LSEC Information Security Newsletter 19.04.2011

LSEC Infosecurity Mid-Week Report

Every Wednesday LSEC publishes the LSEC Infosecurity Mid-Week Report: a list of IT-security issues you may want to look at, a few freeware tools to test or use, and a few reports to read. It is called the Mid-Week Report because it still leaves you a couple of days in the week to manage the most critical issues.

Information is collected from various sources and has been reviewed and edited by some of our experts.

Web Site Management : Google search tip for security people, no. 1

If you run a site, you can search for everything Google knows about it (and is showing to the world). This is quite simple. Type - site:mysite.com (with the name of your own site) - and you will see every page Google has indexed. For a large site you can add specific words after it, such as - site:mysite.com admin OR logon OR password - (Google only treats OR as an operator when it is written in capitals) or the name of any function or page you thought was hidden. If your site has interactive functions, or you want to find spammers abusing it, add - porn mp3 viagra warez - and all their references will show up.

If you own a site you should also create a Google account and verify your ownership in Google Webmaster Tools, by inserting the verification code Google gives you in your pages, so that Google knows you are the owner. If your site gets infected or defaced, it is then much easier to ask Google to re-index it after you have cleaned it up, and Google can even send you a warning when it thinks your site is infected. You can also set up Google Alerts so that you receive an email every time Google finds a new page on your site (even if you did not update it lately) or discovers new spammers who have been inserting bad links in your forum.

Patches part 1 : Oracle

Oracle released its Critical Patch Update on April 19th with 73 patches. Nearly half of them are highly critical because they allow an attacker to take over the application or database remotely, without authentication. If your developers have added custom functions to an application, test the patches on a virtual or staging copy of that application before installing them for good. In the meantime, monitor your applications more closely for suspicious connections.

Patches part 2 : Microsoft

Professionals follow the discussion about the monthly Microsoft patches, and the problems they cause, through the Internet Storm Center, because that is where you hear it first. First, there may be issues with Exchange servers running on Windows 2008 R2, but this is not confirmed yet. Second, these patches are really important: they protect you against a whole set of new attacks and harden your systems. They must not be overlooked, and network administrators should follow the patch rate (the number of machines patched with the latest updates against the total number of machines) very closely, especially for the machines used by possibly 'targeted' managers. Third, do not be fooled by the colours of the urgency ratings: you will have to install all of them anyway. And last but not least, patching only works perfectly on machines running the latest OS. If you are still running Vista, XP or older, you remain vulnerable to a whole set of attacks even after applying these patches, because those older versions lack some of the exploit mitigations (such as ASLR on XP) that are built into Windows 7.

Attacks against some of these vulnerabilities (those marked 'Patch Now') were already taking place.
A 'Patch Now' rating means that you should update your internet-connected servers immediately, even if you normally apply a 'wait and test' period. In practice those patches are installed straight away on servers with internet connections, while the internal back office is tested first.

Individual users should go to http://update.microsoft.com

Network administrators should start checking the state of the installed Windows updates (and the presence of an up-to-date antivirus on the machine) before giving machines access to critical resources (network access control). Most SSL-VPN gateways, firewalls and proxies now offer this feature.
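As an added example, not from this newsletter and not Microsoft's or ISC's tooling: a small Python script that applies the 'Patch Now' rule above to a host inventory and computes the patch rate the way a network administrator would track it, split by the groups that deserve separate attention (internet-facing servers, likely-targeted users, the rest). The bulletin identifiers, host names and patch states are constructed for illustration and do not refer to real Microsoft bulletins.

```python
"""Patch triage and patch-rate tracking (added example, constructed data)."""

from dataclasses import dataclass, field


@dataclass
class Bulletin:
    bulletin_id: str
    severity: str      # vendor colour: critical / important / moderate / low
    exploited: bool    # True = attacks already seen in the wild, i.e. 'Patch Now'


@dataclass
class Host:
    name: str
    internet_facing: bool
    high_value_user: bool                          # e.g. laptop of a likely 'targeted' manager
    installed: set = field(default_factory=set)    # bulletin ids already applied


def install_policy(bulletin, host):
    """'install-now' or 'test-first' for one (bulletin, host) pair.

    A 'Patch Now' bulletin skips the normal wait-and-test period on
    internet-connected servers and on high-value users' machines. The vendor
    colour is deliberately ignored: a 'moderate' bug that is being exploited
    still goes in immediately, and every bulletin is installed eventually."""
    if bulletin.exploited and (host.internet_facing or host.high_value_user):
        return "install-now"
    return "test-first"


def triage(bulletins, hosts):
    """Per host, the bulletins still missing and the policy for each."""
    return {
        h.name: sorted((b.bulletin_id, install_policy(b, h))
                       for b in bulletins if b.bulletin_id not in h.installed)
        for h in hosts
    }


def patch_rate(bulletins, hosts):
    """Fraction of hosts that have every bulletin of the batch installed."""
    if not hosts:
        return 0.0
    wanted = {b.bulletin_id for b in bulletins}
    return sum(1 for h in hosts if wanted <= h.installed) / len(hosts)


def patch_rate_by_group(bulletins, hosts):
    """Patch rate for the groups an administrator should watch separately."""
    groups = {
        "internet-facing": [h for h in hosts if h.internet_facing],
        "high-value-users": [h for h in hosts if h.high_value_user],
        "internal": [h for h in hosts if not (h.internet_facing or h.high_value_user)],
    }
    return {name: patch_rate(bulletins, members) for name, members in groups.items()}


# Constructed sample batch: the ids and states are invented, not real bulletins.
BULLETINS = [
    Bulletin("MS-EX1", "critical", exploited=True),
    Bulletin("MS-EX2", "important", exploited=False),
    Bulletin("MS-EX3", "moderate", exploited=True),
]
HOSTS = [
    Host("web01", internet_facing=True, high_value_user=False, installed={"MS-EX2"}),
    Host("cfo-laptop", internet_facing=False, high_value_user=True),
    Host("backoffice01", internet_facing=False, high_value_user=False,
         installed={"MS-EX1", "MS-EX2", "MS-EX3"}),
]

if __name__ == "__main__":
    for host, missing in triage(BULLETINS, HOSTS).items():
        print(host, missing or "fully patched")
    print("patch rate:", patch_rate(BULLETINS, HOSTS))
    print("by group:", patch_rate_by_group(BULLETINS, HOSTS))
```

Note that the 'moderate' but exploited bulletin lands as install-now on the web server and on the manager's laptop, which is exactly the 'don't be fooled by the colours' point; the back office gets the same bulletins after testing.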

Patches part 3 : Adobe

Adobe has updated the Flash Player and you should follow immediately, as attacks against this vulnerability are already taking place. Normally Firefox will warn you when your Flash Player plugin is out of date.

Adobe is at the moment taking a beating not only from malware developers but also from the security community and network administrators, because it does not seem able to keep up with the stream of attacks hitting its products. The proof is that the next patches for the other affected Adobe products are only planned for late April and June, which is a slow response to ongoing attacks.

Reader X (version 10) for Windows now has a sandbox, called Protected Mode, that limits the damage of a successful attack: the document is rendered in a restricted process that is not allowed to write to the file system or the registry, so exploit code cannot install itself on the computer. It does not stop the exploit itself, it only contains it. The best thing to do is to upgrade the PDF readers - especially those of managers - and check that Protected Mode is switched on (Edit > Preferences > General > 'Enable Protected Mode at startup'; it is on by default in Reader X).

Sometimes one wonders where the simple, secure PDF document has gone. It did nothing special, but it was very secure. Nowadays a PDF can do nearly everything, but it seems that every new line of code or new function also introduced ten times more vulnerabilities and mistakes. It could be worth re-launching a simple, stupid, read-only PDF format with as little code and functionality as absolutely necessary. 'Cut the crap', as a manager would say.

Patches part 4 : And you didn’t forget to update

* The Java client. This is a very important (older) update that we need to remind you of, because the number of online attacks against unpatched Java clients is still growing. The problem for network administrators is that some internal applications may not work with the updated Java runtime and may need an upgrade themselves. The solution is to deactivate the old Java runtime, and in particular its browser plugin, except for the application that needs it, and to use the current, more secure runtime when browsing the internet.

* Browsers such as Firefox, Chrome, Internet Explorer and Opera. XP users should use Internet Explorer 8, while Vista and Windows 7 users should upgrade to Internet Explorer 9. Only Windows 7 users can test the Internet Explorer 10 platform preview. This is another reason why critical machines should no longer run XP. As internet services have become essential to any business and have also become the main method for infecting machines, your browser is the most important free line of defence against attacks your antivirus cannot handle (yet).

* Service Pack 1 for Windows 7 and Service Pack 2 for Windows Server 2008. Both are available on the DVDs of many computer magazines if you prefer not to download them.

* Apple (Macintosh) users have major updates too and will now also get a built-in malware scanner, because there are finally viruses targeting Apple systems as well.

Some interesting databreaches that made the news in 2011

* Even the best get hurt: Barracuda Networks was breached when it took its own web application firewall offline for a few hours of maintenance. On their old IIS 6 server an automated SQL injection tool found a script that allowed the attackers to download an internal employee list and a list of prospective clients.

Useful attention points:
- It is very difficult to protect an IIS 6 server; upgrade to IIS 7 on Windows Server 2008.
- If you still have such old infrastructure, never leave it without an application firewall in front of it.
- Of all hacked IIS servers, IIS 6 is by far the most popular victim.
- SQL injection is still the most popular and effective attack technique.
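As an added example, not from this newsletter and not Barracuda's or any vendor's code: a Python script that scans IIS W3C extended log lines for the injection idioms an automated SQL injection tool leaves behind (tautologies, UNION SELECT, time delays, stacked queries) and then lists the client addresses that fired several probes in a row. The log lines, addresses and script names are constructed for illustration; the lone quote in o'reilly is there on purpose to show that a single quote is not flagged by itself.

```python
"""Detect SQL injection attempts in IIS W3C extended log lines
(added example, constructed log data)."""

import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample: a short IIS 6 W3C log. Field layout follows the W3C
# extended format IIS writes; the client addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2011-04-12 10:01:02 10.0.0.5 GET /products.asp id=12 80 - 203.0.113.7 Mozilla/4.0 200
2011-04-12 10:01:09 10.0.0.5 GET /products.asp id=12'+OR+1=1-- 80 - 203.0.113.7 Mozilla/4.0 500
2011-04-12 10:01:11 10.0.0.5 GET /products.asp id=12;WAITFOR+DELAY+'0:0:5'-- 80 - 203.0.113.7 Mozilla/4.0 200
2011-04-12 10:01:15 10.0.0.5 GET /products.asp id=12+UNION+SELECT+name,password+FROM+users-- 80 - 203.0.113.7 Mozilla/4.0 200
2011-04-12 10:02:00 10.0.0.5 GET /search.asp q=o'reilly 80 - 198.51.100.3 Mozilla/5.0 200
"""

# Each pattern is a typical injection idiom. A comment terminator alone is not
# a hit (it appears in legitimate input too); it only adds weight when another
# idiom matched on the same request.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"\b(or|and)\s+[\w']+\s*=\s*[\w']+", re.I)),
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("time-based", re.compile(r"\bwaitfor\s+delay\b|\bsleep\s*\(|\bbenchmark\s*\(", re.I)),
    ("stacked-query", re.compile(r";\s*(exec|execute|xp_\w+|sp_\w+|drop|insert|update|delete)\b", re.I)),
]
COMMENT_TERMINATOR = re.compile(r"--|/\*|#")


def parse_w3c(text):
    """Yield one dict per request, taking the keys from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split()
            if len(values) == len(fields):      # skip truncated lines
                yield dict(zip(fields, values))


def classify_query(raw_query):
    """Sorted list of injection idioms found in a URL-encoded query string."""
    query = unquote_plus(raw_query)             # IIS logs '+' for spaces
    hits = [name for name, rx in SQLI_PATTERNS if rx.search(query)]
    if hits and COMMENT_TERMINATOR.search(query):
        hits.append("comment-terminator")
    return sorted(hits)


def find_injections(text):
    """Requests whose query string looks like SQL injection, with context."""
    findings = []
    for req in parse_w3c(text):
        cats = classify_query(req.get("cs-uri-query", "-"))
        if cats:
            findings.append({
                "time": f"{req['date']} {req['time']}",
                "client": req["c-ip"],
                "uri": req["cs-uri-stem"],
                "query": unquote_plus(req["cs-uri-query"]),
                "status": req["sc-status"],      # 500s after a probe often mean it hit the database
                "categories": cats,
            })
    return findings


def suspicious_clients(findings, threshold=2):
    """Client addresses with at least `threshold` flagged requests: automated
    injection tools fire many probes in a row from one address."""
    counts = Counter(f["client"] for f in findings)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = find_injections(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["client"], f["status"], f["categories"], f["query"])
    print("suspicious clients:", suspicious_clients(found))
```

This is a log-review aid, not a replacement for the application firewall: it sees only GET query strings (POST bodies are not in the IIS log) and a determined attacker can encode around fixed patterns, which is why the attention points above insist on keeping the firewall in front of old servers.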

* SSL certificate seller Comodo had two affiliates (registration authorities) that were breached through SQL injection. This gave the hacker access to a server, and from there to a desktop on which he found the technical information and programs he needed to understand how he could register certificates for some very important internet domain names through the local back office, without any control by the main Comodo server. Many other large certificate sellers do not allow this. Maybe it is time that the sellers of certificates were themselves .... audited and certified.

Attention points:
- Make sure your users have upgraded their browsers: the browser vendors pushed updates that blacklist the fraudulently issued certificates, so only an updated browser refuses them.
- This is not the first time for Comodo, and even though they have promised to review their security they will remain a popular target.
- Breached once means you will always be targeted.
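As an added example, not from this newsletter and not any browser vendor's code: the kind of client-side check the browser updates mentioned above perform, in Python. It combines a hardcoded denylist of revoked serial numbers with a pinned issuer per domain, so that a certificate issued for the right hostname by the right CA is still refused when its serial is on the list. Certificates are represented as the dictionaries Python's ssl.SSLSocket.getpeercert() returns; the serials, names, dates and pins are constructed and are not the real Comodo certificates.

```python
"""Client-side certificate policy: denylist of serials plus issuer pins
(added example, constructed data)."""

import ssl

# Constructed denylist: serial numbers (hex, no colons) of known-bad certificates.
REVOKED_SERIALS = {"00F5C86AF36162F13A64F54F6DC9587C06"}

# Constructed pins: the only issuer CN accepted for each hostname.
PINNED_ISSUERS = {"login.example.com": "Example Trusted CA"}


def _rdn_value(name, key):
    """Pull one attribute (e.g. 'commonName') out of a getpeercert() name tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def _hostname_matches(pattern, hostname):
    """Match a DNS name from the certificate against the requested hostname.
    Only a single leading wildcard label (*.example.com) is honoured, and it
    covers exactly one label, so *.example.com does not match a.b.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname


def check_certificate(cert, hostname, now, revoked=REVOKED_SERIALS, pins=PINNED_ISSUERS):
    """(True, 'ok') when every check passes, else (False, reason).

    The denylist is consulted first: a revoked certificate is refused even when
    its hostname, validity period and issuer all look perfectly legitimate,
    which is exactly the case of a certificate a CA was tricked into issuing."""
    serial = cert.get("serialNumber", "").replace(":", "").upper()
    if serial in revoked:
        return False, "serial on denylist"
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        return False, "outside validity period"
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cn = _rdn_value(cert.get("subject", ()), "commonName")
    if cn and not names:                      # fall back to CN only without a SAN
        names = [cn]
    if not any(_hostname_matches(n, hostname) for n in names):
        return False, "hostname mismatch"
    issuer_cn = _rdn_value(cert.get("issuer", ()), "commonName")
    pinned = pins.get(hostname)
    if pinned is not None and issuer_cn != pinned:
        return False, "issuer not pinned for this host"
    return True, "ok"


def _cert(cn, issuer_cn, serial, sans=()):
    """Build a getpeercert()-shaped dictionary for the constructed samples."""
    return {
        "subject": ((("commonName", cn),),),
        "issuer": ((("organizationName", "Example CA Ltd"),), (("commonName", issuer_cn),)),
        "serialNumber": serial,
        "notBefore": "Mar 15 00:00:00 2011 GMT",
        "notAfter": "Mar 14 23:59:59 2012 GMT",
        "subjectAltName": tuple(("DNS", s) for s in sans),
    }


# Constructed samples: a genuine certificate, a fraudulently issued one with the
# same names and issuer, one from an unpinned CA, and a wildcard certificate.
GOOD = _cert("login.example.com", "Example Trusted CA", "1A2B3C", ["login.example.com"])
FRAUD = _cert("login.example.com", "Example Trusted CA",
              "00F5C86AF36162F13A64F54F6DC9587C06", ["login.example.com"])
WRONG_CA = _cert("login.example.com", "Some Other CA", "0099", ["login.example.com"])
WILDCARD = _cert("*.example.com", "Example Trusted CA", "0042", ["*.example.com"])
NOW = ssl.cert_time_to_seconds("Apr 19 12:00:00 2011 GMT")

if __name__ == "__main__":
    for label, c in [("good", GOOD), ("fraud", FRAUD), ("wrong ca", WRONG_CA), ("wildcard", WILDCARD)]:
        print(label, check_certificate(c, "login.example.com", NOW))
```

The fraudulent sample is indistinguishable from the genuine one by hostname, dates and issuer; only the serial gives it away, which is why an unpatched browser, lacking the list, happily accepts it.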

* Millions of email addresses were compromised in a breach at a major email marketing data broker in the US. Owners of the compromised addresses should have received a notification email (and can expect a flood of spam and scams).

Attention points:
- It is important that your users do not use their work email addresses for private newsletters or communication.
- Hacking servers and forums in search of user data is becoming epidemic. Users should use different email addresses for different kinds of online activity. Some email providers also let you create and delete aliases.

DNS.Be in the news

DNS.be is the organisation responsible for managing the .be domain extension. It has been in the news twice lately. The first incident was an article claiming that the .be domain was nearly thrown off the internet after a technical incident. The truth seems more complicated: DNS.be ran into some (undocumented) technical problems when it implemented DNSSEC on the open source BIND software that runs its DNS servers. Some people believe that such critical infrastructure should not rely solely on open source software for such complicated tasks. If you want to implement DNSSEC yourself, take these issues into account: a signing or key rollover mistake makes your whole zone fail validation at validating resolvers, and that will not be acceptable to your business clients or contacts.

The second article claimed that DNS.be was nearly pushed off the web by a botnet attack. The first thought was revenge, because DNS.be has been refusing botnet domains for many months now. After an investigation by the CERT it appeared that the cause was a misconfigured botnet whose traffic had a DDoS effect. The problem with the article is that it published important technical details, which we are not going to repeat here. DNS.be will now have to up its game. After all, it was a good exercise for its anti-DDoS procedure. You too should have anti-DDoS protection and a procedure if you run a critical network or function, because DDoS has become one of the many problems network administrators have to deal with on a frequent basis.

DNS.be says that it has a backup set of servers and that internet users did not notice anything.

Some updated freeware to add to your library

Sysinternals is the best free tool collection for Windows if you need to analyse processes, logs or software on a server or PC.

Wireshark is the best free packet sniffer and has been updated to fix some security bugs of its own, so update your copy: a sniffer that parses hostile traffic is itself an attack surface.

Metasploit is the best free attack framework and is also used to test web services for vulnerabilities before they are put on the internet. New exploit modules are now released as beta plugins, so that new exploits and attacks can be added to the platform before all their bugs have been ironed out.

Dead site alert

'Google Video' will stop. YouTube will not take over the videos automatically, so you will have to transfer them manually before the 13th of May.

If you have tips or research that may be of interest you can send it to midweekreport@lsec.be.

By Ulrich Seldeslachts

19-Apr-2011


Copyright LSEC vzw 2007-2008 with the support of the IWT.

LSEC vzw Kasteelpark 10 - 3001 Heverlee - VAT BE BE 478 045 395 - fax. +32.16.32.19.69 - info @ lsec.be
