Friday, March 26, 2010

iPhone Security: SMS Database Owned in Seconds

The exploit, which was demonstrated at the Pwn2Own contest at CanSecWest and targets the non-root user named "mobile", is able to access SMS data, including previously deleted messages, according to ZDNet. The exploit relies on a chained return-into-libc, a reasonably common buffer overflow attack technique.

The data that could be stolen by attacking Safari includes the phone contact list, the email database, photographs and iTunes music files.

Apple is sure to release a patch soon, but the underlying issue with code signing and stack protection is likely to remain. The important question is whether Apple will fix their approach to stack protection and further lock down the access provided to their browser user.

Thursday, March 25, 2010

Followup: GIAC Certificate Renewals

I recently posted about GIAC's new renewal process, and inquired with SANS about how the renewal tracking would work. Here's their answer:

"SANS training no earlier than two years prior to your certification expiration date is eligible for CMUs toward your certification renewal. Once you register and pay for your renewal, you will need to fill out the Submission Form and fax it to 866-627-6387 for review."

Hopefully SANS will follow in the footsteps of their peers as they work with this process, and will automatically count SANS courses toward a rolling renewal total.

Tuesday, March 23, 2010

Snort ACID MySQL Database maintenance...

I've recently inherited a Snort installation that uses MySQL/ACID/BASE and had run itself out of room on the root partition where everything was stored. After some emergency resuscitation of the LVM, I set out to write a few MySQL statements that remove data older than X days. These commands can be run from the mysql command line, in order, replacing X with the number of days you want to keep:

DELETE FROM event WHERE timestamp < DATE_SUB(NOW(), INTERVAL X DAY);
DELETE FROM data USING data LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM iphdr USING iphdr LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM icmphdr USING icmphdr LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM tcphdr USING tcphdr LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM udphdr USING udphdr LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM opt USING opt LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM acid_event USING acid_event LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM ag USING acid_ag_alert AS ag LEFT OUTER JOIN event AS e ON ag.ag_sid=e.sid AND ag.ag_cid=e.cid WHERE e.sid IS NULL;
OPTIMIZE TABLE event, data, iphdr, icmphdr, tcphdr, udphdr, opt, acid_event, acid_ag_alert;

Of course if you want to automate this you can place these commands and any others you need to execute (such as archiving the database first) in a script and use the ".my.cnf" mysql configuration file to store your user/database information. Don't forget to secure the preferences file!
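Here is a small wrapper script, added as an example and not part of the original post, that does what the paragraph above describes: it takes the retention window as an argument, prints the statements in order (with the age-based DELETE on event in front), and refuses to run at all if ~/.my.cnf is readable by anyone but its owner. It assumes a database named snort and a [client] section in ~/.my.cnf holding the user and password; the script name snort-prune.sh is an assumption as well.

```shell
#!/bin/sh
# snort-prune.sh (added example, not from the original post)
# Usage: snort-prune.sh DAYS [DATABASE]   -- credentials come from ~/.my.cnf
set -eu

# Returns 0 only if FILE exists and is readable/writable by its owner alone.
cnf_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Prints the pruning statements for a DAYS retention window, in order:
# age out old events, drop the rows they orphan, then reclaim the space.
prune_sql() {
    case "$1" in ''|*[!0-9]*) echo "DAYS must be a whole number" >&2; return 1 ;; esac
    cat <<EOF
DELETE FROM event WHERE timestamp < DATE_SUB(NOW(), INTERVAL $1 DAY);
DELETE FROM data USING data LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM iphdr USING iphdr LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM icmphdr USING icmphdr LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM tcphdr USING tcphdr LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM udphdr USING udphdr LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM opt USING opt LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM acid_event USING acid_event LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM ag USING acid_ag_alert AS ag LEFT OUTER JOIN event AS e ON ag.ag_sid=e.sid AND ag.ag_cid=e.cid WHERE e.sid IS NULL;
OPTIMIZE TABLE event, data, iphdr, icmphdr, tcphdr, udphdr, opt, acid_event, acid_ag_alert;
EOF
}

main() {
    cnf="${HOME}/.my.cnf"
    if ! cnf_is_private "$cnf"; then
        echo "refusing to run: $cnf is missing or readable by group/others (chmod 600 it)" >&2
        return 1
    fi
    prune_sql "${1:-}" | mysql --defaults-file="$cnf" "${2:-snort}"
}

# Run only when executed as a script, so the functions can also be sourced.
case "${0##*/}" in snort-prune.sh) main "$@" ;; esac
```

Drop it into cron with the number of days you keep, and archive the database beforehand in the same script if you need the old alerts.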

Have you got any suggestions to make this better? Leave a comment on how you maintain the Snort data - and play some golf with the commands.

Monday, March 22, 2010

Dealnews Ad Feed Hit With Malware

On March 19th, an ad served by dealnews' third-party ad service started distributing FakeAV malware. Dealnews' response is below:

"Updated: An ad served from a major third-party ad server generated "virus warnings" when those ads were viewed on dealnews, as several readers found. The ad has been disabled, eliminating any threat. In at least some cases, the ad attempted to download an ".exe" file and execute it, which is what caused the virus warnings. If you visited dealnews since Friday, use a Windows PC, and are concerned about this possibility, we suggest that you run an anti-virus check. We apologize profusely for any inconvenience.

We are deeply troubled by even the possibility that any of our readers' computers could be affected, and we're working hard to put processes in place to prevent such incidents from happening in the future. Thank you to the readers who alerted us of the warning from their antivirus software."

Until ad networks vet code more thoroughly, users will have to continue to protect themselves by using NoScript, a sandbox program, or some other method of protecting their browser from attacks. The slow update cycles for browser plugins continue to make them a threat for most users.

Wednesday, March 17, 2010

New GIAC Certification Maintenance Process - Keep your GIAC cert without retesting

SANS is moving their GIAC certification maintenance to a model closer to that used by (ISC)2. The options are now either a re-certification exam or a "Certification Maintenance Unit" (CMU) approach requiring 36 CMUs over a 4 year period. The cost to renew - $399 - is still required, although additional certifications that expire within the next two years are renewed at half cost.

The main options are course based CMUs and GIAC Gold papers, although the standard certification exam remains an option, and a number of smaller CMU count secondary activities are available.

In brief:

  • Retaking and passing the test is worth 36 CMUs
  • A GIAC Gold paper is worth 36 CMUs
  • A completed 6 day SANS or "qualifying non-SANS" course is worth 36 CMUs
  • A 1 day course is worth 6 CMUs
  • Documented work experience is worth 12 CMUs
  • GIAC or SANS community participation is worth 6 CMUs

If you have a SANS certification, this is an attractive option - you'd pay the same for the test, and can likely complete enough coursework over four years to finish 36 CMUs. Will these requirements keep GIAC certification holders up to par? Only time will tell.

I've queried SANS about how they're tracking existing training during the past 4 years for those who have pending renewals, and if they will provide a tracking mechanism like (ISC)2 does for CISSP holders, and I'll post their response.

Friday, March 12, 2010

Why Stopping Modern Malware Isn't Working - Fighting Torpig, Sinowal, and Mebroot

Those of us who have been in the IT world for a while recall when viruses were transferred by floppy disks, creating infection patterns that could be easily handled by simply cleaning up a lab or a small group of friends who used the same PCs. Over time, we became used to network-based infections as Code Red and Nimda hit our networks.

Since then, we've seen far fewer heavy hitting worms as our systems and our networks have been armored against such exploits. Over the past few years, we've begun to see a transition to malware that relies on users to spread. This malware, such as the broad family of Fake AV products, requires a user to click, and is usually aimed at the user themselves. Fake AV, for example, typically seeks to get users to provide their credit card number to remove the fake malware it lists.

Nastier malware is out there, however. Mebroot, a particularly nasty specimen, is often the first step in a hard to handle infection. Mebroot is often spread through web based ad networks - so called "drive-by downloads" or "drive-by infections" targeting browser plugin and browser vulnerabilities. Once there, it injects itself into the PC's master boot record. As F-Secure puts it, "In the competition between rootkits and rootkit detectors, the first to execute has the upper hand."

Once Mebroot is on a system, Torpig, a botnet client, often follows. Torpig, like Mebroot, comes in many flavors, but most attempt to steal user credentials, credit card information, and bank account details, which they send to central servers. One group of researchers observed 70 GB of stolen data in a 10 day exercise conducted against a Torpig botnet. The same researchers observed 180,000 infections during that time.

The Torpig botnet is well protected - it uses domain flux to keep the controller nodes moving, and when paired with a Mebroot infection, Torpig itself can be both very hard to find and extremely hard to remove. Thus far, my own work with it has shown that manual capture and analysis of the MBR using tools like VirusTotal and Norman Sandbox is somewhat successful, although the quick changes that the malware authors make mean that most mainstream antivirus is useless, and the more targeted tools like GMER can't always keep up.

There's not a silver bullet for these infections yet, other than running an OS that is not targeted by the malware. Thus, MacOS and Linux users remain safe, although that may change over time. If you're stuck in a Windows environment, particularly if you're using Windows XP, you're in much greater danger. Those users running Windows Vista and Windows 7 are likely to have a better chance of avoiding infection thanks to UAC.

For those looking for a solution, sandbox technologies like Sandboxie may be a good option. As always, patching your browser and all of its plugins is still a reasonable best practice, but many plugins have unpatched holes for weeks or months at a time.

In the meantime, show your senior management this New Zealand Herald article - it provides one of the better mainstream media writeups I've seen.

Thursday, March 11, 2010

Battery Chargers and Trojans, Oh My!

Energizer recently confirmed the existence of a vulnerability in the charging status software provided with their Duo Charger. The software was found to contain a back door called "Arucer.dll", which is a remote access Trojan. The Trojan is set to autorun, and will request a firewall exception when it runs.

US-CERT provides full detail, including removal and cleanup information.

This is another great reason to periodically run a report of the firewall exceptions allowed in your organization (using SMS or another tool), if they're allowed at all.

Thursday, March 4, 2010

How Not To Destroy a Flash Drive...and How To

The Smoking Gun describes a recent incident in which a New York City man under investigation by the Secret Service for ATM skimming "grabbed Subject Flash Drive 2, which had been on his person at the time of his arrest, and swallowed". Unfortunately for the subject, after four days had passed without the reappearance of the flash drive, it was surgically removed.

The article does not note whether the data on the drive was recoverable, but the list of other evidence indicates that this probably just added another charge to the accused's list of charges.

If you actually do want to erase a thumbdrive, your best bets are:

  • Eraser for Windows
  • Disk Utility for MacOS
  • For Linux, DBAN (if you're careful to only wipe the device you mean to) or a simple command line: dd if=/dev/zero of=/dev/<your device> bs=1M (you can also use /dev/urandom to fill the drive with random data, and can adjust the block size for speed)

If you're more interested in destruction, most of the typical processes used to physically destroy hardware work, from a hammer to an appropriately powerful shredder. Remember that flash drives are not magnetic media, and that a degausser won't do you any good.
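Since the dd approach only works out if you point it at the right device, here is a small wrapper, added as an example and not part of the original post, that refuses to overwrite any device that currently has a mounted filesystem on it (or on one of its partitions) and asks you to type the device path back before it starts. The function names and the optional mounts-file argument (there so the check can be tried against a constructed table instead of the live /proc/mounts) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): guarded version of the
# "dd if=/dev/zero of=/dev/<device>" wipe from the list above.
set -eu

# is_mounted DEVICE [MOUNTS_FILE]
# Returns 0 if DEVICE, or any partition on it (e.g. /dev/sdb1 for /dev/sdb),
# appears as a mounted source in MOUNTS_FILE (defaults to /proc/mounts).
is_mounted() {
    dev="$1"; mounts="${2:-/proc/mounts}"
    awk -v d="$dev" 'index($1, d) == 1 { found = 1 } END { exit found ? 0 : 1 }' "$mounts"
}

# wipe_device DEVICE [SOURCE]
# Overwrites DEVICE with zeros (or with /dev/urandom if given as SOURCE)
# after checking that it is a block device, is not mounted, and that the
# operator confirms the exact path.
wipe_device() {
    dev="$1"; src="${2:-/dev/zero}"
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if is_mounted "$dev"; then
        echo "refusing: $dev (or a partition on it) is mounted" >&2
        return 1
    fi
    printf 'About to overwrite %s using %s. Type the device path to confirm: ' "$dev" "$src"
    read -r answer
    [ "$answer" = "$dev" ] || { echo "aborted" >&2; return 1; }
    dd if="$src" of="$dev" bs=1M
}
```

Run it as root, e.g. `wipe_device /dev/sdb` or `wipe_device /dev/sdb /dev/urandom`; it exits non-zero without writing anything if any check fails.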

Monday, March 1, 2010

When System Issues Look Like Malware...But Aren't

"My computer is typing to itself" - that's one of those lines that gets the attention of any IT person, and particularly gets a security analyst to sit up and pay attention.

Thus, when I heard those words, I headed down the hall to check out the system in question. It was definitely typing to itself. The system, a laptop, would fill in text wherever the cursor sat, and would open a search bar if no application was active. Left to its own devices, rather oracular sounding text like the following was appearing:

"The you know you are using the zone to the net and what it is a young man in a long line of you didn't know as soon the room will send you wish you sell and move the mean no longer be a U.N. own movie and more than one and one was injured when an E. and in an And move is not invite you to UNITA has not been a move that was a year in and was thrown in the sense that certainly room move on and down and was down there that are the men and women in the news and then an And you you and you end up in a bit of the moon and when you move in the middle of the yen is wrong in what"
It looked a bit like every chat session on the network was being dropped in fragmentary fashion into the applications that were open. What it didn't look like was malware. That meant that we could satisfy curiosity rather than pull out the event response process.

The usual tricks - disconnecting the network, disabling network devices, ensuring that no Bluetooth or IR activity was possible, and of course, removing the wireless USB keyboard and mouse had no effect. This was obviously coming from the local system.

The interesting thing is that the text reminded me of a text to speech program, but the user didn't use one - they did note that they had used one years ago, but not since, and that Office had been upgraded in the interim.

Keeping the room silent and saying easily distinguishable words did not result in matching - or even similar text. The result continued to look like this:

Rebooting the system made it stop...for a while. Dogbert may have had a point.

It has been a while since I was a full time desktop support person, so I enlisted the aid of a couple of senior user support folks in case there was something common that I hadn't dealt with before. The answers that came back could be paraphrased as "That's really weird" and "That does look like some sort of text to speech".

Further digging showed that yes, the system's built in microphone was on, and that it used an integrated sound driver. The microphone's gain was so high that it was generating significant amounts of data even in a completely silent room - and our source of oracular typing was found.

We disabled the microphone, and since then, the system has kept its literary attempts to itself. As for your friendly local security guy? Well, I had a good laugh - and I know where to find a good source of random when I need one.