Alerts

Microsoft & IE support plans, best be on IE11 by 01/2016, (Sat, Aug 9th)

Latest Alerts - Fri, 08/08/2014 - 21:38

Microsoft announced in their blog on the 8th (thanks Allan for the heads up) that starting January 2016 the browsers that will be supported are: 

  • Vista SP2 - IE9
  • 2008 SP2 - IE9 
  • Windows 7 - IE11
  • 2008 R2 SP1 - IE11
  • Windows 8.1 - IE11
  • 2012 - IE10
  • 2012 R2 - IE11

​I can hear the security brain cells cheer and the business brain cells cringe.  From a security perspective running the latest browser typically makes sense.  However from a business perspective this may cause quite a few issues in many organisations.  Older applications were often written for specific browser versions, so to upgrade or allow for those to continue to function may not be a trivial task.  The blog does explain that you may be able to use "Enterprise mode" in IE11.  This might be one way to migrate for your organisation (http://blogs.msdn.com/b/ie/archive/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11.aspx)  

The blog entry also has what I'd like to call a few interesting throwaway lines.  For example "After January 12, 2016, only the most recent version of Internet Explorer available for a supported operating system will receive technical support and security updates." In other words you may have to migrate to IE12 when it becomes available for the OS you use.  

In short if you are not using the latest Internet Explorer in your organisation you may have limited time to get it sorted before your risk profile increases dramatically, unless of course all the bad guys promise to only concentrate on current versions of the browser. 

MS Blog can be found here --> http://blogs.msdn.com/b/ie/archive/2014/08/07/stay-up-to-date-with-internet-explorer.aspx

Cheers

Mark H 

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Exploit Available for Symantec End Point Protection, (Wed, Aug 6th)

Latest Alerts - Fri, 08/08/2014 - 06:30

An exploit is now available at exploit-db.com for the Symantec End Point Protection privilege escalation vulnerability. Symantec released a patch for this issue earlier this week [1].

The vulnerability requires normal-user access to the affected system and can be used to escalate privileges to fully control the system (instead of being limited to a particular user) so this will make a great follow up exploit to a standard drive-by exploit that gains user privileges.

We have gotten some reports that users have problems installing the patch on legacy systems (e.g. Windows 2003). Applying the patch just fails in these cases and appears to have no ill effect on system stability.

[1] http://www.symantec.com/business/support/index?page=content&id=TECH223338

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Coming up next: Microsoft Patch Tuesday, (Fri, Aug 8th)

Latest Alerts - Thu, 08/07/2014 - 18:57

Microsoft will publish 9 bulletins next patch tuesday, with 7 important and 2 critical bulletins. More information at https://technet.microsoft.com/library/security/ms14-aug

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Friday, August 8th 2014 http://isc.sans.edu/podcastdetail.html?id=4097, (Fri, Aug 8th)

Latest Alerts - Thu, 08/07/2014 - 17:54
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Checking for vulnerabilities in the Smart Grid System, (Thu, Aug 7th)

Latest Alerts - Thu, 08/07/2014 - 17:02

SCADA systems are not composed the same way as regular IT systems. Therefore, the risk and vulnerability assessment cannot be performed as it is done for any other IT system. The most important differences are:

  • SCADA Pentesting should not be done in production environment: SCADA devices are very fragile and some activities that could pose harmless to regular IT environments could be catastrophic to the process availability. Think of massive blackouts or no water supply for a city.
  • SCADA devices have specific outputs for the industrial process they are controlling. The architecture and operating systems are not the same, so risks assessment approach is not performed in the same way. For electrical systems, we need to address devices belonging to the Advanced Metering Infrastructure (AMI), Demand Response (DR), Distributed Energy Resources (DER), Distributed Grid Management (DGM), Electric Transportation (ET) and Wide Area Monitong, Protection and Control (WAMPAC). This means we need to address devices like the following, instead of conventional network devices, services, laptops, desktop computers or mobile devices:
AMI Meters Relays Aggregators Access points DR Energy Resources Digital Control Unit DER DER Managed generation and storage devices Customer Energy Management System DGM Automated Reclosure Remote Fault Indicators Capacitor Banks Automated Switches Load Monitor Substation Breakers WAMPAC Phasor Measurement Units Device which includes Phasor Measurement Unit capabilities Field Deployed Phasor Data Concentrator Field Deployed Phasor Gateways

Table 1: Devices in the Smartgrid Network

This means we need to considering a specific methodology for this type of infrastructure that leads to effective risk mitigation for proper detection of vulnerabilities in the smartgrid system. I want to recommend one today named Guide to Penetration Testing for Electric Uitilities created by the National Electric Sector Cybersecurity Organization Resource (NESCOR). This metodology is composed by the following steps:

 


Source: http://www.smartgrid.epri.com/doc/NESCORGuidetoPenetrationTestingforElectricUtilities-v3-Final.pdf

Let's explain the steps a little bit:

  • Penetration Test Scoping: You need to decide which sector of the entire system will be the target of the assessment. Could be a substation, generation plant or any other device listed in table 1. The scope could even be the entire system.
  • Architecture Review: You want to learn the context of the entire system. This is the first step of information acquisition. Can be done checking the documentation of the system and analyzing the configuration of the devices part of the scope.You can also check for information in the same way as it is done with conventional pentesting like google, shodan, maltego and social networks.
  • Target System Setup: You don't want to perform a pentesting in a smartgrid live production environment. Instead, you need to setup an environment with the same configuration, as much as possible, to the live configuration of the smartgrid production environment. That's how we can get a full list of the vulnerabilities performing even dangerous test without affecting the availability of the electrical service.
  • Server OS, Server application, Network Communication and Embedded device penetration tasks: Those are the specific pentest tasks within the target systems. You can use several tools like
  • End to end penetration testing analysis: You need to ensure that all possible inputs from external systems to all systems in the scope have been tested and evaluated as possible vulnerable points for attacks.
  • Result interpretation and reporting: As always, you need to develop a report including the vulnerabilities that could be exploited, the risks associated, the remediation steps and other recommendations that could be applied.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Thursday, August 7th 2014 http://isc.sans.edu/podcastdetail.html?id=4095, (Thu, Aug 7th)

Latest Alerts - Wed, 08/06/2014 - 17:07
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Free Service to Help CryptoLocker Victims by FireEye and Fox-IT, (Wed, Aug 6th)

Latest Alerts - Wed, 08/06/2014 - 16:25

Various Internet Storm Center Handlers have written Diaries on the malware called CryptoLocker, a nasty piece of malware which encrypting the files of the systems it infects, then gives victims 72 hours to pay the ransom to receive a private key that decrypts those files. There are still victims out there with encrypted files, and if you're one of them or know of someone affected, the folks at FireEye and Fox-IT have created a web portal https://www.decryptcryptolocker.com/ to decrypt those files. 

This is a free service for any afflicted by CryptoLocker, many of which are small businesses without the resources to deal with this properly, so let people know.

Using the site is very straight forward (Steps taken from the FireEye blog[1]):

How to use the DecryptCryptoLocker tool Users need to connect to the https://www.decryptcryptolocker.com/ Identify a single, CryptoLocker-encrypted file that they believe does not contain sensitive information. Upload the non-sensitive encrypted file to the DecryptCryptoLocker portal. Receive a private key from the portal and a link to download and install a decryption tool that can be run locally on their computer. Run the decryption tool locally on their computer, using the provided private key, to decrypt the encrypted files on their hard drive. DecryptCryptoLocker is available globally and does not require users to register or provide contact information.

This is a fantastic resource from both FireEye and Fox-IT, so thanks to all involved in making this happen and making it free to use.

For more background on CryptoLocker from Fox-IT, read their CryptoLocker ransomware intelligence report [2].

 

[1] http://www.fireeye.com/blog/corporate/2014/08/your-locker-of-information-for-cryptolocker-decryption.html

[2] http://blog.fox-it.com/2014/08/06/cryptolocker-ransomware-intelligence-report/

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

OpenSSL Security Advisories http://www.openssl.org/news/secadv_20140806.txt, (Wed, Aug 6th)

Latest Alerts - Wed, 08/06/2014 - 15:48

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

OUCH is out, this month we explain what encryption is and how to use it. https://www.securingthehuman.org/ouch, (Wed, Aug 6th)

Latest Alerts - Wed, 08/06/2014 - 09:14
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

OUCH is out, this month we explain what encryption is and how to use it. https://www.securingthehuman.org/ouch, (Wed, Aug 6th)

Latest Alerts - Wed, 08/06/2014 - 09:14
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

All Passwords have been lost: What's next?, (Wed, Aug 6th)

Latest Alerts - Wed, 08/06/2014 - 03:40

Some of it may be hype. But no matter if 500 Million, 1.5 Billion or even 3.5 Billion passwords have been lost as yesterday's report by Hold Security states, given all the password leaks we had over the last couple years it is pretty fair to assume that at least one of your passwords has been compromised at some point. [1]

yes. we have talked about this many times, but it doesn't seem to get old sadly.

So what next? Password have certainly been shown to "not work" to authenticate users. But being cheap, they still are used by most websites (including this one, but we do offer a 2-factor option). 

For web sites:

  • review your password policies. There is no "right" policy, but come up with something that rejects obvious weak passwords and on the other hand, allows users to choose passwords that they can remember (so they can have a unique password for your site).
  • Make sure your site works with commonly used password managers. The only real way for the user to have a unique password for each site is a password manager.
  • lock accounts that haven't been used in a long time, and delete their password from your database forcing a password reset if they try to reactivate it
  • consider two factor authentication, at least as an option and maybe mandatory for high value accounts (e.g. administrators). Google authenticator is probably the easiest one to implement  and it is free. We talked about other alternatives in the past as well.

For users:

  • Have a unique password for each site. As an alternative, you may have a single "throw away" password for sites that you don't consider important. But be aware that at one point, a site that is not important now, may become important as you are doing more business with them.
  • Use a password safe, if possible one that allows syncing locally without having to send your password collection to a cloud service.
  • For important sites that don't allow for two factor authentication, consider a "two-part password": One part will be kept in your password safe, while the second part you type in. The password safe part is unique to the site while the additional second part can be the same for different sites or at least easy to remember. This will give you some protection against a compromised password safe.
  • Change passwords once in a while (I personally like every 6 months... ) in particular the "static" part of these high-value passwords.
  • Ask sites that you consider important to implement 2-factor authentication.

That's at least what I can come up with while sipping on my first cup of coffee for the day. 

[1] http://www.holdsecurity.com/news/cybervor-breach/

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Wednesday, August 6th 2014 http://isc.sans.edu/podcastdetail.html?id=4093, (Wed, Aug 6th)

Latest Alerts - Tue, 08/05/2014 - 18:09
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Center for Internet Security Releases Benchmark for VMWare ESXi 5.5 https://benchmarks.cisecurity.org/downloads/form/index.cfm?download=esxi55.100, (Tue, Aug 5th)

Latest Alerts - Tue, 08/05/2014 - 05:22

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Synolocker: Why OFFLINE Backups are important, (Tue, Aug 5th)

Latest Alerts - Tue, 08/05/2014 - 05:15

One current threat causing a lot of sleepless nights to victims is "Cryptolocker" like malware. Various variations of this type of malware are still haunting small businesses and home users by encrypting files and asking for ransom to obtain the decryption key. Your best defense against this type of malware is a good backup. Shadow volume copies may help, but aren't always available and complete.

In particular for small businesses, various simple NAS systems have become popular over the recent years. Different manufacturers offer a set of Linux based devices that are essentially "plug and play" and offer high performance RAID protected storage that is easily shared on the network. One of these vendors, Synology, has recently been somewhat in the cross hairs of many attacks we have seen. In particular vulnerabilities int he web based admin interface of the device have led to numerous exploits we have discussed before. 

The most recent manifestation of this is "Synolocker", malware that infects Synology disk storage devices and encrypts all files, similar to the original cryptolocker. Submissions to the Synology support forum describe some of the results [1].

The malware will also replace the admin console index web page with a ransom message, notifying the user of the exploit. It appears however that this is done before the encryption finishes. Some users where lucky to notice the message in time and were able to save some files from encryption.

It appears that the best way to deal with this malware if found is to immediatly shut down the system and remove all drives. Then reinstall the latest firmware (may require a sacrificial drive to be inserted into the system) before re-inserting the partially encrypted drives.

To protect your disk station from infection, your best bet is:

  • Do not expose it to the internet, in particular the web admin interface on port 5000
  • use strong passwords for the admin functions
  • keep your system up to date
  • keep offline backups. this could be accomplished with a second disk station that is only turned on to receive the backups. Maybe best to have two disk stations from different manufacturers.

It is important to note that while Synology has been hit the hardest with these exploits, other devices from other manufacturers had vulnerabilities as well and the same security advice applies (but typically, they listen on ports other then 5000). 

[1] http://forum.synology.com/enu/viewtopic.php?f=3&t=88716

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Legal Threat Spam: Sometimes it Gets Personal, (Tue, Aug 5th)

Latest Alerts - Tue, 08/05/2014 - 04:57

Yesterday, I spotted the following tweet mentioning me:

Needless to say, I got intrigued, and luckily the sender of the tweet was willing to share a sample.

The sample turned out to be simple legal threat malware e-mail written in German. The e-mail claimed that the recipient downloaded a copyrighted movie and it asked for legal fees. The invoice for the legal fees was supposed to be included in the attached ".cab" file.

From: "Johannes Ullrich"  
To: [removed].de
Subject: [vorfall:132413123]

Guten Tag,

Am 01.08.2014 wurde von Ihrem Rechner mit der IP-Addresse 192.0.2.1 um 12:13:01 der Film "Need for Speed" geladen. Nach §19a UrhG ist dies eine kriminelle Handlung. Unsere Anwaltskanzlei  muss dies ans zuständige Amtsgericht melden, außer Sie Zahlen ein außergerichtliches Strafgeld in Höhe von 436.43 Euro an uns.
Die Rechnung "1234.cab" entnehmen Sie dem Anhang.

Hochachtungsvoll,
Johannes Ullrich
+4991312341234

The attached .cab file runs a typical trojan downloader that could download various pieces of malware. A quick search shows a number of other reports of this email, with different "From:" names. It looks like it picks plausible German names, maybe from the contact list of infected systems. My names isn't that terrible unusual, so I don't think this is targeted at all. Sometimes it is just an odd coincidence, and they aren't really after you.

In the case above, the "From" e-mail address is not related to me. However, if an attacker sends spam using your e-mail address, it is very useful to have DMARC configured for your domain. With DMARC, you give the receiving mail server the option to report any e-mail that fails the DKIM or SPF tests to you. Only a few mail servers do so, but some of them are major public web mail systems. For example, here a quick report I just received for a domain I own:


(click on image for full size)

The attachment does include a report with details why the e-mail was found to be suspect (of course, you should still be careful with attachments. These reports can be faked too!) ;-).

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Tuesday, August 5th 2014 http://isc.sans.edu/podcastdetail.html?id=4091, (Tue, Aug 5th)

Latest Alerts - Mon, 08/04/2014 - 17:23
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Threats & Indicators: A Security Intelligence Lifecycle , (Mon, Aug 4th)

Latest Alerts - Sun, 08/03/2014 - 17:06

In our recent three-part series, Keeping the RATs Out (Part 1, Part 2, Part 3), I tried to provide analysis offering you an end-to-end scenario wherein we utilized more than one tool to solve a problem. I believe this to be very useful particularly when making use of threat intelligence. Following is a partial excerpt from my toolsmith column, found monthly in the ISSA Journal, wherein I built on the theme set in the RATs series. I'm hopeful Threats & Indicators: A Security Intelligence Lifecycle helps you build or expand your threat intelligence practice.

I receive and review an endless stream of threat intelligence from a variety of sources. What gets tricky is recognizing what might be useful and relevant to your organizations and constituencies. To that end I’ll take one piece of recently received intel and work it through an entire lifecycle. This intel came in the form of an email advisory via the Cyber Intelligence Network (CIN) and needs to remain unattributed. The details, to be discussed below, included malicious email information, hyperlinks, redirects, URL shorteners, ZIP archives, malware, command and control server (C2) IPs and domain names, as well as additional destination IPs and malicious files. That’s a lot of information but sharing it in standards-based, uniform formats has never been easier. Herein is the crux of our focus for this month. We’ll use Mandiant’s IOCe to create an initial OpenIOC definition, Mitre’s OpenIOC to STIX, a Python utility to convert OpenIOC to STIX, STIXviz to visualize STIX results, and STIX to HTML, an XSLT stylesheet that transforms STIX XML documents into human-readable HTML. Sounds like a lot, but you’ll be pleasantly surprised how bang-bang the process really is. IOC represents Indicators Of Compromise (in case you just finally just turned off your vendor buzzword mute button) and STIX stands for Structured Threat Information eXpression. STIX, per Mitre, is a “collaborative community-driven effort to define and develop a standardized language to represent structured cyber threat information.” It’s well worth reading the STIX use cases. You may recall that Microsoft recently revealed the Interflow project which incorporates STIX, TAXII (Trusted Automated eXchange of Indicator Information), and CybOX (Cyber Observable eXpression standards) to provide “an automated machine-readable feed of threat and security information that can be shared across industries and community groups in near real-time.“ Interflow is still in private preview but STIX, OpenIOC, and all these tools are freely and immediately available to help you exchange threat intelligence...   Keep reading Threats & Indicators: A Security Intelligence Lifecycle here.

Russ McRee | @holisticinfosec

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Monday, August 4th 2014 http://isc.sans.edu/podcastdetail.html?id=4089, (Mon, Aug 4th)

Latest Alerts - Sun, 08/03/2014 - 16:36
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

All Samba 4.x.x are vulnerable to a remote code execution vulnerability in the nmbd NetBIOS name services daemon, (Sat, Aug 2nd)

Latest Alerts - Fri, 08/01/2014 - 16:46

A remote code execution in nmbd (the NetBIOS name services daemon) has been found in Samba versions 4.0.0 to 4.1.10. ( assgined CVE-2014-3560) and a patch has been release by the team at samba.org.

Here's the details from http://www.samba.org/samba/security/CVE-2014-3560

=========== Description =========== All current versions of Samba 4.x.x are vulnerable to a remote code execution vulnerability in the nmbd NetBIOS name services daemon. A malicious browser can send packets that may overwrite the heap ofthe target nmbd NetBIOS name services daemon. It may be possible to use this to generate a remote code execution vulnerability as the superuser (root).   ================== Patch Availability ================== A patch addressing this defect has been posted to http://www.samba.org/samba/security/ Additionally, Samba 4.1.11 and 4.0.21 have been issued as security releases to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches/. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible. ========== Workaround ========== Do not run nmbd, the NetBIOS name services daemon.

 

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Microsoft's Enhanced Mitigation Experience Toolkit 5.0 is out: http://www.microsoft.com/en-us/download/details.aspx?id=43714, (Fri, Aug 1st)

Latest Alerts - Thu, 07/31/2014 - 23:00

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts
Syndicate content