Latest Alerts

Testing your website for the heartbleed vulnerability with nmap, (Fri, Apr 18th)

Fri, 04/18/2014 - 09:08

We have received reports from many readers about buggy tools to test for the heartbleed vulnerability. Today I want to show you how easy it is to check for this vulnerability using a reliable tool such as nmap.

You just need to trigger a version scan (-sV) along with the ssl-heartbleed script. The following example shows a command that will scan 192.168.0.107 for this bug:

nmap -sV 192.168.0.107 --script=ssl-heartbleed

This will be the output for a non-vulnerable website. As you can see, no warnings are shown:

If you are vulnerable, you will get the following:
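As an added example (not part of the diary), a small Python parser for the XML that nmap writes when -oX is added to the command above; it flags the hosts the ssl-heartbleed script reports as vulnerable, which is handy when more than one host is scanned. The sample XML inside is constructed by hand to mimic the NSE vulns-library layout, so the element names and the hosts are assumptions.

```python
"""List Heartbleed-vulnerable hosts from nmap XML output.

Hypothetical example code, not from the diary or the Nmap project. It reads the
file produced by: nmap -sV <target> --script=ssl-heartbleed -oX scan.xml
SAMPLE_XML is constructed by hand to mimic the NSE vulns-library layout: a
<script id="ssl-heartbleed"> element holding <table key="CVE-2014-0160"> with
an <elem key="state"> child. A host the script found clean normally gets no
<script> element at all, which matches the "no warnings" output of the diary.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun>
  <host>
    <address addr="192.168.0.107" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <script id="ssl-heartbleed" output="VULNERABLE">
          <table key="CVE-2014-0160">
            <elem key="title">The Heartbleed Bug (constructed sample)</elem>
            <elem key="state">VULNERABLE</elem>
            <elem key="risk_factor">High</elem>
          </table>
        </script>
      </port>
    </ports>
  </host>
  <host>
    <address addr="192.168.0.108" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def heartbleed_findings(xml_text):
    """Return (address, port, state) for every port the ssl-heartbleed script reported on."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            script = port.find("script[@id='ssl-heartbleed']")
            if script is None:
                continue  # no script element: nothing was reported for this port
            state = script.find("table/elem[@key='state']")
            findings.append((addr, int(port.get("portid")),
                             state.text if state is not None else "UNKNOWN"))
    return findings


def vulnerable_hosts(xml_text):
    """Addresses with at least one port in state VULNERABLE, sorted for stable reporting."""
    return sorted({addr for addr, _, state in heartbleed_findings(xml_text)
                   if state == "VULNERABLE"})


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for addr, port, state in heartbleed_findings(text):
        print(f"{addr}:{port} {state}")
```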

For vulnerability testing, always use reliable tools that won't contain malicious code that infects your computer and won't give you false positives.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Heartbleed CRL Activity Spike Found, (Wed, Apr 16th)

Thu, 04/17/2014 - 17:51

Update: CloudFlare posted in their blog twice today claiming responsibility for the majority of this spike. Quoting: "If you assume that the global average price for bandwidth is around $10/Mbps, just supporting the traffic to deliver the CRL would have added $400,000USD to Globalsign's monthly bandwidth bill."

Update: We've also seen articles from ZDNet and WIRED today in response to the below insights, with further analysis therein.

It looks like, as I had suspected, the CRL activity numbers we have been seeing did not reflect the real volume caused by the OpenSSL Heartbleed bug.

This evening I noticed a massive spike in the amount of revocations being reported by this CRL: http://crl.globalsign.com/gs/gsorganizationvalg2.crl

The spike is so large that we initially thought it was a mistake, but we have since confirmed that it's real! We're talking about over 50,000 unique revocations from a single CRL:

According to our current data, this is the largest spike in revocation activity seen in years, by an order of magnitude.

I have set up a new page for everyone to monitor the activity as well as see how we are obtaining this data. The page can be found at https://isc.sans.edu/crls.html.

How will you use this page in your projects or general analysis? We'd love to hear some ideas.

If you know of other CRLs that we can add, please let us know in the comments! Additionally, if you would like to see an API call added so that you can automatically query us for this information, please let us know so that we are aware of the demand.

On a side note, we can see a clear upward trend in revocations over the past 3 or 4 years:

What do you attribute this consistent growth in revocations to? What do you think caused the previous spikes?

-- 
Alex Stanford - GIAC GWEB,
Research Operations Manager,
SANS Internet Storm Center
/in/alexstanford | @alexstanford

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Friday, April 18th 2014 http://isc.sans.edu/podcastdetail.html?id=3941, (Fri, Apr 18th)

Thu, 04/17/2014 - 17:26
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Looking for malicious traffic in electrical SCADA networks - part 2 - solving problems with DNP3 Secure Authentication Version 5, (Thu, Apr 17th)

Thu, 04/17/2014 - 12:25

This week I received a very valuable e-mail from the DNP Technical Committee Chair, Mr. Andrew West, who pointed out an excellent observation: the very slow adoption of DNP3 Secure Authentication Version 5, the latest security enhancement for the DNP3 protocol. Today I want to talk about this standard and the advantages of adopting it in your DNP3 SCADA system.

This standard has two specific objectives:

  • Help the DNP3 outstation determine beyond any reasonable doubt that it is communicating with an authorized user.
  • Help the DNP3 master determine beyond any reasonable doubt that it is communicating with the correct outstation.

This standard minimizes the following risks:

  • Spoofing of the outstation or master: the original specification uses the DNP3 outstation address as the only means of identification; the new standard uses cryptographic keys to authenticate each end.
  • Modification: the standard adds a Message Authentication Code (MAC) as specified in ISO/IEC 9798-4, which makes it possible to determine whether a message was modified before reaching its destination, ensuring integrity.
  • Replay attack: valid traffic can no longer be retransmitted by a third party, because the authentication information would not match.
  • Eavesdropping: cryptographic keys are exchanged securely, but the data itself is still transmitted in clear text, so confidentiality is not ensured. That requires additional equipment such as crypto-boxes at each end of the communication link.
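As an added illustration (not the diary's code, and not SAv5's actual message format), a simplified Python model of the ISO/IEC 9798-4 style challenge-response MAC exchange that addresses the spoofing, modification and replay risks listed above: the outstation challenges with a fresh sequence number and nonce, the master answers with a MAC over the challenge and its request, and the outstation acts only when the MAC verifies. The shared key, the HMAC-SHA-256 construction and the request bytes are constructed assumptions.

```python
"""Simplified model of DNP3 Secure Authentication's challenge-response MAC.

Hypothetical example code for this diary; not SAv5's wire format and not any
vendor implementation. HMAC-SHA-256 truncated to 16 bytes, the key and the
request bytes are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
import struct


def compute_mac(key, csq, nonce, asdu):
    """The MAC binds the key, the challenge (csq + nonce) and the request it covers."""
    return hmac.new(key, struct.pack(">I", csq) + nonce + asdu, hashlib.sha256).digest()[:16]


class Outstation:
    def __init__(self, update_key):
        self.key = update_key
        self.csq = 0          # challenge sequence number, never reused
        self.pending = None   # the single outstanding challenge

    def challenge(self):
        """Issue a new challenge: next sequence number plus 4 random bytes."""
        self.csq += 1
        self.pending = (self.csq, os.urandom(4))
        return self.pending

    def verify(self, csq, asdu, mac):
        """True only if the MAC answers the outstanding challenge for this exact request."""
        if self.pending is None or csq != self.pending[0]:
            return False
        expected = compute_mac(self.key, csq, self.pending[1], asdu)
        self.pending = None   # a challenge is consumed by one attempt, good or bad
        return hmac.compare_digest(expected, mac)


def master_reply(update_key, csq, nonce, asdu):
    """The master's side: answer the challenge for the request it wants executed."""
    return compute_mac(update_key, csq, nonce, asdu)


def run_scenarios(key=b"constructed-shared-key"):
    """Exercise the risks from the list above; returns which attempts were accepted."""
    out = Outstation(key)
    warm_restart = b"\xC0\xC0\x0E"      # constructed application fragment
    csq, nonce = out.challenge()
    mac = master_reply(key, csq, nonce, warm_restart)
    genuine = out.verify(csq, warm_restart, mac)
    # Replay: the captured (csq, mac) pair is sent again against a fresh challenge
    out.challenge()
    replayed = out.verify(csq, warm_restart, mac)
    # Modification: MAC computed over a warm restart, request changed to cold restart
    csq2, nonce2 = out.challenge()
    modified = out.verify(csq2, b"\xC0\xC0\x0D", master_reply(key, csq2, nonce2, warm_restart))
    # Spoofing: a master without the shared key cannot produce a valid MAC
    csq3, nonce3 = out.challenge()
    spoofed = out.verify(csq3, warm_restart, master_reply(b"wrong-key", csq3, nonce3, warm_restart))
    return {"genuine": genuine, "replayed": replayed, "modified": modified, "spoofed": spoofed}
```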


The following diagram shows the implementation architecture for this standard:

Diagram: protocol stack, top to bottom: DNP Application Layer, DNP Secure Authentication, DNP Transport Function, DNP Data Link Layer, Serial / Internet Protocol Suite.

As shown, an additional layer is inserted below the application layer to provide the new security features. Unfortunately, two specific reasons are preventing this standard from being widely deployed:

  • ICS systems are still being planned to last 10 to 20 years: technology has reached that world, but most ICS people have not noticed yet. They still think an air gap is enough to protect ICS systems and will not consider new investments to implement new security features. The United States is one of the leaders in regulation for critical infrastructure, but this is not the case in most countries, and unless governments pass laws enforcing cybersecurity for critical infrastructure, adoption of such standards will remain slow.
  • DNP3 equipment manufacturers do not offer the same product lines and features in all countries, and many of them even claim that this standard is not yet supported (for example, in South America).

Cybersecurity is still not mature in the ICS industry and has a long way to go. Information security professionals working in the ICS world face a very big challenge: we need to demonstrate that information security controls like this standard have a return on investment for the company, and that the risk of not having them, when operating infrastructure critical to a country, could be catastrophic with incalculable impact. This standard works, does not put any ICS facility at risk, and we all have a responsibility to ensure its implementation in our companies.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Thursday, April 17th 2014 http://isc.sans.edu/podcastdetail.html?id=3939, (Thu, Apr 17th)

Wed, 04/16/2014 - 17:48
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

WinXP and/or Win2003 hanged systems because of SC Forefront Endpoint Protection faulty update, (Wed, Apr 16th)

Wed, 04/16/2014 - 09:48

Reader Philipp reported today a bug affecting his remaining Windows XP machines and Windows 2003 servers. It seems that all Windows XP and Windows 2003 machines with SC Forefront Endpoint Protection definition update 1.171.1.0 and later are affected. You might want to test definition update 1.171.64.0, as we have received reports stating that it fixes the problem. However, we have not yet seen any official statement from Microsoft regarding this issue.

If you disable Forefront because it is not letting your machine work, please put other controls in place to minimize the associated risk. Otherwise, your computers could be compromised very easily.

We also receive questions about which AV is the best. Since the answer is that it depends on the company and its information security assets, you might want to check the Magic Quadrant for Endpoint Protection from Gartner Group and find for yourself what the best answer is for your company. If you want to read the entire report, you can get it from McAfee or Computerlinks.

We will update this diary if more information becomes available.

More information available at:

Manuel Humberto Santander Pelaez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Oracle Critical Patch Update for April 2014, (Wed, Apr 16th)

Wed, 04/16/2014 - 05:07

Oracle released its quarterly Critical Patch Update (CPU) yesterday [1]. As usual, the number of patches is quite intimidating, but remember that these 104 fixes apply across the entire Oracle product range.

Some of the highlights:

CVE-2014-2406: A bug in Oracle's Database which allows a remotely authenticated user to gain control over the database.

37 new patches for Java SE, 35 of which allow remote code execution as the user running the Java applet (according to Oracle: "The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows)").

4 of the Java vulnerabilities have a base CVSS score of 10, indicating not only full remote code execution but also easy exploitability.

[1] http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Wednesday, April 16th 2014 http://isc.sans.edu/podcastdetail.html?id=3937, (Wed, Apr 16th)

Tue, 04/15/2014 - 17:12
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

New Feature: Monitoring Certification Revocation Lists https://isc.sans.edu/crls.html, (Wed, Apr 16th)

Tue, 04/15/2014 - 17:01

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Looking for malicious traffic in electrical SCADA networks - part 1, (Tue, Apr 15th)

Tue, 04/15/2014 - 13:42

When infosec people perform intrusion detection, they usually look for attacks like port scans, buffer overflows and specific exploit signatures. For example, remember the OpenSSL heartbleed vulnerability? The following is the snort alert for this vulnerability, taken from the snort community rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt"; flow:to_server,established; content:"|18 03 00|"; depth:3; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30510; rev:5;)

When you perform inline detection within electrical SCADA networks, latency is a big issue. That means you need to fully optimize the number of checks so that latency does not increase by more than 3 ms. We also need to cover threats other than malware, exploits and buffer overflows. In this diary I will detail some specific SCADA protocol packets that could be malicious traffic and cause terrible consequences for the process infrastructure. Today I will detail malicious packets from the DNP3 protocol.

The following text details DNP3 packet structure:

Source: Practical Industrial Data Communications

  • Start: This is the starting delimiter of the DNP3 data link layer. It is always set to 0x0564.
  • Length: This is the number of user data bytes inside the DNP3 packet plus 5; it does not count CRC bytes.
  • Control: This is the DNP3 Frame Control Byte, which provides control of data flow between the master and slave over the physical link. It identifies the type of the message and the flow direction for the communication.
  • Destination: DNP3 outstations are identified by a two-byte address. These two bytes are the little-endian representation of the outstation destination address.
  • Source: These two bytes are the little-endian representation of the source address.
  • CRC: Little-endian representation of the CRC-16 DNP3. This is calculated for each block and placed at the end of it.
  • Transport control: This DNP3 Frame Control Byte provides control of data flow between the master and slave at the transport level.
  • User data for block n:
    • Application layer: Control byte: duplicates the control byte in the transport control field.
    • Application layer: Function code: defines the function being invoked by the packet.
    • Application layer: Structures: defines the structures being written or queried.
  • CRC: Little-endian representation of the CRC-16 DNP3 for block n user data.

The following DNP3 functions could be used in a malicious way:

1. DNP3 Warm Restart: When the outstation receives this packet and recognizes that it comes from the master, it performs a partial restart on completion of the communications sequence. If this packet is received several times per second, the IED will experience a denial of service and won't be able to perform actions on the industrial process, send events to the HMI or receive commands from the HMI. A typical DNP3 Warm Restart packet looks like the following:

The following filters recognize these packets:

  • Wireshark: dnp3.al.func==14
  • Snort: alert tcp $DNP3_CLIENT any -> $DNP3_SERVER $DNP3_PORTS (flow:from_client,established; content:"|0E|"; offset:12; depth:1; msg:"SCADA_IDS: DNP3 Warm Restart From Authorized Client"; classtype:attempted-dos; sid:1111112; rev:1; priority:2;)

2. DNP3 Cold Restart: When the outstation receives this packet and recognizes that it comes from the master, it performs a full restart on completion of the communications sequence. If this packet is received several times per second, the IED will experience a denial of service and won't be able to perform actions on the industrial process, send events to the HMI or receive commands from the HMI. The packet looks the same as the previous one with one small change: counting three bytes from the end, change 0E (DNP3 Warm Restart) to 0D (DNP3 Cold Restart). The following filters recognize these packets:

  • Wireshark: dnp3.al.func==13
  • Snort: alert tcp $DNP3_CLIENT any -> $DNP3_SERVER $DNP3_PORTS (flow:from_client,established; content:"|0D|"; offset:12; depth:1; msg:"SCADA_IDS: DNP3 Cold Restart From Authorized Client"; classtype:attempted-dos; sid:1111112; rev:1; priority:2;)

3. DNP3 Time Change: When this packet is received, the IED or RTU can change its internal clock, so orders received with a specific timestamp won't be executed and logs will be placed elsewhere so the operator can't see them in real time. A typical DNP3 Time Change packet looks like the following:

Wireshark can't fully filter these packets, so the following tcpdump filter is provided: ip[52]=2 and ip[53]=0x32 and ip[54]=1
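As an added example (not from the diary), a Python parser for the frame structure described above, with CRC-16/DNP validation, that recognizes the Warm Restart, Cold Restart and Time Change requests the filters above match, plus a rate check for the "several times per second" condition. All frames are constructed; the control-byte values, the g50v1 object header and the parsed-field names are assumptions.

```python
"""DNP3 data-link frame parser plus restart / time-change detection.
Hypothetical example code for this diary, not from the diary or any DNP3 library.
Layout follows the structure above: 05 64 | length | control | dst (LE) | src (LE) |
CRC (LE), then user data in blocks of up to 16 bytes, each followed by its own
CRC-16/DNP (LE). All sample frames below are constructed."""
import struct

START = b"\x05\x64"
RESTART_FUNCS = {0x0D: "Cold Restart", 0x0E: "Warm Restart"}  # application function codes

def crc16_dnp(data):
    """CRC-16/DNP: poly 0x3D65 (bit-reflected 0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def build_frame(ctrl, dst, src, user_data):
    """Assemble a valid frame (used here only to construct sample input)."""
    header = START + bytes([len(user_data) + 5, ctrl]) + struct.pack("<HH", dst, src)
    frame = header + struct.pack("<H", crc16_dnp(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", crc16_dnp(block))
    return frame

def parse_frame(frame):
    """Check the start bytes and every CRC, then decode the fields listed above."""
    if frame[:2] != START:
        raise ValueError("bad start bytes")
    header = frame[:8]
    if struct.unpack("<H", frame[8:10])[0] != crc16_dnp(header):
        raise ValueError("header CRC mismatch")
    length, ctrl = header[2], header[3]
    dst, src = struct.unpack("<HH", header[4:8])
    remaining, pos, user = length - 5, 10, b""  # length = user data bytes + 5
    while remaining > 0:
        n = min(16, remaining)
        block = frame[pos:pos + n]
        if struct.unpack("<H", frame[pos + n:pos + n + 2])[0] != crc16_dnp(block):
            raise ValueError("block CRC mismatch")
        user, pos, remaining = user + block, pos + n + 2, remaining - n
    return {"ctrl": ctrl, "dst": dst, "src": src, "transport": user[0],
            "app_ctrl": user[1], "func": user[2], "objects": user[3:]}

def classify(frame):
    """Name the risky request types from the diary, or None for anything else."""
    f = parse_frame(frame)
    if f["func"] in RESTART_FUNCS:
        return RESTART_FUNCS[f["func"]]
    # WRITE (0x02) whose first object header is group 50 (0x32) variation 1 (absolute
    # time and date): the tcpdump filter above tests these same three bytes at ip[52..54],
    # i.e. payload offsets 12..14 once the 20-byte IP and TCP headers are skipped.
    if f["func"] == 0x02 and f["objects"][:2] == b"\x32\x01":
        return "Time Change"
    return None

def restart_flood(timestamps, limit=3, window=1.0):
    """True if more than `limit` restarts from one source fall inside any `window` seconds
    (the 'several times per second' condition above); timestamps are sorted floats."""
    return any(timestamps[i + limit] - timestamps[i] <= window
               for i in range(len(timestamps) - limit))

# Constructed samples: master (addr 3) -> outstation (addr 1), unconfirmed user data
# (control 0xC4), transport FIR|FIN (0xC0), application FIR|FIN seq 0 (0xC0).
WARM_RESTART = build_frame(0xC4, 1, 3, b"\xC0\xC0\x0E")
COLD_RESTART = build_frame(0xC4, 1, 3, b"\xC0\xC0\x0D")
# WRITE of g50v1 (qualifier 0x07 = 8-bit count, count 1) carrying a 6-byte timestamp
TIME_CHANGE = build_frame(0xC4, 1, 3, b"\xC0\xC0\x02\x32\x01\x07\x01" + b"\x00" * 6)
# Payload offset 12 (after the 10-byte header+CRC, transport and application control
# bytes) is the function code, which is why the Snort rules above use offset:12; depth:1.
assert WARM_RESTART[12] == 0x0E and COLD_RESTART[12] == 0x0D
```

Snort treats rules with the same gid:sid as duplicates, and the two rules above both carry sid:1111112, so give them distinct SIDs before loading both.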

SCADA information security is different from regular IT information security practice. We need to cover the specific vectors to improve the security level of the associated industrial process.

Manuel Humberto Santander Pelaez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org 

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

VMWare Advisory VMSA-2014-0004 - Updates on OpenSSL HeartBleed http://www.vmware.com/security/advisories/VMSA-2014-0004.html, (Tue, Apr 15th)

Mon, 04/14/2014 - 18:46

Richard Porter --- ISC Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Tuesday, April 15th 2014 http://isc.sans.edu/podcastdetail.html?id=3935, (Tue, Apr 15th)

Mon, 04/14/2014 - 17:33
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

INFOCon Green: Heartbleed - on the mend, (Mon, Apr 14th)

Mon, 04/14/2014 - 06:21

We are going back to INFOCon Green today. Things have stabilized and the INFOCon is used to indicate change. Awareness of Heartbleed is well saturated and Internet teams everywhere appear to be responding appropriately.

Some points to be aware of:

  • Patching will continue and hopefully fill remaining gaps.
  • Certificate Revocation Lists (CRLs) will grow, which may lead to slower load times in some cases. Please let us know if you are observing CRL issues.
  • There is no practical way to identify if a certificate has actually been updated, unless you recorded the certificate serial number.   It is common to check the creation date, BUT a CA can re-issue a new certificate and keep the original creation date. This is silly but should be noted.
  • The client side (wget, curl, etc...) of Heartbleed is mostly a non-issue, but there are a few exceptions. Watch for VPN client updates.
  • Certificates continue to be revoked. We have taken the liberty to look at the CRL counts of sixteen different CAs since April 1, 2014.

In summary, please keep scanning and patching all of your servers and encourage all end users to change their passwords after a site's certificate has been updated.


-Kevin
--
ISC Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Monday, April 14th 2014 http://isc.sans.edu/podcastdetail.html?id=3933, (Sun, Apr 13th)

Sun, 04/13/2014 - 15:54
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Reverse Heartbleed Testing, (Sun, Apr 13th)

Sun, 04/13/2014 - 05:01

I wanted to know if the tools/software I execute regularly are vulnerable to scraping my system memory.  Now the reverse heartbleed scenario is very possible, but the likelihood seems to be much more of a non-issue.  

Seeing is still believing in my book.  So I set out to see what the interweb world was doing to test this out.  There are some very reputable services/organizations out there offering up a fresh url to the reverse heartbleed and others offering to 'test' a given url.   These are a black box.  Trust is hard to earn at times, especially when you are dealing with an exploit like this one.  I wanted to see source code, or at least pseudocode so I could craft my own.  I found a script out there called Pacemaker [1] that was written and provided by Peter Wu.  I liked it because it was transparent, simple, and it can be used exclusively under my control (the ultimate first step of developing trust).

So simple, I was able to review it for harm and function, and cut and paste it into vi.  Escape, write, quit, and I was off and running.   Basically it works like a simple webserver, very simple.  The script is executed and listens on port 4433.  You point your client software at it with a localhost url and the server script reports on STDOUT what it finds.  

I did not have any vulnerable client software readily available to give a whirl, but I did try all my curl and wget installs that I use regularly.   I also hit it with Chrome and Safari to see the error messages.

Here is what I tested with it.

wget 1.11.4:

Connection from: 10.0.0.11:60401
Unable to check for vulnerability: SSL 2.0 clients cannot be tested

curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.30.0 SecureTransport zlib/1.2.5:

Connection from: 10.0.0.11:60418
Got Alert, level=Fatal, description=40
Not vulnerable! (Heartbeats disabled or not OpenSSL)

curl 7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.5:

Connection from: 127.0.0.1:59451
Possibly not vulnerable

Chrome 34.0.1847.116:

Connection from: 127.0.0.1:59490
Got Alert, level=Fatal, description=47
Not vulnerable! (Heartbeats disabled or not OpenSSL)

I am interested in seeing more output from known vulnerable client software.  Feel free to give this a ride and share your results.  If I get a chance to spin out a new VM with some vulnerable OpenSSL on it today, then I will share my experiences too.

 

[1]   https://github.com/Lekensteyn/pacemaker


-Kevin
--
ISC Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Interested in a Heartbleed Challenge?, (Sat, Apr 12th)

Sat, 04/12/2014 - 04:29

CloudFlare launched a challenge yesterday: Can You Get Private SSL Keys Using Heartbleed? [1] The site created by CloudFlare engineers is located here and is intentionally vulnerable to heartbleed. If you manage to steal the private key from the site, they will post the full details on that site. So far two individuals have succeeded: Fedor Indutny (@indutny) and Ilkka Mattila of NCSC-F. [2]

If you have time and bandwidth, this might be a fun weekend project.

[1] http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed
[2] https://www.cloudflarechallenge.com/heartbleed

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Critical Security Update for JetPack WordPress Plugin. Bug has existed since Jetpack 1.9, released in October 2012. - http://jetpack.me/2014/04/10/jetpack-security-update/, (Sat, Apr 12th)

Fri, 04/11/2014 - 18:45

----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Heartbleed Fix Available for Download for Cisco Products, (Fri, Apr 11th)

Fri, 04/11/2014 - 15:42

The following Cisco products were previously identified as vulnerable and have since been remediated:

Cisco Registered Envelope Service (CRES)
Cisco Webex Messenger Service
Cisco USC Invicta Series Autosupport Portal

The following software has been fixed and is available for download for all affected products:

Cisco AnyConnect Secure Mobility Client for iOS - Fixed in version 3.0(9353)
Cisco WebEx Messenger Server - Fixed in 2.0MR2
Cisco TelePresence Video Communication Server (VCS) - Fixed in X8.1.1

For additional information on Cisco products, see the Cisco Security Advisory [1].

[1] http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts