Archive for March, 2009

Steve Liesman on Inputs vs Outputs

Friday, March 6th, 2009

I’ve been blogging recently on Inputs vs Outputs, or Why Controls Are Not Sufficient. I’ve also been writing about Wall Street for the past year and a half. What we are seeing in the business realm is one of the biggest incident response engagements the world has ever seen.

This morning on CNBC’s Squawk Box, reporter Steve Liesman summarized the market’s reaction to the ongoing crisis. The latest jobs report had just been released, and panelists were debating the effectiveness of the administration’s announcements of various plans. Steve said:

It’s not what you’re doing that matters; it’s whether or not it works.

In other words, focusing on the inputs as a measure of success is a waste of time. You have to know the score of the game. In the business world, the score of the game is measured using employment numbers, stock market prices, the London Interbank Offered Rate (LIBOR), currency valuations, and so on. My post Controls Are Not the Solution to Our Problem has one set of ideas for measures in the digital security world.


Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. “Super Early” Las Vegas registration ends 15 Mar.

Proofpoint Messaging Security Gateway

Friday, March 6th, 2009

Proofpoint Messaging Security Gateway 5.5 is a unified email security appliance that delivers a host of features to protect inbound and outbound messaging.

SmoothWall Network Guardian

Friday, March 6th, 2009

Network Guardian is a self-contained software appliance that incorporates SmoothWall’s exclusively dynamic and intelligent approach to web content filtering alongside anti-spyware, anti-virus and browser exploit prevention.

Proof of concept released for Google Gmail CSRF flaw

Friday, March 6th, 2009

A vulnerability in Google’s Gmail that enables cross-site request forgery (CSRF) attacks has been recognised since 2007, but a proof-of-concept (PoC) was only released on Tuesday.

enVision 4.0 goes live

Friday, March 6th, 2009

We’re pretty pumped here at RSA, since today we’re releasing our latest and greatest version of RSA enVision.

RSA enVision 4.0 has some really cool new features, and should be a boon for anyone trying to get a better handle on using log data to deal with any bad stuff that may be going on in their IT environment.



Cyber Stress Cases

Thursday, March 5th, 2009

Earlier this week I attended an IANS Mid-Atlantic Information Security Forum. During the conference Phil Gardner made a good point. He noted that the ongoing credit crisis has fundamentally altered the world’s perception of business risk. He said the changes to financial operations are only the beginning. These changes will eventually sweep into information security as well.

This reminded me of the world’s reaction to 9/11. The day the attacks happened, I was working at our MSSP. Some of my customers called to ask if we were seeing unusual digital attacks against their systems. That really surprised me, but it emphasized the fact that 9/11 introduced a new era of security-mindedness. I believe that era has largely passed, but for the better part of this decade 9/11 stimulated security thinking.

I watch as much CNBC as possible (during lunch and dinner) and I am hearing the term “stress cases” repeatedly. This is not the same as Treasury Secretary Geithner’s “stress tests,” but it is related. Businesses are essentially doing planning for various levels of financial stress. In other words, they analyze financial operations in the case that their assets are worth 50% of book value, or 40%, or 30%, and so on.

From a digital security standpoint, that sounds like incident response planning. You make plans for various contingencies and decide how to handle them. I think this will manifest itself when you hear your CxO ask “what will you do if X, Y, or Z happen?”


The dreaded FIPS complaint setting

Wednesday, March 4th, 2009

(Ok, a typo in the subject, but it was funny so left it in)

The Technet blogs require registration to comment, and don’t allow me to use my Microsoft Live account to log in, much less openID. I didn’t feel like registering for yet another “community” so I left without commenting.

The ISA server product team blog at Technet wrote about a case where the customer Cannot Browse a HTTPs Site Published by ISA Server 2006 without using TLS 1.0 on Internet Explorer

I chuckled reading that headline because I’ve been there before.

When I upgraded to ISA 2004, I installed from scratch and applied a recommended hardening policy. I tested it with my computer using Internet Explorer and Firefox, and went home happy. I couldn’t understand why I received email from my manager reporting that people couldn’t get in.

I figured out relatively quickly that my system had TLS 1.0 enabled and the systems that couldn’t access using IE did not. That led me to the FIPS compliant setting in Group Policy. I actually blogged about this in 2006.

The problem also occurs if you configure that setting on the clients. (The policy is “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”. With it enabled, Schannel negotiates only TLS 1.0 with FIPS-approved cipher suites and refuses SSL 2.0 and SSL 3.0, so a peer that has TLS 1.0 switched off never completes the handshake.) In January 2008, I also wrote about this setting and the FDCC and what a mistake I thought it was to require clients to turn it on.

Optimizing strong authentication: A two-step deployment strategy

Wednesday, March 4th, 2009

Coupling strong authentication with enterprise single sign-on can enable organizations to achieve both strong user and strong application authentication with little incremental integration costs.

Bejtlich Teaching at Black Hat USA 2009

Wednesday, March 4th, 2009

Black Hat was kind enough to invite me back to teach two sessions of my new 2-day course at Black Hat USA 2009 Training on 25-26 July and 27-28 July 2009 at Caesars Palace in Las Vegas, NV.

This class, completely new for 2009, is called TCP/IP Weapons School 2.0. These are my last scheduled classes in the United States in 2009.

Registration is now open. Black Hat set five price points and deadlines for registration.

  • Super Early ends 15 Mar
  • Early ends 1 May
  • Regular ends 1 Jul
  • Late ends 22 Jul
  • Onsite starts at the conference

As you can see in the Sample Lab I posted last week, this class is all about developing an investigative mindset by hands-on analysis, using tools you can take back to your work. Furthermore, you can take the class materials back to work — an 84 page investigation guide, a 25 page student workbook, and a 120 page teacher’s guide, plus the DVD. I have been speaking with other trainers who are adopting this format after deciding they are also tired of the PowerPoint slide parade.

If you’ve attended any of my previous classes, you are most welcome in the new one. Unless you attended my Black Hat DC training last month, you will not see any repeat material whatsoever in TWS2. I look forward to seeing you, either in Las Vegas or Amsterdam. Thank you.


Bro SSL Certificate Details

Wednesday, March 4th, 2009

I was asked today about using Bro to record details of SSL certificates. I wanted to show an excerpt from one of my class labs as an example.

In one of the labs I use Bro to generate logs for a network trace. The idea is that by looking at the server subject and server issuer fields, you might identify odd activity.

First I generate Bro logs.

analyst@twsu804:~/case03$ /usr/local/bro/bin/bro -r /home/analyst/pcap/tws2_15casepcap/case03.pcap weird notice alarm tcp udp conn http http-request http-reply http-header ssl dns

You can see Bro summarize the SSL connections it sees on port 443 TCP by default.

analyst@twsu804:~/case03$ grep https.start ssl.log
1230953783.860406 #1 192.168.230.4/1700 > 67.199.36.111/https start
1230953792.363305 #2 192.168.230.4/1702 > 67.199.36.111/https start
1230953999.730060 #3 192.168.230.4/1712 > 63.245.209.118/https start
1230954052.303861 #4 192.168.230.4/1735 > 194.109.206.212/https start
1230954060.752904 #5 192.168.230.4/1742 > 24.92.58.169/https start
1230954060.811960 #6 192.168.230.4/1743 > 88.84.144.63/https start
1230954060.843277 #7 192.168.230.4/1740 > 92.195.102.210/https start
1230954060.860087 #8 192.168.230.4/1744 > 85.125.106.58/https start
1230954060.879373 #9 192.168.230.4/1746 > 82.94.251.204/https start
1230954061.166306 #10 192.168.230.4/1747 > 124.16.143.97/https start
1230954061.167447 #11 192.168.230.4/1738 > 220.175.170.133/https start
1230954064.376426 #12 192.168.230.4/1748 > 82.29.1.204/https start
1230954064.408963 #13 192.168.230.4/1749 > 87.97.231.238/https start
1230954075.839499 #14 192.168.230.4/1754 > 91.143.87.107/https start
1230954136.655647 #15 192.168.230.4/1763 > 140.247.60.83/https start
1230954136.763340 #16 192.168.230.4/1764 > 62.141.58.13/https start

You can take a deeper look at these SSL connections using Bro. First I create a list of search terms for grep, and then I grep for those search terms in ssl.log.

analyst@twsu804:~/case03$ cat ssl_grep.txt
server subject
server issuer

Here is the grep.

analyst@twsu804:~/case03$ grep -f ssl_grep.txt ssl.log
1230953999.730060 #3 X.509 server issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
1230953999.730060 #3 X.509 server subject /C=US/ST=California/L=Mountain View/O=Mozilla Corporation/CN=*.addons.mozilla.org
1230954052.494060 #4 X.509 server issuer /CN=www.z72ey43i.net
1230954052.494060 #4 X.509 server subject /CN=www.defgig6t6azjbr2.net
1230954060.813874 #5 X.509 server issuer /CN=www.kmz5vo6e6.net
1230954060.813874 #5 X.509 server subject /CN=www.pkpwmlwen7vge.net
1230954060.932578 #6 X.509 server issuer /CN=www.ne2jqp556.net
1230954060.932578 #6 X.509 server subject /CN=www.dpcmd6qbqlpabomp5ki5.net
1230954061.007888 #8 X.509 server issuer /CN=www.rdsm2znz.net
1230954061.007888 #8 X.509 server subject /CN=www.dme2njaquxi.net
1230954061.022973 #9 X.509 server issuer /CN=www.hqnn5zhz.net
1230954061.022973 #9 X.509 server subject /CN=www.76grma4ml.net
1230954061.500215 #10 X.509 server issuer /CN=www.4h33vtek5c4p57wuae.net
1230954061.500215 #10 X.509 server subject /CN=www.tx7iuwu56.net
1230954061.510028 #11 X.509 server issuer /CN=www.npn3go6542.net
1230954061.510028 #11 X.509 server subject /CN=www.fqhbh226p.net
1230954063.926987 #7 X.509 server issuer /CN=www.ennvjjpqlvnehtbqae74.net
1230954063.926987 #7 X.509 server subject /CN=www.3lp45iastk.net
1230954064.513351 #12 X.509 server issuer /CN=www.3bxwanjs7lrqrduij.net
1230954064.513351 #12 X.509 server subject /CN=www.5cioy5x224bja6wnf.net
1230954064.575053 #13 X.509 server issuer /CN=www.i6rtf7w3bdbdh.net
1230954064.575053 #13 X.509 server subject /CN=www.r7thso6x.net
1230954076.059391 #14 X.509 server issuer /CN=www.uiwpjnmjsqgatlo2ppik.net
1230954076.059391 #14 X.509 server subject /CN=www.r4g5fuzu3rybrf.net
1230954136.715980 #15 X.509 server issuer /CN=www.dsl47i66rnpesdparhj.net
1230954136.715980 #15 X.509 server subject /CN=www.zgxc7xvt6aj2xqo7z.net
1230954136.904599 #16 X.509 server issuer /CN=www.u2vuanrtt6v3ckj77u.net
1230954136.904599 #16 X.509 server subject /CN=www.b6w4ffeimiezuhp7bilm.net

If you’ve ever looked at Tor SSL certificates you’ll recognize the traffic here.
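Grepping for the subject and issuer is enough by eye, but the pattern that gives Tor away here (a certificate whose issuer and subject are both bare CNs of the form www.<random>.net, with no CA in the chain) is easy to check mechanically. The script below is an added example, not part of the original post or of Bro: it parses the Bro 1.x ssl.log lines in the layout shown above, pairs issuer and subject per connection id, and flags connections matching that shape. The sample log lines are constructed from the output above, and the www.<8 to 20 alphanumerics>.net heuristic is an assumption about the throwaway names, not a Bro rule.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Bro 1.x ssl.log layout shown in the post:
# one certificate from a public CA (conn #3) and two Tor-style ones (#4, #5).
SAMPLE_SSL_LOG = """\
1230953999.730060 #3 X.509 server issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
1230953999.730060 #3 X.509 server subject /C=US/ST=California/L=Mountain View/O=Mozilla Corporation/CN=*.addons.mozilla.org
1230954052.494060 #4 X.509 server issuer /CN=www.z72ey43i.net
1230954052.494060 #4 X.509 server subject /CN=www.defgig6t6azjbr2.net
1230954060.813874 #5 X.509 server issuer /CN=www.kmz5vo6e6.net
1230954060.813874 #5 X.509 server subject /CN=www.pkpwmlwen7vge.net
"""

# "<ts> #<conn> X.509 server issuer|subject <DN>"
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) #(?P<conn>\d+) X\.509 server (?P<field>issuer|subject) (?P<dn>/\S.*)$')

# Assumed heuristic: throwaway names of the form www.<8-20 lowercase alphanumerics>.net
TOR_STYLE_CN = re.compile(r'^www\.[a-z0-9]{8,20}\.net$')


def parse_dn(dn):
    """Split an OpenSSL one-line DN ('/C=US/O=Equifax/...') into (attr, value) pairs.

    Values containing a literal '/' are not handled; none appear in this log format.
    """
    pairs = []
    for part in dn.split('/'):
        if not part:
            continue
        attr, _, value = part.partition('=')
        pairs.append((attr, value))
    return pairs


def parse_ssl_log(text):
    """Return {conn_id: {'issuer': [...], 'subject': [...]}} from the X.509 lines."""
    certs = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # connection start/end lines carry no certificate data
        certs[int(m.group('conn'))][m.group('field')] = parse_dn(m.group('dn'))
    return dict(certs)


def is_tor_style(cert):
    """True when issuer and subject are both bare CNs matching the throwaway pattern.

    A single-attribute issuer DN means nothing resembling a real CA signed the cert;
    two different random www.*.net names is the shape seen in the Tor traffic above.
    """
    issuer = cert.get('issuer', [])
    subject = cert.get('subject', [])
    if len(issuer) != 1 or len(subject) != 1:
        return False
    (ia, iv), (sa, sv) = issuer[0], subject[0]
    return (ia == sa == 'CN' and iv != sv
            and TOR_STYLE_CN.match(iv) is not None
            and TOR_STYLE_CN.match(sv) is not None)


def flag_connections(text):
    """Connection ids whose server certificate looks Tor-style, ascending."""
    return sorted(conn for conn, cert in parse_ssl_log(text).items() if is_tor_style(cert))


if __name__ == '__main__':
    for conn in flag_connections(SAMPLE_SSL_LOG):
        print('conn #%d: Tor-style self-issued certificate' % conn)
```

Feed it the real ssl.log instead of SAMPLE_SSL_LOG and join the flagged ids back to the https start lines to recover the destination addresses. The single-CN issuer test is the part worth keeping even if the name pattern changes: any server certificate whose issuer DN is just a CN was not chained to a CA at all.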

In a later lab I show how to ask Bro to look at SSL to any port.


Richard Bejtlich is teaching new classes in Europe in 2009. Register by 1 Mar for the best rates.

PCI Compliance: A Prioritized Approach

Wednesday, March 4th, 2009

On March 3, 2009 the PCI Security Standards Council announced a new resource to promote adoption of the PCI DSS. According to the Council, the “Prioritized Approach” provides six security milestones that will help merchants and other organizations incrementally protect against the highest risk factors and escalating threats while on the road to PCI DSS compliance. As I previously mentioned, this announcement has been anticipated since the 2008 Council Meetings.



IT Security Ask the Experts: Top Queries, February 2009

Monday, March 2nd, 2009

This Web site was created to be a clearing house for technical IT Security queries, and we are still fielding quite a few of those. But we continue to receive a broad variety of fascinating questions …

IT in 2109: Living Quantum Computers, Mind Reading PCs, and DNA nanofiber CPUs

Monday, March 2nd, 2009

What will the Information Technology world look like in a hundred years? Here are the final three of five predictions for the state of data transport, storage, computer processing, and brain wave input devices in the year 2109. Each prediction is soundly based on our current scientific theories and understandings plus a healthy dose of imagination. These predictions are the original work of myself and my buddy and fellow security collaborator Eddie Mize. This is part 2 of 2, click to read part 1. Enjoy!

Read more

Using a SIEM to identify the *really* important stuff

Monday, March 2nd, 2009

Many people buy a SIEM system looking for a tool that will spot things they might not on their own, or things that a single data source might not. Here’s an example of correlation that will work, given the right input, an analytic engine and some expert knowledge.



Cisco NAC Solution receives Common Criteria EAL2+ Certification

Sunday, March 1st, 2009

The Cisco Network Admission Control (NAC) solution, including the NAC Appliance, NAC Network Module for Cisco Integrated Services Routers (ISRs), NAC Agent, NAC Profiler, and Cisco Secure Access Control Server (ACS), just received Common Criteria EAL2+ certification. This certification assures customers that Cisco’s NAC solution has been independently evaluated against the Common Criteria, which the International Organization for Standardization (ISO) publishes as ISO/IEC 15408. Note that EAL2 (“structurally tested”) is one of the lower assurance levels; the “+” means the evaluation was augmented with assurance components beyond the EAL2 package, not that a higher EAL was reached.

Read more

Using Responsible Person Records for Asset Management

Sunday, March 1st, 2009

Today while spending some time at the book store with my family, I decided to peruse a copy of Craig Hunt’s TCP/IP Network Administration. It covers BIND software for DNS. I’ve been thinking about my post Asset Management Assistance via Custom DNS Records. In the book I noticed the following:

“Responsible Person” record? That sounds perfect. I found that RFC 1183, from 1990, introduced these.

I decided to try setting up these records on a VM running FreeBSD 7.1 and BIND 9. The VM had IP 172.16.99.130 with gateway 172.16.99.2. I followed the example in Building a Server with FreeBSD 7.

First I made changes to named.conf as shown in this diff:

# diff /var/named/etc/namedb/named.conf /var/named/etc/namedb/named.conf.orig
132c132
< // zone "16.172.in-addr.arpa" { type master; file "master/empty.db"; };
---
> zone "16.172.in-addr.arpa" { type master; file "master/empty.db"; };
274,290d273
< zone "example.com" {
<  type master;
<  file "master/example.com";
<  allow-transfer { localhost; };
<  allow-update { key rndc-key; };
< };
<
< zone "99.16.172.in-addr.arpa" {
<  type master;
<  file "master/example.com.rev";
<  allow-transfer { localhost; };
<  allow-update { key rndc-key; };
< };
< key "rndc-key" {
<  algorithm hmac-md5;
<  secret "4+IlE0Z/oHoHok9EnVwkUw==";
< };

To generate the last section I ran the following:

# rndc-confgen -a
wrote key file "/etc/namedb/rndc.key"
# cat rndc.key >> named.conf

Next I created /var/named/etc/namedb/master/example.com:

# cat example.com
$TTL 3600

example.com. IN SOA host.example.com. root.example.com. (
     1 ; Serial
     10800 ; Refresh
     3600 ; Retry
     604800 ; Expire
     86400 ) ; Minimum TTL

;DNS Servers
example.com.  IN NS  host.example.com.

;Machine Names
host.example.com. IN A  172.16.99.130
gateway.example.com. IN A  172.16.99.2

;Aliases
www   IN CNAME  host.example.com.

;MX Record
example.com.  IN MX 10 host.example.com.

;RP Record
host.example.com. IN RP taosecurity.email.com. sec-con.example.com.
gateway.example.com. IN RP networkteam.email.com. net-con.example.com.

;TXT Record
sec-con.example.com. IN TXT "Richard Bejtlich"
sec-con.example.com. IN TXT "Employee ID 1234567890"
sec-con.example.com. IN TXT "Northern VA office"
net-con.example.com. IN TXT "Network Admin"
net-con.example.com. IN TXT "Group ID 0987"
net-con.example.com. IN TXT "DC office"

Then I created /var/named/etc/namedb/master/example.com.rev:

# cat example.com.rev
$TTL 3600

99.16.172.in-addr.arpa. IN SOA host.example.com. root.example.com. (
     1 ; Serial
     10800 ; Refresh
     3600 ; Retry
     604800 ; Expire
     86400 ) ; Minimum TTL

;DNS Servers
99.16.172.in-addr.arpa. IN NS  host.example.com.

;Machine IPs
1   IN RP networkteam.email.com. net-con.example.com.
2   IN PTR  gateway.example.com.
130   IN PTR  host.example.com.
130   IN PTR  www.example.com.

;RP Record
2   IN RP networkteam.email.com. net-con.example.com.
13   IN RP taosecurity.email.com. sec-con.example.com.

If you caught my omission, I’ll point it out near the end of the post.

Finally I edited /etc/resolv.conf so it pointed only to 127.0.0.1, and restarted named:

# /etc/rc.d/named restart
Stopping named.
Starting named.

Now I was able to query the name server.

# dig @127.0.0.1 version.bind chaos txt | grep version.bind
; <<>> DiG 9.4.2-P2 <<>> @127.0.0.1 version.bind chaos txt
;version.bind.   CH TXT
version.bind.  0 CH TXT "9.4.2-P2"
version.bind.  0 CH NS version.bind.

Answering version.bind like this tells anyone who asks exactly which BIND release is running. On a production server, set the version option in the options block of named.conf (for example, version "not disclosed";) so the CHAOS query returns nothing useful.

Let’s do zone transfers for the forward and reverse zones.

# dig @127.0.0.1 axfr example.com.

; <<>> DiG 9.4.2-P2 <<>> @127.0.0.1 axfr example.com.
; (1 server found)
;; global options:  printcmd
example.com.  3600 IN SOA host.example.com. root.example.com. 1 10800 3600 604800 86400
example.com.  3600 IN MX 10 host.example.com.
example.com.  3600 IN NS host.example.com.
gateway.example.com. 3600 IN RP networkteam.email.com. net-con.example.com.
gateway.example.com. 3600 IN A 172.16.99.2
host.example.com. 3600 IN RP taosecurity.email.com. sec-con.example.com.
host.example.com. 3600 IN A 172.16.99.130
net-con.example.com. 3600 IN TXT "Network Admin"
net-con.example.com. 3600 IN TXT "Group ID 0987"
net-con.example.com. 3600 IN TXT "DC office"
sec-con.example.com. 3600 IN TXT "Richard Bejtlich"
sec-con.example.com. 3600 IN TXT "Employee ID 1234567890"
sec-con.example.com. 3600 IN TXT "Northern VA office"
www.example.com. 3600 IN CNAME host.example.com.
example.com.  3600 IN SOA host.example.com. root.example.com. 1 10800 3600 604800 86400
;; Query time: 41 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar  1 04:22:57 2009
;; XFR size: 15 records (messages 1, bytes 480)

# dig @127.0.0.1 axfr 99.16.172.in-addr.arpa.

; <<>> DiG 9.4.2-P2 <<>> @127.0.0.1 axfr 99.16.172.in-addr.arpa.
; (1 server found)
;; global options:  printcmd
99.16.172.in-addr.arpa. 3600 IN SOA host.example.com. root.example.com. 1 10800 3600 604800 86400
99.16.172.in-addr.arpa. 3600 IN NS host.example.com.
1.99.16.172.in-addr.arpa. 3600 IN RP networkteam.email.com. net-con.example.com.
13.99.16.172.in-addr.arpa. 3600 IN RP taosecurity.email.com. sec-con.example.com.
130.99.16.172.in-addr.arpa. 3600 IN PTR host.example.com.
130.99.16.172.in-addr.arpa. 3600 IN PTR www.example.com.
2.99.16.172.in-addr.arpa. 3600 IN RP networkteam.email.com. net-con.example.com.
2.99.16.172.in-addr.arpa. 3600 IN PTR gateway.example.com.
99.16.172.in-addr.arpa. 3600 IN SOA host.example.com. root.example.com. 1 10800 3600 604800 86400
;; Query time: 27 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar  1 04:26:36 2009
;; XFR size: 9 records (messages 1, bytes 380)

Now let’s pretend we have a security incident involving 172.16.99.2. You want to know who owns it. Let’s query for RP records.

VirtualBSD# host -t rp 172.16.99.2
2.99.16.172.in-addr.arpa domain name pointer gateway.example.com.

Ok, I see that I get a PTR record for 172.16.99.2. I can look for an RP record for that hostname.

# host -t rp gateway.example.com.
gateway.example.com has RP record networkteam.email.com. net-con.example.com.

That worked. I see the email address for the Responsible Person is networkteam@email.com (RFC 1183 encodes the mailbox as a domain name, so you have to read the first dot as an @), and I also get the name of a TXT record to consult. I query for that next.

# host -t txt net-con.example.com.
net-con.example.com descriptive text "Network Admin"
net-con.example.com descriptive text "Group ID 0987"
net-con.example.com descriptive text "DC office"

Great, I have some additional details on the network team.

What if I try 172.16.99.130?

# host -t rp 172.16.99.130
130.99.16.172.in-addr.arpa domain name pointer www.example.com.
130.99.16.172.in-addr.arpa domain name pointer host.example.com.

# host -t RP www.example.com.
www.example.com is an alias for host.example.com.
host.example.com has RP record taosecurity.email.com. sec-con.example.com.

# host -t TXT sec-con.example.com.
sec-con.example.com descriptive text "Richard Bejtlich"
sec-con.example.com descriptive text "Employee ID 1234567890"
sec-con.example.com descriptive text "Northern VA office"

How about 172.16.99.1?

# host -t rp 172.16.99.1
1.99.16.172.in-addr.arpa has no PTR record

That was the error in the example.com.rev file I posted earlier. Or is it an error? Maybe not:

# host -t rp 1.99.16.172.in-addr.arpa
1.99.16.172.in-addr.arpa has RP record networkteam.email.com. net-con.example.com.

If we query for the IP in in-addr.arpa format, we can find an RP record. So, it’s possible to have IPs without hostnames in your DNS and still have RP records. You just need to know how to ask for them.
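The lookup chain walked by hand above (IP to PTR, PTR to RP, RP mailbox and TXT name to something a responder can act on, with the in-addr.arpa fallback for addresses that have no PTR) is mechanical enough to script. The following is an added example, not code from the original post or from BIND: it parses a small constructed copy of the example.com zones into a record table and runs the chain offline against that table, so no name server is needed to try it. The zone data is trimmed from the post’s zone files and is hypothetical; the parser handles only one-line “owner TYPE rdata” records, and the RFC 1183 mailbox decoding (first label is the local part, a backslash-escaped dot stays in the local part) is what the RFC specifies, not something the post shows.

```python
import ipaddress

# Constructed zone data (hypothetical), trimmed from the example.com zones in the post.
FORWARD_ZONE = """
host.example.com.     A     172.16.99.130
gateway.example.com.  A     172.16.99.2
www.example.com.      CNAME host.example.com.
host.example.com.     RP    taosecurity.email.com. sec-con.example.com.
gateway.example.com.  RP    networkteam.email.com. net-con.example.com.
sec-con.example.com.  TXT   "Richard Bejtlich"
sec-con.example.com.  TXT   "Northern VA office"
net-con.example.com.  TXT   "Network Admin"
net-con.example.com.  TXT   "DC office"
"""

REVERSE_ZONE = """
1.99.16.172.in-addr.arpa.    RP   networkteam.email.com. net-con.example.com.
2.99.16.172.in-addr.arpa.    PTR  gateway.example.com.
130.99.16.172.in-addr.arpa.  PTR  host.example.com.
130.99.16.172.in-addr.arpa.  PTR  www.example.com.
"""


def load_zones(*texts):
    """Minimal 'owner TYPE rdata' parser; returns {(owner, TYPE): [rdata, ...]}."""
    records = {}
    for text in texts:
        for raw in text.splitlines():
            line = raw.split(';', 1)[0].strip()   # drop comments and blank lines
            if not line:
                continue
            owner, rtype, rdata = line.split(None, 2)
            records.setdefault((owner.lower(), rtype.upper()), []).append(rdata.strip())
    return records


RECORDS = load_zones(FORWARD_ZONE, REVERSE_ZONE)


def query(records, name, rtype):
    return records.get((name.lower(), rtype.upper()), [])


def canonical(records, name, max_hops=8):
    """Follow CNAMEs (www -> host) so the RP lookup lands on the real owner name."""
    for _ in range(max_hops):
        cname = query(records, name, 'CNAME')
        if not cname:
            return name
        name = cname[0]
    raise ValueError('CNAME chain too long starting at %s' % name)


def mailbox_to_email(mbox):
    """RFC 1183 mbox-dname: first label is the local part; a backslash escapes a dot in it."""
    if mbox == '.':
        return None   # '.' means no mailbox is given
    i = 0
    while i < len(mbox):
        if mbox[i] == '\\':
            i += 2
            continue
        if mbox[i] == '.':
            break
        i += 1
    local = mbox[:i].replace('\\.', '.')
    return '%s@%s' % (local, mbox[i + 1:].rstrip('.'))


def rp_contacts(records, name):
    """RP records for a name, with the TXT strings the RP's txt-dname points at."""
    name = canonical(records, name)
    contacts = []
    for rdata in query(records, name, 'RP'):
        mbox, txt_name = rdata.split()
        txt = [] if txt_name == '.' else [t.strip('"') for t in query(records, txt_name, 'TXT')]
        contacts.append({'name': name, 'email': mailbox_to_email(mbox), 'txt': txt})
    return contacts


def responsible_for_ip(records, ip):
    """Incident-response lookup: IP -> PTR -> RP -> TXT.

    When the address has no PTR, fall back to an RP on the in-addr.arpa name
    itself, which is the 172.16.99.1 case from the post.
    """
    rev = ipaddress.ip_address(ip).reverse_pointer + '.'
    contacts = []
    for ptr in query(records, rev, 'PTR'):
        for c in rp_contacts(records, ptr):
            if c not in contacts:     # www and host both lead to the same RP
                contacts.append(c)
    if not contacts:
        contacts = rp_contacts(records, rev)
    return contacts


if __name__ == '__main__':
    for ip in ('172.16.99.2', '172.16.99.130', '172.16.99.1', '172.16.99.7'):
        print(ip, responsible_for_ip(RECORDS, ip))
```

Against a live server you would replace query() with real PTR, CNAME, RP and TXT lookups and keep the rest unchanged; the CNAME step matters because, as the host output above shows, a PTR can point at an alias (www.example.com) while the RP lives on the canonical name.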

I think this is really promising. At the very least, a DNS admin responsible for hosts in a certain subnet could add RP records, like that of 172.16.99.1, for every host. This would probably work best for servers, but it should be possible to extend it to hosts with dynamic DNS assignments.

Incidentally, RP records do not seem very popular on the Internet. If you find any in the wild, please let me know.
