http://isc.sans.edu en-us Thu, 23 Feb 2012 05:08:04 +0000 Thu, 23 Feb 2012 02:40:51 GMT (C) SANS Institute 2012 isc rss feed maker 30 handlers@sans.org (ISC Handlers) http://isc.sans.org/images/status.gif http://isc.sans.org http://isc.sans.edu/podcastdetail.html?id=2347 http://isc.sans.edu/podcastdetail.html?id=2347 Thu, 23 Feb 2012 02:40:51 GMT http://isc.sans.edu/diary.html?storyid=12646&rss http://isc.sans.edu/diary.html?storyid=12646&rss Internet Storm Center features daily handler diaries with summarizing and analyzing new threats to networks and internet security events. Diaries range from 0day vulnerability announcements to the latest software update releases. If it's security related, we'll probably put up a diary about it!
The ISC homepage https://isc.sans.edu always displays the last 24 hours of diaries. The top and bottom of every diary, wherever it is listed, contains a previous/next navigation link that will iterate through all the diaries in order. You can click the title to view the full diary page.
What's in a Diary?
A Diary title is always an active link so you can right-click and copy to send to a friend or co-worker you think would be interested in the information. Alternatively, there is a Share menu to the right of the title if you want to publicly share on any number of social networking sites!!
Under the title you will see the original published date and the last updated date if any changes have been logged to the diary. Below that you will see the name of the handler that authored the diary and version number. The Rate this diary is currently disabled but should be back soon.
The number of comments displays how many comments have been added and is a link that will take you straight to the comments section below the diary. You can leave a comment if you are logged to your ISC/DShield account. Not logged in? No worries, just click the link, login and you should be brought right back to leave your comment. The Alias will default to what you have set in Your Information https://isc.sans.edu/myinfo.html but you can change it to whatever you want. Every comment is vetted by the handlers and inappropriate or blatant ads are removed.
The diary content will vary. It can contain anything from just a few lines of text, sometimes with web links, to a full tutorial with illustrated graphics. A handler will have their own custom signature at the end of every diary posted. If an announcement is short and doesn't require a lot of detail, a handler may post a oneliner which is highlighted with a different background/border and generally just one sentence.
A Keywords list follows the diary content. This is a individually linked list that will take you to a page displaying a table of all the diaries that contain that same keyword, along with the date published and author.
How can I find past dairies?
The easiest way to find past diaries is to search for keywords as explained here https://isc.sans.edu/diary/ISC+Feature+of+the+Week+ISC+Search/12496. ALL the diaries can be listed by date on the Diary Archives page https://isc.sans.edu/diaryarchive.html. This is useful if you know the general timeframe or title text of a specific diary or just want to skim titles as an entire month is shown at once.
The site footer always contains some of the most recent Diary Archives in the center as well as a link to all the archives page. The homepage also lists some more of the most recent diaries as well as a link to the Diary Archives page https://isc.sans.edu/diaryarchive.html. There is also a link to the archives after every comment section on the diary page.
How can I get these diaries you speak of?
Well, you can make https://isc.sans.edu your default browser page so you don't miss anything.
You can also receive full or title only diaries by subscribing in your favorite RSS reader. The links can be found here https://isc.sans.edu/xml.html#rss

Let us know in the section below if you have suggestion or feeback about our diaries or send us any questions or comments in the contact form at https://isc.sans.edu/contact.html
--


Adam Swanger, Web Developer (GWEB)


Internet Storm Center (http://isc.sans.edu)

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.]]> Wed, 22 Feb 2012 21:48:50 GMT http://isc.sans.edu/diary.html?storyid=12643&rss http://isc.sans.edu/diary.html?storyid=12643&rss - more granular logging. Logging is always a tedious and often overlooked security component. Apache 2.4 will allow for log levels to be configured on a per-directory level.
- various changes to timeouts. We had a number of tools over the last few years that attacked web servers by exhausting connections. The new timeout changes may help with that, but over all, I don't think there is a simple fix for this problem.
- changes to the proxy configuration. Some use apache not just as a web server, but as a proxy to restrict access to resources, or as a load balancer. This can help with security, but in the past, bugs in Apache's implementation of these features has caused problems.
- Apache now includes a mod_session that will have Apache take care of sessions. This includes support for encrypted sessions, and support for session based authentication. Really have to see how this will all work in more detail. It appears that headers will be used to add data to sessions. This could be a new opportunity to exploit http response splitting. Note that the session information may be stored on the client, not just the server. Unencrypted sessions on the client could pose interesting security issues.
- mod_ssl has been improved to allow it to check for invalid client certificates via OCSP.
Version 2.4.1 is now available for download. I recommend you start testing it, but hold off on using it in production until some of the features have been debugged.
[1] http://httpd.apache.org/docs/2.4/new_features_2_4.html
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.]]> Wed, 22 Feb 2012 13:59:08 GMT http://isc.sans.edu/podcastdetail.html?id=2344 http://isc.sans.edu/podcastdetail.html?id=2344 Wed, 22 Feb 2012 02:33:16 GMT http://isc.sans.edu/diary.html?storyid=12631&rss http://isc.sans.edu/diary.html?storyid=12631&rss iOS uses a pretty simple and effective security model to fight malware: Whitelisting. All software installed on an iOS device has to be digitally signed. In order to be digitally signed, the software has to be reviewed by Apple. Only software that uses standard Apple vetted APIs is considered trustworthy to be signed, making it difficult to sneak in malicious code. If malicious software slips through, it can be recalled later.
Over the last few years, the opposite model, blacklisting (Anti Malware) has failed spectacularly. Even many desktop users now use third party whitelisting software which is usually more granular then what Apple proposes.
Apple's approach allows for essentially three different settings:
- Only allow Apple approved software (pretty much what iOS does)

- allow Apple approved software, but also allow software signed with specific additional certificates (you could use this to sign your own software. Kind of like accepting the certificate from an iOS developer for testing)

- allow all software (pretty much unlocked in iOS terms)
There are some specific limitations to Apple's approach:
- the signatures are only tested during install. If malicious software passes the install, it will not be inspected further.

- only executables are checked. A malicious PDF may still cause havoc, even if it may no longer be able to then download and install additional malware



The best part in my opinion is that the functionality was already pushed out to systems as part of the last OS X update (10.7.3). So you can already experiment with the feature and see how well it works (or doesn't work). I am running it now for a while off and on and so far, haven't experienced any ill effects, aside from it blocking me once or twice from installing software. Each time, I just disabled it temporarily (which could be considered a weakness).
The command line utility spctl can be used to enable or disable the feature. spctl --enable will enable it, spctl --disable disable it. You need to be root to run the utility.




------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.]]> Wed, 22 Feb 2012 02:16:20 GMT http://isc.sans.edu/podcastdetail.html?id=2341 http://isc.sans.edu/podcastdetail.html?id=2341 Tue, 21 Feb 2012 02:58:44 GMT http://isc.sans.edu/diary.html?storyid=12625&rss http://isc.sans.edu/diary.html?storyid=12625&rss With the FBI's March 8th deadline for disabling the DNSChanger resolvers rapidly approaching, the predictable fearmongering is beginning in the blogosphere and the regular press. Rest assured that DNSChanger infected a relatively small number of computers compared to most infections, and turning off the temporary resolvers will barely be blip on the Internet. There are some suggestions that the FBImay extend this deadline to permit companies to complete their cleanup. Frankly Iam on the fence about whether or not an extension is a good idea. Icertainly don't want to entertain the possibility that the companies that Ido business with, and entrust my personal information to, may take more than 4 months to cleanup a known malware infection.
The fact is that DNSChanger has provided us a rare opportunity. DNSChanger itself never reached its full potential because of the FBI's intervention, but analysis of DNSChanger infected computers has revealed that computers infected with DNSChanger are nearly always infected with a range of other malware including malware that disables automatic updates and antivirus products. Others have been found with credential stealing Trojans and rootkits. Certainly the detection of this sort of malware should result in immediately taking the computer off the network and rebuilding it.
The symptoms of a DNSChanger malware infection are relatively easy to detect. From shortly after the FBI's Operation Ghost Click was revealed, the DNSChanger Working Group (DCWG) provided instructions on how to determine if your computer is infected, and shadowserver.org has made reports available which permit anyone who owns their own address space to reliably detect the presence of DNSChanger infections, and by extension associated malware.
In the last month or so another way of detecting DNSChanger infected computers has been made available. Several countries have launched eyechart sites which will tell you if the machine you are on is infected with malware. For the most part these sites follow the pattern of dns-ok.CC where CC is the country code of the hosting country. Some that are available are dns-ok.us (U.S.), dns-ok.ca (Canada), dns-ok.de (Germany), dns-ok.be (Belgium) and Iam sure many others. They all follow a familiar pattern. If the site is a friendly green your computer is not infected with DNSChanger, a not so friendly red requires further investigation.
One caveat. It appears that in relatively rare circumstances, DNSChanger may infect SOHOrouters. So although the eyechart may be red, it may not be the computer you are on that is infected. It may be the router. Either way you know that some investigation is warranted.
Please consider using these available tools to cleanup malware infections on your network...before the FBIturns off the resolvers.
-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected) (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.]]> Mon, 20 Feb 2012 23:05:35 GMT http://isc.sans.edu/diary.html?storyid=12622&rss http://isc.sans.edu/diary.html?storyid=12622&rss That's definitely a really broad question, because sometimes each malware may need a different approach. However, there are some simple tools that can help on a first approach and sometimes will give all the answers you need, without the need to go deeper on more complete debuggers and disassemblers as OllyDbg and IDA Pro, which by the way are two great tools!
For this diary I am not considering exploits, like pdf or java exploits, but just plain PE files ( EXE and DLLs).
As part of my first look kit I use the pescanner python script from Malware Analysis Cookbook, which the authors made available here.
This script can give you some valuable information about the PE file, like the PE Sections, Version information (if available), and compilation date. Because there are some known bad indicators, the script will also print out the [SUSPICIOUS] word when it finds one of those indicators, such as strange compilation date, and strange entropy values found on the PE Sections.
Once you are used to the analysis, a simple look on this will help you to identify possible malicious files. Since it was based on Ero Carrera's pefile python module, you can modify and add additional features if you think is necessary. One addition I did on mine was to show if the file contains an overlay. On a few situations you should see valid overlay in files, and it is very common to find parasitic virus including its code as an overlay on the PE file.
Another great tool that I use is called HIEW (Hacker's View) hex editor. It is a really complete old-style tool. I mean old style because it uses a DOS window, there is no GUI...:)
It has a lot of features, from a complete HEX editor, an ASCII view of the file, and a Decode view, where you are presented with a disassembler. It also contains several shortcuts with pre-defined functions, as to show you the basic PE information, the number of sections, the entry point address and much more.
It also allows you to go straight to section you want or jump to a specific address on the file, list the imports and exports and even edit the file.
It is a paid tool available here, but it contains a free version (6.50) which does not contain all features but can definitely give you a feel of it.
There was a open source product called Biew that had almost the same features of Hiew, but seems that it is not being updated since 2009.
Another tool that I've been checking lately is called HT Editor, that is a promissing project. It still doesnt have a lot of feaures but I like it. You may check it here
Enjoy!
------------------------------------------------------------
Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.]]> Mon, 20 Feb 2012 16:46:34 GMT http://isc.sans.edu/podcastdetail.html?id=2338 http://isc.sans.edu/podcastdetail.html?id=2338 Mon, 20 Feb 2012 02:17:10 GMT http://isc.sans.edu/diary.html?storyid=12616&rss http://isc.sans.edu/diary.html?storyid=12616&rss I have recently looked over a number of OS X hardening guides, and found that not many specifically address the latest version of OS X (Lion, 10.7), nor are they necessarily well maintained. Instead of coming up with another (soon to be outdated) guide, I am trying to come up with a meta guide. If you know of a good hardening guide for OS X: Please let me know. Also, if there are any tricks that you find useful (or things that fired back and didn't work at all): Let me know too.
Most notably: Apple released a guide for each version of OS X up to Snow Leopard, but I can't find one for Lion. Does it exist?
Here are some of the guides that I have sound so far:
Apple: http://www.apple.com/support/security/guides/

NSA Guide:http://www.nsa.gov/ia/_files/factsheets/macosx_hardening_tips.pdf

Mac Shadows:http://www.macshadows.com/kb/index.php?title=Hardening_Mac_OS_X

Univ. Texas:https://wikis.utexas.edu/display/ISO/Mac+OS+X+Server+Hardening+Checklist

Center for Internet Security:http://benchmarks.cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.os.unix.osx


------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.]]> Mon, 20 Feb 2012 02:04:54 GMT