General: January 2006 Archives

Last May, you might recall I had a problem with my website over at PoWWeb. It seems that somehow an iframe had been appended to the bottom of my site so that if you went to my page, it also called http://www.tgp.la/or.html and attempted to install spyware. I wrote about that here. This came up again last week.

The staff at PowWeb posted that they have cleaned up the infection by removing the malicious code. I know they really didn't want to have to touch people's webpages, but I think this was the best solution. I hope they've taken some steps to prevent this from happening again.

Infoworld has reported that ZoneAlarm 6 Internet Security Suite is phoning home. Rather ironic since one of the reasons you would want a personal firewall that controls outbound access is to stop products from phoning home.

Thomas C Green has an article in The Register on Steve Gibson's WMF conspiracy theory. I love it.

I'm currently looking for a forensics research paper topic. In reviewing current research topics in forensics I read one paper I thought was worth sharing here.

http://www.ucl.ac.uk/cert/win_intrusion.pdf
Checking Microsoft Windows Systems for Signs of Compromise by Baker, Green, Meyer, and Cochrane.

The goal of the paper is to document the actions to be taken when dealing with a compromised Microsoft system. Additionally, the paper tries to explain how best to investigate the system and find the points of entry and compromise.

Ten Places NOT to Hide Your Password
Auditors and attackers look for passwords in common hiding places. If you must write down your password, keep it in a safe place, just as you would cash. Do not write the full password. Use a code or a memory jogger. Here is a list of places where auditors have found passwords! (You should not put your passwords in any of these locations):

1. On a note inside a book’s pages
2. On the ceiling
3. On a sticky note on the underside of a shelf or drawer
4. On a note thrown into the trash without shredding
5. On a note in the drawer under the pencil tray
6. On a note behind the lamp
7. On a note under the keyboard
8. On a sticky note on the monitor
9. Behind the calendar
10. In plain sight mixed into other writing on a chalk or dry erase board

If you must write your passwords down, store them securely, either physically locked up or protected by a password or biometric.

Looks like someone practiced some root fu over the weekend at powweb. First I got a comment from someone finding this blog via Google. He/she discovered a tgp.la link in their website hosted at powweb. I assumed that was just an old infection from when that happened last April. At that time, some server exploit added an iframe for that domain into many users' websites. POWWeb chose not to clean their users' websites of the iframe link to tgp.la, much less notify the users of the problem. Although several of us had worked to knock tgp.la offline last April, it was always possible for the bad guys to re-register that domain and get back in business. Sadly tgp.la is alive again, causing some websites on powweb webservers to inadvertently serve up viruses.

Some would like to claim that the individual users' sites were all hacked (certainly the more likely option). We looked into that last April and there was no commonly vulnerable system. Some people had only static HTML with strong FTP passwords. This was clearly a server-level hack.
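A quick way for a site owner on shared hosting to check for the kind of injection described above (an iframe appended below the closing `</html>`, pointing at a domain the owner never put there) is to walk the web root and list every iframe whose host is not on an allowlist. The script below is an added example, not code from the original post or from PowWeb; the web root layout, the allowlist and the sample pages written by `make_sample_site` are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list <iframe> tags in a web root
# whose src host is not on an allowlist. Everything below that names a host,
# file or directory is constructed for illustration.

# Print the host of an absolute (http://h/...) or protocol-relative (//h/...)
# URL; print nothing for a site-relative URL such as /frame.html.
url_host() {
    printf '%s\n' "$1" |
      sed -E -n 's#^([A-Za-z][A-Za-z0-9+.-]*:)?//([^/:?]+).*$#\2#p'
}

# find_foreign_iframes WEBROOT 'host1|host2'
# Emits one "file<TAB>src" line per iframe whose host is not in the allowlist
# (an extended regex of permitted hosts, matched case-insensitively).
find_foreign_iframes() {
    webroot=$1
    allowed=$2
    find "$webroot" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.php' \) |
      sort | while read -r f; do
        # One "<iframe ... src=<quote>value" fragment per line, any letter case,
        # single or double quotes; the sed then keeps only the src value.
        grep -o -i '<iframe[^>]*src=["'"'"'][^"'"'"']*' "$f" 2>/dev/null |
          sed -E 's/^.*[Ss][Rr][Cc]=["'"'"']//' |
          while read -r src; do
            host=$(url_host "$src")
            [ -n "$host" ] || continue   # same-origin frame, not pulled from outside
            if ! printf '%s\n' "$host" | grep -E -i -q "^($allowed)$"; then
                printf '%s\t%s\n' "$f" "$src"
            fi
        done
    done
}

# Build a small constructed web root: a home page with a legitimate frame and an
# injected one appended after </html>, a page with a same-origin frame, and a
# 404 page that pulls in an off-site frame.
make_sample_site() {
    dir=$1
    mkdir -p "$dir/sub"
    printf '%s\n' '<html><body><h1>Home</h1>' \
        '<iframe src="https://www.example.com/widget"></iframe>' \
        '</body></html>' \
        '<iframe src="http://www.tgp.la/or.html" width=1 height=1></iframe>' \
        > "$dir/index.html"
    printf '%s\n' "<html><body><IFRAME SRC='/frames/menu.html'></IFRAME></body></html>" \
        > "$dir/sub/about.html"
    printf '%s\n' '<html><body><p>Not found</p><iframe src="//bad.example.net/x.html"></iframe></body></html>' \
        > "$dir/sub/404.html"
}

# Stand-alone run: sh scan.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_sample_site "$demo"
    find_foreign_iframes "$demo" 'www\.example\.com'
    rm -rf "$demo"
fi
```

Run it against the real document root with your own allowlist (the hosts you knowingly frame, escaped for `grep -E`); an empty result means no off-site frames, and any line that does appear names the file to inspect. Scheduling it from cron and diffing the output against the previous run turns it into a cheap change detector for exactly the modification the host did not notify anyone about.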

But this wasn't the only problem at powweb this weekend. The default 404 page was apparently hijacked on cluster 2, meaning every website housed on that cluster would serve a virus whenever a requested file was not found on the site. The discussion thread for this is here, assuming it has not been deleted.

To avoid 404 page hijackings, I encourage everyone hosted on an Apache server to implement their own 404 error page so they are not reliant on their web host's default. Instructions for doing this are provided by extras here.
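On Apache the site-owned 404 page is a one-line `ErrorDocument` directive in the site's `.htaccess` pointing at a file inside the document root. The script below is an added example, not the instructions linked above nor PowWeb's configuration; it assumes the host permits `.htaccess` overrides for that directive (`AllowOverride FileInfo`), and the directory and page contents are constructed for the illustration. Besides installing the directive it includes a check that rejects the weak forms (no directive, a message string, or an external URL, which makes Apache redirect to a site you do not control).

```shell
#!/bin/sh
# Added example (not from the original post): install a site-owned 404 page so
# Apache serves it instead of the host's default, and verify the setting.
# Assumes .htaccess overrides are allowed for the directory (AllowOverride FileInfo).

# install_custom_404 WEBROOT
# Writes a plain 404.html (no off-site includes, so nothing external can be
# pulled into it) and appends the ErrorDocument directive if it is not present.
install_custom_404() {
    webroot=$1
    printf '%s\n' '<!DOCTYPE html>' \
        '<html><head><title>Page not found</title></head>' \
        '<body><h1>404 - Page not found</h1>' \
        '<p><a href="/">Return to the home page</a></p></body></html>' \
        > "$webroot/404.html"
    # A site-relative path makes Apache serve this file. A bare string would be
    # used as the error message text and an http:// URL would trigger a redirect.
    if ! grep -q '^ErrorDocument 404 ' "$webroot/.htaccess" 2>/dev/null; then
        printf 'ErrorDocument 404 /404.html\n' >> "$webroot/.htaccess"
    fi
}

# check_custom_404 WEBROOT
# Succeeds only when .htaccess names a local 404 page that actually exists.
check_custom_404() {
    webroot=$1
    target=$(sed -n 's/^ErrorDocument 404 //p' "$webroot/.htaccess" 2>/dev/null | head -n 1)
    case "$target" in
        /*) [ -f "$webroot$target" ] ;;   # local path: the file must exist
        *)  return 1 ;;                   # missing, message text, or external URL
    esac
}

# Stand-alone run: sh custom404.sh /path/to/document/root
if [ -d "${1:-}" ]; then
    install_custom_404 "$1"
    if check_custom_404 "$1"; then
        echo "custom 404 page in place: $1/.htaccess -> $(sed -n 's/^ErrorDocument 404 //p' "$1/.htaccess")"
    else
        echo "custom 404 page NOT configured correctly in $1" >&2
        exit 1
    fi
fi
```

After installing, request a path that does not exist on your site and confirm the response body is your own page; if the host's default still appears, `.htaccess` overrides are disabled for that directory and the directive has to go into the host's control panel or server configuration instead.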

Really, powweb is a great webhost. Things like this are going to happen in a shared environment. A lot of places wouldn't have the forums to find out what is going on.

Good luck, and safe computing.

I wrote in November 2004 about how news is reported in I.T. We just saw another example of it.

Back in November 2005, Eugene Kaspersky blogged about the problems in current antivirus products as they compete against criminals motivated by the dollar. Now the more traditional print media, in SC Magazine, has finally caught up with the story. This story was then repeated in Donna's Security Flash (generally a good blog, but in this case repeating a two-month-old story). I thought it was kind of funny to see this story coming around again. But hey, as NBC says, if you haven't seen it, it's new to you.

I'm going to be receiving some training in Cisco wireless hardware this week. Hopefully it will be somewhat worthwhile. I signed up for it last fall, but it looks like now we'd be going with Cisco's more recent wireless products. If nothing else it's a good way to get out of the office for 4 days.

Actually, from the budget talk I've heard lately the wireless funds are already gone.

Dan Kaminsky received fame a few months ago by querying DNS cache results to see how many DNS servers worldwide had cached the resolution of the FQDN used by machines with the Sony rootkit to check in. He talked about that as well as IP fragmentation attacks, DNS poisoning, and the trouble you get into when scanning all the DNS servers on the Internet.

Billy Hoffman of SPI Labs presented on Covert Crawling: A Wolf Among Lambs. He discussed how he created a web crawler that is designed to subvert log analysis.

Attacks (other than worm attacks) are foreshadowed by reconnaissance, and are often followed by the attacker revisiting the site to see whether they were successful.

You might want to check websites for many reasons: monitoring competitors' progress, where they are speaking, etc. When AT&T ran the patent office website, it was possible for them to see what competitors were working on based on what they were looking at on the patent office website.

Making the website crawl appear like normal surfing avoids obvious signs in the logs.

Steve Manzuik, Toby Madhat, and Chris Farrow presented a Birds of a Feather titled "Network Policy Enforcement / Network Quarantine: Latest Security Gimmick or Good Idea."

NAC controls access to the network until the computer is brought into compliance. A lot of users go around the country plugging into any port available. What happens when they get back home? While they may get a cycle of penicillin, their computer gets attached to the network, spreading anything the computer may have picked up.

You can have a lot of problems with NAC if you apply it foolishly. A company with 5-6 thousand users had NAC implemented. On Friday they configured NAC to require the WMF patch. When Monday came, they had 3 thousand computers that couldn't access the network. (Does NAC have remediation? With a system with remediation, I don't see how this is a bad thing, as long as management was on board that this was a critical requirement and they had also been made to understand what would happen.)

There are three types of network enforcement. The client could isolate itself using a personal firewall. The switch could isolate bad clients. Or an appliance could be added in-line to the network to provide enforcement.

One of the key problems with Network Policy Enforcement is handling heterogeneous environments. Can you deal with Mac and Linux? Second, how do you interrogate the clients? Is it only a network vulnerability scan like Nessus, or is there a client agent? If you don't trust the computer, how can you trust the answer it gives to the agent? Someone could go to a lot of trouble to fool the agent. Or they could just write their own agent to give answers to the device, assuming the protocols are that insecure.

In their experience it takes a huge amount of manpower and money. Some things just don't scale well, and Network Policy Enforcement may never work on large 10k+ implementations.

Dan Geer was the keynote speaker at ShmooCon.

For a statistician he made a rather broad-brush statement that current security workers have no formal training. Yet now every college has a security course. The non-credentialed, he says, are the ones with skills, while those with credentials are the charlatans.

Was the world really better when the astronomers were the ones hunting down the hackers? Is the best hacker one with no formal training? It certainly is popular to attack anyone who has bothered to get a certification or a degree, as if that certifies them as having no skills at all.

I do agree with his statement that as demand for security professionals outstrips supply, the number of charlatans increases. It's very annoying to watch clueless people stampede after the money. At least in the pre-credential days, you knew people were doing it because they loved the challenge.

Geer also talked about a change in focus from prevention to detection and recovery: conceding that attacks will succeed but making sure what is important is recoverable. With a strong recovery capability in place, you can apply patches as they are released without a formal QA process.

Another interesting comment from Geer is that according to Symantec's own data a new virus is released every 4 hours. How often do you update your antivirus definitions? It is a doomed model.

I'm going down to ShmooCon at the Wardman Park Marriott in DC. My next few posts will be about the sessions I saw there. Of course, since people read the posts in reverse order, you won't see this until later.

I haven't had time to check the transcripts as I am walking out the door to ShmooCon.

According to reports, Steve Gibson claims that the WMF vulnerability could not have been a mistake; it was an intentional backdoor inserted by Microsoft.

http://thisweekintech.com/sn22

LOL. Yet more fodder for grcsucks.com as well as the Microsoft haters.
Steve Gibson. What an idiot.

Today I was over at Cisco in Herndon for a presentation on their wireless solution. I'm trying to figure out how to architect a solution in a semi-secure manner.

If we authenticate wireless clients onto our internal network, AD credentials aren't good enough. So now I have a concern about the usability. Another concern is how to deal with guest access.

http://www.scmagazine.com/uk/news/article/534613/eschelbeck-new-webroot-cto/

It was quite a surprise when I heard that Gerhard Eschelbeck had quit Qualys. Now I hear today that he is taking the same position at Webroot where he will be CTO and VP. Good news for Webroot, bad news for Qualys.

According to Gerhard Eschelbeck (former CTO and VP of engineering for Qualys), 85% of the damage from automated attacks takes place in the first 15 days after a vulnerability's release. (Cited in this month's SC Mag.)

How long does it take your company to get fully patched?

available here

Annoyed that they haven't been able to stir the Internet into a full panic, ISC handlers now resort to sarcastic attacks on Microsoft. Basking in the warmth of their PR machine, they throw rocks at the desire to test a patch on the many languages, operating systems and chipsets that make up Microsoft Windows. When SANS releases a patch, it can be "good enough". But when Microsoft releases a patch, four versions in the first four days just isn't going to cut the mustard.

The ISC Handler should report on the security status of the Internet. It's not an opinion piece. A personal blog like this one is the place for opinion.

Over at broadband reports I see a thread with a link (which the moderator has deleted) claiming to be to the official Microsoft patch for the WMF vulnerability, and that it has been fully QA tested on Windows XP and Windows 2003 x86 and x64 English, and that it is currently being tested on other language installs and the IA64 architecture.

That sounds like great social engineering.

I had been wondering if it is possible to run the third-party WMF patch in a silent mode. When I downloaded the patch and ran it with a /? it did not give me any command line options. SANS is now reporting the syntax to run the install quietly.

I'm still wondering how to uninstall the patch programmatically when the real patch is released. I'm assuming that since it is listed in Add/Remove Programs it should be possible to find the uninstall command line in the registry. I haven't looked through it yet.

SANS has posted a WMF FAQ. Good summary for those not keeping up.
http://isc.sans.org/diary.php?storyid=994