Tue, 19 Apr 2011
HBGary Open Letter - Air Gap
Our source code has always been air gapped from the Internet. The forensic examination confirmed that software development servers and workstations were not affected by the incident -- from HBGary
Anyone else find it hard to accept that none of the developers, testers, documentation writers or build people ever accessed source code from their Internet connected laptops / workstations? Especially considering the state of their other security measures.
Don't get me wrong, in some cases it's a sensible solution ( off-line key signing for example) but for entire teams working on a shared code base?
Thu, 08 Jan 2009
Limiting Failed SSH Logins using PAM
Ever wanted to limit the number of ssh login attempts a user can make before their account gets locked? Well, not really, but when brute force tools are so common and easy to use it's another useful trick in the sysadmins arsenal.
In this example I'll show you how to install, configure and audit failed ssh loging attempts on Linux. While the PAM mod_tally module is available for a number of different distros and Unix variants we'll set it up on Debian. First of all grab the package if you don't already have it -
apt-get install libpam-modules
Now we've installed mod_tally you have to add a couple of lines to the
/etc/pam.d/ssh PAM config file for ssh.
$ vi /etc/pam.d/ssh # add before @include common-auth # lock the buggers after 3 attempts auth required pam_tally.so onerr=fail deny=3 # add before @include common-account # resets count if login successful account required pam_tally.so reset
The ordering of the lines is important. In some configurations previous PAM checks can shortcut the full process. While this post isn't the place to learn all about PAM the first line of the example sets what to do if something strange happens, such as the log file being unavailable (onerr=fail) and how many times a login can fail before being locked (deny=3). The second line tells PAM to reset the counter once a successful login has occurred for a specific user. If you leave this one out every failure is remembered for ever and eventually all will be locked out.
Now you're up and running how do you find out what's happening? If you
want to look at the current status then you can run the
pam_tally command and you'll see output like this -
root@pam:/etc/pam.d# /usr/sbin/pam_tally User ajones (1000) has 2 User lockme (10010) has 4
pam_tally also logs wherever your authentication events go
/var/log/auth.log on Debian by default ) so you can keep
historical information or feed the attempts in to your normal log
# sample log line Jan 8 19:16:24 pam pam_tally: user lockme (10010) tally 4, deny 3
To close the loop let's cover resetting the locked accounts. If you have
a user complaining then you can run
pam_tally --reset --user
lockme to clear their tally. Another option (worth considering) is a
scheduled reset. This gives you the benefit of slowing down brute force
attacks while not requiring you to unlock all accidentally locked accounts.
The simplest way to do this is to add a cronjob that runs a reset. Newer
versions have an
unlock_time=n option you can supply in the
ssh PAM config file but that didn't work for me under Etch.
Thu, 21 Sep 2006
Run Security Scans from Visio
I'm not a huge fan of Visio but the ability to connect the MBSA to individual hosts and trigger scans is very neat. I'm also assuming that you can use the Visio scripting interface to mark machines that fail as a different colour. Full details over at the Visio Connector for MBSA article.
Wed, 06 Sep 2006
Own a SQL Server 2000 Machine and get ALL Passwords
Watch it be done in under five minutes in the MS SQL Preauth Attack, Pwdump and John the Ripper video. Surprising? No. Fun to watch? Yes! Every now and again it's nice to be reminded our systems are not as secure as we'd like to think.
Wed, 16 Aug 2006
Incompetents, Security and Hellish Policies
"You do not secure the liberty of our country and value of our democracy by undermining them. That's the road to hell.
-- Lord Phillips of Sudbury (source: BBC News - "Police decryption powers 'flawed'"
I don't normally post on politics or law because I'm not an expert and, to be honest (judging by my apache logs), they're only interesting to a small fraction of the people that stop by here. However, two of the security related news stories I've seen today need to be pointed out, first of all we have proof of the old saying, "if they want you bad enough they'll get you".
Only in this case "they" turned out to be a 12 year old child (and no, I don't read the Express - it's the only instance of the story I could find to link to) who'd run away from a care home in Merseyside. And made it on to a jet during "one of the tightest lock-downs in airport history". He only managed to sneak through passport control. And police. And security. And a metal detector and pad down. And the ground control checks. And through the departure checks.
Who ever said "The guards are most diligent after the break in" has obviously never met any of the massively skilled people at Heathrow. I liked "we're launching an investigation", I don't want an investigation, I want a full witch hunt; with bloodhounds. Followed by lots of high level sackings and possible prosecutions. Airports are a vital part of our infrastructure, something like this must be as near to criminal negligence as you can get without seeing a nice cell and that guy called "Bruiser" with the pretty tattoos on his knuckles...
Now I've released my bile let's get to the other story, well, another link. Some peers have claimed the Police decryption powers are 'flawed' and risk being abused.. No shit.
Mon, 26 Jun 2006
When it comes to host-based intrusion detection I'm most familiar with the Tripwire OpenSource Edition, while shopping around for a HIDS to deploy on a play box I decided to try AIDE. And got stopped at one of the first hurdles.
Tripwire has an interactive update mechanism, it runs a scan (based on your config file) and then prompts you to except, reject or mark changes as pending - within one operation. Unless I'm missing something, AIDE takes a generate signatures, user checks the output, generate signatures approach, which leaves a huge race condition open. Any files created / edited between the check and second generate steps will slip through the net.
Am I missing something or is this really how it works?
Wed, 08 Mar 2006
Know Thy Open Network ports
Which ports do your servers have open right now? How did you check? Netstat? Are you really sure that it's doing the right thing? What the host claims to be exporting isn't always the same as what other hosts on the network see. When did your DNS server start exposing that TCP port? Has it always been there?
I want a tool that keeps track of what ports a machine has open and shows me changes (and tracks when things change). It has to scan the whole port range from top to bottom and it needs to do UDP scans in under a couple of hours. Think of tripwire but for network ports. Changes have to be approved or they keep being flagged as suspicious. As a side effect it'll also show you when things go away. Hard to write? Not really. But why don't most of us already have it built and running?
It's also worth pointing out that this isn't the same role that programs like Nagios fill. You tell Nagios what to watch and it picks up changes in that limited scope. I want something to watch the whole (finite) port range and show me things I didn't think about.
Mon, 06 Feb 2006
Patching for Custom Config File Locations
While discussing the FIA via SSH article, one of my comments got some feedback; the comment was sudos config potentially giving the game away. A number of people suggested the same solution, patch where the source looks for the config file and compile it yourself. The idea is that you put a fake config file in the usual place, patch the source to use a different location and then compile the application. When it runs it leaves the fake config alone, uses the custom location you added and the attacker is none the wiser.
This isn't difficult to do. For example a number of honeypot articles recommend patching syslog so the attacker doesn't see a "log to remote host" config setting. Technically this works just fine. But that's not where you pay the price...
Doing something like this is a small security win but a huge usability loss. Firstly, every time you want to upgrade the binaries you need to patch, compile and occasionally even package them. After you've done this step you need to find a way of incorporating their distribution with the rest of your software. Lastly you have the enjoyment of having a sysadmin spend half an hour changing settings, restarting the command/daemon and NOTHING HAPPENS! Why? Because they changed the default config file. Which is a fake... You'll do this once and then swear off the technique for anything except a one man research box that you don't want to keep current.
Sat, 04 Feb 2006
File Integrity Assessment via SSH Article - Sysadmin Article
Hal Pomeranz has an interesting article on File Integrity Assessment via SSH over at sysadmin magazine (well worth a subscription). At my last job a couple of us discussed doing something similar so I enjoyed the article; it's nice to see someone actually implement the damn thing.
The basic idea addresses one of the implicit weaknesses with FIA tools. You give the attacker an obvious target to try and subvert. While there are little tricks you can employ to make their life harder (add a false positive so if they replace the binary with a fake it doesn't report everything you'd expect etc.) Hals technique moves the whole FIA setup off the machine. You only copy the FIA tools in when you're going to run the scan. This won't stop kernel level hacks written just for screwing with FIA but it does raise the bar a fair bit.
One of my suggested tweaks for this would be to replace the null passphrase root SSH. Firstly I dislike allowing root to SSH to a machine. Secondly, keys with no passphrase are often a bad thing. While SSH agent can make them better, a non-privileged account, sudo and the NOPASSWD option are often a better choice.
The config in '/etc/sudoers' will make it easier for a competent attacker to work out what's going on (although to make life harder you can still rename commands as mentioned in the article) but this is better than allowing such a dangerous entry point to all your systems.
Sat, 28 Jan 2006
Over Mounting in Linux
A topic that's been discussed to great length on one of (many) Linux lists I lurk on has been that of mounting one file over another. It's easier to show this with an example:
$ cat password dwilson:password $ cat fakepassword attacker:fakepassword (root) $ mount --bind fake_password password $ cat password attacker:fakepassword
While this requires root access (or flimsy mount permissions) to execute, it is a nasty little trick. An 'ls' won't show anything strange but a 'mount' command will. It's also worth noting that this can be done with binary and executable files. 'root# mount --bind /tmp/attacker_ps /bin/ps' works as well as the example did.
Sat, 12 Nov 2005
Sudo Article Promoted Bad Behaviour
I like sudo, it allows you to give people (and automated jobs) more privileges without having to hand out the root password. One of the more important aspects of its use is restricting the commands a user can run. After all, limiting peoples access to rootly powers doesn't help much if they can just shell out to bash or edit the shadow file (or other important files) and locally escalate their privileges.
Unfortunately a Linux.com sudo article shows new users a number of ways of doing this without explaining why it's a really bad idea. I understand that a lot of people just give themselves full root powers using sudo (hell I do on my own machines) but in an article pointed at beginners, especially one that has examples of using an interactive editor with sudo, the concepts need to be explained and some good practices presented. More why with the how please.
The highlight of the article for me was introducing new users to the 'sudoedit' and '-e' options: "but it uses the editor in your $EDITOR environment string". How often do you check the value in $EDITOR? Neither do I. And you're expected to blindly trust, with full root powers, whichever command it points to?
OpenCON 2005 OpenBSD Slides
The OpenCON 2005 OpenBSD Slides are now available and linked to from undeadly.org. When ever the OpenBSD people get together and present on security it's worth ten minutes of the admins day to have a look for the new ideas, after all they'll often appear ever where else over the next year.
The highlights of this batch include an overview of how the congestion indicator works and allows you to log in even when getting DoSed, the changes to the ports and package tools (which are moving to Perl!) and the whole of Theos Exploit Mitigation Techniques slides. Especially the Stackgap slide.
PS: MagicPoint needs to output HTML with access-keys defined. It'd make the slides a lot easier to read...
Sun, 02 Oct 2005
Toorcon 2005 Slides Available
I've never been able to get to a Toorcon but from reading the Toorcon 2005 slides it seems they have a number of quality speakers. The three highlights from this years sessions seem to be Introducing the Bastille Hardening Assessment Tool by Jay Beale, How Big is that Foot in the Door by Foofus and Simple Nomads How Hackers Get Caught.
The intro to Bastille does both a good job of explaining why you should care about hardening, which includes some great quotes: The NSA's Information Assurance Directorate evaluated a system locked-down following CIS's Windows 2000 guide. 90 percent of all the vulnerabilities in this platform were mitigated by the guide. It also introduces some of the knowledge required to add your own Bastille checks.
Foofus's talk is an ideas spring board and well worth a read. His slides show mapping out relationships between machines and how a single compromised password can bring down a large chunk of your infrastructure. I can't wait for a canned tool, sysadmin friendly, that I can use for this.
Simple Nomads talk is less technically focused but more entertaining. He covers some of the back and forth of attacking and the stupid thing skiddies do. It's worth a read and serves as an amusing refresher.
Fri, 25 Mar 2005
F-Secure Blacklight Windows Rootkit Detector Beta
F-Secure has released a blacklight beta download that is available in both GUI and command-line versions. The full Blacklight details are now online and after a quick play it seems pretty nifty, and most importantly, has a command-line version for automated deployment and scanning. One to watch when it goes gold.
Sat, 19 Mar 2005
Follow the Bouncing Malware -- ISC Handler's Diary
Tom Liston wrote up an excellent (and scary!) analysis of what happens to an unpatched machine when it goes to a less than reputable site. The full details, part 1, part 2, part 3 and part 4 are well worth a read. You'll be stunned at how much shite comes down from a single executable that the user never even gets a choice whether to run.
Thu, 10 Mar 2005
Address Book Phishing and Information Leakage
Firstly let's define Phishing, "The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft." While most phishing attacks are done over the web consider how they could be tailored to abuse email and local address books.
Lets consider a scenario, a non-technical (and busy) receptionist or assistant (Alice) sends a number of email's from her pet executive to certain people outside the company. Assume an accountant, insurance broker and some other highly paid but pointless consultant, you probably have about six names in your head right now :) For the sake of this example they are all public members of the company (AGM meetings, stockholders or even just pages showing previous customers).
The villain of our story, the dastardly Bob, purchases a domain similar to the one used by one of our external parties, Carol. He then sends an email to Alice (getting the name of the financial controllers PA isn't that hard...) from this dodgy domain with the name looking pretty much identical to Carols. Maybe an i is a 1 or something similar but awkward to notice. Bob then either plays it safe and just asks an innocuous question just to get a reply (wait for it :)) or tries to social engineer his way into having Carols original details removed. This is risky but makes the attack a lot more successful.
One day Alice takes some notes, types them in, cleans them up and then sends them to the external parties, including Carol. Since Alice has a nice, shiny and helpful mail client it added the address (which was received and replied to) to it's personal address book and offers it to her when she types in Car. In some cases it'll even hide the ones offered by the global address-book and allow you to get even nastier. The auto-complete will pop-up and most people will either select the top option out of habit or not even notice that their were multiple entries, muscle memory is a wonderful thing once you know how to exploit it.
Is this likely? Not really, it involves a lot of work for a difficult to execute attack. Could the local address book fiddling be added to an existing worm or malware to make it even worse? Quite easily. Still it was fun to think through; it's nice to be the (theoretical) attacker now and again.
Thu, 27 Jan 2005
MySQL Worm Hits Windows Machines
You know you've hit the big time when you get your own worm! The MySpool worm is turning badly configured MySQL installations (on Windows) into zombies in a huge bot net. Now I'm not even going to ask why so many people have MySQL installations listening to the network (Debian disables this by default so bonus points to them) but it is depressing. To stop it doing this just add "skip-networking" to the [mysqld] section of the config file.
I think it's about time someone wrote a MySQL vulnerability scanner to pick up weak passwords, unprotected accounts and similar. Judging by the number of machines out there that are being broken into by this thing there is a market...
For more technical coverage of the problem have a look at SecuiTeam's MySQL UDF Dynamic Library Exploit.
Sat, 15 Jan 2005
Some of the worst internal incidents I've been involved in were those where the attacker either rebooted into a live Linux CD or had a second hard drive that was mostly left unwired. This made tracking and auditing his actions extremely difficult due to the nature of his attack platform.
While tools like arpwatch look for the more obvious changes of MAC addresses using something like P0F or a PF based firewall it'd be possible to look for operating system changes on the network in cases where the MAC address isn't changed, and if it is changed the firewall can block and flag the unknown address. After all if a MAC tied to a Windows machine suddenly changes to a FreeBSD box for example it certainly warrants investigation.
Limiting Administration by OS
This is the third and probably last of my ramblings on the subject of locking down a machines potential attack footprint by mass filtering. While I've already mentioned blocking certain ports to entire countries (mostly to stop SPAM) and only allowing access to other ports to geographically local IPs (to stop attacks on critical services like SSH for admins) it is also worth mentioning OS detection.
Certain products and operating systems, such as P0F, OpenBSD's PF etc, can detect what operating system someone is trying to connect with. Now this alone isn't very interesting but when you build it in to a firewall such as PF you suddenly gain another trick in the tool box.
Most machines in botnets for example are Windows machines. If your admin team use Linux 2.4 then lock down the settings on your firewall to only allow 2.4, this way even if the attackers are local (in terms of geographical IP ranges) they still need to be using the correct operating system to even attempt a connection.
Putting the three concepts I've discussed together you've reduced the potential for attack on your administration services from anyone in the world, to anyone in your city / country and then to anyone in your city / country running your chosen operating system. And then you can require them to get through key authentication AND a username password check :)
Wed, 15 Dec 2004
MS Network Access Protection (NAP) -- Paranoid Visions
TheRegister has an informative, and pretty short, article on MS NAP, a technology that should help keep networks clear of worm activity by requiring all machines to have up-to-date patching and anti-virus before the network equipment will let them play with others.
Now lets gloss over the more obvious question, how do you get a machine on the network for the first time, as it's simple, the kind of company that actually needs this will have a patch management system in place for new builds (maybe just something like MS SUS) to bootstrap the process. The real questions to ask are, will any anti-virus software except MS Anti-virus (or what ever they call it by then) actually work with this? And more importantly will it be easy to turn this feature off so we can add *Nix boxes to the network?