As a result, the SANS Internet Storm Centre has raised their InfoCon threat level to Yellow. This is because weaponised versions of functional exploit code are expected over the coming days and weeks, with past experience making it likely that the exploit will be linked to worm capabilities for automated propagation.

So, the sky is falling right? Not as much as the furore would have you believe. Despite this does have the potential to become a well known, well exploited and long running bug; it is defensible with solid practices in play.

1. Turn it off: If you don’t need RDP (or any port/service for that matter), turn it off. Reduces the attack vector against known or unknown weaknesses in the service
2. Patch it: Microsoft released a patch of the weakness on Tuesday BEFORE exploit code was widely publicly available. You should be patching systems as standard operations; if you’re not, no would be a good time to catch up and remove the oversight.
3. Limit access: If you can’t turn the service off because you need it, does it need to be available to world? If not restrict access to trusted source locations only via either perimeter or host based firewalling (or both). It doesn’t remove the threat completely, but it should severely reduce the risk if you’re not accepting connections from any machine on the internet. Only allowing access to the port via a VPN connection would also reduce the ability of a malicious source to connect to the service.
4. (Bonus Point) Logging: Make sure you keep a close eye on your system logs; if you do get compromised, the damage could be limited if you can identify and respond to the breach promptly.

I’ve enjoyed watching the action this week, and the potential fallout has the potential to be more interesting still; but you should be able to prevent your systems from become part of a large statistic of low-hanging fruit with a few easy or common steps to securing your environment against the threat.

–Andrew Waite

I’m a geek (no surprises there), and thanks to too many hours hunched of the keyboard in the dark coding away into the small hours I’ve come to resemble the stereotype; overweight, four-eyed and (preferably) in black. I always assumed that this was me, and was happy with that; but towards the end of last summer there appeared to be an increase in geeks and hacker-types pushing to get fitter: Hackerrun came and went, and a couple of my clients participated in a local 10k run. So I thought I’d see what all the fuss was about and join in.

Running

At the time I came across the Couch to 5k program, which claims to be a nine week training program that will take you from zero fitness to being able to run 5k. Three workouts a week, no more than 30minutes a workout; even I can find time to squeeze that into my routine when I try to. I can definitely vouch for the zero fitness aspect of the program, the very first workout has you running for only one minute at a time (and who can’t run for a minute?). Well, it turned out I couldn’t…..

I’m still not running 5k yet despite being training for more than nine weeks, but I’m definitely getting there and I’m now completing training sessions that would have killed me 6 months ago without complaint.

Strength

Running has been going well, but I wanted to round out my training to get stronger as well as fitter; but as I don’t have room at home for large and expensive weight machines and don’t want to get locked into paying a gym for the next 12months or more I was struggling to find a way to incorporate this, until I came across the 100 pushup challenge.

The theory and training programme are similar to c25k, which I’m already comfortable with, follow a training plan and in eight weeks you’ll be able to do 100 consecutive pushups. Starting with an initial strength test of ‘how many pushups can you do without collapsing’ (I managed a meagre 6) you find a column on the training programme, and again have three workouts a week. This takes even less time than the 30minutes needed for the running sessions, I completed each of the week 1 sessions in ~5minutes each.

I only completed the last workout session of week 1 this morning, and already I managed a total of 44 pushups, with my last set being 12; twice what I was capable of at the start of the week. How’s that for progress?

IT Angle?

So, why am I sharing this? For one, I’m hoping that by throwing the fact that I’m training out in the public domain I’ll generate some peer pressure to keep going. It’s harder to stop if you have to explain to everyone why you’ve gone back to being lazy and unfit. Secondly, I wanted to share some of the apps, tech and services I’ve used so far in the hope it might help someone else.

I track all of my runs (and longer dog walking sessions) with RunKeeper. With the Runkeeper app on any GPS enabled smartphone it will track your route and pace of any run. Personally I find having stats, maps and other geekery tracking my progression helps keep my attention overtime. It’s also very simple to program the c25k workouts into runkeeper so your phone will beep when you’ve reach the time to switch between running and walking. Security warning: runkeeper doesn’t enforce HTTPS at login or elsewhere on the site, make sure your protected when you connect.

One word of caution, I found the GPS antenna on my phone becoming flaky so I recently upgraded to a dedicated sports watch, Garmin Forerunner 110. Not cheap, but still far cheaper than my outlay would have been if I was pounding the treadmill in a gym rather than the pavement for free.

On the pushup front, I’ve been using the Stronger app for tracking strength training and integrates nicely with RunKeeper to keep everything in the same place. The app works well, but I’ve found it to be ssssllllllloooooowwwwwwww at times.

Peer pressure time; if you’re a RunKeeper user my profile is here, feel free join my street team. If you’re not a RunKeeper user you can still use the same link to track my training progress and give me a friendly kick if I stop being active

Never thought I’d say this, but I’m actually enjoying doing physical exercise now. And losing 10% of my starting body weight so far doesn’t hurt either; if I can do it, anyone can.

–Andrew Waite

(*) for the none ‘nix geeks reading this, the post title is a Bash one-liner. With the sed command changing the eventual output from fat to fit…..

Download Pipal from here

I’ve not had too much opportunity run the tool myself, as Robin has been quick to release the results of Pipal’s analysis whenever a new breach has been made publicly available, results of this analysis can be found here.

So, trying to find an opportunity to give Pipal a run out, I decided to take a look at the passwords gathered by my Kippo installation. First up, I decided to take a look at the passwords used with added accounts once intruders compromise the system. Curious to see if the passwords chosen by those that break systems are vulnerable to the same weaknesses of standard users. This password list is quite short, so I’ll just add below:

• zmxncbv
• martin4e
• sanja123hack
• i123456
• sistem123q
• madaucusania
• zaq12ws34edc
• 3rwin89
• b3s3mn0gumala
• mylove120
• zipp3r21
• 19U!&u178
• sor123in

The full results of this analysis is available here.

Pipal’s output from the analysis can be found here. I was surprised with some of the findings, >;60% of the passwords were 8 characters or less, many based on dictionaries words and only one utilising non-alphanumeric characters. Considering the people choosing these passwords gained access to the server by taking advantage of weak root password, I’d really expect better awareness of the importance of generating strong passwords. Guess not…..

Next up, I wanted to take a look at the passwords that are being used by bruteforce and scanning attempts to gain access to the honeypot installation. This password list is far longer than the list above, totalling 382374 entries. The full list input file is available here, and was generating by running the below SQL query against Kippo’s database. For the purposes of this analysis I decided to ignore authentication attempts that use blank passwords, but for the curious, attempts with passwords number 244062 attempts.

select count(password) from auth where password ;”";

For those not familiar with Kippo, it’s worth noting that it’s default root password (which I stuck with for this analysis) is ’123456′, this will definitely have had an impact on the results below; partly because it features more prominently as attackers knowing the password confirm and utilise the the credentials, and bruteforce scanners will (may?) stop their attack once valid credentials are found, so that attempts which would have been made after ’123456′ are not seen by the Kippo sensor.

The full output from Pipal from this analysis can be found here. Whilst the advice is weaker than ‘best practice’ advice on creating secure passwords, this data set indicates that simply choosing a password with 10 or more characters will avoid more 80% of remote password cracking attempts (local, offline attacks will be a different matter so take with a pinch of salt.

From finally getting my hands dirty with Pipal it’s a great tool, that does exactly what it sets out to do; give the users the numbers, so they can tell the story of the dataset.

–Andrew

<DISCLAIMER: This may not be the best network design for running honeyd, this is merely how my environment is configured and it works for me as a research platform. As usual, your mileage may vary, especially if your use-case differs from my own>

As can be seen, the design has three distinct network segments:

• Publicly route-able IPs
• Internal network for honeypot hosts
• Virtual network for honeyd guest systems. These IP addresses sit on loopback interface on the host, with a static route on the firewall to pass all virtual traffic to the honeyd host.

Using a perimeter firewall with NAT/PAT capabilities allows easy switching between emulated systems and services if your public IP resources are limited; a large network of guests can be configured in advance and left static, then a quick firewall change is all that is required to expose different systems to the world.

Additionally, as much as honeypot systems are designed to be compromised and collect information of malicious attacks (or perhaps more correctly, because of this) , low-interaction systems like honeyd is designed to avoid full compromise. If something goes wrong and the host system gets fully compromised, a (sufficiently configured) perimeter firewall provides some control of outgoing traffic, limiting the attackers options for using the honeypot sensor to attack other systems.

Not much to it really; if you use an different setup and/or can suggest ways to improve the setup let me know, always looking to improve my systems where possible.

– Andrew Waite

[...] Cuckoo Sandbox is a malware analysis system.

Its goal is to provide you a way to automatically analyze files and collect comprehensive results describing and outlining what such files do while executed inside an isolated environment.

It’s mostly used to analyze Windows executables, DLL files, PDF documents, Office documents, PHP scripts, Python scripts, Internet URLs and almost anything else you can imagine.

Considering Cuckoo is the combined product of several tools, mostly focused around VirtualBox, I found install and setup was largely trouble free, mostly thanks to the detailed installation instructions from the tools online documentation. I only encountered a couple of snags.

No VMs

[2011-12-29 17:21:56,470] [Core.Init] INFO: Started.
[2011-12-29 17:21:56,686] [VirtualMachine.Check] INFO: Your VirtualBox version is: “4.1.2_Ubuntu”, good!
[2011-12-29 17:21:56,688] [Core.Init] INFO: Populating virtual machines pool…
[2011-12-29 17:21:56,703] [VirtualMachine] ERROR: Virtual machine “cuckoo1″ not found: 0x80bb0001 (Could not find a registered machine named ‘cuckoo1′)
[2011-12-29 17:21:56,704] [VirtualMachine.Infos] ERROR: No virtual machine handle.
[2011-12-29 17:21:56,705] [Core.Init] CRITICAL: None of the virtual machines are available. Please review the errors.

The online documentation specifies creating a dedicated user for the cuckoo process. Sound advice, but if you create your virtual guest machines under a different user (like I did, under a standard user account), then the cuckoo process cannot interact with the virtualbox guests. Either changing ownership of cuckoo, or specifically creating the guest VMs as the cuckoo user will solve the issue.

Creating Database

Last problem encountered was Cuckoo’s database, which if it doesn’t exist when the process will create a blank database. Which (obviously, in hindsight) will fail if the running user doesn’t have permissions to write to Cuckoo’s base directory.

cuckoo.py

With problems out of the way, Cuckoo runs quite nicely, with three main parts. the cuckoo.py script does the bulk of the heavy lifting and needs to be running before doing anything else. If all is well it should run through some initialisation and wait for further instructions:

/opt/cuckoo $ ./cuckoo.py
_
____ _ _ ____| | _ ___ ___
/ ___) | | |/ ___) |_/ ) _ \ / _ \
( (___| |_| ( (___| _ ( |_| | |_| |
\____)____/ \____)_| \_)___/ \___/ v0.3.1

www.cuckoobox.org
Copyright (C) 2010-2011

[2011-12-29 20:27:17,120] [Core.Init] INFO: Started.
[2011-12-29 20:27:17,719] [VirtualMachine.Check] INFO: Your VirtualBox version is: “4.1.2_Ubuntu”, good!
[2011-12-29 20:27:17,720] [Core.Init] INFO: Populating virtual machines pool…
[2011-12-29 20:27:17,779] [VirtualMachine.Infos] INFO: Virtual machine “cuckoo1″ information:
[2011-12-29 20:27:17,780] [VirtualMachine.Infos] INFO: \_| Name: cuckoo1
[2011-12-29 20:27:17,781] [VirtualMachine.Infos] INFO: | ID: 9a9dddd8-f7d6-40ea-aed3-9a0dc0f30e79
[2011-12-29 20:27:17,782] [VirtualMachine.Infos] INFO: | CPU Count: 1 Core/s
[2011-12-29 20:27:17,783] [VirtualMachine.Infos] INFO: | Memory Size: 512 MB
[2011-12-29 20:27:17,783] [VirtualMachine.Infos] INFO: | VRAM Size: 16 MB
[2011-12-29 20:27:17,784] [VirtualMachine.Infos] INFO: | State: Saved
[2011-12-29 20:27:17,785] [VirtualMachine.Infos] INFO: | Current Snapshot: “cuckoo1_base”
[2011-12-29 20:27:17,785] [VirtualMachine.Infos] INFO: | MAC Address: 08:00:27:BD:9C:4F
[2011-12-29 20:27:17,786] [Core.Init] INFO: 1 virtual machine/s added to pool.

submit.py

The submit.py script is one of the ways for getting cuckoo to analysis files:

python submit.py –help
Usage: submit.py [options] filepath

Options:
-h, –help show this help message and exit
-t TIMEOUT, –timeout=TIMEOUT              Specify analysis execution time limit
-p PACKAGE, –package=PACKAGE           Specify custom analysis package name
-r PRIORITY, –priority=PRIORITY              Specify an analysis priority expressed in integer
-c CUSTOM, –custom=CUSTOM                 Specify any custom value to be passed to postprocessing
-d, –download                                                   Specify if the target is an URL to be downloaded
-u, –url                                                                Specify if the target is an URL to be analyzed
-m MACHINE, –machine=MACHINE          Specify a virtual machine you want to specifically use for this analysis

Most of the options above are self-explanatory, just make sure to select the relevant analysis package depending on what you’re working with; possibilities are listed here.

web.py

Finally, web.py provides a web interface for reviewing the results of all analysis performed by cuckoo, bound to localhost:8080.

I’d like to thank the team that developed and continue to develop the cuckoo sandbox. I look forward to getting more automated results going forward and hopefully getting to a point where I’m able to add back to the project; until then I’d recommend getting your hands dirty, from my initial experiments I doubt you’ll be disappointed. But if you won’t take my word for it, watch Cuckoo in action analysing Zeus here.

– Andrew Waite

From the timescales involved, kingpin covers many years and several of Max’s ‘projects’ made national headlines at the time. Some, like the Pentagon being hacked via a weakness in BIND were folklore by the time I personally entered the infosec profession. While others, like the ongoing wars and takedowns between various carder forums were more recent and featured heavily in the press at the time.

The part of the book that I found fascinating throughout was that I was unaware that many of these, on the surface, unconnected stories were linked to the same individual; plus several more on the legal/whitehat side of the community, some of which I have used and experimented with prior to reading Kingpin, it’s usually interesting to get some of the backstory behind tools in this industry, but it’s especially the case with this backstory.

Equally, I found the portrayal of Max’ early years to be intriguing, reading Kingpin I had the feeling (rightly or wrongly), that the outcome of the story could have been different had a couple of actions and/decisions gone the other way, leaving Max as an asset to the infosec community rather than running one of the largest criminal forums on the net. Can’t help wondering if Max could have ended up being a positive force in the infosec community, or if those that are could have ended up going the same route had circumstances been slightly different.

From the right side of the law, I was fascinated with the details of Special Agent Mularski’s undercover work as Master Splyntr. Like a lot of the content of the book I was familiar with the impact Splyntr had had within carding community from several press articles at the time, but hadn’t dug in too much depth. Knowing more about the time and dedication required by one man that ultimately lead to many arrests I’d like to make an offer to Agent Mularski: if we’re ever in the same place, introduce yourself and the drinks are on me (and hopefully the war-stories are on you).

If you’ve got any interest in information security or crime in general, I’d strongly recommend that you put a few hours aside read Kingpin. If you’re disappointed after you finish I’ll be surprised.

–Andrew Waite

The scope of the plot starts out slow, and rapidly expands to cover a full gamut of topics, from skiddies in IRC channels and Russian hackers for hire, to corrupt government officials and Al Qaeda terrorist plots (even Bin Laden turns up in person). Dispite the Hollywood style plot elements, Russinovich keeps the technical aspects of the plot grounded in reality, even to the level that the odd code segment included can be reviewed by a (semi)proficient reader can determine the next plot arc before the characters reach the same conclusions.

The overall story, and the culture the characters operate in clearly show the difference between an author with a technical background and plenty of real world experience with the subject matter, over a proficient author who has had expert assistance to get the technical aspects of a story to a plausible level, and makes a very welcome change in this growing area of fiction. Russinovichs experience working with government and industry parties as part of the recent clampdown on botnets, the work in this area is a clear influence for the Zero Day story arc. Thankfully, Despite this being Russinovichs first novel I found it surprisingly well written, with believable characters and a plot that I became emotionally invested in (and without spoilers, cheered inside when a certain character got what I’d felt from first introduction that they deserved).

If you’ve got any interest in information security, computer/network administration to just good sci-fi I’d strongly recommend picking up a copy of Zero Day, it may be shorter that I would have liked (only because I want MORE) but I thoroughly enjoyed the time spent in its created scenario. Hopefully it will serve as a warning of what could happen, rather than a premonition of an actual occurrence; unfortunately it’s likely that those with the true power to stop events similar to the books plot won’t be interested in the story summary and will miss the warning.

– Andrew Waite

Artillery is a combination of a honeypot, file monitoring and integrity, alerting, and brute force prevention tool. It’s extremely light weight, has multiple different methods for detecting specific attacks and eventually will also notify you of insecure nix configurations.

Installation of Artillery is currently really simple, download via svn, run the installer script, edit the config file (if necessary) and run:

$svn co http://svn.secmaniac.com/artillery artillery/

$./installer.py

$nano config

$./artillery.py

N.B. don’t make the same daft error I made initially by editing the files in the svn download. Once the installer.py script has been run, cd to /var/artillery.

Artillery goes beyond typical honeypots, as it actively blocks remote clients and protects the system it’s running on. Artillery listens on a number of common ports (configurable, look at the PORTS variable), if it receives a connection on any of the fake ports it permanently blocks the source IP address by adding a DROP rule to iptables.

From my experience Artillery gets results REALLY quickly. After getting the system online I performed a quick test from another host under my control and starting writing up this post; in the time it’s taken to write the content above Artillery has already added 8 addresses  to iptables:

Chain INPUT (policy ACCEPT)
target     prot opt source                                destination
DROP       all  --  host-31-42-163-53.pois.com.ua         anywhere
DROP       all  --  net242.187.188-2.oren.ertelecom.ru    anywhere
DROP       all  --  94-21-36-156.pool.digikabel.hu        anywhere
DROP       all  --  89.122.216.109                        anywhere
DROP       all  --  ras.beamtele.net                      anywhere
DROP       all  --  dsl5401A8C9.pool.t-online.hu          anywhere
DROP       all  --  catv-178-48-151-67.catv.broadband.hu  anywhere
DROP       all  --  176.14.205.91                         anywhere

Other functionality included in Artillery mirrors that of Tripwire, monitoring the contents of different directories (again, configurable) and generating alerts if the contents of the directories and files changes.

I really like the premise of Artillery, and Dave in his usual fashion is coding like a madman adding fixes and new functionality (new version, 0.1.1 was released 24hrs after initial announcement). I’d be wary where you set this system up to test it though due to the automatic lockout; if Artillery is on a remote system, and you connect to a dummy port from your location to test you’ve just been locked out of your own server ;)

Looking forward to seeing Artillery mature, thanks Dave.

–Andrew Waite

During a recent job I came across a new (I’m assuming, hadn’t noticed it before) feature of AVG free, the PC Analyzer component. Being the curious sort I hit the go button, scan ran for around 5 minutes and I was presented with this:

PCAnaylzer-results

Ouch, I was surprised with the number of errors as this is a machine I keep a regular eye on, and in some cases use myself (it’s the missus’). Time to panic? Let’s see:

• Registry errors: Errors affect system stability: (125)

That doesn’t sound good, checking the ‘Details…’ link presented me with a long list Registry keys, which to a standard end-user would result in turning on BofH’s Dummy Mode. In reality, it found a lot of keys to set the ‘open with’ right-click function depending on file extension. ‘Affect system stability’? Not so much, and I find the links useful enough that I’ve previously researched how to add my own…

• Junk Files: These files take up disk space: (599)

Again checking the details, long list of randomly named files. In the temporary folder. All ~600 took a total of less the 300MB, and the machine has more the 200GB free. Something to correct come next house cleaning session, but not really a problem.

• Fragmentation: Reduces disk access speed

In fairness to the tool, it did come back clean and we know that fragmentation can be an issue. But that’s why every machine I’ve ever used has come with a defrag utility, as standard, for free. (OK, my BBC Micro B didn’t, but then it also had a cassette deck rather than a hard disk).

• Broken Shortcuts: Reduces explorer browsing speed(42)

Ok, so I forget a folder of shortcuts to junk that came pre-installed with the system. I’d deleted the junk, forgot the shortcuts. Thanks for the reminder, fixed.

Summary

Plenty of ‘problems’ highlighted, time to run out and drop £25 for an annual subscription to the clean-up tool? Nope, ignoring the fact that many of these issues are system settings that actually aid the end user, the remaining issues won’t have any negative impact that the end-user will notice.

In my own opinion, AVG is taking a leaf out of the fake AV scams and scaring non-techies into parting with their hard earned coin in a bid to keep the computer running and bank details away from the scary hackers that the nice lady on the news keeps taking about. Presenting a list of meaningless (to most) information and saying it’s bad is exactly the tactic I encountered with cold call scammers earlier in the year.

As a final side note, I’ve lost two of my ‘users’ this year to AVG simply because when the AVG free license I’d installed expired, they couldn’t find a link to download the latest free version, only MANY links to the paid version. As my users are nice people (latest ‘victim’ was my grandfather), they decided themselves that it was better for them to pay the small fee than have to call me and interrupt my life.

Can anyone recommend a free AV suite that doesn’t con the unwitting into unnecessary purchases to perform a cleanup that could be performed manually with around 5 minutes and half a clue? AVG Free is a great tool, and for free I shouldn’t really complain, but when the sales tactics change to make money selling things people don’t need, to those that don’t know any better?

–Andrew Waite

Anyone who’s taken Offensive Security training should be familiar with KeepNote (similar to Leo, for those that took early versions of the courses). If you’re not familiar with KeepNote it does exactly what you’d expect from the name, provide a handy way to keep and organise information. And it does a good job of this, until….

Traceback (most recent call last):
  File "/usr/local/lib/python2.6/dist-packages/keepnote/gui/__init__.py", line 469, in open_notebook
    version = notebooklib.get_notebook_version(filename)
  File "/usr/local/lib/python2.6/dist-packages/keepnote/notebook/__init__.py", line 248, in get_notebook_version
    raise NoteBookError(_("Notebook preference data is corrupt"), e)
NoteBookError: SyntaxError('junk after document element: line 11, column 0',)
Notebook preference data is corrupt
root@bt:~/pwbv3/labnotes#

Aaaarrgh!

After much searching I found several posts discussing similar issues but following the same resolutions did not resolve by problems. With this I resorted to my fallback plan, create new notebook and begin to repopulate with my content (each node is stored as a plain text file, so I was looking at lots of cut and paste). Then a thunderbolt hit me.

I copied each branch of the original note tree to the new tree, and hay-presto! functioning notebook retained and disaster averted.

cp -r ~/old-notebook/branch/ ~/new-notebook/.

Of course a better solution is just to hit the ‘File>Backup Notebook’ option occasionally.

–Andrew Waite