Incident Handling for the masses
Some time since I posted here (work, travel. holiday and other excuses) but I hope to have a little more spare time in the future.
I woud like to use this post to raise some awareness on basic incident handling procedures. I learned some time ago at SANS that Incident Handling is a process which consists of the following steps:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Special Actions for Responding to Different Types of Incidents
- Incident Record Keeping
- Incident Follow-Up
I am not going to explain each step of the process as this would take this article too far. I would just like to stress that there is more to it than just eradicating the problem.
The reason why I am stressing on this, is that in most cases, people who are infected with some kind of malware tend to think of only one thing: get the thing removed from their system and carry on. It is interesting to see that most people don’t really care what the purpose of the malware was! And some companies do so too.
Let’s say you were infected with some kind of banking trojan, wouldn’t you want to make sure that your bank account isn’t missing a few euros? And if it was a password stealing malware, wouldn’t it be a good idea to change that password you use at every site you visit?
I am not saying that you should start going through the complete incident handling process every time your non-IT savvy friend’s PCs are infected with the latest spyware but at least keep the incident handling process somewhere in the back of your mind. If it is only one kind of malware, investigate and inform your friend what the malware’s purpose was and what he or she should do with that information. If it is a whole zoo of malware living on your friend’s system, I would not only flatten & rebuild the system but would also give some generic advice on what he/she should do now after the mass infection. This would include basic housekeeping like change passwords, keep an eye on his accounts, etc. I also would give some advice on how to prevent infection in the future and explain how he/she might likely have been infected.
Off course, your non-savvy friend might not understand or even be frightened and you might think that their ignorance is your bliss but I am convinced that without spreading a little awareness, you are fighting a fire with a very limited supply of water.
Vista Gadgets
While I was looking into writing my own gadget for Vista’s Sidebar to display my Google Reader news, it hit me that Gadgets are really simple web browser applications.
They consist of only 1 XML and 1 HTML file in general and can contain JavaScript, vbscript, wmi scripts,… (everything basically). This should make you think because XSS, XSRF and all kinds of web exploits can potentially work in your sidebar if the right precautions have not been made!
Vista’s UAC warns you when you install a gadget or when the gadget isn’t signed but how many users would click yes to install ‘that cool gadget which also happens to contain a little bit of malicious code’? Most likely all of them.
There are even more attack vectors for the Vista Gadget API and I found an interesting paper which discusses these and also shows which precautions Microsoft made: http://www.portcullis-security.com/uplds/Next_Generation_malware.pdf
It is not too long and goes not too deep but gives the reader enough info and links to investigate further if wanted. The portcullis-security.com website also has a nice download section which contains a lot of interesting tools.
Free Online Security CheckUp for 3rd party apps
With the application vulnerability threat landscape evolving more and more towards 3rd party application exploits (Flash, Adobe, Winamp,….) instead of the classic network worms based on Microsoft Windows exploits, it becomes more and more needed to keep this 3rd party software up to date as well.
In large managed environments this is done by a central system which updates the software on your PC to the latest (and secure) version as soon as the central administrator deploys it. It is the network administrator’s task to keep track of what software requires an update.
In small environments (or at home) where these kinds of systems are not in place, you have to do it for yourself! For Microsoft software, this is no problem as it is handled through Windows Update. But how do you know which of the software tools installed on your system urgently needs an update?
Well, F-Secure released a free online checkup tool which you can let loose on your system.
It reports for all software on your system whether it should be updated or if it is configured in an unsecure manner.
The tool itself runs only through an ActiveX control in Internet Explorer which is the only disadvantage of the tool. I would have preferred a stand-alone application but I am not going to look a gift horse in the mouth.
Patch Tuesday January 2008
Microsoft just released their monthly patches.
It contains:
- one important patch (LSAS, local exploit)
In my opinion, especially important for systems like terminal servers or shared multi-user systems. - one highly critical patch (vulnerability in TCP/IP stack)
The reason why I am writing about this and put the TCP/IP vulnerability in bold is that this is one which goes against the trend. It is a remotely exploitable vulnerability on the network level. A crafted IGMP / ICMP message triggers the exploit. Even Vista is vulnerable out of the box (for the IGMP part, not for the ICMP part).While the trend is moving more and more to 3rd party applications and no longer pure network worms, this is a vulnerability which is perfect to create a network worm. It can be mitigated by classic protections:
<quote from Microsoft>
Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. Perimeter firewalls that block multicast traffic (IGMPv3 and MLDv2 specifically) help protect internal network assets from this attack that originate outside of the enterprise perimeter.
</quote from Microsoft>
Another observation is that the past months, we have seen several vulnerabilities for MS Vista. Interesting enough Windows Vista was the first OS to be spawned from Microsoft’s Security Development Lifecycle, a process designed to produce more secure products. Although Microsoft is one of the ONLY software vendors who follows these strict security development and patching guidelines (not even security vendors like McAfee, Symantec,..do so !), it is not perfect yet. But at least, they are already on a good path.
MD5 collisions
MD5 hashes are no longer safe as a hash for signing applications or fingerprinting documents
It is possible (in a ‘chosen prefix attack scenario) to generate identical MD5 hash values for two functional different binaries.
Security software which checks the MD5 signature of an application/document to verify its integrity is no longer to be trusted to provide the correct results.
What about VPNs?
This does not mean that it is now possible to alter the integrity of a VPN connection. Simple reason for this is that in a VPN scenario, data flows continuously over the network and an MD5 hash is only valid for a matter of milliseconds (time the data needs to go from point A->B). It is currently not (yet) possible to alter data, calculate and update identical hashes on the fly. The researchers used a PlayStation 3 with its advanced cell processor to calculate collision hashes as fast as a 30 PC cluster but still it took hours or even days to perform the calculation. Time based security is what effectively protects a VPN in this scenario.
SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 are still considered pretty safe and are mandatory in US federal organizations.However, SHA-1 has been reported broken back in 2005 and it was advised to move away from SHA-1 then as well.
Currently the NSA is considering candidates for the next generation hashing algorithm.
Most likely not. Simple things still work for the average attacker so there is no need for them in investing in this attack scenario. Especially not for infecting the general public and expanding current botnets.
For targeted attacks and corporate/international espionage scenarios, the story is different. There the attacker might go through the difficulties of this attack because the stakes are higher.
Fiber Cable Not Safe Against Eavesdropping After All?
It seems that it is possible to listen to the signal of a fiber cable with a piece of hardware which costs less than $1000.
Organizations where eavesdropping of cables is not an acceptable risk and who have invested in fiber everywhere (instead of EM radiating copper cable) have to make sure that their cabling is physically protected, that encryption is used in every protocol sent over the cable and, if needed, implement a Fiber IDS system.
OpenVPN and Linksys WRT-54G
This weekend, I put a Linksys WRT54G at my sister’s apartment to enable her(and her boyfriend) to share the internet connection. No big deal off course but I also thought it would be nice if the router could act as an OpenVPN client so my network and her network would be securely connected through the VPN. This enables her to pop mail from our mailserver in a secure manner and it enables me to give some remote support by VNC-ing to her computer.
So how to do this?
- Upload DD-wrt’s latest ‘VPN’ firmware build for the WRT 54G
- Generate certificates for the WRT router on the central server (a linux box at my home network in this case which hosts the PKI)
- Add the following to the central server OpenVPN conf file: route 192.168.10.0 255.255.255.0
- Create a ccd file with the same filename as the name you chose for the WRT during certificate setup and put the following in the file: iroute 192.168.10.0 255.255.255.0
- Make sure the WRT syncs its time through NTP. Otherwise certs might be detected as invalid!
- Paste these certs in the web interface of the DD-WRT and do the basic configuration through the webinterface.
- Adapt openvpn.conf to my specific setup by enabling the following in the DD-WRT startupscript:
sleep 20 echo "auth SHA1" >> /tmp/openvpn/openvpn.conf echo "cipher AES-256-CBC" >> /tmp/openvpn/openvpn.conf killall openvpn openvpn --config /tmp/openvpn/openvpn.conf --route-up /tmp/openvpn/route-up.sh \\ --down /tmp/openvpn/route-down.sh --daemon
- Adapt the firewall script to disable natting and accept traffic for the OpenVPN interface on the WRT. Real firewalling will be done on the central linux box
iptables -t filter -I FORWARD -i tun0 -j ACCEPT iptables -t filter -I FORWARD -o tun0 -j ACCEPT iptables -t filter -I INPUT -i tun0 -j ACCEPT iptables -t filter -I OUTPUT -o tun0 -j ACCEPT iptables -t nat -I POSTROUTING -o tun0 -j ACCEPT iptables -t nat -I PREROUTING -o tun0 -j ACCEPT
- Done! Both networks are now interconnected!
It took me some time to get it up and running Saturday but I think that the little hangover I had from a fine party I attended Friday night in Leuven was to blame for that (damn you Cristal beer 
)
Strong Authentication, Online Banking and Phishing
When my bank started with online banking a few years ago, the authentication they used was a client certificate protected by a password. From time to time one had to renew the certificate and change the password. Off course, this type of authentication is vulnerable to various phishing attacks.
Last year, they rolled out a digipass system to authenticate their users in a more secure way. This particular digipass works with a challenge response code. A challenge is displayed on the website. The response code, which authenticates the user, can be generated by the digipass. The digipass can generate the correct response only by inserting your smart bank card in the device and entering your pin code on the digipass. This makes the authentication strong and two-factored. It consists of something you have (your bank card/digipass) and something you know (your pin code). Furthermore the challenge/response changes every time so it cannot be reused.
However, this system is still vulnerable to phishing proxy attacks. In these attacks, the phisher lures the victim to his website. The attackers’ website merely acts as a man-in-the-middle reverse proxy to the real banking website. This way, the strong authentication gets passed on to the bank but the attacker has a way to modify the transactions.
Off course you might think that SSL would prevent these types of phishing and in a way it does. However, we are now seeing an emerging number of so called bank trojans. These trojans manipulate the data before it enters the SSL secured channel. They wait until the authentication is complete and when a transaction is made, they can add their own malicious transactions masqueraded from the user.
The major vulnerability which both of these attacks exploit is the integrity of the transaction. You have SSL securing the channel, Strong Authentication to add security to the authentication but no integrity of the data transferred in the transaction.
Last month, my bank upgraded the security of the online banking application to mitigate this vulnerability. As you can see in the screenshot below, the response to authorize a transaction is now the result of a cryptographic function which includes the total amount of money in the transactions.
This is explained to the user by highlighting the total value of the transactions in red so the user can make the connection and can check if it is valid or not.
For the Bank Trojans, this is bad news as the user will now notice when a hidden transaction is smuggled in the application because the red value would be different than the one the user would expect.
I can only applaud my bank for following up on the latest threats in phishing and online bank fraud.
The greatest threat to the current system I currently see is end-user awareness. If the user does not understand or see the importance of the ‘red’ numbers, the banking trojans still win.
Certified Mail from GoodMail systems
I read an article today about major US ISPs which are signing up for GoodMail.
Goodmail offers CertifiedEmail which according to their website does the following:
The Certified Email™ Solution
What is CertifiedEmail?
CertifiedEmail is a premium delivery option for qualifying senders that positively affects email marketing metrics. Once you have been accepted into the program, your marketing and transactional messages become trusted-class email at participating ISPs. Since they know that your email is authentic and comes from a verified sender, these ISPs convey special privileges.100% Assured Delivery
Spam filters inadvertently send up to 20% of your permission email into junk folders. In contrast, CertifiedEmail is routed automatically to the inbox, past content and volume filters. You get 100% of your email delivered.Links and Images Rendered by Default
Nearly all ISPs today disable links and images on default as a protection against phishing. CertifiedEmail messages are presented with all images intact and links working. Users can’t respond if they don’t see your email. With CertifiedEmail, they’ll see it.Special Blue Ribbon Envelope Icon
ISPs specially mark all CertifiedEmail messages with a blue ribbon envelope icon, which tells consumers that your message can be trusted and is safe to respond to. The email you send as CertifiedEmail is visually differentiated from other volume messages. CertifiedEmail is marked with a blue ribbon envelope in your inbox. When you open a CertifiedEmail, you’ll see the blue ribbon envelope icon again – just outside the body of the email message.
It is troubling that large ISPs like Verizon, At&T, AOL and Yahoo are falling for this marketing nonsense. Much of the same arguments are valid against this technology as I mentioned in a previous post about Domain Keys.
Even worse in this technology are the 100% delivery guarantee and the guarantee that images are displayed in the e-mail client. Of course these are handy guarantees if you are a legit mass mailer but two major problems pop up in my mind.
A promise of 100% delivery guarantee is something no one can ever make good. The reason for this is that the sender does not control the final destination (my mail client/mail server). If the receiver has a spam system which does not care about GoodMail, then it falls back on the usual spam detection filters. I wonder how GoodMail’s legit mass mailers will react when they see that the 100% they bought isn’t really what they thought it would be. The same goes for the displaying of images. You cannot guarantee that if you don’t control the end point.
The other problem is the scary thought that some of the CertfiedEmail senders might get owned by a spammer and become zombie hosts in the spammer’s botnets. In this scenario, the spammer will be able to send out CertifiedEmail by using the zombies as a relay point. This would be great from the spammer’s point of view because much of the spam filters get bypassed.
Still not a good solution for the spam issue, it seems.
0xa12:0×0001
For the ones who did not read Max Moser’s paper about converting a cheap USB bluetooth dongle into a full blown bluetooth sniffer, the code 0xa12:0x0001is the devide ID for the cheap CSR based bluetooth device which Max used to do the conversion.
The reason why I am so happy with this code is that this code is exactly the code which came on my linux computer when I inserted my new Bluetooth USB key and typed ‘lsusb’.
I also found a good howto which brings Mosers’s theory into practice. I did not have much time this weekend so I will try to test the howto during the next days.
On the non-IT side, I celebrated my 27th birthday this weekend, went to a little festival in Olen (pics), attended my second cousin’s baptism party and enjoyed a few bbq meals in between (despite the rainy weather).