SANS


SANS Consolidated Security News

  1. Social media a boon for businesses, but creates security quagmire (NetworkWorld Security)
  2. British hackers get jail terms (Heise Security News)
  3. "Basic Requirements for IPv6 Customer Edge Routers" - Hemant Singh, Wes Beebee, Chris Donley, Barbara Stark (Internet Drafts)
  4. ZTE Score M Android Phone backdoor, (Fri, May 18th) (InternetStormCenter)
  5. Learning to code, should everyone do it? (IT Toolbox Blogs)
  6. CVE-2012-2121 (linuxkernel) (Natl. Vulnerability Database)
  7. Atlassian warns of critical security flaw (The Register)
  8. Vuln: pidgin-otr 'logmessagecb()' Function Format String Vulnerability (SecurityFocus Vulnerabilities)
  9. Terrorists and Nation States May Attempt To Exploit Anonymous (May 17, 2012) (SANS Newsbites)
  10. Survey: BYOD, Mobile Security Policies Leave Enterprises Vulnerable (Network Computing Security)


SANS Handler’s Diary

  1. PHP 5.4 Remote Exploit PoC in the wild, (Sat, May 19th) -
    There is a remote exploit in the wild for PHP 5.4.3 on Windows, which takes advantage of a vulnerability in the com_print_typeinfo function. The PHP engine needs to execute the malicious code, which can include any shellcode, like the ones that bind a shell to a port.

    Since there is no patch available for this vulnerability yet, you might want to do the following:

    Block any file upload function in your php applications to avoid risks of exploit code execution.
    Use your IPS to filter known shellcodes like the ones included in metasploit.
    Keep PHP at the current available version, so you know that you are not a possible target for any other vulnerability, like CVE-2012-2336, registered at the beginning of the month.
    Use your HIPS to block any possible buffer overflow in your system.

    Manuel Humberto Santander Peláez

    SANS Internet Storm Center - Handler

    Twitter: @manuelsantander

    Web: http://manuel.santander.name

    e-mail: msantand at isc dot sans dot org

    (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
  2. ZTE Score M Android Phone backdoor, (Fri, May 18th) - The ZTE Score M phone, apparently available via Metro PCS in the US, comes with a special suid backdoor. For a change, the backdoor does not use a fixed secret root password; instead, the suid binary sync_agent has to be called with a special parameter.
    If you do have an Android phone, check whether you have this application in /system/bin. At this point, only this one particular model is reported to have this application present, but it would be odd for ZTE not to use the same backdoor on other models.
    Cataloging and limiting suid applications should be a standard Unix hardening step. The simplest way in my opinion to find suid binaries is to use this find command (BSD/macOS find syntax; GNU find on Linux spells the same options -xdev and -perm /u=s):
    find / -x -type f -perm +u=s
    Files with the suid bit set run as the user owning the file, not as the user executing it. This is typically used to allow normal users to perform particular administrative tasks, so verify whether normal users actually need to run a particular binary before removing the suid bit.
    Update: The file has also been found on the ZTE Skate.
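    A baseline-diff version of that check, added here as an example and not ISC's own code: the same one-filesystem walk as the find command, in Python, but recording mode and owner so a scheduled run can report new or changed suid files against a catalog taken earlier from a trusted image (the existence of such a saved catalog is an assumption).

```python
import os
import stat
from typing import List, Tuple

Entry = Tuple[str, int, int]  # (path, permission bits, owner uid)

def catalog_suid(root: str) -> List[Entry]:
    """Sorted catalog of regular files under root with the setuid or setgid
    bit set; stays on root's filesystem like find -x / -xdev, so /proc, /sys
    and network mounts are skipped."""
    root_dev = os.lstat(root).st_dev
    found: List[Entry] = []
    for dirpath, dirnames, filenames in os.walk(root):
        # prune subdirectories on another filesystem (or that cannot be stat'ed)
        keep = []
        for d in dirnames:
            try:
                if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev:
                    keep.append(d)
            except OSError:
                pass
        dirnames[:] = keep
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((path, stat.S_IMODE(st.st_mode), st.st_uid))
    return sorted(found)

def diff_baseline(current: List[Entry], baseline: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """(added, removed) relative to a known-good baseline. A binary whose mode
    or owner changed shows up once in each list, so a privilege change is not
    hidden behind an unchanged path."""
    cur, base = set(current), set(baseline)
    return sorted(cur - base), sorted(base - cur)

if __name__ == "__main__":
    import sys
    for path, mode, uid in catalog_suid(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{mode:04o} uid={uid} {path}")
```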

    ------

    Johannes B. Ullrich, Ph.D.

    SANS Technology Institute

  3. ISC StormCast for Friday, May 18th 2012 http://isc.sans.edu/podcastdetail.html?id=2545, (Fri, May 18th)
  4. ISC Feature of the Week: Tools->Information Gathering, (Thu, May 17th) -
    Overview

    One of the sections on the ISC Tools page is Information Gathering at https://isc.sans.edu/tools/#info-gathering. This collection will help you easily find out how your browser and plugins look to the outside and lists some other information lookup tools.

    Features

    Browser Headers - https://isc.sans.edu/tools/browserinfo.html

    How a server sees your browser.

    https://isc.sans.edu/tools/browserinfo.html#your-info - Your public IP and various pieces of header information
    https://isc.sans.edu/tools/browserinfo.html#additional - Additional lookups that require JavaScript to be enabled
    https://isc.sans.edu/tools/browserinfo.html#plain-text - Plain text information summary you can copy/paste for analysis


    Browser Plugin Detector - https://isc.sans.edu/tools/adobinator.html

    This page attempts to detect various browser plugins. The detection code used was created using PluginDetect.

    Lists plugins detected and various version information for each.


    Site Availability Check - https://isc.sans.edu/tools/sitecheck.html

    Checks if hostname is reachable.

    Single input box.
    Displays failure if unreachable.
    If reachable, outputs:

    Page load time
    Page size in bytes
    Return status code (i.e. 200 success)
    Final URL
    Site DNS Check - https://isc.sans.edu/tools/dnscheck.html

    Hostname to IP DNS resolver.

    Single input box.
    Output IP if system is able to resolve.


    Whereis[IP] - https://isc.sans.edu/tools/whereis.html

    Multi-line input box. Enter one (1) IP per line.
    Output table contains:

    IP ADDRESS queried
    ASN of IP
    NETWORK assignment
    COUNTRY abbreviation
    ISP name
    RIR - Name of registry
    Content Security Policy Test - https://isc.sans.edu/tools/csptest.html

    Created for Firefox 4 but features may be found in other browsers.

    Lots of details and information on the test are outlined and explained on the page.
    Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form

    --

    Adam Swanger, Web Developer (GWEB, GWAPT)

    Internet Storm Center https://isc.sans.edu

  5. New IPv6 Video: IPv6 Router Advertisements https://isc.sans.edu/ipv6videos, (Thu, May 17th)
  6. Do Firewalls make sense?, (Thu, May 17th) - Once in a while, someone comes up with the idea that firewalls are really not all that necessary. Most recently, Roger Grimes of Infoworld [1][2]. I am usually of the opinion that we definitely probably need firewalls. But I think the points made by the anti-firewall faction offer some insight into not only why we really need firewalls, but also what people don't understand about firewalls.
    To clarify from the start: I am talking here about good old basic network firewalls. No deep packet inspection rules and no host based firewalls.
    From a security point of view, firewalls offer two main functions: They regulate traffic, and they provide logs. The second part is often neglected. But look over some of the stories here, and quite frequently, you will find cases in which firewall logs tripped the scale. For example the duplicate DNS response issue earlier this week was initially found by an observant reader watching firewall logs.
    When it comes to filtering, some consider firewalls not worth the trouble because they only filter on ports that are closed on the server anyway. I think this shows a lack of understanding of what a firewall can do protecting servers. My best firewall wins came usually from outbound filtering from traffic trying to leave the server.
    The next argument against firewalls is that there are usually better devices to do the filtering: Proxies have real application insight, router and switch ACLs can usually pick up the low end port filtering part. As far as the proxy is concerned: I say get one too. But proxies are usually rather complex devices to configure correctly and I'd rather get the easy stuff out of the way first using a firewall. At the same time: How do I make sure my traffic actually uses the proxy? That typically involves a firewall.
    A switch or a router may have many features that are found in a classic firewall (even stateful rules and some application logic). They may be perfectly fine for a home user or a small business. However, in particular in an enterprise context, you probably want to split the firewall functionality to a different device, and with that to a different group of people. The people dealing with routing and network performance (packet movers) are usually not the same people that are dealing with firewalls and filtering (packet droppers).
    But how many modern attacks are really blocked by firewalls? Aren't they all sending a spear phishing email to the user, tricking the user into downloading malware some Chinese kid wrote via the filtering proxy we installed? Next they exfiltrate the data via that same proxy (or DNS, or SMTP... or other services we have to allow)? In part, these modern attacks are a testimony to the effectiveness of firewalls. An attacker would probably rather still use the same tool they used back in the 90s to brute force file sharing passwords and download data straight from the system. But sadly, because now even some universities block file sharing using a firewall, these attacks no longer work.
    Against these modern attacks, we have other defenses. Some may work against the older versions of these attacks as well. In short, these defenses can be summarized as end point protection (whitelisting, anti-virus, host based firewall, hardening of the system...). Hardening a large number of end points is however a lot more difficult than configuring a few firewalls well placed at the right choke points.
    By now, you are probably going to ask yourself: Why hasn't he talked about defense in depth yet? The argument doesn't really apply if you are trying to argue removing a device. Each additional security device can be justified with defense in depth. But some security devices do not add enough value to justify the expense. I don't think defense in depth itself can be used to justify a *particular* security device. It rather justifies the fact that some of our security devices are redundant and fulfill similar functions ;-).
    Thoughts? Flames? Use the comment feature or send us a non-public comment via the contact form.
    [1]http://www.infoworld.com/d/security/the-firestorm-over-firewalls-193409

    [2]http://www.networkworld.com/news/2005/070405perimeter.html
    ------

    Johannes B. Ullrich, Ph.D.

    SANS Technology Institute

  7. ISC StormCast for Thursday, May 17th 2012 http://isc.sans.edu/podcastdetail.html?id=2542, (Thu, May 17th)
  8. Reserved IP Address Space Reminder, (Wed, May 16th) - As we are running out of IPv4 address space, many networks, instead of embracing IPv6, stretch existing IPv4 space via multiple levels of NAT. NAT then uses reserved IP address space. However, there are more address ranges reserved than listed in RFC1918, and not all of them should be used in internal networks. Here is a (probably incomplete) list of address ranges that are reserved, and which ones are usable inside your network behind a NAT gateway.

    List of Reserved IPv4 Address ranges

    Address Range      RFC       Suitable for Internal Network
    0.0.0.0/8          RFC1122   no (any address)
    10.0.0.0/8         RFC1918   yes
    100.64.0.0/10      RFC6598   yes (with caution: if you are a carrier)
    127.0.0.0/8        RFC1122   no (localhost)
    169.254.0.0/16     RFC3927   yes (with caution: zero configuration)
    172.16.0.0/12      RFC1918   yes
    192.0.0.0/24       RFC5736   no (not used now, may be used later)
    192.0.2.0/24       RFC5737   yes (with caution: for use in examples)
    192.88.99.0/24     RFC3068   no (6-to-4 anycast)
    192.168.0.0/16     RFC1918   yes
    198.18.0.0/15      RFC2544   yes (with caution: for use in benchmark tests)
    198.51.100.0/24    RFC5737   yes (with caution: test-net used in examples)
    203.0.113.0/24     RFC5737   yes (with caution: test-net used in examples)
    224.0.0.0/4        RFC3171   no (Multicast)
    240.0.0.0/4        RFC1700   no (or unwise? reserved for future use)


    Most interesting in this context is RFC6598 (100.64.0.0/10), which was recently assigned to provide ISPs with a range for NAT that is not going to conflict with their customers' NAT networks. It has become a more and more common problem that NATed networks, once connected with each other via, for example, a VPN tunnel, have conflicting assignments.
    Which networks did I forget? I will update the table for a couple of days as comments come in.
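    The table above as a checker, added here as an example and not part of the diary: it classifies a proposed internal prefix against the reserved blocks, reports the "no" and "with caution" cases, and flags the overlap with a VPN peer's ranges that the RFC6598 paragraph describes (the peer prefixes are an assumed input; it also accepts any prefix, not only the table's rows).

```python
import ipaddress
from typing import List, Optional, Tuple

# The diary's table as data: reserved prefix -> (RFC, usable behind NAT?, caveat)
RESERVED = {
    "0.0.0.0/8":       ("RFC1122", False, "any address"),
    "10.0.0.0/8":      ("RFC1918", True,  ""),
    "100.64.0.0/10":   ("RFC6598", True,  "carrier NAT: caution if you are a carrier"),
    "127.0.0.0/8":     ("RFC1122", False, "localhost"),
    "169.254.0.0/16":  ("RFC3927", True,  "zero configuration"),
    "172.16.0.0/12":   ("RFC1918", True,  ""),
    "192.0.0.0/24":    ("RFC5736", False, "not used now, may be used later"),
    "192.0.2.0/24":    ("RFC5737", True,  "for use in examples"),
    "192.88.99.0/24":  ("RFC3068", False, "6-to-4 anycast"),
    "192.168.0.0/16":  ("RFC1918", True,  ""),
    "198.18.0.0/15":   ("RFC2544", True,  "for use in benchmark tests"),
    "198.51.100.0/24": ("RFC5737", True,  "test-net used in examples"),
    "203.0.113.0/24":  ("RFC5737", True,  "test-net used in examples"),
    "224.0.0.0/4":     ("RFC3171", False, "multicast"),
    "240.0.0.0/4":     ("RFC1700", False, "reserved for future use"),
}

def classify(prefix: str) -> Optional[Tuple[str, str, bool, str]]:
    """Reserved block containing prefix as (block, rfc, usable, caveat),
    or None when the prefix lies in public (routable) space."""
    net = ipaddress.ip_network(prefix, strict=False)
    for block, (rfc, usable, caveat) in RESERVED.items():
        if net.subnet_of(ipaddress.ip_network(block)):
            return block, rfc, usable, caveat
    return None

def check_plan(prefixes: List[str], peers=()) -> List[Tuple[str, str]]:
    """Audit internal prefixes: flag public space, blocks the table marks
    unusable, cautioned blocks, and overlaps with a VPN peer's internal ranges."""
    findings = []
    for p in prefixes:
        hit = classify(p)
        if hit is None:
            findings.append((p, "public address space: do not use internally"))
        elif not hit[2]:
            findings.append((p, f"unusable: {hit[0]} ({hit[1]}, {hit[3]})"))
        elif hit[3]:
            findings.append((p, f"usable with caution: {hit[0]} ({hit[1]}, {hit[3]})"))
        for q in peers:  # the conflicting-assignment problem from the diary
            if ipaddress.ip_network(p, strict=False).overlaps(ipaddress.ip_network(q, strict=False)):
                findings.append((p, f"overlaps VPN peer range {q}: renumber or NAT"))
    return findings
```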
    ------

    Johannes B. Ullrich, Ph.D.

    SANS Technology Institute

  9. Avira Antivirus false positives http://forum.avira.com/wbb/index.php?page=Thread&threadID=144875, (Wed, May 16th) - ------

    Johannes B. Ullrich, Ph.D.

    SANS Technology Institute

  10. New Version of Google Chrome released (19.0.1084.46) , (Wed, May 16th) - ------

    Johannes B. Ullrich, Ph.D.

    SANS Technology Institute


All SANS related items, feeds and articles are the property/copyright of SANS or the original author. This site is in no way affiliated with/or endorsed by SANS.