Book Review: Hacking Exposed: Linux Third Edition

ISECOM, the renowned research organization for security, has again “made sense” of securing a Linux network against attacks. The book is a thorough guide to understanding how to “separate the asset from the threat” and block hackers from playing in the ultimate playground of Linux.  The authors take you from the elements of security, to hacking the system, to hacking the users. 

What is particularly helpful are the case studies. If you or your company’s employees need to travel and access your company’s website via wireless connection, you’ll be especially interested in the case study in Chapter Eight, where a hacker tracks a signal to a hotel’s access point and creates legit-looking error pages in order to obtain the account information of the user. Also helpful are their usual attack and countermeasure icons, which further define how to pinpoint areas of risk.

Security teams looking to evaluate their areas of vulnerability within Linux will be forearmed with the powerful arsenal of preventative approaches covered in this edition. All of the material is new, based upon the most recent and thorough security research. The hacking and countermeasure techniques are based on the OSSTMM, the security testing standard, and cover all known attacks on Linux as well as how to prepare the system to repel unknown attacks. A pretty good buy for the $49.95 cost.

MS08-067 – The Worm That Wasn’t – Wait… Might Be?

So, the worm based on MS08-067 was rumored last week and now SANS confirms that the worm is spreading from at least one host. SANS is blaming 61.218.147.66. We also have seen scans from 208.23.24.52, 66.100.224.113, 97.89.26.99, 219.158.0.96, 88.178.18.41, 91.142.209.26, 189.20.48.210, 212.122.95.217, 131.118.74.244, 84.3.125.99, 81.57.69.99 and a ton more. Those started to increase dramatically starting this morning around 9:25 am Eastern and have continued throughout the day.

HoneyPoints on consumer bandwidth networks and commercial ISPs alike are picking up a spike in 445 scans and traffic.

Obviously, given the Metasploit framework’s improvement of the exploit in the last week or so and the myriad of proof of concept tools that have been filtering around the underground, the threat of a worm is a reality. Worm code was first announced several days ago, but seemed to fail to propagate, likely because port 445 is not reachable on most Internet connections. However, it appears that some victims have been found and have been slowly accumulating.

While we are not yet seeing the massive scans and probes associated with the worms of the past, we are beginning to see traffic levels that indicate increasing worm behaviors.

Obviously, if you have not yet ensured that port 445 is blocked at your Internet connection, you should immediately do so. HoneyPoint users can also set up TCP listeners or basic TCP HornetPoints to discover and attempt to “defensive fuzz” the worm code. Mixed results of causing termination have been shown so far, but our lab is working on a HornetPoint configuration to cause exceptions in the worm code in a stable manner.

HoneyPoint TCP listeners can be deployed on Linux boxes and other platforms where port 445 is unused, and used to identify hosts performing 445 scans and probes. This is an excellent approach to finding laptops and portable devices that might be infected on the internal network.
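One way to turn listener hits into a list of probable scanners, as an added example that is not HoneyPoint code or output: the log lines and their "timestamp src_ip src_port dst_ip dst_port" layout are constructed for the demo, and a source is flagged once it has probed three or more distinct listeners on 445, with RFC 1918 sources marked as internal so infected laptops stand out.

```python
import ipaddress
from collections import defaultdict

# Constructed sample listener log (not real HoneyPoint output).
# Layout assumed for the demo: timestamp src_ip src_port dst_ip dst_port
SAMPLE_LOG = """\
2008-11-03T09:25:01 10.1.4.22 3451 10.1.9.5 445
2008-11-03T09:25:02 10.1.4.22 3452 10.1.9.6 445
2008-11-03T09:25:02 10.1.4.22 3453 10.1.9.7 445
2008-11-03T09:25:03 10.1.4.22 3454 10.1.9.8 445
2008-11-03T09:26:10 10.1.7.40 1044 10.1.9.5 445
2008-11-03T09:27:00 203.0.113.9 51002 10.1.9.5 445
2008-11-03T09:27:01 203.0.113.9 51003 10.1.9.6 445
2008-11-03T09:27:01 203.0.113.9 51004 10.1.9.7 445
2008-11-03T09:28:15 10.1.7.40 1045 10.1.9.5 80
"""

SCAN_THRESHOLD = 3  # distinct 445 listeners touched before a source is flagged
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """True when the address falls in an RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_line(line):
    ts, src, _sport, dst, dport = line.split()
    return ts, src, dst, int(dport)

def find_445_scanners(log_text, threshold=SCAN_THRESHOLD):
    """Return {src_ip: {"targets": n, "internal": bool}} for every source
    that probed at least `threshold` distinct listeners on TCP/445."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, dport = parse_line(line)
        if dport == 445:
            targets[src].add(dst)
    return {src: {"targets": len(dsts), "internal": is_internal(src)}
            for src, dsts in targets.items() if len(dsts) >= threshold}

if __name__ == "__main__":
    for src, info in find_445_scanners(SAMPLE_LOG).items():
        where = "internal" if info["internal"] else "external"
        print(f"{src}: probed {info['targets']} listeners on 445 ({where})")
```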

Prep for Election Day

With election day dawning tomorrow, now might be a good time to prep yourself for the coming tasks.

1) Make sure you have your ID, driver’s license or other documentation that may be required to vote in your state.

2) Take the time to prepare and familiarize yourself with the issues. There are several sites sorted by states that cover the various issues. Use a search engine to locate your specific issues and races.

3) Be prepared for weather issues, traffic, long lines and other significant problems. Take enough time to allow for the task and any snafus that might arise. Bring a book, a bottle of water and your patience.

4) Forget “testing the security” if that is your deal. It will only cause problems for you, others and the board of elections. Play around in the voting booth and you might end up spending some time as a guest of your state. Forget the e-voting media and press and just make your voice heard with a proper vote. Let the voting officials handle the rest.

Most of all, just vote. It is the single most important duty we have as Americans. So, make your choices, select your candidate and do your patriotic duty. Using your voice is the finest way to honor the memory and sacrifice of all those who made it possible!

The Flu Season is Upon Us Again!

Officially, the flu season begins on the first of October and runs until spring. Even though the CDC says that this year’s flu is starting out a little bit milder than the two previous years, I know several people that are suffering through a nasty type of flu already this year. This stuff starts out with the usual fever and aches, and then turns into “cold” symptoms that hang on for weeks! We all know how nasty this is on a personal level, but a virulent long lasting flu like this can also really stress your business as well. So, let’s take a look at how the flu really works and what we can do about it.

First off, there are few real defenses against the flu if you are going to interact with other people. Flus are viruses that can infect you in several different ways and that mutate often and rapidly. The flu vaccine that is produced every year is really only devised to have some effect on the top three dominant flu strains of the year. The amount of effect it really has also depends on just how, and how much, each virus strain has mutated by the time you get the flu shot. So, although it is liable to help, don’t put too much faith in the flu vaccine.

So how can flu infect you? The most insidious way for the flu virus to spread is through the air in the form of “droplets”. When persons with the flu cough or sneeze into the air, large and very small droplets of liquid filled with virus travel through the air and can easily make their way into lungs or onto hands. Large droplets generally do not travel more than six feet but small “micro-droplets” can float through the air for some time and travel greater distances. Flu virus can also enter your body through your digestive system or eyes. If there is flu virus on your hands or food and you put them in your mouth, you can get the flu. If you have flu virus on your hands and you rub your eyes or nose, you can get the flu. So, what can you do to protect yourself from getting the flu or giving it to others?

The best thing you can do, even though it is a pain, is wash your hands. I mean wash your hands each time before you touch anything and put it in your mouth, or before you rub your eyes. Also, I wouldn’t eat food that has been sitting uncovered around where people have been coughing or sneezing.

There are also a number of different things that can kill microorganisms like flu viruses. Ultraviolet radiation, such as direct sunlight, kills microorganisms almost instantly. Also, microorganisms die quickly when they come in contact with hard, smooth, dry surfaces. And microorganisms can be killed or removed by the use of soaps and other chemical cleaners such as hand sanitizing lotions or disinfectant sprays.

So how do you protect your business from the flu? When the flu is rampant in the community, protect yourself when you are in close public areas such as grocery stores, automobiles, airplanes or malls. Have your workers do any work remotely that they can. If they can VPN into the network securely and work from home, have them do so. If you are a financial institution, consider closing or restricting access to the lobby and doing as much business as possible via the drive up windows. Insist that employees that have the flu stay home. And finally, make sure that your business has good written operating procedures in place, and that your employees cross train with each other on a regular basis. This will be a real help in times of great absenteeism. Expect the best, but plan for the worst – the height of the flu season is just two or three months away!

Web Application Targeting on the Rise

Recently, attacks on web applications have been on the rise, and there is good evidence that exploitation through SQL injection of web applications has brought about the tremendous surge in botnet infected machines. The focus of such attacks should result in us asking ourselves if we are at risk. If you have a web application it is quite possible that you are, and could likely be a target.

One of the fundamental best practices for being sure you don’t get compromised through a web application is to have strict input validation. What do I mean by “strict input validation?” Essentially, this means filtering the input to ensure the data presented by the user to the page does not contain characters that the application could mistake for code to be executed. Using input validation protects your site from executing arbitrary and malicious code that compromises your system.

Another big thing to consider is error control. Oftentimes SQL errors are displayed out in the open, or a directory listing is shown. A simple Google search for these error messages represents low-hanging fruit for a malicious attacker, allowing them to identify your website as a target. I would encourage everyone to take a close look at your web applications and make sure you are protected against this increased attacker focus.
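The two points above side by side, as an added example that is not code from the original post: a lookup built by string concatenation (the kind of code SQL injection abuses) next to a version with strict allow-list input validation, a parameterized query, and error control that logs database errors server-side instead of showing them to the client. The in-memory table and user names are constructed for the demo.

```python
import re
import sqlite3

# Constructed in-memory demo database (not from the original post).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "alice@example.com"), ("bob", "bob@example.com")])

# Strict input validation: an allow-list of what a username may contain.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def lookup_vulnerable(username):
    """Concatenates user input into SQL, so the database parses it as code.
    Any database error propagates to the caller (and typically to the page)."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_hardened(username):
    """Validates the input, binds it as a parameter, and returns
    (emails, error) without ever exposing the database's error text."""
    if not USERNAME_RE.match(username):
        return [], "invalid username"
    try:
        rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
        return [row[0] for row in rows], None
    except sqlite3.Error as exc:
        # Detail stays in the server log; the client gets a generic message.
        print(f"[log] database error: {exc}")
        return [], "lookup failed"

if __name__ == "__main__":
    print(lookup_vulnerable("alice"))          # ['alice@example.com']
    print(lookup_vulnerable("x' OR '1'='1"))   # every row in the table
    print(lookup_hardened("x' OR '1'='1"))     # ([], 'invalid username')
    print(lookup_hardened("bob"))              # (['bob@example.com'], None)
```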

MS08-067 Gone To Worm

A worm has been spotted in the wild that is exploiting the MS08-067 vulnerability for which Microsoft released an out-of-band update yesterday. We urge you to update as soon as possible, as there is now working code in the wild. All servers should be patched, especially external ones. If for some reason you have RPC exposed to the world, a very close look should be given to those systems, as they may have already been compromised. Internal systems should be patched as soon as possible since this is now a worm, a worm that could be brought in through laptops or other means of access.

A little info on the worm itself: it has been dubbed Gimmiv.A. When the worm executes, it drops three files, winbase.dll, basesvc.dll and syicon.dll, into the %System%\Wbem\basesvc.dll path. It then installs a service named BaseSvc, which forces svchost.exe to load the trojan DLLs. The trojan collects data from the machine, including passwords, and sends it to a remote machine.

Critical Windows Update

Today Microsoft is rolling out an unscheduled update. This vulnerability is critical and there are reports that it has been exploited by malware for the last few weeks. The most vulnerable systems are Windows 2000, Windows XP and Windows 2003. On these systems it is possible to exploit the system without authentication. On Windows Vista and Windows Server 2008, the exploit requires authentication to run, and it would likely also lead to a Denial of Service condition due to the use of DEP and ASLR in these versions of Windows.

This is the first vulnerability in the past few years that is easily wormable. It is very important that this update be tested and rolled out by your organization as soon as possible to prevent exploitation. The Security Bulletin can be found here.

HoneyPoint Personal Edition Key Change in Upcoming Versions

Please be aware that new versions of HPPE in the works will be using a new key mechanism. The current key mechanism appears to have fallen prey to piracy and a key has been identified in several “WAREZ” distribution sites. It appears that the current key that was leaked was made public after the software was awarded as a prize at a local public IT event. We have received several reports of web sites hosting the current version of the software with the leaked key and of several torrents floating about the Internet.

Thanks to those who reported the issue and who alerted us to the presence of the leaked key. We urge any illicit users to register their software and purchase a valid copy from our site here. Your continued support of the product will allow us to continue to improve the product.

While software piracy is regrettable, we, of all people, know that essentially any type of software license can be defeated. We have made and will continue to make our software licenses as convenient for our customers as possible. In our opinion, ease of use is key!

Please note that HPSS keys are unaffected as the product is licensed using an entirely different mechanism that is host specific. HPPE licenses depend solely on a custom generated numeric key sequence.

Have an Application or a Device on the Market — We Will Test Its Security Posture

Just a reminder about our lab services for those organizations that may be interested. Part of what has made MSI famous over the years is the extensive work we have done around application and device security. Our lab has tested everything from traditional software to ultra-modern web applications and all kinds of hardware, from appliance firewall and server loads to biometric systems, check scanners and, of course, the voting systems!

In the past we have served as security testing labs for operating systems, appliance applications, consumer electronics, various financial products and a ton of consumer-facing software tools. Many vendors have chosen us as partners for application/device-based risk assessments, product testing, vulnerability management and penetration testing. We have even done some heavy testing of data destruction systems in conjunction with another lab who was testing data recovery capabilities.

Our lab has also been used by Information Security and ITWorld magazines for reviews, technology analysis and vendor evaluations. We have extensive experience in reviewing products for client companies, performing/managing vendor product bake-offs and leveraging our publicly acclaimed processes for proactive threat modeling to help companies spend their IT and infosec budget dollars as wisely as possible.

Our team loves to learn about, play with and exploit new technologies and products. They are continually involved in analysis of various products and projects. We are now accepting a few new projects for lab review and testing for the 4th quarter, so if you or your company are interested in establishing security as a differentiator for your product or having your new web application branded with our lab’s SecureAssure logo, get in touch with an account executive as soon as possible. We only accept a few new products every quarter due to our schedule and the intensity of our process, and those slots usually fill up very quickly.