64 Bit OS Reminder for HoneyPoint

Just a quick note to help folks who are using HoneyPoint, regardless of version. If you are having trouble with execution on a 64 bit operating system, remember that HoneyPoint binaries are 32 bit. To run them on 64 bit OS’s, you need ensure that you have the 32 bit compatibility tools installed.

For Windows, read this.

For Ubuntu, read this.

For other operating systems, please consult your operating system vendors’ documentation. If we can be of any assistance, please contact your HoneyPoint support person.

Thanks!

Choosing Your OS is NOT a Security Control

Just a quick note on the recent Google announcement about dumping Windows for desktops in favor of Linux and Mac OS X. As you can see from the linked article, there is a lot of hype about this move in the press.

Unfortunately, dumping Windows as a risk reducer is just plain silly. It’s not which OS your users use, but how safely they use it. If a user is going to make the same “bad computing hygiene” choices, they are going to get p0wned, regardless of their OS. Malware, Trojans and a variety of attacks exist for most every, if not every, platform. Many similar brower-based attacks exist across Windows, Linux and OS X. These are the attack patterns of today, not the Slammer and Code Red worm attack patterns of days gone by.

I fail to see how changing OS will have any serious impact on organizational risk. Perhaps it will decrease, a very small amount, the costs associated with old-school spyware and worms, but this, in my opinion is likely to be a decreasing return. Over time, attackers are getting better at cross platform exploitation and users are likely to quickly feel a false sense of security from their OS choice and make even more bad decisions. Combine these, and then multiply the costs of additional support calls to the help desk as users get comfortable and have configuration issues in the enterprise, and it seems to me to be a losing gambit.

Time will tell, but I think this was a pretty silly move and one that should be studied carefully before being mirrored by other firms.

Increase in European “Options” HTTP Scans from Linux Systems

Over the weekend, we saw a large increase in HoneyPoint captures of HTTP fingerprinting scans using the “Options *” technique. Even more interesting was that nearly all of these scans originated in Europe. The scans were all originated from Linux boxes and simple port probes show all of the boxes to be running OpenSSH 4.3 (some with p2). Other ports show no consistency on the originating systems.

Clearly, it could be a coincidence, but for multiple hosts to show only that correlating port, it could also be a specific exploit for OpenSSH 2.4. Additional research shows a few known issues with this version of OpenSSH. Perhaps a new bot-net is being launched by leveraging this vulnerability?

We are deploying additional SSH HoneyPoints to try and capture more data about possible exploitation of systems meeting these implementations.

Editor’s Note: The current version is OpenSSH 4.7/4.7p1 – so if you are using older versions (including 4.2/4.3) you should upgrade as soon as possible to the current revision.

Post revised to update for identified existing OpenSSH issues. 

Linux Local Kernel Exploit

Two proof of concept kernel exploits have been released into the wild that exploit a newly discovered vulnerability. Kernel versions 2.6.17 to 2.6.24.1 are affected. The vulnerability is found within the vmsplice function call. This exploit effectively gives local root access on a wide range of Linux distributions.
Kernel version 2.6.24.2 fixes the issue. It’s recommended to disable all shell access until your kernel is updated, either by building from sources, or waiting for your Linux distribution to release an update.