Thursday, April 28, 2011

Derby Con Is Coming!

Well, I've been waiting for this moment. Tickets to Derby Con go on sale tomorrow, 4/29/11. Get them early, while you can.

This conference looks to be the best conference that I've seen in, well, ever. Check out the following information from Adrian Crenshaw's site:

"Here are some of our speakers: Scott Angelo, James Arlen (myrcurial), Paul Asadoorian (pauldotcom), Martin Bos (PureHate), Chris Buechler, Int0x80 – Dual Core, Adrian Crenshaw (IronGeek), Elliott Cutright (Nullthreat), Thomas d’Otreppe (Mister_X), Peter Van Eeckhoutte (corelanc0d3r), Tom Eston (agent0x0), Rick Farina (Zero_Chaos), Rob Fuller (mubix), Chris Gates (Carnal0wnage), Chris Hadnagy (loganWHD), Rick Hayes, Kevin Johnson (secureideas), Dave Kennedy (ReL1K), James Lee (egypt), Johnny Long, Rafal Los (WhiteRabbit), Kevin Mitnick, H.D Moore (hdm), Chris Nickerson, Jim O’Gorman (elwood), Deviant Ollam (TOOOL), Carlos Perez (darkoperator), Larry Pesce (haxorthematrix), Bruce Potter (gdead), Jason Scott, Ed Skoudis, Eric Smith (infosecmafia), John Strand, Jayson E. Street and Scott Ullrich."

Monday, April 18, 2011

It's Groundhog Day! Well, not really...

Well, it's Groundhog Day... again. Well, not really, but it sure feels like that movie, the one where you wake up every day and it's the same day, OVER and OVER again.

Today's headline: Critical Adobe Flash Patch Released, Again. Adobe recommends that everyone upgrade Flash Player to version 10.2.159.1.

Go here to check your version of Flash.

PS: Yes, I realize this happened on the 15th :)

Saturday, April 16, 2011

Kenneth Keller Kills Coreflood Botnet

As of Wednesday, Coreflood, a botnet that has been around for some time, has been shut down by the FBI. The declaration of Special Agent Kenneth Keller charges that the botnet's operators committed wire fraud, bank fraud and unauthorized interception of electronic communications.

This botnet consisted of 2,336,542 individual machines, or bots (most of them in the US), and was controlled by two command and control servers. The hosts at 207.210.74.74 and 74.63.232.233 were the Coreflood command and control servers at the time of the investigation; all infected machines essentially reported to these servers.

The Facts
Coreflood infected machines running Windows.
The botnet communicated primarily by domain name rather than by IP address, so the command and control servers could be moved frequently.
The IP addresses of the command and control servers mentioned above correspond to "jane.unreadmsg.net" and "vaccina.medinnovation.org".
Supporting reference can be found here.
Infected computers in the botnet logged keystrokes and various communications, sending online banking information to the command and control servers, where the data was stored to be reviewed later.
That information was later used to wire money out of the victims' bank accounts.

There's No Place Like Home
According to a seizure warrant, the DNS providers for the Coreflood domains were ordered to lock any account associated with the domains in question to prevent changes or deletions. In addition, the DNS servers for those domains are to return 127.0.0.1 when queried, so a bot that looks up its controller is pointed back at itself and never reaches a real server.


Coreflood domains associated with the botnet include:

adv-webhost.com
antrexhost.com
bonuspages.net
diplodoger.com
ehostville.com
fishbonetree.biz
googlestat.net
hostfarmville.net
hostfields.net
hostnetline.com
joy4host.com
just-twin.com
licensevalidate.net
medicalcarenews.org
medinnovation.org
nebuladay.net
nethostplus.net
netwebplus.net
penlist.net
realgoday.net
stafilocox.net
unreadmsg.net
vip-studions.net
virtukon.com

Regular virus scans with up-to-date definitions would be a good step toward mitigating this issue. Programs like Malwarebytes and Spybot Search & Destroy are a good companion to your anti-virus software.

Of course, vigilance on the part of the computer user is also vital. Know what services and processes are supposed to be running on your system and monitor for anything suspicious. On a network, a DNS query for any of the domains listed above is a strong sign that the querying host is infected.
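Because the bots find their controllers by name, the domain list above is directly usable as a detection feed. The following Python script is an added example, not code from the original post: it scans a handful of constructed BIND-style query-log lines (made up for this example; only jane.unreadmsg.net and vaccina.medinnovation.org are names the post actually cites) for lookups under any of the 24 Coreflood domains, reports the internal clients that made them, and classifies what a current answer for a Coreflood name means given the court-ordered 127.0.0.1 sinkhole and the two C&C addresses named above.

```python
import re

# The 24 domains listed in the post and the two C&C addresses it names.
COREFLOOD_DOMAINS = frozenset({
    "adv-webhost.com", "antrexhost.com", "bonuspages.net", "diplodoger.com",
    "ehostville.com", "fishbonetree.biz", "googlestat.net", "hostfarmville.net",
    "hostfields.net", "hostnetline.com", "joy4host.com", "just-twin.com",
    "licensevalidate.net", "medicalcarenews.org", "medinnovation.org", "nebuladay.net",
    "nethostplus.net", "netwebplus.net", "penlist.net", "realgoday.net",
    "stafilocox.net", "unreadmsg.net", "vip-studions.net", "virtukon.com",
})
COREFLOOD_C2_IPS = frozenset({"207.210.74.74", "74.63.232.233"})
SINKHOLE_IP = "127.0.0.1"  # address the seized domains were ordered to resolve to

# Constructed sample lines in the style of a BIND query log (assumption: not real
# traffic; update.googlestat.net is a made-up hostname under a listed domain).
SAMPLE_QUERY_LOG = """\
15-Apr-2011 10:01:12.301 client 10.0.0.15#53211: query: www.example.com IN A + (10.0.0.1)
15-Apr-2011 10:01:15.007 client 10.0.0.22#49152: query: jane.unreadmsg.net IN A + (10.0.0.1)
15-Apr-2011 10:02:44.119 client 10.0.0.22#49153: query: vaccina.medinnovation.org IN A + (10.0.0.1)
15-Apr-2011 10:03:01.552 client 10.0.0.31#40001: query: mail.example.com IN MX + (10.0.0.1)
15-Apr-2011 10:05:09.880 client 10.0.0.40#50102: query: update.googlestat.net IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")


def registered_domain(name):
    """Reduce a hostname to its last two labels (jane.unreadmsg.net -> unreadmsg.net).
    Good enough here because every entry in the list is a second-level domain."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_coreflood_lookups(lines):
    """Return (client_ip, queried_name) for every query under a Coreflood domain."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and registered_domain(m.group("name")) in COREFLOOD_DOMAINS:
            hits.append((m.group("client"), m.group("name")))
    return hits


def suspect_hosts(lines):
    """Internal clients that asked for a Coreflood name: candidates for cleanup."""
    return sorted({client for client, _ in find_coreflood_lookups(lines)})


def classify_resolution(name, resolved_ip):
    """Explain what an answer for a Coreflood name means after the takedown."""
    if registered_domain(name) not in COREFLOOD_DOMAINS:
        return "not-coreflood"
    if resolved_ip == SINKHOLE_IP:
        return "sinkholed"        # the court-ordered 127.0.0.1 answer
    if resolved_ip in COREFLOOD_C2_IPS:
        return "known-c2"         # still pointing at a seized controller
    return "unknown-address"      # an address the post does not list: investigate


if __name__ == "__main__":
    lines = SAMPLE_QUERY_LOG.splitlines()
    for client, name in find_coreflood_lookups(lines):
        print(f"{client} looked up {name}")
    print("suspect hosts:", suspect_hosts(lines))
    print(classify_resolution("jane.unreadmsg.net", SINKHOLE_IP))
```

Matching on the registered domain rather than the full hostname is deliberate: the post notes the operators moved controllers around by changing names, so any host under a listed domain is of interest, not just the two names in the affidavit.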

Friday, April 15, 2011

Installing Metasploit on Ubuntu 10.10

This is going to be a tutorial on installing Metasploit on Ubuntu 10.10. Metasploit is a free, open source penetration testing framework that provides you with a way to test for security vulnerabilities, and it is also the framework (written in Ruby) in which new modules are developed. It has been around since about 2003, but I still wanted to do a small series on it for those who may be new to it or have never heard of it.

Download the Metasploit Linux Full setup from here.

From the Metasploit instructions located here, perform the following:

Install the Ruby dependencies:

sudo apt-get install ruby libopenssl-ruby libyaml-ruby libdl-ruby libiconv-ruby libreadline-ruby irb ri rubygems

Install the Subversion client:

sudo apt-get install subversion

Test the Subversion client with the command svn ls https://www.metasploit.com/svn/framework3/trunk/ and you should see a listing of the top-level directories of the framework repository.

In order to build the native extensions (pcaprub, lorcon2, etc), the following packages need to be installed:

sudo apt-get install build-essential ruby-dev libpcap-dev

Here's where it gets a bit different. The current instructions say to download and untar the Metasploit tarball, but we don't have a tarball at this point; what we have is the binary installer, which has to be run.


Trying to run the file straight away, we run into a permissions problem: the downloaded installer isn't executable. To fix this, I set the permissions to "774" and ran the file again.

Making directories and linking folders

sudo mkdir -p /opt/metasploit3
sudo cp -a msf3/ /opt/metasploit3/msf3   # this may take a few minutes
sudo chown root:root -R /opt/metasploit3/msf3
sudo ln -sf /opt/metasploit3/msf3/msf* /usr/local/bin/

Next we are going to install MySQL:

sudo apt-get install mysql-server   # provide a strong root password when prompted
sudo apt-get install rubygems libmysqlclient-dev
sudo gem install mysql

Lastly, run ruby /opt/metasploit3/msf3/msfconsole and you should be greeted by the msfconsole banner and an msf > prompt.

This concludes this tutorial, but look for future ones on the use of Metasploit as well as other security tools.

Tuesday, April 12, 2011

Security Slip-up Sinks Saturday

Security company Barracuda Networks was hit this past Saturday with a successful SQL injection attack... -1

This was due to a configuration oversight (their web application firewall had been put in passive monitoring mode, so it logged the attack but didn't block it... DOH!) ...........-2

Barracuda gives full detailed disclosure .........................+2

What more can be said? Read about the incident here.
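To make the two halves of the scorecard concrete, here is an added example in Python (not code from the original post or from Barracuda): a login query built by string formatting beside the same query with bound parameters, and a toy WAF rule whose "monitor" mode, like the passive mode described above, records the injection but lets it through. The table, the admin password and the rule patterns are all constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory user table. Plaintext password only to keep the demo short;
    a real application stores a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """String formatting places attacker text inside the SQL grammar.
    username = "admin'--" closes the quote and comments out the password check."""
    sql = "SELECT 1 FROM users WHERE username = '%s' AND password = '%s'" % (
        username, password)
    return conn.execute(sql).fetchone() is not None


def hardened_login(conn, username, password):
    """Bound parameters are sent as data; the quote and comment are just characters."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Toy signature rule set (an assumption for the example; a real WAF uses far more).
INJECTION_PATTERNS = ("'--", "' or ", "union select")


def waf_check(request_param, mode):
    """Return the WAF's verdict for one request parameter.
    mode="block"   -> suspicious input is rejected before it reaches the app.
    mode="monitor" -> suspicious input is logged and passed through untouched,
                      which is the passive configuration the post describes."""
    suspicious = any(p in request_param.lower() for p in INJECTION_PATTERNS)
    if suspicious and mode == "block":
        return "blocked"
    return "logged" if suspicious else "allowed"


if __name__ == "__main__":
    db = make_db()
    payload = "admin'--"
    print("WAF (monitor):", waf_check(payload, "monitor"))
    print("vulnerable login bypassed:", vulnerable_login(db, payload, "wrong"))
    print("hardened login bypassed:  ", hardened_login(db, payload, "wrong"))
    print("WAF (block):", waf_check(payload, "block"))
```

The point of the two-line difference between vulnerable_login and hardened_login is that parameterization fixes the bug at the source; the WAF is a compensating control, and a compensating control in monitor mode compensates for nothing.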

Reviewing RSA's Report

I recently read an article that was sent to me detailing some of the steps of the recent attack against RSA. RSA was the victim of an advanced persistent threat (APT): a long-term pattern of targeted, sophisticated attacks against an entity.

This particular article is located on page 6 of the report located here.

Phine Phishing
The RSA SecurID breach started with a phishing attack, whose goal is usually to obtain sensitive information or to have the user take a certain action, like opening an attachment. The attack is carried out by sending an email that purports to be from a trustworthy source.


Working As Planned - Good News and Bad News
In March of this year, phishing emails were sent to two small groups of "low-level" users with the subject line “2011 Recruitment Plan.” This email had an MS Excel attachment with an exploit for the then-new Adobe Flash vulnerability (CVE-2011-0609) embedded in it.

The good news is that an email filter or anti-spam program caught the attachment and sent it to the Junk Mail folder. The bad news is that the employee went into the folder, retrieved the message and opened the attachment.

Let's stop right there for a minute. A little employee awareness training would've proven invaluable at this point.

The exploit then installed a Poison Ivy variant for remotely controlling the infected machine. Poison Ivy uses a reverse connection (the victim connects outbound to the attacker, so no inbound firewall rule is needed) and masquerades as a web browser process to bypass security controls and avoid detection by the user and by firewalls.

The attack first harvested access credentials such as: user, domain admin, and service accounts.

According to the article, it then went into specific servers, removed data, and moved it to staging servers set up inside RSA, “where the data was aggregated, compressed and encrypted for extraction.”

Password-protected RAR files were transferred via FTP from the RSA file server to an external, compromised machine at a hosting provider.

The files were then pulled by the attacker and removed from the external host.

Lessons Learned
Lessons learned here include user education, incident response, and disclosure.

The report mentioned that the phishing scheme targeted "low-level" users. While the report doesn't say who these people were, there is definitely an opportunity for security education here. There was a very good reason the message was tagged as spam and isolated, and catching it at all is not bad considering that this was a zero-day, or close to it.

The machine on which the email was opened wasn't patched against the new Adobe vulnerability. Given how little time there was between the release of the vulnerability details and the patch, and given that the mail filter had already isolated the message, this may not have been the worst part of the problem.

The next part of this equation is a bit nebulous, since I am not aware of the account(s) used or of the number of queries to the database servers during this time versus the baseline for a comparable period. Still, if there was a spike in activity, it seems curious that no alert was configured to warn the admins, or at least the help desk, of a large number of queries.

Full disclosure of the attack to customers is a right they should have been given. Disclosure also gives the security community the ability to see where similar holes may exist in our own networks, and provides an opportunity for user education, which looks to be the biggest issue here.
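The one step in the chain above that leaves an unmistakable network footprint is the last one: password-protected RAR files pushed over FTP from an internal file server to an external host. The following Python script is an added example, not code from the report or from RSA. It runs over a few constructed egress log lines (the key=value layout, the addresses and the file names are all made up for the example) and flags FTP STOR operations that move an archive from an internal host to an address outside the RFC 1918 ranges, then totals the flagged bytes per source so the likely staging box rises to the top.

```python
import ipaddress
import re
from collections import defaultdict

# Define "internal" explicitly (RFC 1918 plus loopback). Don't rely on
# ipaddress.is_global, which also treats the documentation ranges used below as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
ARCHIVE_EXT = (".rar", ".zip", ".7z")

# Constructed sample egress log lines (assumption: this format and these hosts are
# invented for the example; nothing here is taken from the RSA report).
SAMPLE_EGRESS_LOG = """\
2011-03-10T02:14:05Z src=10.20.30.40 dst=203.0.113.55 dport=21 app=ftp cmd=STOR file=r1.rar bytes=52428800
2011-03-10T02:21:47Z src=10.20.30.40 dst=203.0.113.55 dport=21 app=ftp cmd=STOR file=r2.rar bytes=48123904
2011-03-10T09:30:12Z src=10.20.30.41 dst=10.20.40.5 dport=21 app=ftp cmd=STOR file=backup.rar bytes=90000000
2011-03-10T11:02:00Z src=10.20.30.77 dst=198.51.100.9 dport=443 app=https cmd=- file=- bytes=20480
2011-03-10T11:05:33Z src=10.20.30.88 dst=203.0.113.90 dport=21 app=ftp cmd=RETR file=readme.txt bytes=1024
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"app=(?P<app>\S+) cmd=(?P<cmd>\S+) file=(?P<file>\S+) bytes=(?P<bytes>\d+)")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_archive_uploads(lines):
    """Flag an FTP STOR of an archive from an internal host to an external address.
    Internal-to-internal copies (e.g. a backup job) and downloads are left alone."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        if r["app"] != "ftp" or r["cmd"] != "STOR":
            continue
        if not r["file"].lower().endswith(ARCHIVE_EXT):
            continue
        if not is_internal(r["src"]) or is_internal(r["dst"]):
            continue
        alerts.append((r["ts"], r["src"], r["dst"], r["file"], int(r["bytes"])))
    return alerts


def bytes_per_source(alerts):
    """Total flagged bytes per internal host: the biggest sender is the staging server."""
    totals = defaultdict(int)
    for _, src, _, _, size in alerts:
        totals[src] += size
    return dict(totals)


if __name__ == "__main__":
    found = flag_archive_uploads(SAMPLE_EGRESS_LOG.splitlines())
    for ts, src, dst, name, size in found:
        print(f"{ts} {src} -> {dst} {name} ({size} bytes)")
    print("bytes per source:", bytes_per_source(found))
```

A rule like this is noisy on its own (plenty of legitimate FTP exists), which is why the per-source total matters: one internal host pushing hundreds of megabytes of archives to a single external address at two in the morning is the pattern the report describes, and that aggregate is what should page someone.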

Friday, April 8, 2011

Digging Digital Data

Today I wanted to take a look at what happens when you delete something from a drive, whether a hard disk or a flash drive, and how to recover data that may have been accidentally deleted. Everyone has heard the horror stories of a company surplusing equipment only to find that confidential data was still on it, so we are going to take a look at the deletion and retrieval of data.

In order to have a fresh place to start, I'm going to wipe my media (in this case a flash drive) clean. It should come from the factory like this, but there have been reports in the news of malware on everything from flash drives to digital picture frames.

Starting from Zero
We are going to start with a clean slate by using Active@ KillDisk to wipe the drive of any data. It does this by overwriting every addressable location on the drive with zeros.

Disclaimer: Yes, I realize that this was only one pass using zeros, but it will suffice for what we are doing. IF YOU ARE LOOKING FOR A VERY SECURE METHOD OF ERASING THE DISK IN QUESTION, PLEASE PURCHASE THE FULL VERSION, which will wipe the disk to the US DoD 5220.22-M standard. Note also that on flash media the controller's wear levelling can leave copies of old data in physical blocks that a software overwrite never reaches.

After installing the program, select the drive and click the “Kill” button. This brings up a summary screen; click Start to continue. You are then asked to confirm by typing “ERASE-ALL-DATA” in a text box.

Verifying the Disk
Next, I used DiskDigger to look through the physical disk for files. I scanned not only for deleted files but for traces of files, by selecting the “Dig Deeper” radio button, then “Next”.

For the file type, I left the default of all files…

 
At the end of the scan, nothing was found on the flash drive…

Next, I am going to save some data on this “new” drive. In this instance, this post that I am writing and the associated images will be saved on the drive.

I saved a Microsoft Word document, a text file with a list of links, an HTML file and a folder with images. After that, I highlighted them all and simply deleted them (a normal delete, not a wipe). We'll look at "permanent deletion" in another post.

Digging Data 

After deleting the data and confirming that the disk showed as "empty" in Windows Explorer, I fired up DiskDigger again and scanned the flash drive for any contents, using the same "Dig Deeper" scan as before.


When DiskDigger finished, it displayed a list of pictures that it had found. I was not able to preview any of the .png files, but the .jpgs were easily viewable.

 

I then clicked on the documents tab and was able to preview the Word document that I had deleted earlier.


OK, but what about the other files? I clicked "Back" a few times and selected a regular "Dig Deep" scan, which works from the file system's deleted entries rather than from file signatures and so finds files regardless of their type.


Here we can see that other files, including temporary MS Word files and text files, are still on the disk.

Restoring Files
When the list of available files appears, simply select and right-click the file name, choose "Restore Selected Files", pick a directory for the files, and click "OK"; the file is recovered. When choosing where to recover files to, pick a location that is NOT on the media you are digging through, because writing there may overwrite the next file you are trying to recover.

I hope that this not only helps someone who needs to recover some lost data, but also raises awareness about making sure, when disposing of old or surplus equipment, that your data stays your data.
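Why does a deleted file come back? Because a normal delete only clears the directory entry; the blocks holding the data are untouched until something else is written over them, and a signature scan like DiskDigger's "Dig Deeper" mode never consults the directory at all. The following Python script is an added example, not code from the post or from DiskDigger or KillDisk. It builds a tiny in-memory "drive" with its own toy directory table (an assumption for the example, loosely modelled on a FAT-style in-use flag), writes a constructed minimal PNG and JPEG into it, deletes them the way a file manager would, shows that the directory is now empty while header/trailer carving still recovers both files byte for byte, and finally shows that a single zero-fill pass, like the one at the top of the post, leaves the carver nothing to find.

```python
import struct

IMAGE_SIZE = 64 * 1024          # toy "flash drive"
DIR_ENTRIES = 16
ENTRY_FMT = "<16sIIB7x"         # name, data offset, size, in-use flag, pad = 32 bytes
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)

# Minimal but structurally valid image files (constructed: a 1x1 PNG header with no
# pixel data, and an empty JFIF body). They only need real headers and trailers.
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n"
              b"\x00\x00\x00\x0dIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00\x90wS\xde"
              b"\x00\x00\x00\x00IEND\xaeB`\x82")
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + bytes(40) + b"\xff\xd9")

# Header/trailer signatures: the same idea a "Dig Deeper" style scan relies on.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),   # IEND chunk plus its fixed CRC
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def new_image():
    return bytearray(IMAGE_SIZE)


def _entries(image):
    """Yield (slot position, name, data offset, size, in-use flag) for each directory slot."""
    for i in range(DIR_ENTRIES):
        pos = i * ENTRY_SIZE
        name, off, size, used = struct.unpack_from(ENTRY_FMT, image, pos)
        yield pos, name.rstrip(b"\x00").decode(), off, size, used


def write_file(image, name, data, offset):
    """Store data at offset and record it in the first free directory slot."""
    for pos, _, _, _, used in _entries(image):
        if not used:
            struct.pack_into(ENTRY_FMT, image, pos, name.encode(), offset, len(data), 1)
            image[offset:offset + len(data)] = data
            return
    raise OSError("directory full")


def list_files(image):
    """What a file manager shows: only entries still flagged in use."""
    return [name for _, name, _, _, used in _entries(image) if used]


def delete_file(image, name):
    """An ordinary delete: clear the in-use flag and leave the data blocks alone."""
    for pos, entry_name, off, size, used in _entries(image):
        if used and entry_name == name:
            struct.pack_into(ENTRY_FMT, image, pos, entry_name.encode(), off, size, 0)
            return
    raise FileNotFoundError(name)


def carve(image):
    """Ignore the directory entirely and scan raw bytes for header/trailer pairs.
    Returns (kind, offset, recovered bytes) sorted by offset."""
    found = []
    for kind, (header, trailer) in SIGNATURES.items():
        start = 0
        while True:
            s = image.find(header, start)
            if s < 0:
                break
            e = image.find(trailer, s + len(header))
            if e < 0:
                break
            end = e + len(trailer)
            found.append((kind, s, bytes(image[s:end])))
            start = end
    return sorted(found, key=lambda hit: hit[1])


def wipe(image):
    """Single zero-fill pass over every byte, like the free KillDisk run in the post."""
    image[:] = bytes(len(image))


if __name__ == "__main__":
    img = new_image()
    write_file(img, "photo.png", SAMPLE_PNG, 4096)
    write_file(img, "photo.jpg", SAMPLE_JPEG, 20000)
    delete_file(img, "photo.png")
    delete_file(img, "photo.jpg")
    print("directory after delete:", list_files(img))
    print("carved after delete:", [(k, o, len(b)) for k, o, b in carve(img)])
    wipe(img)
    print("carved after wipe:", carve(img))
```

The carver is deliberately naive (first trailer after a header wins), which is also why real tools sometimes show a truncated or unviewable preview, as happened with the .png files above: a fragmented file, or a trailer that belongs to a different file, produces a partial carve.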

Wednesday, April 6, 2011

Epsilon Evolves

Last week's security breach at Epsilon Interactive, an Alliance Data Systems Corporation company based in Texas, was well reported in the information security news, but I haven't seen much about it in the mainstream news, which apparently reflects a lack of awareness among consumers and an area for education by those of us in information security.


A short list of Epsilon's marketing-services customers reads like a Who's Who of the companies most consumers deal with daily. When I see this list, it makes me wonder what due diligence these companies did to ensure that Epsilon follows best practices for information security. Anyway, the list includes:

  • Capital One
  • Citi
  • JP Morgan Chase
  • U.S. Bank
  • Barclays Bank of Delaware
  • Ameriprise Financial
  • Robert Half International
  • Ritz Carlton Rewards
  • Marriott Rewards
  • Hilton Hotels
  • Red Roof Inn
  • McKinsey & Co.
  • Meijer
  • Home Shopping Network
  • AbeBooks
  • New York & Company
  • Brookstone
  • Walgreen's
  • Kroger
  • BeachBody
  • The College Board
  • LL Bean
  • TigerDirect
  • Bebe
  • Benefit Cosmetics
  • Disney Destinations
  • Lacoste
  • Best Buy (Reward Zone/Credit Cards)
  • Ethan Allen
  • 1-800-Flowers.com
  • The Home Depot
  • Verizon
  • Best Buy
  • TiVo


I, like many people, have several email addresses, such as one for work, one for personal use, etc. Incidents like the Epsilon breach show that we have to be more careful about giving out our data. Yes, the company you give your information to may use it only for "internal purposes", and yes, you may have "opted out" of email correspondence (which probably just means there is a field in a database saying not to contact you), but the fact of the matter is that they still have the information, and if it falls into the wrong hands it's as good as public. This information can (and will) be sold and used for spear phishing: attacks tailored and targeted to you based on the information the attacker already has about you.

So, what can we do as consumers?

Don't give out personal information. I know that some places make it "mandatory", but how about getting a PO Box for these instances?

Use your initial instead of your first name on a form.

Have a separate email address that you use for businesses, forms, marketing, etc.

Use different passwords that are unique to each company that you deal with, so if a list with your information is compromised, the attackers do not have THE password that you use for everything, including banking.

Lastly, we can also demand that Epsilon disclose the depth and details of the breach.