April 2009 Archives


A Bill to Amend the Federal Power Act - Critical Electric Infrastructure
With more than a trillion dollars worth of assets, 200,000 miles of transmission lines, and 800,000 megawatts of power serving 300 million people, the electric infrastructure has become increasingly dependent on computer control systems, which are now connected directly or indirectly to open networks. Legislators are concerned that our electric power grid will come under cyber attack by foreign nations or e-social protests, and that it is exposed to EMP "Magnetic Pulse Events." Legislators and the Department of Homeland Security believe that utilities are reporting only a small percentage of their Critical Infrastructure Assets.

The Bill states that the Secretary of Homeland Security working with other National Security Agencies will identify threats and vulnerabilities that require immediate proactive correction, and that the DHS will perform ongoing threat and vulnerability assessments. FERC may issue orders or rules needed to protect the critical electric infrastructure and may issue an emergency rule without prior notice or review effective for 90 days.


Georgia Tech Information Security Center hosted the Global DNS Security, Stability, Resiliency Symposium, "the first of its kind to bring together cross-functional stakeholders to address DNS risk."

DNS (Domain Name Services) is the glue that binds Internet name resolution: when a user types https://www.isc.org/solutions in the browser, the name is resolved without the user having to maintain IP addresses.

Last summer, Dan Kaminsky's DNS vulnerability really started to point out the weaknesses in the system.

The DNS Symposium points out some major flaws in domain registration and DNS Security Usability (DNSSEC).

The Symposium has posted some solutions and possible actors:

The creation of a DNS CERT, an organization devoted to the security and resiliency of DNS that would act as a clearing house for DNS issues; capacity-building programs; training and testing; information exchange; and raising stakeholder awareness.

There were concerns about the scalability of IPv6, DNSSEC, and IDNs.

Kolkman, Olaf - NLNetLabs
"A Perspective on Categorizing Problems"
Supporting Material: http://www.nlnetlabs.nl/downloads/publications/se-consult.pdf

DNS is certainly a target for "info wars" and "social e-protest."
The people who maintain this vast infrastructure in the public and private sectors don't believe enough is being done to protect this global resource, and there is a global controversy about who should be the top authority on strategic leadership (ICANN).


netForensics' recent acquisition and debut of its Cinxi SIEM/Log Management Appliances was revealed at the RSA Security Conference in San Francisco. Cinxi's ability to jump start an Information Security Program was well received by attendees looking to meet Information Security Governance and Regulatory Compliance Requirements by getting their Security Event Management, Log Management, and Incident Response Management under control.

Cinxi's effective and efficient Security Analyst UI is built so that an IT Operations, NOC, or SOC can quickly start utilizing an intelligent workflow for identifying and managing incidents, while dynamically identifying and building Asset Management Information, Network Topology design, and the Security Control Environment that protects them. Cinxi provides a sensible and easy to use Log Management facility maintaining and securing all raw events for audit and compliance requirements.

Cinxi's full-featured SIEM and Log Management software, superior sustainable EPS rates, and sensible storage management for appliances outperform all of its competitors in usability and performance while maintaining a price that its competitors cannot match.

To learn more about Cinxi, read here.


With all the personal information we are entering online for Web 2.0 Services, many have started asking - is the data still ours? Can you as the content creator modify the information? And can you take it back?

Hence the vision of Data portability. Data portability enables a borderless experience where people can easily move between network services, reusing data they provide while controlling their privacy and respecting the privacy of others.

For the User:
With data portability, you can bring your identity, friends, conversations, files and histories with you without having to manually add them to each new service. Each of the services you use can draw on this information relevant to the context. As your experiences accumulate and you add or change data, this information will update on other sites and services if you permit it without having to revisit others to re-enter it.

For the Service Provider:
With cross-system data access, interoperability, and portability, people can bring their identities, friends, conversations, files, and histories with them to your service, cutting down on the need for form-filling which can drive people away. With minimal effort on the part of new customers, you can tailor services to suit them. When your customers browse networked services and accumulate experiences, this information can update on your service, if people permit it. Your relationship remains up-to-date and you can adapt your services in response, even when they don't visit. With mutual control and mutual benefit, your relationships remain relevant, encouraging continued usage.

Data portability is a new approach, where it is easier to use and deliver services. This frictionless movement through the network of services fosters stronger relationships between people and services providers and helps build a healthy networked ecosystem.

Google and Facebook have recently signed on to support the Data Portability Project.

"Your Information, Your Choice," the Privacy Commissioner of Canada's blog post on data portability, shows that this is a concern not only for privacy and security groups but also for governments.

Canada's PIPEDA legislation, covering the protection of personal information, is Canada's national privacy act.

Why are you paying to view your own personal information? Who is gathering this information for sale?

Spock.com : Spock uses a spider to crawl websites specifically for personal information. They then post this collected data together in one place, optimize it for search engines and wait till you google yourself (or get googled) for you to sign up and manage that data.

An ongoing practice of credit agencies is to charge consumers to see their own credit scores. Transunion, for example, charges a whopping $14.95 for a basic credit report.

Alec Saunders' article "Call for a Privacy Manifesto for the Web 2.0 Era" describes four principles that users should have regarding their online personal information.

Also check out "A Bill of Rights for Users of the Social Web" by Joseph Smarr, Marc Canter, Robert Scoble, and Michael Arrington.

- OpenID, OAuth, Poco and Open Stack Bingo - thesocialweb.tv. Identity wars: who will be the identity manager of choice across the Internet, offering federated identity and user data sharing across social web sites? When a user signs on to one site, data from across all sites can be shared. For example, Plaxo will be doing away with user registration forms, sharing data and content across the web.

We will have to see how all of this plays out. There is a concern about identity theft and seamless authentication between web services, and about how easy it will be to unravel the onion. Will one mistake at a global identity manager be enough to allow seamless access? Will two-factor authentication be a requirement before all of this federated single sign-on occurs? This has a lot of great features for business, marketing, and end-user usability, but we will have to see if the framework can hold up, and how many ways there will be to digitally become anyone you want to be. How many online identities will automatically be linked between providers and service subscribers? How much data sharing of your personal information will you be allowed to opt out of in the beginning?


Erez Metula's (ErezMetula@gmail.com) presentation at Black Hat will explain a method for inserting rootkits into the .NET Framework.

.NET Rootkits will be presented at BlackHat Europe 2009, April 16-17 2009 at the Moevenpick City Centre hotel.

This type of rootkit can only be installed as a second-level compromise, where the system was previously compromised. There are, of course, cases where a distribution image could be modified so that when systems are regenerated or updated, all of them would have the rootkit installed.

ApplicationSecurity.co.il .NET Framework Rootkits.

Disassembling a .NET DLL, making the modifications, recompiling, and putting the DLL back in place works because "the signature of the DLL itself is irrelevant, the only thing that matters is the directory in which it is located."

"In order to use our modified version, we will explicitly tell the framework not to use the native version, by issuing this command: ngen uninstall mscorlib and removing the native version of this DLL, by deleting the content of this directory rd /s /q c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib".

.NET-Sploit is able to:
* Modify a given function
* Inject payloads
* Execute payloads
* Take care of "code reshaping"
* Pull the relevant DLL from the GAC
* Generate a deployer for the modified DLL

.NET-Sploit is inspired by H.D. Moore's amazing "metasploit" [9] exploit platform. Its specialty is the abstraction from which code injection is composed, and the separation of the following building blocks:

* Function - a new method to extend a specified DLL
* Payload - code that is injected into a specific method
* Reference - reference to another DLL (if necessary)
* Item - XML-based composition of the above building blocks
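As an added defender-side example (not code from the original post, Erez Metula's paper, or the .NET-Sploit tool), the check below records SHA-256 hashes of the DLLs in a GAC tree and flags the two traces the technique above leaves behind: a GAC DLL whose hash no longer matches the trusted baseline, and a DLL whose native-image directory (the NativeImages_v2.0.50727_32\mscorlib path quoted above) has been removed. The directory layout it builds is a constructed stand-in for the real assembly cache, and the public key token in the path is a placeholder.

```python
"""Baseline integrity check for GAC DLLs and their native images.  Added example,
not code from the original post or .NET-Sploit; demo() uses a constructed tree
instead of the real assembly cache on a Windows host."""
import hashlib, os, tempfile

def sha256_of(path):
    # Hash in chunks so large framework DLLs do not have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(gac_root):
    """Map each DLL (path relative to gac_root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, files in os.walk(gac_root):
        for name in files:
            if name.lower().endswith(".dll"):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, gac_root)] = sha256_of(full)
    return baseline

def check_framework(gac_root, native_root, baseline):
    """Compare the GAC tree against a trusted baseline; return (kind, relative_path)
    findings.  A missing native-image directory is reported because the technique
    relies on 'ngen uninstall' plus deleting it so the CLR loads the modified IL."""
    findings = []
    current = build_baseline(gac_root)
    for rel, digest in baseline.items():
        if rel not in current:
            findings.append(("missing", rel))
        elif current[rel] != digest:
            findings.append(("modified", rel))
        stem = os.path.splitext(os.path.basename(rel))[0]
        if not os.path.isdir(os.path.join(native_root, stem)):
            findings.append(("no-native-image", rel))
    for rel in sorted(current.keys() - baseline.keys()):
        findings.append(("unexpected", rel))
    return findings

def demo():
    """Record a clean baseline, then replay the tampering steps on the constructed tree."""
    root = tempfile.mkdtemp()
    gac_root = os.path.join(root, "GAC_32")
    dll_dir = os.path.join(gac_root, "mscorlib", "2.0.0.0__PUBLICKEYTOKEN")  # placeholder token
    native_root = os.path.join(root, "NativeImages_v2.0.50727_32")
    os.makedirs(dll_dir)
    os.makedirs(os.path.join(native_root, "mscorlib"))
    dll = os.path.join(dll_dir, "mscorlib.dll")
    with open(dll, "wb") as f:
        f.write(b"MZ original stand-in, not a real PE file")   # constructed content
    baseline = build_baseline(gac_root)
    clean = check_framework(gac_root, native_root, baseline)
    with open(dll, "wb") as f:                          # step 1: modified DLL dropped in place
        f.write(b"MZ modified stand-in")
    os.rmdir(os.path.join(native_root, "mscorlib"))     # step 2: native image directory removed
    tampered = check_framework(gac_root, native_root, baseline)
    return clean, tampered
```

On a real host the baseline would be captured from a known-good build and stored off-box, since a baseline kept beside the GAC can be rewritten by the same access that rewrites the DLL.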


Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Adaptive Security Appliance and Cisco PIX Security Appliances

VPN Authentication Bypass Vulnerability
+--------------------------------------

Cisco ASA or Cisco PIX security appliances that are configured for IPsec or SSL-based remote access VPN and have the Override Account Disabled feature enabled are affected by this vulnerability.

Note: The Override Account Disabled feature was introduced in Cisco ASA software version 7.1(1). Cisco ASA and PIX software versions 7.1, 7.2, 8.0, and 8.1 are affected by this vulnerability. This feature is disabled by default.

Crafted HTTP Packet DoS Vulnerability
+---------------------------------------

Cisco ASA security appliances may experience a device reload that can be triggered by a series of crafted HTTP packets, when configured for SSL VPNs or when configured to accept Cisco Adaptive Security Device Manager (ASDM) connections. Only Cisco ASA software versions 8.0 and 8.1 are affected by this vulnerability.

Crafted TCP Packet DoS Vulnerability
+-------------------------------------

Cisco ASA and Cisco PIX security appliances may experience a memory leak that can be triggered by a series of crafted TCP packets. Cisco ASA and Cisco PIX security appliances running versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected when configured for any of the following features:

* SSL VPNs
* ASDM Administrative Access
* Telnet Access
* SSH Access
* Cisco Tunneling Control Protocol (cTCP) for Remote Access VPNs
* Virtual Telnet
* Virtual HTTP
* Transport Layer Security (TLS) Proxy for Encrypted Voice Inspection
* Cut-Through Proxy for Network Access
* TCP Intercept

Crafted H.323 Packet DoS Vulnerability
+-------------------------------------

Cisco ASA and Cisco PIX security appliances may experience a device reload that can be triggered by a series of crafted H.323 packets, when H.323 inspection is enabled. H.323 inspection is enabled by default. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected by this vulnerability.

SQL*Net Packet DoS Vulnerability
+--------------------------------------

Cisco ASA and Cisco PIX security appliances may experience a device reload that can be triggered by a series of SQL*Net packets, when SQL*Net inspection is enabled. SQL*Net inspection is enabled by default. Cisco ASA and Cisco PIX software versions 7.2, 8.0, and 8.1 are affected by this vulnerability.

Access Control List Bypass Vulnerability
+---------------------------------------

A vulnerability exists in the Cisco ASA and Cisco PIX security appliances that may allow traffic to bypass the implicit deny behavior at the end of ACLs that are configured within the device. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, and 8.0 are affected by this vulnerability.


Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

The crafted TCP packet DoS vulnerability was discovered and reported to Cisco by Gregory W. MacPherson and Robert J. Combo from Verizon Business.

The ACL bypass vulnerability was reported to Cisco by Jon Ramsey and Jeff Jarmoc from SecureWorks.

The Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities, and welcomes the opportunity to review and assist in product reports.

All other vulnerabilities were found during internal testing and during the resolution of customer service requests.


Microsoft warns of an old virus being modified to take advantage of the MS08-067 vulnerability. The Neeris worm has been around for a long time but has been modified.

The worm makes the following registry autostart modification:

  Adds value: "GON"
  With data: "%windir%\system\VMwareService.exe"
  To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions

Another variant of this worm may copy itself as the following file: %windir%\system\netmon.exe. The worm may be present as a file with a two-digit name and .SCR extension, such as 21.scr. The following registry data may be created to execute the worm when booting in Windows safe mode:

  Adds value: "netmon"
  With data: "%windir%\system\netmon.exe"
  To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

  Adds value: "(default)"
  With data: "service"
  To subkey: HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\netmon32

  Adds value: "(default)"
  With data: "service"
  To subkey: HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\netmon32

Spreads via MSN Messenger: Win32/Neeris.gen!C spreads by sending a copy of itself to all of a user's contacts in MSN Messenger. The attached copy is usually a ZIP archive containing the EXE copy of the worm.

Aliases:
  Win32/Neeris.worm.101376 (AhnLab)
  Win32/IRCBot.KA (CA)
  Win32/AutoRun.IRCBot.Q (ESET)
  Worm.Win32.AutoRun.fla (Kaspersky)
  W32/IRCbot.gen.a (McAfee)
  W32/Neeris-A (Sophos)
  W32.Spybot.Worm (Symantec)
  Win32/Neeris.gen!C (Microsoft)
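As an added detection example (not from the original post or Microsoft's write-up), the script below parses a regedit .reg export and flags the autostart values listed above. The export text is constructed; the Run value is written as hex(2), the way regedit exports REG_EXPAND_SZ data, so that both value encodings are exercised.

```python
"""Flag the Neeris autostart values listed above in a regedit .reg export.
Added example, not from the original post or Microsoft's encyclopedia entry;
the sample export is constructed.  In NEERIS_INDICATORS, "@" is the (default) value."""

NEERIS_INDICATORS = [  # (subkey suffix, value name, substring expected in the data)
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions", "GON", "VMwareService.exe"),
    (r"Software\Microsoft\Windows\CurrentVersion\Run", "netmon", "netmon.exe"),
    (r"SYSTEM\ControlSet001\Control\SafeBoot\Minimal\netmon32", "@", "service"),
    (r"SYSTEM\ControlSet001\Control\SafeBoot\Network\netmon32", "@", "service"),
]

def decode_value(data):
    """Decode a .reg value: quoted REG_SZ (backslashes doubled) or hex(2) REG_EXPAND_SZ."""
    if data.startswith('"'):
        return data.strip('"').replace("\\\\", "\\")
    if data.startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    return data

def parse_reg_export(text):
    """Return {subkey: {value_name: data}}; regedit wraps long values with a trailing backslash."""
    keys, current = {}, None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        while line.endswith("\\"):
            line = line[:-1] + next(lines, "").strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = decode_value(data)
    return keys

def find_neeris_entries(reg_text):
    """Return (subkey, value, data) for every indicator present; key names compare case-insensitively."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        for suffix, name, needle in NEERIS_INDICATORS:
            if key.lower().endswith(suffix.lower()) and needle.lower() in values.get(name, "").lower():
                hits.append((key, name, values[name]))
    return hits

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
"GON"="%windir%\\system\\VMwareService.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"netmon"=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,73,00,79,00,\
  73,00,74,00,65,00,6d,00,5c,00,6e,00,65,00,74,00,6d,00,6f,00,6e,00,2e,00,65,00,\
  78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\netmon32]
@="service"
"""
```

The same function works on an export of a live hive (regedit /e or reg export), and a clean host yields an empty list.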



Has China virtually won?


In the online magazine "The National" from Dubai, UAE, Michael Smith writes about the advances in China's cyber intelligence gathering, targeting key political figures across the globe. The article goes on to talk about the giant telecommunications company Huawei (translation: "For China"). Huawei has grown to be an international communications provider, especially in the Middle East. British Telecom is also using Huawei components in its global infrastructure. According to the article, a Rand Corporation report states that Huawei is closely linked to the Chinese military, "which serves a multifaceted role as an important customer, as well as Huawei's political patron, and R&D partner." Huawei recently tried to merge with 3Com, but this was blocked by the U.S. government over security concerns. According to the article, British intelligence chiefs are concerned about Huawei's ties to GhostNet intelligence gathering.

GhostNet Tracking

"GhostNet represents a network of compromised computers resident in high-value political, economic, and media locations spread across numerous countries worldwide."


milw0rm posts a Profinet PoC:

milw0rm posts a Profinet DCP Wireshark vulnerability

or

PCAPR.NET pcap entries - "Convert any packet into a DoS generator"

What is Profinet? PROFINET is the open industrial Ethernet standard of PROFIBUS & PROFINET International (PI) for automation. PROFINET uses TCP/IP and IT standards, and is, in effect, real-time Ethernet.

Other Links:
SIEMENS Industrial Ethernet
PI International



This article refers to the Rockefeller-Snowe legislation, which would require NIST to establish cybersecurity standards that would apply to private and public companies.

The Rockefeller-Snowe measure would create the Office of the National Cybersecurity Adviser.

In December 2008 the Center for Strategic & International Studies published Securing Cyberspace for the 44th Presidency (former Senator Sam Nunn is chairman of the board of trustees).

Securing Cyberspace for the 44th Presidency

This study calls for a National Office for Cyberspace (the "NOC") and a partnership with the private sector on key infrastructures with the Telecommunications Advisory Committee. The study also calls for the President to end the division of technical standards between civilian and national security systems.

This is an interesting study worth reading and may be an influential guide to the way the government's direction will be taken on cybersecurity and the protection of U.S. interests in the private and government sectors.



From the English Parliament to CBS News, and the April Fools' Day announcements, Conficker botnet infections have gained media attention. Microsoft and most of the security industry have been reporting the urgency of addressing this issue since before Nov. 2008. We have been reporting on this issue since our blog space began. Below are some links addressing detection and removal of Conficker. However, it is not only the one backdoor botnet infection that you need to fix; it is also other code that may have been installed, or information communicated, after the first beachhead was established. The best thing to do is to follow Microsoft's advice on virus and worm outbreaks: save what you can and re-image the OS and applications back onto your PC.

Below is a list of removal and detection resources:

1) IT RISK SPACE

2) eEye offers a free Conficker scanner

3) McAfee Threat Center

4) Trend Micro House Call


Conficker Fizzles?


Is it too early to declare that nothing has come of the hype around the wildly successful Conficker worm's purported April 1st surprise? So far, press reports like this one seem to indicate a lack of any April Fools' Day fireworks.

Experts are quick to point out, however, that whatever the owner of this enormous botnet has planned doesn't necessarily need to be executed today. While that is true enough, I wonder whose side time is on.

Despite their popularity and longevity as a genre of malware, individual botnets tend to have an expiration date. This is natural. The lifecycle curve generally starts with a big push of initial infections (if the writers are lucky), AV updates and platform patches, and then a gradual slope downward as the worm becomes trivial to block or remove. Malware variants are, of course, a problem but can vary in the success of their continued evasion.

So far conficker has done a great job in its initial phases, but its success may precipitate its downfall. The amount of publicity and awareness combined with the widespread availability of removal tools and information are going to gradually reduce the size and value of this particular botnet, perhaps more rapidly than most.

In that case, doesn't it make sense for the botnet owners to strike while the iron is hot? A day or a week won't make too much difference, but I think if we don't see the horsemen of the Internet apocalypse in a week or two, we can probably get a good night's sleep - the end is not nigh. Of course, this worm and others like it are still a huge issue and need to be continually addressed, but there's something about this whole 4/1/9 Conficker scare that smacks of Y2K fever.

© 2010 netForensics, Inc.