/admin/includes/stylesheet.css
//zen/admin/includes/stylesheet.css
//zen-cart/admin/includes/stylesheet.css
//zencart/admin/includes/stylesheet.css
//zc/admin/includes/stylesheet.css
//zshop/admin/includes/stylesheet.css
/zencart/install.txt
/zen-cart/install.txt
/zen/install.txt
/zcart/install.txt

7 Areas of Concern With Cloud Computing

Posted on by
Reply

One of President Obama’s major initiatives is to promote the efficient use of information technology. He supports the paperless office ideal that hasn’t been fully realized in the Paperwork Reduction act of 1995.
Specifically mentioned is Federal use of cloud computing. So good, bad or indifferent, the government is now moving into the world of cloud computing – despite the fact that it is a new way of doing business that still has many unaddressed problems with security and the general form that it is going to take.

The Federal CIO Council (Federal Chief Information Officers Council codified in law in E-Government act of 2002) CTO of Federal Cloud is Patrick Stingley. At the Cloud Computing Summit in April 29 2009, it was announced that the government is going to use cloud for email, portals, remote hosting and other apps that will grow in complexity as they learn about security in the cloud. They are going to use a tiered approach to cloud computing.

Here are seven problematic areas of cloud computing for which solutions need to be found:

  1. Vendor lock-in – Most service providers use proprietary software, so an app built for one cloud cannot be ported to another. Once people are locked into the infrastructure, what is to keep providers from upping the price?
  2. Lack of standards – National Institute of Standards and Technology (NIST) is getting involved and is still in development. This feeds the vendor lock-in problem since every provider uses a proprietary set of access protocols and programming interfaces for their cloud services. Think of the effect of this on security!
  3. Security and compliance – Limited security offerings for data at rest and in motion have not agreed on compliance methods for provider certification. (i.e., FISMA or common criteria. Data must be protected while at rest, while in motion, while being processed and while awaiting or during disposal.
  4. Trust – Cloud providers offer limited visibility of their methods, which limits the opportunity to build trust. Complete transparency is needed, especially for government.
  5. Service Level Agreements – Enterprise class SLAs will be needed (99.99% availability). How is the data encrypted? What level of account access is present and how is access controlled?
  6. Personnel – Many of these companies span the globe – how can we trust sensitive data to those in other countries? There are legal concerns such as a limited ability to audit or prosecute.
  7. Integration – Much work is needed on integrating the cloud provider’s services with enterprise services and make them work together.

Opportunities abound for those who desire to guide cloud computing. Those concerned with keeping cloud computing an open system drafted an Open Cloud Manifesto, asking that a straightforward conversation needs to occur in order to avoid potential pitfalls. Keep alert as the standards develop and contribute, if possible.

Pandemic Planning Update: Consider 10 Day Minimums for Sick Time

Posted on by
Reply

Having just read this article, and participated in several discussions around Pandemic Planning, I am of the belief that folks might want to consider mandatory 10 day sick times/work from home times for H1N1 infected employees.

Research shows that infected folks may be contagious for up to 10 days from the onset of their symptoms, even after they “feel better”. The problem with this is that as they “feel better” they may return to work or school, thus exposing others to the virus, albeit, inadvertently. Many people simply think that if they “feel better”, then they must be over the infection and not contagious anymore.

So, as you consider your pandemic plans, please think about the idea of a 10 day work from home program or the like for folks that are symptomatic. Explanation and education of folks carrying the virus can only help, so take the time to explain this cycle to your team.

Thanks for reading and please let us know if you have any questions about pandemic planning or remote working issues. My team and I have been doing quite a bit of consulting lately reviewing pandemic plans and helping organizations make sure that they are prepared and that their remote access systems are robust enough to handle the load and secure enough to be trusted. If we can be of any help to your organization along these lines, please do not hesitate to call or drop us a line!

President of Colombia Has Swine Flu and So Might Other Leaders

Posted on by
3

This article pointed out the recent diagnosis of President Alvaro Uribe, of Colombia, with swine flu. Even worse, the leaders of Colombia have alerted the other leaders that were involved in a regional South American summit last week. While President Uribe is not considered high risk for death from the disease, this is a new turn in the pandemic and public awareness. To date, Colombia has reported 621 cases with 34 deaths, making the mortality rate .05%.

Meanwhile, in the US and UK, school has just resumed and health officials are closely monitoring schools. Plans for handling outbreaks in the schools vary by district, but several are known to be testing plans for tele-education and remote teaching.

Once again, organizations are urged to undertake some form of pandemic planning and testing, as a “just in case” measure for H1N1 and the possibility of a strong flu season this year. SANS has just launched a site dedicated to pandemic planning and news. Check it out for more information, or give us a call and arrange a time to chat.

Flu Pandemic Begins Early in Japan and Could Accellerate US Season

Posted on by
Reply

According to this article, just published, the flu season has unexpectedly begun early in Japan.

The WHO has fears that this outbreak could also hasten the beginning of flu season here in the US. This puts additional pressure on the health systems to prepare for vaccinations and on the producers of the vaccines to push forward as quickly as possible.

As we have previously mentioned, it is a good idea for organizations to prepare a pandemic plan to handle outages of staff or remote working arrangements in preparation for the H1N1 flu and other natural emergencies of similar scope. Please, take the time to review your plans, test them effectively or create these plans as soon as practical.

Keep an eye on the WHO and CDC news channels to stay abreast of flu trends and any patterns or new developments. Here are links to their sites.

WHO and the CDC sites.

Thanks for reading!

When The System Works, It Really Works! :)

Posted on by
5

OK gang, so here is our part of the story.

As many of you may now know, the NCUA issued a fraud alert this week based on a social engineering test we were doing for a client natural person Credit Union. You can find some of the materials at the following URLS:

NCUA Media Release

SANS Storm Center

NetworkWorld

Once we saw the alert from the NCUA, we immediately contacted our Credit Union client about the situation. The client had received the letter and CD set in the mail, just as intended and called for in their testing agreement. However, on their side, the person responsible for the penetration test was out the day the letter arrived. The receiver of the letter followed their incident response process and reported the suspicious activity to the NCUA Fraud Hotline, just as they are supposed to do.

Upon our contact with the CU, the entire situation became apparent and we quickly identified how the process had proceeded. The employee of the CU had followed the process, just as they should, and alerted the proper authorities to the potential for fraud. We immediately contacted the NCUA Fraud hotline and explained that the process was a part of a standard penetration test. Eventually, we talked with executive management of NCUA and offered them any information they desired, including the source code to the tools on the CDs. The NCUA was wonderful to work with, understood the situation and seemed appreciative of our efforts to help ensure that their members were meeting the requirements of NCUA 748, which calls for the protection of member data against illicit access, including social engineering attacks like these.

During our discussion with NCUA executive management, we discussed me reaching out to SANS and such to clarify the situation and to explain that the “attack” was simply a part of a penetration test. I did this as soon as I hung up the phone with NCUA. The handlers at SANS and I traded emails and phone calls and they amended their release to include the penetration testing scenario. The whole point of this was to add clarification and to prevent people from getting “spun up”, since there really was no ongoing attack in progress.

However, in typical Internet fashion, the story had already taken on a life of it’s own. The next thing we know, the press is picking up the story, there’s an article on slashdot and people are in alert mode. We then set about trying to calm folks down and such on Twitter, through email and such.

The bottom line here is this. This was a controlled exercise in which the process worked. The social engineering attack itself was unsuccessful and drew the attention of the proper authorities. Had we been actual criminals and attempting fraud, we would have been busted by law enforcement. The NCUA did a great job of getting the word out that such an attack had occurred and the media and security folks did a great job in spreading the word to prevent further exposures to this threat vector. Everyone, and I do mean everyone, is to be congratulated here for their efforts!

The system worked. Had we been bad guys, we would have been busted. The world was protected, once more, thanks to the vigilance and attention of the NCUA and the security community.

Now, about the testing. MicroSolved, Inc. does, indeed, test social engineering attack vectors as a part of our standard assessments. The social engineering threat is a powerful and valid attack vector that often leads to compromise. Our process for testing these engagements is well scoped, well organized and intensely controlled. The threats we emulate are very real (in this case, we even included typos and such in the fake letter). The simulated malware we use is a custom application, developed in house by my team of engineers and does not propagate in any way. It is safe, effective, tested and has been in use with ongoing revision and testing for more than five years. The entire process for testing social engineering has been performed thousands of times for thousands of clients and will continue to be a part of our testing methodology. We truly believe that information security starts and ends with the people involved in protecting the data.

I hope this answers any questions you may have about the process or the alert. If not, drop me a line at bhuston@microsolved.com and I will try and assist you, if I can. I would really like to thank the NCUA, SANS, my technical team and the customer CU for their help and attention on this project. Thanks also, to all of the security folks and CU folks who helped spread the word about this attack vector. Though the awareness campaign was unintended, it certainly has raised the bar for would be attackers if they hope to exploit this in the future. Thanks for all of your hard work and attention!

Oh, and lastly, no, it is not us sending the laptops to governors of the states. It might not even be us sending the next round of CDs, USB keys or whatever new fraud schemes emerge in the future. But, regardless of whether or not it is us doing a test for your organization, or real criminals attempting to exploit you, don’t fall for it! Report these events to the authorities and let’s make use of the process that we have clearly established!

Thanks for reading and make it a great day!

Update: Thanks to NetworkWorld for their help on getting the word out. Thanks to @alexhutton as well for this article.

Yay! A Winning Anti-Virus Check! Or Not…

Posted on by
Reply

So today on my RSS feeds, I saw that a new version of the Sub7 trojan has been released. This new version, called “legends” has some new features and such for exploitation and maintaining control over infected systems.

Being curious, I uploaded the installer to VirusTotal to see what kind of hit ratio I would get. To my surprise, ~96% of the AV software there detected Sub7!

There are two ways to look at this, I suppose. It sure seems like a victory when you get such a high hit rate, but on the other hand there are likely some elements of this extremely well known code that haven’t changed since it first emerged on the scene in the 90’s. So, I would hope that we could detect it with a high accuracy rate. In fact, I had really hoped we could detect it at 100%, but it seems that some AV vendors still miss it. Still 96% is far better than the ~15% detection rate I got on another test like this, just a little bit ago.

The second way to look at it is that we still have long known malware that is not detected by some AV products. Now, given, that is a small percentage, but after all of this time, they can not detect Sub7? That would be pretty horrible if you happen to be a customer of theirs and your data is at risk. Compound this with the data from the breach reports that show increases in custom malware being used in attacks and you can see the problem from a new perspective. If we can’t detect malware from the 90’s across the board, then how can AV hope to continue to be seen as the magic bullet defense against increasingly complex and dynamic attack code in the future? Of course, the answer is, it can not. It NEVER HAS BEEN THE MAGIC BULLET THAT MANY IT FOLKS AND MANAGEMENT FOLKS BELIEVE IT IS.

Where does that leave us? Somewhere between victory and defeat? Right where we have always been, but maybe, just maybe, with a little more argument and knowledge for those “magic bullet” folks!

PS – Here is my VirusTotal submission if you want to check it out.

Remote Access Challenges in Pandemic Planning

Posted on by
Reply

One of the tools that organizations are leaning on for pandemic responses is remote access to computing systems. Technologies such as VPNs, Citrix servers, terminal servers and other forms of remote access are widely appearing in the plans we are reviewing and are among the most discussed items in the planning sessions we have been holding with clients.

However, there are some issues that are emerging around many of these tools. To start, they can introduce a great deal of risk to the IT infrastructure and security posture if they are not deployed and managed properly. For example, blindly exposing terminal services, SSH and other remote access technologies to the Internet is a common path to compromise. Attackers are very good at finding these services and exploiting them, either with technical exploits or through credential discovery via social engineering, browser attacks and/or brute force. These exposures are often present in the major data breaches and serve as a danger point for organizations.

Blindly exposing remote access mechanisms such as these is usually a pretty bad approach. A better approach is to leverage a stronger access method such as VPN. VPN technologies are typically built around stronger security platforms and with greater security in place to protect the users and the organizations they serve. They will require a bit more “care and feeding” than blind port forwarding deployments, but they are a much safer solution for remote access to your environment.

VPN technologies also do not need to be expensive. Projects like OpenVPN and other open source approaches have reduced the costs to deploy VPN access to the lowest of levels. Basically, the cost of hardware and the human resources to install and support the system are the only costs involved. Many tools exist in this family and more are emerging every day.

Another significant issue to consider when looking at the remote access capability of your pandemic plan is capacity. More than likely, your solutions were implemented, as are most, with the idea that a somewhat limited subset of your entire employees would be using the access tools at any given time. That may not be the case in the event of a pandemic. The number of employees accessing the system may exceed your current designs and testing, so be sure you think through how you can expand that capacity, rotate shifts or use other techniques to plan for the impact from the surge in demand.

Lastly, be sure and test these mechanisms before you need them. Things in life often don’t work as planned the first time around, so practice for pandemics before one arrives. Have dedicated work from home days, plan for teams or lines of business to practice their plans and create lessons learned feedback loops to capture issues and work on minimizing them.

Preparation will likely pay off, both in the continued operation and bottom line of your business and in the reduction of panic should a pandemic every rear its ugly head. Thanks for reading, and let us know if we can assist you in planning or testing with pandemics in mind. Please, stay tuned to the blog for more information on the possible H1N1 pandemic, pandemic planning and other security issues that might emerge. At MSI, we are dedicated to helping you establish the means and mechanisms to keep your business, your business…

Your Next Security Threat May Not Involve Attackers

Posted on by
Reply

I was astounded when I read this article that includes a 2 BILLION estimate on the number of H1N1 cases that the WHO is expecting. Even worse, at 30% of human population on the planet, many are calling that number conservative. Some members of the medical community say that 45-50% may be likely!

In either case, the good news is that SOME vaccine is likely to be available to those in the Northern Hemisphere before Autumn arrives. The bad news is that there will likely not be an abundance of it, and that means some will not have access.

This is where the DR/BC planning comes in. By now, you probably have heard a little bit about pandemic planning and hopefully have created processes for remote working, containing illness and ensuring that you can operate with reduced staff. If you haven’t done this yet, NOW IS THE TIME to get this started.

If you do already have a plan, now might be a good time to do some rudimentary testing. Maybe declare a couple of reduced staff days, test the load on the VPN and remote access servers and such. This testing effort will likely reveal a few holes in these plans, but it is much better to learn about them and mitigate them now than when the real thing is going on.

Clearly, from the evidence presented by the WHO, this is something we should be paying attention to. Those who lack the focus or resources to take it seriously may well find themselves in troubling times when the weather turns colder and folks in the office begin to sneeze….

Get Ready, Here Comes the MS Web Office Bot-Nets!

Posted on by
Reply

Just as we expected, the exploit for the Web Office 0-day has been integrated into existing bot-net spread attacks. SANS and other folks began reporting that SQL injection compromises have now been tuned to include defacements with the embedded Web Office exploit.

These SQL injection attacks that lead to defacement, along with the recent spate of Cold Fusion defacements have been leveraged to spread malware for some time. However, this new “upgrade” to the malicious javascript the defacements leverage to infect browsers is likely to be much more effective with the Web Office exploit in place, given that no real patch is available and that the exploit code is so easy to use, stable and effective.

If you have not yet deployed the kill bit solution referenced in this article: https://stateofsecurity.com/?p=709, you should do so immediately. Mass, wide-scale, exploitation of this issue is likely beginning and will continue for some time.

It would also be very wise to educate your staff about this issue since they will need to activate the kill bits on home systems as well until a patch becomes available.

Please note that you must reboot systems before they become immune to the exploit once the kill bits are installed in the registry.

Let us know if you have any questions or desire any assistance with the kill bit solution.