Posts Tagged business

Tools for reviewing infected websites, (Fri, Sep 27th)

At the ISC we had a report today from Greg about obfuscated Javascript on the site hxxp://  A little research revealed that this site has been infected in the past. Nothing extraordinary, just another run of the mill website infection. 

What did strike me is how the nature of this research has changed  in recent years.  Not so long ago checking out a potentially infected website would have involved VMs or goat machines and a lot of patience and trial and error.  Today there are so many sites that will do the basics for you.  Greg sent us a link to URLQuery which displays a lot of information about a website including the fact that this one is infected.

I am increasingly becoming a fan of Sucuri for this type of research.  Like URLQuery, Sucuri finds this website infected.

Sucuri also provides some other details that are interesting.  A dump of the Javascript code:

In this case what most intrigued me was the blacklist status of the website.

At the time of my review the infection was still being picked up by the various blacklist websites.  Between the time I took this screenshot and when I finished this diary, SiteAdvisor had picked it up and I will assume the others will follow close behind.

Definitely easier than in the past.  Now to find some time to work on that JavaScript.

Have any web based tools you like?  Please pass them on through comments to this diary!

Have a great weekend!

— Rick Wanner MSISE – rwanner at isc dot sans dot edu – Twitter: namedeplume (Protected)

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.


IDS, NSM, and Log Management with Security Onion 12.04.3, (Tue, Sep 24th)

This is a "guest diary" submitted by Doug Burks. We will gladly forward any responses or please use our comment/forum section to comment publicly.

I recently announced the new Security Onion 12.04.3:
What is Security Onion?
Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
Can I see it in action?
The video and slides from my recent BSidesAugusta presentation are available:
I also just published a series of walkthrough videos as well:
How do I get it?
Download our ISO image (based on Xubuntu 12.04 64-bit) OR start with your preferred flavor of Ubuntu 12.04 (Ubuntu, Kubuntu, Lubuntu, Xubuntu, or Ubuntu Server) 32-bit or 64-bit, add our PPA and install our packages.  Please see our Installation guide for further details:
Lots o' Logs
If you connect Security Onion to a tap or span port, it will generate lots of logs out of the box:
– NIDS alerts from Snort or Suricata
– Bro conn.log (session data)
– Bro dns.log – all DNS transactions seen on your network
– Bro http.log – all HTTP transactions seen on your network
– Bro notice.log – events of interest
– Bro ssl.log – SSL cert details
– and many more!
In addition, you can install OSSEC agents on other boxes on your network and point them to the OSSEC Server that's already running on Security Onion.  You'll then get the raw logs from those OSSEC agents and you'll also get HIDS alerts as the OSSEC Server analyzes those logs.  For those devices that can't run an OSSEC agent, you can point their syslog to the syslog-ng collector on Security Onion.
How do we manage all those logs?
ELSA is a great tool for hunting through your logs.  Martin Holste, the author of ELSA, describes it like this:
"ELSA is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web."
Take a look at the following ELSA video to see how you can slice and dice your logs very quickly and easily:
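The Bro logs listed above share one plain-text layout: tab-separated columns, a "#fields" header naming them, and "-" for an unset value. As an added example (not code from Security Onion, Bro or ELSA), here is a small parser for that layout applied to a constructed dns.log excerpt that uses a subset of the real dns.log columns, with two "hunting" queries of the kind you would otherwise run in ELSA; the helper names and sample addresses are mine.

```python
from collections import Counter

# Constructed sample in the Bro ASCII log layout (a subset of the real
# dns.log columns). These are not real captures.
SAMPLE_DNS_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tdns
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\trcode_name\tanswers
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring\tvector[string]
1380000000.100000\tCabc1\t10.0.0.5\t51000\t10.0.0.1\t53\tudp\twww.example.com\tA\tNOERROR\t93.184.216.34
1380000001.200000\tCabc2\t10.0.0.5\t51001\t10.0.0.1\t53\tudp\tcdn.example.net\tA\tNOERROR\t-
1380000002.300000\tCabc3\t10.0.0.7\t51002\t10.0.0.1\t53\tudp\tnonexistent.example.org\tA\tNXDOMAIN\t-
1380000003.400000\tCabc4\t10.0.0.7\t51003\t10.0.0.1\t53\tudp\twww.example.com\tAAAA\tNOERROR\t-
1380000004.500000\tCabc5\t10.0.0.9\t51004\t10.0.0.1\t53\tudp\tzzz.example.org\tTXT\tNXDOMAIN\t-
"""


def parse_bro_log(text):
    """Yield one dict per record, using the #fields header for column names.

    Lines starting with '#' are metadata ("#separator", "#fields", "#types",
    "#close", ...). An unset field is written as '-' and is returned as None.
    """
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data record seen before the #fields header")
        values = line.split("\t")
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def nxdomain_by_client(records):
    """Count NXDOMAIN responses per querying host.

    A burst of NXDOMAIN answers from one client is worth a look: it is a
    common sign of a misconfigured resolver or of malware cycling through
    generated domain names.
    """
    counts = Counter()
    for r in records:
        if r.get("rcode_name") == "NXDOMAIN":
            counts[r["id.orig_h"]] += 1
    return counts


def top_queries(records, n=3):
    """Return the n most frequently queried names as (name, count) pairs."""
    return Counter(r["query"] for r in records).most_common(n)


if __name__ == "__main__":
    recs = list(parse_bro_log(SAMPLE_DNS_LOG))
    print("records:", len(recs))
    print("NXDOMAIN per client:", dict(nxdomain_by_client(recs)))
    print("top queries:", top_queries(recs))
```

The same parser works for conn.log, http.log or ssl.log, because it takes the column names from the "#fields" line rather than hard-coding them.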
Doug Burks
Want to learn more about Log Management?  Join me for SANS SEC434 Log Management In-Depth in Memphis TN on October 16th and 17th! 

Am I using my Fingerprints yet?, (Mon, Sep 23rd)

I came across an article today that demonstrates a compromise of the new Apple 5S fingerprint reader.

In other words, a copy of your fingerprint is your fingerprint.  And as Johannes discussed in the first article on this, the screen on your phone is one of the better fingerprint collectors out there!
For me, this brings up both sides of "the fingerprint discussion":

  • You can't change your fingerprints – once a real copy of them is compromised, they are compromised forever.
  • A representation of your fingerprint is stored on the device.  So if the device is lost or stolen, this representation could be used to compromise other things, if they use the same representation of your fingerprint (i.e. any other device that uses the same manufacturer's hardware).  Again, once stolen, they are stolen forever.
  • After a couple of years, you'll likely trade your phone in for a new one, and today there isn't a way to know that a wipe of the phone wipes the saved representation of your fingerprint.
  • Your fingerprint may be backed up with your phone backup.  Historically, your phone's backups have been easier to pillage than your phone.
  • If your phone is damaged, you may not have a way of wiping it.

On the other hand:

  • On any given day, using your fingerprint is likely MUCH more secure for you than the 4 digit code you are likely using.
  • Since your phone code likely matches either your phone number or your bank code, either it's very easy to guess, or compromising it might have other unpleasant consequences for you.

There's lots of discussion on this online; I think we're still waiting on Apple to respond definitively on any of them.

Anyway, none of these arguments are new, we've been round and round on them anytime these last 10 years, since they started putting readers on laptops for login.  What's changed is that there are way more phones than there are laptops, and in most cases the 4 digit unlock code on your phone is all that protects your chequing account, your facebook, paypal, twitter and email accounts.

So, am I using my fingerprints yet?  Not on any of my laptops, but once I upgrade my 4S to the new model, it'll be awfully tempting to take the plunge – I guess I'm still thinking about it.  If Apple would implement a "fingerprint + PIN" two factor authentication solution, it'd be an easier decision.

We welcome your comments in our discussion forum (comment button below).

Rob VandenBrink


How do you spell "PSK"?, (Mon, Sep 23rd)

In my line of work, there are a lot of uses for a random string of text.  Things like:

  • VPN Preshared Keys
  • RADIUS or TACACS "shared secrets"
  • Windows Service Account Passwords
  • Administrative accounts (Windows local or domain Administrator, in some cases root in *nix)

You get the picture.  Strings that you need to key once, or once per instance.  In most cases, these are strings that, after creation, you don't necessarily need to know; you just need to know how to change them.

With this list of parameters, you'd think that folks would use random characters for these functions, right – or at least do the random keyboard walk for it?  In my experience, this is almost NEVER the case.  People try to spell things – "l3tm31n", "D0ntg0th3r3" and the like.  They'll use their company name, or the street address of their organization, or some other "meaningful" string.  And after using "leet-speak" passwords, they then carefully record the password and save it to a text file, usually on the server that's using the password.  As a pentester, this is a win for me: I don't even need to crack the password, you just gave it away!  As a system administrator, this horrifies me!

So, what to do?  In the past, I've used an Excel spreadsheet to generate a random string of "n" characters, selected from a set of characters that does not include the "confusing" ones (Oo01lIiL and so on).   The "randomness" was defined by how long I felt like leaning on the F9 key that day.  After creating the string, I would then try to get my client to NOT write down the string – this almost never works, but it's worth a try.

For today's story, I decided to improve on this a bit, and re-coded it in python.  This was a 5 minute script (as most of mine are), so if you see a way to improve or neaten this up in any way, please – don't be shy – use our comment form.

=========================================

from random import randint
import sys

if not (len(sys.argv) == 2):                                           # verify syntax
    print("Syntax PSK LENGTH_OF_PSK")
    sys.exit(1)                                                        # stop here instead of failing on the missing argument

rndstrlen = int(sys.argv[1])                                           # how long is the output string?

chars = "abcedfghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789"       # define the list of valid characters (no 0/O/o or 1/l/I/i)
charlist = list(chars)                                                 # change it to a list for lookups

numchars = len(charlist) - 1                                           # get length of string list, -1 for start from zero

outstring = ""                                                         # start with an empty output string

for i in range(0, rndstrlen):
    c = charlist[randint(0, numchars)]                                 # pick a random char from the list (note: random is not a cryptographic RNG)
    outstring += c                                                     # append it to outstring

print(outstring)

=========================================


Running this as "python psk 15" will create a 15 character pseudo-random string:

C:> python 15

C:> python 15

C:> python 15

C:> python 15

C:> python 15

You can change the values that are permitted to be in the string (to exclude lower case values, or to add special characters) by adding or removing characters in the "chars" string.  Changing the length of the string is as simple as changing the value in the command line option:

C:> python 32

C:> python 64

And please, in most cases there is NO reason to write down this password.  Your "windows service password for whichever service" for instance should be changed periodically, but in most cases there is no reason that you should know what it is, you just need to be able to change it. 

Also, if you use this to create a random pre-shared key for your site-to-site VPN, emailing it in cleartext is what we call "a bad idea".  Not only is it open for theft as it transits the internet (and both internal networks), it's also stored (likely forever) in your sent mail and in the recipient's inbox, and likely in the Exchange Server message store – the whole cleartext data at rest / cleartext data in transit concept should ring a bell, especially if you've been audited for PCI lately.

As always, in these days when brute-forcing is simple, quick and cheap, bigger is in fact better.  For pre-shared keys or "write only" passwords, I generally start at 32 characters and go up from there.  Since you never need to re-key the thing, after it's generated you can cut/paste it and forget it.
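As an added example (not part of the diary above), here is the same generator built on Python's secrets module, which draws from the operating system's CSPRNG instead of random.randint (a Mersenne Twister that is fine for dice but not for keys), plus a helper that reports how many bits of entropy a string of a given length from this alphabet carries, which is what the "bigger is better" argument comes down to. The alphabet is the diary's; the function names and the default length are my own.

```python
import math
import secrets

# Same alphabet as the diary's script: no 0/O/o or 1/l/I/i, so the key
# can be read back over the phone without confusion. 54 symbols in total.
ALPHABET = "abcedfghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789"


def generate_psk(length):
    """Return a random string of `length` characters drawn from ALPHABET.

    secrets.choice() reads from the OS CSPRNG (os.urandom), which is what a
    pre-shared key or service-account password should be built from.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length):
    """Bits of entropy in a uniformly chosen string of `length` ALPHABET characters.

    Each symbol contributes log2(54), about 5.75 bits, so 32 characters give
    roughly 184 bits and 64 characters roughly 368.
    """
    return length * math.log2(len(ALPHABET))


def looks_valid(psk, length):
    """Check that a generated value has the requested length and only ALPHABET characters."""
    return len(psk) == length and all(c in ALPHABET for c in psk)


if __name__ == "__main__":
    import sys
    # Default of 32 characters is my choice, matching the diary's starting point.
    n = int(sys.argv[1]) if len(sys.argv) == 2 else 32
    key = generate_psk(n)
    print(key)
    print("%d characters, about %.0f bits of entropy" % (n, entropy_bits(n)))
```

Run as "python psk.py 32" (the file name is whatever you save it as). At 32 characters the string already carries more entropy than a 128-bit AES key, so the only reason to go longer is a product that enforces a minimum or a policy that asks for it.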

I hope that you find this simple bit of code useful.  If you've got a simpler way of getting to the same results, or if you can improve on my quick-and-dirty python, please post to the comment field below!

Rob VandenBrink
