Underground Cyber-Crime Economy Continues to Grow

Posted on February 28, 2008 by Brent Huston

I read two interesting articles today that reinforced how the underground economy associated with cyber-crime is still growing. The first, an article from Breech Security, talked about their analysis of web-hacking from 2007. Not surprisingly, they found that the majority of web hacking incidents they worked last year were geared towards theft of confidential information.

This has been true for the majority of incident response cases MSI has worked for a number of years now. The majority are aimed at gaining access to the underlying database structures and other corporate data stores of the organization. Clearly, the target is usually client identity information, credit card info or the like.

Then, I also read on darknet this morning that Finjin is saying they have been observing a group that has released a small P2P application for trading/sale of compromised FTP accounts and other credentials. Often, MSI has observed trading and sale of such information on IRC and underground mailing lists/web sites. Prices for the information are pretty affordable, but attackers with a mass amount of the data can make very good incomes from the sale. Often, the information is sold to multiple buyers – making the attacker even more money from their efforts.

Underground economies have been around since the dawn of capitalism. They exist for almost every type of contraband and law enforcement is usually quite unsuccessful at stamping them out. Obviously, they have now become more common around cyber-crime and these events that have “bubbled to the surface” are only glimpses of the real markets.

It is critical that information security teams understand these motivations and the way attackers think, target victims and operate. Without this understanding, they are not likely to succeed in defending their organizations from the modern attacker. If your organization still spends a great deal of time worrying about web page defacements and malware infections or if your security team is primarily focused around being “net cops”, it is pretty likely that they will miss the real threat from today’s cyber-criminals and tomorrow’s versions of organized crime.

Thunderbird 2 MIME vulnerability

Posted on February 28, 2008 by wstoner

Mozilla Thunderbird 2.0.0.9 has been found to contain a heap buffer overflow vulnerability due to the way it handles external-body MIME types. Systems running this version of Thunderbird are vulnerable to compromise or the execution of arbitrary code via specially crafted email messages. You should update to Thunderbird 2.0.0.12 as soon as possible.

Mozilla’s advisory is located at: http://www.mozilla.org/security/announce/2008/mfsa2008-12.html

ICQ Vulnerability Should Increase Your Vigilance

Posted on February 28, 2008 by wstoner

A newly discovered format string error in ICQ version 6 build 6043 once again highlights the need to be cautious about who you are conversing with. Interaction with the embedded Internet Explorer component can allow specially crafted messages to execute arbitrary code on the affected system. Make sure that you only open messages from known and trusted contacts. It is a good idea to clean unknown or untrusted contacts from your contact list and enable the “Accept messages only from contacts” option. The build named above is known to be vulnerable other versions may also be affected

Laying the Trap with HoneyPoint Personal Edition & Puppy Linux Live CD

Posted on February 27, 2008 by Brent Huston

Recently, I have been capturing quite a bit of attacker probes and malware signatures using a very simple (and cheap) combination of HoneyPoint Personal Edition (HPPE) and a Puppy Linux Live CD. My current setup is using an old Gateway 333MHz Pentium Laptop from the late 90’s!

The beauty of this installation is that it lets me leverage all of the ease of a Live CD with the power and flexibility of HPPE. It also breathes new usefulness into old machines from our grave yard.

So, here is how it works. I first boot the machine from the Puppy Live CD and configure the network card. From my FTP server (or a USB key) I download the binary for HPPE Linux (available to licensed HPPE users by request), the license and my existing config file. That’s it – run the binary and click Start. Now I am set to trap attack probes and malware to my heart’s content!

It really is pretty easy and the new email alerting now built into HPPE allows me to remotely monitor them as well from my iPhone email. This makes a nice, easy, quick way to throw up HoneyPoints without needing a separate console or a centralized monitoring point.

This setup is very useful to me and has even got me thinking about adding a plugin interface to HPPE in future releases. That would essentially give you the power to write custom alerting mechanisms and even fingerprinting tools for attacking systems.

Give this setup a try and be sure to let me know your thoughts on HPPE. As always, MSI really wants to hear your ideas, input and feedback on our work.

Thanks for reading and have fun capturing attack data. Some of this stuff is pretty darn cool! 😉

VMWare Directory Traversal for Shared Folders

Posted on February 26, 2008 by wstoner

Multiple VMWare products running on Windows platforms with Shared Folders are vulnerable to a directory traversal attack. If an attacker can has access to a guest operating system they can exploit the vulnerability to gain write access to the underlying hosting system. This obviously opens the door for a multitude of attacks.

Until a patch is released users on Windows are advised to disable any Shared Folders that they may have configured.

The original advisory is at:http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004034

Incident Reporting & Handling WorkFlows

Posted on February 26, 2008 by Brent Huston

I had an interesting conversation with a client today and they are planning to implement a web site that would give their internal employees a centralized resource for looking up how to report security incidents, building/facilities issues, HR problems, policy violations, etc.

They picture this as a web page with a list of phone numbers, intranet applications and other contact mechanisms for their staff to use to report issues. The conversation was around attempting to create a workflow or flowchart for decision making about how to report an issue and how to decide which contact method to use.

I know a few other organizations have created formal incident reporting and such for their employees. Would anyone care to share their decision trees or the like for incident handling and user training around this topic (sanitized, of course!)?

Thanks, in advance, for any insight on this. The client will be monitoring the thread and it may help others as well.

Risk Increase in Laptop Loss with Encryption?

Posted on February 26, 2008 by Brent Huston

There has been a bunch of buzz in the last few days about researchers who figured out how to retrieve crypto keys from RAM on stolen laptops. Several analysts have talked about this raising the risk for data loss from laptop theft and some are even questioning the effectiveness of crypto as a control. I think that much of this is hype and will prove to be overblown in the coming months.

First, the attack has some difficulty and knowledge requirements. This essentially makes it equivalent to a forensic technique and as such is well beyond the capabilities of basic attackers. It requires knowledge deeper than an average computer user or power user would possess. While this does not eliminate the risk, it does significantly reduce the pool of attackers capable of exploiting the vulnerability. Further risk reductions could be gained by understanding that the attackers must gain access to the device (what controls are in place for this?, what training have you done on laptop loss control?) and the device must be in a sleep state or recently powered down (have you taught users to power down laptops completely when removing them from the office or other controlled areas?). Each step in training and additional controls further serves to reduce the risks from this vulnerability.

Vendors are also reacting to the problem. Many are identifying the key management processes in their products and moving to change them in such a way as to make them more effective with this attack in mind. Their results and effectiveness are likely to vary, but at least many of them are trying.

So, while laptop loss remains a potential data theft risk, even with crypto in place, it is likely to remain a manageable and acceptable risk if proper awareness controls are in place. So before you put too much stock in some of the “near panic” FUD levels some security analysts are shouting, step back, take a look at it from a rational risk standpoint and then identify what you can do about it.

This issue again reinforces that there aren’t any silver bullets in security. Nothing is “absolute protection”, even high level math. The only real way to do security is through proper, rational risk management…

Open Source Security Information Management vuln

Posted on February 25, 2008 by wstoner

An injection vulnerability has been found in OSSIM. The “dest” parameter in the PHP based login page is not adequately sanitized. This can lead to Cross Site Scripting attacks or even SQL injection. The original advisory can be found at:http://www.milw0rm.com/exploits/5171

WMWare ESX Multiple Vulns, Novell iPrint Remote Code

Posted on February 22, 2008 by Nathan Grandbois

VMWare ESX is vulnerable to multiple issues, including the bypassing of security restrictions, system compromise, denial of service, and the disclosure of sensitive information. Currently, VMWare ESX 2.x and 3.x are vulnerable. VMWare has released a patch for this issue, available from www.vmware.com.
Novell iPrint Client is vulnerable to remote exploitation. The vulnerability lies in the active control ienipp.ocx and can be exploited remotely to cause a stack based buffer overflow. This has been confirmed in version 4.26 and 4.32. Novell recommends all users update to version 4.34.

Symantec Veritas Storage Foundation Vulnerabilities

Posted on February 21, 2008 by wstoner

Two new vulnerabilites have been reported in Symantec’s Veritas Storage Foundation product. Both are primarily Denial of Sevice issues, but one may lead to the execution of arbitrary code. This more serious issue is caused by input validation issues in the Administrator Service and can be exploited by sending a specially crafted packet to one of the products default ports, 3207/UDP. This vulnerability affects version 5.0 on both Windows and Unix/Linux systems. The lesser vulnerability is also caused by an input validation issue, this time in the Veritas Scheduler service. It can be exploited by sending a specially crafted packet to the default port 4888/TCP.

The original Symantec advisories are available at:
SYM08-005: http://www.symantec.com/avcenter/security/Content/2008.02.20a.html

and

SYM08-004:
http://www.symantec.com/avcenter/security/Content/2008.02.20.html

MSI :: State of Security

Insight from the Information Security Experts