Latest Alerts


ISC StormCast for Tuesday, June 10th 2014 http://isc.sans.edu/podcastdetail.html?id=4015, (Tue, Jun 10th)

Mon, 06/09/2014 - 18:55
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Monday, June 9th 2014 http://isc.sans.edu/podcastdetail.html?id=4013, (Mon, Jun 9th)

Sun, 06/08/2014 - 19:51

efax Spam Containing Malware, (Sun, Jun 8th)

Sun, 06/08/2014 - 14:03

Beware of efax messages that may come to your email inbox. This week I received my first efax spam with a source address of "Fax Message [message@inbound.efax.com]", which contained a link to www.dropbox.com that contained malware. The link has since been removed.


On efax's website, they indicate that if you are receiving fax spam you should submit the fax via their online form, and they "will attempt to prevent further transmission of junk faxes from the source." [2]

[1] http://www.efax.com/help/faq
[2] http://www.efax.com/privacy?tab=reportSpam

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Microsoft June Patch Tuesday Advance Notification, (Fri, Jun 6th)

Fri, 06/06/2014 - 08:42

Microsoft is expecting to release 2 critical and 5 important bulletins on Tuesday [1]. 

There are no patches scheduled for Windows XP even though CVE-2014-1770 does affect Internet Explorer 8, which is the last version of IE to run on Windows XP.

Preliminary Patch Table: (the bulletin numbers and anything else may change in the final release)

| # | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*) clients | ISC rating(*) servers |
|---|---|---|---|---|---|---|
| MS14-030 Cumulative Internet Explorer Update | Internet Explorer, CVE-2014-1770 | TBD | Vuln. known, but according to MSFT not yet exploited. | Severity: Critical, Exploitability: ? | Critical | Critical |
| MS14-031 Microsoft Office and Lync Remote Code Execution Vulnerability | Windows, Office, Lync (Client) | TBD | . | Severity: Critical, Exploitability: ? | Critical | Important |
| MS14-032 Microsoft Office Remote Code Execution Vulnerability | Microsoft Office | TBD | . | Severity: Important, Exploitability: ? | Critical | Important |
| MS14-033 Information Disclosure Vulnerability in Windows | Microsoft Windows | TBD | . | Severity: Important, Exploitability: ? | Important | Important |
| MS14-034 Information Disclosure Vulnerability in Lync Server | Lync Server | TBD | . | Severity: Important, Exploitability: ? | N/A | Important |
| MS14-035 Denial of Service Vulnerability in Windows | Microsoft Windows | TBD | . | Severity: Important, Exploitability: ? | Important | Important |
| MS14-036 Tampering Vulnerability in Windows | Microsoft Windows | TBD | . | Severity: Important, Exploitability: ? | Important | Important |

 

[1] https://technet.microsoft.com/library/security/ms14-jun

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


ISC StormCast for Friday, June 6th 2014 http://isc.sans.edu/podcastdetail.html?id=4011, (Fri, Jun 6th)

Thu, 06/05/2014 - 18:41

Updated OpenSSL Patch Presentation, (Thu, Jun 5th)

Thu, 06/05/2014 - 15:32

I recorded an updated Internet Storm Center Briefing for today's OpenSSL patches. It corrects a couple of mistakes from this afternoon's live presentation and adds additional details to CVE-2014-0195.

 

Presentation Slides (PDF)

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


More Details Regarding CVE-2014-0195 (DTLS arbitrary code execution), (Thu, Jun 5th)

Thu, 06/05/2014 - 13:17

HP's Zero Day Initiative released a few more details about this bug, explaining the nature of the problem. It is actually remarkably similar to some of the IP fragmentation bugs we have seen in the past.

DTLS attempts to avoid IP fragmentation. But many SSL-related messages contain data (for example certificates) that exceeds common network MTUs. As a result, DTLS fragments the messages. Each message fragment contains 3 length-related fields:

- Message size (Length) - the total size after reassembly. It should be the same for all fragments.
- Fragment Offset - where this fragment fits in the original message.
- Fragment Length - how much data this fragment contains.

If there is no fragmentation, the fragment length is equal to the message size. However, if the fragment length is less than the message size, we do have fragmentation. Each fragment should indicate the same message size.

This is different from IP. In IP, a fragment does not know how large the original packet was, and we use the "more fragments" flag to figure out when all fragments have been received.

Once OpenSSL receives a fragment, it allocates "Length" bytes to reassemble the entire message. However, the trick is that the next fragment may actually indicate a larger message size, and as a result deliver more data than OpenSSL reserved, leading to a typical buffer overflow.
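To make the three header fields and the missing consistency check concrete, here is an added Python example (not OpenSSL's code and not from HP's write-up) of a DTLS handshake fragment parser and a reassembler that applies the two checks the description above implies: every fragment of a message must declare the same total Length as the first one, and Fragment Offset + Fragment Length must fit inside that Length. The 12-byte header layout (type, 3-byte length, 2-byte message sequence, 3-byte offset, 3-byte fragment length) follows RFC 6347; the sample message, sequence numbers and the "grown length" and "overshoot" fragments are constructed for the demonstration.

```python
"""DTLS handshake fragment parsing and bounded reassembly (added example)."""

HDR_LEN = 12                 # DTLS handshake fragment header, RFC 6347 section 4.2.2
HANDSHAKE_CERTIFICATE = 11   # msg_type used in the constructed sample below


def build_fragment(msg_type, length, message_seq, frag_off, body):
    """Serialise one fragment: type(1) length(3) seq(2) offset(3) frag_len(3) body."""
    return (bytes([msg_type]) + length.to_bytes(3, "big")
            + message_seq.to_bytes(2, "big") + frag_off.to_bytes(3, "big")
            + len(body).to_bytes(3, "big") + body)


def parse_fragment(buf):
    """Split a fragment into header fields and body, checking the body is really present."""
    if len(buf) < HDR_LEN:
        raise ValueError("truncated fragment header")
    frag = {
        "msg_type": buf[0],
        "length": int.from_bytes(buf[1:4], "big"),        # total message size after reassembly
        "message_seq": int.from_bytes(buf[4:6], "big"),
        "frag_off": int.from_bytes(buf[6:9], "big"),
        "frag_len": int.from_bytes(buf[9:12], "big"),
    }
    frag["body"] = buf[HDR_LEN:HDR_LEN + frag["frag_len"]]
    if len(frag["body"]) != frag["frag_len"]:
        raise ValueError("fragment_length exceeds the bytes actually received")
    return frag


class Reassembler:
    """Reassemble fragments per message_seq. The buffer is sized from the first
    fragment's Length, so every later fragment must declare the same Length and
    must fit inside it; a fragment that fails either check is refused rather
    than written past the end of the buffer."""

    def __init__(self):
        self.pending = {}   # message_seq -> {"type", "length", "buf", "have"}

    def add(self, frag):
        """Return the complete message once every byte is present, else None."""
        seq = frag["message_seq"]
        if frag["frag_off"] + frag["frag_len"] > frag["length"]:
            raise ValueError(f"seq {seq}: offset + fragment_length exceeds declared length")
        entry = self.pending.get(seq)
        if entry is None:
            entry = {"type": frag["msg_type"], "length": frag["length"],
                     "buf": bytearray(frag["length"]), "have": bytearray(frag["length"])}
            self.pending[seq] = entry
        elif entry["length"] != frag["length"] or entry["type"] != frag["msg_type"]:
            # A later fragment claiming a different (larger) message size is refused.
            raise ValueError(f"seq {seq}: fragment header disagrees with earlier fragments")
        off, n = frag["frag_off"], frag["frag_len"]
        entry["buf"][off:off + n] = frag["body"]
        entry["have"][off:off + n] = b"\x01" * n
        if all(entry["have"]):
            del self.pending[seq]
            return bytes(entry["buf"])
        return None


def feed(reassembler, raw):
    """Drive the reassembler from wire bytes and report what happened."""
    try:
        result = reassembler.add(parse_fragment(raw))
    except ValueError as err:
        return f"rejected: {err}"
    return "complete" if result is not None else "pending"


# Constructed sample: a 40-byte message sent as two fragments, plus two
# malformed fragments of the kinds described above.
SAMPLE_MESSAGE = bytes(range(40))
GOOD_FRAGMENTS = [
    build_fragment(HANDSHAKE_CERTIFICATE, 40, 0, 0, SAMPLE_MESSAGE[:25]),
    build_fragment(HANDSHAKE_CERTIFICATE, 40, 0, 25, SAMPLE_MESSAGE[25:]),
]
# Same message_seq as the good fragments but claims a 100-byte message.
GROWN_LENGTH = build_fragment(HANDSHAKE_CERTIFICATE, 100, 0, 0, bytes(60))
# Offset + fragment_length overshoots its own declared 40-byte message.
OVERSHOOT = build_fragment(HANDSHAKE_CERTIFICATE, 40, 1, 30, bytes(20))

if __name__ == "__main__":
    r = Reassembler()
    for raw in (GOOD_FRAGMENTS[0], GROWN_LENGTH, GOOD_FRAGMENTS[1], OVERSHOOT):
        print(feed(r, raw))   # pending, rejected, complete, rejected
```

The "have" bitmap is what makes the completion test honest: a message is only delivered when every byte of the declared Length has arrived, so overlapping or duplicated fragments cannot inflate the result, and an attacker who only sends the first fragment never gets a partially filled buffer handed up to the handshake layer.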

You can see the complete source code at HP's blog, including a Wireshark display of a PoC packet. This essentially provides a PoC for this vulnerability. Interestingly Wireshark does recognize this as an error.

[1] http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002#.U5C78BYXk2-

 

(this is different, but sort of reminds me of the OpenBSD mbuf problem in IPv6, CVE-2007-1365)

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Critical OpenSSL Patch Available. Patch Now!, (Thu, Jun 5th)

Thu, 06/05/2014 - 13:08

[Webcast Correction] Important correction to the webcast: the MITM attack does not just affect DTLS. It affects TLS (TCP) as well.

Quick Q&A summary from the webcast:

- The MITM vulnerability only affects servers that run OpenSSL 1.0.1, but all client versions. Both have to be vulnerable to exploit this problem.
- The MITM vulnerability is not just DTLS (sorry, had that wrong during the webcast)
- Common DTLS applications: Video/Voice over IP, LDAP, SNMPv3, WebRTC
- Web servers (https) can not use DTLS.
- OpenVPN's "auth-tls" feature will likely mitigate all these vulnerabilities
- Even if you use "commercial software", it may still use OpenSSL.

---------

The OpenSSL team released a critical security update today. The update patches 6 flaws. 1 of the flaws (CVE-2014-0195) may lead to arbitrary code execution. [1]

All versions of OpenSSL are vulnerable to CVE-2014-0195, but this vulnerability only affects DTLS clients or servers (look for SSL VPNs... not so much HTTPS).

I also rated CVE-2014-0224 critical, since it does allow for MiTM attacks, one of the reasons you use SSL. But in order to exploit this issue, both client and server have to be vulnerable, and only openssl 1.0.1 is vulnerable on servers (which is why I stuck with "important" for servers). The discoverer of this vulnerability released details here: http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html .

CVE-2010-5298 does allow third parties to inject data into existing SSL connections. This could be a big deal, but according to the OpenSSL advisory, the SSL_MODE_RELEASE_BUFFERS feature is usually not enabled. 

Make sure you update to one of these OpenSSL versions:

OpenSSL 0.9.8za   (openssl ran out of letters, so instead of calling this one 'z' they call it 'za' to allow for future releases. However, this *may* be the last 0.9.8 release).
OpenSSL 1.0.0m
OpenSSL 1.0.1h
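Because OpenSSL's letter suffixes do not sort as plain strings ("za" is newer than "z"), here is an added Python helper (not from the advisory or the OpenSSL project) that compares an installed version against the three fixed releases listed above, including the output line from `openssl version`. The version strings it is fed are constructed examples; the `-fips` style suffix handling is an assumption about distro-built binaries.

```python
"""Compare an OpenSSL version string against the fixed releases named above (added example)."""
import re

# Fixed releases from the advisory, keyed by branch.
FIXED_RELEASES = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}

VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)([a-z]*)")


def letter_key(suffix):
    """OpenSSL letter releases run a..y, z, then za, zb, ...: a longer suffix is newer."""
    return (len(suffix), suffix)


def split_version(version):
    """'1.0.1h' -> ('1.0.1', 'h'); a tag such as '1.0.1e-fips' keeps only the letters 'e'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    return m.group(1), m.group(2)


def is_patched(version):
    """True/False against the advisory's fixed release; None if the branch is not listed."""
    branch, letters = split_version(version)
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return None
    return letter_key(letters) >= letter_key(fixed)


def check_version_line(line):
    """Parse `openssl version` output, e.g. 'OpenSSL 1.0.1g 7 Apr 2014' (constructed)."""
    m = re.search(r"OpenSSL\s+(\S+)", line)
    if not m:
        raise ValueError("not an `openssl version` line")
    version = m.group(1)
    return version, is_patched(version)


if __name__ == "__main__":
    for sample in ("OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 0.9.8za 5 Jun 2014",
                   "OpenSSL 1.0.1e-fips 11 Feb 2013"):
        print(sample, "->", check_version_line(sample))
```

One caveat that matters in practice: distribution packages (the vendor advisories listed below) usually backport the fix without bumping the letter, so a Red Hat or Debian binary reporting 1.0.1e can be fully patched. Use this check for self-built or upstream binaries, and the package changelog or vendor advisory for distro builds.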

| CVE | Name | Impact | Vulnerable Versions | Client | Server |
|---|---|---|---|---|---|
| CVE-2014-0224 | SSL/TLS MITM Vulnerability | MiTM | Server: 1.0.1, Client: 0.9.8, 1.0.0, 1.0.1 (both have to be vulnerable) | Critical | Important |
| CVE-2014-0221 | DTLS recursion flaw | DoS | 0.9.8, 1.0.0, 1.0.1 | Important | Not Affected |
| CVE-2014-0195 | DTLS invalid fragment vulnerability | Code Exec. | 0.9.8, 1.0.0, 1.0.1 | Critical | Critical |
| CVE-2014-0198 | SSL_MODE_RELEASE_BUFFERS NULL pointer dereference | DoS | 1.0.0, 1.0.1 (neither affected in default config) | Important | Important |
| CVE-2010-5298 | SSL_MODE_RELEASE_BUFFERS session injection | DoS or Data Injection | 1.0.0, 1.0.1 (in multithreaded applications, not in default config) | Important | Important |
| CVE-2014-3470 | Anonymous ECDH Denial of Service | DoS | 0.9.8, 1.0.0, 1.0.1 | Important | Not Affected |

Vendor Information:

Redhat: https://rhn.redhat.com/errata/RHSA-2014-0625.html and https://rhn.redhat.com/errata/RHSA-2014-0626.html
Ubuntu: http://www.ubuntu.com/usn/usn-2232-1/
FreeBSD: http://www.freebsd.org/security/advisories/FreeBSD-SA-14:14.openssl.asc
Debian: http://www.debian.org/security/2014/dsa-2950
OpenSuse: http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00003.html
Amazon AWS: http://aws.amazon.com/security/security-bulletins/openssl-security-advisory/

[1] https://www.openssl.org/news/secadv_20140605.txt

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Defending Web Applications (DEV522) is coming to Boston end of July http://i5c.us/dev522bos, (Thu, Jun 5th)

Thu, 06/05/2014 - 10:45

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Internet Storm Center Briefing on OpenSSL Vulnerabilities today at 12pm ET (8am PT/4pm UTC) https://www.sans.org/webcasts/98445, (Thu, Jun 5th)

Thu, 06/05/2014 - 06:25

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


p0f, Got Packets?, (Wed, Jun 4th)

Thu, 06/05/2014 - 06:24

p0f has been discussed from time to time in our diary posts [1],[2] and I thought it good to bring that tool up again. There is a fully updated version [3] that has some additional features and seems to be maintained again (hoooray!). In that, there are some great things we can re-visit with the new and improved tool.

In the interest of the 'power' of sharing, to the "Inter-Tubes" for data. "Data, Data, Data" .... Here at the Internet Storm Center we have a saying "Got Packets?" well, in the interest of giving back check out http://www.netresec.com/?page=PcapFiles as a jumping off point for GiGs and GiGs worth of packets. Your mileage on the links may vary as some pcaps are no longer available. Be careful as always, some of that stuff may hurt :)

Checking what version is loaded, 3.06b and to the command line "Batman", let us first take a look at some simple protocol traffic. Mine is a capture from a ... location ... *hint_35K_feet*. If you want to take a look at other PCAPS that can be run through the tool for output check out references [4], [5], [6] (And I am sure there are others out there, please add in the comments).

We run p0f -r ./ and get some results. Let's go over the normal stuff, then get to the good stuff.

 

If you notice in Figure 1., we see that we can tell a lot about this host, up-time, FREQ of the host, probably a Wifi, iType Device, likely a MacBook Pro (I have the inside scoop on that, it's me :).

For the more interesting part, we have to scroll back up a bit and we find?

According to the readme found at http://lcamtuf.coredump.cx/p0f3/README this is available via API. Just another tool in the belt of the analyst.

For fun, I downloaded a CTF PCAP from ICTF and ran it to see what p0f could find. 

 

[8]

References:
[1] https://isc.sans.edu/forums/diary/p0f+spam+detection+and+OOF+e-mails/2912
[2] https://isc.sans.edu/diary/Passive+Scanning+Two+Ways+-+How-Tos+for+the+Holidays/17246
[3] http://lcamtuf.coredump.cx/p0f3/
[4] http://www.netresec.com/?page=PcapFiles
[5] https://www.defcon.org/html/links/dc-torrent.html
[6] http://terasaur.org/item/downloads/computer-forensics-2009-m57-scenario/187
[7] https://www.evilfingers.com/repository/pcaps.php
[8] https://ictf.cs.ucsb.edu/data/ictf2009/

 

Richard Porter

--- ISC Handler on Duty


ISC StormCast for Thursday, June 5th 2014 http://isc.sans.edu/podcastdetail.html?id=4009, (Thu, Jun 5th)

Wed, 06/04/2014 - 18:27

OUCH! is out, learn how to securely dispose of your mobile devices! Thx to Guest Editor @CCrowMontance - https://www.securingthehuman.org/ouch, (Wed, Jun 4th)

Wed, 06/04/2014 - 05:58

ISC StormCast for Wednesday, June 4th 2014 http://isc.sans.edu/podcastdetail.html?id=4007, (Wed, Jun 4th)

Tue, 06/03/2014 - 18:24

An Introduction to RSA Netwitness Investigator, (Tue, Jun 3rd)

Tue, 06/03/2014 - 09:59

In many cases using Wireshark to do network forensics is a very difficult task, especially if you need to extract files from a pcap file.

Using tools such as RSA Netwitness Investigator can make network forensics much easier. RSA Netwitness Investigator is available as freeware.

Installation:

1-Go to http://www.emc.com/security/security-analytics/security-analytics.htm#!freeware to obtain the latest version of RSA Netwitness Investigator.  

2-Launch NwInvestigatorSetup.exe

3- Read the license agreement and accept it (if you wish).

4- Choose users

5-Choose the Install location and click install.

Once you have finished your installation you have to register a freeware user account. You have to activate your version before you can use it.

Usage:

1-Create New local collection


2-Enter the new collection name:


3-Select the collection


4-Select Import Packets from Collection menu and select the pcap file that you would like to investigate


5-Select Navigate Collection from the Collection menu

6-Now you should have something similar to this screen :


As you can see everything is clear, and you can browse it by Service Type (protocol), hostname, source IP, etc.

Let's say for example you want to explore the names of the exe files contained in the pcap file. You do that by clicking on extension->exe, and you will see all the exe files in the pcap file along with the details of each file, such as where it came from (IP address and hostname) and how it came (protocol).




ISC StormCast for Tuesday, June 3rd 2014 http://isc.sans.edu/podcastdetail.html?id=4005, (Tue, Jun 3rd)

Mon, 06/02/2014 - 17:49

Gameover Zeus and Cryptolocker Takedowns, (Mon, Jun 2nd)

Mon, 06/02/2014 - 11:48

By now many of you have already read the reporting by Brian Krebs on the Gameover Zeus (GOZ) and Cryptolocker takedowns (or, more accurately, disruptions). You can read the US Justice Department's court documents here, which include a named suspect behind the operation of GOZ. This is the result of large-scale multijurisdictional law enforcement cooperation and work from the private sector. The TL;DR version is that as of this moment, Gameover Zeus has been disrupted and can no longer control clients. In the case of Cryptolocker, new victim machines can no longer communicate with the command and control (C2) servers, which means files will not be encrypted. If your files are already encrypted, there is no change, as once the files are encrypted no further communication with the C2s is necessary unless you are paying the ransom. This, unfortunately, is likely temporary in nature (between 2 weeks and 6 months depending on the specific circumstances).

One thing that would be helpful is that if you observe new GOZ or Cryptolocker infections, please write in with details so they can be analyzed.

Thanks!

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting


Using nmap to scan for DDOS reflectors, (Mon, Jun 2nd)

Sun, 06/01/2014 - 20:51

Before we get into this here is the standard disclaimer.  Do not scan any devices that you do not have explicit permission to scan.  If you do not own the devices I strongly recommend you get that permission in writing.  Also, port scanning may cause instability or failure of some devices and/or applications.  Just ask anyone who lost ILOs to heartbleed.  So be careful!

As we have seen in past diaries about reflective DDOS attacks, they are certainly the flavor of the day. US-CERT claims there are several UDP based protocols that are potential attack vectors. In my experience the most prevalent ones are DNS, NTP, SNMP, and CharGEN. Assuming you have permission, is there an easy way to do good data gathering for these ports on your network? Yes, as a matter of fact it can be done in one simple nmap command.

nmap -sU -A -PN -n -pU:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr <target>

Let’s break this down:

-sU – perform a UDP scan.  Since all the services above are UDP I only need to scan for the UDP ports.

-A – perform operating system and application version detection.  This will attempt to give you more information about what applications are running on the open ports.  The -A option also includes operating system detection, but it is unlikely that operating system detection will work when scanning this few ports.

-PN – scan even if you can’t contact the IP.  By default nmap will not scan any device it can’t contact. Unfortunately if a device is hidden behind a firewall nmap will not usually be able to detect the device and will omit it from the detailed scan.  A downside of using -PN is that nmap will complete the detailed scan against the IP even if it doesn’t exist or no ports are open.  If you are scanning a large number of IPs the scan will take a long time.

-n – don’t do DNS resolution.  By default nmap performs a DNS resolution.  Not doing that resolution will speed up the scan somewhat.

-pU:19,53,123,161 – scan the UDP ports specified.  In nmap ‘-p’ is used to indicate which ports to scan. The ‘U’ tells nmap that the ports that follow are UDP ports. Since this scan is only scanning UDP ports (-sU) the ‘U’ is redundant.  However over the years I have gotten into the habit of explicitly specifying which type of ports I want to scan unless I want to add some TCP ports (-pT:) to the scan at a later time.

The ports specified in this scan are:

  • 19 – CharGEN
  • 53 – DNS
  • 123 – NTP
  • 161 – SNMP

--script=ntp-monlist,dns-recursion,snmp-sysdescr – the --script= option enables the nmap scripting engine (NSE) and runs the listed scripts when they make sense to run.  In other words, the ntp-monlist script will only be run when the NTP port is found to be open.  nmap has many scripts available which can be used to extend nmap's basic functionality.

The scripts specified on this scan are:

  • ntp-monlist – while any open NTP service can be used in a reflective DDOS attack the maximum amplification is achieved with NTP services that permit the monlist command to be executed. This script will do a check to see if monlist can be executed against an open NTP port.
    • Normally an open NTP service will look similar to:

123/udp   open   ntp   NTP v4

If the monlist command is enabled on the ntp server, the ntp-monlist script will give you more information:

123/udp open  ntp     NTP v4
| ntp-monlist:
|   Target is synchronised with 206.108.0.131
|   Alternative Target Interfaces:
|       XXX.16.1.71
|   Public Servers (4)
|       XXX.87.64.125    XXX.75.12.11    XXX.108.0.131
|   Other Associations (596)
…etc…

  • dns-recursion – Normally public DNS servers will only answer DNS queries for which they are authoritative.  A DNS server that permits and processes queries for names for which it is not authoritative is called a recursive DNS server, and a publicly reachable recursive DNS server is in most cases misconfigured.  The output for an open DNS port with recursion enabled will be similar to:

53/udp  open          domain  Microsoft DNS 6.1.7600 (1DB04228)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7600 (1DB04228)
|_dns-recursion: Recursion appears to be enabled

  • snmp-sysdescr – attempts to extract more information from the SNMP service.  An open SNMP service will look similar to:

161/udp open     snmp    SNMPv1 server (public)

    With the snmp-sysdescr script it will usually display more information which may tell you more about the device you are scanning:

161/udp open|filtered snmp
|_snmp-hh3c-logins: TIMEOUT
|_snmp-win32-shares: TIMEOUT

Or

161/udp open     snmp    SNMPv1 server (public)
| snmp-sysdescr: Apple AirPort - Apple Inc., 2006-2012.  All rights Reserved.
|_  System uptime: 9 days, 20:15:36.56 (85053656 timeticks)

Want to take a guess at what these devices are?

As you can see nmap provides a simple and effective way of scanning for the common ports used in reflective DDOS attacks.  This diary has barely scratched the surface of nmap’s capabilities. 
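Once the scan has been run across a larger range, the useful next step is turning nmap's normal output into a per-host list of confirmed reflectors. The Python below is an added example (not part of the diary or of nmap) that parses the port lines and the indented `|` NSE lines shown above and applies the same interpretation the diary gives: CharGEN open, DNS with "Recursion appears to be enabled", NTP where `ntp-monlist:` returned data, and SNMP answering the `public` community. The scan output it runs over is constructed to mirror the diary's samples (with documentation addresses), and the assumption that hosts are introduced by an "Nmap scan report for" line matches nmap's normal (non-XML) output.

```python
"""Classify nmap UDP scan output for reflector risk (added example)."""
import re

# Constructed sample modelled on the output lines shown in the diary.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.0.2.10
PORT    STATE SERVICE VERSION
19/udp  open  chargen
53/udp  open  domain  Microsoft DNS 6.1.7600 (1DB04228)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7600 (1DB04228)
|_dns-recursion: Recursion appears to be enabled
123/udp open  ntp     NTP v4
| ntp-monlist:
|   Target is synchronised with 192.0.2.1
|   Public Servers (2)
|       192.0.2.2    192.0.2.3
161/udp open  snmp    SNMPv1 server (public)
| snmp-sysdescr: Example router
|_  System uptime: 9 days, 20:15:36.56 (85053656 timeticks)

Nmap scan report for 192.0.2.11
PORT    STATE         SERVICE VERSION
123/udp open|filtered ntp
161/udp closed        snmp
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/udp\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_output(text):
    """Parse nmap normal output into {host: {port: record}}.

    A record holds the state, service name, version banner and the raw NSE
    script lines ('|' prefixed) that nmap prints beneath that port.
    """
    hosts, host, port = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HOST_RE.match(line)
        if m:
            host, port = m.group(1), None
            hosts[host] = {}
            continue
        m = PORT_RE.match(line)
        if m and host is not None:
            port = int(m.group(1))
            hosts[host][port] = {"state": m.group(2), "service": m.group(3),
                                 "version": m.group(4) or "", "script": []}
            continue
        if line.startswith("|") and host is not None and port is not None:
            hosts[host][port]["script"].append(line)
    return hosts


def assess_reflectors(hosts):
    """Map each host to a list of reflector findings, in port order."""
    findings = {}
    for host, ports in hosts.items():
        notes = []
        for port, rec in sorted(ports.items()):
            script = "\n".join(rec["script"])
            if rec["state"] == "open|filtered":
                # No reply at all: nmap cannot tell open from filtered on UDP.
                notes.append(f"{port}/udp: unconfirmed (open|filtered, no response)")
                continue
            if rec["state"] != "open":
                continue
            if port == 19:
                notes.append("19/udp: CharGEN responds; any request is amplified")
            elif port == 53:
                if "Recursion appears to be enabled" in script:
                    notes.append("53/udp: open recursive DNS (reflector)")
                else:
                    notes.append("53/udp: DNS open, recursion not confirmed")
            elif port == 123:
                if "ntp-monlist:" in script:
                    notes.append("123/udp: NTP monlist enabled (highest amplification)")
                else:
                    notes.append("123/udp: NTP open, monlist not confirmed")
            elif port == 161:
                if "(public)" in rec["version"]:
                    notes.append("161/udp: SNMP answers default 'public' community")
                else:
                    notes.append("161/udp: SNMP open")
        findings[host] = notes
    return findings


if __name__ == "__main__":
    for host, notes in assess_reflectors(parse_nmap_output(SAMPLE_OUTPUT)).items():
        print(host)
        for note in notes:
            print("  ", note)
```

The "unconfirmed" bucket is deliberate: with -PN and UDP, a host that never answers shows up as open|filtered, and the only way to settle it is a follow-up probe or a look at the device itself, so those hosts should stay on the worklist rather than being dropped as clean.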

I would be interested to know if any of you have ways to enhance or improve this scan.

 

-- Rick Wanner - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


ISC StormCast for Monday, June 2nd 2014 http://isc.sans.edu/podcastdetail.html?id=4003, (Mon, Jun 2nd)

Sun, 06/01/2014 - 17:36