
SSL Proxies

Aug 23

Because it is open outbound from the firewall, many applications send their traffic across port 80 to avoid firewall issues. This has led to port 80 being called the Firewall Traversal Exploit. Port 443, then, is the Secure Firewall Traversal Exploit, because it allows traffic out in an encrypted fashion.

Because it is encrypted, users bypass the protections in place for HTTP to download viruses, access forbidden sites and leak confidential information. This is limited only by the availability of SSL sites. In recent years webmail like GMail has gone to full SSL sessions. Bad guys can easily set up SSL as well. Without an SSL proxy, all you can do to address these concerns is block by IP address. IP addresses change frequently and are less likely to be categorized in a URL block list.

When you use an SSL proxy, the web traffic is terminated at the proxy server and a new request is made to the remote server. The client browser uses a certificate from the proxy to secure data during the first leg of this transaction. This will result in a certificate error if you don’t deploy the proxy’s self-signed certificate as a trusted root. Because the client never sees the certificate of the remote server, the user does not get information about the trustworthiness of that certificate. For this reason it is necessary to either block all bad certificates or make sure your SSL proxy can pass on the certificate information when the certificate is expired or does not chain to a trusted root.

The SSL proxy can use the hostname (CN) in the server certificate to make a URL categorization decision and either intercept or tunnel the traffic.

Because you can intercept based on URL categorization, you could choose to intercept (and block) only websites that are in your blocked categories. This is the simplest implementation of an SSL proxy. It blocks sites that wouldn’t have been blocked before and it doesn’t interfere with anything else. If a computer doesn’t have your certificate in its trusted root store, it’s not that bad, because the site would have been blocked anyway.

A slightly more intrusive step is to also intercept webmail sites.   Webmail sites have the potential to download malware although the site itself is valid.   By intercepting the site the download is scanned by the antivirus layer.   A related idea is intercepting all uncategorized sites so they can be scanned.

A full implementation involves intercepting everything not categorized as a financial site. It is not recommended to intercept financial websites, for obvious reasons. Intercepting everything allows you to scan all downloads for viruses. The main drawback is that you’ll have more issues with web applications not conforming to HTTP standards.

I think the simplest option of only intercepting websites classified in categories on your block list is best.   It provides additional security without potential for complications.  You’d have to make a security decision for your own environment.

There are security considerations to intercepting traffic. When you only intercept a site to block it, you don’t handle sensitive data, but as you intercept other categories you must take care. Sensitive data may now be exposed in clear text. You may want to think twice about what you are logging and caching. If any off-box analysis is performed, you need to encrypt the connection and make sure nothing is left on the remote box.

A lot of attacks occur over the web and it’s important to provide the best defense. It’s no longer good enough to ignore 443/TCP.


But I’m trying Real Hard to be a Sullenberger

Aug 23

Since it’s not obvious, the blog title is an allusion to Jules’ big speech in Pulp Fiction.

I read a couple of interesting blog entries on Friday. John Pescatore asks “Are Security Professionals Like Stephen Slater?” In another blog, Foilball asks us to look in the mirror and see if we’re more Sullenberger or Slater.

Slater is the air-raging flight attendant who let the frustrations of life take over, stole a couple of beers and headed down the emergency slide.  He made Joanna’s method of quitting Chotchkie’s in Office Space look quite reasonable.

Pescatore doesn’t actually compare Slater and information security personnel. Rather than anything specific to this situation, he compares infosec people to the typical condescending flight attendant who does not explain the rules and only gives you half a can of Pepsi.

Is it really necessary for the flight attendant to explain that you need to leave the seatbelt on so you don’t become a human projectile mid-flight? Or that your laptops need to be stowed not just for dubious electronic interference problems but so they don’t smack someone in the head during take off and landing? Why does the sun visor need to be up during take off and landing? I don’t know, but I have enough sense to know that having that discussion as we’re first in line for take off isn’t a good idea.

You can get 20 years for interference with flight crew attendants and members.  Don’t even think of disabling the smoke detector.   I wonder if I can arrange similar penalties for disabling the antivirus or interference with infosec personnel.

The Foilball article caused deeper thought. Going through life, there are days when you’re hit in the head by luggage or cursed out by a passenger. There are days when you want to escape down the slide and it takes every ounce of control not to. I’ve heard it said you can’t control your circumstances, but you can control how you react to them. I look in that mirror and I see more Slater than I’d like to admit. But I’m trying real hard to be a Sullenberger.


This Month in the Threat Webscape – July 2010

Aug 23

Month of July
This month the world saw the Microsoft Windows LNK shortcut flaw bring a smile to black hat hackers running Stuxnet, Chymine, Vobfus, Sality and Zeus, as they quickly updated their malware to leverage the vulnerability. In addition, we'll talk about banking Trojans piggy-backing on social-networking sites, the YouTube XSS vulnerability, malicious browser add-ons, brand-jacking, and more.

Also this month, the Websense Security Lab researchers presented at Black Hat Las Vegas and Hack In The Box in Amsterdam.

Major Hits

Ever wonder where your search engine stands relative to others based on malicious links they serve up in their search results? A two-month study by Barracuda Labs provides these estimates (be careful clicking those links!). Total malware by search engine:

  • Google: 69%
  • Yahoo: 18%
  • Bing: 12%
  • Twitter: 1%

The Windows LNK shortcut flaw (CVE-2010-2568) made a huge splash this month, a problem exacerbated by a computer worm dubbed Stuxnet that uses this flaw as one of the worm's propagation methods. Stuxnet targets Siemens SCADA systems, used to control production at industrial plants.

Strictly speaking, the LNK files themselves were correctly formatted (as opposed to a file crafted to exploit a buffer overflow) and they were legitimate .lnk files, except that they were allowed to link to (and run) executable files located elsewhere — an ugly design flaw. The bad guys simply took the opportunity to make shortcuts to malware, and sent these shortcuts around to victims. The shortcuts could be activated without actually clicking on them. Using Windows Internet Explorer, merely browsing to the folder containing the malicious .lnk file triggered the bad stuff. Here is our technical analysis on the Microsoft LNK vulnerability.

Hot on the heels of Stuxnet, malware makers of Chymine, Vobfus, Sality, and Zeus updated their unwanted products to benefit from this vulnerability. Additional mitigation advice can be found here: US-CERT VU#940193

Web 2 dot uh oh

Last month in this section we mentioned that new ways to exploit social networks continue to surface. This month was more of the same. The RSA FraudAction Research Lab was among many to observe social sites being used to operate a banking Trojan virus. Once the Trojan infects a user's computer, the virus accesses a specific social profile, Google Group, or even a Twitter feed, all set up by the controller of the virus. From these sites, the virus, trained to parse text, can receive instructions embedded in posts, feeds, etc. This sophisticated exploitation of social sites bypasses the cost and maintenance of independent servers dedicated to doing the same thing. Using these free sites, communication with the Trojan can be done for no cost with little risk. It is up to the site to remove these malicious throw away accounts.

The other notable exploit of Web 2.0 functionality in July was YouTube's XSS vulnerability.  The visual effects of this vulnerability were seen by many users when only the top few comments of a post were loaded, along with a script comment regarded mostly as spam. Fortunately this was the extent to which the vulnerability was exploited before Google patched the YouTube service. Potentially this could have been used to force the browser to execute embedded malicious script code disguised in the YouTube page.

Browser and friends

Mozilla has blacklisted a third-party add-on called "Mozilla Sniffer". The add-on submits the login form of any website, with the password field, to a remote location. The add-on has been downloaded about 1800 times. Those who installed it are advised to change their password in case of attack. Mozilla also released two security updates this month; 15 vulnerabilities have been patched.

It has been disclosed by researcher Jeremiah Grossman that the "autofill" feature in Apple Safari has a security vulnerability. The autofill feature can be hacked to steal data from the computer's address book. Apple provided a quick response; a patch was released a few days later. In all, 15 vulnerabilities were fixed this month, including the autofill problem.

Google released a security update for Chrome. Five bugs were fixed in the patch.

The good news from Adobe is that Adobe Reader is going to add Protected Mode in the next version. Protected Mode is a sandboxing technology based on Microsoft's Practical Windows Sandboxing technique. It is similar to the Google Chrome sandbox and Microsoft Office 2010 Protected Viewing Mode. All operations required by Adobe Reader to display the PDF file to the user are run in a very restricted manner inside a confined environment. More good news is that Adobe will join Microsoft Active Protections Program (MAPP), in which vulnerability information is shared to security software providers in advance.

Aside from the major LNK vulnerability brouhaha mentioned above in the Major Hits section, Microsoft patched a vulnerability in Windows Help and Support Center (MS10-042), Canonical Display Driver (MS10-043), MS Office Access ActiveX Control (MS10-044), and MS Office Outlook (MS10-045). The Windows Help and Support Center  zero day (MS10-042) saw at least 25,000 attacks as confirmed by Microsoft, largely in Russia and Europe.

Hello Threatseeker. You've got mail!

This month there was a lot of follow-up on the previous month's email threats. In addition, there was no shortage or end to the abuse of social networking sites such as Facebook and hi5. The more interesting attacks within the email space focused on "brand-jacking", where Gumblar seems to have made a comeback impersonating Amazon.com. The aim of the campaign was to trick unsuspecting users into visiting a URL serving client-side exploits.

Other attacks include, but are not limited to, the influx of YouTube-themed spam asking users to confirm their email address, the fake ImageShack registration emails, and "Welcome to My Opera" account activation emails.

Security Trends

A low-cost, home-brewed GSM hacking device, developed by researcher Chris Paget, mimics more expensive devices already in use by intelligence and law enforcement agencies – called IMSI catchers – that can capture phone ID data and content.

According to Secunia’s recently released report, between 2005 and 2010 Apple Inc. had the most reported security vulnerabilities.

Some motherboards in 4 models of Dell PowerEdge servers were shipped to customers with malware code on the embedded server management firmware. A Dell representative confirmed the issue on Dell’s community forum.

A fake technical support phone call was used to spread malware. The attackers in this scheme cheated targeted users by calling them and helping them to install malware, remote desktop applications etc.

The Secunia Half Year Report 2010  asserts that a typical end-user PC with 50 installed programs had 3.5 times more vulnerabilities in the 24 third-party programs than in the 26 Microsoft programs.


Thanks to this month's roundup contributors:

* Lei Li
* Douglas Libby
* Amon Sanniez
* Ulysses Wang
* Jay Liew


SCUP and Flash

Aug 16

I deployed Adobe Flash 10.1 through System Center Updates Publisher (SCUP). It’s kind of sad how excited this makes me.

SCUP is a framework that allows you to integrate third-party update deployment into your SCCM/WSUS server. Companies can provide a CAB file that you import into SCUP; you then approve updates and publish them to your SCCM server. From there, to the SCCM admin, they are deployed like any Microsoft patch. The user experience is just like Microsoft patches as well.

While I have only deployed SCUP in a test environment, I think it has the potential to reduce the work of deploying updates. A more consistent user experience can be achieved by deploying these updates through the same methods. Currently I have a separate wrapper script that tells the user an update is available. Even if I don’t ultimately deploy all my patches using SCUP, I can use it to deploy Dell and HP BIOS, firmware and driver updates. As people try to do more with less, computers are being used longer. It is thus more important not to ignore security and bug fixes in these items.

When you obtain a license to distribute Flash, Adobe sends you a link to download the MSI, EXE or CAB file. I pointed SCUP directly at the CAB file. The first time I tried to deploy to a client, the install failed. WindowsUpdate.log reported the error as 0x80070667. Google (or Bing) tells me that error indicates bad command line switches. The log file showed the switches as “/qn reboot=reallysuppress allusers=1 msirestartmanagercontro=disable reboot=reallysuppress”. That has duplicate commands. I recalled a Jason Lewis blog entry recommending that the command line switches be left blank in the CAB file; SCUP will automatically add silent install switches. After removing the command line switches in SCUP, I published the change back to SCCM, synced everything, and Flash installed without any further problems.
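Two things in the paragraph above are worth being able to check yourself before publishing an update: what a WindowsUpdate.log HRESULT actually means, and whether the install command line repeats an MSI property. The following is an added example, not code from the original post, from SCUP or from Microsoft. It decodes a FACILITY_WIN32 HRESULT into its Win32 error code (0x80070667 carries 1639, ERROR_INVALID_COMMAND_LINE, which is the "bad command line switches" meaning the post found) and flags duplicated `PROPERTY=value` assignments. The sample command line is constructed for the example and is not the line from the post's log.

```python
"""Decode a Windows Update HRESULT and check an msiexec switch string for
duplicate MSI properties.  Added example, not code from the post, SCUP or
Microsoft; the sample command line below is constructed."""
import shlex

FACILITY_WIN32 = 7  # HRESULTs of the form 0x8007xxxx wrap a Win32 error code

# A few Windows Installer result codes a patch admin sees most often.
WIN32_NAMES = {
    1603: "ERROR_INSTALL_FAILURE",
    1639: "ERROR_INVALID_COMMAND_LINE",
    3010: "ERROR_SUCCESS_REBOOT_REQUIRED",
}


def win32_code(hresult):
    """Return the Win32 error inside a failed FACILITY_WIN32 HRESULT, else None."""
    failed = bool(hresult & 0x80000000)
    facility = (hresult >> 16) & 0x1FFF
    if not failed or facility != FACILITY_WIN32:
        return None
    return hresult & 0xFFFF


def explain_hresult(hresult):
    """Human-readable name for the wrapped Win32 code, or 'unknown'."""
    code = win32_code(hresult)
    if code is None:
        return "not a FACILITY_WIN32 failure"
    return WIN32_NAMES.get(code, f"Win32 error {code} (unknown)")


def duplicate_msi_properties(cmdline):
    """Sorted names of PROPERTY=value pairs that appear more than once.

    msiexec switches (/qn, /norestart, ...) are skipped; MSI property names
    are case-insensitive, so they are compared upper-cased.
    """
    seen = {}
    for token in shlex.split(cmdline):
        if token.startswith("/") or "=" not in token:
            continue
        name = token.split("=", 1)[0].upper()
        seen[name] = seen.get(name, 0) + 1
    return sorted(name for name, count in seen.items() if count > 1)


# Constructed sample: a switch string with REBOOT set twice.
SAMPLE_SWITCHES = "/qn REBOOT=ReallySuppress ALLUSERS=1 REBOOT=ReallySuppress"

if __name__ == "__main__":
    print(f"0x80070667 -> {explain_hresult(0x80070667)}")
    print("duplicated properties:", duplicate_msi_properties(SAMPLE_SWITCHES))
```

A check like `duplicate_msi_properties` belongs in whatever reviews a catalog entry before it is published, since SCUP appends its own silent-install switches and a second copy of a property is exactly the situation the post ran into.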

While I haven’t used SCUP in-depth yet, I am excited about what I do have in place.   My thanks go out to Jason Lewis, Program Manager at Microsoft,  for his great blogcasts showing how to set up SCUP.   I also found a PDF from Dell – Dell Catalog to Support Microsoft System Center Configuration Manager for Dell Hardware Updates by Dustin Orrick and Angela Qian to be very helpful.


Jailbreaking – Unsafe at any speed

Aug 16

Look at me, making Ralph Nader references whether they work or not.

Back in July, the US Copyright office ruled it is legal to jailbreak your iPhone in order to install non-appstore apps or even to unlock the phone to use with another carrier.

What does this mean for iPhones used in the enterprise?

Just because something is permissible under the law does not mean that a corporation must allow it. Apple may still make it a violation of their terms of service and void the warranty.

Jailbreaking offers a greater potential for malware to be run on the phone. Do you remember the iPhone jailbreak worm? A popular jailbreaking technique was setting up SSH and leaving the default password. Doh!

Dave Zatz had a recent post asking if there was even a case for jailbreaking anymore.

So, while my company is full of engineers who like to tinker, as long as the phone holds corporate data we need to enforce a no-jailbreaking policy.
