Category Archives: Computer Security Software

Patches! We don’t need no stinking Patches!

And you thought implementing a vulnerability program was too expensive!

Recently the CSIS Denmark released a report which highlighted 99.8 % of malware or virus infections could be mitigated by patching five key applications. Those applications, some of our favorite:

Internet Explorer – Lots of bells and whistles elements built into the browser which must be kept up-to-date for them all to be as secure as possible. IE is now a very secure browser for the most part, if kept patched! As with all browsers, if there is a dodgy website setup to exploit a browser weakness, unless it is a zero day (rare), patching will protect from this risk and is easy to deploy locally and administratively.

Windows Vista & Server 2003 – Both operating systems need to be kept up-to-date with a roadmap for upgrade to Windows 7 & Server 2008 respectively. If you weren’t aware, most users would rather still use Windows XP over Vista and would love to be upgraded to Windows 7. Both Server 2003 and Windows Vista have been out for a number of years and those naughty cyber-criminal syndicates are very familiar with exploitation. The operating systems are weaker than their upgrade counterparts due to some architectural flaws. An operating system infection is dreadful, you can’t trust any installed applications or the OS itself. They can also take the greatest amount of time and highest cost to remediate.

Adobe Acrobat Reader/Writer – The business, internet, research, and education necessary applications all computer users at one time (or 20 times today) have used much to our delight and frustration. Due to the widespread usage of the apps and lack of patch management they are a juicy, luscious easy target.

Java JRE– Again, widespread usage and lack of general patch management is a driving force behind infections. Also, this application, similar to many Adobe products, suffers from a less than favorable security reputation.

Here how expensive not patching and vulnerability testing is:

You have to call the CEO and or the board to an emergency meeting. A trusted third party supplier infected your network and compromised very publically a primary database of customer information. It seems quite sensitive customer information that is. The CEO and or other higher up well known for arse-chewing or at least the level that can terminate you instantly is on vacation. As an extra bonus, it is 2 am his/her friendly, understanding corporate officer’s local time. No matter if your IT Security department had sign off, documented meetings, warnings etc.… to the upper management or board that a program was needed it will still cost reputation, business and possibly jobs before the dust is all cleared.

If you are new to the topic, a fantastic resource for assistance is Reddit NetSec and need some solid answers. Try to avoid loss from the door being left unlocked to all your organization’s information because of an aged or insecure application that in most cases just needs a free patch. If your patch and vulnerability testing is lacking, get up to speed now. If all else fails, you can learn to use some new tools and update your CV/resume, just in case due to pressures within your organization there is a risk of ever having to make that loud, uncomfortable and/or demoralizing phone call.

There are low cost, awesome, high feature, speedy tools that can be used to express the importance of patching and vulnerability testing. They also have a low learning curve for new users:

Nessus– There is a limited free version which is perfect to perform quick (non) commercial tests. If you contact them and explain you wish to use a demo with more features I’m guessing they will likely send you one. Once you use Nessus it’s a fairly easy sell after presenting the app’s generally solid results.

FOCA-This is one of my favorite tools, always impressed when I use it. It is a succulent, meta-data driven beauty that makes basic to medium level pen testing feel like a holiday on a warm tropical beach during winter. At a push of a button, to paraphrase from their Hack in the Box presentation: Perfect for the lazy pen-tester. FEAR the FOCA!

Belarc Advisor– There are fully functional (free) home and low cost corporate versions. Its HTML based and can be parsed with functions such as displaying software keys, if patches were correctly installed with hyperlinks for rectification, review of user accounts and a custom security score. I have used it for more years than I care to reveal lest I date myself out of the abundant job market.

   
 

   
 

   
 

   
 

   

FBI DNS Changer Deadline Extended to 9 July, 2012

FBI DNS Changer Deadline Extended to 9 July, 2012

The US FBI was granted an extension on the court order to maintain control of the DNS Changer IP ranges until 9 July, 2012. This extension was granted based on the large amount of computers and routers which were still making DNS requests to these IP ranges. According to The Register, a research group called IID found about 18.8% of all US Fortune 500 companies surveyed were affected on 23/02/2012. This is a substantial decrease, down from 50% of US Fortune 500 companies in January, 2012 based on a previous study by IID.
The FBI court order might not be extended again due to substantial decreases in the number of USA based suspected infections. Conversely, our group has observed suspect infections in approximately 25% of the networks we advise and consult for in Europe, Africa, Middle East and Asia Pacific. The infections in the USA might be dropping; however, too many non-USA geo-located IPv4 sources remain infected. The majority of identified assets were fully updated and patched end point assets, critical servers with up-to-date Anti-virus software or routers with modified configuration files.

Why do so many suspected infections remain? 

  1. Over reliance on Anti-virus software.
    1. A clean anti-virus scan does not equate to a clean asset, it just means that version and vendor of anti-virus was unable to find an infection at this time. Malware can be written specifically to evade or disable certain features of anti-virus software.
  2. Inability to understand the risks of allowing external DNS requests to untrusted locations.
    1. You wouldn’t knowingly ask the enemy for directions to your own ambush. The same principal applies to allowing or not investigating external DNS requests to un-trusted or suspected malicious DNS servers.
    2. Also, just because a firewall dropped outbound activity does not mean there is no risk to the network. You still have a suspected infected machine that requires investigation.
  3. Inability to find the end points due to short TTL’s in large DHCP based networks or other issues.
    1. Finding end points has been a big challenge for our clients. Their networks have grown or merged in many cases without full documentation or change control. This is a huge gap in security for many but one that can be easily remedied through documentation and network mapping applications.
  4. Lack of time or fiscal budget to properly review logs.
    1. Please review your firewall and proxy drops, this is very, very important.

If your organization has assets making DNS requests to the FBI controlled IP ranges related to the DNS Changer they need to be investigated. We start in the following order in large networks with many possible infections:

  1. Revise firewall or other perimeter controls to avoid more assets making suspect requests, e.g. close the hole.
  2. Investigate all assets which successfully made DNS requests.
  3. Investigate assets attempting to make DNS requests by frequency and criticality of the asset.
    1. If the asset in question is a critical router or server, especially a DNS server open an incident immediately as further compromise of the network is suspected.
    2. If one asset is making 1000 DNS requests while another made 25 investigate the more active asset.
    3. Review the configuration file of routers which might be compromised and check through the DNS settings.


Source: http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

 

Reporting can be your friend and can lead to pro-activity, i.e. don’t wait for your anti-virus to alert you to an infected machine. For example we wrote a very basic series ArcSight reports which runs on a daily basis:

  1. All assets making DNS requests to the FBI DNS Changer IPv4 ranges successfully.
  2. All assets attempting to make DNS requests to the FBI DNS Changer IPv4 sorted Z-A showing the assets making the most DNS requests at the top of the report with a bar graph.
    1. Using graphs can help visualize the problem to management and gain their buy-in. Looking at the problem from a business standpoint does not make you less technical but better at communicating the issue to those that approve budgets, staff and possibly investigations.

If you have any questions, concerns or techniques which have been successful in your organization please feel free to share them.