In InfoSec risk management, one area that does not get much press is risk transference. That is, using insurance (or agreements) to transfer the risk to a third party. Brian Krebs makes the case, anecdotally, on his blog.

 

After an incident in which the attackers raided a company’s bank for $750K, “The company managed to recover three of the fraudulent transactions, and its total loss now stands at just shy of $100,000. Golden State Bridge is confident that after paying its $10,000 deductible, the insurance company will cover the rest…” 

http://krebsonsecurity.com/2010/06/the-case-for-cybersecurity-insurance-part-i/

Google’s announcement that it is pulling out of China over continued hacker attacks has highlighted problems in Internet Explorer. Wired has an article in which Dmitri Alperovitch says of the Google attacks: "We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack."

 

McAfee’s CTO blog breaks it down further and gives the name Operation Aurora to the attack. Technical details on "Operation Aurora" exploit and payload are on McAfee Labs Blog. McAfee will be hosting a webinar on Thursday to discuss the exploit and attack. Meantime, for those of us who like to play with Aurora, HD Moore recreated the exploit for Metasploit.

 

One concern that I have is script kiddies downloading and running the exploit across anything they can get their hands on, particularly in light of the press.

 

I wager many of you (like me) have to use Internet Explorer for business purposes. So please note that the current "Aurora" public exploits do not work if you are running IE8 with DEP enabled. If you are running older versions of IE, you might consider upgrading while Microsoft prepares the patch.

 

There is rumor that the exploit could be modified to bypass DEP. Such a modified exploit is currently not publically available. It will take some time before a modified exploit to be developed, which should give Microsoft time to patch.

These steps will install Matriux into a Hyper-V vm (2008 or 2008 R2) and integrate the network and storage adapters.

Create a Hyper-V vm with the legacy network adapter and a 10 GB vhd.
Download Matriux and install onto the local vhd. 

Configure apt-get to download the Lucid (2.6.32-7) kernel.

 

sudo bash

nano /etc/apt/sources.list

 

# added by -JWG- for Hyper-V integration

# The Lucid repository contains the 2.6.32-7 kernel

deb http://archive.ubuntu.com/ubuntu/ lucid main

 

apt-get update

 

Install the kernel and then comment out the repositories.

 

apt-cache search linux-image-2.6.32

apt-get install linux-image-2.6.32-7-generic linux-headers-2.6.32-7-generic build-essential

 

nano /etc/apt/sources.list

Comment out the #deb line

 

Validate the kernel after rebooting to ensure we are on 2.6.32-7.

 

uname -r

 

Enable the GPL integration components.

 

uname -r

sudo bash

cd /lib/modules/2.6.32-7-generic/kernel/drivers/staging/hv

insmod hv_vmbus.ko

insmod hv_blkvsc.ko

insmod hv_netvsc.ko

insmod hv_storvsc.ko

 

Add the modules to the startup file.

 

nano /etc/initramfs-tools/modules

 

# added by -JWG- for Hyper-V integration

hv_vmbus

hv_blkvscb

hv_netvsc

hv_storvsc

 

update-initramfs -u

reboot

 

 

Confirm that the modules are loaded. You will have full network and disk integration. The mouse integration (Inputvsc) is currently provided by Citrix Project Satori and has not yet been patched to 2.6.32-7.

 

lsmod | grep vsc

 

These steps will install Matriux into a Hyper-V vm (2008 or 2008 R2) and integrate the mouse, network adapter, and storage adapter.

Create a Hyper-V vm with the legacy network adapter and a 10 GB vhd.
Download Matriux and install onto the local vhd. 
Download the Linux Integration components for Windows Server 2008 R2 (LinuxIC v2.iso).
Download the Citrix Project Satori mouse driver (Inputvsc.iso)

Configure apt-get to download the previous version of the kernel, which includes first flushing and renewing the encryption keyring.

 

sudo bash

 

apt-key list

apt-key del 437D05B5

apt-key del FBB75451

 

apt-key list should now return an empty list.

 

Install the keyring

apt-get install debian-archive-keyring

 

Load the key for the ftp.us.debian.org and security.debian.org.

 

cd /home/tiger/.gnupg/

mv gpg.conf gpg.con~

 

gpg --keyserver wwwkeys.eu.pgp.net --recv 9AA38DCD55BE302B

gpg --list-keys 9AA38DCD55BE302B

gpg --export 9AA38DCD55BE302B > 9AA38DCD55BE302B.gpg

apt-key add ./9AA38DCD55BE302B.gpg

apt-key list

 

Add the repositories to the end of the sources list, and update the apt list.

 

nano /etc/apt/sources.list

 

# Repository for older kernel versions

# added by -JWG- for Hyper-V integration

deb http://ftp.us.debian.org/debian etch main

deb http://security.debian.org/debian-security etch/updates main

 

cd /usr/src/

apt-get update

 

Install the kernel and then comment out the repositories.

 

apt-cache search linux-image-2.6.18

apt-get install linux-image-2.6.18-6-amd64 linux-headers-2.6.18-6-amd64 build-essential

 

nano /etc/apt/sources.list

Comment out the two #deb lines.

 

Modify the menu.lst file so it defaults to the 2.6.18-6 and reboot.

 

nano /boot/grub/menu.lst

default 2

reboot

 

Validate the kernel after rebooting to ensure we are on 2.6.18-6.

 

uname -r

Insert the LinuxIC v2.iso disk, copy locally, and install the drivers.

 

sudo bash

 

mkdir /opt/linux_ic

cd /opt/linux_ic

cp -R /media/CDROM/* /opt/linux_ic/

./setup.pl drivers

cat drvinstalls.err

 

The only error should be "make: udevcontrol: command not found" and "make: *** [install] Error 127". These simply indicate that we will need to manually add the services to the init modules file.

 

Insert the Inputsvc.iso disk.

 

mkdir /opt/inputvsc

cd /opt/inputvsc

cp -R /media/CDROM/* /opt/inputvsc/

./setup.pl drivers

cat drvinstall.err

 

Again, the only errors should be related to the modules. Edit that file now.

 

nano /etc/initramfs-tools/modules

 

# added by -JWG- for Hyper-V integration

netvsc

blkvsc

storvsc

inputvsc

 

update-initramfs -u

reboot

 

Confirm that the modules are loaded. Then it is play time.

 

lsmod | grep vsc

Matriux is a vulnerability assessment / penetration testing Linux distribution. The team's beta release was the beginning of this month, and I have been playing around with the distro for the past couple weeks. What can I say? I am a sucker for Latin motto's ("Aut viam inveniam aut faciam" or "I shall find a way or make one") and for cleanly laid out VA/PT toolsets.

The bonus, for those running Hyper-V, is that Matriux is a Kubuntu based and comes with the Jaunty kernel (2.6.28-13-generic). Setting up a Hyper-V security appliance is as simple as creating a vm, using the legacy network adapter, skipping the hard drive, and booting off the downloadable ISO. Matriux works right out of the box within Hyper-V.

You can compare this to the Slax VA/PT distros, which do not support the network adapter. Often times, these distros do not even support the mouse. Using the Matriux Live CD in Hyper-V is a breeze. For an environment to support a demo or an occassional vulnerability assessment, you cannot ask for more.

If you are doing regular assessments, there are a couple limitations with Hyper-V. The legacy network adapter performs at 100 Mbps (significantly slower than the 10 Gbps speed of the standard network adapter.) The Live ISO is read-only, too. The mouse integration is present, but it is not the seamless integration one is used with Windows vms. Oh, and the mouse integration does not work when connected to Hyper-V over RDP. To get full functionality, you will need to install Matriux into a vhd and install the Hyper-V integration components.

The Jaunty kernel does not support integration. You have two options: (1) downgrade Matriux's kernel to 2.6.18 and install Hyper-V's integration components; or (2) upgrade Matriux to the Lucid kernel (2.6.32-7) and enable the Hyper-V GPL code. Option (2) provides faster performance and is in-line with the Matriux planned Beta 2, but it does not support the full mouse integration.

Detailed steps for both options are in the links above. For those who want to skip to the chase and simply try out Matriux under Hyper-V, I have done the steps for you. You can download the security appliance from SimWitty's website. Enjoy!

Matriux beta (0.9.4) with 2.6.18-6 kernel
Matriux beta (0.9.4) with 2-6-32-7 kernel

Thank you to the Matriux team for a smooth, well done security distribution beta. Thanks goes, too, to Tom Houghtby for providing the Linux knowledge and guidance that made the integration possible.

jwg

An SSL/TLS renegotiation attack has been carried out against Twitter. The Register has some details on the Twitter attack, while Educated Guesswork has the technical details on the renegotiation vulnerability itself.

 

SSL/TLS renegotiation has been used to get a web server to downshift its cipher and key length before. The new angle is using renegotiation to cause both the web server and the browser to renegotiate and create a man-in-the-middle scenario. Once in the inserted in the middle of web server and browser, the attacker can access the HTTP stream unencrypted.

 

Being an IT operations security guy, my focus is on auditing for and protecting against the weakness. The mitigation is simple: disable renegotiation. As for auditing, you can use openssl on any Linux OS to test.

 

sudo openssl s_client -connect www.yourhosthere.com:443

 

You will see the certificate chain, server certificate, SSL handshake, and SSL session details. The session is established when you get prompted verify return code: 0 (ok).

 

Now suppose OpenSSL reports verify error:num=20:unable to get local issuer certificate.)I have seen this error on GoDaddy websites. To resolve, browse to the website with Firefox. Open the certificate viewer and click the details tab. There, below the details, click the Export button. Save the certificate file in the x.509 PEM format with a .pem extension (Example: godaddy.pem). Then rerun OpenSSL and specify the certificate authority file.

 

sudo openssl s_client -connect www.yourhosthere.com:443 –CAfile godaddy.pem

 

Make an HTTP request and then request renegotiation.

 

HEAD / HTTP/1.0

R

 

The error ssl handshake failure indicates the web server is denying renegotiations.  If OpenSSL renegotiates successfully, you will see a new certificate path and then read read:errno=0. Contact your web server administrator if the server renegotiates.

 

 

(Update 2009-12/18: You can use the Matriux distro to perform the above steps.)

In the classic ASP days, there were a few ways to deliver content to the client in Excel. The more difficult way was to install Office XP/2003 on the web server. Then the ASP code would use COM to bind to Excel, CreateObject("Excel.Application"), and create the workbook and sheets programmatically. This was a bit of work and required a second, separate block of code that duplicated in Excel the code that created the web page report.

Now since the primary web page report was generally a table, an easier way to export to Excel was to send the same Html table. The ASP code would simply switch the content MIME type, Response.ContentType = "application/vnd.ms-excel". Some developers went the extra step to specify the file name and extension, Response.AddHeader "content-disposition", "attachment;filename=Output.xls". You could also do the same for a .csv file using "text/csv" and "attachment;filename=Output.csv. " This was cleaner and meant that essentially the same code created both the Excel and the web output.

The trick worked as follows: Internet Explorer opened the web page, the web server returned Excel’s MIME type, Internet Explorer passed the file onto Excel, Excel opened it and converted the Html to the columns and rows the person expected. That the file extension (*.xls) did not match the file content (Html) was not really a concern. Excel did its trick and the content was displayed.

The problems began when attackers used the same trick to send malformed files thru Internet Explorer to Excel. Several security hotfixes addressed the various malformed spreadsheets (MS07-015, MS07-023, MS07-025, MS07-044, MS08-016, MS08-043, MS08-057, MS08-074). These all addressed the various ways Excel could be compromised by files with content other than well-formed Excel, but of course did nothing to prevent malformed Excel content in the first place.

To address this point, Excel 2007 introduced the concept of Extension Hardening.  Extension Hardening does checks ahead of time to ensure that the file content matches the extension and, if applicable, the MIME type. The upside of Extension Hardening is that it blocks one vector for malformed Excel content attacks. The downside is that it also breaks the classic ASP method of Excel reporting.

Further, there is no granularity in the setting. Extension Hardening cannot be turned off for some websites or content sources, and on for others. It can only be disabled, enabled with a prompt, or enabled with blocking. Extension Hardening can be controlled during installation by the Office Deployment files, or afterwards by group policy or editing the registry.

Registry:

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security]
"ExtensionHardening"=dword:00000000

Possible value settings: Allow different (dword:00000000); Allow different, but warn (dword:00000001); Always match file type (dword:00000002). If the 
ExtensionHardening value is not present, Excel defaults to Allow different, but warn.

Group Policy Administrative Template (Excel12.adm):

Node: Microsoft Office Excel 2007 \ Excel Options \ Security
Setting: Force file extension to match file type
Possible values when enabled: Allow different (dword:00000000); Allow different, but warn (dword:00000001); Always match file type (dword:00000002).

Microsoft Office Deployment:

Node: Microsoft Office Excel 2007 \ Excel Options \ Security
Setting: Force file extension to match file type
Possible values when enabled: Allow different (dword:00000000); Allow different, but warn (dword:00000001); Always match file type (dword:00000002).

Implications of the Setting:

1. When set to allow different, Excel 2007 behaves like Excel 2003 and opens files from the web with Html content and application/vnd.ms-excel MIME type.

2. The following dialog box will display for web content when Extension Hardening is set to allow different, but warn:

The file you are trying to open, 'filename.xls', is in a different format than specified by the file extension. Verify that the file is not corrupted and is from a trusted source before opening the file. Do you want to open the file now?

3. The following dialog box will display for web content when Extension Hardening is set to always match file type:

Excel cannot open the file 'filename.xls' because the file format for the file extension is not valid. Verify that the file has not been corrupted and that the file extension matches the format of the file.

(In the warning dialog, you can press Ctrl-Shift-I to display the error code 101590 in the lower-right corner.)

For more information:

Microsoft Article 199841, How To Display ASP Results Using Excel in IE with MIME Types
http://support.microsoft.com/kb/199841

Microsoft Article 317719, How To Export Data in a DataGrid on an ASP . NET WebForm to Microsoft Excel
http://support.microsoft.com/kb/317719

Microsoft Article 948615, When you open a file in Excel 2007, you receive a warning that the file format differs from the format that the file name extension 
specifies
http://support.microsoft.com/kb/948615

 

 

There are several laws of information security. Ask ten InfoSec pros and you will likely get ten different lists of laws, but I wager every one of them will agree on a couple fundamentals. If an attacker can gain physical access to the computer, or if an attacker can modify the operating system, then the attacker can compromise the computer. The reason is physical access allows an attacker to bypass the OS and directly access the data, and bypass the security controls.

 

Now, switch gears and picture a virtual environment. The physical analog is the hypervisor. If an attacker can gain access to the hypervisor, he has the same abilities as if he had access to the physical computer. If an attacker can exploit the Windows or Linux server hosting Hyper-V or XenServer, then the attacker can compromise all virtual computers on the host.

 

It is a subtle shift in the way of thinking. In the past, only one server ran on one piece of hardware, and the security boundary was the server itself. Thus you would place a physical web server in the DMZ and physically wire it to the firewalls. Computers with different security postures (e.g., domain controllers) would be on separate physical hardware and wired into separate physical networks.

 

Thus the hypervisor should host servers that have relatively the same security posture. One should not, for instance, host domain controllers and public-facing web servers on the same hypervisor. Even if the public-facing web server is on a separate virtual network, you still run the risk of its compromise affecting the domain controllers.

 

The security boundary is the physical hardware, not the computer itself.

Here is an interesting article that dovetails 1930s radio legislation with the Obama administration's Cyberspace Policy Review:

 

"Seventy-five years ago today, on May 29th, 1934, Egyptian private radio stations fell silent, as the government shut them down in favor of a state monopoly on broadcast communication. Egyptian radio 'hackers' (as we would style them today) had, over the course of about fifteen years, developed a burgeoning network of unofficial radio stations. They offered listeners an unfiltered, continuous mix of news, gossip, and live entertainment from low-powered transmitters located in private houses and businesses throughout Cairo."

Read more of How a Resilient Society Defends Cyberspace.

 

One project in my portfolio at the moment is building what I call a disposable end-point model. It is a low priority project, but an ongoing one. The goal is to deliver the best user experience at the lowest price-point.

Portability is a must. Think about the concerns over swine flu and the like. What is your pandemic plan? My pandemic plan, at least from a technology standpoint, is straightforward. People work from home over the vpn and run apps from Citrix. So the end-point devices must be portable and dual-use.

Yet traditional notebooks are expensive. My firm, like most, has an inventory of aging notebooks. These older computers are costly to maintain (studies show ~$1K per device per 2 years) and replace if lost or stolen (studies show ~$50K per incident).

The sweet spot are computers that are cheaper than supporting aging devices and disposable if lost or stolen. No local data means no security incident, which erases the risk exposure of stolen devices. These inexpensive computers should be light-weight and easily ported from office to home. So I am looking at netbooks, which run around $500.

I spoke with Jeff Vance, Datamation, about these ideas. He recently wrote an excellent article that summarizes the netbook market and how data center managers are looking to use the devices: Will Desktop Virtualization and the Rise of Netbooks Kill the PC?