More SANS Mentor Training in DFW

I’m on the schedule for at least two Mentor classes in 2015.  The first will be SEC504 that I’ve led a couple of times before, and the second is SEC560, the SANS Penetration Testing course.  Here are the details.

SEC504: Hacker Techniques, Exploits, and Incident Handling
Tuesday nights starting 20 Jan 2015

Your chance to learn:

  • Preparing for an incident: Not if, but when
  • Legal issues and when to involve outside entities
  • Common tactics used by attackers
  • Vulnerabilities in operating systems, applications, and networks
  • How to look for, respond to, and recover from attacks

Sign up by 23 Dec 2014 for discounted rates!

When registering, please enter “MENTOR RECRUIT” in the Comments section of the registration.

https://www.sans.org/event/38062
SEC560: Network Penetration Testing and Ethical Hacking
Tuesday nights starting 21 Apr 2015

Your chance to learn:

  • How to properly scope a pen test
  • Writing an effective report for the client
  • Finding and exploiting weaknesses in the target
  • Pivoting to inaccessible targets
  • Cracking passwords
  • Why getting root/SYSTEM isn’t enough

Sign up by 24 Mar 2015 for discounted rates!

When registering, please enter “MENTOR RECRUIT” in the Comments section of the registration.

https://www.sans.org/event/38067

Court rules against Google, makes all infosec people wiretappers

On 10 September 2013, the US Ninth Circuit Court of Appeals ruled against Google in Joffe v. Google over Google’s capture of payload data from unencrypted WiFi networks while it was capturing Street View images from its specially-equipped cars.  In some sense, this isn’t surprising, but the way that the decision was worded makes it appear very easy for anyone to accidentally become a wiretapper, and puts in danger those of us who perform captures for a living.


July 2013 patches for Microsoft, Adobe, Oracle

It’s the second Tuesday of the month, and that means it’s Patch Tuesday once again!  Well, for two of the companies mentioned.  Oracle still sees the need to do things their way, so their patches are out a week from today.  Still, be aware that Java might (read: probably will) be patched here in the near future.

But let’s focus on what’s out today, shall we?  I’m going to try to display the information in a useful format without getting into tables and without extending things too long.  Microsoft has 7 patches that address 33 vulnerabilities; Adobe has 3 patches that address 6 vulnerabilities.  They’re all pretty much in the “patch ASAP” category.

Microsoft

  • MS13-052 – Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution
    • Severity/Impact: Critical / Remote Code Execution, Elevation of Privilege
    • Products Affected:
      • .NET Framework on Windows (all versions)
      • Silverlight 5 running on Mac or Windows
    • Vulnerability Count: 7
    • Public Status: 2 disclosed, none in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: Silverlight is a little like Java in that its presence as an application framework is sometimes required for business purposes, but it should be removed where possible.  Unfortunately, Netflix requires it for PC viewing on Windows, so many millions of systems have it installed.  Fortunately, even Microsoft sees an end in sight for Silverlight and has largely discontinued its use.  Here’s hoping that the remaining users also see fit to scrap it.
  • MS13-053 – Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
    • Severity/Impact: Critical / Remote Code Execution, Elevation of Privilege
    • Products Affected:
      • Windows (all versions)
    • Vulnerability Count: 8
    • Public Status: 2 disclosed, none in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: One of the public fixes is the bug that Tavis Ormandy found and published a couple of months ago.  Microsoft is downplaying the risk, saying that an attacker needs to have local access for the likely scenario to work, which presumes that a system not patched for this will be patched for everything else or that it won’t come in via e-mail or a web download.  I’ve leveraged it in a pen test through another remote vulnerability that wasn’t patched.  It’s really not hard to do.
  • MS13-054 – Vulnerability in GDI+ Could Allow Remote Code Execution
    • Severity/Impact: Critical / Remote Code Execution
    • Products Affected:
      • Windows (all versions)
      • Office (all except 2013)
      • Visual Studio .NET 2003
      • Lync Client for Windows (all versions)
    • Vulnerability Count: 1
    • Public Status: Not disclosed, not in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: I considered putting this in the 30-day category, but it affects such a wide variety of software that I could not in good conscience do so.  This is probably going to be a quick target for attackers.
  • MS13-055 – Cumulative Security Update for Internet Explorer
    • Severity/Impact: Critical / Remote Code Execution, Information Disclosure
    • Products Affected:
      • Windows (all versions except Server Core)
    • Vulnerability Count: 17
    • Public Status: Not disclosed, not in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: It’s Internet Explorer.  It needs to be patched.  Sixteen of the vulnerabilities are memory corruption reported to Microsoft by at least a dozen people.  Memory corruption is a big topic of research these days.
  • MS13-056 – Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution
    • Severity/Impact: Critical / Remote Code Execution
    • Products Affected:
      • Windows (all versions except Server Core)
    • Vulnerability Count: 1
    • Public Status: Not disclosed, not in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: This has to do with specially-formed GIF files, a file format in very wide use on the Internet, hence the short patch period.
  • MS13-057 – Vulnerability in Windows Media Format Runtime Could Allow Remote Code Execution
    • Severity/Impact: Critical / Remote Code Execution
    • Products Affected:
      • Windows (all versions except Server Core)
    • Vulnerability Count: 1
    • Public Status: Not disclosed, not in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: Most video is played back in Flash or HTML5, but there are still plenty of ways to get Windows Media Player to play something from the Internet.  Patch soon.
  • MS13-058 – Vulnerability in Windows Defender Could Allow Elevation of Privilege
    • Severity/Impact: Critical / Elevation of Privilege
    • Products Affected:
      • Windows Defender when installed on Windows 7 or Server 2008R2 (does not affect Security Essentials or other Microsoft security software)
    • Vulnerability Count: 1
    • Public Status: Not disclosed, not in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: It’s antivirus software, so you should be patching it pretty much immediately.  However, my actual recommendation is to get a real AV product.  If you’re a business, you need to spend some money, but it’s worth it.  If you’re at home, there are plenty of good, free AV options to go with such as Avast or AVG if you don’t want to buy something.

Adobe

  • APSB13-17 – Critical security update for Adobe Flash Player
  • APSB13-18 – Critical security update for Adobe Shockwave Player
  • APSB13-19 – Critical security update for ColdFusion 10, Important update for 9.x

June is here: Patches galore!

So June 2013 has arrived, and with it, so many security updates.  Some have been released, some have not, and some won’t be patched until at least next month.

Here are the patches that have been released, or at least scheduled.  (I’m probably not going to do my Microsoft overviews anymore.  They take a LONG time to write up and are useful to only a niche crowd that can find the details elsewhere.  I’ll still post when bad things come along, but not with as much detail.)

Microsoft Windows, IE, and Office

Microsoft released a few patches this week.  Of special note:

  • MS13-047: Internet Explorer gets updates, and a lot of them.  How many?  This update includes fixes for NINETEEN vulnerabilities.  While they weren’t known to be publicly exploited as of Tuesday, frameworks like Metasploit have already caught up to May’s updates, and odds are that June’s updates will be covered soon.
  • MS13-051: Office gets an update (or several of them, judging by Windows Updates for me), covering attacks that are already in the wild.  Yep.  Microsoft patches something the bad guys know is broken.  Time to patch now and break the bad guys’ hearts.

What has not been fixed is Tavis Ormandy’s odd little find from the last month or so.  While it’s a local privilege exploit, don’t dismiss it, as I used it on the path to Domain Administrator access in a recent test.  It absolutely works (sometimes, but for me when it counted).  No word on when it will be addressed, but it probably won’t be before 12 July 2013.

Adobe Flash

Adobe released a Flash update, as they do pretty much every month.  Either update Flash or Chrome (or both for those that run Flash outside of Chrome, which is most of you).  Adobe Reader seems to be unaffected, but here’s a random reminder to check your installed version.  If you’re not on 10.x or 11.x, you’re at serious risk.

Oracle Java

Oracle has not released a Java patch this month…yet.  No, that’s not until next week.  That’s when Oracle releases an update that fixes 40–that’s forty, as in four times ten–known vulnerabilities.  How badly does it affect Java?  The update announcement includes mention of Java 7 b21 and earlier, which isn’t surprising.  But it also mentions Java 6 b45 and earlier, which is funny because Java 6 support was supposed to end in February with a one-time extension in April.  However, it also mentions Java 5 b45 and earlier.  Java 5 was supposed to be EOL last year.  It looks to me like Oracle has had to face the very ugly truth that people don’t upgrade like Oracle wants them to.  Even if they fix Java 7 and 8 with a crash security program such as was seen with Microsoft and Windows XP SP2, I expect that Java problems will be with us for a long, long time to come.

John the Ripper 1.8.0 released

A new version of the pre-eminent password cracker John the Ripper has been released.  Bringing the version up from 1.7.9 to 1.8.0, the biggest change is a boost in performance, in some cases nearly doubling the cracking speed.  The performance edge seems to drop off as the checks go longer, but it’s still present.  The formal jumbo patch isn’t done yet, but it should be here soon.

I expect to see it in Kali and other security distros soon.  Passwords are growing less safe by the day.

Don’t use APNIC ranges for test addresses

A tip for those of you who manage DNS servers:

If you absolutely MUST put a fake entry in your zone, DON’T point it to 1.1.1.1 or 1.2.3.4.  Either point it to an address (of your own!) that you know to be unused or point it to an RFC 5737 documentation address (192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24).  It’s still not a good idea, but at least those ranges are reserved for documentation and not routed on the public Internet, and you’re (probably) not using them in your network, so the entry won’t give away internal information.

Pointing it to anything in the 1.x.x.x range sends the resulting traffic to APNIC parts of the Internet that include Asia and Australia.  You have no control over these addresses.  Don’t put your customers in danger.
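A quick audit of a zone file along the lines of this tip, as an added example that is not part of the original post: every A record is classified as an RFC 5737 placeholder, an address in the operator’s own space, or someone else’s address space (1.1.1.1 and 1.2.3.4 land in the last bucket).  The OWN_PREFIXES list and the sample zone are constructed for the example.

```python
import ipaddress
import re
from typing import List, Tuple

# RFC 5737 documentation ranges: reserved and not routed on the public Internet.
RFC5737_RANGES = [ipaddress.ip_network(n) for n in
                  ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

# Prefixes the zone operator controls and knows to be unused.
# Hypothetical value constructed for this example; replace with your own allocations.
OWN_PREFIXES = [ipaddress.ip_network("10.20.0.0/16")]

# A record with an owner name at the start of the line; TTL and class are optional.
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)\s*(?:;.*)?$",
                      re.IGNORECASE)


def classify_target(addr: str) -> str:
    """Return 'rfc5737', 'own', 'foreign' or 'invalid' for an A record target."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if any(ip in net for net in RFC5737_RANGES):
        return "rfc5737"
    if any(ip in net for net in OWN_PREFIXES):
        return "own"
    return "foreign"  # somebody else's space, e.g. 1.0.0.0/8 (APNIC)


def find_unsafe_placeholders(zone_text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, target, verdict) for A records that are not safe placeholder targets."""
    findings = []
    for line in zone_text.splitlines():
        if not line or line.startswith((";", "$")):
            continue  # blank line, comment, or $ORIGIN/$TTL directive
        m = A_RECORD.match(line)
        if not m:
            continue  # not an A record, or owner name inherited from the previous line
        owner, target = m.group(1), m.group(2)
        verdict = classify_target(target)
        if verdict in ("foreign", "invalid"):
            findings.append((owner, target, verdict))
    return findings


# Constructed sample zone fragment (not a real zone).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 300
www      300 IN A 10.20.1.5        ; operator's own address
test         IN A 1.1.1.1          ; APNIC space: do not do this
dummy    300 IN A 1.2.3.4          ; also APNIC space
doc          IN A 192.0.2.10       ; RFC 5737 placeholder: acceptable
mail     300 IN MX 10 mx.example.com.
"""

if __name__ == "__main__":
    for owner, target, verdict in find_unsafe_placeholders(SAMPLE_ZONE):
        print(f"{owner}: {target} ({verdict})")
```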

How to Pick Your Antivirus

I get asked this question a lot.  “What antivirus program should I use?”  It’s also probably the question I dread the most, in large part because if I recommend something and someone gets infected anyway, it’s suddenly my fault.  So before I provide any semblance of an answer, I want to start off by making something very clear.

All antivirus software sucks.

Yeah, all of it.  Even what I run, which is currently ESET NOD32 (which, despite its name, also comes in a 64-bit version), has some really severe limitations based on how it works.  I run it at home because historically, it’s pretty solid, doesn’t break many things, and fits what I need.  But I’ve run up against it in a penetration test and got past it.  The question invariably comes around: Then why run it?


An unusual IM spam

I’m on pretty much every major IM program, and have been since introduced to ICQ way back in the 90s.  I have multiple accounts on most of them, too, some of which are rarely used and then only for spam.  I get the usual dating and pr0n spam, but every once in a while, I get something new.
