August 20, 2014

The Top Six Benefits of Event Log Analyzers

One of the best applications you can add to your systems administration toolset is an event log analyzer. These applications enable administrators to go from reactive management to proactive management, which is good for all concerned. The business has better uptime, management is happy, and the admins don’t get calls in the middle of the night. While those are all actual benefits of being proactive, here are six tangible benefits you can get out of an event log analyzer:

GFI EventsManager – EventsManager management console (Source: http://www.gfi.com)

1. Centralized logging

With diverse systems across your datacenter or across the globe, event log analyzers can bring all those logs from all those systems into one place, where they can be parsed, analyzed and stored.

2. Support for multiple log formats

There are almost as many log formats as there are systems and it can be a daunting task to understand them all. But an event log analyzer can understand protocols and log formats from syslog to Oracle, SNMP to IIS and anything in between – letting admins focus on the content and not worry about the format.

3. Fine-grained control

If there’s one thing admins know, it’s that event logs have a lot of fluff and noise. Event log analyzers can help admins cut through all the excess, so they can focus on what’s really important.

4. Search and filtering

Even when you tune out the noise, if you are searching for a specific event amongst millions of records, you need to find it quickly and be able to filter down to just what you need. Event log analyzers excel at finding what you need, when you need it.

5. Security capabilities

Security incident response always starts with the logs. The problem with that is it’s after the fact. Event log analyzers with Security Information and Event Management (SIEM) can detect issues before they become incidents, helping you to lock down and secure your environment.

6. Compliance capabilities

PCI, HIPAA and other regulations and standards all have the expectation that admins are reviewing logs. Event log analyzers can help your company meet those requirements easily and economically.

Event log analyzers can take the overwhelming task of managing all the logs on all your various systems, and turn that into a simple-to-manage, largely automated process. When you proactively manage your systems using an event log analyzer, you can get ahead of issues before they become problems. Uptime goes up, and so does your quality time.

Editor Note: This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Find out more on how you can benefit from an event log analyzer.

Disclaimer: All product and company names herein may be trademarks of their respective owners.

In Brief: GFI LanGuard 2012 SR1 released

(LiveHacking.Com) – GFI has released the latest version of its LanGuard product suite. By acting as a virtual security consultant it combines three key activities into one software solution: patch management, vulnerability assessment and network auditing. This means that LanGuard has the potential to reduce costs as well as help secure your network. It can also be of use in asset inventory, change management, risk analysis and proving compliance.

New in 2012 SR1 is the addition of patch management capabilities for Mac OS X systems as well as traditional Windows systems. The new version also has better compliance reporting and can create reports for a variety of standards, including the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI-DSS).

You can download a 30-day free trial from here.

Coverity releases open source library to help developers fix XSS issues in Java web applications

(LiveHacking.Com) – A new, open source library has been released to help developers easily fix cross-site scripting (XSS) security defects in Java web applications. The library, which gives developers a range of free escaping and encoding functions, has been released by Coverity, a development testing company that invented a new way to test source code to reveal critical software defects.

The idea is that the new library will enable developers with limited security expertise to quickly fix XSS security defects in Java web applications. It does this by providing a set of functions for data escaping and encoding.

“Asking developers to write their own data escaping routines is a recipe for getting it wrong,” said Andy Chou, Coverity co-founder, CTO and head of the Security Research Laboratory. “The incomplete set of escapers in some libraries encourages developers to use the wrong ones. We need to empower developers to be part of the security solution with the right technologies and actionable information to help them fix defects quickly and without slowing them down. With the Coverity Security Library, developers now have a powerful and easy-to-use library to help them plug some of the most common security holes early in the development process when they are easiest to fix.”

The company has released the Coverity Security Library to the open source community on GitHub and Maven as a standalone repository. The important question is why developers need another security library. Coverity’s answer is that many existing libraries are incomplete, and the ones that are complete are too complex and inefficient. The end result was that Coverity couldn’t find a freely available library that it felt comfortable recommending to users.
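An added example, not code from the Coverity Security Library or from Coverity: three minimal context-specific escapers of the kind the article describes, illustrating Chou’s point that the escaper has to match the output context (HTML text, a quoted attribute, a JavaScript string literal) and that one escaper does not fit all three. The class and method names are my own.

```java
// Added example (not the Coverity Security Library's own code): minimal
// context-aware escapers of the kind such a library provides. Each method
// targets exactly one output context. HTML-text escaping alone does not make
// a value safe inside a JavaScript string literal, which is why a complete
// library ships one escaper per context.
public final class ContextEscapers {

    private ContextEscapers() {}

    /** Escape for HTML text content (between tags). */
    public static String htmlText(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Escape for a double-quoted HTML attribute value. The character set is
     * the same as htmlText, but the caller must also quote the attribute;
     * an unquoted attribute cannot be made safe by escaping alone.
     */
    public static String htmlAttribute(String s) {
        return htmlText(s);
    }

    /**
     * Escape for use inside a JavaScript string literal ('...' or "...").
     * Every character outside a conservative safe set becomes a backslash-u
     * hex escape, which also stops the value from closing the enclosing
     * script element, since '<' and '/' are never emitted literally.
     */
    public static String jsString(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                        || (c >= '0' && c <= '9') || c == ' ' || c == ','
                        || c == '.';
            if (safe) {
                sb.append(c);
            } else {
                sb.append(String.format("\\u%04x", (int) c));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed untrusted value, e.g. a display name read from a request.
        String untrusted = "O'Brien <b>\"quoted\"</b>";
        // Each sink uses the escaper for its own context.
        System.out.println("<p>" + htmlText(untrusted) + "</p>");
        System.out.println("<input value=\"" + htmlAttribute(untrusted) + "\">");
        System.out.println("<script>var name = '" + jsString(untrusted)
                + "';</script>");
    }
}
```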

Coverity is also looking for contributions from the community as it expands the library in the future. It hopes to earn the trust of users and believes that making the library available under a liberal BSD-like open source license will help increase the transparency.

Although the library is open source, the advantage for Coverity is that the library can also be used in conjunction with the Coverity® Security Advisor, a commercial product within the Coverity Development Testing Platform that can further analyze security defects and assist in finding fixes.

The Top Nine Best Practices for Network Scanning

(LiveHacking.Com) — Systems admins and security personnel looking to get the most out of their network scanners want to make sure they are using their tools in the right way. Follow these nine best practices for network scanning, and you’ll get the best bang for your buck out of your network scanner.

1. Update regularly

Generating general network reports (Source: gfi.com)

A network scanner helps you to find when your systems are out of date, and with new vulnerabilities discovered regularly, it is critical that you update your scanner each time you go to use it. Either set up a process to check for updates daily, or run the update process each time you go to perform a scan.

2. Scan early, often, and on a schedule
Using a network scanner should be a regular part of your systems security and maintenance. You should scan early in the deployment of any new system, and scan your entire network on a regular basis, not just when someone reads about a new vulnerability. By the time a new vulnerability makes it into the press, the bad guys already know about it and are attempting to exploit it.

3. Scan new systems before they go into production
You want to make sure a system is fully up-to-date before it goes into production, so you can patch it as necessary. Once it is in production, change control will apply.

4. Scan everything
Scanning a subset of systems may be quicker, but scanning your entire IP range makes sure you catch everything, including those rogue systems that someone deployed outside of your normal processes.

5. Scan internally
Whether the threat is a malicious user, a worm, or just someone with too much curiosity, don’t assume your firewalls will protect your internal systems. Scan everything you have internally to make sure all systems are up-to-date.

6. Scan externally
Attackers are scanning your external networks regularly. See what they see by scanning your systems from an external network so you know exactly what is accessible to the rest of the world.

7. Check those deltas
When you perform regular scans, you can see what changes over time. Investigate any deltas between one scan and the next to confirm that any changes were appropriate and authorized.

8. Share the results
Too many companies keep the security scans a closely guarded secret. I don’t suggest you publish the results on your website, but make sure that all the admins are aware that you are scanning, see what you find, and know where their systems stand.

9. Remediate what the scanner finds
Using your network scanner to find vulnerabilities is only half the task; you must remediate what the scanner finds. Make sure that senior management understands the results of the scan, and makes remediation a priority.

Follow these nine best practices for network scanning to get the best use of your network scanner. Don’t underestimate the importance of that first step. New vulnerabilities are discovered regularly, and checking your systems with an outdated scanner is as bad as running with outdated virus definitions. The sense of false confidence can lead to disaster. Maintain your network scanner like the fine tool it is, and you’ll get years of great use out of it, helping maintain secure and updated systems.

Editor Note: This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Read more on the importance of using a network scanner.

Disclaimer: All product and company names herein may be trademarks of their respective owners.

Microsoft releases Attack Surface Analyzer 1.0

(LiveHacking.com) — Microsoft’s Attack Surface Analyzer has come out of beta with the official release of V1.0. The tool, which Microsoft first released as a beta in January, is designed to help developers better understand changes to the attack surface in a Windows machine due to the installation of new applications.

A system’s attack surface is the set of exposed points of entry through which a hacker can enter a system and potentially cause damage. The attack surface includes user input fields, protocols, interfaces, and software services; the smaller the surface, the more secure the system.

By highlighting the changes in system state, runtime parameters and securable objects, developers can see any increases in the attack surface caused by installing applications on a machine. The tool checks for a variety of changes including newly added files, registry keys, services, ActiveX Controls, listening ports and access control lists. Any of these things can increase a computer’s attack surface.

New for version 1.0 are performance enhancements, bug fixes and improvements to reduce the number of false positives. This release also includes in-depth documentation and guidance to improve ease of use. The tool has a stand-alone wizard to help guide users through the scanning and analysis process. There is also a command-line version to help IT professionals integrate the tool with existing enterprise management tools.

Summary

The Attack Surface Analyzer enables:

  1. Developers to view changes in the attack surface resulting from the introduction of their code on to the Windows platform
  2. IT Professionals to assess the aggregate attack surface change by the installation of an organization’s line of business applications
  3. IT Security Auditors to evaluate the risk of a particular piece of software installed on the Windows platform during threat risk reviews
  4. IT Security Incident Responders to gain a better understanding of the state of a system’s security during investigations (if a baseline scan was taken of the system during the deployment phase)

New version of Wireshark fixes vulnerabilities in the PPP and NFS dissectors

(LiveHacking.Com) – Versions 1.6.9 and 1.8.1 of Wireshark, the open source network protocol analyzer, have been released to address two vulnerabilities that could be exploited by a remote attacker to cause a denial of service (DoS).

The first problem is a crash in the PPP dissector. It is possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file. Versions affected are 1.4.0 to 1.4.13, 1.6.0 to 1.6.8, 1.8.0.

The other vulnerability, in the NFS dissector, can cause excessive CPU usage. It is possible to provoke the condition by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file. Versions affected are 1.4.0 to 1.4.13, 1.6.0 to 1.6.8, 1.8.0.

Upgrading to 1.6.9 or 1.8.1 fixes both problems. More information (including a full list of known issues and changes) can be found in the 1.6.9 and 1.8.1 release notes. Wireshark 1.6.9 and 1.8.1 are available to download for Windows, and for Mac OS X 10.5.5 and above (Intel and PPC). The source code is also available.

New version of Netsparker is quicker while using less CPU

(LiveHacking.Com) – Mavituna Security has released version 2.2 of its Netsparker web application security scanner. The new release focuses mainly on improving the performance of Netsparker while scanning big websites and on reducing CPU usage. As part of the performance drive, Netsparker now makes fewer requests while crawling a web application (without sacrificing coverage) and has the ability to handle huge websites and process very long scans without a performance hit.

Besides the performance improvements, Netsparker 2.2 improves a number of its checking techniques. First, its Remote Code Evaluation checks have been improved and checks for Perl Remote Code Evaluation have been added. Local File Inclusion (LFI) vulnerability checking has also been improved, along with Remote File Inclusion (RFI) vulnerability checking. RFI checking catches vulnerabilities based on a hacker’s ability to inject a file (not already on the server) into the attacked page and have it included as source code for parsing and execution. Also improved is Netsparker’s PHP Source Code Disclosure checking.

Web applications have been under the spotlight recently, with sites like LinkedIn and Yahoo! suffering security breaches which resulted in login details (including email addresses and passwords) being stolen and posted online. Tools like Netsparker are increasingly becoming “must haves” in the arsenal of web application developers. Netsparker is also quite unique in the web application security scanning market in that it includes a built-in exploitation engine to positively confirm vulnerabilities.

Yahoo’s recent security breach, in which details of 450,000 accounts were stolen and posted online, is thought to have occurred because of an SQL Injection attack. Tools like Netsparker can detect various forms of SQL Injection vulnerability. They can also detect Cross Site Scripting (XSS) vulnerabilities, Command Injection (where input data is interpreted as an operating system command) and CRLF injection issues (which can lead to XSS and session hijacking attacks).

Mavituna have published a full list of all security checks made by Netsparker and a demo version can be downloaded from their site.

DarkComet RAT developer shuts down project

(LiveHacking.Com) – The developer of the DarkComet Remote Administration Tool (RAT) has put an end to the project because of its abuse and use by malware writers. Jean-Pierre LESUEUR posted the announcement on the official site as well as on Twitter and Pastebin.

Once installed on a remote machine, the DarkComet RAT allows a remote “administrator” to completely control the target machine. Its functionality included webcam streaming, desktop streaming, microphone streaming and a keylogger. Because of its effectiveness it became the preferred tool of malware writers, who would include the RAT as part of their payload. The tool was implicated in many different types of attacks, including attempts to spy on anti-regime activists in Syria.

The tool was designed to be covert and, as the feature list mentioned, it can be used “without disturbing the remote user”. It was capable of reading passwords from web browsers including Google Chrome, Opera and Mozilla Firefox. It could also record video and audio from any attached webcams or microphones.

“I have devoted years with a nonprofit philosophy for you to enjoy without asking anything in return other than respect of the rules, unfortunately some of you couldn’t respect the terms so because of you (generally speaking) made the DarkComet RAT geo cruiser end,” said Jean-Pierre LESUEUR.

It seems as if pressure had been mounting on Jean-Pierre over the misuse of his software. In his statement he added: “so many of you seem to believe I can be held responsible of your actions, and if there is something I will not tolerate is to have to pay the consequences for your mistakes and i will not cover for you.”

Recent changes to laws in various countries have left developers accountable for the misuse of their security tools. In June, for example, the developer of the Blackshades RAT was arrested. However, it is worth noting that Blackshades was developed with malicious intent (unlike DarkComet).

Jean-Pierre re-emphasised his original goal of providing tools for educational purposes and for people who legitimately want to check on remote machines (for example, parents with their kids).

The official website has been significantly cut down and the tool is no longer available for download. However, two related tools are still available on the site: one to detect any running instance of DarkComet in memory (even packed/compressed/virtualized etc…) and another to extract the data in a DarkComet stub. Fortunately the source code for DarkComet has never been released, and hopefully the future lack of development will mean its use will wither away.


CrowdStrike unleashes CrowdRE to promote collaborative reverse engineering of malware

(LiveHacking.Com) – CrowdStrike, a security technology company which employs some big industry names like former McAfee CTO George Kurtz, Dmitri Alperovitch (McAfee’s ex-VP of Threat Research) and former FBI executive Shawn Henry, has released a new collaborative platform designed to speed up the reverse engineering of malware.

Known as CrowdRE, the cloud-based service was originally developed for CrowdStrike’s internal use, but the company decided to release it for free after it realized that the broader security community could benefit from it by encouraging information sharing and collaboration.

The idea is simple: while a single person can statically reverse engineer a small downloader or dropper, it can take weeks or even months to properly analyze complicated malware like Stuxnet and Flame, especially when they are developed by a well-funded adversary (such as a nation-state). To this end, CrowdRE has been developed to allow security analysts all over the world to perform collaborative reverse engineering.

The platform works like this. Bob is working on disassembling the code and, as he does so, he names local variables, adds annotations and works out what certain functions do. Once he is happy with his work he can upload it to the CrowdRE servers. At the same time Alice is working on a different part of the malware and notices calls to certain functions. At this point Alice syncs with the CrowdRE servers and discovers that Bob has already annotated and analysed those functions. Now Alice can continue reverse engineering the malware with Bob’s function annotations included in her analysis.

A more detailed example can be found in a recent blog post where Jason Geffner, a senior security researcher at CrowdStrike, demonstrates how CrowdRE could be used to analyze a malware sample known as “Comment Panda.” Comment Panda was part of the malware family behind the Shady RAT attacks and is known to include command-and-control commands inside HTML comment tags.

CrowdRE has plugins for popular tools like IDA Pro and development continues. The team hopes to bring support for Linux and Mac OS soon, along with social ratings of other users’ annotations (so you can see what other people think is reliable), access control lists (to allow only specific people to see your annotations) and better fuzzy matching of functions.

Three expert tips on business web security

If there is one thing we can be sure of when it comes to our IT infrastructure security, it is that we need to cover a lot of ground. Threats to our business can come from a wide variety of sources: emails, portable storage devices, insider attacks, remote attacks, physical attacks, as well as web usage. Every single vector requires its own considerations and should not be neglected. After all, your security is only as strong as your weakest link.

Dashboard Activity – GFI WebMonitor™

So how do we go about ensuring our business web security?

Antivirus Technology:

One of the major risks of providing web access is that it can lead to the introduction of malware on your network. To counter such risks we need to employ antivirus capabilities that can detect and stop malware from spreading.

There are a few things you should look out for to ensure your investment provides maximum protection. There are various technologies that antivirus solutions use to detect malware. For example, there is manual virus analysis by engineers who then release specific rules for their antivirus solution through updates. In addition, there is heuristic analysis in which the antivirus solution detects the malware based on the malware’s behaviour. However, different antivirus solutions can have varying degrees of success, so using multiple antivirus engines can give you an edge in keeping your network secure against malware.

Anti–Phishing:

After malware, the biggest risk posed by having web access is probably phishing attacks. Specifically crafted web sites, made to look like legitimate business services your organization makes use of, can trick your employees into disclosing confidential information, such as financial credentials. Various solutions designed to ensure your business’ web security provide a number of options to protect your users from phishing attacks. These can include fingerprint information, as well as databases of known phishing URLs.

Malicious Websites:

The most common way employees get their computers infected with malware is through social engineering which encourages them to download malware and run it. Some malicious websites, however, do not need to rely on this step at all. Using exploits or misdirection, they can either get the web browser to download the malware and infect the victim’s machine without the user being aware, or they can even manipulate the user into downloading particular malicious software they might believe to be safe as it appears to come from a specific reputable source. In fact, such malware would actually come from a source the attacker chooses.

Ensure your network has controls that can help your users avoid such scenarios. Good web security software should include a number of features that prevent such occurrences. The ability to analyse and detect malicious code, databases that contain fingerprinted data of such malicious attacks, as well as a list of URLs of known malicious sites are all useful in keeping your network secure. Other, more advanced, products can also utilize technologies such as web categorization, which allows an administrator to configure access to web sites based on your company’s needs and thus keep risks to a minimum.

We all know business web security is a priority if we want to ensure proper business continuity. The three tips discussed above go a long way to protect your business from downtime due to a web security compromise.

Editor Note: This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more on what your web security solution should include.

Disclaimer: All product and company names herein may be trademarks of their respective owners.