Latest Alerts

SANS Internet Storm Center, InfoCON: green

March OUCH! Newsletter: Gaming Online Safely & Securely http://www.securingthehuman.org/ouch, (Wed, Mar 4th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

No Wireshark? No TCPDump? No Problem!, (Wed, Mar 4th)


Have you ever been on a pentest, or troubleshooting a customer issue, and the next step was to capture packets on a Windows host? Then you find that installing winpcap or wireshark was simply out of scope or otherwise not allowed on that SQL, Exchange, Oracle or other host? It used to be that this is when we'd recommend installing Microsoft's Netmon packet capture utility, but even then lots of IT managers would hesitate about using the "install" word in association with a critical server. Well, as they say in networking (and security as well), there's always another way, and this is that way.

netsh trace is your friend. And yes, it does exactly what it sounds like it does.

Type netsh trace help on any Windows 7, Windows Server 2008 or newer box, and you'll see the available commands:

C:\>netsh trace help
Commands in this context:
? - Displays a list of commands.
convert - Converts a trace file to an HTML report.
correlate - Normalizes or filters a trace file to a new output file.
diagnose - Start a diagnose session.
dump - Displays a configuration script.
help - Displays a list of commands.
show - List interfaces, providers and tracing state.
start - Starts tracing.
stop - Stops tracing.

Of course, in most cases, tracing everything on any production box is not advisable - especially if it's your main Exchange, SQL or Oracle server. We'll need to filter the capture, usually to a specific host IP, protocol or similar. The filter syntax is listed by:

C:\>netsh trace show capturefilterhelp

One of the examples in this output shows you how to filter on a single IPv4 address, e.g.:

C:\>netsh trace start capture=yes Ethernet.Type=IPv4 IPv4.Address=157.59.136.1

You could also add Protocol=TCP, Protocol=UDP and so on.

Full syntax and notes for netsh trace can be found here: https://technet.microsoft.com/en-us/library/dd878517

For instance, the following session shows me capturing an issue with a firewall that I'm working on. Note that you need admin rights to run this, the same as any capture tool. In a pentest you would likely specify an output file that isn't in the user's ...

Trace configuration:
-------------------------------------------------------------------
Status: Running
Trace File: C:\Users\Administrator\AppData\Local\Temp\NetTraces\NetTrace.etl
Append: Off
Circular: On
Max Size: 250 MB
Report: Off

When you are done capturing data, stop the trace:

C:\>netsh trace stop
Correlating traces ... done
Generating data collection ... done
The trace file and additional troubleshooting information have been compiled as
C:\Users\Administrator\AppData\Local\Temp\NetTraces\NetTrace.cab

The cool thing about this is that it doesn't need a terminal session (with a GUI, cursor keys and so on). If all you have is a metasploit shell, netsh trace works great!

If this is a capture for standard sysadmin work, you can simply copy the capture over to your workstation and proceed with analysis. If this is a pentest, a standard copy might still work (remember, we're on a Microsoft server), but if you need netcat-type functionality to exfiltrate your capture, take a look at PowerCat (which is a netcat port in PowerShell).

Next, open the file (which is in Microsoft's ETL format) in Microsoft's Message Analyzer app, which you can install on your workstation rather than the server we ran the capture on.

If you do need another packet analysis tool, it's easy to do a File / Save As / Export and save as a PCAP file that Wireshark, tcpdump, SNORT, ngrep, standard python or perl calls, or any other standard tool can read natively.

Or you can convert to PCAP using PowerShell (of course you can):

# create a capture session that writes the .cap file when it is stopped
$s = New-PefTraceSession -Path C:\output\path\spec\OutFile.Cap -SaveOnStop
# feed it the ETL file produced by netsh trace
$s | Add-PefMessageProvider -Provider C:\input\path\spec\Input.etl
$s | Start-PefTraceSession

This PowerShell cmdlet is not available in Windows 7; you'll need Windows 8, or Server 2008 or newer.
(This script was found at http://blogs.technet.com/b/yongrhee/archive/2013/08/16/so-you-want-to-use-wireshark-to-read-the-netsh-trace-output-etl.aspx )
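When netsh trace is driven from a script rather than typed interactively, you want to validate the filter before it reaches a production box and read back what netsh printed. The following Python helper is an added example, not from the diary or from netsh; it assumes the tracefile= and maxsize= parameters of netsh trace start (documented, but not shown above), and the sample output it parses is constructed from the session shown.

```python
"""Build a filtered netsh trace command line and parse what netsh prints.

Added example, not part of the ISC diary or of netsh itself.  Assumptions:
tracefile= and maxsize= are documented 'netsh trace start' parameters that the
diary does not show; the sample outputs below are constructed from the session
in the diary.
"""
import ipaddress
import re


def build_trace_start(ipv4_address, protocol=None, tracefile=None, maxsize_mb=None):
    """Return the argument list for a capture limited to one IPv4 host.

    Validating the address here avoids handing netsh a malformed filter,
    which on a production box could otherwise widen the capture.
    """
    addr = ipaddress.IPv4Address(ipv4_address)      # raises ValueError on junk input
    args = ["netsh", "trace", "start", "capture=yes",
            "Ethernet.Type=IPv4", f"IPv4.Address={addr}"]
    if protocol is not None:
        if protocol.upper() not in ("TCP", "UDP"):
            raise ValueError(f"unsupported protocol filter: {protocol!r}")
        args.append(f"Protocol={protocol.upper()}")
    if tracefile is not None:
        args.append(f"tracefile={tracefile}")        # keep it out of the user's profile path
    if maxsize_mb is not None:
        args.append(f"maxsize={int(maxsize_mb)}")    # in MB; netsh defaults to 250
    return args


_CONFIG_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


def parse_trace_config(text):
    """Parse the 'Trace configuration:' block into a dict, e.g. {'Status': 'Running'}."""
    cfg, in_block = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Trace configuration:":
            in_block = True
            continue
        if not in_block or not stripped or set(stripped) == {"-"}:
            continue                                 # skip the dashed rule and blanks
        m = _CONFIG_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def cab_path_from_stop(text):
    """Return the .cab path reported by 'netsh trace stop', or None if absent."""
    m = re.search(r"^\s*([A-Za-z]:\\.*?\.cab)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


# Constructed samples, modelled on the output shown in the diary.
SAMPLE_START = r"""Trace configuration:
-------------------------------------------------------------------
Status: Running
Trace File: C:\Users\Administrator\AppData\Local\Temp\NetTraces\NetTrace.etl
Append: Off
Circular: On
Max Size: 250 MB
Report: Off
"""
SAMPLE_STOP = r"""Correlating traces ... done
Generating data collection ... done
The trace file and additional troubleshooting information have been compiled as
C:\Users\Administrator\AppData\Local\Temp\NetTraces\NetTrace.cab
"""
```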

If netsh trace has solved an interesting problem for you, or was the tool that got you some interesting data in a pentest, please use our comment form to let us know how you used it (within your NDA of course!)

===============
Rob VandenBrink
Metafore


Freak Attack - Surprised? No. Worried? A little. , (Wed, Mar 4th)


There has been some press surrounding the SSL issue published recently, dubbed Freak, in the Washington Post [1] and other sites, but what does it really mean?

The issue relates to the use of Export Ciphers (the crypto equivalent of keeping the good biscuit yourself and giving the smaller broken one to your little brother or sister). The Export Ciphers were used as the allowed ciphers for non-US use. The ciphers are part of OpenSSL and the researchers [2] have identified a method of forcing the exchange between a client and server to use these weak ciphers, even if the cipher suite is not officially supported [3]. The attack itself is a Man in the Middle (MITM) attack. When you do a MITM attack you have full control over the connection anyway, so why bother decrypting anything?

However, if I'm reading and interpreting the examples correctly (kind of hoping I'm wrong), it looks like this particular attack solves one challenge that a MITM has. For HTTPS intercept you usually generate a new certificate with the information of the site and re-sign the certificate before presenting it to the client. Whenever you present this newly signed certificate the client receives an error message stating that the certificate does not match the expected certificate for the site. From the vids [2] it looks like this attack could fix that particular problem. So now when you perform a MITM attack you retain the original certificate and the user is none the wiser. This could open up a whole new avenue of attacks against clients and potentially simplify something that was quite difficult to do.

What is the impact to organisations? Well, it is quite possible that your sites will be impersonated, there won't be much that can be done about it, and you may not even know that your customers are being attacked. To prevent your site from being used in this attack you'll need to patch OpenSSL [4] (yes, again). This issue will remain until systems have been patched and updated, not just servers, but also client software. Client software should be updated soon (hopefully), but there will no doubt be devices that will be vulnerable to this attack for years to come (looking at you, Android).

Matthew Green in his blog [3] describes the attack well and he raises a very valid point: backdoors will always come back to bite.

The researchers have set up a site with more info [5].
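A concrete check a defender can run over captured traffic is to look at which cipher suite the server actually selected: a ServerHello that carries an RSA or DHE export suite means the downgrade went through. The parser below is an added example, not from the diary or the researchers; the ServerHello records it reads are constructed here, and the suite code points are the TLS registry values for the export suites.

```python
"""Flag TLS ServerHello messages that selected an export-grade cipher suite.

Added example, not from the ISC diary or the FREAK researchers.  The sample
ServerHello records are constructed below; the cipher suite numbers are the
IANA TLS registry values for the RSA/DHE export suites (40-bit RC4/RC2/DES).
"""
import struct

EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def parse_server_hello(record):
    """Parse one TLS record holding a ServerHello and report the chosen suite.

    Layout (RFC 5246): record header (type 0x16, version, 2-byte length),
    handshake header (type 0x02, 3-byte length), then protocol version,
    32-byte random, session id (1-byte length prefix), cipher suite and
    compression method.  Extensions, if any, are ignored.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 38:
        raise ValueError("truncated ServerHello")
    sid_len = body[34]                                  # session id length byte
    suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
    return {"version": (body[0], body[1]), "cipher_suite": suite,
            "export": suite in EXPORT_SUITES,
            "name": EXPORT_SUITES.get(suite, f"0x{suite:04x}")}


def build_server_hello(cipher_suite, version=(3, 1)):
    """Construct a minimal ServerHello record for testing (TLS 1.0 by default)."""
    body = (bytes(version) + bytes(32)                  # version + zeroed random
            + b"\x00"                                   # empty session id
            + struct.pack("!H", cipher_suite) + b"\x00")  # suite + null compression
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs


# Constructed samples: a server that accepted the downgrade and one that did not.
DOWNGRADED = build_server_hello(0x0003)
NORMAL = build_server_hello(0x002F)     # TLS_RSA_WITH_AES_128_CBC_SHA
```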

Cheers

Mark H

(Thanks Ugo for bringing it to our attention.)

Links:

1 - http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/
2 - https://www.smacktls.com/#freak
3 - http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html
4 - https://www.openssl.org/news/secadv_20150108.txt
5 - https://freakattack.com/


ISC StormCast for Wednesday, March 4th 2015 http://isc.sans.edu/podcastdetail.html?id=4381, (Wed, Mar 4th)


An Example of Evolving Obfuscation, (Tue, Mar 3rd)

Tue, 03/03/2015 - 08:42

Since May of 2014, I've been tracking a particular group that uses the Sweet Orange exploit kit to deliver malware. This group also uses obfuscation to make it harder to detect the infection chain of events.

By 2015, this group included more obfuscation within the initial javascript. However, the result causes more work to detect the malicious activity.

Either way, the infection chain flows according to the following block diagram:


Previous obfuscation

Below are images from an infection chain from July 2014 [1]. Here we find malicious javascript from the compromised website. In this image, I've highlighted two areas:


Recent obfuscation

Below are images from an infection chain by the same actor in February 2015 [2]. Again we find malicious javascript from the compromised website. However, in this case, there ...

First is the function that replaces any non-hexadecimal characters with nothing and replaces various symbols with the percent symbol (%). This time, we have unicode-based hexadecimal obfuscation and some variables thrown in. This does the same basic function as the previous example. It's now a bit harder to find when you ...

That URL is now obfuscated with unicode-based hexadecimal characters. For example, \u0074 represents the ASCII character t (lower case).


However, the result causes more work for analysts to fully map the chain of events. We can expect continued evolution of the obfuscation used by this and other actors.
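To see how the scheme described above unwinds, here is an added Python decoder (not code from the diary or from the exploit kit) that reverses the two layers in order: first the \uXXXX escapes, then the symbol-to-percent and junk-stripping step the kit's helper performs, then URL decoding. The javascript snippet it decodes is constructed here, and the symbols standing in for % and the junk characters are assumptions, since the diary only describes the helper's behaviour.

```python
"""Reverse the layered obfuscation described in the diary.

Added example, not code from the diary or from the exploit kit.  The sample
javascript and the symbol set are constructed: the diary describes a function
that drops non-hexadecimal characters and maps 'various symbols' to '%', but
does not list them, so '!@#$' stands in for them here.
"""
import re
from urllib.parse import unquote

PERCENT_STANDINS = "!@#$"          # assumed: symbols used in place of '%'
UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')   # double-quoted JS literals only


def decode_unicode_escapes(text):
    """Layer 1: turn \\u0074-style escapes back into characters (\\u0074 -> 't')."""
    return UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def normalise_percent_encoding(text):
    """Layer 2: what the kit's helper does so the browser can unescape the result.

    The symbol mapping runs first so the stand-ins survive the junk removal.
    """
    text = re.sub(f"[{re.escape(PERCENT_STANDINS)}]", "%", text)   # symbols -> '%'
    return re.sub(r"[^0-9a-fA-F%]", "", text)                      # drop junk characters


def deobfuscate_literals(js_source):
    """Return the decoded form of every double-quoted string literal in js_source."""
    results = []
    for raw in STRING_LITERAL.findall(js_source):
        step1 = decode_unicode_escapes(raw)
        step2 = normalise_percent_encoding(step1)
        results.append(unquote(step2))
    return results


# Constructed sample: a URL hidden with both layers; 'zz' and 'QQ' are junk.
SAMPLE_JS = (r'var u = "\u0021\u0036\u0038@74#74$70\u0021\u0033\u0061zz@2f#2f$65'
             r'!78@61\u0023\u0036\u0064QQ$70!6c@65#2e$69!6e@76#61$6c!69\u0040\u0036\u0034";')
```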

---

Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://malware-traffic-analysis.net/2014/07/08/index.html
[2] http://malware-traffic-analysis.net/2015/02/09/index2.html


ISC StormCast for Tuesday, March 3rd 2015 http://isc.sans.edu/podcastdetail.html?id=4379, (Tue, Mar 3rd)

Mon, 03/02/2015 - 18:24

How Do You Control the Internet of Things Inside Your Network?, (Mon, Mar 2nd)

Mon, 03/02/2015 - 09:21

Klaus Vesthammer recently tweeted that "The Internet of Things is just like the regular Internet, just without software patches." We have a flood of announcements about vulnerable devices, and little in terms of patches. At the same time, expect more and more of these devices to be connected to your network, whether you want it or not. Bring Your Own Device should be addressed more inclusively than just covering smart phones and tablets.

If you do have a working inventory system that recognizes and blocks unauthorized devices in real time, then stop reading and count yourself lucky. But for most of us, network maps are filed under fiction and network access control was this great solution we tried and failed as it hit real network life. So what else is there to do?

One of the critical aspects is to figure out not just which devices are on your network, but also whether they talk to systems outside of your network. Active scanning only gets you so far. Many devices, to save power, will not connect to the network unless they have something to say. Some also use Bluetooth to connect to smartphones and use them as a gateway. In this case the device will not show up as an entity on your network at all.

Here are a couple of indicators to look for:

- NTP queries: some devices have hard-coded NTP servers that do not match your standard network configuration
- DNS queries: DNS knows everything
- HTTP User-Agent and Server headers

I am sure someone will provide pointers on how to do this in Bro. For everybody else, some simple log parsing scripts can help. Any other methods you use to find new and dangerous devices on your network?
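As an added example (not from the diary), here is a small Python script that applies the three indicators to constructed log lines and groups the hits per source host. The log format, the corporate NTP and DNS values, the known-browser User-Agent prefixes and the sample lines are all assumptions to be replaced with your own network's configuration.

```python
"""Pick out likely unmanaged devices using the three indicators in the diary.

Added example, not from the ISC diary.  Everything below is constructed:
the one-line-per-event log format (src|dst|proto|dport|detail, where detail
is the queried name for DNS, a label for NTP and the User-Agent for HTTP),
the corporate NTP/DNS settings, and the sample lines themselves.
"""
from collections import defaultdict

CORP_NTP_SERVERS = {"10.0.0.5"}                  # what your DHCP/GPO hands out
CORP_DNS_SUFFIX = ".corp.example"                # names managed hosts normally resolve
KNOWN_EXTERNAL_NAMES = {"updates.example.org"}   # allow-listed external names
BROWSER_UA_PREFIXES = ("Mozilla/", "Opera/")     # managed hosts talk HTTP via browsers


def parse_line(line):
    src, dst, proto, dport, detail = line.split("|", 4)
    return {"src": src, "dst": dst, "proto": proto.lower(),
            "dport": int(dport), "detail": detail}


def indicators(rec):
    """Return the reasons (possibly none) this one event looks like an IoT device."""
    reasons = []
    if rec["proto"] == "udp" and rec["dport"] == 123 and rec["dst"] not in CORP_NTP_SERVERS:
        reasons.append(f"NTP to non-corporate server {rec['dst']}")
    if rec["proto"] == "udp" and rec["dport"] == 53:
        name = rec["detail"].rstrip(".").lower()
        if not name.endswith(CORP_DNS_SUFFIX) and name not in KNOWN_EXTERNAL_NAMES:
            reasons.append(f"DNS query for {name}")
    if rec["proto"] == "tcp" and rec["dport"] in (80, 8080):
        if not rec["detail"].startswith(BROWSER_UA_PREFIXES):
            reasons.append(f"non-browser User-Agent {rec['detail']!r}")
    return reasons


def suspicious_hosts(log_text):
    """Map each source IP to the list of indicators its traffic triggered."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        hits[rec["src"]].extend(indicators(rec))
    return {src: reasons for src, reasons in hits.items() if reasons}


# Constructed sample: one managed workstation and two devices nobody inventoried.
SAMPLE_LOG = """\
10.0.1.20|10.0.0.5|udp|123|ntp
10.0.1.20|10.0.0.53|udp|53|intranet.corp.example
10.0.1.20|203.0.113.10|tcp|80|Mozilla/5.0 (Windows NT 6.1)
10.0.1.77|203.0.113.7|udp|123|ntp
10.0.1.77|10.0.0.53|udp|53|cloud.vendor-iot.example
10.0.1.77|198.51.100.9|tcp|80|ThermoCam/1.2 (linux; arm)
10.0.1.90|10.0.0.53|udp|53|intranet.corp.example
10.0.1.90|198.51.100.9|tcp|80|ESP8266HTTPClient
"""
```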

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


ISC StormCast for Monday, March 2nd 2015 http://isc.sans.edu/podcastdetail.html?id=4377, (Mon, Mar 2nd)

Sun, 03/01/2015 - 17:57

Advisory: Seagate NAS Remote Code Execution, (Sun, Mar 1st)

Sun, 03/01/2015 - 08:14

Beyond Binary is reporting a vulnerability affecting Seagate's Business Storage line of NAS devices and possibly other Seagate NAS products. These are fairly common devices in SOHO and even small enterprise applications.

It appears that a number of OTS components and the custom web application used in the web management interface are out of date and will permit unimpeded access to the administration functions of the device. It is believed that versions of the firmware up to and including 2014.00319 are vulnerable.

It appears to be trivial to exploit the devices and a metasploit module and an exploit are publicly available.

It is hoped that if you have one of these devices in your network, you do not have the administration interface accessible from the Internet. If you do, you will want to remove it. You can be sure that the bad guys have started scanning for these devices. At this point no updated firmware is available to resolve this issue.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


Let's Encrypt!, (Fri, Feb 27th)

Fri, 02/27/2015 - 19:34

As I have stated in the past, I am not a fan of all of the incomprehensible warning messages that average users are inundated with, and almost universally fail to understand, and the click-thru culture these dialogs are propagating.

Unfortunately this is not just confined to websites on the Internet. With the increased use of HTTPS for web based management, this issue is increasingly appearing on corporate networks.

The issue in most cases is caused by what is called a self-signed certificate: essentially, a certificate not backed by a recognized certificate authority. The fact is that recognized certificates are not cheap. For vendors to supply valid certificates for every device they sell would add significant cost to the product and would require the vendor to manage those certificates on all of their machines.

The Internet Security Research Group (ISRG), a public benefit corporation sponsored by the Electronic Frontier Foundation (EFF), Mozilla and other heavy hitters, aims to help reduce this problem and clean up the invalid certificate warning dialogs.

Their project, Let's Encrypt, aims to provide certificates for free, and to automate the deployment and expiry of certificates.

Essentially, a piece of software is installed on the server which will talk to the Let's Encrypt certificate authority. From Let's Encrypt's website:

The Let's Encrypt management software will:

  • Automatically prove to the Lets Encrypt CA that you control the website
  • Obtain a browser-trusted certificate and set it up on your web server
  • Keep track of when your certificate is going to expire, and automatically renew it
  • Help you revoke the certificate if that ever becomes necessary.

While there is still some complexity involved, it should make it a lot easier, and cheaper, for vendors to deploy legitimate certificates into their products. I am interested to see how they will stop bad guys from using their certificates for phishing sites, and what the process will be to report fraudulent use, but I am sure all of that will come.

Currently, it sounds like the Let's Encrypt certificate authority will start issuing certificates in mid-2015.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


DDOS are way down? Why?, (Fri, Feb 27th)

Fri, 02/27/2015 - 12:04

I have been tracking DDOS volume and patterns for a few years. We have seen the attacks move from DNS to NTP, to chargen, then on to SSDP and occasionally QOTD. I think we have a much better understanding of the vulnerabilities which are enabling the successful amplification of ... ISPs, to reduce the impact of this style of attack.

What I haven't been able to understand is why, since late last year, other than the occasional booter and attacks on Brian Krebs, the incidence and volume of these attacks has dropped off almost completely.

Any ideas?

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


Leonard Nimoy has passed - please be alert for the rounds of Phishing and malware that will inevitably occur!, (Fri, Feb 27th)

Fri, 02/27/2015 - 10:23

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


Tails 1.3 released - https://tails.boum.org/news/version_1.3/index.en.html, (Fri, Feb 27th)

Fri, 02/27/2015 - 05:30

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


Tor Browser Version 4.0.4 released - https://blog.torproject.org/blog/tor-browser-404-released, (Fri, Feb 27th)

Fri, 02/27/2015 - 05:27

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


ISC StormCast for Friday, February 27th 2015 http://isc.sans.edu/podcastdetail.html?id=4375, (Fri, Feb 27th)

Thu, 02/26/2015 - 17:42

New Feature: Subnet Report, (Thu, Feb 26th)

Thu, 02/26/2015 - 10:17

We do have a new way to search our data more efficiently by subnet. Right now, the data covers recent reports to DShield and a few external feeds that we include. You can access the new report here: https://isc.sans.edu/subnetquery.html

I am still monitoring the impact the queries have on our overall database performance. For now, you are limited to 3 queries per minute if you are not logged in.

And as a reminder: The data is only as good as the data we receive. Please consider contributing your own data. See https://isc.sans.edu/howto.html for details. We do also access web server error logs (see: 404 project) and Kippo SSH honeypot logs.

In case of high database load, you will be redirected back to the index page (index_cached.html).

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


ISC StormCast for Thursday, February 26th 2015 http://isc.sans.edu/podcastdetail.html?id=4373, (Thu, Feb 26th)

Wed, 02/25/2015 - 19:02

Samba vulnerability - Remote Code Execution - (CVE-2015-0240), (Wed, Feb 25th)

Wed, 02/25/2015 - 18:51

The Red Hat security team has released an advisory on a Samba vulnerability affecting Samba versions 3.5.0 through 4.2.0rc4. It can be exploited by a malicious Samba client sending specially crafted packets to the Samba server. No authentication is required to exploit this flaw. It can result in remote execution of arbitrary code as root. [1]

A patch [2] has been released by the Samba team to address the vulnerability.


[1] https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/

[2] https://www.samba.org/samba/history/security.html

Chris Mohan --- Internet Storm Center Handler on Duty


, (Wed, Feb 25th)

Wed, 02/25/2015 - 03:37

Chris Mohan --- Internet Storm Center Handler on Duty


ISC StormCast for Wednesday, February 25th 2015 http://isc.sans.edu/podcastdetail.html?id=4371, (Wed, Feb 25th)

Tue, 02/24/2015 - 19:28