Friday, May 15, 2009

OLE2 Fragmentation Befuddles Most AV Vendors

BreakingPoint Labs has discovered heavily fragmenting Office documents causes AV and IDS products to miss exploits embedded in them the majority of the time. Writeup by H.D. here.
it's important to note that Sourcefire's Office Cat tool uses the OLE API to parse the stream and find the exploit regardless of how fragmented it is.

Viruses Adopt New Stealthier Methods

As reported by Kapersky Labs, it's been discovered that a new variant of Sinowal or Torpig is writing itself to the hosts Master Boot Record and is avoiding AV detection. It's been spreading via Web sites and through the previously reported Adobe Reader vulnerabilities. Writeup in ZDNet found here.

Thursday, May 14, 2009

Tips For Budding Packet Jockeys

If you are interested in becoming a packet jockey, i.e. getting into the Network Security side of IT Security, there's a lot of things you'll need to learn to do your job properly.
I started in this field coming over in IT from the desktop support side, so I didn't have a lot of networking or scripting experience. To make things even more interesting, there were NO IT security folks at the time. I was the first and not only learned by OTJ training, I determined what that job was and gave myself the training!

If I were to list what I think someone interested in getting into NetSec could look at learning, based on my past experience and what I learned after I DID get some real training, I'd suggest the list below.

1. Linux - Although a lot of network security tools have been ported over to Windows, a whole lot more have not and most of them run much better on Linux anyway.
If you are going to do serious intrusion analysis, you're going to have to learn Linux. In following posts I'll suggest some ways to learn each of the items I list if training through a company isn't an option (or you haven't landed a job yet).

2. tcpdump - There are more esoteric tools one can use, like Wireshark, but to learn packet analysis, you need a tool that doesn't do all the decoding for you. Once you are familiar with all the protocol headers and start to learn what is normal and what is anomalous, Wireshark and commercial tools can decode just about any protocol you'll see. I still use tcpdump 99% of the time because I can easily filter it and script it to parse the packets as they are captured.

3. Snort. If you want to do IDS, learning to set up, maintain and use Snort will help with about any other one you'll encounter. Once you have a Snort install loaded and start looking at alerts, you'll soon learn to determine what are false positives, what is normal traffic that can be filtered and what needs your attention. And it's a never-ending process as new attacks are released and the Bad Guys learn new ways to broach your defenses. Also, learning to write Snort signatures will really help you learn how to analyze packets as you find out what needs to be looked at and where.

4. Logs - Once you begin looking at packets, you'll need to learn to correlate them with logging from network devices and servers. A central syslog server will allow the aggregation of logs from different devices. To familiarize yourself, working with some open source tool like swatch is helpful. There are newer, better tools but using swatch will help you learn to install from source and use simple reg ex to filter.

5. Parsing tools - Packet sniffing tools record a LOT of packets. Using BPF's (Berkeley Packet Filters) with tcpdump will help a lot to narrow down what you need to see, but you'll need further filtering to refine your results or logs for analysis or to share with others. awk and sed can help a lot to pull out relevant parts of your packet data. Learning some shell scripting or better yet, a little bit of Perl will allow you to write some scripts to run your data through and find EOI's, Events of Interest.

Wednesday, May 13, 2009

Adobe Patches Released

Adobe has released patches for a critical vulnerability in Adobe Reader (including one version for Linux) and Adobe Acrobat. You can read the bulletin here as well as download the patch for your version and platform. Or you can simply open up Reader and go to Help, Check for Updates. Either way, suggest you patch as soon as possible.

Sunday, May 10, 2009

Happy Mothers Day!

Happy Momma's Day to all the NetSec mothers who parse packets by day and fix boo boos and read bedtime stories by night!

Wednesday, May 6, 2009

Adobe Patch

Adobe has announced it will release a patch next week for the zero-day flaw in Acrobat and Reader. Versions to be fixed:

Windows Adobe Reader versions 7, 8 and 9
Windows Acrobat versions 7, 8 and 9
Mac: versions 8 and 9
Linux: versions 8 and 9

The chief security researcher from F-Secure even went so far as to recommend that users uninstall Reader and install an alternative .pdf viewer, noting that six vulnerabilities have been found in the software.

This might be a good strategy for home users, but I seriously doubt any corporate environments of any size would go through the evaluation process, uninstall of Reader, installation of a new product and training needed to do this, especially now that Adobe has made the announcement of the forthcoming patch.

Daily Podcasts

The SANS Internet Storm Center puts out a daily podcast, a mini, 5 minute summary of what's happening and what to be aware of in the NetSec world. This is in addition to their lengthier full podcast put out on a less regualr basis. The recordings are done by Johannes Ullrich, Chief Research Officer for SANS and the original founder of Dshield. Here's a link to all the "Stormcasts" as they are called.
Link
They are very informative and definitely worth the listen.

Friday, May 1, 2009

H1N1 (the virus formerly known as swine)

With all the coverage of the swine, er, H1N1 flu outbreak, might be a good time to find out what your companies procedures are in case of a pandemic outbreak. And have a talk with your manager and find out what the realistic expectations are as far as staffing the data center, NOC, desktop support, etc. Most companies want anyone who even thinks they might be infected to stay home, but the IT functions have to keep chugging along as always. If you have remote access, but haven't used it in a while, this would be a good time to log in and make sure your client version is up-to-date, and changed passwords or passphrases have been updated as well and you can get to every area of the network you need to if you should have to work from home.
I telecommute twice a week anyway, so I know I'm good. =-)

Blog Archive