Yet Another Lesson on the Basics from DigiNotar

This time it was a Certificate Authority (again). Not just any CA, either, but an official CA that manages the “PKIOverheid” for the government of the Netherlands. In other words, a really important CA, even in a league where most, if not all, CA’s are important.

What happened? They got breached. They got breached in a way that allowed attackers to create at least 531 rogue certificates with their trust models. How did they get breached? It seems to stem from a combination of attackers exploiting basic issues to gain access, then leveraging more advanced custom skills to get the certificates generated and extrude them. I am basing that opinion on the Fox-IT report located here. (The report itself is well worth a read).

The critical issues identified?

  • Lack of a secure architecture for CA servers (1 Windows domain, connectivity from management network)
  • Missing patches
  • Lack of basic controls (AV, in this case) which allowed exploitation by basic attacker tools such as Cain/Abel
  • Poor password policies, logging and management of detective controls

If you follow our blog, attend our talks or listen to our podcasts, you should be seeing this as another reminder of just how critical it is to do the basics. Having powerful tools that no one watches, engaging vendors to do assessments that you ignore and spending money on controls that don’t matter won’t create an effective information security program. Getting the basic controls and processes in place might not protect you from breaches against resourced, skilled attackers completely, either, but it will go a long way toward giving you some protection from the most common threat models. In this case, it might have helped a CA know when they were under attack and take action against their threat sources to mitigate the breach before they got to the crown jewels or in this case, the crown certificates.

The attacker has been posting to Pastebin, (presumably the attacker), that they have access to other CA providers. If you are a CA or run a certificate system, now might be a good time to have someone take an independent third-party look around. It might be a good time to spend a few extra cycles on “just checking things out”.

If your organization is still stuck chasing vulnerabilities and hasn’t done a holistic review of their overall program, this would be a good impetus to do so. It should become an action item to look at your program through the lens of something like the SANS CAG or our 80/20 of Information Security lens and ensure that you have the basics covered in an effective manner. If you have questions or want to discuss the impacts or issues some of these recent breaches have against your organization, give us a call. As aways, thanks for reading and stay safe out there.

Microsoft Patches For July 2008

Tomorrow, Microsoft is releasing four security updates for multiple issues affecting Windows, Microsoft SQL Server and Microsoft Exchange Server. All four updates carry a rating of “important”, no “critical” updates on this round. Surprisingly, there’s no update for recent IE vulnerabilities. As usual, these updates should be tested and rolled out as soon as possible.

Microsoft SQL Injection Security Advisory

Microsoft has released a security advisory in response to the rapid increase in SQL injection attacks that have happened lately. This advisory was released to assist Web site administrators in identifying SQL injection issues within their Web application code, and to provide temporary solutions to mitigate SQL injection attacks against the server. The full advisory can be found at http://www.microsoft.com/technet/security/advisory/954462.mspx

It’s good to see Microsoft release such an advisory with explicit details on how to mitigate current issues and avoid SQL injection in the future. We have seen too many applications vulnerable to SQL injection, no matter if they’re ASP, PHP, Perl, Ruby or anything else. If you’re an ASP developer be sure to read this advisory and implement the listed strategies when coding, if you haven’t already.

Microsoft Patches Released for May

Microsoft posted their patches for May today. Looks like 3 critical patches, all of which allow remote code execution. A denial of service patch is also included as a moderate.

Given the interest lately in patch-based vulnerability generation, if exploits don’t already exist in the wild, they are likely very quickly.

Organizations should immediately begin testing the patches against their normal QA process and get them applied as quickly as possible.

A Plethora of New Issues for Today

It’s been a busy morning for vulnerabilities so far. We are tracking new vulnerabilities in the following applications:

Squid Proxy – a DoS problem has been identified in the ICAP implementation that could allow attackers to spike the CPU of the server, a patch is available and should be applied on your next maintenance process

Samba – A buffer overflow in Samba version 3.0.27a allows remote execution of code if the “domain logons” option is enabled, patches are available on the Samba site for the problem.

WordPress – A SQL injection has been found in the charset implementation. Dumping the database is possible and when combined with other exploits already available can allow remote compromise of the WordPress Admin password. There is a workaround, but it is very specific to each WordPress deployment, so check the WordPress site carefully for info on this issue.

We are also tracking a few new tools of interest, that might increase some of the scan and probe traffic over the next few weeks while attackers play with their new toys. They are:

HttpRecon – a tool for advanced web server fingerprinting, likely to increase web server probes as the tool is examined and included into other tools

BurpSuite – a new revision of this tool for testing websites for things like SQL injection and XSS is now available, likely to cause scans for web application problems

EchoVNC – a firewall, proxy and network access control avoidance enabled version of the VNC server has been released, this is likely to be a useful tool for attackers and bot-masters as they compromise networks

Lastly, Microsoft is releasing a large load of patches today. Amongst them are 3 remotely exploitable “critical” patches. Look for exploits and such to follow very quickly if they are not already available. Wide scale exploit distribution and inclusion into bot-net clients is likely to follow in the next few days. As always, patches should be tested and applied as soon as possible.