Latest Alerts

A Tale of Two Admins (and no Change Control), (Mon, Feb 10th)

Mon, 02/10/2014 - 09:45

I have a client who has done the right thing: they've separated their test environment from their production environment.  The production environment is in a colocation facility and uses a different firewall.  The test environment is in the office location and shares the office subnet and the office firewall.  So it's sort of the right thing, and they're moving in the right direction - I would have given the test lab its own firewalled DMZ subnet.

About two years ago, one of the server admins asked the office firewall administrator to open port 3389 (RDP) to a test box, so that they could continue their build at home.  Not a great solution - I would have told him to VPN in and do it without changing the firewall - but it was done, the build got done and life moved on.

Unfortunately, the firewall change was not documented, was not remembered and was not backed out.

Fast forward 2 years.  The two folks from 2 years back have both moved on to other positions and/or companies, and a new server admin is building a new Hyper-V server in the test environment.  He's just about to deploy it to production when he notices RDP connections to it from our friends in China.  Yes, that undocumented change had come home to roost!

So, after we did the post mortem, what did they learn?

  • There's no fixing a compromised hypervisor - NFO (Nuke from Orbit): repartitioning the RAID array and starting over is always the best advice.
  • Hypervisors don't need a GUI - they shouldn't have been RDP'ing into that box for admin in the first place.
  • DOCUMENT ALL FIREWALL CHANGES.  HAVE A CHANGE CONTROL PROCESS.  Happily, they've got a formal change control process now.  On the firewall, there's an assessment step on all changes, to decide if the requested change is a good idea in the first place (open RDP was a singularly BAD idea).
  • Finally, they now run a basic NMAP scan (all addresses in the range, all ports) of the office environment from the colo, and the results are run through diff, comparing them against yesterday's results for changes.  This client is lucky in this regard because they have 2 separate locations that can scan each other; in a more typical situation, the folks responsible for security might do this from their laptop, scanning from home after work or before driving in each day.

You'd be surprised what a full port scan might find - those issues we're stuck with from open ports on home firewalls (https://isc.sans.edu/forums/diary/Scans+Increase+for+New+Linksys+Backdoor+32764+TCP+/17336 and https://isc.sans.edu/diary/Exposed+UPNP+Devices/15040 for instance) would have been caught a long time ago if more folks scanned their infrastructure from the untrusted outside network!  Mind you, home users typically never patch their firewalls anyway, so all those open UPnP and other backdoor ports are with us for the long haul now.
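One way to implement the daily scan-and-diff described above, as an added example (not the client's own script): it parses nmap's grepable output (-oG) from two consecutive runs and reports only open ports that appeared or disappeared, so header timestamps and latency noise do not register as changes. The address range, file names and the sample reports are constructed; a cron job would run `nmap -p- -oG today.gnmap <range>` from the outside and then this script against yesterday's file.

```python
"""Daily external port-scan differ: an added example, not the client's own script.

Assumes nmap grepable output (-oG) from two consecutive runs. Only *open* ports
are compared, so the timestamps in the -oG header, closed-port counts and
latency noise do not register as "changes".
"""
import re
import sys
from typing import Dict, Set, Tuple

OpenPort = Tuple[str, str, str]          # (host, "port/proto", service)

_HOST_RE = re.compile(r"^Host:\s+(\S+)")
_PORTS_RE = re.compile(r"\tPorts:\s+(.*?)(?:\t|$)")


def parse_open_ports(gnmap_text: str) -> Set[OpenPort]:
    """Return the set of open (host, port/proto, service) tuples in an -oG report."""
    found: Set[OpenPort] = set()
    for line in gnmap_text.splitlines():
        host_m, ports_m = _HOST_RE.match(line), _PORTS_RE.search(line)
        if not host_m or not ports_m:
            continue                      # '# Nmap ...' comments, 'Status: Up' lines
        host = host_m.group(1)
        for entry in ports_m.group(1).split(", "):
            # -oG port entry: port/state/proto/owner/service/rpcinfo/version/
            fields = entry.split("/")
            if len(fields) >= 5 and fields[1] == "open":
                found.add((host, f"{fields[0]}/{fields[2]}", fields[4]))
    return found


def scan_diff(yesterday: str, today: str) -> Dict[str, Set[OpenPort]]:
    """Open ports that appeared since yesterday ('new') or went away ('closed')."""
    old, new = parse_open_ports(yesterday), parse_open_ports(today)
    return {"new": new - old, "closed": old - new}


def format_report(diff: Dict[str, Set[OpenPort]]) -> str:
    """One line per change; an empty string means nothing changed (nothing to mail)."""
    lines = [f"CLOSED {h} {p} {s}" for h, p, s in sorted(diff["closed"])]
    lines += [f"NEW    {h} {p} {s}" for h, p, s in sorted(diff["new"])]
    return "\n".join(lines)


# Constructed sample reports in -oG format (192.0.2.0/28 is a documentation range).
YESTERDAY = """# Nmap 6.40 scan initiated Sun Feb  9 03:00:01 2014 as: nmap -p- -oG - 192.0.2.0/28
Host: 192.0.2.5 ()\tStatus: Up
Host: 192.0.2.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (65533)
Host: 192.0.2.9 ()\tPorts: 25/open/tcp//smtp///, 80/closed/tcp//http///\tIgnored State: filtered (65533)
# Nmap done at Sun Feb  9 03:41:10 2014 -- 16 IP addresses (2 hosts up) scanned
"""
TODAY = """# Nmap 6.40 scan initiated Mon Feb 10 03:00:01 2014 as: nmap -p- -oG - 192.0.2.0/28
Host: 192.0.2.5 ()\tStatus: Up
Host: 192.0.2.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65532)
# Nmap done at Mon Feb 10 03:39:52 2014 -- 16 IP addresses (1 host up) scanned
"""

if __name__ == "__main__":
    # Usage: scan_diff.py yesterday.gnmap today.gnmap   (exit status 1 when something changed)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            report = format_report(scan_diff(f_old.read(), f_new.read()))
    else:
        report = format_report(scan_diff(YESTERDAY, TODAY))
    print(report or "no change")
    sys.exit(1 if report else 0)
```

With the constructed reports the only new open port is 3389/tcp on 192.0.2.5, which is exactly the kind of change the diary's undocumented firewall rule would have produced.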

Do you regularly scan your firewall from the outside?  Does your scan highlight changes, or are you looking just for vulnerabilities (using Nessus or similar) rather than changes?   Let us know in our comment form below.

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Monday, February 10th 2014 http://isc.sans.edu/podcastdetail.html?id=3833, (Mon, Feb 10th)

Sun, 02/09/2014 - 20:07

Mandiant Highlighter 2, (Sun, Feb 9th)

Sun, 02/09/2014 - 10:38

In a previous diary I discussed the basic usage of Mandiant Highlighter. In this diary I will discuss some of its other features.

Mandiant Highlighter Graphic

The graphic is an overall view of the whole file. Each line/bar on the graph represents a line in the text, and the bar lengths are proportional to the line lengths in the file. When you highlight a word in the text, it will be highlighted on the graph as well.

If you would like to specify the range of data to display, you can enter the range in the “Zoom Control” section at the bottom right of the screen:

Windows Event Viewer:

To view Windows events, you first have to export them to a .txt file. Here are the steps to save the events as a text file:

1 - Right-click on the event category:

2 - Select “Save All Events As...”

3 - Type the file name and select Text from the “Save Type As” drop-down menu

Now you can use Mandiant Highlighter to parse the Windows events.

Regular Expressions:

Can you imagine a powerful log parser without regular expression support? To use regular expressions in Mandiant Highlighter, enter the regular expression in the Keyword box, then select Case Sensitive RegExp or Case Insensitive RegExp from the drop-down menu.


New ISO Standards on Vulnerability Handling and Disclosure, (Fri, Feb 7th)

Fri, 02/07/2014 - 05:26

Also in the news, ISO standard 30111 was published recently (on Jan 21) - a standard for Vulnerability Handling Processes.  The standard was edited by Katie Moussouris, Senior Security Strategist Lead at Microsoft.

The standard covers all the basics, including vulnerability verification steps and the vulnerability handling process; of particular interest is that it delineates where vendors should and should not be in the process.

The companion document, ISO 29147 (published in 2013), covers Vulnerability Disclosure.  This one is extremely valuable both to security researchers and to any company with a software product.  This standard includes guidance on building a framework to address vulnerabilities, including a 5-step process that guides vendors through initial receipt and verification of the vulnerability, developing a resolution, releasing the final fix, and communication with customers after the fix is released.

As with all ISO standards, these are unfortunately not free, but both are well worth it if the standards apply to your organization.  If your organization writes code, or if you sell hardware that runs code, both of these standards are a must-have.
ISO 30111 can be purchased here: http://www.iso.org/iso/catalogue_detail.htm?csnumber=53231
ISO 29147 can be purchased here: http://www.iso.org/iso/catalogue_detail.htm?csnumber=45170

===============
Rob VandenBrink
Metafore


ISC StormCast for Friday, February 7th 2014 http://isc.sans.edu/podcastdetail.html?id=3830, (Fri, Feb 7th)

Thu, 02/06/2014 - 18:24

Hello Virustotal? It's Microsoft Calling., (Fri, Feb 7th)

Thu, 02/06/2014 - 18:18

You might think that phone call is unlikely, but as of this week it's built in and is likely happening right now.

I was poking around in the latest version of Sysinternals and tripped over a new option.  You can now submit any running process in memory directly to VirusTotal.  It's a simple right-click in the latest version of Process Explorer.

If that's not just the coolest thing!  If your AV product isn't triggering on a suspect process, you can now query all the AV engines without even having to find or upload the file - assuming that a file matching your process even exists; if you're in the midst of a security incident, a suspect process might not have a matching file.

Sysinternals: http://technet.microsoft.com/en-us/sysinternals

VirusTotal: https://www.virustotal.com/

===============
Rob VandenBrink
Metafore


Microsoft Advance Notification for February 2014, (Fri, Feb 7th)

Thu, 02/06/2014 - 17:51

Today Microsoft published the advance notification for this month's security bulletins. The bulletins will be published on February 11th (this coming Tuesday) [1]. Again, we will have a pretty light patch day, with only 5 bulletins, and only 2 of them considered critical.

Noteworthy: no Internet Explorer patches and no Office patches. We will only see Windows patches, a patch for .NET and a "Security Software" patch.

Not part of Patch Tuesday, but still happening on the same day: Microsoft will no longer allow MD5 hashes for certificates. This may be difficult for some applications that haven't been changed over yet, even though Microsoft gave ample warning, and MD5 hashes have been shown to be badly broken for certificate signatures for a few years now. Just earlier today I ran into a brand new, pretty expensive Axis network camera that only allows the use of MD5-hashed certificate signatures.

[1] http://technet.microsoft.com/en-us/security/bulletin/ms14-feb

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

ISC StormCast for Thursday, February 6th 2014 http://isc.sans.edu/podcastdetail.html?id=3827, (Thu, Feb 6th)

Wed, 02/05/2014 - 16:40

SANS Ouch Security Awareness Newsletter What is Malware http://www.securingthehuman.org/ouch, (Wed, Feb 5th)

Wed, 02/05/2014 - 05:54

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

To Merrillville or Sochi: How Dangerous is it to travel?, (Wed, Feb 5th)

Wed, 02/05/2014 - 05:54

Our reader Rodney sent us a link to a story that apparently aired on NBC Nightly News last night:

"I was wondering if someone could do a piece on the report that was on NBC's Nightly News last night (see link below) regarding connecting personal devices like smart phones and laptops to the Internet while in Sochi for the Olympics. The first video leaves out some details that the second video reveals. The first video aired on NBC, the second did not. It seems as if the first video was sensationalism. The second video revealed that the journalist had willingly clicked on links to download the malware. The first video made it look like they only had to connect to become infected. I know that it can happen, but they made it sound like it will definitely happen."

The first video [1] shows how a brand new computer is infected while connected to a hotel network in Russia. "If they fire up their phone at baggage claim, it is too late," the announcer states to introduce the story. The reporter then states that his Android phone was hacked almost immediately, "before we even finished our coffee". It then states that the two computers at the hotel were hacked as well, "very quickly".

A second video ("Open Hunting Season for Hackers", same URL as the earlier video) clarifies things a bit. The journalist clicked on a link. However, the link does appear to have been somewhat targeted, as it came to him addressing him as a journalist and promised leads for a story. We don't know if there were additional warning signs.

There was also a brief Twitter exchange about this story with Kyle Wilhoit, the security expert in the story:

So in short, it was not "uninitiated".

How dangerous is it to travel?

The report states that there is no expectation of privacy. I think this is a good assumption to go with no matter where and how you use the Internet. Many privacy rules are just that: rules. To actually have privacy, you may need to go a step further and put technical controls in place. We covered travel security before, but here are some of the main points:

- Patch before you go, not while on the road.
- Use a VPN whenever possible.
- Use anti-malware / personal firewalls.
- Don't leave your computer unattended.
- Encrypt your disks.
- Power down your system if you have to leave it in your room, and set up a BIOS/firmware password.
- Use hotel safes / lock-down cables if you don't have another choice (yes, they can be broken into easily, but it is even easier to take a system that is not in the safe).
- If you have a choice, a wired connection is a tiny bit more secure than WiFi.

(also see the April 2011 edition of Ouch http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201104_en.pdf )

Will you get hacked "automatically as you have a coffee"? Who knows. But if it does happen, it may as well happen while you have the coffee at home. The risk isn't so much the location, as a recent breach of PoS systems in hotels from Chicago to Merrillville shows [2]. One of the great things about the internet is that distance doesn't really matter that much. Russian hackers can get to you while you (and they?) are in their PJs, no matter where.

In the end, I am not sure if "TV magic" is the right way to educate users about the risks.

[1] http://www.nbcnews.com/watch/nightly-news/hacked-within-minutes-sochi-visitors-face-internet-minefield-137647171983

[2] http://www.dailyfinance.com/2014/02/04/credit-card-data-breaches-target-big-hotels/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

ISC StormCast for Wednesday, February 5th 2014 http://isc.sans.edu/podcastdetail.html?id=3824, (Wed, Feb 5th)

Tue, 02/04/2014 - 17:58

Odd ICMP Echo Request Payload, (Tue, Feb 4th)

Tue, 02/04/2014 - 17:46

Update^2:

We now have confirmation that these packets are related to NVidia driver updates. One reader sent us a complete capture; also see the comments on this story below.

Here is a summary of the complete packet capture:

1 - DNS lookup for gfe.nvidia.com (returns 8.36.113.132)
2 - DNS lookup for download.gfe.nvidia.com (returns 8.36.113.133)
3 - HTTP GET for download.gfe.nvidia.com/packages/DAO/production/1234567/0.dat   (I obfuscated the full URL)

0.dat is a signed Windows executable

After it finishes, the update software sends the three pings that were observed. One reader also submitted a comment to this post (see below) pointing out that the ICMP payload string can be found in the NVidia updater binary.

Thanks all for your help solving this!!

Update:

Our reader Jim sent in an interesting comment. Apparently, this traffic may be related to NVidia in some way. Many of the destination addresses are related to NVidia. In our example below, only one IP fits that description: 83.150.122.97 - NVidia Helsinki DSL. But other IP addresses reported also point to NVidia.

There is also a discussion at https://forums.geforce.com/default/topic/534267/covert-channel-exploit-in-icmp-packet about packets that may match this event.

---------

Thanks to Donald for sending us a couple of interesting ICMP echo requests. They are coming from a machine that is having "issues" (problems staying live on the network, credentialed Nessus scans are unable to connect).

The ICMP echo requests being sent from the host contain the payload "PING DATA!", and nothing else of interest in the packets. They go out to various hosts (see below for details).

Has anybody seen these before? They seem "familiar", but I can't point to the exact tool right now...

 xxx.xxx.xx.xx > 83.150.122.97: icmp: echo request
0x0000   4500 003c 211d 0000 fe01 b5bf xxxx xxxx        E..<!.........Wb
0x0010   5396 7a61 0800 b6b3 0001 0001 5049 4e47        S.za........PING
0x0020   2044 4154 4121 0000 0000 0000 0000 0000        .DATA!..........
0x0030   0000 0000 0000 0000 0000 0000                  ............

 xxx.xxx.xx.xx > 90.83.94.114: icmp: echo request
0x0000   4500 003c 3508 0000 fe01 b706 xxxx xxxx        E..<5.........Wb
0x0010   5a53 5e72 0800 b6b2 0001 0002 5049 4e47        ZS^r........PING
0x0020   2044 4154 4121 0000 0000 0000 0000 0000        .DATA!..........
0x0030   0000 0000 0000 0000 0000 0000                  ............

 xxx.xxx.xx.xx > 101.78.148.14: icmp: echo request
0x0000   4500 003c 356a 0000 fe01 760d xxxx xxxx        E..<5j....v...Wb
0x0010   654e 940e 0800 b6b1 0001 0003 5049 4e47        eN..........PING
0x0020   2044 4154 4121 0000 0000 0000 0000 0000        .DATA!..........
0x0030   0000 0000 0000 0000 0000 0000                  ............
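A decoder for the hex dumps above, as an added example (not from the diary): it rebuilds the packet bytes with the masked "xxxx" source address as zeros, reads the IPv4 and ICMP headers, and recomputes the ICMP checksum, which covers only the ICMP message and so can still be verified; the three packets decode to id 1, sequence numbers 1 to 3 and the payload "PING DATA!".

```python
"""Decoder for the tcpdump-style hex dumps above (an added example, not from the
diary): rebuilds the bytes (masked 'xxxx' source becomes zeros), reads the IPv4
and ICMP headers and recomputes the ICMP checksum, which covers only the ICMP
message and so still verifies although the IP source address was masked."""
import re
import struct
from typing import Dict, List

_HEX_WORD = re.compile(r"[0-9a-fA-F]{4}")


def dump_to_bytes(lines: List[str]) -> bytes:
    """Turn '0x0010   5396 7a61 ...  S.za....' lines into raw bytes."""
    out = bytearray()
    for line in lines:
        for tok in line.split()[1:9]:      # at most 8 hex words follow the offset
            if tok == "xxxx":
                out += b"\x00\x00"         # masked source address in the diary's dump
            elif _HEX_WORD.fullmatch(tok):
                out += bytes.fromhex(tok)
            else:
                break                      # reached the ASCII column (or a summary line)
    return bytes(out)


def split_packets(dump: str) -> List[bytes]:
    """The diary separates packets with a blank line; the summary line adds no bytes."""
    return [dump_to_bytes(block.splitlines()) for block in dump.strip().split("\n\n")]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_echo(packet: bytes) -> Dict[str, object]:
    """Parse the IPv4 and ICMP echo headers and verify the ICMP checksum."""
    ver_ihl, _, total_len, ip_id, _, ttl, proto, _, _, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 1:
        raise ValueError("not an IPv4/ICMP packet")
    icmp = packet[(ver_ihl & 0x0F) * 4:total_len]        # IHL-sized header, then the ICMP message
    itype, code, csum, echo_id, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"dst": ".".join(map(str, dst)), "ttl": ttl, "ip_id": ip_id,
            "type": itype, "code": code, "id": echo_id, "seq": seq,
            "checksum_ok": csum == inet_checksum(icmp[:2] + b"\x00\x00" + icmp[4:]),
            "payload": icmp[8:].rstrip(b"\x00").decode("ascii", "replace"),
            "payload_len": len(icmp) - 8}


# The three packets quoted in the diary, verbatim.
DUMP = """\
 xxx.xxx.xx.xx > 83.150.122.97: icmp: echo request
0x0000   4500 003c 211d 0000 fe01 b5bf xxxx xxxx        E..<!.........Wb
0x0010   5396 7a61 0800 b6b3 0001 0001 5049 4e47        S.za........PING
0x0020   2044 4154 4121 0000 0000 0000 0000 0000        .DATA!..........
0x0030   0000 0000 0000 0000 0000 0000                  ............

 xxx.xxx.xx.xx > 90.83.94.114: icmp: echo request
0x0000   4500 003c 3508 0000 fe01 b706 xxxx xxxx        E..<5.........Wb
0x0010   5a53 5e72 0800 b6b2 0001 0002 5049 4e47        ZS^r........PING
0x0020   2044 4154 4121 0000 0000 0000 0000 0000        .DATA!..........
0x0030   0000 0000 0000 0000 0000 0000                  ............

 xxx.xxx.xx.xx > 101.78.148.14: icmp: echo request
0x0000   4500 003c 356a 0000 fe01 760d xxxx xxxx        E..<5j....v...Wb
0x0010   654e 940e 0800 b6b1 0001 0003 5049 4e47        eN..........PING
0x0020   2044 4154 4121 0000 0000 0000 0000 0000        .DATA!..........
0x0030   0000 0000 0000 0000 0000 0000                  ............
"""

if __name__ == "__main__":
    for pkt in split_packets(DUMP):
        print(decode_echo(pkt))
```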

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Firefox 27 Available http://www.mozilla.org/en-US/firefox/27.0/releasenotes/, (Tue, Feb 4th)

Tue, 02/04/2014 - 11:42

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Adobe Flash Player Emergency Patch, (Tue, Feb 4th)

Tue, 02/04/2014 - 11:29

Adobe today released an emergency patch for a vulnerability that is currently actively exploited. The patch addresses CVE-2014-0497. [1]

The vulnerability affects Windows, OS X and Linux. For Windows/OS X, the current version is now 12.0.0.44, and for Linux 11.2.202.336. Google Chrome users need to update Google Chrome to fix the included version of Flash, as do users of Internet Explorer 10 and 11. [2]

[1] http://helpx.adobe.com/security/products/flash-player/apsb14-04.html
[2] http://technet.microsoft.com/en-us/security/advisory/2755801

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Do you block "new" domain names?, (Tue, Feb 4th)

Tue, 02/04/2014 - 04:41

This is more a quick question than a full post: many attacks use recently registered domain names. Do you block newly registered domain names (let's say for the first week)? What system do you use to do so? I am thinking about setting up a simple API to return a "days registered" value for a domain name, but first want to see what else is out there.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

ISC StormCast for Tuesday, February 4th 2014 http://isc.sans.edu/podcastdetail.html?id=3821, (Tue, Feb 4th)

Mon, 02/03/2014 - 18:04

When an Attack isn't an Attack, (Mon, Feb 3rd)

Mon, 02/03/2014 - 05:47

I think I have seen it referred to as the "X-Files Effect". You just installed a new firewall or IDS, it is still all new and shiny, and the logs are still fresh and interesting. Looking at your logs, it starts dawning on you: "They are out there to get me!". While many of these attacks are attacks, there are also quite a few false positives that typically show up in your logs. At this point, let's quickly define false positives: these are either benign traffic that is mistaken for an attack, or an attack that just doesn't affect you (the famous SQL Slammer attack against a Linux host, for example).

Let's look at a few examples we have come across lately:

a.b.c.d is constantly sending DoS ACK replies to my network, I would like to report this abuse and learn how to report future abuse more easily in the future because this kind of thing happens all the time.

Thank you for taking the time to read this. Below is the log for the incident.

[DoS Attack: ACK Scan] from source: a.b.c.d, port 80, Thursday, January 30,2014 14:10:02

This is an e-mail we receive about once a month. In most cases the source is a busy web server, sometimes a CDN (Content Delivery Network) like Akamai. The reason for these alerts is that most firewalls will consider a connection closed if no activity has been seen for a while. In this case, however, the connection is still open, and the web server eventually sends another data packet, which is then rejected. This is NOT the result of a SYN flood attack (more about that later), and I am not sure why this particular device labels it a DoS attack.

If someone is spoofing your IP address and using it to launch a DoS attack, then you should see SYN ACK packets, not ACK packets. For example, a slightly abbreviated iptables log:

SRC=a.b.c.d DST=v.x.y.z LEN=60 TOS=0x00 PREC=0x20 TTL=49 ID=0 DF PROTO=TCP SPT=80 DPT=62547 WINDOW=2896 RES=0x00 ACK SYN URGP=0

Typical for these logs: The source is a well known server port (80). Could also be 443, 6667 or other ports. The target port is a "random" ephemeral port.

But it isn't just firewalls. IDSs of course love to annoy us with false positives, to beg us to properly configure them. But we don't, because an IDS with every rule it possibly offers enabled is SO much safer! (sarcasm, if you didn't spot it...)

Snort for example has a very neat feature, the "sensitive data" plugin. It can spot sensitive data like e-mail addresses or social security numbers being sent in the clear. Here is an example alert:

[138:5:1] SENSITIVE-DATA Email Addresses [Classification: Sensitive Data] [Priority: 2] {TCP} a.b.c.d:80 -> v.x.y.z:63715

An e-mail address was received from port 80. So in other words: you accessed a web page that contained an e-mail address. Probably not what I would consider a "leak", in particular if this web server was located outside of my control. I have seen this signature trigger a lot on FTP and of course SMTP traffic. Probably still a good reminder not to use a legacy protocol like clear-text FTP.

But let's look at a more tricky one:

Reset outside window [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 23.202.88.93:80 -> 70.91.145.11:59867

The traffic that triggered this alert:

a.80 > b.59782: Flags [P.], seq 1886684918:1886685156, ack 659663868, win 7240, options [nop,nop,TS val 1132895224 ecr 605850989], length 238
a.80 > b.59782: Flags [F.], seq 1886685156, ack 659663869, win 7240, options [nop,nop,TS val 1132895245 ecr 605851009], length 0
a.80 > b.59782: Flags [R], seq 1886685157, win 0, length 0

As you can tell, the sequence number for the reset packet is actually right on. This was again more of a timed-out connection. In this case, the web server was Akamai, and they appear to like to send an extra reset, likely to make sure the connection is down and save them some resources. The connection itself was triggered by an AV tool's "update check".

Which gets me to another favorite firewall false positive:

SRC=v.x.y.z DST=a.b.c.d LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=49424 DF PROTO=TCP SPT=80 DPT=52968 WINDOW=14600 RES=0x00 ACK FIN URGP=0

A "FIN-ACK" being blocked, in this case coming from my web server to a (valid) client. iptables loves to block the final FIN-ACK, as it considers the connection already closed.

Any good false positives you keep running into?
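The triage rules this diary spells out (a late ACK or FIN-ACK from a well-known server port to an ephemeral port is a timed-out connection, a SYN-ACK from a server port is backscatter suggesting your address was spoofed in a SYN flood, a bare SYN to one of your ports is a genuine inbound attempt) applied to iptables log lines, as an added example that is not from the diary. The sample lines are constructed in the diary's abbreviated format, and treating ports below 1024 plus 6667 as "server ports" is an assumption.

```python
"""Triage of iptables log lines: an added example, not from the diary.

Applies the diary's rule of thumb: a late ACK or FIN/ACK from a well-known
server port to an ephemeral port is a timed-out connection, not an attack; a
SYN/ACK from a server port is backscatter suggesting our address was spoofed
in a SYN flood against that server; a bare SYN to one of our ports is a real
inbound connection attempt.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Set, Tuple

_KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")
_TCP_FLAGS = ("SYN", "ACK", "FIN", "RST")
# Assumption: ports below 1024 plus IRC (6667, named in the diary) count as
# "well-known server ports" when they appear as the *source* of a packet.
EXTRA_SERVER_PORTS = {6667}
EPHEMERAL_START = 1024


def parse_iptables_line(line: str) -> Tuple[Dict[str, str], Set[str]]:
    """Split a line into KEY=value fields and the set of bare TCP flag tokens."""
    fields = dict(_KV_RE.findall(line))
    tokens = set(line.split())
    return fields, {flag for flag in _TCP_FLAGS if flag in tokens}


def is_server_port(port: int) -> bool:
    return port < EPHEMERAL_START or port in EXTRA_SERVER_PORTS


def classify(line: str) -> str:
    fields, flags = parse_iptables_line(line)
    if fields.get("PROTO") != "TCP" or "SPT" not in fields or "DPT" not in fields:
        return "OTHER"
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    from_server = is_server_port(spt) and dpt >= EPHEMERAL_START
    if flags == {"SYN", "ACK"} and from_server:
        return "BACKSCATTER"   # reply to a SYN we never sent: our address was likely spoofed
    if "SYN" not in flags and flags & {"ACK", "RST"} and from_server:
        return "STALE"         # late ACK / FIN-ACK / RST on a connection the firewall forgot
    if flags == {"SYN"}:
        return "INBOUND"       # genuine connection attempt against DPT; worth a look
    return "OTHER"


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Bucket counts, so a day's log reduces to 'N stale, M inbound' at a glance."""
    return dict(Counter(classify(line) for line in lines))


# Constructed lines in the abbreviated iptables format used in the diary
# (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = [
    "SRC=203.0.113.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x20 TTL=49 ID=0 DF "
    "PROTO=TCP SPT=80 DPT=62547 WINDOW=2896 RES=0x00 ACK SYN URGP=0",
    "SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=49424 DF "
    "PROTO=TCP SPT=80 DPT=52968 WINDOW=14600 RES=0x00 ACK FIN URGP=0",
    "SRC=203.0.113.77 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4711 DF "
    "PROTO=TCP SPT=51234 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0",
    "SRC=203.0.113.53 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=12 "
    "PROTO=UDP SPT=53 DPT=41000",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(f"{classify(entry):12} {entry}")
    print(summarize(SAMPLE_LOG))
```

Only the third constructed line (a SYN against 3389) is something to follow up on; the first two are the diary's SYN-ACK backscatter and late FIN-ACK cases.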

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

ISC StormCast for Monday, February 3rd 2014 http://isc.sans.edu/podcastdetail.html?id=3818, (Mon, Feb 3rd)

Sun, 02/02/2014 - 18:49