Archive for the 'Hacking' Category

Mar 16 2010

Network Security Podcast, Episode 189

We’ve been hearing about the Aurora attacks on Google and a host of other companies since early January.  So why is it that NSS Labs is finding that the majority of the End Point Protection (aka AV) companies aren’t protecting against the vulnerability yet?  And why is AVG upset with NSS Labs and their testing methods? To answer these questions and many more, Rich and Martin were joined tonight by Vikram Phatak, the CTO of NSS Labs.  Vik gave us some of the back story on why they were testing AV products and some of the surprising discoveries they made.  It’s not easy being an independent testing company and sometimes you’re going to annoy people despite your best efforts.  And sometimes people are going to be annoyed with you no matter what.

One point Vik wanted to make that didn’t make it into the podcast is that the 0day that was used in the Aurora attack is not just being used against corporate targets.  It’s being used against consumers as well, so it’s important that the average home user be aware that their AV product may not be protecting them at this point.  What is part of the podcast is a discussion of how many AV vendors are trying to protect against the payload that malware is attempting to deliver, not the exploit itself.  Both are important points people need to be aware of.

Network Security Podcast, Episode 189, March 16, 2010
Time:  39:56

Show Notes:


One response so far

Mar 15 2010

Mykonos: WAF, IPS or honeypot?

Published by Martin under Firewall, Hacking, Testing

I’m not an expert on web application firewalls, which is why I’m asking for feedback on the Mykonos Security Appliance.  I was given a demo of the product at the RSA Conference this year and it’s one of the few products I’ve seen lately that’s doing something new and innovative.  Or more accurately, it appears to be doing something new and innovative; it’s still in beta and this is a technology that’s outside my comfort zone.  If you’re someone with expertise in WAFs, it should be worth at least a short look.

In a lot of ways, Mykonos appears to be a standard WAF; it can be used to protect your site from many of the standard coding errors that a WAF is designed to deal with.  It addresses the OWASP Top 10, it has all the reporting capabilities to tell you something’s wrong; in this area it doesn’t appear to have a lot of extra punch you can’t get elsewhere.  The place it does start to have some distinguishing capabilities is in the tracking, categorizing and response to malicious attacks on your web site.

You want to know more about who’s probing your web site?  Mykonos will dynamically modify the code your site is serving to get you more information on who’s attacking.  It’ll tell you about the level of sophistication of the attacker, whether they’re just trying to manipulate a price in the shopping cart, if they’re trying a SQL injection attack or if they’re working on something at the higher end of the attack scale.  And it gives you a lot of choices about how you want to respond; simply block the user, send custom code telling them they’ve been identified and logged or act as a honeypot to get even more information about the attacker and how he’s planning on attacking your site.  The tracking and information gathering abilities seem to be pretty impressive and it may be worth looking at for that alone.
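As an added example written for this post, not code from Mykonos or its documentation, the sketch below shows the shape of the tracking-and-response logic described above: each request is classified (cart price tampering, SQL injection, or clean), the client’s history raises the assessed level for repeat or multi-technique offenders, and the operator’s policy picks block, warn or honeypot. The catalogue, request structure, signature pattern and policy names are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample catalogue: prices live server-side only, so a price
# submitted by the client can be checked instead of trusted.
CATALOG = {"sku-100": 49.99, "sku-200": 199.00}

# Deliberately tiny signature set for the demo; a real WAF uses far broader rules.
SQLI_PATTERN = re.compile(
    r"""(['"])\s*(or|and)\s+['"]?\d+['"]?\s*=\s*['"]?\d+|union\s+select|;\s*drop\s""",
    re.IGNORECASE,
)

@dataclass
class Request:
    path: str
    params: dict
    client_ip: str

@dataclass
class Verdict:
    category: str            # "benign", "price-tamper" or "sqli"
    level: int               # 0 = clean, higher = more capable attacker
    evidence: list = field(default_factory=list)

def classify(req):
    """Return the most serious verdict for a single request."""
    verdicts = [Verdict("benign", 0)]
    sku = req.params.get("sku")
    if sku in CATALOG and "price" in req.params:
        try:
            submitted = float(req.params["price"])
        except ValueError:
            submitted = None
        if submitted is None or abs(submitted - CATALOG[sku]) > 0.005:
            verdicts.append(Verdict("price-tamper", 1,
                                    [f"price={req.params['price']} expected={CATALOG[sku]}"]))
    for key, value in req.params.items():
        if SQLI_PATTERN.search(str(value)):
            verdicts.append(Verdict("sqli", 2, [f"{key}={value!r}"]))
    return max(verdicts, key=lambda v: v.level)

class AttackerTracker:
    """Remembers what each client has tried so repeat offenders escalate."""
    def __init__(self):
        self.history = {}

    def record(self, req, verdict):
        """Return an attacker level adjusted for this client's history."""
        if verdict.level == 0:
            return 0
        seen = self.history.setdefault(req.client_ip, [])
        seen.append(verdict.category)
        level = verdict.level
        if len(set(seen)) >= 2:   # has tried more than one class of attack
            level += 1
        if len(seen) >= 5:        # keeps coming back
            level += 1
        return level

# Operator-chosen response policies (names are assumptions for this demo).
RESPONSES = {
    "block": lambda level: (403, "Forbidden"),
    "warn": lambda level: (200, f"Your request has been identified and logged (level {level})."),
    "honeypot": lambda level: (200, "<!-- decoy page served so the session can be observed -->"),
}

def handle(req, tracker, policy="block"):
    """Classify, update the client's history, and pick a response."""
    verdict = classify(req)
    level = tracker.record(req, verdict)
    if level == 0:
        return ("allow", 200, verdict.category, 0)
    status, body = RESPONSES[policy](level)
    return (policy, status, verdict.category, level)

if __name__ == "__main__":
    tracker = AttackerTracker()
    samples = [   # constructed sample traffic
        Request("/cart/add", {"sku": "sku-200", "price": "199.00"}, "203.0.113.5"),
        Request("/cart/add", {"sku": "sku-200", "price": "1.00"}, "203.0.113.9"),
        Request("/search", {"q": "' OR '1'='1"}, "203.0.113.9"),
    ]
    for r in samples:
        print(r.path, handle(r, tracker, policy="warn"))
```

The point the demo makes is that the classification and the response are separate decisions: the same verdict can be blocked outright, answered with a warning, or fed a decoy page, and the per-client history is what turns a one-off probe into a tracked attacker.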

Mykonos looks like more than a plain vanilla web application firewall, and the downside to that is it requires more work from the administrator and more work from your developers to make full use of its capabilities.  This also means its potential for becoming shelfware is much greater as well.  But if you’re looking for more than what a standard WAF offers, it might be worth looking at this product.  And once you do, I’d appreciate feedback on your impression of the product.  Is Mykonos a potential new product market, a single product with greater capabilities or just a flash in the pan that won’t amount to much?


No responses yet

Nov 08 2009

Simple worm RickRolls jailbroken iPhones

I knew it had to be just a matter of time before someone took advantage of all the jailbroken iPhones and created another malicious tool to pwn them.  This time the attacker has been RickRolling iPhone users, changing the background on the phones to a picture of Rick Astley.  The worm is fairly simple and uses the default password set up on the SSH daemon when you jailbreak your iPhone, so if you’ve taken the 5 minutes required to change the password, you’re perfectly safe from the effects of the worm.  Of course, it’s written by someone in Australia going by the name of ‘ikee’ and generally has only been hitting phones down under, but given that the ikee code was released, along with an interview, it’s only a matter of time before someone else creates a new version that does something much nastier than putting up a picture of an ’80s pop icon.  I can think of a couple of people I know who’d be willing to put pictures of goats or lemons or things with spelling close to that on your iPhone.  And those are just the people who are there to be playful.

I’ve said it a number of times in the last week, but it bears saying again:  If you’ve jailbroken your iPhone, change your iPhone’s root password immediately!

By the way, I don’t know anyone who’s jailbroken their iPhone in order to access pirated software; everyone I’ve talked to did it so they could install software that unlocks capabilities that Apple doesn’t want us to have in existing apps, for example tools like xGPS and SBSettings.


2 responses so far

Nov 07 2009

How to change the SSH password on your iPhone

I mentioned a couple of days ago that once you jailbreak your iPhone, you’ve bypassed many of the security protections Apple put in place.  One of the biggest concerns once you do this is the SSH service running on the iPhone, since it’s relatively easy to find the default password for the phone (it’s ‘alpine’).  My solution is to use SBSettings and simply turn off SSH on the iPhone altogether.  But if you have reason to leave SSH running, you need to at least change the password, especially if you’re going to any security conventions or will be traveling through target-rich environments that might draw the attention of malicious elements (aka, hackers).  You know, places like airports, train stations, Las Vegas, New York, etc.

How to Change the iPhone’s Root Password


No responses yet

Nov 03 2009

Turn off SSH on your jailbroken iPhone!

Jailbreaking an iPhone unlocks some very useful features that the iPhone is lacking and gives you the control over your device that you should have in the first place.  Just getting access to the xGPS project and its turn-by-turn directions has been more than enough reason for my friend Bob to jailbreak his phone multiple times.  But as Uncle Ben once told Peter Parker, “With great power comes great responsibility.”  Apple locked down the iPhone in part to protect users from the bad guys out there, and if you’re in the Netherlands with a jailbroken iPhone, you may be regretting having taken your security into your own hands.

A Dutch hacker has started breaking into iPhones that have been jailbroken and left SSH running with the default root password.  This enabled the hacker to log into the iPhones and send the owner a message telling them their iPhone is insecure.  It goes on to give them a link and asks for 5 euros in order to secure the phone.  This has been sighted on a relatively few iPhones so far, but it’s not inconceivable that this could be weaponized and used on a much wider scale.

This just highlights that the act of jailbreaking your iPhone or hacking any manufacturer’s device places the onus of securing the device back on the owner rather than on the manufacturer.  I have no problem complaining about companies like Time Warner who’ve consistently given their users insecure routers.  The company is supplying and configuring the device; the responsibility (and the power) to secure the routers is theirs and theirs alone.  The user has no ability to make changes and in most cases, probably doesn’t know much more than how to plug the router in and turn it on.

But once you’ve taken the steps to jailbreak an iPhone or hack your router, you’ve relieved the company of that responsibility.  It may not take much, but if you’ve done the necessary research to download the tools to free your device, you are also taking on the responsibility of securing the same device.  So take the time to do a little more research and figure out what steps you need to take beyond just jailbreaking to secure your iPhone, or whatever device you’re hacking into today.


One response so far

Sep 14 2009

Malware with your morning paper

I imagine there are a fair number of people out there who are like me and instead of a cup of coffee and the morning paper they take the same cup of coffee and open up their favorite news sites online to get the morning’s news.  So I imagine there were more than a few people who were surprised yesterday morning to get a little something extra when they opened the New York Times site and got a pop-up ad telling them that their computer was infected with several hundred viruses and that they needed to buy some wonderful new anti-virus product to secure themselves.

We don’t know exactly how the NYT site was compromised and this code was implemented, but there is a good analysis of the malware at Inputs & Outputs.  The ad used a scare tactic but by itself it didn’t do much.  But this phishing scheme did point users to a small program that probably did some very interesting things to the end user’s computer if you believed you actually were infected.  If you’re a Firefox user with NoScript installed, you probably didn’t even notice that this fun piece of code had been added to the NYT site.  Score one more for blocking scripts by default.

Looking at the analysis of this compromise, it appears that the code wasn’t directly on a NYT server, rather it was served up by one of the third-party services that provide ads for the NYT.  Once again, it shows that even if you trust a particular site you’re visiting, the interaction between that site and the secondary systems supporting it offer a great attack vector for the bad guys to gain access through.  The New York Times probably has a great security team who’s up on the latest vulnerabilities and does an excellent job protecting their site, but if the other companies they rely on for additional code can’t protect their systems, even the best team at the NYT won’t be able to do a thing.  It’s something for anyone who relies on third-party code on their site to think about.


3 responses so far

Aug 18 2009

They didn’t just hack Heartland

Published by Martin under Hacking, PCI, Phishing, scams, etc.

Rich Mogull took the time to read through the entire indictment against the hackers who targeted not only Heartland, but also 7-Eleven and Hannaford as well.  The first thing that really leaps out at me about this is that the attacks were using command execution via SQL injection or XSS via SQL injection.  Given that these are both methods of attack that the PCI DSS specifically calls out to protect against, this blows a pretty big hole in the case Heartland CEO Robert Carr made that his QSA let him down.  We’ve known about SQL injection for years and there should be no need for a QSA to tell a company or its security team about the problem.  There should also be no reason that SQL command execution should be enabled on any SQL server that’s exposed to potentially malicious traffic.  As Rich points out, on most modern SQL servers, this is a capability that has to be enabled, not a feature that’s turned on by default.
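Since the post leans on the fact that SQL injection has been understood for years, here is the core of the defect and its fix as an added illustration, not code from the indictment, from Rich’s post or from any of the companies named. It uses a constructed in-memory SQLite table standing in for a transaction database (an assumption; the breached systems were not SQLite), and compares a lookup that splices user input into the SQL text with the same lookup using a bound parameter.

```python
import sqlite3

def make_db():
    """Build a constructed sample table (not any breached company's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, holder TEXT, last4 TEXT)")
    conn.executemany(
        "INSERT INTO cards (holder, last4) VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    return conn

def lookup_vulnerable(conn, holder):
    """The classic defect: the input is spliced into the SQL text, so any
    quote characters in it become part of the query's grammar."""
    sql = "SELECT holder, last4 FROM cards WHERE holder = '" + holder + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, holder):
    """The fix: the driver sends the value separately from the statement, so
    the input can only ever be compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT holder, last4 FROM cards WHERE holder = ?", (holder,)
    ).fetchall()

def rows_exposed(lookup, holder):
    """Count the rows a lookup function returns for a given input value."""
    return len(lookup(make_db(), holder))

if __name__ == "__main__":
    # Constructed tautology input used only to show the two behaviours differ.
    probe = "x' OR '1'='1"
    print("vulnerable    :", rows_exposed(lookup_vulnerable, probe))     # 3: every row
    print("parameterized :", rows_exposed(lookup_parameterized, probe))  # 0: no such holder
```

Parameterization removes the grammar problem entirely, which is why it is the fix rather than input filtering; it does nothing, however, about a database account that is allowed to run operating-system commands, which is the separate configuration point the post makes about command execution being enabled on exposed servers.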

It’s a little surprising to me that one group of hackers is connected to so many high profile breaches, including TJX, OfficeMax and Dave & Busters.  Are they an isolated group who managed to find a way into these networks or are they just the group of hackers that was stupid enough to get caught?  The possibility that these guys are just the hackers who were unlucky enough to get caught worries me, since their capture may lead a number of security professionals to breathe a sigh of relief and get back to life as normal.  Which means arguing with management to get new tools and toys for the network while ignoring serious configuration errors like having SQL command execution enabled on transaction servers.


One response so far

Aug 03 2009

What happens in Vegas can cost you a lot

Published by Martin under Hacking, Malware, Security Advisories

When heading to Las Vegas for Black Hat and Defcon, there are a number of basic security measures many of us take.  Phone wireless off: check.  Phone bluetooth off: check.  Laptop wireless and bluetooth off: check.  Use an ATM that’s nowhere near either Caesar’s or the Riviera: check.  Which turned out to be a very good decision as a fake ATM showed up at the Riviera and the machines at the Rio Hotel were debiting accounts but not dispensing money.  And people were wondering why the ATMs on the conference floor at the Riviera were all unplugged from power when we arrived.  Of course the network cables for the ATMs were still in place, but I hope the hotel was proactive enough to disable those ports on the switch as well.  The fact that I saw one hotel information machine with an error message about network connectivity tends to support that possibility.

It’s not a joke when the networks at Black Hat and Defcon are called some of the most dangerous networks in the world.  Attendees take the safety of their computers into their own hands when they connect to either network.  The best answer is to not connect to the network at all if you can avoid it, but if you have to connect, encrypt every packet and every connection and use a computer with a new, patched image that you wipe as soon as you get back from the event.  These aren’t the only steps you should have taken over the last week, but it’s a good start.

Along the same lines, it was a good idea to take out the money you thought you’d need before you ever got to Las Vegas for last week’s events.  I have to admit I didn’t take this precaution myself, I was busy and forgot to hit an ATM before boarding the plane for Vegas.  I had to take my chance with an ATM in my hotel, which luckily was not Caesar’s, the Riviera or Rio.  I chose a machine that was in a heavily monitored and travelled area, looked for anything suspicious and crossed my fingers.  So far it looks like my luck has held.

It’s no joke that ATMs are not secure.  Many of them run on a Windows OS and have all the vulnerabilities associated with Windows, especially since I highly doubt many ATMs are configured to patch themselves with any regularity.  Plus there are little things like the software my coworkers at SpiderLabs found on ATM machines in Europe earlier this year.  The fact is, the entire ATM infrastructure is under attack on both a physical and virtual level.  And if someone like Chris Paget, a professional who specializes in credit card and hardware security, can’t recognize a compromised machine on sight, the rest of us don’t have much of a chance.

It’ll be interesting to see how this plays out.  The fake ATM that was placed in the Riviera lobby will likely have a fair amount of interesting forensics evidence, not the least of which will be potential for fingerprints inside the machine.  The attackers might have thought it was a fairly harmless joke to show how stupid other security professionals can be, but I doubt the FBI will show much of a sense of humor.  The Riviera staff likely took the most prudent route in disabling their ATMs in the conference center, but this sort of antic has to be trying the patience of a hotel who needs the business that Defcon brings.


4 responses so far

Jul 27 2009

But Network Solutions was compliant, weren’t they?

Published by Martin under Hacking, PCI, Security Advisories

Repeat after me:  “Being compliant does not mean you’re secure.  Being compliant doesn’t mean you’re secure.”  Keep muttering that to yourself while you read the rest of this post.  If you have a bluetooth headset, people might not even think you’re crazy.

If you haven’t already heard, over the weekend Network Solutions announced that they’d been compromised and over half a million credit card records had been stolen.  All we know about the attack so far is that it used ‘unauthorized code’ which could mean anything from a wholesale compromise by an outside attacker to a malicious insider placing the code for his own profit.  In other words, they’ve really told us almost nothing about what happened and it’s quite likely that’s about all we’ll find out.  The code transferred the information to servers outside the company and while there’s no evidence yet that the stolen credit cards have been used for fraud, there’s also no evidence that they haven’t.

So why are we spending so much time on PCI if it doesn’t make our merchant and service providers secure?  Network Solutions had been validated as PCI compliant by Payment Software Company (PSC) last October, so they were secure weren’t they?  Once a merchant or service provider is compliant, that’s it, isn’t it?

The Payment Card Industry Data Security Standards are not a magic potion that will make a company secure.  The requirements are mostly good practices, and the annual review that merchants and service providers go through is not exhaustive and does not touch on every server in a company’s PCI environment.  The PCI DSS is a minimum baseline companies should be complying with in order to take credit card numbers.  Each network and each business is too different for any standard to cover in a horizontal market that includes everything from your corner Mom ’n’ Pop store to the likes of Amazon, Best Buy and Walmart.  What PCI does, and does well, is raise the baseline of security for the entire market and hopefully makes it a little harder for the bad guys.  But raising the bar for everyone may not raise it high enough to actually secure any one company, and it’s up to the security professionals who work at those companies to realize that PCI isn’t a stopping point, it’s just one milestone along the way to securing the systems at their companies.

Network Solutions had been validated by a QSA, nearly a year ago.  If you’re ever curious, Visa keeps a list of the validated service providers on their site.  Pay very close attention to a short clause they have on every page of the document:

(1) PCI DSS assessments represent only a “snapshot” of security in place at the time of the review, and do not guarantee that those security controls remain in place after the review is complete. These reviews did not cover proprietary software solutions that may be used or sold by these service providers.

Yes, Network Solutions was listed as having been validated last Halloween.  Take a moment and think back to how your own network was configured and maintained last Halloween; have there been any changes to your network since then?  Has anyone made any configuration mistakes on your systems in the last 10 months?  Have there been any 0-day vulnerabilities that affect your servers since then?  If you can answer ‘no’ to all of those questions, you’re either the best systems administrator I’ve never met or you’re lying to yourself.  I’d lean towards the latter.

The PCI requirements don’t require a QSA to check every server on the network or even in a company’s PCI environment.  They require the QSA to check a sample of systems for all of the PCI requirements.  My own experience has been that you can tell pretty quickly if a merchant or service provider is following their own configuration and hardening standards or not.  If they are, you might be able to reduce the sample size some, and if they’re not, you might have to increase the sample size you’re assessing.  In all except the very smallest merchants, there is no way even the most competent QSA can assess more than a sample of systems involved in the PCI process.  It’d be great if we could review each and every system involved with cardholder data, but that’s why companies retain security personnel.  The job of the QSA is not to verify every system, it’s to assess the security of a company as best they can in the few days they have on-site.  It’s the job of the security and system professionals who work at a company day after day the rest of the year to ensure that the baseline of security PCI requires is kept current and that even the systems the QSA didn’t check are secure.

Like my friend Anton, I wish people would stop taking every breach of a PCI compliant company as proof that PCI has failed.  We don’t scream that Microsoft is a failure every time a Windows server is compromised or state that the OWASP top 10 is worthless if a company follows the guidelines but still turns out insecure software.  We acknowledge that the system has weaknesses, that people don’t follow guidelines as well as we might like and we move on.  Just because one part of an overall system is flawed, we don’t declare the whole thing a failure.  Instead, we work on improving the system and making it better so that the same problem doesn’t happen again.  Or at least we try to.  So why does anyone expect the PCI system to be perfect?


8 responses so far

Jul 27 2009

Don’t poke a hornet’s nest

I have to admit, as a security professional, I’ve been woefully lacking in my exploration of the 4chan site.  More accurately, I’ve been unwilling to stick my nose into what is known as one of the most disturbing and contentious sites on the entirety of the Internet.  I know what 4chan is and have a number of friends who spend significant amounts of time there, but I’ve never had the need or desire to explore or spend any time on the site.  But one thing I do know about 4chan is that you don’t want to stir up its denizens and find yourself on the receiving end of more unsavory attention than you even knew existed.  Apparently AT&T didn’t understand that basic tenet of the Internet and started blocking 4chan in SoCal over the weekend, nearly creating a digital uprising they might not have been able to handle.  Luckily for them, they relented and unblocked 4chan before the real storm started.

4chan’s members range from web neophytes to some of the most talented hackers out there.  The last time 4chan was in the news was this April when they gamed a Time poll to find the top 100 most influential people.  Talent aside, just the sheer number of people who use the 4chan site worldwide is enough to cause a serious problem for AT&T, especially given their excitable nature.  And all it would have taken on AT&T’s part to avert this disaster is a little bit of transparency, provided their reasons for blocking the site in the first place were authentic.


One response so far
