Cybersecurity challenge and update…

 

So I saw an interesting link on the interwebs, it is a packet analysis challenge with promise of invitations to  summer 2011 USCC Cyber Camps training in various locations (Delaware for East Coast folks, I believe) for the winners.  I registered and hope to complete the challenge this weekend; you have 24 hrs once you get the .pcap file to answer 30 questions about evidence of intrusion in the traffic.  You can read more about it here  http://www.uscyberchallenge.org The contest is over May 1st 2011.

 

UPDATE:  I did well enough to be invited to the Virginia camps in early August, with full tutition, room, and board paid.  An awesome opportunity that I’m looking forward to.

Facebook Faux pas?

So Facebook’s been in the news recently about their ever degrading privacy protections and coding screwups (EFF link and Tech Crunch link). I’m not a big fan of the service but it is a unique way to keep in touch with people you are far away from, as well as get updates on the “normal” part of their lives that don’t exactly warrant a phone call or email.  Anyway, I’ve already erased most all my personal info because I’m a paranoid.  I also check up on the privacy settings to see if I’m inadvertently leaking personal info because of my mistake or Facebook’s frequent policy changes.

I noticed an interesting feature yesterday that allows you to get an email when a computer that hasn’t been “authorized” authenticates to your account ( Click Account Button…Account Settings…Account Security). Facebook also allows you to see a log of the computers that have authenticated to your Facebook (security guys love logs) which is cool.  The log is weak on the technical side, no IP address, DNS hostname, or Useragent etc.  But it is an interesting feature that I believe banks should offer as well.

Continue reading

Countering the new threats…

The SANS Incident handling steps are

  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned

I’m going to talk about Preparation and Identification today. See I enjoy the challenge of having a network and resources to protect.   Its funny to see how that translates into my non-work life, for example I always like RTS type games and often take a defensive posture by default.  Called turtling in the gaming world it’s more than likely to get you a loss because most games I played seem to favor the noob friendly kamikaze aggressive style, or rushing. However, that just makes me enjoy defense even more, who wants to take the uneducated inexperienced easy way out?  In the real world all out no fear, attack is not a legitimate info sec strategy for obvious reasons.

First it’s well documented how the “bad guys” have changed over the last 2 decades from notoriety seeking weekend hackers, to “hey I can make money at this” full time hackers, to organized criminal gangs.  What I don’t hear enough about is the current migration from gangs to an underground criminal marketplace, and that is just plain frightening.  Organized crime is dangerous and hard to stamp out but it’s a threat that can be met with equal good guy organization and cooperation.  Like when it took Elliot Ness and the federal government to stamp out the mobs and corruption of the 30’s.   Complicated Bad can be fought with complicated Good, hard but doable.  But how do you fight a decentralized economy of goods/service providers with a specialized skillset, profiting off loose, dynamic, and temporary connections to others?  That is really hard to do. Now throw in more recent fully state sponsored agencies targeting small subsets of the internet (Advanced Persistent Threat [APT] attacks on Google) and you’ll see why Information Security is so much in the news these days.

Continue reading

Blackhat SEO, The Next Generation…

UPDATE March 2012: So I was rereading my own blog and wondered if I got this post right.  I googled and turns out it was probably a FAIL.  Although Van Morrison deny’s it he bought Gigi a house in Texas and visited her and the child regularly (although she recently passed away).  Guess I should have known writing about celebrity gossip, the truth will probably never really made public.

December 29th 2009  I noticed a story come across the wires about the singer Van Morrison and Gigi Lee having a baby. This was picked up by the Associated Press and many legitimate news outlets.  Turns out it was a carefully orchestrated plan to drive traffic for keywords already seeded on hacked websites that redirected to mostly known fake AV malware servers (more on that at bottom).  Not knowing this at the time I did a quick google search out of normal user interest and got these results…

Being the paranoid security guy I am, I immediately noticed the similarity in the URLs  and that they weren’t domain’s of news sites.  For example domain.com/xxx.php?=gigi%20… or domain.com/xxx.php?=van%20…  Hmmmm, those don’t look like legit results to me.  Welcome to the world of Blackhat SEO, I don’t presume to be the end all authority on this as Dancho Danchev and others Sophos have been tracking this for years. But this was a new twist, the bad guys were not grabbing the currently hot top search results (like when a celebrity dies) and competing with other pages to get their rank high, they INVENTED the keywords  and already had the seeded keywords in Google’s page rank before attacking Van Morisson’s website!  Gotta to respect the ingenuity, wish they were on the good guys side. Whatever Google is doing to counter the bad guys from gaming their page rank algorithm it isn’t working very well, although in this instance Google was working as intended.  If a malware author can poison a person’s view of the web (search engine results) then the average user doesn’t have much of a chance.  Turns out any one of the links redirected me to a known malware page. I followed them with Malzilla, here’s an example…

…. ALL LINKS CHANGED SLIGHTLY TO PROTECT INNOCENT….

1. First the click to Google’s search results
http [break] ://www.google.com/url?sa=t&source=web&ct=res&cd=17&ved=0CB8QFjAGOAo&url=

http%3A%2F%2Fxxxxx-law.com%2Fmvf.php%3Ft%3Dgigi%2520lee&ei=8K06S8yYFpS2swOKg_XBBA&usg=AFQjLNG7qREztsl9Fo0TC6RUCWNaB5Vp_A&sig2=48nUTmo26vz49MerFAydtg

2. Redirects to the search result

HTTP/1.1 302 Found
Location: http [break]://xxxxxx-law.com/mvf.php?t=gigi%20lee
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Wed, 30 Dec 2009 17:04:04 GMT

Which is a .php script that looks like it’s taking an input of “t=gigi lee”  (the %20 is an encoded space) So I tried it w/o correct input and with “wget” default user-agent and was cleverly 301 redirected to cnn.com homepage, I thought that was a nice touch by the bad guys.

3. Continuing with the correct link gets me too, (hmmm  random .pl domain not a good sign.  No offence intended to Poland)

HTTP headers:

HTTP/1.1 302
Date: Wed, 30 Dec 2009 17:04:12 GMT
Content-Type: text/html
Server: Apache

Location: http [break]://vby1x4.xoeg .pl/in.php?t=cc&d=29-12-2009_tr2&h=xxxxxx-law.com&p=http%3A%2F%2Fwww.google.com%2Furl%3Fsa%3D…. snip….6vz49MerFAydtg

4. Then finally the below link which my endpoint HIPS stopped.  Just from the link you can tell it’s a fake AV Trojan and probably a couple exploits to go along with it (I didn’t go down the rabbit hole any farther).  Also I was impressed with Firefox WOT add-on (link) as I kept having to disable it to follow the redirects with FireFox.  Definitely recommend it, along with no_script of course

HTTP/1.1 302 Found
Date: Wed, 30 Dec 2009 19:08:52 GMT
Server: Apache/2.0.55 (Unix) PHP/5.2.1
X-Powered-By: PHP/5.2.1
Location: http [break] ://createpc-pcscan-kokn .net/?uid=195&pid=3&ttl=e11476d0489

So I was intrigued by this .php file that they were able to upload to many websites like the example above which is a law firm in Boston Mass. I contacted several of them to tell of the infection and to ask if I could get a copy of that server side .php script, but none have done so.

So the whole thing was an elaborate scheme to get hits as it was most likely the same group of hackers that compromised the singer’s website and started the whole thing.  I was wondering how they knew to upload the files with the right keywords before the news broke and had figured they must have ongoing access to adjust the keywords or replace the .php depending on the current news story, which still could be true. The AP picking up the story must have had the bad guys celebrating for sure.

From BBC news site:

The Belfast-born 64-year-old said he had been the victim of an internet hacking attack that had placed “falsehoods” on his official website. BBC News was one of several outlets to report the hoax as fact.”The comments which appeared on my website did not come from me,” he [Van Morrison] said, in a statement issued to the media. The singer said he had asked his management team to carry out an immediate investigation, adding it was the second time his website had been hacked in the last three months.

Link to MTV talking about it.  They missed the point though it wasn’t an innocent hoax, it was motovated by the second oldest story book…..Money.

Is it Malware?

One lesson I remember learning during my teen years was the world is really shades of gray, not so much the black and white it seems when you’re younger.  The same principal applies to malware, what really is…bad?  If an AV scanner asks for payment before clears your spyware cookies and removes other fake AV installs is it malware?  What if separate 3rdparty affiliates install it w/o your or manufacturer’s permissions, through an exploit, social engineering, or by forcing you to opt-out? What if they steal other companies detection DBs as in the iobit and malwarebytes saga? Apple installs file sharing software (Bonjour) w/o notification and with opt-out techniques (Google Toolbar, Quicktime) when installing iTunes. Does that make Apple a spyware purveyor?  Again, shades of gray.

So what is the user/IT tech to do? Well there’s no easy answer, and in my humble opinion you have to trust but verify with research.  Check already trusted forums/websites of whitehats and coworkers along with other trusted IT user’s opinions.  In short, do your homework before installing any software on your machine.

Along these lines an interesting thing happened while I was dealing with a small outbreak of Vundo.Trojan at work. Our AV vendor didn’t detect the sample yet so I recommended for the IT staff to install update and run malwarebytes in safemode. For various reasons one infected computer had no immediately available IT rep so it was left up to the user.  When getting to the download link he was tricked by a deceptive (my opinion) advertisement on download.com (Right hand “Bad Link” in screenshot below) to install a “shades of gray” program called CyberDefender instead of malwarebytes (a trusted whitehat community supported malware scanner).

Tricky Tricky for the average user

This program has a history of being considered actual malware, but apparently was taken over by different management whose is supposedly trying to legitimatize it circa 2006.  I decided to check it out a bit and am suspicious enough to recommend NOT installing it.

Some issues that make me dubious to install the software…

  • Inflates the severity of the findings (ie. Detected sysinternals processmonitor as a HIGH risk)
  • Opens a high tcp port and listens on it. (In 2 separate installs and 1 reboot on a clean VMware image I saw 1stcdas.exe listening on tcp/5710, 2ndcdas45.exe on tcp/5754, and 3rdon reboot saw tcp/5779 (from THE SAME installer file))
  • Advertises with shady deceptive ads
  • Finds different threats with a program uninstall/reinstall and subsequent rescan with Cyberdefender
  • Offered me to buy the product for 250.00 after an add/remove programs uninstall (clearly a ripoff)

Cheap Website Monitoring…

A big part of being a security analyst is figuring out why something you admin is blocking what a customer is trying to get to.  I actually like those problems because I look at them like a mini-puzzle. The key to these issues, and many others for that matter, is being able to recreate the trouble with your own equipment.  I usually tell people, if it’s blocked for me too then I will be able to fix it.  The hard problems come when it’s an occasional issue, or only from one part of the network, etc.

Anyway, the latest scenario involved a city employee trying to get to a local high school’s website to get their layout.  The site was blocked with the category pornography, which seemed like a miscategorization.  After recreating the problem on my desktop I got a hunch, which leads me to the reason for this post.  I headed to google and searched “site:xxxxxx.edu nude”  and it came back with the results that would make any webmaster wince.  Pictured below (anonimized to protect the innocent)…

So that was quickly solved by making the school’s webmaster aware of the injected HTML SEO poisoning keywords and asking our vendor to re-evaluate the site once cleaned.  But more to the point such Google searches are a really cheap way to do some manual monitoring for websites under your protection. I personally do searches like these every few weeks, on the off chance one day I will get something other then no webpages found.  Don’t forget to submit requests to clear the major search engine’s cache if you’re hit or these results will stick around for a while.

PS I’ll leave it up to the reader’s imagination on which keywords to use.

Update to filter IP ranges in SMTP headers…

I have an email address set up that customers can send false negative SPAM to should it get through the Email gateways.  One I received the other day shows just how allowing country IP blocks to be searched would benefit anti-spam gateways to clean up the relatively few number of false negatives they let through. I blogged about that below.

 The below is a cleaned up part header of an email one of my coworkers received that was a 419 SPAM with a word attachment delivering the social engineering “payload.”  It was sent from what I believe to be a Sun OS webmail server from a large well known east coast university ( I have notified the who-is abuse contact already.)   The IP from Nigeria ( 78.138.3.237), is what directly connected to the webmail server with an account of a college user and sent the SPAM through an already trusted infrastructure.  If the college or I was able to search for Nigerian IPs anywhere in the received lines this would have been dropped or quarantined.

Received: from iron1-smtp.xx.xxxx.edu ([xxx.xxx.127.241])  by
SannetSmtp1-in.sannet.gov with ESMTP; 25 Jun 2009 10:09:32 -0700
X-SenderBase: None
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhMJAEZMQ0qApIMj/2dsb2JhbACONYhfgkyocIc9iE6EDQU
X-IronPort-AV: E=Sophos; i=”4.42,291,1243828800“; d=”scan’208″;a=”44717911”
Received: from optimus.xx.xxxxx.edu (HELO xxxx.edu) ([xxx.xxx.131.35])  by iron1-smtp.xx.xxxxx.edu with ESMTP; 25 Jun 2009 13:09:34 -0400
Received: from [78.138.3.237] by prime.xx.xxxxx.edu (mshttpd); Thu, 25 Jun
2009 18:09:34 +0100
From: Rxxxxx Hxxxxx <rxxx@xxxxx.edu>
Message-ID: <fce1a4442b7d.4a43bd5e@xxxx.edu>
Date: Thu, 25 Jun 2009 18:09:34 +0100
X-Mailer: Sun Java(tm) System Messenger Express 6.2-7.04 (built Aug 17 2006)
MIME-Version: 1.0
Content-Language: en
Subject: Respond ASAP
X-Accept-Language: en
Priority: normal
Content-Type: text/plain; charset=”us-ascii”
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Return-Path: rxxxx@xxxx.edu

Filter Country IPs in SMTP Received Headers…

My displeasure for the “send me money” scammers has been documented in previous entries so I won’t bore you with that again, although I did want to talk about an idea I had to fight those losers.  Basically I want to write SMTP gateway Anti-SPAM policy that can filter for IP address ranges (dashed range or CIDR) in ANY received header.  I have a feature request into our vendor for this very ability and am looking forward to seeing how well it will work if they can make it happen.

My reasoning behind this is to fill in a gap that I see in the current Anti-SPAM tactics, which are mainly sender IP reputation and content matching.  419 emails seem to be best making it through those traps because the “last hop” before your SMTP server is some bot host here in US or the most commonly they are sent from a free email service directly (Yahoo, Gmail, Hotmail, etc) so sender reputation isn’t all that effective (neither is SPF, SenderID, DKIM) and since they are very businesslike text, content catching the Spammyness is also hard.   However, if I was able to look for trouble country IP ranges in any of the SMTP Received lines there’s a good chance I could catch many of these sent from or through foreign nations.

See some of the free webmail providers include this line to show the IP address of the computer that sent the through the browser.

Received: from [79.80.169.10] by web36802.mail.mud.yahoo.com via HTTP; Sun, 31 May 2009 17:00:44 PDT

Being able to filter on the CIDR ranges (countryipblocks.net or maxmind.com) in any received line, not just the last one with sender reputation, would greatly increase the granularity for keyword lists.  For example you can write a 419 keyword policy but you will get MANY false positives if you apply it to all email, whereas I’d like to check it only if the email was sent from or through for example Nigeria, China,  Romania,  Russia, or Poland IP ranges.  Pseudo policy below….

#SPAMKeywordsfromNigeria

SPAM_KeywordsInBodyorAttachment:

If (dictionary-contains (‘SPAM_Keywords_BodyorAttachments’)) AND

If (header-dictionary-received-contains (‘NigerianIPs’))

{

Quarantine (‘419 from Nigeria’);

}

I’ll update my blog if I’m able to apply this and how effective it is.

AutoRun part 3 and final…

So I heard through SANS ISC that M$ has decided to announce through their blogs that they are going to turn off autorun by default.  They didn’t say how exactly yet but I think it’s a good thing for all the regular users who don’t realize how dangerous that innocent thumb drive really is.  Link here…. I, nor the City of San Diego, has to worry about it as I got to have part 1 and part 2’s “learning experiences” which although frustrating were educational, and effectively turned off autorun for all PCs.

AutoRun/AutoPlay part 2…

This is an update to the “AutoRun/AutoPlay Disabling Confusion” blog entry below. I’ve been working with the WSUS admin and we have not gotten the KB950582 to install on machines below Vista. Not good.  I even checked several C$ machine shares and did not see the patch’s install folder, proving the “not applicable” option in screen
shot below.  Again Not good.

WSUS showing patch as either applied or not applicable..

However, just yesterday I logged onto one of my XP machines and I got a Windows update rompt, but that was odd because I was sure I was up-to-date. The prompt says you need  B967715 which is a patch that correctly disables AutoRun. Nice! So, MS did simplify the whole thing. They released Security advisory 967940 which points to patch 967715 for 2000,XP,2003. And to top it all off MS even addresses the confusion I mentioned in their FAQs. So my new suggestion is to apply the GPO and include the 967715 to your WSUS required patches and you should be good to go. Thanks for addressing the issue MS, maybe Bill Gates reads my blog?

Here are the links…

http://www.microsoft.com/technet/security/advisory/967940.mspx

http://support.microsoft.com/kb/967715

PS. If you already installed KB950582, you won’t need the KB967715 and it won’t show as needed.

Why are there two places to get this update?

These updates are available in two places due to the way the updates were originally offered. The updates that were offered in Microsoft Knowledge Base Article 953252 were not available from automatic updating (including Automatic Updates, Windows Update,
and Windows Server Update Services) and therefore required users to manually find these updates and install them. The updates that are offered in Microsoft Knowledge Base Article 967715 contain the same updates that correctly respect the registry keys values to disable Autorun as in Microsoft Knowledge Base Article 953252, but are being distributed via automatic updating.