Application Fuzzing Can Be Fun

One of the things my mother always said I was good at was breaking things. Apparently, as a young Evangelist, I chose to be an agent of entropy. I guess I have always been a huge fan of how things are continually breaking down, and, according to my mother at least, I did a lot to help them along the way. My mother just loves to tell stories about me taking things apart (clocks, radios, TV sets, lamps, my sister….) but I will save you from those, unless you choose to have coffee with my mother some day… 🙂

Today though, breaking software applications and studying how they fail has become a huge part of my work. I study how they fail, what causes the underlying issues, how those bad decisions could be exploited and what makes applications, devices and other things, tick. I am truly a student and professor of entropy.

You too can participate in these exercises. Tons of new tools are available to fuzz a variety of things, or you could choose to write your own fuzzers (this was a very worthwhile thing for me and led me to create “Defensive Fuzzing”, which is the core of the HornetPoint defensive tools; patent pending).

Here is a quick list of some books, papers and tools that you might want to explore if you are interested in playing with and learning from these techniques:

Fuzz testing – Wikipedia, the free encyclopedia

Ethical Hacking and Penetration Testing: Fuzzers – The ultimate list

Fuzzing – OWASP

Amazon.com: Fuzzing: Brute Force Vulnerability Discovery: Michael …

22C3: Fuzzing

Wfuzz – A Tool for Bruteforcing/Fuzzing Web Applications | Darknet …

These links should give you plenty of materials and links to tools. I would highly encourage any security folks to set up a small lab, try the tools and just learn a bit about breaking applications. You will be surprised at how easy it is and how much insight it will give you into information security. Give it a shot and let me know how it goes!
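To make the “write your own fuzzers” suggestion concrete, here is a small mutation-based fuzzer, added as an example rather than code from the post or from HornetPoint. Both the toy record format ([length][payload][checksum]) and the deliberately fragile parser are constructed for this example; the point is the harness: mutate a known-good seed, feed each mutant to the code under test, treat the parser's own ValueError as a normal rejection, and record any other exception type as a finding.

```python
import random


def encode(payloads: list) -> bytes:
    """Build input in the constructed toy format: [len][payload][checksum] per record."""
    out = bytearray()
    for p in payloads:
        out.append(len(p))
        out += p
        out.append(sum(p) & 0xFF)
    return bytes(out)


def parse_records(data: bytes) -> list:
    """Fragile parser constructed for this example: it validates the payload
    length but reads the checksum byte without checking that it exists."""
    records = []
    i = 0
    while i < len(data):
        length = data[i]
        payload = data[i + 1:i + 1 + length]
        if len(payload) != length:
            raise ValueError("truncated payload")      # documented rejection path
        checksum = data[i + 1 + length]                # BUG: may be past the end of data
        if checksum != (sum(payload) & 0xFF):
            raise ValueError("bad checksum")           # documented rejection path
        records.append(payload)
        i += 2 + length
    return records


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, boundary byte, truncation or insertion."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:                       # flip a single bit
        pos = rng.randrange(len(buf))
        buf[pos] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:                     # overwrite with an interesting boundary value
        pos = rng.randrange(len(buf))
        buf[pos] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif choice == 2 and buf:                     # chop the tail off
        del buf[rng.randrange(len(buf)):]
    else:                                         # insert a random byte somewhere
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 0) -> dict:
    """Run `iterations` mutants of `seed` through `target`. Returns a map of
    unexpected exception type name -> first input that triggered it.
    A fixed rng_seed keeps runs reproducible, which matters when you triage."""
    rng = random.Random(rng_seed)
    findings = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue                              # expected, well-behaved rejection
        except Exception as exc:                  # anything else is a bug to look at
            findings.setdefault(type(exc).__name__, case)
    return findings


if __name__ == "__main__":
    seed = encode([b"hello", b"fuzz"])
    for name, case in fuzz(parse_records, seed, 2000).items():
        print(f"{name}: {case!r}")
```

Swap `parse_records` for any function that takes bytes and the harness stays the same; the interesting design decision is which exceptions you classify as “expected” (input rejected cleanly) versus findings, since a parser that rejects everything cleanly is the goal.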

More Toata Scans for a New RoundCube File

Last night, HITME began to pick up various sources scanning for a new file in the RoundCube Webmail product. The file “list.js” is being scanned for by the Toata bot, and low levels of port 80 scans matching these probes are ongoing. SANS and the project owners have been informed.

No exploitation has been observed by us thus far in relationship to these scans, but cataloging is ongoing. Intent of the attacker is currently unknown, as is the vulnerability, if any, present in the file.

Following are the signatures captured from one host:

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:41 on port 80
Alert Data: GET /rc/program/js/list.js HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Toata dragostea mea pentru diavola
Host: xx.xx.xx.xx
Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:39 on port 80
Alert Data: GET /roundcubemail/program/js/list.js HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Toata dragostea mea pentru diavola
Host: xx.xx.xx.xx
Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:38 on port 80
Alert Data: GET /roundcube/program/js/list.js HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Toata dragostea mea pentru diavola
Host: xx.xx.xx.xx
Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:36 on port 80
Alert Data: GET /webmail/program/js/list.js HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Toata dragostea mea pentru diavola
Host: xx.xx.xx.xx
Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:35 on port 80
Alert Data: GET /email/program/js/list.js HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Toata dragostea mea pentru diavola
Host: xx.xx.xx.xx
Connection: Close

Once again, users of RoundCube Webmail are urged to ensure they are doing additional levels of monitoring, staying current on all patches/updates and taking other precautions. Consider removing RoundCube from Internet exposure until these and other ongoing issues are mitigated.

Win7, Linux and the Future of the Desktop OS

First of all, I think one of the major reasons that Windows 7 will not “kill Linux on the Desktop” is cost. Quite honestly, unless they are going to make Windows 7 free, it might be popular enough to stall the spread of Linux on desktops in the developed world, but the rest of the world (the parts of the world where the next IT explosion will originate, because they are not already saturated) cannot afford to purchase the licenses and will continue to grow Linux as their leading OS. How important is Linux in the emerging world? Google for Linux news in Brazil, India and the Middle East and find out. Linux has become BOTH the server AND desktop OS of choice in many of those areas. In addition, schools are teaching Linux as part of the curriculum, so additional armies of Linux users will eventually come to bear on the market over the next decade. That is likely a force that cannot be derailed.

Second, I believe in open source. While the majority of users couldn’t care less about source and will never tweak their code, there is a core group of code geeks who will tweak stuff and play with things. These geeks will create improvement in the Linux desktop experience. The experience has been slowly and steadily improving over time. Don’t take my word for it; go back and download a VM of an early Ubuntu release and compare it to today. Ubuntu and the other open source Linux-based OS projects CONTINUALLY release new enhancements and upgrades that impact user experience. What releases have there been since Windows 98? XP, Vista and now Windows 7. How many releases of Ubuntu and other desktop environments have there been since the release of Windows 98? Basically, ALL OF THEM. Not to mention the fact that Ubuntu and the Linux movement aren’t dead. Just as they incorporated and learned from the powerful features of OS X, they will learn from, emulate and advance the experience in the future based on Windows 7 too. They will likely release a lot of changes over the next couple of years, even as Windows 7 reaches its mass market plateau. Likely, as they learn from and advance beyond it, the “stall” will end and Ubuntu and the Linux desktop “movement” will experience further growth. Face it, the model is just more efficient.

Third, the idea that users choose a desktop OS solely by features is ludicrous. The majority make their choice based on a combination of ease of use, brand familiarity, stability and PRICE. In the developed world, price might have less to do with it, and it is likely that ease of use and branding (“what I use at work and already know”) are the top considerations, followed by stability and price. But even in those decisions, Linux has made a huge improvement, and at such a rapid pace THAT IF IT CONTINUES AT THAT PACE, it will easily surpass Windows in terms of everything but branding by the time Windows 7 hits its plateau of saturation. Business adoption is the key here. The more businesses that put Linux on the desktop, the more people get familiar with it and begin to use it at home. Add to that equation the coming army of global young people who have been using Linux as their base of education and you see a rising tide. I think of Windows 7 not as death for Linux, but as the last Microsoft desktop OS that will enjoy HUGE MARKET OWNERSHIP. I see a continued splintering of the desktop into Windows, Linux and OS X, with easier sharing, integration and cross-platform collaboration in the future. Far from death, I see a market splinter where we reach some form of mutual equity, give or take small evangelic groups of BSD/Other/Netware+/Blah blah blah that ebb and flow. To demonstrate my point, I am sure Guy Kawasaki has no plans to switch from OS X to Windows 7 (nor do I), and I am sure Theo de Raadt is NOT going to dump OpenBSD anytime soon to become a Windows 7 user. Hardcore zealots will likely remain, but the majority of folks in the new “global economy” are likely to keep non-Windows OSs alive for a long, long time.

Next is the subject of netbooks. A lot seems to be riding on them in these OS wars. The problem is, I am just not convinced that netbooks will remain a dominant force in the marketplace. They are kind of on a “computing land bridge” between the hand-held devices that will evolve from smartphones and the real functionality and usability of a notebook/laptop. Given the reviews I have read about netbooks, it seems plausible that they may get swallowed into the sea as both sides of the land bridge exert pressure on them. Most folks say that they are just too physically small and lack the core power to be true notebook replacements, and as the smartphone evolution occurs, I just don’t see how this remains a viable long-term form factor, even in the emerging world. Thus anything that bets on netbooks in the Windows/Linux wars seems like an unsafe long-term bet to me. (Note: I just bought a Linux-based EEEPC to try, but have not used it yet.)

So as not to leave security out of this, a lot depends on how well Microsoft did with security in Windows 7. (I have not yet used it myself, so only speculation and review-based opinions here.) They made significant improvements in Vista and additional improvements are likely here too. Linux continues to have security issues as well, though they, too, seem to be improving (without any real metrics research on my part). All operating systems, though, face high levels of additional risk from all of the add-on apps and software users run on desktops. Part of what I think will be important in the future security of desktop systems is how they minimize the damage that a user-level compromise can do. How do they prevent escalation? How compartmentalized do they keep data? What detective and responsive controls do they build in to help compensate for bad user decisions? These are key elements in the future of desktop operating system selection. We all know, no matter how many posters we hang and meetings we hold, users continue to choose the dancing gnome or hamster bowling over security. They will click on bad links, visit naughty sites and make incredibly bad decisions. We just have to be ready for them and identify ways to minimize the risk those bad decisions pose to our information assets. What OS platforms would seem more capable of rapid evolution here? It seems to me that the many-minds, crowd-sourced model is much more likely to create improvements here in the short term, but you decide for yourself. Bottom line, the future of the desktop operating system is in “compromise tolerance”. You can quote me on that one.

So, there you go, my opinions on the future of Windows 7 as Linux desktop killer. Maybe you agree, maybe you disagree. Let me know. Maybe I am totally wrong and I will be completely surprised 10 years from now. I don’t think so, but it has happened before. As always, your mileage and paranoia may vary.

SANS Posts Info on Previous RoundCube Vulnerability

Looks like our work got more folks looking at RoundCube. SANS Storm Center has a posting that shows the exploit being used by attackers against the vulnerability in “html2text” that helpnetsecurity announced.

The RoundCube folks have already released patches and done code cleanup to remove this and other known issues, including the msgimport.sh scripts from previous versions.

If you are a RoundCube user, please upgrade. Scans have slowed for this issue, but are still present and active at low levels.

Thanks to everyone who helped on this and to the RoundCube Webmail project team for their friendly, open approach to solving the problems and their rapid attention. It is refreshing to work with developers who are focused on solutions instead of wanting to fight about the source of the problems. Hats off to them!

PHP Threats Continue to Rise But More Work & Education Could Help

Threats against web applications developed in PHP continue to be an area of high activity and interest for attackers. PHP applications now represent a significant portion of the web-application attack footprints we see in our HoneyPoint Internet Threat Monitoring Environment (HITME). PHP scans and probes for new and emerging vulnerabilities are a common occurrence and one of the driving forces behind our deployment of the HITME. Our unique insights into ongoing threat activities allow our vulnerability management and professional services clients to know that they are better protected, even against bleeding edge threats.

PHP security issues are so common that the folks at BreakingPoint Labs call it “one of the most commonly attacked pieces of software on the Internet today”. Even when deployed in so-called “safe mode”, PHP applications can still present a high level of risk. Until at least the release and wide-scale adoption of PHP 6, issues are likely to continue to abound, maybe even beyond that if the attacker underground has anything to say about it.

PHP security problems also represent a major portion of known web vulnerabilities, especially over the course of 2008. Syhunt, the makers of Sandcat Pro, a web application vulnerability scanner and partner to MSI, has even created Sandcat4PHP, a special source code scanner to help organizations proactively secure their PHP applications during development. Recently, Syhunt created these images that show the impact that PHP vulnerabilities are having on their work. PHP security issues represent an overwhelming margin of their work for the year.

All of this is not to say that PHP development is a bad thing. In fact, PHP-developed applications have empowered many new cutting edge applications, fueled the growth of web 2.0 and been a powerhouse for bringing average users the web maturity that they have come to expect. Combining the ease of PHP with the power of MySQL, Apache and other open source tools has become a virtual standard for the online world. PHP applications CAN BE DONE SECURELY; they just require additional work and effort to create secure code, just like any other language. The ease of PHP makes it a great language for learning development, but we, as a community, need to help even those budding developers among us learn the basics of creating secure code. Techniques like input validation, proper sanitization, strong authentication and role-based access controls need to be a core part of our outreach teaching to developers.

In the meantime, while education is being worked on, it might be a wise idea to take a look around your environment and audit any PHP applications in production or planned for use in the near future. Additional work, tools or monitoring may be required to better handle the risk you find. Let us know if we can be of any help or if you desire additional insight into PHP security problems. Keep your eyes on PHP, though; its powerful, flexible capabilities make it a big player in the future of the web!

** Have feedback on this post? Please feel free to leave a comment, drop me a line via email or send me a tweet to @lbhuston on twitter. Thanks for reading! **

Round Cube Webmail Probes Spreading Rapidly

Our HoneyPoint Security Server deployment has identified a set of 0-day scans and probes against the Round Cube Webmail system.

The probes are originating from infected Linux systems worldwide and appear to be spreading rapidly. Infection of systems via a bot-net client or other form of malware is likely. The extent of compromise is currently unknown, but complete compromise or escalation to complete compromise may be possible.

Research and work with the developers is ongoing. Users of Round Cube Webmail systems should take steps to remove their systems from Internet access and/or implement additional controls for monitoring and protection. Removal of the msgimport.sh script file is highly encouraged, though additional entry points may emerge in the future.

New versions of the application may not have the msgimport.sh file present.

The current version of the attack is probing for the following files:

/nonexistenshit

/mail/bin/msgimport

/bin/msgimport

/rc/bin/msgimport

/roundcube/bin/msgimport

/webmail/bin/msgimport
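The path list above and the Toata “list.js” alerts in the earlier post are exactly the kind of data a defender wants to match automatically. The following is an added example, not HoneyPoint code: it parses alert records in the text format those posts show (“XXX” stands in for the redacted console name), matches the request path against the RoundCube probe paths from both posts, flags the Toata User-Agent, and rolls the hits up per source IP. The sample alert text is constructed for this example; it reuses the observed 88.191.50.206 source from the Toata post alongside documentation addresses (192.0.2.10, 198.51.100.7) that are not observed sources, and one request carries the double “//” noted in the update below so the path normalisation is exercised.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the HITME alert text format shown in the Toata post.
SAMPLE_ALERTS = """
XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:41 on port 80
Alert Data: GET /rc//program/js/list.js HTTP/1.1
Accept: */*
User-Agent: Toata dragostea mea pentru diavola
Host: xx.xx.xx.xx
Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:38 on port 80
Alert Data: GET /roundcube/program/js/list.js HTTP/1.1
User-Agent: Toata dragostea mea pentru diavola
Host: xx.xx.xx.xx

XXX received an alert from 192.0.2.10 at 2009-01-16 02:10:07 on port 80
Alert Data: GET /webmail/bin/msgimport HTTP/1.1
User-Agent: Mozilla/4.0
Host: xx.xx.xx.xx

XXX received an alert from 198.51.100.7 at 2009-01-16 02:11:00 on port 80
Alert Data: GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0
Host: xx.xx.xx.xx
"""

ALERT_RE = re.compile(
    r"^XXX received an alert from (\S+) at (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) on port (\d+)$")
REQUEST_RE = re.compile(r"^Alert Data: (\S+) (\S+) HTTP/\d\.\d$")

# Probe paths from the two RoundCube posts. Matching is done on the path suffix
# so every install-directory guess (/rc, /roundcube, /webmail, ...) is covered.
ROUNDCUBE_PATHS = ("/program/js/list.js", "/bin/msgimport", "/bin/msgimport.sh")
TOATA_UA = "Toata dragostea mea pentru diavola"


def parse_alerts(text: str) -> list:
    """Split the console text into one dict per alert: src, time, port, method, path, headers."""
    alerts, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if m:
            current = {"src": m.group(1),
                       "time": datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S"),
                       "port": int(m.group(3)), "headers": {}}
            alerts.append(current)
            continue
        if current is None:
            continue                                   # text before the first record
        m = REQUEST_RE.match(line)
        if m:
            current["method"], current["path"] = m.group(1), m.group(2)
        elif ":" in line:
            name, value = line.split(":", 1)
            current["headers"][name.strip().lower()] = value.strip()
    return alerts


def classify(alert: dict) -> list:
    """Names of the signatures this alert matches (empty list if none)."""
    hits = []
    path = re.sub(r"/{2,}", "/", alert.get("path", ""))   # collapse the Toata "//" typo
    if path.endswith(ROUNDCUBE_PATHS):
        hits.append("roundcube-probe")
    if TOATA_UA in alert["headers"].get("user-agent", ""):
        hits.append("toata-bot")
    return hits


def summarize(alerts: list) -> dict:
    """Per source IP: the distinct paths it probed and which signatures fired."""
    summary = defaultdict(lambda: {"paths": set(), "signatures": set()})
    for alert in alerts:
        hits = classify(alert)
        if hits:
            summary[alert["src"]]["paths"].add(alert["path"])
            summary[alert["src"]]["signatures"].update(hits)
    return dict(summary)


if __name__ == "__main__":
    for src, info in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(src, sorted(info["signatures"]), sorted(info["paths"]))
```

Matching on the path suffix rather than the full path is deliberate: the bots try many install directories for one file, and a new directory guess should not require a new rule. The benign `/index.html` request from 198.51.100.7 produces no hit, so it never appears in the summary.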

Our HoneyPoint deployment has been reconfigured to trap additional data about this threat, and additional information may be available soon. The MSI technical team is working with our clients to ensure they are protected against this and other emerging threats. Our threat detection capability, provided to us by our HoneyPoint line of products, gives us uniquely deep insight and visibility into bleeding edge threats. As always, we strive to use that knowledge to protect our clients and the Internet at large.

More information can be found on this issue by following @lbhuston and/or @honeypoint on Twitter. You can also check back on our blog or schedule a call with one of our team members if you have additional needs.

** Update: at around 2:30pm Eastern, the “Toata” bot-net added the signature to its scans as well. In less than 24 hours there are now at least 2 known bot-nets scanning for the issue. Any bets on how long it will take before “morfeus” scans for it too??? Also, note that the URL request from “Toata” has a double // typo in it….

** Another Update: Syhunt has added tests to Sandcat for the issue. They are now available via update mechanism for clients.

Best Practices for Certificate Expiration

Today, I was asked by a client to look at best practices for digital certificates, such as X.509 and the like. I extended that research to include all types of encryption certificates, SSL/code signing, etc.

Basically, there was a dearth of best practice information available for setting the expiration dates on certs issued for various purposes.

We found a wealth of mentions in PCI, FFIEC, FDIC, NCUA, HIPAA, NIST and other guidance about checking to make sure that expiration dates were valid, reasonable and such, but no real guidance for what “reasonable” is or anything to cite to make a statement that your approach and processes fit the reasonable judgement. There were plenty of guidance sources on checking authenticity of certs, vendor selection and all of that, but little to help organizations in their attempts to define reasonable best practices for how long certs should live once issued.

Our next step was to take a look at the practices of some of the leading certificate vendors and see if we could establish a consensus from their approaches. Quick checks into their process revealed the following:

The major certificate vendors (Verisign, Thawte, etc.) issue certificates with a maximum life span of 2-3 years for most purposes. They explained that this minimized the overhead management work for them while establishing enough care for cryptographic changes (this doesn’t happen, right? MD5 nightmare, anyone?), organizational changes and churn in their client base. Secondary vendors (Comodo, RapidSSL, GlobalSign, etc.) in this arena issue certificates for a maximum of 5 years. It appears that they are willing to extend trust a little further to minimize their workload/overhead in management of the certs and processes.

Generally speaking, after reviewing this data, the various standards and processes and the mechanisms that the “big boys” use, I would offer the following as a best practice for setting up expirations on certificates in general.

The best practice for establishing expiration dates on certificates should be two years with a hard set maximum of five years. Two years should be the established baseline for processes and organizations with any increases (up to a maximum of five years) requiring appropriate risk assessment/acceptance from responsible parties in an organization.
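A way to turn that two-year baseline and five-year hard maximum into something an audit can run, added here as an example and not part of the post: classify each certificate's validity period as compliant, needing documented risk acceptance, or out of policy. It reads the `notBefore=` / `notAfter=` lines that `openssl x509 -noout -dates` prints, and the year arithmetic is leap-year-aware so a certificate issued on Feb 29 is not flagged by a naive “730 days” comparison. The certificate names and dates are constructed for this example.

```python
from datetime import datetime

BASELINE_YEARS = 2   # established baseline from the post
MAXIMUM_YEARS = 5    # hard maximum; anything longer is out of policy


def add_years(when: datetime, years: int) -> datetime:
    """Leap-year-safe: Feb 29 rolls back to Feb 28 when the target year has no Feb 29."""
    try:
        return when.replace(year=when.year + years)
    except ValueError:
        return when.replace(year=when.year + years, day=28)


def parse_openssl_date(line: str) -> datetime:
    """Parse a 'notBefore=...' or 'notAfter=...' line as printed by `openssl x509 -noout -dates`."""
    _, _, value = line.partition("=")
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")


def assess_lifetime(not_before: datetime, not_after: datetime) -> str:
    """Map a validity period onto the post's policy tiers."""
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    if not_after <= add_years(not_before, BASELINE_YEARS):
        return "compliant"
    if not_after <= add_years(not_before, MAXIMUM_YEARS):
        return "needs-risk-acceptance"      # allowed only with documented sign-off
    return "exceeds-maximum"                # reissue with a shorter lifetime


def audit(certs: dict) -> dict:
    """certs: name -> (notBefore line, notAfter line) as openssl prints them."""
    return {name: assess_lifetime(parse_openssl_date(nb), parse_openssl_date(na))
            for name, (nb, na) in certs.items()}


# Constructed inventory, not real certificates.
SAMPLE_CERTS = {
    "www (2y)":     ("notBefore=Jan  1 00:00:00 2009 GMT", "notAfter=Jan  1 00:00:00 2011 GMT"),
    "vpn (3y)":     ("notBefore=Jan  1 00:00:00 2009 GMT", "notAfter=Jan  1 00:00:00 2012 GMT"),
    "legacy (10y)": ("notBefore=Jan  1 00:00:00 2009 GMT", "notAfter=Jan  1 00:00:00 2019 GMT"),
    "leap (2y)":    ("notBefore=Feb 29 12:00:00 2008 GMT", "notAfter=Feb 28 12:00:00 2010 GMT"),
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CERTS).items():
        print(f"{name:14s} {verdict}")
```

In practice the inventory would be filled from `openssl x509 -in cert.pem -noout -dates` over each certificate store; the policy tiers are the only thing an organisation needs to adjust if its risk assessment lands on different numbers.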

I hope this helps folks who are working on establishing certificate systems and other processes in their organizations. If you disagree with my approach or work, please let me know. I am always open to comments via the blog or @lbhuston on Twitter. Thanks for reading!

Security Tips for a Safer 2009

2008 is quickly evaporating and 2009 is on the horizon. The first few days of the new year always feel fresh, like a newly washed blackboard, ready for new thoughts and ideas. This is an excellent time to plan how you want to secure your organization’s most precious and sensitive data. Here are a few ideas:

  1. Protection – Start a spreadsheet log that not only lists all your electronic assets (laptops, mobile phones) but the names and dates of who has them. This will save you the stress of trying to figure out who had the laptop last week.
  2. Destruction – Do you regularly shred? Do you have a schedule to keep you on track to regularly shred? Don’t let dumpster diving thieves get your data. Shred and shred often.
  3. Cell Phone Mania – The ubiquitous cell phone is often in danger simply because of the sensitive information that is on it. Think of a pop star’s cell phone getting stolen and everyone prank called. Now think of a thief getting a cell phone and snagging the credit card information of a new client. Get your stable of cell phones password-protected and avoid keeping financial or private information on them.
  4. Information – It’s all about the data. As much as you may suffer from information-overload, it’s important to take stock of what exactly is on a laptop in case it is lost. Make lists and check on them regularly for updates.
  5. Out with the old, in with the new – Whenever you buy new equipment and toss the old, don’t allow it to sit collecting dust in the back room. If your organization experienced a burglary, there would be a serious breach of confidentiality if those old hard drives were stolen. Find a reputable company to dispose of your outdated equipment safely and efficiently.

Employ some or all of these tips, and your organization is guaranteed to have a much safer 2009!

Correction: Twitter API Does Have SSL Support!

Previously, I wrote about the supposed lack of SSL/HTTPS support in the Twitter API. However, thanks to Tony pointing me in the right direction, I DID find support for HTTPS in the API and have since updated my own tool (released by me as freeware and not associated with MSI) to use it.

For those of you who are interested, you can find the new release of TweetCLI 1.10 that supports updates via HTTPS here:

Windows, Linux, OS X versions.

Thanks to everyone that uses it and feel free to let me know your thoughts and feelings on twitter @lbhuston.

The new version should work as a simple replacement in the previously released HPSS plugin.

You can also subscribe to a “bad touches” feed from some of our Internet exposed HoneyPoints around the world. We are publishing source IP and destination ports only currently, as we work on ways to publish the payloads we get in some manner as well. More on that in the future. The current “bad touches” feed is @honeypoint.

Apologies to twitter for the SSL issue. Additions to the API documentation to show HTTPS examples as the default would be much appreciated.

Hope everyone is having a wonderful holiday season. Thanks for reading and we look forward to more infosec news and research in the future.

New Twitter Feed of “Bad Touches” Available

For those of you interested in security, black listing or HoneyPoint stuff, check this out.

I used the TweetCLI tool I blogged about earlier to write a HoneyPoint Security Server plugin. The plugin fires for each event and tweets the attacker IP and source port that the deployed HoneyPoints covered by this console saw.

There are several hosts and networks reporting HoneyPoint alerts to this console. All of these HoneyPoints are Internet exposed, so you should be able to see some basic sources of scans, probes and malware attacks.

I am not presently publishing the payloads, though I may in other ways in the future or show aggregate data in some manner.

The basis for the “bad touches” is that these are hosts and ports not truly offering any services, thus any interaction with them could be considered suspicious at best and malicious at worst. An IP address will only be tweeted once per 24 hour period currently, regardless of the amount of interaction it has with HoneyPoints reporting to this console.
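The once-per-24-hours rule above is the piece of the plugin most worth getting right, since a noisy scanner can hit many HoneyPoints in a minute. The following is an added example of that suppression logic, not the actual HPSS plugin or TweetCLI code: it keys on source IP, publishes the first touch, swallows further touches from that source until the window has elapsed, and prunes stale entries so the table does not grow forever. The field names, the 192.0.2.x sources and the timestamps are constructed for this example; it publishes the HoneyPoint port that was touched, as the “bad touches” description in the TweetCLI post above puts it.

```python
from datetime import datetime, timedelta
from typing import Optional


class BadTouchFeed:
    """Publish at most one line per source IP per window (24h in the post),
    no matter how many HoneyPoints that source touches in the meantime."""

    def __init__(self, window: timedelta = timedelta(hours=24)):
        self.window = window
        self._last_published = {}   # src_ip -> time of the last published touch
        self.suppressed = 0         # touches swallowed by the once-per-window rule

    def handle(self, src_ip: str, dst_port: int, when: datetime) -> Optional[str]:
        """Return the line to publish, or None if this source was already published in-window."""
        last = self._last_published.get(src_ip)
        if last is not None and when - last < self.window:
            self.suppressed += 1
            return None
        self._last_published[src_ip] = when
        return f"bad touch from {src_ip} on port {dst_port}"

    def prune(self, now: datetime) -> int:
        """Forget sources whose window has elapsed; returns how many were dropped."""
        stale = [ip for ip, t in self._last_published.items() if now - t >= self.window]
        for ip in stale:
            del self._last_published[ip]
        return len(stale)


def replay(events: list, feed: Optional[BadTouchFeed] = None) -> list:
    """Run (src_ip, dst_port, when) events through a feed; return the lines it would publish."""
    feed = feed or BadTouchFeed()
    published = []
    for src_ip, dst_port, when in events:
        line = feed.handle(src_ip, dst_port, when)
        if line:
            published.append(line)
    return published


# Constructed event stream (documentation addresses, invented times).
T0 = datetime(2009, 1, 16, 0, 0, 0)
SAMPLE_EVENTS = [
    ("192.0.2.10", 22,   T0),
    ("192.0.2.10", 80,   T0 + timedelta(hours=1)),    # same source, inside window: suppressed
    ("192.0.2.44", 445,  T0 + timedelta(hours=2)),
    ("192.0.2.10", 8080, T0 + timedelta(hours=23)),   # still inside the window: suppressed
    ("192.0.2.10", 22,   T0 + timedelta(hours=25)),   # window elapsed: published again
]

if __name__ == "__main__":
    feed = BadTouchFeed()
    for line in replay(SAMPLE_EVENTS, feed):
        print(line)
    print(f"{feed.suppressed} touches suppressed")
```

Note that a suppressed touch does not reset the window; the timer runs from the last published event, which is what makes a persistent scanner show up once a day rather than never.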

You can watch the stream via the web at http://www.twitter.com/honeypoint or by following @honeypoint on twitter. There could be a lot of tweets depending on attack traffic, so know that up front.

Please let me know if you like the feed, any plans or ways you can think of that it might be helpful to you or other feedback. We are offering this up to the community and we hope that it is helpful to those interested in HoneyPoints, security trending and/or black list generation.

Let me know your thoughts and thanks for reading!