February 26, 2017

Three expert tips on business web security

If there is one thing we can be sure of when it comes to IT infrastructure security, it is that we need to cover a lot of ground. Threats to our business can come from a wide variety of sources: email, portable storage devices, insider attacks, remote attacks, physical attacks, as well as web usage. Every single vector requires its own considerations and none should be neglected; after all, your security is only as strong as your weakest link.

Dashboard Activity – GFI WebMonitor™

So how do we go about ensuring our business web security?

Antivirus Technology:

One of the major risks of providing web access is that it can lead to the introduction of malware on your network. To counter such risks we need to employ antivirus capabilities that can detect and stop malware from spreading.

There are a few things to look for to ensure your investment provides maximum protection. Antivirus solutions use several technologies to detect malware. The classic one is signature-based detection: engineers analyse a sample by hand and release specific rules for it through signature updates, which means a new sample is only caught once it has been analysed. In addition, there is heuristic analysis, in which the solution flags malware based on its behaviour rather than a known signature. Different antivirus solutions have varying degrees of success, so using multiple antivirus engines gives you an edge in keeping your network secure against malware.

Anti–Phishing:

After malware, the biggest risk posed by web access is probably phishing. Specifically crafted websites, made to look like legitimate business services your organization uses, can trick employees into disclosing confidential information such as financial credentials. Solutions designed for business web security provide a number of options to protect users from phishing, including fingerprints of known phishing pages as well as databases of known phishing URLs.

Malicious Websites:

The most common way employees get their computers infected with malware is through social engineering that encourages them to download malware and run it. Some malicious websites, however, do not need to rely on this step at all. Using exploits or misdirection, they can either get the web browser to download and run the malware without the user being aware (a drive-by download), or manipulate the user into downloading software they believe to be safe because it appears to come from a reputable source, when in fact it comes from a source the attacker chooses.

Ensure your network has controls that help your users avoid such scenarios. Good web security software should include a number of features that prevent such occurrences: the ability to analyse and detect malicious code, databases of fingerprints of known malicious content, and a list of URLs of known malicious sites are all useful in keeping your network secure. More advanced products can also use web categorization, which lets an administrator restrict access to websites based on the company's needs and thus keep risks to a minimum.

We all know business web security is a priority if we want to ensure proper business continuity. The three tips discussed above go a long way to protect your business from downtime due to a web security compromise.

Editor Note: This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more on what your web security solution should include.

Disclaimer: All product and company names herein may be trademarks of their respective owners.

Secunia Released Secunia Personal Software Inspector 3.0

(LiveHacking.com) – Secunia, the Danish IT security solution provider, has released Secunia Personal Software Inspector (PSI) 3.0.


According to the official press release Secunia sent to LiveHacking.com, Secunia PSI 3.0 is a free personal vulnerability scanner that identifies installed applications that are insecure and in need of security updates or patches.

Secunia PSI 3.0 New Features & Improvements

  1. Simple User Interface: The new and simplified user interface displays the key information that users need to know such as scan results, the security status of installed software, and the last update dates. Further, the new settings menu allows users to select whether or not to install updates automatically, and which drives are to be scanned.
  2. Automatic Patching: Secunia PSI 3.0 receives automatic updates for all software supported by the application.
  3. Localization: Secunia PSI 3.0 can be installed in one of five languages: French, Spanish, German, Danish and English.
  4. Program Ignore Rules: Users have the ability to ignore updates to a particular program by creating ignore rules.
  5. Scan History: Reports about the updates installed and scans conducted can be accessed at any time through the history feature.

The Secunia PSI 3.0 is available to download here.

New Version of the Ubiquitous Network Discovery and Security Auditing Tool – Nmap 6.0 Released

(LiveHacking.Com) – One of the most ubiquitous tools used by network administrators, system administrators and security specialists alike has received an update. Nmap has been updated to version 6.0 and brings a wealth of new features including full IPv6 support.

With the pool of unallocated IPv4 addresses exhausted, the inevitable move to IPv6 is (slowly) starting to happen. Nmap took the lead in this change back in 2002, when it first offered basic IPv6 support. With the release of version 6.0, Nmap has full IPv6 support: OS detection, advanced host discovery and raw-packet IPv6 port scanning. To invoke the IPv6 functionality just add “-6” as a command line option. The Nmap website is now also available over IPv6.

Nmap 6.0 also offers better web scanning capabilities. As the web has grown, scanning for a set of open TCP or UDP ports is no longer enough: many distinct web applications are reached through different URLs on the same port 80 listener, so finding the web server is only the start. Nmap now includes many techniques for enumerating these web applications, and can perform a wide variety of other HTTP tasks including website spidering and brute-force authentication cracking.

Other new features in Nmap 6.0 include:

  • An enhanced scripting engine – The Nmap Scripting Engine (NSE) allows users to automate a wide variety of networking tasks. In version 6 the underlying NSE infrastructure has improved and the number of scripts has grown from 59 in Nmap 5 to 348 in Nmap 6.
  • New Nping Tool – The newest member of the Nmap suite of networking and security tools is Nping, an open source tool for network packet generation, response analysis and response time measurement. Nping can generate network packets for a wide range of protocols, allowing full control over protocol headers.
  • Faster scans – Since Nmap 5, the traceroute system has been rewritten for higher performance, and the parallel execution abilities of the Nmap Scripting Engine and version detection subsystems have been increased.

A full list of new features and more screenshots can be found in the release notes, while more detailed information can be found in the change log and supporting documentation. You can download Nmap 6 (including the source code) for Windows, Mac OS X, Linux and several UNIX platforms here.

Tenable Network Security Released Nessus 5.0.1

(LiveHacking.Com) — Tenable Network Security has released version 5.0.1 of its famous vulnerability and configuration assessment scanner, Nessus.

Nessus 5.0.1 is a bug fix and enhancement release, focused on a packet forgery fix for some Windows setups and a compatibility fix so that a 64-bit database can be read on a 32-bit system and vice versa.

Here is the list of enhancements and bug fixes with reference to Nessus 5.0.1 release announcements:

  • Resolved an issue where packet forgery was not working on some Windows setups
  • Improved the Windows installer which would fail on some setups
  • Fixed several thread synchronization issues leading to a crash in certain situations
  • Imported v1 reports are more legible
  • Nessus can now read a 64-bit database on a 32-bit system and vice-versa
  • Identified and resolved a minor memory leak issue occurring on all platforms
  • Scanning with a SSL certificate defined in the policy would sometimes cause a scanner crash
  • Workaround for CVE-2011-3389
  • Worked around a possible incompatibility with the Fedora 16 / Debian 6 memory allocator
  • Restored the ability to log in via certificate authentication on port 1241 when “force_pubkey_auth = no”
  • This version of Nessus now includes OpenSSL version 1.0.0h

Nessus 5.0.1 can be downloaded from here.

Adobe Releases Malware Classifier Tool as Open Source

(LiveHacking.Com) – Adobe has released a new command line tool for quick malware triage. Known as the “Adobe Malware Classifier“, this Python based tool was developed by Adobe’s Product Security Incident Response Team (PSIRT) who used it as part of the initial response to security incidents.

“I’ve since decided to make this tool available to other first responders (malware analysts, IT admins and security researchers of any stripe) as an open-source tool, since you might find it equally helpful,” said its creator, Karthik Raman.

The tool classifies Windows executables (EXEs) and dynamic link libraries (DLLs) into one of three categories: “0” for clean, “1” for malicious and “UNKNOWN”. To do this it extracts seven key features from the binary's PE headers and runs them through one or all of four classifiers before presenting its result. Specifically, the models were produced by running the J48, J48 Graft, PART and Ridor machine-learning algorithms on a data set of approximately 100,000 malicious programs and 16,000 clean programs.
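As an added illustration (not Adobe's code, and not the classifier's real feature set or models, which this page does not list), the following Python script parses the PE headers of a Windows executable and pulls out the kind of header-derived numbers such a classifier works from: section count, image version, and the size or address of the export, resource, debug and import-address-table directories. It uses only the standard library so it runs offline; the python-pefile module the tool depends on would give the same fields in one call. The sample input is a constructed, minimal PE32 header built in build_sample_pe(), and the parser rejects anything that is not a PE image, which is also why an .msi (an OLE compound document, not a PE file) cannot be classified.

```python
import struct

# Offsets from the PE/COFF specification (all values little-endian).
_PE32, _PE32PLUS = 0x10B, 0x20B
_DIR_EXPORT, _DIR_RESOURCE, _DIR_DEBUG, _DIR_IAT = 0, 2, 6, 12


def extract_pe_features(data: bytes) -> dict:
    """Parse a PE image and return a small header-derived feature vector.

    Raises ValueError for anything that is not a PE file (an .msi, for
    instance, is an OLE compound document and starts with D0 CF 11 E0).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")

    coff = e_lfanew + 4
    (_machine, n_sections, _stamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                       # optional header follows the 20-byte COFF header

    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == _PE32:
        dd_offset = 96                    # data directories start after the 96-byte PE32 header
    elif magic == _PE32PLUS:
        dd_offset = 112                   # PE32+ has 8-byte ImageBase and stack/heap fields
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)

    major_img, minor_img = struct.unpack_from("<HH", data, opt + 44)   # Major/MinorImageVersion
    n_dirs = struct.unpack_from("<I", data, opt + dd_offset - 4)[0]    # NumberOfRvaAndSizes

    def directory(index):
        # (VirtualAddress, Size); directories beyond NumberOfRvaAndSizes read as zeros
        if index >= n_dirs:
            return 0, 0
        return struct.unpack_from("<II", data, opt + dd_offset + 8 * index)

    # Section table follows the optional header: 40 bytes per entry, VirtualSize at +8.
    sections = opt + opt_size
    virtual_size2 = 0
    if n_sections >= 2:
        virtual_size2 = struct.unpack_from("<I", data, sections + 40 + 8)[0]

    return {
        "NumberOfSections": n_sections,
        "ImageVersion": (major_img, minor_img),
        "ExportSize": directory(_DIR_EXPORT)[1],
        "ResourceSize": directory(_DIR_RESOURCE)[1],
        "DebugSize": directory(_DIR_DEBUG)[1],
        "IatRVA": directory(_DIR_IAT)[0],
        "VirtualSize2": virtual_size2,
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header (no real code) so the example runs offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew -> PE signature
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, _PE32)
    struct.pack_into("<HH", opt, 44, 5, 1)                      # ImageVersion 5.1
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    for index, (rva, size) in {_DIR_EXPORT: (0x3000, 0x7C), _DIR_RESOURCE: (0x4000, 0x1B8),
                               _DIR_DEBUG: (0x2100, 0x1C), _DIR_IAT: (0x2000, 0x40)}.items():
        struct.pack_into("<II", opt, 96 + 8 * index, rva, size)
    table = b""
    for name, vsize, vaddr in ((b".text", 0x1000, 0x1000),
                               (b".rdata", 0x5A0, 0x2000),
                               (b".rsrc", 0x1B8, 0x4000)):
        entry = bytearray(40)
        entry[:len(name)] = name
        struct.pack_into("<II", entry, 8, vsize, vaddr)
        table += bytes(entry)
    return bytes(dos) + coff + bytes(opt) + table


if __name__ == "__main__":
    for key, value in extract_pe_features(build_sample_pe()).items():
        print("%-17s %r" % (key, value))
```

Feeding a real binary is a matter of passing open(path, "rb").read() to extract_pe_features(); the resulting dictionary is what a trained model would consume, and the ValueError path is the behaviour to expect on non-PE inputs.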

Testing

To test this tool I downloaded the file onto an Ubuntu 10.04 machine. To run, it needs some additional Python modules which I installed:

sudo apt-get install python-pefile
sudo apt-get install python-argparse

The tool supports a few command line options:

usage: AdobeMalwareClassifier.py [-h] [-f filename] [-n model] [-v [verbose]]

Classify an unknown binary as MALWARE or CLEAN.

optional arguments:
  -h, --help    show this help message and exit
  -f filename   The name of the input file
  -n model      The ordinal for model classifier: 0=all (default) | 1=J48 |
                2=J48Graft | 3=PART | 4=Ridor
  -v [verbose]  Dump the PE data being processed

I tested the tool on several different types of .exe including 7-Zip, VLC and the Java runtime:

  • All the .exe files tested returned UNKNOWN except for the Java runtime.
  • The Java runtime returned MALWARE!
  • The tool can’t read .msi files

Conclusion

Although this looks like interesting research it really can only be seen as a triage tool. Maybe if I had tested it against some actual malware I might have got some better results.

5 Threats Posed by Vulnerabilities

(LiveHacking.com) – A vulnerability scanner is an essential tool for any systems administrator. Vulnerabilities on your network and in your software can easily lead to compromised systems. There is a false impression that it requires a lot of skill to compromise a computer system. In reality, the number of incidents where machines are compromised through trivial oversights is substantial, and these could all have been identified and prevented by a good vulnerability scanner.
In this article we outline five threats posed by vulnerabilities and juxtapose them with five real-life cases.

1. Change to a network – In 2004, a postal bank office in Israel suffered a break-in. A quick investigation found that nothing had gone missing, so the whole episode was dismissed as a prank. In the following days, however, the office noticed that tens of thousands of shekels were going missing. A more thorough investigation revealed a rogue access point installed on the network; the thieves had broken in a few days earlier precisely to install it, and the break-in itself went unnoticed. A vulnerability scanner that inventories the network and reports when hardware is added or removed would have alerted the administrator to the rogue access point at the next scan.

2. Creation of an account and irregular use – In April 2011, a story broke about a former Gucci employee illegally accessing Gucci systems and causing $200,000 worth of damage. It started when the employee was fired and his administrator promptly disabled his accounts, as good security practice recommends. Before being fired, however, the employee had created a fake user account that the administrator was not aware of, and he then used it to access Gucci systems. A good vulnerability scanner would have helped detect the threat, first by alerting the administrator when the account was created, and second by notifying them when the account was used on an irregular basis, so the administrator could delete the unnecessary account.

3. Deploying a patch – On April 13, 2004, Microsoft released a patch for a security flaw in its Windows operating system. A few weeks after the patch was made available, the Sasser worm was released on the internet, exploiting that vulnerability and causing widespread chaos even though companies had had a few weeks' head start to deploy the patch. The worm caused a news agency to lose satellite communications for hours, an airline to cancel flights and a financial institution to close 130 of its offices due to widespread infection. An important function of a vulnerability scanner is to scan the network for vulnerable applications for which a patch is available and inform the administrator. Provided the administrator is proactive in testing and deploying patches, a few weeks is more than enough to secure a network.

4. Creation of blank passwords – One of the top hacker stories recurring in the news over the past five years is that of Gary McKinnon. Out of his conviction that the United States government had information about extraterrestrials, anti-gravity and free energy, in February 2001 McKinnon started looking for proof by trying to gain unauthorized access to US military and NASA computer systems. He allegedly scanned for administrator accounts with blank passwords, found quite a few systems with them, and compromised those. A good vulnerability scanner helps in two ways here. First, it scans and reports on a system's password policy, so the administrator can tell whether users are able to create weak passwords. Second, it checks administrator accounts for blank passwords.

5. File sharing software – We all know that the US military takes secrecy seriously, and some of its most closely guarded details concern the presidential helicopter's defence systems. In March 2009, however, news broke that details about Marine One's missile system were being shared on a P2P network from a computer in Iran. It turned out that an employee of the contractor responsible for the helicopter had installed file sharing software and inadvertently shared the classified file. The data leakage risk posed by file sharing software is well known. A good vulnerability scanner will not only inform the administrator when new software is installed on a system, but will specifically flag file sharing software on a scanned computer.

These threats could easily have been brought to the administrator's attention by a vulnerability scanner. Vulnerabilities can cause any number of issues that lead to a system compromise; the number is so large that it may not be possible to stay ahead of them without tool support. A good vulnerability scanner checks for many vulnerabilities at the click of a button and provides the information an administrator needs to avoid pitfalls such as those in the five examples above.

Editor Note: This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more on what to look out for when choosing a vulnerability scanner.

Disclaimer: All product and company names herein may be trademarks of their respective owners.

CrySyS Lab Updates its Duqu Detector Toolkit to Recognize New Variant

(LiveHacking.Com) – CrySyS Lab has updated its Duqu Detector Toolkit to v1.24, adding signatures for a new variant of the Duqu malware found by Symantec. Symantec's classification is based on a single file it received, which is only one component of the whole Duqu package: the loader that is used to load the rest of the malware when the computer restarts. The file is called mcd9x86.sys and has a compile date of February 23, 2012. In an attempt to bypass anti-virus software it has been compiled with different options from those used in the previous version, and there are also code changes in the routines that decrypt the configuration block and load the malware's payload.

The Duqu malware has been a topic of constant discussion among security experts since its discovery in October 2011. Recently, while analysing its structure, researchers at Kaspersky Lab concluded that the parts of the code which communicate with the command and control (C&C) servers are written in an unknown programming language. Unlike the rest of the Duqu body, it is not C++ (nor Objective C, Java, Python, Ada or Lua). Compared to Stuxnet (which is considered a cousin of Duqu and is written entirely in C++), this unknown language is one of the defining features of Duqu. Further analysis then revealed that the mystery programming language was in fact a custom extension to C, generally called “OO C”, and that these parts of Duqu were written in C code compiled with MSVC 2008 using the special options “/O1” and “/Ob1”.

Duqu Detector Toolkit

The detector uses simple signature and heuristic detection techniques to find Duqu infections on a computer or in a whole network. It is able to find traces of infections where components of the malware have already been removed from the system. The Duqu malware got its name because of the temporary files it uses beginning with ~DQ. The detector toolkit also includes a tool to find all Duqu related temporary files on a system.

New Version of Metasploit Targets IPv6 Risks

(LiveHacking.Com) – Rapid7 has released a new version of Metasploit, its popular penetration testing toolkit, with new functionality to assess the security of IPv6 enabled systems. With Metasploit 4.2 users can test whether IPv6 addresses on their network are vulnerable to attack. The framework includes hundreds of working remote exploits for a variety of platforms, and the new IPv6 tests matter for organizations that have not methodically deployed IPv6 but have allowed it to creep in as operating systems and devices started enabling IPv6 by default. For example, Windows 7 and Windows Server 2008 prefer the IPv6 address over the IPv4 address by default for management traffic and network shares.

“The number of IPv6-enabled systems has quadrupled over the last three years, broadening the attack surface for cyber attackers, with over 10% of the world’s top web sites now offering IPv6 services,” said HD Moore, CSO of Rapid7 and chief architect of the Metasploit Project.

Because IPv6 runs in parallel with IPv4, it is often not managed as carefully as the existing IPv4 network, so companies should audit their IPv6-enabled internal and external hosts. Rapid7 cites the example of organizations that have blocked zone transfers on their DNS servers for IPv4 but left this common flaw wide open on IPv6. Another real-world example is a firewall correctly configured to filter IPv4 traffic that accepts all IPv6 traffic. Furthermore, some older Intrusion Prevention Systems (IPS) may be completely unaware of IPv6 traffic.
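As an added example (not Nmap's or Rapid7's code), the following Python script ties the Nmap “-6” option described earlier to the audit gap Rapid7 describes here: scan the same host once over IPv4 and once over IPv6, then diff the two results, and any port that is filtered on IPv4 but open on IPv6 is exactly the firewall hole you are looking for. The two XML documents embedded in the script are constructed nmap -oX output for a fictional host at documentation addresses (192.0.2.0/24 and 2001:db8::/32); in practice you would produce them with “nmap -sS -p- -oX scan4.xml HOST” and “nmap -6 -sS -p- -oX scan6.xml HOST” and read the files instead.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output for one host scanned over IPv4 and, with "nmap -6",
# over IPv6.  Both documents are fabricated for this example.
SCAN_V4 = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -p 53,445,3389 -oX - ns1.example.test" version="6.00">
<host><status state="up" reason="syn-ack"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<hostnames><hostname name="ns1.example.test" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="53"><state state="open" reason="syn-ack"/><service name="domain"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/><service name="ms-wbt-server"/></port>
</ports></host>
</nmaprun>"""

SCAN_V6 = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -6 -sS -p 53,445,3389 -oX - ns1.example.test" version="6.00">
<host><status state="up" reason="syn-ack"/>
<address addr="2001:db8::10" addrtype="ipv6"/>
<hostnames><hostname name="ns1.example.test" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="53"><state state="open" reason="syn-ack"/><service name="domain"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
</ports></host>
</nmaprun>"""


def open_ports(nmap_xml: str) -> dict:
    """Map each scanned host (by PTR name, else address) to its set of open (protocol, port)."""
    result = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        name_el = host.find("hostnames/hostname")
        addr_el = host.find("address")
        key = name_el.get("name") if name_el is not None else addr_el.get("addr")
        ports = result.setdefault(key, set())
        for port in host.iter("port"):
            if port.find("state").get("state") == "open":
                ports.add((port.get("protocol"), int(port.get("portid"))))
    return result


def ipv6_only_ports(v4_xml: str, v6_xml: str) -> dict:
    """Ports reachable over IPv6 that are not open over IPv4, per host.

    Hosts are matched by name so the two address families line up; a host
    that only appears in the IPv6 scan is reported with all of its open ports.
    """
    v4, v6 = open_ports(v4_xml), open_ports(v6_xml)
    gaps = {}
    for host, ports6 in v6.items():
        extra = ports6 - v4.get(host, set())
        if extra:
            gaps[host] = extra
    return gaps


if __name__ == "__main__":
    for host, ports in ipv6_only_ports(SCAN_V4, SCAN_V6).items():
        for proto, port in sorted(ports):
            print("%s: %s/%d open over IPv6 only" % (host, proto, port))
```

On the constructed data the script reports 445/tcp and 3389/tcp as reachable over IPv6 only, the pattern of a firewall that filters IPv4 but passes IPv6 untouched. Matching on the PTR name is a convenience for the example; with real scan output you may need to pair addresses from your own inventory instead.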

Metasploit 4.2 is available immediately from rapid7.com. The new features are available in both the open source and commercial editions of Metasploit.

Updates Released for IPFire Open Source Firewall

(LiveHacking.Com) – Two new core updates for the IPFire firewall distribution have been released. Core update 54 contains minor feature enhancements and bugfixes, while core update 55 incorporates the six security updates recently released for OpenSSL.

Core update 54
Update 54 adds the latest Intel network drivers (igb 3.2.10, e1000 8.0.53 and e1000e 1.6.3) and updates the web proxy service so that it consumes less memory in some situations. The intrusion detection system rules download works again for the latest ruleset, and the hardware status section of the web user interface recognizes more hard drives.

The details are as follows:
Package updates: squid 3.1.18, snort 2.9.1.2 (daq 0.6.2), smartmontools (5.42)
Network drivers: Intel network drivers (igb 3.2.10, e1000 8.0.53, e1000e 1.6.3), ath9k-htc (USB) firmware 1.3, timezone and hardware database, GeoIP database
Small bugfixes: Syntax error in DHCP client script, H.323 connection tracking modules are not loaded when the system starts.

Core update 55
The recent updates to OpenSSL, the popular open source toolkit for SSL/TLS, which fixed a total of six security flaws made the bulk of the changes for update 55. The only other update of interest is that OpenSSH has also been updated to version 5.9p1.

More information about these updates can be found in the release announcement, plus in the Core 54 & Core 55 change logs. IPFire 2.11 Core 55 is available to download from here.

Wi-Fi Protected Setup Vulnerable to Brute Force Attack

(LiveHacking.Com) – Security researcher Stefan Viehböck has revealed a design and implementation flaw in Wi-Fi Protected Setup (WPS) that makes Wi-Fi networks vulnerable to brute-force attacks. US-CERT has issued an advisory which recommends disabling WPS. The WPS specification has three methods of simplifying the connection of wireless devices to WPA2 protected access points. One of those methods involves an eight digit PIN printed on a label on the router, which authorizes the client to obtain the WPA2 configuration details.

An eight digit PIN should allow 100,000,000 different combinations, but by design the last digit is a checksum of the other seven, which reduces the possibilities to 10,000,000. The real weakness, however, is that the protocol verifies the PIN in two halves: the client proves knowledge of the first four digits first, and the access point's response reveals whether that half alone is correct before the second half is ever checked. This reduces the search to at most 10,000 guesses for the first half (4 digits) plus 1,000 for the second (3 digits, since the checksum can be calculated), which is just 11,000 possibilities.
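The arithmetic above, as an added Python example that is not part of the original article or of Viehböck's tool: wps_checksum() implements the WPS PIN checksum digit (the well-known default PIN 12345670 passes it), RegistrarOracle is a hypothetical stand-in for the access point that, like the real protocol, answers each half of the PIN separately, and brute_force_pin() recovers the PIN by first fixing the 4-digit first half and then the 3-digit body of the second half, so the number of queries never exceeds 11,000.

```python
def wps_checksum(first_seven: int) -> int:
    """Checksum digit for the 7-digit body of a WPS PIN (the algorithm from the WPS spec)."""
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: int) -> bool:
    """True if the 8-digit PIN's last digit is the checksum of the first seven."""
    return 0 <= pin <= 99999999 and pin % 10 == wps_checksum(pin // 10)


class RegistrarOracle:
    """Hypothetical model of the access point side of the WPS PIN exchange.

    In the real protocol the client proves knowledge of the first half of the
    PIN in message M4 and of the second half in M6; the AP answers a wrong half
    with a NACK immediately, so each half can be attacked on its own.
    """

    def __init__(self, secret_pin: int):
        assert wps_pin_valid(secret_pin), "the AP's own PIN must carry a valid checksum"
        self.secret_pin = secret_pin
        self.attempts = 0          # protocol runs an attacker had to complete

    def m4_first_half(self, first4: int) -> bool:
        self.attempts += 1
        return first4 == self.secret_pin // 10000

    def m6_second_half(self, first4: int, second4: int) -> bool:
        self.attempts += 1
        return (first4 == self.secret_pin // 10000
                and second4 == self.secret_pin % 10000)


def brute_force_pin(ap: RegistrarOracle) -> int:
    """Recover the PIN with at most 10,000 + 1,000 = 11,000 oracle queries."""
    # Phase 1: the first four digits, confirmed by the AP's reply to M4.
    first4 = next(c for c in range(10000) if ap.m4_first_half(c))
    # Phase 2: digits 5-7; digit 8 is derived, not guessed.
    for body in range(1000):
        second4 = body * 10 + wps_checksum(first4 * 1000 + body)
        if ap.m6_second_half(first4, second4):
            return first4 * 10000 + second4
    raise RuntimeError("no PIN matched; the AP's checksum handling differs from the spec")


if __name__ == "__main__":
    ap = RegistrarOracle(12345670)
    print("recovered %08d after %d protocol runs" % (brute_force_pin(ap), ap.attempts))
```

The attempt counter is the whole point: against a PIN such as 99999995 the loop tops out at exactly 11,000 runs, whereas guessing all eight digits blindly would take up to 100,000,000. An AP that locks WPS down after a few failed M4/M6 exchanges, or rate-limits them, is what turns this from hours into an impractical attack, which is why the advisory's advice is simply to disable WPS.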

According to Viehböck  this means that some routers, which don’t employ any mechanisms to slow down brute force attacks, can be cracked within 44 hours. More information about this vulnerability can be found in Stefan’s paper: Brute forcing Wi-Fi Protected Setup. He has also released a PoC Brute Force Tool that can be found here.

Note: This vulnerability was also independently discovered by Craig Heffner (/dev/ttyS0, Tactical Network Solutions), who has released a tool called “Reaver” on Google Code.