security

Security patches: A losing battle

Noah Schiffman — Mon, 13 Oct 2008 02:08:47 -0400

Since my participation in Friday's roundtable discussion (see previous blog entry) has probably made some wonder about my level of security comprehension, and question whether English is my first language, I thought I would try to clear up some confusion here, by paraphrasing the thoughts of others.

One of the questions posed was: What do you think is the ultimate solution to end the patch/hack/patch cycle, which is the cornerstone of today's enterprise security?

Read more

Cisco claims best of breed security solutions

jheary — Sat, 11 Oct 2008 15:50:19 -0400

Is it possible to be both a security market share leader and have best of breed solutions? Cisco thinks so.

Read more

Password Reminder PRO: takes the pain out of password expiration

Ron Barrett — Thu, 09 Oct 2008 12:52:41 -0400

One of the unpleasant truths of being a network administrator is that when the time comes for a password to be reset, the little pop up reminder in Windows is not enough. Most users ignore the warnings until…well until you drag yourself in one morning ( and without fail it will happen on a morning you have to drag yourself in) and find that 30- 40% of the firm is locked out of the network.

Read more

Hacker 'schooled' in chat room

Noah Schiffman — Tue, 07 Oct 2008 23:47:17 -0400

Last Friday, I participated in a roundtable discussion on the topic of "Best innovations in Security." Joined by notable security minds Jamey Heary, Dave Kearns, and Andreas Antonopoulos, an hour long chat room session ensued.

Read more

Army cracks down on desktop software

Jeff Caruso — Tue, 07 Oct 2008 16:32:38 -0400

The U.S. Army has put software on about 11,000 desktop machines to guard against unauthorized software installations. If unauthorized software is installed, it can be easily removed remotely.

Read more

IT beware: Chrome, Google Apps pose security risks

Google Subnet — Fri, 03 Oct 2008 08:45:10 -0400

Another analyst has added to Richard Stallman's warnings on cloud computing, specifically honing in on Google's Chrome and Apps. Frost & Sullivan's Robert Ayoub warned in a webinar that both tools pose security risks, especially to organizations where IT has failed to put appropriate policies in place, says Collection Technology.net's Mary Wisneiwski. The idea is that since Chrome enables a faster, better Web experience, more end users will begin doing actual business on the Web, putting business data at risk.

While Chrome and Apps aren't insecure in themselves, the processes they enable are. As Ayoub says:

“The minute you put your data in the hands of your provider, you have just lost control and security of that data.”

Ayoub also offers these three steps for ensuring data remains safe, even in a Chrome/Apps scenario:

1. Recognize the risks and benefits of new devices and applications; 2. Be vigilant. This means looking for new devices that could allow for data to leave the enterprise; 3. Educate users and management about the risks of adopting unchecked applications.

Read more

Credit Card Skimming: How thieves can steal your card info without you knowing it

jheary — Wed, 01 Oct 2008 16:52:54 -0400

Taking just 5 seconds to inspect any credit/debit card readers before you swipe could end up saving you from identity and credit card theft. I’ll show you what to look for before you swipe your next card. The con is called skimming. Skimming works by retrofitting a perfectly legitimate card reader (like an ATM) with a camouflaged counterfeit card reader. The counterfeit reader records all of your card’s information as it passes through. To give you an idea of what we are dealing with, here is a picture of an ATM with a skimmer overlaid on to the slot where you insert your card and a micro camera hidden behind a bogus white plastic piece above the PIN keypad. This ATM was reported to police on September 6, 2008. Image is Courtesy of Naples Police Department: Would you have known it was stealing card data? The purpose of this blog is to educate you on how to identify a skimmer. To that end I’ve compiled a portfolio of example photos made up of both basic and advanced skimmers. It is by no means all inclusive but should give you a heads up on what to look out for the next time you go to swipe your card. According to law enforcement, “Credit card skimming has been around for years and is a growing problem that seems to be getting worse.” Many of us take for granted that inserting your credit/debit card into an ATM or swiping it at the grocery store or gas station is a safe practice. And most of the time you’d be right. However, skimmers are increasingly being retrofitted to legitimate ATMs, gas pumps, grocery/department store checkout machines, restaurants, etc., etc., you name it criminals are trying to skim your credit card from it. Here’s a look at the insides of the micro camera that is capturing video of your keypad presses. Image is Courtesy of Naples Police Department:

Read more

How secure is your corporate network compared to companies in China?

Cisco Subnet — Tue, 30 Sep 2008 15:55:56 -0400

Do you know if your employees are misusing corporate equipment? Cisco Tuesday issued a report that it commissioned which revealed some common data loss mistakes, including employees altering security settings on computers to incidents of employees accessing unauthorized parts of the company (as happens in China). Go here for the top 10 ways collaboration, mobility amplify data leakage dangers.

Cisco recommends the following practices for preventing data loss:

* Know your data; Manage it well: Know how/where it's stored, accessed, used.

* Treat data as if it's your own - Protect it like it's your money: Educate employees how data protection equates to money earned and money lost.

* Institutionalize standards for safe conduct: Determine global policy objectives and create localized education tailored to a country's culture and threat landscape.

* Foster a culture of trust: "Employees need to feel comfortable reporting incidents so IT can resolve problems faster," Stewart said.

* Establish security awareness, education and training: Think globally, but localize and tailor programs for regions based on threat landscape and culture.

Read more

Drive By Hacking; A Story From the Field

JimmyRay — Mon, 29 Sep 2008 20:56:43 -0400

I was at a customer site the other day conducting a bit of forensic analysis for an upcoming security TechWiseTV show. This customer was not happy about the SQL injection attacks some of his users were getting. He conducted training with his staff and end users, yet still, folks came back with Bots, keyloggers, etc... He was more angry then Chicago Cubs fan in October. Looking at what was going on, it appeared to be an classic drive by download attack and not a SQL injection. A drive by works kinda like this; A hacker attacks a web server with a SQL injection to act as a man in the middle between the user facing web application and the SQL database that supports it. Now a SQL injection can really do a lot of different things to get that database to present and do stuff it was not supposed to do. However, in this case, it was a classic ASPROX. It would transparently redirect the user to a hacker mirror that would launch a dark javascript to do an footprinting of the client machine. This is so common a attack that Sophos detected over 16K legitimate web pages were hit with this attack the first half of 2008. If you love math as much as me, you can see that averages out to about one page every five seconds. That is x3 what it was in all of 2007! After the hacker site determined the type and patch level of the OS, the hacker site just launched a simple iFrame redirect to send the user to the server that hosting the vuln exploiter for that OS. Simple, automated and transparent. Now that is goooood codin'! In the end, we found that many users exploited would go to a online gaming site at lunchtime and play poker. Their machines would be patched up on patch Tuesday, be OK for a bit then all of the sudden these clients would bring back all kinds of nastyware to the LAN. Kinda like the Malware version of the Circle of Life...sing it with me!!!

Read more

The Holistic Approach to Security

rsherstobitoff — Mon, 29 Sep 2008 16:56:15 -0400

In the wake of undiscovered data breaches and subsequent public exposure, a layered approach to security is becoming every more important to protecting critical assets.

Despite the increase in the number of data breaches via illicit means, internal controls seem to fail when it comes to the assurance that critical assets remain uncompromised.

According to the Identity Theft Resource Center a total of 336 breaches have been reported in 2008 alone, putting the overall number at 69% greater then this time last year . This is a concern for security teams especially given the fact that a lack of dedicated resources exist to combat and revert this trend.

The problem as it exists today – hidden threats from within

The variable of hidden and unidentified infections will almost certainly introduce a degree of unknowingness and concern when it comes to the protection of sensitive information and adherence to regulations.

More and more malware seen on the market today is designed to target specific platforms and the users that interact with them. Banker Trojans for example are an increasing concern for the financial and e-commerce communities; as a result malware is targeting specific payment or banking platforms advertently stealing credentials, therefore; fueling a rise in financial and economic fraud.

According to a recent study, annual revenue loss due to online fraud in 2007 amounted to $3.6 billion and is a trend that is to be consistent for 2008 and beyond . Online fraud and the use of targeted phishing campaigns have evolved in parallel to each other and are expected to continue to steadily increase. Furthermore, these tactics have become very popular amongst the hacker elite and have taken an evolutionary step forward in sophistication and complexity.

Read more

Anatomy of a Data Breach: A Global Perspective

rsherstobitoff — Mon, 29 Sep 2008 11:53:42 -0400

In the wake of undiscovered data breaches and subsequent public exposure, regulatory compliance and security audit standards are becoming ever more important to protecting critical assets.

Despite the increase in the number of data breaches via illicit means, internal controls seem to fail when it comes to the assurance that critical assets remain uncompromised. According to the Identity Theft Resource Center a total of 336 breaches have been reported in 2008 alone, putting the overall number at 69% greater then this time last year. This is a concern for security teams especially given the fact that a lack of dedicated resources exist to combat and revert this trend.

This is significantly important to take into consideration when going through the formal audit process to certify adherence to Sarbanes-Oxley (SOX), Graham Leach Bliley (GLBA), Payment Card Industry (PCI), or Health Insurance and Portability and Accountability Act (HIPAA).

With the significant increase in data exposure corporations can’t afford to take short-cuts when it comes to information assurance. Otherwise it is almost certain that one will become a victim of a serious exposure of sensitive information. This article will explore the several disconnects between established and accepted security audit framework and the variable of hidden infections.

The problem as it exists today – hidden threats from within

Cisco homepage lost its 't's but you can win a t ... shirt

Cisco Subnet — Thu, 25 Sep 2008 19:15:13 -0400

Cisco's Web site may have lost its 't's for part of the morning today, but Sophos wants to give you a 't' - a t-shirt that is. Yep, on the back of Cisco's missing t's episode Sophos has launched a competition for winners to correctly identify seven words that have the letter t missing. Especially like word No. 5: "buocks" - classic. Check out the words and enter to win! P.S.: Sophos doesn't believe there was something malicious behind Cisco's Web site missing the t's: "after all, a malicious script wouldn’t work as it would be a 'scrip' tag instead," notes Sophos' Graham Cluley.

Read more

A hacker changed my server password! Now what?

JimmyRay — Thu, 25 Sep 2008 15:32:04 -0400

Here in the CodeCave I run a large Dark Net and report my findings to my Twitter followers. If you are not familiar with darknettin' this is the practice of having servers out on the Internet for bait to allow hackers to hack them. Folks do this for many different reasons but my reason is to learn the latest and greatest methods in use on the net today to break into networks.

Many times these servers are just trashed out. Hackers try to destroy them if they are discovered. I had a major exploit found in my FireFox add-in FlashGot. A hacker got in and trashed my system and then changed the password of the root account. Now this is a big deal since I need to log on to that server to gather the data to learn from this attack. Now what? I remembered a little physical access trick I learned a few years back at Linux users group conf from a guru. It works like this:

- Boot the system and get to the GRUB screen. I moved the arrow key so I did not go into normal boot mode.
- Select the version and hit the "E" key to edit the kernel
- Arrow key to the line that begins with Kernel and hit the "E" key
- At the GRUB Edit line, I just simply append the load string with a number 1. So it looks like this:
grub edit>/vmlinuz-2.5.9-22.DRnetsmp ro root=LABEL=/ rhgb quiet 1
- Now hit ENTER and B and the system will boot up into single user mode
- Newcastle time!!! A simple:
sh-2.5# passwd
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully

I got in and grabbed the data and released the forensics to the open source community. I think that is a great example of how we learn from each other. Users groups are a great place but also are open blog postings. Hey, share your knowledge here! Got any good tips and tricks we can all learn from?

Jimmy Ray

What we saw at Interop NY

Sevcik and Wetzel — Tue, 23 Sep 2008 09:26:22 -0400

Last week’s Interop in New York City was eerily normal considering the carnage Wall Street was experiencing just blocks away. Although attendance was modest, vendors told us there were enough qualified and savvy buyers to make the show worthwhile for them. Word is that IT budgets are not being frozen despite economic uncertainty—at least not yet.

The coolness factor of the show was kicked up several notches by the fact that a third of the hall was devoted to Web 2.0-themed exhibitors with names like KickApps, Yuuguu, Kapow Technologies, and Zude. The Web 2.0 portion of the show drew bigger crowds than the “legacy” portion as curious attendees explored new (and opportunistically repositioned) wares. A small portion of the hall was also devoted to Mobile Business Expo, which had a legacy feel to it.

All things virtual featured prominently at this fall’s show, telepresence came into its own, and desktop videoconferencing solutions were prominent. With travel costs skyrocketing, we predict telepresence and desktop video will be up front and center at Interop next spring. Desktop videoconferencing has been around a long time, and may finally be catching on. If so, brace yourselves for a Pandora’s box of enterprise network headaches opened by new infrastructure and large bandwidth demands. The sheer scale of desktop deployments can quickly overload network links and QoS deployments.

Read more

Simplifying Shellcode Analysis

JimmyRay — Mon, 22 Sep 2008 21:11:18 -0400

I run a purty darn big Darknet here in the Code Cave. I like to keep up to date with what is going on in the security space all over the world. I have peering agreements with other Darknetters all over the world to form a huge sensornet that we all benefit from. We have a ton of data to sift thru to find the good stuff. Feels like what panning for gold at Sutters Mill must have felt like in the 1800's...without all the killin' Sounds a little like my last family reunion, but I'll save that for another blog... The problem is after we document an attack or we need to filter out some of the noise, we need to write our own sig to detect and catalogue a known attack. Pattern matching takes some time get the right amount of detail and has always kinda been like having a mother in law that cooks good... An x86 emulator is what is needed however, I have tried qemu and bochs (a little, mainly qemu) and I was not too impressed. They are OK but not cool enough to change my processes and rudimentary scripts. I been messin' around with the tool Libemu to automate the process of shellcode pattern matching and I have been amazed. Libemu is a tool wrote in C (thank goodness) by Markus Koetter. This smokin' hot tool allows me to feed raw decodes from my nepenthes directly into Libemu. It will in turn detect the shellcode offsets and does a analysis of what the shellcode is actually trying to do. I have been using this with a great amount of success in shellcode analysis and it has a hit rate of about 92%!!! Pairing up Libemu with Nepenthes has really cut down my manual shellcode analysis time and increased my cohiba and fishing time and in the end that's what is all about. If you run honeys or do shellcode analysis; do yourself a big favor and start messin' around with Libemu. Jimmy Ray

Cisco's new ASA code allows you to securely take your Cisco IP Phone with you anywhere

jheary — Sun, 21 Sep 2008 21:04:49 -0400

Cisco recently released a new code upgrade for their ASA security appliance. The new release, 8.0.4, contains several new features and many bug fixes. Cisco also released a new version of its GUI, ASDM 6.1.3, that supports the new features of 8.0.4. The fact that 8.0.4 is an Early Deployment (ED) release means that it goes through extensive dev testing before release. It also means that it is meant to be a very stable release of ASA code and will contain numerous bug fixes to support that premise. In fact, 8.0.4 contains some 514 closed caveats that were discovered in previous ASA builds. Most ASA customers who are using SSLVPN features or are on an 8.0.3.X engineering release should seriously consider moving to the new 8.0.4 ED release. 8.0.4 doesn’t just include closed caveats but also some important new features. My favorite new feature has to be the IP Phone and Presence Proxy feature. First the IP Phone Proxy feature. This allows you to take your Cisco IP Phone home with you, plug it into the internet, have it setup an encrypted TLS tunnel back to your ASA, and register with your Cisco Call Manager just like you were at the office. Basically it gives you a VPN from your IP Phone to the Cisco ASA. This allows you to enable work from anywhere voice using your existing Cisco IP Phones. Now the presence proxy feature. This allows you to share your presence information with your other business partners and affiliates. Enterprises share Presence information, and can use IM applications. It allows you to secure connectivity (TLS proxy) between Cisco Unified Presence servers and Cisco or Microsoft Presence servers. Here are some of the benefits of using a Presence solution as reported by Cisco: • Increase productivity: Connect with colleagues on the first try by knowing their availability in advance on either Cisco Unified Personal Communicator and Cisco Unified IP Phone.

Read more

Interview with a Security/Identity Management engineer (and Cisco Subnet reader)

Cisco Subnet — Thu, 18 Sep 2008 17:53:35 -0400

One of the best parts of this job is chit-chatting with readers. Today, we bring you a little insight into the job of security/identity management engineer from a reader that performs this role for one of the nation's major "transportation" companies. We promised not to reveal the company, but can say it is in a highly regulated area of transportation due to the cargo it carries. The reader, Edgar Vargas, happens to be the June winner of Cisco Subnet's free training giveaway from Skyline ATS -- worth up to $3,495! (By the way, you too can be a winner if you enter ... or you just might want to enter any of the other giveaways from Cisco Subnet and Microsoft Subnet.)

Q: So, Edgar, tell us, what's your favorite thing about your job?

A: Every day I get to play "Cops and Robbers" with technology. Scanning our network devices and servers, making sure that malware, bots, viruses and all that is potentially dangerous to our environments stay out and not penetrate our network.

Q: In what ways do you work with Cisco technology?

A: I've got a rack at home with several routers and I'm working on labs for my CCNA exam. I configure and blow up the configs, try different things like password recovery, which came in handy when I forgot what I put in TWICE. I'd say it was a good exercise :-)

Q: If you were the Special Advisor to John Chambers and could make him do anything you wanted with the company, what would you have him do?

Read more

How I steal your Keystrokes without you even knowing it

JimmyRay — Thu, 18 Sep 2008 16:34:50 -0400

I have been messin' round with Keystroke loggers for quite sometime now. Brute forcing and luck of the draw password guessing cuts too much into my fishing time. Sure rainbow tables speed up the process, but I still need a username. That is were keystroke loggers come in handy. I have tried many types of software loggers and truthfully they all suck. It is just the level of suckiness you are willing to put up with. Plus the fact that nearly all of the ones I tested have backdoor relies funnelin'-tunnelin' your info back to abyss of hackerland... I have coded up my own but truthfully, they are just not as flexible as I need them. NEXT! I have also used the Snoop Stick to monitor my kids Internet usage and it works OK. The problem with that product is it does not scale that well and it wraps itself so tight around the TCP/IP stack that any problems with a patch, update or just plain ole removal results in having to reformat the machine. NEXT! Now I am left with hardware keyloggers. Most of those are PS2 connectors so I have to use an adapter that makes it stick out like a turd in a punchbowl. (ah...college...) Anyway, I ordered a hardware logger from KeyGhost and I must admit, I am as impressed with it as I am to walk into a restaurant and they have Newcastle on tap. First off, the KeyGhost logger uses a USB connector like 98% of the keyboards out there today. It also works on both my mega awesome Mac and my average Windows based PC's. Set up is like most other hardware loggers; just plug it inline. But that is really the only similarity. Three things that make the KeyGhost logger far superior to any other product I have tested: - Timestamping. Hardware loggers stand alone and can record thousands to millions of keystrokes. knowing how fresh the data is, is super important to avoid detection and provide useful analysis.

Read more

Top 5 recon hack tools

JimmyRay — Tue, 16 Sep 2008 13:00:54 -0400

I like lists. I tend to break down many different topics into a list format. Mentally, it is in CSS format and without a doubt marketing speak is equal to a SQL injection attack in my ole gourd. Be that as it may, (I love using that statement, makes me feel like a literary type person) I keep a top five list on the best places to eat in all the cities I visit often, top five best fishing holes, top five best Star Trek episodes and of course top five reasons to avoid going to my mother in laws.

Read more

Security Shouldn't Take a Backseat to Virtualization

rsherstobitoff — Mon, 15 Sep 2008 12:39:04 -0400

There’s no question that advances in server virtualization technology are becoming popular among corporations that want to save money by consolidating resources and improving operational efficiency. Virtualization enables a dramatic increase in cost savings in ongoing maintenance and the cost required to keep physical assets afloat. These benefits are often seen by CIOs and other information technology leaders as adding tremendous value to an existing robust IT infrastructure. Who wouldn’t want to save money by reducing the size and extent of their data center, especially in the manufacturing and financial services industries?

Read more