November's Issue of the OUCH Newsletter is available, covering Social Engineering! http://www.securingthehuman.org/ouch, (Wed, Nov 5th)
Alex Stanford - GIAC GWEB GSEC,
Research Operations Manager,
SANS Internet Storm Center
ISC StormCast for Wednesday, November 5th 2014 http://isc.sans.edu/podcastdetail.html?id=4223, (Wed, Nov 5th)
From the vFeed Github repo: vFeed framework is an open source naming scheme concept that provides extra structured detailed third-party references and technical characteristics for a CVE entry through an extensible XML schema. It also improves the reliability of CVEs by providing a flexible and comprehensive vocabulary for describing the relationship with other standards and security references.
Figure 1: vFeed usage
You can use the likes of vfeedcli.py search CVE-2014-6271 to look for everyone
Figure 2: vFeed search
Note that vFeed recommends that I export that CVE for more information. Ok, I will! The result is an XML file that includes every facet of the vulnerability, including all the reference URLs, cross references, vulnerable targets (CPE), risk scoring (CVSS), patch management details, attack patterns, assessment data (exploits, vuln scanning), and even Snort/Suricata signature details. I love vFeed so much I even wrote a little R app to parse vFeed XML exports for quick summaries (will be sharing in December as part of a Linux Magazine article, Security Data Analytics).
@holisticinfosec (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
ISC StormCast for Tuesday, November 4th 2014 http://isc.sans.edu/podcastdetail.html?id=4221, (Tue, Nov 4th)
Newcastle (UK) University researchers claim to have found an exploit for the contactless payment feature of Visa cards. One of the fraud prevention features of these cards is that only small amounts can be charged in touch mode, without requiring a PIN. But the researchers say that simply changing the currency seems to evade these precautions completely, and they built a fake POS terminal into a smart phone that apparently can swipe money from unsuspecting victims just by getting close enough to their wallet.
According to the press release, VISA's response was that they believe that the results of this research could not be replicated outside a lab environment. Unfortunately, there ain't too many cases in security engineering history where such a claim held for more than a day or three. If this attack turns out to be true and usable in real life, Visa's design will go down into the annals of engineering screwups on par with NASA's Mars Climate Orbiter, where the trajectory was computed in inches and feet, while the thruster logic expected metric information.
Needless to say that the latter episode didn't end all that well.
A couple of weeks ago, I already covered the situation where a cloud IP address gets re-assigned, and the new owner still sees some of your traffic. Recently, one of our clients had the opposite problem: They had changed their Internet provider, and had held on to the old address range for a decent decay time. They even confirmed with a week-long packet capture that there was no afterglow on the link, and then dismantled the setup.
Until last week, when they got an annoyed rant into their abuse@ mailbox, accusing them of hosting an active spam operation. The guy on duty in the NOC didn't notice the IP address at first (it was still familiar to him), and he triggered their incident response team, who then rather quickly confirmed: Duh, this ain't us!
A full 18 months after the old ISP contract expired, it turns out that their entire contact information was still listed in the WHOIS record for that old netblock. After this experience, we ran a quick check on ~20 IP ranges whose owner we knew had changed in the past two years, and it looks like this problem is kinda common: Four of them were indeed still showing old owner and contact information in whois records.
So, if you change IPs, don't just keep the afterglow in mind; also remember to chase your former ISP until all traces of your contact information are removed from the public records associated with that network.
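The check described above (looking at returned netblocks for contact details that should no longer be there) can be scripted. The following is an added example written for this diary, not the ISC's own tooling: the WHOIS text is constructed in the ARIN-style "Key: value" layout, and the organisation name and mailboxes in OLD_IDENTIFIERS are placeholders for whatever your former records contained.

```python
"""Flag netblocks whose WHOIS records still carry contact details of a
former holder. The WHOIS text below is constructed for this example and
is not real registry output; the fields (NetRange, OrgName, OrgAbuseEmail,
OrgTechEmail) follow the ARIN-style "Key: value" layout."""

import re

# Constructed identifiers of the organisation that gave the addresses back.
# None of these should still appear in the public record for the block.
OLD_IDENTIFIERS = {
    "example corp",
    "noc@example.com",
    "abuse@example.com",
}

# Constructed WHOIS responses, keyed by the netblock that was queried.
SAMPLE_WHOIS = {
    "192.0.2.0/24": """\
NetRange:       192.0.2.0 - 192.0.2.255
OrgName:        New Holder Ltd
OrgAbuseEmail:  abuse@new-holder.example
OrgTechEmail:   noc@new-holder.example
""",
    "198.51.100.0/24": """\
NetRange:       198.51.100.0 - 198.51.100.255
OrgName:        Example Corp
OrgAbuseEmail:  abuse@example.com
OrgTechEmail:   noc@new-holder.example
""",
}

# "Key: value" lines; hyphenated keys cover RIPE-style names such as org-name.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z-]*):\s*(.*)$")


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; repeated keys collect a list."""
    record = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        record.setdefault(key, []).append(value)
    return record


def stale_fields(record, old_identifiers):
    """Return (field, value) pairs whose value is one of the old identifiers."""
    old = {s.lower() for s in old_identifiers}
    hits = []
    for key, values in record.items():
        for value in values:
            if value.lower() in old:
                hits.append((key, value))
    return hits


def check_netblocks(whois_by_block, old_identifiers):
    """Map each netblock to the stale (field, value) pairs found in its record."""
    return {
        block: stale_fields(parse_whois(text), old_identifiers)
        for block, text in whois_by_block.items()
    }


if __name__ == "__main__":
    for block, hits in check_netblocks(SAMPLE_WHOIS, OLD_IDENTIFIERS).items():
        status = "STALE" if hits else "clean"
        print(f"{block}: {status}", *(f"{k}={v}" for k, v in hits))
```

On a real run you would replace the SAMPLE_WHOIS dictionary with the text returned by querying each returned block (for example by running the whois client per block), and keep the list of old identifiers under version control so the same check can be repeated after the former ISP confirms the cleanup. The match is deliberately exact on the field value; postal address lines, which registries format less consistently, would need a looser substring comparison.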
If you have @!#%%%! stories to share about stale whois information, feel free to use the comments below, or our contacts form.
Are you looking for another packet sniffer? justniffer is a packet sniffer with some interesting features. According to the author, this packet sniffer can rebuild and save HTTP file content sent over the network. It uses portions of Linux kernel source code for handling all TCP/IP stuff. Precisely, it uses a slightly modified version of the libnids libraries that already include a modified version of Linux code in a more reusable way. The tarball can be downloaded here and a package is already available for Ubuntu.
The binary execution is pretty straightforward: you can capture/read off the wire or replay captured pcap files. This example (using the -l option for a custom log format) will output the Time, Destination IP, Website and URL:
justniffer -l "%request.timestamp %dest.ip %request.header.host %request.url" -f file.pcap
11/01/14 17:31:42 188.8.131.52 www.blackberry.com /select/wifiloginsuccess/EN/
11/01/14 13:08:45 184.108.40.206 init.ess.apple.com /WebObjects/VCInit.woa/wa/getBag?ix=1
11/01/14 12:55:27 220.127.116.11 fonts.gstatic.com /s/droidserif/v6/0AKsP294HTD-nvJgucYTaOL2WfuF7Qc3ANwCvwl0TnA.woff2
11/01/14 12:55:26 18.104.22.168 fonts.googleapis.com /css?family=Droid+Serif:regular|Crimson+Text:italic
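Once justniffer is writing one request per line in that format, the output is easy to post-process. The following is an added example (not part of the diary or of the justniffer project): it parses the four lines shown above plus two constructed ones, counts requests per host, and flags two things an analyst commonly reviews, a Host header that is a bare IP literal and an unusually long request path. The threshold of 512 bytes is an arbitrary assumption.

```python
"""Summarise justniffer request logs produced with
  -l "%request.timestamp %dest.ip %request.header.host %request.url"
The first four lines below are the diary's own output; the last two are
constructed to exercise the checks (a Host header that is an IP literal,
and a very long request path)."""

from collections import Counter
from datetime import datetime
import ipaddress

SAMPLE_LOG = """\
11/01/14 17:31:42 188.8.131.52 www.blackberry.com /select/wifiloginsuccess/EN/
11/01/14 13:08:45 184.108.40.206 init.ess.apple.com /WebObjects/VCInit.woa/wa/getBag?ix=1
11/01/14 12:55:27 220.127.116.11 fonts.gstatic.com /s/droidserif/v6/0AKsP294HTD-nvJgucYTaOL2WfuF7Qc3ANwCvwl0TnA.woff2
11/01/14 12:55:26 18.104.22.168 fonts.googleapis.com /css?family=Droid+Serif:regular|Crimson+Text:italic
11/01/14 12:58:03 203.0.113.9 203.0.113.9 /check
11/01/14 12:59:11 203.0.113.9 cdn.example.net /""" + "A" * 600 + "\n"


def parse_line(line):
    """Split one log line into a dict; returns None for malformed lines.
    The timestamp occupies two whitespace-separated fields, so split into
    exactly five pieces and keep any remaining text as part of the URL."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    day, clock, dest_ip, host, url = parts
    try:
        when = datetime.strptime(f"{day} {clock}", "%m/%d/%y %H:%M:%S")
    except ValueError:
        return None
    return {"time": when, "dest_ip": dest_ip, "host": host, "url": url}


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def is_ip_literal(host):
    """True when the Host header is an address rather than a name."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def summarize(records, long_url=512):
    """Requests per host, plus (host, url prefix, reasons) rows to review."""
    per_host = Counter(r["host"] for r in records)
    flagged = []
    for r in records:
        reasons = []
        if is_ip_literal(r["host"]):
            reasons.append("Host header is an IP literal")
        if len(r["url"]) > long_url:
            reasons.append(f"request path longer than {long_url} bytes")
        if reasons:
            flagged.append((r["host"], r["url"][:40], reasons))
    return per_host, flagged


if __name__ == "__main__":
    per_host, flagged = summarize(parse_log(SAMPLE_LOG))
    for host, n in per_host.most_common():
        print(f"{n:4d}  {host}")
    for host, url, reasons in flagged:
        print(f"REVIEW {host} {url} :: {'; '.join(reasons)}")
```

Feeding justniffer's output to the script on a live interface is a matter of piping stdout into a process that reads lines as they arrive; the parser above does not depend on the file being complete, so truncated last lines are simply skipped.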
The bundled justniffer-grab-http-traffic script rebuilds the HTTP content mentioned above and saves it into a directory, here while dropping privileges to the nobody user:
justniffer-grab-http-traffic -d /tmp/web_traffic -U nobody -i eth1
It can decode other protocols by reading them in raw format. For example, just reading an email capture without any options outputs the following summary information:
root@sniffer:/tmp# justniffer -f mail_mime.pcap
192.168.37.202 - - [-] test.mail.ca 0
192.168.37.202 - - [29/Dec/2008:19:35:08 -0500] HELO web88101.mail.re2.yahoo.com mail.server.ca 0
192.168.37.202 - - [29/Dec/2008:19:35:08 -0500] MAIL FROM: 2.1.0 0
192.168.37.202 - - [29/Dec/2008:19:35:08 -0500] RCPT TO: 2.1.5 0
192.168.37.202 - - [29/Dec/2008:19:35:08 -0500] DATA Enter 0
192.168.37.202 - - [29/Dec/2008:19:35:10 -0500] 30 Dec 2008 00:35:02 -0000 2.0.0 0
192.168.37.202 - - [29/Dec/2008:19:35:10 -0500] QUIT 2.0.0 0
Adding raw Mon, 29 Dec 2008 19:35:08 -0500 (EST)
250 test.mail.ca Hello web88101.mail.re2.yahoo.com [22.214.171.124], pleased to meet you
250 2.1.0 ... Sender ok
250 2.1.5 ... Recipient ok
354 Enter mail, end with . on a line by itself
This is another alternative tool to capture and analyze traffic that can be added to your tool bag. Give it a try.
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
ISC StormCast for Monday, November 3rd 2014 http://isc.sans.edu/podcastdetail.html?id=4219, (Mon, Nov 3rd)
This is a guest diary submitted by Chris Sanders. We will gladly forward any responses or please use our comment/forum section to comment publicly.
If you work with any type of IDS, IPS, or other detection technology then you have to deal with false positives. One common mistake I see people make when managing their indicators and rules is relying solely on the rate of false positives that are observed. While false positive rate is an important data point, it doesn't encompass everything you should consider when evaluating the effectiveness of a rule or indicator. For instance, consider a scenario where you have a rule that looks for a specific
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Random Malware"; content:"|AB BF 09 B7|";
You can see that this rule isn't incredibly specific as it examines all TCP traffic for four specific outbound bytes. As a result, there might be potential for false positives here. In this case, I ran this rule on a large network over the course of a month, and it generated 58 false positive alerts. Using that data point alone, it sounds like this rule might not be too effective. As a matter of fact, I had a few people who asked me if I could disable the rule. However, I didn't because I also considered the number of true positive alerts generated from this rule. Over the same period of time this rule generated 112 true positive alerts. This means that the rule was effective at catching what it was looking for, but it still wasn't
I mention the word precise, because the false positive and true positive data points can be combined to form a precision statistic using the formula P = TP / (TP + FP). This value, expressed as a percentage, can be used to describe exactly how precise a rule is, with higher values being more desirable. In the case of our example rule, the rule has 65.9% precision, meaning that it successfully detected what it was looking for 65.9% of the time.
That doesn't sound like a rule that should be disabled to me. Instead, I was able to conduct more research and further tune the rule by looking for the
When examining rules and indicators for their effectiveness, be sure to consider both true and false positives. You might miss out on favorable detection if you don't
Blogs: http://www.chrissanders.org
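The point of the diary, that a rule's raw false-positive count and its precision rank rules differently, is easy to demonstrate once alert verdicts are tallied per rule. The following is an added example, not Chris Sanders' code: the triage records are constructed, with the "random-malware" rule reproducing the diary's 112 true and 58 false positives, and two made-up rules added so the two rankings disagree.

```python
"""Score detection rules by precision P = TP / (TP + FP) instead of by raw
false-positive count. All triage records below are constructed; the
"random-malware" rule carries the diary's numbers (112 TP, 58 FP)."""

from collections import defaultdict

# Constructed triage log of (rule name, analyst verdict). In practice this
# comes from the case system in which the SOC closes alerts.
TRIAGE = (
    [("random-malware", "tp")] * 112 + [("random-malware", "fp")] * 58
    + [("noisy-scanner", "tp")] * 3 + [("noisy-scanner", "fp")] * 40
    + [("rare-beacon", "tp")] * 9 + [("rare-beacon", "fp")] * 1
)


def count_verdicts(triage):
    """Per-rule {'tp': n, 'fp': n}; rejects verdicts other than tp/fp."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0})
    for rule, verdict in triage:
        if verdict not in ("tp", "fp"):
            raise ValueError(f"unknown verdict {verdict!r} for rule {rule}")
        counts[rule][verdict] += 1
    return dict(counts)


def precision(tp, fp):
    """P = TP / (TP + FP). None when the rule never fired: the statistic
    is undefined, not zero, so a silent rule is not ranked as 'worst'."""
    total = tp + fp
    return None if total == 0 else tp / total


def score_rules(triage, min_alerts=10):
    """Rows sorted worst precision first; rules that fired fewer than
    min_alerts times are marked low_confidence rather than trusted."""
    rows = []
    for rule, c in count_verdicts(triage).items():
        rows.append({
            "rule": rule, "tp": c["tp"], "fp": c["fp"],
            "precision": precision(c["tp"], c["fp"]),
            "low_confidence": (c["tp"] + c["fp"]) < min_alerts,
        })
    rows.sort(key=lambda r: (r["precision"] is None, r["precision"] or 0.0))
    return rows


def by_fp_count(triage):
    """The ranking the diary argues against: most false positives first."""
    counts = count_verdicts(triage)
    return sorted(counts, key=lambda r: counts[r]["fp"], reverse=True)


if __name__ == "__main__":
    print("worst precision first:")
    for r in score_rules(TRIAGE):
        pct = "n/a" if r["precision"] is None else f"{r['precision']:.1%}"
        flag = " (few alerts)" if r["low_confidence"] else ""
        print(f"  {r['rule']:<16} TP={r['tp']:<4} FP={r['fp']:<4} P={pct}{flag}")
    print("most false positives first:", by_fp_count(TRIAGE))
```

Ranked by false positives alone, "random-malware" sits at the top of the list and looks like the first rule to disable; ranked by precision it is in the middle, and the rule actually worth tuning effort is "noisy-scanner", which fires less often but is right only about 7% of the time.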
ISC StormCast for Friday, October 31st 2014 http://isc.sans.edu/podcastdetail.html?id=4217, (Fri, Oct 31st)
Often the start of a problem and its solution is receiving a call from a manager, project manager or other non-technical decision maker. You'll know going in that the problem is absolutely real, but the information going in might be a total red herring.
Some classic examples are:
"The network is slow. I ran a speed test, we should be seeing 10x the speed."
This is almost always a math error. The speed was measured in Bytes (upper case B) instead of bits (lower case b). Multiply by 8 and things should look better.
"The network is slow. Our new web server takes 30 seconds to load the lead page."
As most of you know, in a modern gigabit network, even on a busy network there just isn't anything on the network that will add a 30 second delay. 30 seconds in particular would have me checking for DNS issues first, especially for a new host or service. However, in this case, the client was loading their entire Java application (including the business logic) before the login page. The appdev answer to this would be to load the login page first, then load the app asynchronously in the background. The security answer to this is to question why you would load the application logic to an untrusted workstation on a hostile network (public internet).
"The network is slow. It must be a broadcast storm."
It's exceedingly rare to see a broadcast storm. Plus, if the switches are configured correctly and a broadcast storm does occur, it should be contained to a single Ethernet port, and it should either be rate limited or the port should be shut down, depending on your configuration.
When a non-technical person says "broadcast storm", it really could mean anything that affects performance. Almost always it will end up being something server side: DNS misconfigurations are a common thing (10-30 second delays on the first request), but it could also be an oversubscribed virtual infrastructure, coding errors, out of memory conditions, errors in programming, anything really.
"The firewall is blocking our traffic."
In some cases, especially if there is an egress filter, this can be the case. However, in many other cases it could be something else entirely. We recently worked on an issue where an AS400 (iSeries now I guess) was not connecting to the server. It turned out that the certificate needed for the connection was incorrect - the vendor had sent us a cert for a different site entirely. Wireshark did a great job in this case of saying LOOK HERE- THE PROBLEM IS HERE by giving us a Bad Certificate error - in bright red - in the main view.
"We need port 443 open, in both directions."
This is NEVER the case, but is commonly seen in vendor documentation. Either you need an outbound port (possibly an update to the egress filter), or an inbound port open. There are very few "in both directions" requirements; special cases like IPSEC VPNs encapsulated in UDP (NAT-T) for instance will have both a source and destination port of udp/500. In most cases, when the requirement is "in both directions" or "bidirectional", it's a bit of a treasure hunt to figure out what they mean (usually it's outbound).
The moral of the story? I guess the first one is that if somebody tells you that the problem is the network, 70% of the time it's not the network. More importantly though, if you get a business problem from a business person, it's not something to minimize. You might not be able to count on all the information you get going in, but if they tell you something is slow or not usable, it's their system; they are usually correct in at least identifying that the problem is real.
Please, use our comment form and fill us in on any recent false positives from a non-technical source that you've seen. Extra points if it was a real problem, but the initial info started you off in the wrong direction.
NIST 800-150 Draft Document "Guide to Cyber Threat Information Sharing" Released - http://csrc.nist.gov/publications/drafts/800-150/sp800_150_draft.pdf, (Thu, Oct 30th)
=============== Rob VandenBrink Metafore
Recently we seem to have a theme of new bugs in old code: first (and very publicly) openssl and bash. This past week we've had a bunch more, less public but still neat bugs.
First, a nifty bug in strings - CVE-2014-8485, with more details here http://lcamtuf.blogspot.ca/2014/10/psa-dont-run-strings-on-untrusted-files.html
A problem in wget with ftp: https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access
And now the ftp client (found first in BSD): http://cxsecurity.com/issue/WLB-2014100174
These all share some common ground, where data that the code legitimately should be processing can be crafted to execute an arbitrary command on the target system. The other common thing across these is that these utilities are part of our standard, trusted toolkit; we all use these every day.
Who knew? Coders who wrote stuff in C back in the day didn't always write code that knew how much was too much of a good thing. Now that we're all looking at problems with bounds checking on input data, expect to see at least a couple more of these!
ISC StormCast for Thursday, October 30th 2014 http://isc.sans.edu/podcastdetail.html?id=4215, (Thu, Oct 30th)
I think that I will start this Diary with the following statement:
If you use an open source CMS, and you do not update it frequently, there is a very high chance that your website if not only compromised but also part of a botnet.
You probably already saw several of our diaries mentioning vulnerabilities in very well-known CMS systems like WordPress and Joomla, which are quite powerful and easy to use/install, and also full of vulnerabilities and require frequent updates.
The third one in this list is Drupal. We mentioned last week on our podcast a critical vulnerability fixed by the developers, and today they released a Public Service Announcement (PSA) in regards to that vulnerability. And it is scary (yes, Halloween pun intended...).
The PSA mentions that within hours of the patch announcement, there were already several automated attacks looking for the SQL injection vulnerability in Drupal implementations.
As our reader Gebhard noted, there is a very interesting quote in the PSA:
"You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement"
This means that by now, even if you updated your server, there is a very high chance that your server is now part of a botnet... so, if you have a website with Drupal, I would highly recommend the Recovery section of the PSA document.
Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure
ISC StormCast for Wednesday, October 29th 2014 http://isc.sans.edu/podcastdetail.html?id=4213, (Wed, Oct 29th)
ISC StormCast for Tuesday, October 28th 2014 http://isc.sans.edu/podcastdetail.html?id=4211, (Tue, Oct 28th)
I will never forget the name of my first server - Rachel. I was very proud to be the person whose job it was to defend Rachel from all types of disruption. To this day I still remember each IP address, user account, service account and application. When patches were installed, I manually verified they had been applied successfully. I diligently reviewed the logs and configured full auditing to let me know the success and failure of just about everything.
I have administered many servers since Rachel, but do not remember as much about them as I do about my first love. Consider this an invitation to fall back in love with your
How can you do this? The act of actively measuring how well you manage, secure and maintain your servers can very well be the catalyst you need to return back to your first love. Consider creating and sending yourself a daily report that clearly shows its current security posture. What are good candidates for this report? I am glad you asked. Some of my favorites include the following.
Mean time to identify a new service running (or not running anymore)
There are certainly many metrics you could track. Pick a few and diligently check them every day for the next month. You'll be glad you did!
Feel free to use our comment page to let us know what you are doing to remember your first love.
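The "new service running (or not running anymore)" metric starts with a daily comparison of what is listening against a saved baseline. The following is an added example, not Russell Eubanks' own report: both snapshots are constructed in the layout of `ss -ltnp` output (assumed Linux host), and on a real server the TODAY text would be replaced by the live output of that command while BASELINE is the copy you saved when the build was signed off.

```python
"""Daily 'new listening service' report: compare today's listening sockets
against a saved baseline and report what appeared or disappeared. Both
snapshots below are constructed in the layout of `ss -ltnp` output."""

import re
from datetime import date

# Constructed baseline captured when the server was built.
BASELINE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1201,fd=7))
"""

# Constructed snapshot from today: port 80 is gone, an unexpected
# python3 listener on 8081 has appeared.
TODAY = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
LISTEN 0      128    0.0.0.0:8081       0.0.0.0:*         users:(("python3",pid=3377,fd=5))
"""

# Process name out of the users:(("name",pid=N,fd=M)) column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Return {(address, port): process name} for every LISTEN row."""
    listeners = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")   # handles [::]:22 as well
        m = PROC_RE.search(line)
        listeners[(addr, int(port))] = m.group(1) if m else "?"
    return listeners


def diff_services(baseline, today):
    """Sets of (addr, port, process) that appeared and that went away."""
    base, now = parse_ss(baseline), parse_ss(today)
    new = {(a, p, now[(a, p)]) for (a, p) in now.keys() - base.keys()}
    gone = {(a, p, base[(a, p)]) for (a, p) in base.keys() - now.keys()}
    return new, gone


def daily_report(baseline, today, when=None):
    """Plain-text report suitable for mailing to yourself every morning."""
    new, gone = diff_services(baseline, today)
    when = when or date.today()
    lines = [f"Listening service report for {when.isoformat()}"]
    lines += [f"  NEW   {a}:{p} ({proc})" for a, p, proc in sorted(new)]
    lines += [f"  GONE  {a}:{p} ({proc})" for a, p, proc in sorted(gone)]
    if not new and not gone:
        lines.append("  no change against baseline")
    return "\n".join(lines)


if __name__ == "__main__":
    print(daily_report(BASELINE, TODAY))
```

Keyed on address and port rather than on process name, the diff still reports a service whose binary was swapped only if its socket changed; recording the process name alongside, as above, lets the reader spot that case in the report. The "mean time to identify" number in the diary is then simply the gap between the first day a NEW line appears and the day it is acknowledged.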
@russelleubanks
ISC StormCast for Monday, October 27th 2014 http://isc.sans.edu/podcastdetail.html?id=4209, (Mon, Oct 27th)
Continuing our theme of False Positives this month, I'd like to talk about the process of managing false positives we encounter in the course of analysis. False positives will almost always show at some point during a security analysis, which leads to unwanted additional work on the part of either the sysadmins, security teams, or both. Even worse, continued false positives can lead to complacency during analysis, where things are assumed
Managing false positives in our testing and analysis is part of the overall security process, which can be used to identify and eliminate false positives.
- Ports, Protocols, and Services baseline (need to know what we have on the wire, and where it
An ideal scenario in an operating environment may run something like this: A Continuous Monitoring program alerts that a vulnerability exists on a host. A review of the configuration of the host shows that the vulnerability does not exist, and a verification can be made from the traffic logs, which reveal that no traffic associated with the vulnerability has transited the wire. The Continuous Monitoring application should be updated to reflect that the specific vulnerability reported on that specific host is a false positive, and should be flagged accordingly in future monitoring. The network monitoring would *not* be updated, because it did not flag a false positive, leaving the defense-in-depth approach intact.
Now, this is *ideal*, and a very high level, but it hopefully gives some ideas on how false positives could be managed within the enterprise, and the processes that contribute. We would really like to hear how false positives are managed in other enterprise environments, so let us know. :)
tony d0t carothers --gmail