Small Mosaic


Thu, 21 Sep 2006

Run Security Scans from Visio
I'm not a huge fan of Visio but the ability to connect the MBSA to individual hosts and trigger scans is very neat. I'm also assuming that you can use the Visio scripting interface to mark machines that fail as a different colour. Full details over at the Visio Connector for MBSA article.

Posted: 2006/09/21 08:38 | /security/tools


Wed, 06 Sep 2006

Own a SQL Server 2000 Machine and get ALL Passwords
Watch it be done in under five minutes in the MS SQL Preauth Attack, Pwdump and John the Ripper video. Surprising? No. Fun to watch? Yes! Every now and again it's nice to be reminded our systems are not as secure as we'd like to think.

Posted: 2006/09/06 23:59 | /security


Wed, 16 Aug 2006

Incompetents, Security and Hellish Policies
"You do not secure the liberty of our country and value of our democracy by undermining them. That's the road to hell."
-- Lord Phillips of Sudbury (source: BBC News, "Police decryption powers 'flawed'")

I don't normally post on politics or law because I'm not an expert and, to be honest (judging by my apache logs), they're only interesting to a small fraction of the people that stop by here. However, two of the security related news stories I've seen today need to be pointed out. First of all we have proof of the old saying, "if they want you bad enough they'll get you".

Only in this case "they" turned out to be a 12-year-old child (and no, I don't read the Express; it's the only instance of the story I could find to link to) who'd run away from a care home in Merseyside. And made it on to a jet during "one of the tightest lock-downs in airport history". He only managed to sneak through passport control. And police. And security. And a metal detector and pat down. And the ground control checks. And through the departure checks.

Whoever said "The guards are most diligent after the break in" has obviously never met any of the massively skilled people at Heathrow. I liked "we're launching an investigation". I don't want an investigation, I want a full witch hunt; with bloodhounds. Followed by lots of high level sackings and possible prosecutions. Airports are a vital part of our infrastructure; something like this must be as near to criminal negligence as you can get without seeing a nice cell and that guy called "Bruiser" with the pretty tattoos on his knuckles...

Now that I've released my bile let's get to the other story, well, another link. Some peers have claimed the police decryption powers are 'flawed' and risk being abused. No shit.

Posted: 2006/08/16 20:32 | /security


Mon, 26 Jun 2006

AIDE Agony
When it comes to host-based intrusion detection I'm most familiar with Tripwire Open Source Edition. While shopping around for a HIDS to deploy on a play box I decided to try AIDE, and got stopped at one of the first hurdles.

Tripwire has an interactive update mechanism: it runs a scan (based on your config file) and then prompts you to accept, reject or mark changes as pending, all within one operation. Unless I'm missing something, AIDE takes a "generate signatures, user checks the output, generate signatures again" approach, which leaves a huge race condition open. Any files created or edited between the check and the second generate step will slip through the net.

Am I missing something or is this really how it works?
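To make the race concrete, here is a toy integrity checker written for this page (it is not AIDE or Tripwire code, and the file names and contents are constructed). Both update flows see the same tampering that happens after the operator has reviewed the report; the "rescan then accept" flow bakes it into the new baseline, the "accept the snapshot you reviewed" flow catches it on the next run.

```python
"""Toy integrity checker showing the baseline-update race described above.
Constructed example; not AIDE or Tripwire code."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff(baseline: dict, current: dict) -> tuple:
    """Return (added, removed, changed) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return added, removed, changed


def rescan_update(root: Path, baseline: dict, between) -> tuple:
    """Check, let the operator review, then take a *fresh* scan as the new
    baseline. Anything `between` does after the review lands in the baseline
    unreported: that is the race the post complains about."""
    report = diff(baseline, snapshot(root))
    between()                      # change made after the report was reviewed
    return report, snapshot(root)  # second scan: tampering silently accepted


def report_update(root: Path, baseline: dict, between) -> tuple:
    """Check and accept the very snapshot the report was built from, so the
    reviewed state and the stored state cannot diverge. A change made after
    the review is still caught on the next run."""
    current = snapshot(root)
    report = diff(baseline, current)
    between()
    return report, current


def demo() -> tuple:
    """Run both flows against the same tampering; returns what the *next*
    check reports under each (constructed files in a temporary directory)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        original = "dwilson:x:1000:1000::/home/dwilson:/bin/bash\n"
        (root / "passwd").write_text(original)
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)

        def tamper():
            (root / "passwd").write_text("attacker:x:0:0::/root:/bin/bash\n")

        _, base_after_rescan = rescan_update(root, baseline, tamper)
        next_check_rescan = diff(base_after_rescan, snapshot(root))

        (root / "passwd").write_text(original)   # reset for the second flow
        _, base_after_report = report_update(root, baseline, tamper)
        next_check_report = diff(base_after_report, snapshot(root))
        return next_check_rescan, next_check_report


if __name__ == "__main__":
    rescan, report = demo()
    print("rescan-then-accept flow, next check:", rescan)
    print("accept-reviewed-snapshot flow, next check:", report)
```

The point of the second flow is that the database you store is the one a human looked at; the window between "review" and "write database" still exists, but whatever sneaks in during it shows up as a change next time instead of becoming the new normal.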

Posted: 2006/06/26 18:15 | /security


Wed, 08 Mar 2006

Know Thy Open Network ports
Which ports do your servers have open right now? How did you check? Netstat? Are you really sure that it's doing the right thing? What the host claims to be exporting isn't always the same as what other hosts on the network see. When did your DNS server start exposing that TCP port? Has it always been there?

I want a tool that keeps track of what ports a machine has open and shows me changes (and tracks when things change). It has to scan the whole port range from top to bottom and it needs to do UDP scans in under a couple of hours. Think of tripwire but for network ports. Changes have to be approved or they keep being flagged as suspicious. As a side effect it'll also show you when things go away. Hard to write? Not really. But why don't most of us already have it built and running?

It's also worth pointing out that this isn't the same role that programs like Nagios fill. You tell Nagios what to watch and it picks up changes in that limited scope. I want something to watch the whole (finite) port range and show me things I didn't think about.
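Here is the core of the "tripwire for ports" idea as an added example written for this page (not an existing tool): parse scan output taken from another host, diff it against a baseline of approved ports, and keep flagging anything unapproved, or anything approved that has vanished, until an operator acts. The scan lines are constructed in nmap's grepable output style; the host and ports are made up.

```python
"""Toy 'tripwire for ports': diff what a network scan sees against an approved
baseline and flag unapproved or vanished ports on every run until someone acts.
Constructed example written for this post; not an existing tool."""
import re

# Constructed scans in nmap's grepable (-oG) style. In real use feed it the
# output of a full-range TCP and UDP scan of each host, run from another box.
SCAN_T0 = "Host: 192.0.2.10 (ns1)\tPorts: 22/open/tcp//ssh///, 53/open/udp//domain///"
SCAN_T1 = "Host: 192.0.2.10 (ns1)\tPorts: 22/open/tcp//ssh///, 53/open/udp//domain///, 53/open/tcp//domain///"
SCAN_LATER = "Host: 192.0.2.10 (ns1)\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///"

HOST_RE = re.compile(r"Host:\s+(\S+).*?Ports:\s+(.*)")
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)")


def parse_grepable(text: str) -> dict:
    """Return {host: {(port, proto), ...}} containing only open ports."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts[m.group(1)] = {(int(p), proto) for p, proto in PORT_RE.findall(m.group(2))}
    return hosts


def check(baseline: dict, scan: dict, when: str) -> list:
    """Compare a scan with the baseline. Returns (host, (port, proto), status,
    first_seen) tuples. Unapproved ports are reported on every run until
    approve() is called; approved ports that disappear are reported as GONE."""
    findings = []
    for host, ports in scan.items():
        entry = baseline.setdefault(host, {"approved": set(), "first_seen": {}})
        for pp in sorted(ports):
            entry["first_seen"].setdefault(pp, when)   # remember when it appeared
            if pp not in entry["approved"]:
                findings.append((host, pp, "UNAPPROVED", entry["first_seen"][pp]))
        for pp in sorted(entry["approved"] - ports):
            findings.append((host, pp, "GONE", entry["first_seen"].get(pp)))
    return findings


def approve(baseline: dict, host: str, port: int, proto: str) -> None:
    """Operator accepts a port; it stops being flagged until it vanishes."""
    baseline[host]["approved"].add((port, proto))


def demo() -> tuple:
    """Walk through three runs against the constructed scans."""
    baseline = {}
    check(baseline, parse_grepable(SCAN_T0), "t0")             # first run: all pending
    approve(baseline, "192.0.2.10", 22, "tcp")
    approve(baseline, "192.0.2.10", 53, "udp")
    first = check(baseline, parse_grepable(SCAN_T1), "t1")     # DNS grew a TCP port
    second = check(baseline, parse_grepable(SCAN_T1), "t2")    # still flagged, first seen t1
    third = check(baseline, parse_grepable(SCAN_LATER), "t3")  # approved 53/udp has gone
    return first, second, third


if __name__ == "__main__":
    for run in demo():
        print(run)
```

Persist `baseline` (pickle or JSON with the tuples stringified) between runs and the "when did that TCP port appear on the DNS server?" question answers itself from `first_seen`.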

Posted: 2006/03/08 20:45 | /security


Mon, 06 Feb 2006

Patching for Custom Config File Locations
While discussing the FIA via SSH article, one of my comments got some feedback; the comment was about sudo's config potentially giving the game away. A number of people suggested the same solution: patch where the source looks for the config file and compile it yourself. The idea is that you put a fake config file in the usual place, patch the source to use a different location and then compile the application. When it runs it leaves the fake config alone, uses the custom location you added and the attacker is none the wiser.

This isn't difficult to do. For example a number of honeypot articles recommend patching syslog so the attacker doesn't see a "log to remote host" config setting. Technically this works just fine. But that's not where you pay the price...

Doing something like this is a small security win but a huge usability loss. Firstly, every time you want to upgrade the binaries you need to patch, compile and occasionally even package them. After you've done this step you need to find a way of incorporating their distribution with the rest of your software. Lastly you have the enjoyment of having a sysadmin spend half an hour changing settings, restarting the command/daemon and NOTHING HAPPENS! Why? Because they changed the default config file. Which is a fake... You'll do this once and then swear off the technique for anything except a one man research box that you don't want to keep current.

Posted: 2006/02/06 23:33 | /security


Sat, 04 Feb 2006

File Integrity Assessment via SSH Article - Sysadmin Article
Hal Pomeranz has an interesting article on File Integrity Assessment via SSH over at sysadmin magazine (well worth a subscription). At my last job a couple of us discussed doing something similar so I enjoyed the article; it's nice to see someone actually implement the damn thing.

The basic idea addresses one of the implicit weaknesses of FIA tools: you give the attacker an obvious target to try and subvert. While there are little tricks you can employ to make their life harder (add a false positive so if they replace the binary with a fake it doesn't report everything you'd expect, etc.), Hal's technique moves the whole FIA setup off the machine. You only copy the FIA tools in when you're going to run the scan. This won't stop kernel level hacks written just for screwing with FIA but it does raise the bar a fair bit.

One of my suggested tweaks for this would be to replace the null-passphrase root SSH key. Firstly, I dislike allowing root to SSH to a machine. Secondly, keys with no passphrase are often a bad thing. While SSH agent can make them better, a non-privileged account, sudo and the NOPASSWD option are often a better choice.

The config in '/etc/sudoers' will make it easier for a competent attacker to work out what's going on (although to make life harder you can still rename commands as mentioned in the article) but this is better than allowing such a dangerous entry point to all your systems.
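As an added illustration of that tweak (constructed for this page, not taken from Hal's article): a dedicated unprivileged account whose SSH key can only trigger the scan wrapper, plus a sudoers entry granting that single command without a password. The account name 'fia', the wrapper path and the key comment are assumptions.

```conf
# /etc/ssh/sshd_config on the scanned host: no root logins at all
PermitRootLogin no

# ~fia/.ssh/authorized_keys on the scanned host (one line). The key is pinned
# to the wrapper and stripped of pty and forwarding so it is useless for
# anything else if it leaks.
command="sudo /usr/local/lib/fia/run-check",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa <PUBLIC-KEY-PLACEHOLDER> fia-scanner

# /etc/sudoers fragment on the scanned host: exactly one command as root,
# with the environment reset so the wrapper cannot be steered from the client.
Cmnd_Alias FIA = /usr/local/lib/fia/run-check
Defaults!FIA env_reset
fia ALL=(root) NOPASSWD: FIA
```

The wrapper is what copies in and runs the FIA tools for that one scan. The trade-off the post describes still stands: the sudoers line tells a competent attacker something is going on, but a compromised scanning host now gets one command on the targets rather than a root shell on all of them.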

Posted: 2006/02/04 20:28 | /security


Sat, 28 Jan 2006

Over Mounting in Linux
A topic that's been discussed to great length on one of (many) Linux lists I lurk on has been that of mounting one file over another. It's easier to show this with an example:

$ cat password
dwilson:password

$ cat fakepassword
attacker:fakepassword

root# mount --bind fakepassword password

$ cat password
attacker:fakepassword

While this requires root access (or flimsy mount permissions) to execute, it is a nasty little trick. An 'ls' won't show anything strange but a 'mount' command will. It's also worth noting that this can be done with binary and executable files. 'root# mount --bind /tmp/attacker_ps /bin/ps' works as well as the example did.
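Because 'mount' does show the trick, it can be checked for automatically. This added example (written for this page, not an existing tool) parses /proc/self/mountinfo, where a bind mount of a file or subtree shows up with a root other than '/', and reports any such mount sitting under a system directory. The sample lines are constructed to reproduce the two over-mounts from the post.

```python
"""Spot file-over-file bind mounts from /proc/self/mountinfo. Constructed
example for this post, not an existing tool."""

WATCHED = ("/bin/", "/sbin/", "/lib/", "/usr/", "/etc/")

# Constructed mountinfo lines: a normal root, /proc and /tmp, then the two
# over-mounts from the post (/bin/ps and /etc/passwd replaced by bind mounts).
SAMPLE = """\
17 22 0:4 / /proc rw,nosuid,nodev,noexec - proc proc rw
22 1 8:1 / / rw,relatime - ext3 /dev/sda1 rw,errors=remount-ro
24 22 0:15 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
31 22 8:1 /tmp/attacker_ps /bin/ps rw,relatime - ext3 /dev/sda1 rw,errors=remount-ro
32 22 8:1 /home/attacker/fakepassword /etc/passwd rw,relatime - ext3 /dev/sda1 rw
"""


def _unescape(field: str) -> str:
    """mountinfo encodes space, tab, newline and backslash as octal escapes."""
    return (field.replace("\\040", " ").replace("\\011", "\t")
                 .replace("\\012", "\n").replace("\\134", "\\"))


def parse_mountinfo(text: str) -> list:
    """Return (root, mount_point, fstype, source) per mount. The fields before
    ' - ' are positional (root is field 4, mount point field 5); fstype and
    source follow the separator."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        pf = pre.split()
        ps = post.split()
        mounts.append((_unescape(pf[3]), _unescape(pf[4]), ps[0], _unescape(ps[1])))
    return mounts


def find_overmounts(text: str, watched=WATCHED) -> list:
    """A bind mount of a file or subtree has a root other than '/'. Report any
    such mount whose mount point lies inside a system directory; a whole
    filesystem mounted there (root '/', e.g. a separate /usr) is left alone."""
    hits = []
    for root, mpoint, fstype, source in parse_mountinfo(text):
        if root != "/" and mpoint.startswith(watched):
            hits.append((mpoint, root, source))
    return hits


def check_live() -> list:
    """Run against this host; empty list where /proc/self/mountinfo is absent."""
    try:
        with open("/proc/self/mountinfo") as fh:
            return find_overmounts(fh.read())
    except OSError:
        return []


if __name__ == "__main__":
    for mpoint, root, source in find_overmounts(SAMPLE):
        print(f"{mpoint} is hidden behind {root} on {source}")
```

Treat the output as a review list rather than an alarm: container runtimes, for instance, legitimately bind-mount things like /etc/hosts into a guest, so the interesting hits are the ones on a plain server that nobody can account for.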

Posted: 2006/01/28 19:46 | /security


Sat, 12 Nov 2005

Sudo Article Promoted Bad Behaviour
I like sudo; it allows you to give people (and automated jobs) more privileges without having to hand out the root password. One of the more important aspects of its use is restricting the commands a user can run. After all, limiting people's access to rootly powers doesn't help much if they can just shell out to bash or edit the shadow file (or other important files) and locally escalate their privileges.

Unfortunately a Linux.com sudo article shows new users a number of ways of doing this without explaining why it's a really bad idea. I understand that a lot of people just give themselves full root powers using sudo (hell I do on my own machines) but in an article pointed at beginners, especially one that has examples of using an interactive editor with sudo, the concepts need to be explained and some good practices presented. More why with the how please.

The highlight of the article for me was introducing new users to the 'sudoedit' and '-e' options: "but it uses the editor in your $EDITOR environment string". How often do you check the value in $EDITOR? Neither do I. And you're expected to blindly trust, with full root powers, whichever command it points to?

Posted: 2005/11/12 16:33 | /security


OpenCON 2005 OpenBSD Slides
The OpenCON 2005 OpenBSD slides are now available and linked to from undeadly.org. Whenever the OpenBSD people get together and present on security it's worth ten minutes of the admin's day to have a look for the new ideas; after all they'll often appear everywhere else over the next year.

The highlights of this batch include an overview of how the congestion indicator works and allows you to log in even when getting DoSed, the changes to the ports and package tools (which are moving to Perl!) and the whole of Theo's Exploit Mitigation Techniques slides. Especially the Stackgap slide.

PS: MagicPoint needs to output HTML with access-keys defined. It'd make the slides a lot easier to read...

Posted: 2005/11/12 15:53 | /security


Sun, 02 Oct 2005

Toorcon 2005 Slides Available
I've never been able to get to a Toorcon but from reading the Toorcon 2005 slides it seems they have a number of quality speakers. The three highlights from this year's sessions seem to be Introducing the Bastille Hardening Assessment Tool by Jay Beale, How Big is that Foot in the Door by Foofus and Simple Nomad's How Hackers Get Caught.

The intro to Bastille does a good job of explaining why you should care about hardening, and includes some great quotes: "The NSA's Information Assurance Directorate evaluated a system locked-down following CIS's Windows 2000 guide. 90 percent of all the vulnerabilities in this platform were mitigated by the guide." It also introduces some of the knowledge required to add your own Bastille checks.

Foofus's talk is an ideas springboard and well worth a read. His slides show how to map out relationships between machines and how a single compromised password can bring down a large chunk of your infrastructure. I can't wait for a canned, sysadmin friendly tool that I can use for this.

Simple Nomad's talk is less technically focused but more entertaining. He covers some of the back and forth of attacking and the stupid things skiddies do. It's worth a read and serves as an amusing refresher.

Posted: 2005/10/02 10:39 | /security


Fri, 25 Mar 2005

F-Secure Blacklight Windows Rootkit Detector Beta
F-Secure has released a blacklight beta download that is available in both GUI and command-line versions. The full Blacklight details are now online and after a quick play it seems pretty nifty, and most importantly, has a command-line version for automated deployment and scanning. One to watch when it goes gold.

Posted: 2005/03/25 10:31 | /security


Sat, 19 Mar 2005

Follow the Bouncing Malware -- ISC Handler's Diary
Tom Liston wrote up an excellent (and scary!) analysis of what happens to an unpatched machine when it goes to a less than reputable site. The full details, part 1, part 2, part 3 and part 4 are well worth a read. You'll be stunned at how much shite comes down from a single executable that the user never even gets a choice whether to run.

Posted: 2005/03/19 11:50 | /security


Thu, 10 Mar 2005

Address Book Phishing and Information Leakage
Firstly let's define phishing: "The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft." While most phishing attacks are done over the web, consider how they could be tailored to abuse email and local address books.

Let's consider a scenario: a non-technical (and busy) receptionist or assistant (Alice) sends a number of emails from her pet executive to certain people outside the company. Assume an accountant, an insurance broker and some other highly paid but pointless consultant; you probably have about six names in your head right now :) For the sake of this example they are all public members of the company (AGM meetings, stockholders or even just pages showing previous customers).

The villain of our story, the dastardly Bob, purchases a domain similar to the one used by one of our external parties, Carol. He then sends an email to Alice (getting the name of the financial controller's PA isn't that hard...) from this dodgy domain with the name looking pretty much identical to Carol's. Maybe an i is a 1 or something similar but awkward to notice. Bob then either plays it safe and asks an innocuous question just to get a reply (wait for it :)) or tries to social engineer his way into having Carol's original details removed. This is risky but makes the attack a lot more successful.

One day Alice takes some notes, types them in, cleans them up and then sends them to the external parties, including Carol. Since Alice has a nice, shiny and helpful mail client it added the address (which was received and replied to) to its personal address book and offers it to her when she types in "Car". In some cases it'll even hide the ones offered by the global address book, which makes things even nastier. The auto-complete will pop up and most people will either select the top option out of habit or not even notice that there were multiple entries; muscle memory is a wonderful thing once you know how to exploit it.

Is this likely? Not really, it involves a lot of work for a difficult to execute attack. Could the local address book fiddling be added to an existing worm or malware to make it even worse? Quite easily. Still it was fun to think through; it's nice to be the (theoretical) attacker now and again.

Posted: 2005/03/10 20:37 | /security


Thu, 27 Jan 2005

MySQL Worm Hits Windows Machines
You know you've hit the big time when you get your own worm! The MySpool worm is turning badly configured MySQL installations (on Windows) into zombies in a huge bot net. Now I'm not even going to ask why so many people have MySQL installations listening to the network (Debian disables this by default so bonus points to them) but it is depressing. To stop it doing this just add "skip-networking" to the [mysqld] section of the config file.

I think it's about time someone wrote a MySQL vulnerability scanner to pick up weak passwords, unprotected accounts and similar. Judging by the number of machines out there that are being broken into by this thing there is a market...

For more technical coverage of the problem have a look at SecuriTeam's MySQL UDF Dynamic Library Exploit.

Posted: 2005/01/27 23:07 | /security


Sat, 15 Jan 2005

Making Internal Spoofing Harder with OS Detection
I recently wrote down a couple of snippets on Limiting Administration by OS, since putting those to er... paper another thought crossed my mind.

Some of the worst internal incidents I've been involved in were those where the attacker either rebooted into a live Linux CD or had a second hard drive that was mostly left unwired. This made tracking and auditing his actions extremely difficult due to the nature of his attack platform.

While tools like arpwatch look for the more obvious changes of MAC addresses, using something like p0f or a PF based firewall it'd be possible to look for operating system changes on the network in cases where the MAC address isn't changed; and if it is changed, the firewall can block and flag the unknown address. After all, if a MAC tied to a Windows machine suddenly changes to a FreeBSD box it certainly warrants investigation.

Posted: 2005/01/15 12:51 | /security


Limiting Administration by OS
This is the third and probably last of my ramblings on the subject of locking down a machine's potential attack footprint by mass filtering. While I've already mentioned blocking certain ports to entire countries (mostly to stop SPAM) and only allowing access to other ports to geographically local IPs (to stop attacks on critical services like SSH for admins) it is also worth mentioning OS detection.

Certain tools, such as p0f and OpenBSD's PF, can detect what operating system someone is trying to connect with. Now this alone isn't very interesting, but when you build it in to a firewall such as PF you suddenly gain another trick in the tool box.

Most machines in botnets for example are Windows machines. If your admin team use Linux 2.4 then lock down the settings on your firewall to only allow 2.4, this way even if the attackers are local (in terms of geographical IP ranges) they still need to be using the correct operating system to even attempt a connection.

Putting the three concepts I've discussed together you've reduced the potential for attack on your administration services from anyone in the world, to anyone in your city / country and then to anyone in your city / country running your chosen operating system. And then you can require them to get through key authentication AND a username password check :)
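As an added example of what that looks like in PF (constructed for this page, not the post's own rules): SSH is blocked on the outside interface except for connections from the admin ranges that also fingerprint as the admins' OS. The interface name, the table file and the "Linux 2.4" label are assumptions; the label has to match one of the fingerprints PF knows about, which `pfctl -s osfp` lists.

```conf
# pf.conf fragment (constructed example). Assumes em0 is the external
# interface and /etc/pf.admin_nets holds the admin team's address ranges.
ext_if = "em0"
table <admin_nets> persist file "/etc/pf.admin_nets"

# Default: nobody talks to sshd from outside, and the attempts get logged.
block in log on $ext_if proto tcp to ($ext_if) port ssh

# Exception: the admin ranges, and only when the SYN fingerprints as the
# OS the admin team actually runs (see pfctl -s osfp for valid labels).
pass in on $ext_if proto tcp from <admin_nets> os "Linux 2.4" \
    to ($ext_if) port ssh keep state
```

The OS match is a fingerprint of the connecting TCP stack, so it is a filter against the wrong kind of machine, not against a deliberate attacker who can tune their stack; it stacks on top of the address and key checks rather than replacing them.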

Posted: 2005/01/15 11:53 | /security


Wed, 15 Dec 2004

MS Network Access Protection (NAP) -- Paranoid Visions
TheRegister has an informative, and pretty short, article on MS NAP, a technology that should help keep networks clear of worm activity by requiring all machines to have up-to-date patching and anti-virus before the network equipment will let them play with others.

Now let's gloss over the more obvious question of how you get a machine on the network for the first time, as it's simple: the kind of company that actually needs this will have a patch management system in place for new builds (maybe just something like MS SUS) to bootstrap the process. The real questions to ask are: will any anti-virus software except MS Anti-virus (or whatever they call it by then) actually work with this? And more importantly, will it be easy to turn this feature off so we can add *nix boxes to the network?

Posted: 2004/12/15 00:39 | /security


Mon, 13 Dec 2004

This is a Local Service for Local People...
In a previous post about blacklisting IP ranges used by China I stated why I feel it's a valid approach. I think I should clarify my own actions when it comes to things like this.

Any servers that are owned and administered by me alone (Bytemark virtual machines, friends' servers etc.) have a number of deny rules in place to drop connections to a number of important ports (SSH, SSL etc.) to reduce the attack vectors provided by the servers. These rules block connections from any IP addresses not in the UK, Brussels and a couple of other countries; if I'm going to a tech conference I'll open the range slightly to allow remote access but I'll turn on stupid amounts of logging for the duration of the trip.

For work machines the rules have to be a little different, most companies fit into one of two categories, those that have geographically dispersed teams and those that don't. It's worth noting that for the purpose of this post I'm only discussing admin and other important services, SSH, SSL to certain servers etc, not web and email traffic. For those I do layer 7 filtering.

The only real difference between the two is how many allow rules you have to add. It should not be possible for Joe Random Stranger in the land of the script kiddies to even probe those services unless they are located in the same country as your admins. By adding simple, logical rules like these you reduce your exposure dramatically and increase your networks security at pretty much no loss of functionality.

Posted: 2004/12/13 20:19 | /security


Wed, 01 Dec 2004

PHP Easter Eggs and Version Disclosure
There has recently been a thread about PHP easter eggs on the webappsec security list. In essence if you call ANY PHP page with certain parameters custom pages will be returned.

Here's an example of the PHP credits page. It may seem a little petty to complain about such a small thing in a code-base provided for free, but there is a more serious aspect to this: the pages returned vary depending on the version of PHP you run, so it's possible to use this to determine which version the server is running even if you've changed the ServerTokens directive to something more restrictive than the default.

While you can disable this using 'expose_php = Off' in your php.ini file, easter eggs in Internet exposed production code annoy the hell out of me.

Posted: 2004/12/01 16:41 | /security



Copyright © 2000-2005 Dean Wilson