vulnerability

Nov 5 2009   4:50PM GMT

Do you use TLS or client certificates for authentication? Beware of new MITM vulnerability

Posted by: Troy Tate
tls, SSL, certificates, web services, authentication, IIS, apache, vulnerability, information security, risk, risk management

As Michael Morisy of ITKE recently posted, New SSL security hole allows man-in-the-middle attacks, a new SSL vulnerability has been announced. What you need to know about this vulnerability is that it most affects TLS (transport layer security) sessions using client authentication certificates. This is a vulnerability at the protocol level which makes it very difficult to fix where a recent previous SSL vulnerability had to do with certificate formats and content.

For specific details from the original researchers, visit the ExtendedSubset.com website. The summary of the announcement is shown below:

 Renegotiating_TLS.pdf

Some helpful protocol diagrams: Renegotiating_TLS_pd.pdf

Packet captures: renegotiating_tls_20091104_pub.zip

This one is definitely going to be interesting to watch. The excitement never ends in the security world. Leave a comment and let other ITKE readers know if you foresee any issues on this vulnerability or if you have taken any specific actions to address the risk. Thanks for reading and let’s continue to be good network citizens.

Sep 14 2009   1:49PM GMT

Microsoft does not patch vulnerability for supported version of Windows

Posted by: Troy Tate
Microsoft, information security, vulnerability, risk management, patches, tcp-ip, tcp, tcp/ip, Windows, windows 2000, support, Microsoft support, threat, risk

Last week was the September issue of Microsoft “patch Tuesday”. The September 2009 Microsoft Security Bulletin lists a number of vulnerabilities. Microsoft held the bulletin webcast on Wednesday, September 9, to discuss the vulnerabilities and customer concerns.

One particular bulletin is creating some concerns for Microsoft Windows 2000 users. MS09-048 is a bulletin for a vulnerability to the TCP/IP stack in all current supported versions of Windows. The bulletin describes the vulnerability:

Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)

This security update resolves several privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

Even though the bulletin here describes it as potential remote code execution, the webcast focused more on the denial of service threat due to this vulnerability. Unfortunately, Microsoft has chosen to not issue a patch for Windows 2000, even though Windows 2000 is a supported version of Windows with regards to patches and security fixes. ComputerWorld gives a good amount of detail in the article: Microsoft: Patching Windows 2000 ‘infeasible’ Dark Reading published Microsoft, Cisco Issue Defenses For TCP Denial-Of-Service Attack and The Register published Microsoft, Cisco issue patches for newfangled DoS exploit.

I know that there is a reasonable population of Windows 2000 machines in operation at my organization. So, this choice by Microsoft to not issue a patch for this vulnerability raises some concerns. Fortunately the vulnerable population is not publicly exposed and does not have mobile users. The layered defenses we have in place should help mitigate the risks to our environment. However, the risk is still there and the threat needs to be addressed. What other vulnerability will come out that Microsoft chooses not to address in a supported operating system? Are you facing the same situation in your environment? How large is the risk to your environment? What are you doing to address these threats? Why are you doing what you are doing? Share your thoughts with other ITKE readers.

Thanks for reading & let’s continue to be good network citizens.

Aug 24 2009   8:33PM GMT

Red alert - automated SHIELDS Up - malware becomes smarter!

Posted by: Troy Tate
malware, bot, command and control, malware research, information security, threat, vulnerability

If you haven’t recently kept up to date on the malware front, a recent article at DarkReading may come as a surprise to you. ALERT: Malware has become intelligent!

Rare Malware A Hint Of Threats To Come shows that malware has come a long way and has gained some significant intelligence to avoid detection. The article mentions that some attacks are more directed than broad. These attacks go at specific organizations and even specific data at those organizations. Once the data is collected, the malware can clean up after itself and disappear.

Other “intelligent” behavior seen by researchers includes command and control systems that can determine if a device is actually an owned bot or a researcher imitating a bot. In these types of cases, the command and control system can actually blacklist the researcher’s network range so it cannot intrude on the malware environment.

Quite intriguing stuff and this is what is really happening today! You should be familiar with this stuff if you manage a computer network and are responsible for security. Remember in secURITy - U R IT (you are IT).

Thanks for reading & let’s continue to be good network citizens!

Mar 31 2009   3:32PM GMT

Simple Conficker Scanner tool released - find the infected machines

Posted by: Troy Tate
honeynet, diagnostic tools, Conficker, ms08-067, antivirus, patches, anti-virus, detection, scanning, vulnerability scanning, vulnerability

A Simple Conficker Scanner (SCS) tool has been released by members of the Honeynet Project. This tool can be run under linux or Windows. It runs a specially crafted RPC query against a host or range of IP addresses. The tool will tell if systems are clean or potentially infected. I am running this tool against hosts on my network and I found a Windows 2000 server apparently infected by Conficker. I am in the process of clean-up on that host. It looks like a couple of things contributed to the infection on this computer:

1. Out of date anti-virus. The antivirus signatures had not been updated since January 2008.

2. Microsoft patches not applied.

Folks, the advice about maintaining up-to-date AV and applying patches is good advice. Heed the warnings and save yourself some troubles of clean-up. I will be having a discussion with my operations team about this situation and make it clear that we should have been prepared for this and this situation should not have arisen.

I am also following the advice from McAfee on Combating the Conficker worm

For more details on how the Conficker worm actually works, follow the links in my blog

The Conficker Analysis - are you ready for April 1?

Thanks for reading. Let’s continue to be good network citizens.

Dec 3 2008   3:50PM GMT

Holiday greeting cards, holiday shopping and computer security awareness

Posted by: Troy Tate
administration, Firewalls, Security, Microsoft Windows, Browsers, IT education, spam, antivirus, homeland security, Data security, malware, SSL, phishing, Firefox, Microsoft, anti-virus, online identity, risk, awareness, vulnerability, education, data loss

I just sent this email reminder to all users in my organization. I would recommend you do something similar if you are not already ensuring users are aware of these issues. Feel free to use my content and add your own.

 It is that time of year again when folks send electronic holiday greeting cards to one another. Some of the greetings may also be games that bear holiday messages. It is also a time when malicious software spreads using these same types of messages and software. You should also be cautious when doing any holiday shopping online or at stores. It is important that you and those you communicate with understand these risks. Your finances and identity are always at risk in today’s technology environment, but you may be less attentive during the holiday season. The following 10 tips are meant to remind you of some important security precautions.

 

1.    Do NOT use your company email address for personal holiday greetings or shopping activities. Merchants may sell your email address to other non-reputable sources and this puts your company identity at risk.

 

2.    If you receive personal holiday greetings or “cute” games at your company email address, ask the sender to not send those to you at work. Use a personal email account for those communications.

 

3.    If you do receive holiday greetings or games at your personal email address, check with the sender before opening to be sure they sent the message. Spammers and malicious software writers can easily deceive you through social engineering. They will do everything possible to get you to open their message and potentially damage your computer and/or harvest your email address as a valid address.

 

4.    Don’t trust everything you see online. Finding something on the internet does not guarantee that it is true. Anyone can publish information online, so before accepting a statement as fact or taking action, verify that the source is reliable.

 

5.    If it looks too good to be true, it probably is. You have probably seen many emails promising fantastic rewards or monetary gifts. However, regardless of what the email claims, there are not any wealthy strangers desperate to send you money. Beware of grand promises—they are most likely spam, hoaxes, or phishing schemes. Also be wary of pop-up windows and advertisements for free downloadable software—they may be disguising spyware. Close the pop-up windows by clicking the X in the top right corner. Do not click the YES, NO, or CANCEL buttons in the window. It may cause unwanted computer issues if you do. Do not trust what you see in these pop-up windows. Contact IT support if you have any questions or issues.

 

6.    Avoid phishing schemes. Banks and other institutions will not actively solicit personal information by email. When you click a link in an email asking for this type of information, your choice may risk your finances and personal identity. The link may take you to a website hosted by someone with malicious intentions. If you enter your personal information on the website, you have just had your identity taken by a social engineering attack and may have incurred a financial loss.

 

7.    If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a web site connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org/phishing_archive.html).

 

8.    If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account. Consider reporting the attack to the police, and file a report with the Federal Trade Commission (http://www.ftc.gov/).

 

9.    Do not participate in forwarding chain letters or perpetuating hoaxes or urban legends. Hoaxes attempt to trick or defraud users. A hoax could be malicious, instructing users to delete a file necessary to the operating system by claiming it is a virus. It could also be a scam that convinces users to send money or personal information. Phishing attacks could fall into this category. Urban legends are designed to be redistributed and usually warn users of a threat or claim to be notifying them of important or urgent information. Another common form are the emails that promise users monetary rewards for forwarding the message or suggest that they are signing something that will be submitted to a particular group. Urban legends usually have no negative effect aside from wasted network bandwidth, server resources and time. If you want to check the validity of an email, there are some web sites that provide information about hoaxes and urban legends: Urban Legends and Folklore - http://urbanlegends.about.com/;  Urban Legends Reference Pages - http://www.snopes.com/; Hoaxbusters - http://hoaxbusters.ciac.org/; TruthOrFiction.com - http://www.truthorfiction.com/; Symantec Security Response Hoaxes - http://www.symantec.com/avcenter/hoax.html; McAfee Security Virus Hoaxes - http://vil.mcafee.com/hoax.asp

 

10. Protect yourself while shopping online. Use and maintain anti-virus software, a firewall, and anti-spyware software. Keep software, particularly your web browser, up to date. Do business with reputable vendors. Take advantage of security features like secure passwords and encrypting information between your computer and the vendor’s website (look for the “lock” symbol in the browser or the website address beginning with “https” rather than “http”. Use a credit card rather than a debit card. Check your statements for any unusual or unauthorized activity.

 

Hopefully these tips will help you and those around you to have a happy holiday and reduce the risk of an unwelcome holiday event due to being uninformed. Please feel free to share these tips with your friends and family to help increase awareness and reduce risky behavior.

 

See the CERT Cyber Security Tips website for more information like this.

Nov 17 2008   7:44PM GMT

Surviving Cisco Telephony - SRST

Posted by: Troy Tate
administration, Cisco, VoIP, unified communications, IP telephony, DataCenter, PSTN, design, risk, diagnostics, vulnerability

As you may have seen in some of my previous posts the company I work for has implemented VOIP/IP telephony at some of our locations.

VOIP - IPT - QOS - COS on and on - Oh My!

CampIT Enterprise VOIP conference

VOIP virtual panel discussion

Recently we had a phone system outage at the largest of these sites. This was a site with a clustered Cisco CallManager solution. This outage lasted 4+ hours. We were definitely surprised that both members of the cluster failed at the same time and how long it took to recover. Since that time we obviously are working with our support vendor to find a better method of providing uptime to the phone system at this site. I am also looking at making sure my other sites are prepared in the event of a similar outage.

The solution for providing a backup to the CallManager cluster is called Survivable Remote System Telephony (SRST). Think of this as CallManager light. A limited number of the phones still have connectivity and can make/receive calls. I say “limited” because the SRST function is dependent on the PSTN gateway hardware. A larger gateway can support more users. The current gateway we had was a Cisco 2821 series router. This would support 96 users. A Cisco 3825 will support 175 users.

One thing I understand though is that you cannot necessarily specify which phones will get serviced by SRST. The phones are serviced on a first-come-first-served basis. This could be an issue if there are phones that should be serviced and an outage is occurring. Unneeded phones would need to be disconnected from the network to provide capacity to support the critical phones.

Hopefully this will be the last of 4+ hour outage for the phone systems at this site and none will happen at my others. The Cisco solution has been very good for my organization and so far has been very reliable with the exception reported here.

Thanks for continuing to read my blog and hope you have a great day on the technology frontier wherever that may be for you!

Nov 11 2008   3:51PM GMT

Did you see this? - MS08-067 and the Security Development Lifecycle

Posted by: Troy Tate
administration, Security, Microsoft Windows, patching, Development, debugging, Data security, malware, design, Microsoft, server, risk, awareness, blog, vulnerability, analysis

As you probably already know, Microsoft issued an urgent out of cycle security patch recently for a Vulnerability in Server service could allow remote code execution. Look here for additional Microsoft Security Vulnerability Research and Defense information about this bulletin. If you have not already applied this patch, I urge you to do so as there are reports of MS08-067 exploits in the wild for this vulnerability. For those of you who are developers and QA testers out there and wonder about how this vulnerability slipped through testing at Microsoft. Look at this article about MS08-067 and the Security Development Lifecycle. Like many of the responses to this blog posting say: keep code as simple as possible. Automated testing is not a panacea and keeping things simple may head off signficant problems later for all users and administrators.

Oct 10 2008   7:58PM GMT

Counterfeit Metrics - Type II Reverse Engineering

Posted by: Troy Tate
Security, Monitoring, reporting, IT education, Data security, malware, performance monitoring, botnet, Metrics, risk, research, awareness, vulnerability, dhs, analysis

If you are into metrics, you might find this article rather interesting. For Good Measure: Type II Reverse Engineering

A couple of the security metrics I find interesting:

Counterfeit hosts (zombied/botted): 30% (estimated)
Odds that neither end of a P2P session is øwned: 50–50
Bytes required to counterfeit a presidential candidate: 1

Dollar value of counterfeit Cuban
cigars: $100 million
Dollar value of counterfeit whisky: $700 million
Dollar value of counterfeit IT: $100 billion

Information like this really helps you understand why hackers and criminals do the things they do. I’m not endorsing it by any means.

Oct 9 2008   3:00PM GMT

Alternatives to e-mail attachments - SharePoint is risky!

Posted by: Troy Tate
administration, Networking, Firewalls, Storage, Security, DataManagement, intellectual property, email, Data security, Policy, SharePoint, Exchange, design, website, risk, policy enforcement, vulnerability

I’m looking for some help on this topic and have posted a question to the ITKE community. Hopefully someone out there has had some experience with this service for your organization and can provide some valuable insight.

One group I participate in is a mailing list from SANS. If you have not attended a SANS event or education, then you should try to get to one of their events. They are one, if not, the premier non-vendor related security and systems administration group in the IT industry. I posed the same question to this peer group and have had some very good responses. Some suggestions for solutions have come back and include:

Microsoft Office SharePoint (http://www.microsoft.com/sharepoint/default.mspx)

OpenText – Livelink (http://www.opentext.com/2/sol-products/sol-pro-llecm10.htm)

Webex Connect – (http://webex.com/enterprise/index.html) (There are other flavors for small & medium business)

 Accellion -  http://www.accellion.com)

 

These are very interesting solutions and I will certainly be looking at all potential candidates. One thing that bothers me about the SharePoint option is its security capabilities. SharePoint is typically Microsoft Active Directory integrated. This has major security implications and in fact CSO magazine has posted a recent article on this topic. I recommend that you read the article and understand what risks the SharePoint solution may open for your organization.

Why Security Pros Hate Microsoft SharePoint

Microsoft’s SharePoint collaboration platform is all the rage in today’s business world, especially since third parties gained the ability to plug security holes. But managing it can still be a nightmare for IT security shops.

I am still looking for more references and ideas for this solution, so please share what you are doing for your organization and it will be much appreciated by me and other readers.

Sep 19 2008   12:53PM GMT

Did you see this? - Encyclopedia of internal network security threats

Posted by: Troy Tate
Networking, forensics, Security, tools, Microsoft Windows, Monitoring, Browsers, web, reporting, WWW, antivirus, homeland security, Data security, malware, Policy, design, Firefox, Microsoft, website, troubleshooting, honeypot, botnet, risk, research, awareness, vulnerability, man-in-the-middle

Promisec has released an online encyclopedia of internal network security threats. This is available online for free. There is a lot of information to look through and decide how the risks affect your organization.

Take for example the entry describing GoogleTalk. The site rates it as one of the top 5 internal threats.

The more we know about these risks the better prepared we can be. Thanks for your time. Let’s be good network citizens together & practice safe networking!