Round Cube Webmail Probes Spreading Rapidly

Our HoneyPoint Security Server deployment has identified a set of 0-day scans and probes against the Round Cube Webmail system.

The probes originate from infected Linux systems worldwide and appear to be spreading rapidly. Infection of the scanning systems via a bot-net client or other form of malware is likely. The extent of compromise a successful probe yields is currently unknown, but complete compromise, or escalation to complete compromise, may be possible.

Research and work with the developers are ongoing. Users of Round Cube Webmail systems should remove their systems from Internet access and/or implement additional controls for monitoring and protection. Removing the msgimport.sh script file is highly encouraged, though additional entry points may emerge in the future.

New versions of the application may not have the msgimport.sh file present.

The current version of the attack is probing for the following files:

/nonexistenshit
/mail/bin/msgimport
/bin/msgimport
/rc/bin/msgimport
/roundcube/bin/msgimport
/webmail/bin/msgimport
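A way to spot these probes in your own web-server logs, as an added example that is not from the post or the HoneyPoint product: it parses Apache/nginx combined-format access-log lines, groups hits on the paths above by source IP, and highlights any request that was answered with something other than 404 (the case worth investigating). The log lines and IPs are constructed for the demo.

```python
"""Flag access-log requests for the Roundcube msgimport probe paths listed above.
Added example, not from the post or the HoneyPoint product: it parses
Apache/nginx combined-format lines, groups hits by source IP and highlights
any answered with a status other than 404. The log lines are constructed."""
import re
from collections import defaultdict

# Paths from the post. Scanners request /nonexistenshit first to learn whether
# the server answers 200 to everything, so a later 200 for msgimport is meaningful.
PROBE_PATHS = {
    "/nonexistenshit",
    "/mail/bin/msgimport",
    "/bin/msgimport",
    "/rc/bin/msgimport",
    "/roundcube/bin/msgimport",
    "/webmail/bin/msgimport",
}

# Apache/nginx combined log format: ip ident user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def normalize_path(path):
    """Drop the query string and collapse repeated slashes, so the
    double-slash variant noted in the update still matches."""
    return re.sub(r"/{2,}", "/", path.split("?", 1)[0])

def parse_line(line):
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = normalize_path(rec["path"])
    rec["status"] = int(rec["status"])
    return rec

def find_msgimport_probes(lines):
    """Return {ip: {"paths": [...], "non_404": [(path, status), ...]}}."""
    hits = defaultdict(lambda: {"paths": [], "non_404": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in PROBE_PATHS:
            continue
        hits[rec["ip"]]["paths"].append(rec["path"])
        if rec["status"] != 404:
            hits[rec["ip"]]["non_404"].append((rec["path"], rec["status"]))
    return dict(hits)

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Dec/2008:10:01:02 -0500] "GET /nonexistenshit HTTP/1.0" 404 209',
    '203.0.113.7 - - [30/Dec/2008:10:01:03 -0500] "GET /mail/bin/msgimport HTTP/1.0" 404 209',
    '203.0.113.7 - - [30/Dec/2008:10:01:03 -0500] "GET /roundcube/bin/msgimport HTTP/1.0" 200 512',
    '198.51.100.9 - - [30/Dec/2008:10:05:44 -0500] "GET //webmail/bin/msgimport HTTP/1.0" 404 209',
    '192.0.2.33 - - [30/Dec/2008:10:06:00 -0500] "GET /webmail/index.php HTTP/1.1" 200 8431',
]

if __name__ == "__main__":
    for ip, info in sorted(find_msgimport_probes(SAMPLE_LOG).items()):
        print(ip, info)
```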

Our HoneyPoint deployment has been reconfigured to trap additional data about this threat and additional information may be available soon. The MSI technical team is working with our clients to ensure they are protected against this and other emerging threats. Our threat detection capability, provided to us by our HoneyPoint line of products gives us uniquely deep insight and visibility into bleeding edge threats. As always, we strive to use that knowledge to protect our clients and the Internet at large.

More information can be found on this issue by following @lbhuston and/or @honeypoint on Twitter. You can also check back on our blog or schedule a call with one of our team members if you have additional needs.

** Update: At around 2:30pm Eastern, the “Toata” bot-net added the signature to its scans as well. In less than 24 hours there are now at least 2 known bot-nets scanning for the issue. Any bets on how long it will take before “morfeus” scans for it too? Also, note that the URL request from “Toata” has a double // typo in it.

** Another Update: Syhunt has added tests for the issue to Sandcat. They are now available to clients via the update mechanism.

Best Practices for Certificate Expiration

Today, I was asked by a client to look at best practices for digital certificates, such as X.509 and the like. I extended that research to include all types of encryption certificates, SSL/code signing, etc.

Basically, there was a dearth of best practice information available for setting the expiration dates on certs issued for various purposes.

We found a wealth of mentions in PCI, FFIEC, FDIC, NCUA, HIPAA, NIST and other guidance about checking to make sure that expiration dates were valid, reasonable and such, but no real guidance for what “reasonable” is or anything to cite to make a statement that your approach and processes fit the reasonable judgement. There were plenty of guidance sources on checking authenticity of certs, vendor selection and all of that, but little to help organizations in their attempts to define reasonable best practices for how long certs should live once issued.

Our next step was to take a look at the practices of some of the leading certificate vendors and see if we could establish a consensus from their approaches. Quick checks into their process revealed the following:

The major certificate vendors (Verisign, Thawte, etc.) issue certificates with a maximum life span of 2-3 years for most purposes. They explained that this minimized the overhead management work for them while establishing enough care for cryptographic changes (this doesn’t happen right? MD5 nightmare anyone, anyone?), organizational changes and churn in their client base. Secondary vendors (Comodo, RapidSSL, GlobalSign, etc.) in this arena issue certificates for a maximum of 5 years. It appears that they are willing to extend trust a little further to minimize their workload/overhead in management of the certs and processes.

Generally speaking, after reviewing this data, the various standards and processes and the mechanisms that the “big boys” use, I would offer the following as a best practice for setting up expirations on certificates in general.

The best practice for certificate expiration dates should be two years, with a hard maximum of five years. Two years should be the established baseline for processes and organizations, with any increase (up to the maximum of five years) requiring appropriate risk assessment and acceptance from responsible parties in the organization.
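A check that applies this policy to a certificate's validity period, as an added example that is not from the post: it works on the dict shape Python's ssl.SSLSocket.getpeercert() returns, so the same function can be pointed at a live server's certificate; the certificates and the 30-day renewal buffer below are constructed assumptions.

```python
"""Check a certificate's validity period against the policy above: two-year
baseline, five-year hard maximum, risk acceptance required in between.
Added example, not from the post. Input is the dict shape returned by Python's
ssl.SSLSocket.getpeercert(), so a live server's cert can be checked the same
way; the certificates below are constructed."""
import ssl
from datetime import datetime, timezone

BASELINE_YEARS = 2           # default lifetime, no sign-off needed
HARD_MAX_YEARS = 5           # never exceed, even with risk acceptance
RENEWAL_WARNING_DAYS = 30    # assumed operational buffer, not from the post

def _parse(cert_time):
    # getpeercert() gives e.g. 'Dec 30 00:00:00 2008 GMT'; cert_time_to_seconds()
    # understands that format and returns a POSIX timestamp.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def _add_years(dt, years):
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:       # Feb 29 start date, non-leap target year
        return dt.replace(year=dt.year + years, day=28)

def assess_validity(cert, now=None):
    """Classify the lifetime: 'baseline' (<= 2 years), 'risk-acceptance'
    (<= 5 years, needs documented sign-off) or 'exceeds-maximum'."""
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    now = now or datetime.now(timezone.utc)
    if not_after <= _add_years(not_before, BASELINE_YEARS):
        verdict = "baseline"
    elif not_after <= _add_years(not_before, HARD_MAX_YEARS):
        verdict = "risk-acceptance"
    else:
        verdict = "exceeds-maximum"
    days_left = (not_after - now).days
    return {
        "subject": {k: v for rdn in cert.get("subject", ()) for k, v in rdn},
        "lifetime_days": (not_after - not_before).days,
        "verdict": verdict,
        "days_left": days_left,
        "expired": now > not_after,
        "renew_soon": 0 <= days_left <= RENEWAL_WARNING_DAYS,
    }

# Constructed certificates (not real), in getpeercert() form.
TWO_YEAR_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "notBefore": "Jan 10 00:00:00 2008 GMT",
    "notAfter": "Jan 10 00:00:00 2010 GMT",
}
SEVEN_YEAR_CERT = {
    "subject": ((("commonName", "legacy.example.com"),),),
    "notBefore": "Jan 10 00:00:00 2005 GMT",
    "notAfter": "Jan 10 00:00:00 2012 GMT",
}
CHECKPOINT = datetime(2008, 12, 30, tzinfo=timezone.utc)   # fixed 'now' for the demo

if __name__ == "__main__":
    for cert in (TWO_YEAR_CERT, SEVEN_YEAR_CERT):
        print(assess_validity(cert, now=CHECKPOINT))
```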

I hope this helps folks who are working on establishing certificate systems and other processes in their organizations. If you disagree with my approach or work, please let me know. I am always open to comments via the blog or @lbhuston on Twitter. Thanks for reading!

Book Review: The Handbook of Information and Computer Ethics

Another serious textbook, The Handbook of Information and Computer Ethics is an ambitious, in-depth look at the dizzying playground where technology meets human behavior. The book is a compilation of essays by various professors of philosophy and technology, offering their take on issues such as privacy and anonymity, hacking, and responsibility and risk assessment.

The editors, Kenneth E. Himma and Herman T. Tavani, explore the relationship between the internet and one’s ability to co-exist with it ethically. Himma especially has an interesting definition of the term “hacker” and ponders whether the concept of trespassing means the same as the term “digital intrusion.”

The chapter on responsibilities for information on the internet is challenging in questioning who truly owns it. Another chapter explores the issue of Software Development Impact Statements (SoDIS). It is a fascinating book. For $100 (on sale at Amazon!), you can stretch your mind with all types of scenarios. A great book to pass along to your network staff.

Security Tips for a Safer 2009

2008 is quickly evaporating and 2009 is on the horizon. The first few days of the new year always feel fresh, like a newly washed blackboard, ready for new thoughts and ideas. This is an excellent time to plan how you want to secure your organization’s most precious and sensitive data. Here are a few ideas:

  1. Protection – Start a spreadsheet log that not only lists all your electronic assets (laptops, mobile phones) but the names and dates of who has them. This will save you the stress of trying to figure out who had the laptop last week.
  2. Destruction – Do you regularly shred? Do you have a schedule to keep you on track to regularly shred? Don’t let dumpster-diving thieves get your data. Shred and shred often.
  3. Cell Phone Mania – The ubiquitous cell phone is often in danger simply because of the sensitive information that is on it. Think of a pop star’s cell phone getting stolen and everyone prank called. Now think of a thief getting a cell phone and snagging the credit card information of a new client. Get your stable of cell phones password-protected and avoid keeping financial or private information on them.
  4. Information – It’s all about the data. As much as you may suffer from information-overload, it’s important to take stock of what exactly is on a laptop in case it is lost. Make lists and check on them regularly for updates.
  5. Out with the old, in with the new – Whenever you buy new equipment and toss the old, don’t allow it to sit collecting dust in the back room. If your organization experienced a burglary, there would be a serious breach of confidentiality if those old hard drives were stolen. Find a reputable company to dispose of your outdated equipment safely and efficiently.

Employ some of these tips or all, and your organization is guaranteed to have a much safer 2009!

Playing with Plugins for HoneyPoint

I have been playing with various plugins lately for HoneyPoint. In this case, I wanted to show the output of two plugins I am playing with currently.

The first one is the TweetCLI plugin that I have written about before. In this example, I am going to show an event that has come in and what the plugins did for me.

The TweetCLI plugin posted the following to the @HoneyPoint feed on Twitter:

Suspicious Activity Captured From: 41.205.122.150 on port 23

Then, the console also executed a plugin I lovingly call AutoPoke. It does a whois lookup of the address and performs a basic nmap TCP port scan of a few common ports. This produced the following output:

OrgName: African Network Information Center
OrgID: AFRINIC
Address: 03B3 - 3rd Floor - Ebene Cyber Tower
Address: Cyber City
Address: Ebene
Address: Mauritius
City: Ebene
StateProv:
PostalCode: 0001
Country: MU
ReferralServer: whois://whois.afrinic.net
NetRange: 41.0.0.0 - 41.255.255.255
CIDR: 41.0.0.0/8
NetName: NET41
NetHandle: NET-41-0-0-0-1
Parent:
NetType: Allocated to AfriNIC
NameServer: NS1.AFRINIC.NET
NameServer: NS-SEC.RIPE.NET
NameServer: NS.LACNIC.NET
NameServer: TINNIE.ARIN.NET
Comment:
RegDate: 2005-04-12
Updated: 2005-07-12
OrgAbuseHandle: GENER11-ARIN
OrgAbuseName: Generic POC
OrgAbusePhone: +230 4666616
OrgAbuseEmail: abusepoc@afrinic.net
OrgTechHandle: GENER11-ARIN
OrgTechName: Generic POC
OrgTechPhone: +230 4666616
OrgTechEmail: abusepoc@afrinic.net
# ARIN WHOIS database, last updated 2008-12-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Starting Nmap 4.68 ( http://nmap.org ) at 2008-12-30 xxx AST
Interesting ports on 41.205.122.150:
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp filtered telnet
25/tcp closed smtp
79/tcp closed finger
80/tcp filtered http
110/tcp closed pop3
135/tcp filtered msrpc
136/tcp closed profile
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp filtered netbios-ssn
443/tcp closed https
445/tcp filtered microsoft-ds
1433/tcp closed ms-sql-s
3389/tcp closed ms-term-serv
5800/tcp closed vnc-http
5801/tcp closed vnc-http-1
5900/tcp closed vnc
5901/tcp closed vnc-1
6666/tcp closed irc
6667/tcp closed irc
6668/tcp closed irc
6669/tcp closed irc
Nmap done: 1 IP address (1 host up) scanned in 2.330 seconds

This output is kind of fun (at least to me) to watch. I get real time info about where scans and probes are coming from. I also get real time port info from the scanning hosts. Over time, this gives me some pretty interesting insight into common postures of hosts that appear to be compromised or infected.

In this case, this particular host was interesting because of its source. Our global HoneyPoint deployments don’t see too many offending hosts from this particular region. Over time, if I see more activity originating from there or the like, then I can decide whether the threat levels in that area are increasing, but nonetheless, even this first one is interesting. A quick review of the host shows a likely vulnerable ssh deployment, which may indicate that the host is compromised and/or bot-net infected. Of course, this is all supposition, but interesting (to me) anyway.

Now you know how I spend my time. I love to watch the ebb and flow of attacks, probes and scans. I like to know the sources and virtual “look and feel” of the victim systems. I suppose that is where many of the capabilities in HoneyPoint come from. I think they are just toys that I would like to play with, thus they end up in the product. Do you have some plugins you would like to see or some new HoneyPoint toys or functions you would enjoy? If so, drop me a line. We are working on the plans for HPSS 3.xx as we speak, so now would be a great time to hear a want list from the public!

Thanks for reading!

Correction: Twitter API Does Have SSL Support!

Previously, I wrote about the supposed lack of SSL/HTTPS support in the Twitter API. However, thanks to Tony for pointing me in the right direction, I DID find support for HTTPS in the API and I have since updated my own tool (released by me as freeware and not associated with MSI) to use it.

For those of you who are interested, you can find the new release of TweetCLI 1.10 that supports updates via HTTPS here:

Windows, Linux, OS X versions.

Thanks to everyone that uses it and feel free to let me know your thoughts and feelings on twitter @lbhuston.

The new version should work as a simple replacement in the previously released HPSS plugin.

You can also subscribe to a “bad touches” feed from some of our Internet exposed HoneyPoints around the world. We are publishing source IP and destination ports only currently, as we work on ways to publish the payloads we get in some manner as well. More on that in the future. The current “bad touches” feed is @honeypoint.

Apologies to twitter for the SSL issue. Additions to the API documentation to show HTTPS examples as the default would be much appreciated.

Hope everyone is having a wonderful holiday season. Thanks for reading and we look forward to more infosec news and research in the future.

Giving for the Holidays

Now is the time when many folks open their hearts and their wallets to help others. At MSI, I am proud to say that we do this all year. This year alone we have worked on gathering and donating old cell phones for the Central Ohio Choices program, made donations to the One Laptop Per Child organization, donated our services to a group of non-profits and charities working to make the world a better place and performed various other functions. I am so very proud to lead a team of individuals who are fully committed to the goals of many of these organizations and who routinely work to improve the lives of others, the environment and our future.

Information security and technology aside, I wanted to take a few moments and give links to some very deserving organizations in my book. Of course, there are a ton of organizations out there, many are very very dedicated and do wonderful work. Organizations like the Red Cross/Red Crescent and so many others are deserving of your support year round, but here is a quick list of special organizations I hope you will support this year and in the future.

(RED) – This organization is fighting desperately to overcome the tragedy of HIV/AIDS. You can help by buying products with their logo, which will donate an amount of the sale to the cause.

Heifer – They provide animals and other micro-farming capabilities to emerging nations. Their tradition of passing new born animals back into the program is one of the greatest ideas ever!

Of course, One Laptop Per Child, who is taking measures to educate the youth of the world. Their “give one, get one” program is simply amazing. Try this, give one to the program and take the get one to a local school or pre-school and donate it too. Or, choose a neighbor or someone with children who could benefit from the technology. It is a great way to help.

Then there is Charity:Water , who is fighting to bring clean, safe drinking water to the world. Believe me, we will all need this in the future. The world could be a very different place in the future.

There are tons more I wish I could cover: dog shelters, Animal Rights Aruba, various anti-poverty and disease research groups, etc. The nice thing about charity today is that there are so many ways to give and so many organizations to support that everyone can find the right one to fit their own moral, religious and social compass. Just picking one is the first step. Hopefully, this quick list will get you started, or at least thinking about it.

We will now resume our regularly scheduled security banter. Thanks for reading, not just today, but all year long and everyone at MSI wishes you and yours a safe, peaceful and wonderful holiday season!

Holiday Reminder

Just a little holiday reminder. As we get nearer to popular holidays, we normally see an increase in malware attacks. Remember not to open any “e-cards” or other assorted potentially malicious email from random addresses, and closely examine any that appear to come from a trusted source, such as a co-worker.

New Twitter Feed of “Bad Touches” Available

For those of you interested in security, black listing or HoneyPoint stuff, check this out.

I used the TweetCLI tool I blogged about earlier to write a HoneyPoint Security Server plugin. The plugin fires for each event and tweets the attacker IP and source port that the deployed HoneyPoints covered by this console saw.

There are several hosts and networks reporting HoneyPoint alerts to this console. All of these HoneyPoints are Internet exposed, so you should be able to see some basic sources of scans, probes and malware attacks.

I am not presently publishing the payloads, though I may in other ways in the future or show aggregate data in some manner.

The basis for the “bad touches” is that these are hosts and ports not truly offering any services, thus any interaction with them could be considered suspicious at best and malicious at worst. An IP address will only be tweeted once per 24 hour period currently, regardless of the amount of interaction it has with HoneyPoints reporting to this console.
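The event-to-tweet logic described above, as an added example that is not the actual HoneyPoint plugin: each alert is formatted like the message shown in the earlier AutoPoke post (“Suspicious Activity Captured From: <ip> on port <n>”) and repeat announcements of the same source IP are suppressed for 24 hours regardless of how many HoneyPoints or ports it touches. Events are constructed and nothing is posted anywhere; the class and function names are this example's own.

```python
"""Publish-once-per-24h logic for a "bad touches" feed (added example, not
the real HoneyPoint plugin). Events are (src_ip, honeypoint_port, timestamp)
tuples constructed here; handle_event() returns the text that would be tweeted
or None when the source IP was already announced within the window."""
from datetime import datetime, timedelta

SUPPRESS_FOR = timedelta(hours=24)     # one announcement per IP per 24 hours

class BadTouchFeed:
    def __init__(self, suppress_for=SUPPRESS_FOR):
        self.suppress_for = suppress_for
        self._last_announced = {}      # src_ip -> time of last announcement

    def _expire(self, now):
        # Forget IPs whose window has elapsed so the table cannot grow forever.
        stale = [ip for ip, t in self._last_announced.items()
                 if now - t >= self.suppress_for]
        for ip in stale:
            del self._last_announced[ip]

    def handle_event(self, src_ip, port, when):
        """Return the message to publish, or None if the IP is still suppressed."""
        self._expire(when)
        if src_ip in self._last_announced:
            return None
        self._last_announced[src_ip] = when
        return f"Suspicious Activity Captured From: {src_ip} on port {port}"

def replay(events, feed=None):
    """Run (src_ip, port, timestamp) events through a feed; return the messages."""
    feed = feed or BadTouchFeed()
    messages = []
    for src_ip, port, when in events:
        msg = feed.handle_event(src_ip, port, when)
        if msg is not None:
            messages.append(msg)
    return messages

# Constructed events with documentation-range IPs (not real HoneyPoint data).
T0 = datetime(2008, 12, 30, 9, 0)
SAMPLE_EVENTS = [
    ("203.0.113.7", 23, T0),
    ("203.0.113.7", 22, T0 + timedelta(minutes=5)),   # same IP, other port: suppressed
    ("198.51.100.9", 445, T0 + timedelta(hours=1)),
    ("203.0.113.7", 23, T0 + timedelta(hours=24)),    # window elapsed: announced again
]

if __name__ == "__main__":
    for message in replay(SAMPLE_EVENTS):
        print(message)
```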

You can watch the stream via the web at http://www.twitter.com/honeypoint or by following @honeypoint on twitter. There could be a lot of tweets depending on attack traffic, so know that up front.

Please let me know if you like the feed, any plans or ways you can think of that it might be helpful to you or other feedback. We are offering this up to the community and we hope that it is helpful to those interested in HoneyPoints, security trending and/or black list generation.

Let me know your thoughts and thanks for reading!

Security of Secondary Financial Service Systems

In the US several “secondary financial services” exist. They range from check cashing/money transfer to short-term lenders and various other financial services. Many of these organizations also offer additional services like payroll check loans, check “floats”, tax preparation and a variety of other services. In many cases these organizations aim their marketing at immigrant workers, people sending money to foreign countries and the economically challenged.

Unlike traditional banks and credit unions, these organizations are loosely regulated, if at all. In many states few rules for their operation exist, and they certainly do not face the security and regulatory requirements of traditional financial services organizations. Several cases have been made about the predatory, aggressive and borderline criminal activities that seem to abound in this industry.

Recently, Panda, an anti-virus vendor, completed a study of the check-cashing businesses associated with this tier of financial services. Their study found that thousands of machines in these businesses were running out-of-date security software, including anti-virus trial versions. They observed more than 1500 machines running these out-of-date basic security tools. Of those, they found more than 60 percent to be actively infected by some form of malware. Eighty percent of the machines studied were actively being used to process financial transactions.

Basically, this demonstrates a true lack of concern for information security in this sector. By not providing for even the most basic of security functions, anti-virus, they leave the identity and financial data of their clients vulnerable to theft and tampering.

To make matters worse, in many locations in our state, Ohio, the check cashing organizations require a lot of information about you to obtain their services. Normal contact information, plus social security number, driver’s license and other identity details are often maintained in their databases. In more than one case of calling around various locales near us, several of the companies asked for a “client number” and, when pressed, we were told this was the same as our social security number and could be found on our “membership card”. Needless to say, the very fact that the SSN is being used so carelessly gave us more than a chill. We truly hope that those consumers choosing to use these organizations for financial services take note of the insecurity and risks to which they may be exposing themselves.

Ohio has just passed new laws to regulate the practices of these organizations and to prevent some of their more abusive tactics. Let’s hope that additional regulatory oversight and attention to information security is also coming for these businesses. Until then, they and the consumers who choose them, remain in the low hanging fruit category for cyber-criminals and identity thieves.