Latest Alerts

Syndicate content SANS Internet Storm Center, InfoCON: green
Updated: 50 min 22 sec ago

Checking for vulnerabilities in the Smart Grid System, (Thu, Aug 7th)

Thu, 08/07/2014 - 17:02

SCADA systems are not composed the same way as regular IT systems. Therefore, the risk and vulnerability assessment cannot be performed as it is done for any other IT system. The most important differences are:

  • SCADA Pentesting should not be done in production environment: SCADA devices are very fragile and some activities that could pose harmless to regular IT environments could be catastrophic to the process availability. Think of massive blackouts or no water supply for a city.
  • SCADA devices have specific outputs for the industrial process they are controlling. The architecture and operating systems are not the same, so risks assessment approach is not performed in the same way. For electrical systems, we need to address devices belonging to the Advanced Metering Infrastructure (AMI), Demand Response (DR), Distributed Energy Resources (DER), Distributed Grid Management (DGM), Electric Transportation (ET) and Wide Area Monitong, Protection and Control (WAMPAC). This means we need to address devices like the following, instead of conventional network devices, services, laptops, desktop computers or mobile devices:
AMI Meters Relays Aggregators Access points DR Energy Resources Digital Control Unit DER DER Managed generation and storage devices Customer Energy Management System DGM Automated Reclosure Remote Fault Indicators Capacitor Banks Automated Switches Load Monitor Substation Breakers WAMPAC Phasor Measurement Units Device which includes Phasor Measurement Unit capabilities Field Deployed Phasor Data Concentrator Field Deployed Phasor Gateways

Table 1: Devices in the Smartgrid Network

This means we need to considering a specific methodology for this type of infrastructure that leads to effective risk mitigation for proper detection of vulnerabilities in the smartgrid system. I want to recommend one today named Guide to Penetration Testing for Electric Uitilities created by the National Electric Sector Cybersecurity Organization Resource (NESCOR). This metodology is composed by the following steps:

 


Source: http://www.smartgrid.epri.com/doc/NESCORGuidetoPenetrationTestingforElectricUtilities-v3-Final.pdf

Let's explain the steps a little bit:

  • Penetration Test Scoping: You need to decide which sector of the entire system will be the target of the assessment. Could be a substation, generation plant or any other device listed in table 1. The scope could even be the entire system.
  • Architecture Review: You want to learn the context of the entire system. This is the first step of information acquisition. Can be done checking the documentation of the system and analyzing the configuration of the devices part of the scope.You can also check for information in the same way as it is done with conventional pentesting like google, shodan, maltego and social networks.
  • Target System Setup: You don't want to perform a pentesting in a smartgrid live production environment. Instead, you need to setup an environment with the same configuration, as much as possible, to the live configuration of the smartgrid production environment. That's how we can get a full list of the vulnerabilities performing even dangerous test without affecting the availability of the electrical service.
  • Server OS, Server application, Network Communication and Embedded device penetration tasks: Those are the specific pentest tasks within the target systems. You can use several tools like
  • End to end penetration testing analysis: You need to ensure that all possible inputs from external systems to all systems in the scope have been tested and evaluated as possible vulnerable points for attacks.
  • Result interpretation and reporting: As always, you need to develop a report including the vulnerabilities that could be exploited, the risks associated, the remediation steps and other recommendations that could be applied.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Thursday, August 7th 2014 http://isc.sans.edu/podcastdetail.html?id=4095, (Thu, Aug 7th)

Wed, 08/06/2014 - 17:07
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Free Service to Help CryptoLocker Victims by FireEye and Fox-IT, (Wed, Aug 6th)

Wed, 08/06/2014 - 16:25

Various Internet Storm Center Handlers have written Diaries on the malware called CryptoLocker, a nasty piece of malware which encrypting the files of the systems it infects, then gives victims 72 hours to pay the ransom to receive a private key that decrypts those files. There are still victims out there with encrypted files, and if you're one of them or know of someone affected, the folks at FireEye and Fox-IT have created a web portal https://www.decryptcryptolocker.com/ to decrypt those files. 

This is a free service for any afflicted by CryptoLocker, many of which are small businesses without the resources to deal with this properly, so let people know.

Using the site is very straight forward (Steps taken from the FireEye blog[1]):

How to use the DecryptCryptoLocker tool Users need to connect to the https://www.decryptcryptolocker.com/ Identify a single, CryptoLocker-encrypted file that they believe does not contain sensitive information. Upload the non-sensitive encrypted file to the DecryptCryptoLocker portal. Receive a private key from the portal and a link to download and install a decryption tool that can be run locally on their computer. Run the decryption tool locally on their computer, using the provided private key, to decrypt the encrypted files on their hard drive. DecryptCryptoLocker is available globally and does not require users to register or provide contact information.

This is a fantastic resource from both FireEye and Fox-IT, so thanks to all involved in making this happen and making it free to use.

For more background on CryptoLocker from Fox-IT, read their CryptoLocker ransomware intelligence report [2].

 

[1] http://www.fireeye.com/blog/corporate/2014/08/your-locker-of-information-for-cryptolocker-decryption.html

[2] http://blog.fox-it.com/2014/08/06/cryptolocker-ransomware-intelligence-report/

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

OpenSSL Security Advisories http://www.openssl.org/news/secadv_20140806.txt, (Wed, Aug 6th)

Wed, 08/06/2014 - 15:48

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

OUCH is out, this month we explain what encryption is and how to use it. https://www.securingthehuman.org/ouch, (Wed, Aug 6th)

Wed, 08/06/2014 - 09:14
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

OUCH is out, this month we explain what encryption is and how to use it. https://www.securingthehuman.org/ouch, (Wed, Aug 6th)

Wed, 08/06/2014 - 09:14
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

All Passwords have been lost: What's next?, (Wed, Aug 6th)

Wed, 08/06/2014 - 03:40

Some of it may be hype. But no matter if 500 Million, 1.5 Billion or even 3.5 Billion passwords have been lost as yesterday's report by Hold Security states, given all the password leaks we had over the last couple years it is pretty fair to assume that at least one of your passwords has been compromised at some point. [1]

yes. we have talked about this many times, but it doesn't seem to get old sadly.

So what next? Password have certainly been shown to "not work" to authenticate users. But being cheap, they still are used by most websites (including this one, but we do offer a 2-factor option). 

For web sites:

  • review your password policies. There is no "right" policy, but come up with something that rejects obvious weak passwords and on the other hand, allows users to choose passwords that they can remember (so they can have a unique password for your site).
  • Make sure your site works with commonly used password managers. The only real way for the user to have a unique password for each site is a password manager.
  • lock accounts that haven't been used in a long time, and delete their password from your database forcing a password reset if they try to reactivate it
  • consider two factor authentication, at least as an option and maybe mandatory for high value accounts (e.g. administrators). Google authenticator is probably the easiest one to implement  and it is free. We talked about other alternatives in the past as well.

For users:

  • Have a unique password for each site. As an alternative, you may have a single "throw away" password for sites that you don't consider important. But be aware that at one point, a site that is not important now, may become important as you are doing more business with them.
  • Use a password safe, if possible one that allows syncing locally without having to send your password collection to a cloud service.
  • For important sites that don't allow for two factor authentication, consider a "two-part password": One part will be kept in your password safe, while the second part you type in. The password safe part is unique to the site while the additional second part can be the same for different sites or at least easy to remember. This will give you some protection against a compromised password safe.
  • Change passwords once in a while (I personally like every 6 months... ) in particular the "static" part of these high-value passwords.
  • Ask sites that you consider important to implement 2-factor authentication.

That's at least what I can come up with while sipping on my first cup of coffee for the day. 

[1] http://www.holdsecurity.com/news/cybervor-breach/

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Wednesday, August 6th 2014 http://isc.sans.edu/podcastdetail.html?id=4093, (Wed, Aug 6th)

Tue, 08/05/2014 - 18:09
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Center for Internet Security Releases Benchmark for VMWare ESXi 5.5 https://benchmarks.cisecurity.org/downloads/form/index.cfm?download=esxi55.100, (Tue, Aug 5th)

Tue, 08/05/2014 - 05:22

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Synolocker: Why OFFLINE Backups are important, (Tue, Aug 5th)

Tue, 08/05/2014 - 05:15

One current threat causing a lot of sleepless nights to victims is "Cryptolocker" like malware. Various variations of this type of malware are still haunting small businesses and home users by encrypting files and asking for ransom to obtain the decryption key. Your best defense against this type of malware is a good backup. Shadow volume copies may help, but aren't always available and complete.

In particular for small businesses, various simple NAS systems have become popular over the recent years. Different manufacturers offer a set of Linux based devices that are essentially "plug and play" and offer high performance RAID protected storage that is easily shared on the network. One of these vendors, Synology, has recently been somewhat in the cross hairs of many attacks we have seen. In particular vulnerabilities int he web based admin interface of the device have led to numerous exploits we have discussed before. 

The most recent manifestation of this is "Synolocker", malware that infects Synology disk storage devices and encrypts all files, similar to the original cryptolocker. Submissions to the Synology support forum describe some of the results [1].

The malware will also replace the admin console index web page with a ransom message, notifying the user of the exploit. It appears however that this is done before the encryption finishes. Some users where lucky to notice the message in time and were able to save some files from encryption.

It appears that the best way to deal with this malware if found is to immediatly shut down the system and remove all drives. Then reinstall the latest firmware (may require a sacrificial drive to be inserted into the system) before re-inserting the partially encrypted drives.

To protect your disk station from infection, your best bet is:

  • Do not expose it to the internet, in particular the web admin interface on port 5000
  • use strong passwords for the admin functions
  • keep your system up to date
  • keep offline backups. this could be accomplished with a second disk station that is only turned on to receive the backups. Maybe best to have two disk stations from different manufacturers.

It is important to note that while Synology has been hit the hardest with these exploits, other devices from other manufacturers had vulnerabilities as well and the same security advice applies (but typically, they listen on ports other then 5000). 

[1] http://forum.synology.com/enu/viewtopic.php?f=3&t=88716

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Legal Threat Spam: Sometimes it Gets Personal, (Tue, Aug 5th)

Tue, 08/05/2014 - 04:57

Yesterday, I spotted the following tweet mentioning me:

Needless to say, I got intrigued, and luckily the sender of the tweet was willing to share a sample.

The sample turned out to be simple legal threat malware e-mail written in German. The e-mail claimed that the recipient downloaded a copyrighted movie and it asked for legal fees. The invoice for the legal fees was supposed to be included in the attached ".cab" file.

From: "Johannes Ullrich"  
To: [removed].de
Subject: [vorfall:132413123]

Guten Tag,

Am 01.08.2014 wurde von Ihrem Rechner mit der IP-Addresse 192.0.2.1 um 12:13:01 der Film "Need for Speed" geladen. Nach §19a UrhG ist dies eine kriminelle Handlung. Unsere Anwaltskanzlei  muss dies ans zuständige Amtsgericht melden, außer Sie Zahlen ein außergerichtliches Strafgeld in Höhe von 436.43 Euro an uns.
Die Rechnung "1234.cab" entnehmen Sie dem Anhang.

Hochachtungsvoll,
Johannes Ullrich
+4991312341234

The attached .cab file runs a typical trojan downloader that could download various pieces of malware. A quick search shows a number of other reports of this email, with different "From:" names. It looks like it picks plausible German names, maybe from the contact list of infected systems. My names isn't that terrible unusual, so I don't think this is targeted at all. Sometimes it is just an odd coincidence, and they aren't really after you.

In the case above, the "From" e-mail address is not related to me. However, if an attacker sends spam using your e-mail address, it is very useful to have DMARC configured for your domain. With DMARC, you give the receiving mail server the option to report any e-mail that fails the DKIM or SPF tests to you. Only a few mail servers do so, but some of them are major public web mail systems. For example, here a quick report I just received for a domain I own:


(click on image for full size)

The attachment does include a report with details why the e-mail was found to be suspect (of course, you should still be careful with attachments. These reports can be faked too!) ;-).

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Tuesday, August 5th 2014 http://isc.sans.edu/podcastdetail.html?id=4091, (Tue, Aug 5th)

Mon, 08/04/2014 - 17:23
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Threats & Indicators: A Security Intelligence Lifecycle , (Mon, Aug 4th)

Sun, 08/03/2014 - 17:06

In our recent three-part series, Keeping the RATs Out (Part 1, Part 2, Part 3), I tried to provide analysis offering you an end-to-end scenario wherein we utilized more than one tool to solve a problem. I believe this to be very useful particularly when making use of threat intelligence. Following is a partial excerpt from my toolsmith column, found monthly in the ISSA Journal, wherein I built on the theme set in the RATs series. I'm hopeful Threats & Indicators: A Security Intelligence Lifecycle helps you build or expand your threat intelligence practice.

I receive and review an endless stream of threat intelligence from a variety of sources. What gets tricky is recognizing what might be useful and relevant to your organizations and constituencies. To that end I’ll take one piece of recently received intel and work it through an entire lifecycle. This intel came in the form of an email advisory via the Cyber Intelligence Network (CIN) and needs to remain unattributed. The details, to be discussed below, included malicious email information, hyperlinks, redirects, URL shorteners, ZIP archives, malware, command and control server (C2) IPs and domain names, as well as additional destination IPs and malicious files. That’s a lot of information but sharing it in standards-based, uniform formats has never been easier. Herein is the crux of our focus for this month. We’ll use Mandiant’s IOCe to create an initial OpenIOC definition, Mitre’s OpenIOC to STIX, a Python utility to convert OpenIOC to STIX, STIXviz to visualize STIX results, and STIX to HTML, an XSLT stylesheet that transforms STIX XML documents into human-readable HTML. Sounds like a lot, but you’ll be pleasantly surprised how bang-bang the process really is. IOC represents Indicators Of Compromise (in case you just finally just turned off your vendor buzzword mute button) and STIX stands for Structured Threat Information eXpression. STIX, per Mitre, is a “collaborative community-driven effort to define and develop a standardized language to represent structured cyber threat information.” It’s well worth reading the STIX use cases. You may recall that Microsoft recently revealed the Interflow project which incorporates STIX, TAXII (Trusted Automated eXchange of Indicator Information), and CybOX (Cyber Observable eXpression standards) to provide “an automated machine-readable feed of threat and security information that can be shared across industries and community groups in near real-time.“ Interflow is still in private preview but STIX, OpenIOC, and all these tools are freely and immediately available to help you exchange threat intelligence...   Keep reading Threats & Indicators: A Security Intelligence Lifecycle here.

Russ McRee | @holisticinfosec

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Monday, August 4th 2014 http://isc.sans.edu/podcastdetail.html?id=4089, (Mon, Aug 4th)

Sun, 08/03/2014 - 16:36
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

All Samba 4.x.x are vulnerable to a remote code execution vulnerability in the nmbd NetBIOS name services daemon, (Sat, Aug 2nd)

Fri, 08/01/2014 - 16:46

A remote code execution in nmbd (the NetBIOS name services daemon) has been found in Samba versions 4.0.0 to 4.1.10. ( assgined CVE-2014-3560) and a patch has been release by the team at samba.org.

Here's the details from http://www.samba.org/samba/security/CVE-2014-3560

=========== Description =========== All current versions of Samba 4.x.x are vulnerable to a remote code execution vulnerability in the nmbd NetBIOS name services daemon. A malicious browser can send packets that may overwrite the heap ofthe target nmbd NetBIOS name services daemon. It may be possible to use this to generate a remote code execution vulnerability as the superuser (root).   ================== Patch Availability ================== A patch addressing this defect has been posted to http://www.samba.org/samba/security/ Additionally, Samba 4.1.11 and 4.0.21 have been issued as security releases to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches/. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible. ========== Workaround ========== Do not run nmbd, the NetBIOS name services daemon.

 

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Microsoft's Enhanced Mitigation Experience Toolkit 5.0 is out: http://www.microsoft.com/en-us/download/details.aspx?id=43714, (Fri, Aug 1st)

Thu, 07/31/2014 - 23:00

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Friday, August 1st 2014 http://isc.sans.edu/podcastdetail.html?id=4087, (Fri, Aug 1st)

Thu, 07/31/2014 - 17:41
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

WireShark 1.10.9 and 1.12.0 has been released, (Fri, Aug 1st)

Thu, 07/31/2014 - 17:18

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

A Honeypot for home: Raspberry Pi, (Thu, Jul 31st)

Thu, 07/31/2014 - 06:20

In numerous previous Diaries, my fellow Internet Storm Center Handlers have talk on honeypots, the values of full packet capture and value of sharing any attack data. In this Diary I'm going to highlight a fairly simple and cost effective way of rolling those together. 

If you have an always on internet connection, having a honeypot listening to what is being sent your way is never bad idea. There's plenty of ways to set up a honeypot, but a inexpensive way is to set up one up at home is with a Raspberry Pi [1]. The Raspberry Pi is a credit-card sized computer, which can be hidden away out of sight easily, has a very low power consumption and is silent but works very well for a home honeypot.  

These are plenty of install guides to install the OS (I like using Raspbian), secure it then, drop your pick, or mix, of honeypot such as Kippo [2], Glastopf [3] or Dionaea [4] on it. Again, guides on how to set these up litter the intertubes, so take your pick. As additional step, I like to install tcpdump and plug in a Linux formatted 4Gb USB drive in to the Pi and then do full packet capture of any traffic that is directed to the Pi's interface to the USB drive. Other than who doesn't like to sifted through packet captures during downtime, there are times capturing the full stream provides insights and additional options (like running it through your IDS of choice) on the connections being made to you.

Once you have it all set up, secured, tested and running don't forget to share the data with us, especially if you install Kippo [5]

From my observations, don't expect a massive amount of interaction with your home honeypot, but you will see plenty of scanning activity. It's a fairly interesting insight, especially if you pick a number of ports to forward on from your router/modem for the honeypot to listen on. If you do set up tcpdump to capture any traffic hitting the Raspberry Pi network interface (and haven't set up a firewall to drop all non-specified traffic) is that it'll pick up any chatty, confused or possibly malicious connections within your home network if they are broadcasting or scanning the subnet as well. With the Internet of Things being plugged in to home networks now, it's always handy to have a little bit of notification if your fridge starts port scanning every device on your network...

As one of my fellow Handler, Mark Hofman, sagely mentioned:

"if you are going to set one up, make sure you fully understand what you are about to do.  You are placing a deliberately vulnerable device on the internet.  Depending on your location you may be held liable for stuff that happens (IANAL).  It it gets compromised, make sure it is somewhere where it can't hurt you or others."

So keep an eye on your Pi!

Happy honeypotting!

 

[1] http://www.raspberrypi.org/
[2] https://github.com/desaster/kippo
[3] http://glastopf.org/
[4] http://dionaea.carnivore.it/
[5] https://isc.sans.edu/diary/New+Feature%3A+%22Live%22+SSH+Brute+Force+Logs+and+New+Kippo+Client/18433

 

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Thursday, July 31st 2014 http://isc.sans.edu/podcastdetail.html?id=4085, (Thu, Jul 31st)

Wed, 07/30/2014 - 17:58
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts