Sourcefire released iPhone App

October 30, 2009 by theipsguy

Sourcefire has released an iPhone application. It uses the widely recognized Snort pig as its icon. You can view the latest rule sets, top malware threats and the latest news from the VRT team. This is a must-have for mobile security geeks. You can download the app from iTunes at the link below.

http://itunes.apple.com/us/artist/sourcefire-inc/id331567916

Obsolescence of traditional defenses

October 29, 2009 by theipsguy

I attended a lunch and learn event hosted by Bayside Solutions and presented by Paul Henry. Bayside Solutions provides these monthly lunch and learn events and they are top notch. They are unique in that they are not sales events but focus on providing relevant information on issues within Information Security. Paul Henry is extremely knowledgeable and well known in the security industry.

The discussion was on how traditional port-based protections are no longer enough. This is spot on and not necessarily new, but it is a great point that needs to be reinforced. With the advent of Web 2.0 an attacker no longer needs to penetrate your firewall; they only need to wait for you to visit a compromised website. Since very few companies block outbound HTTP or HTTPS, it is virtually impossible to prevent these attacks with port rules alone. The only way to prevent them is to use protocol-based defenses, Intrusion Prevention being one example. I see malicious IRC traffic being blocked on a daily basis that is not using the standard IRC ports. Many applications, such as Instant Messaging clients, will also try different ports to find a way out of the network. When vendors develop products to bypass filters it is officially game over!

This doesn’t mean we eliminate our traditional firewalls, but more is needed to provide true defense in depth. As Paul mentioned, defense must be moved closer to the endpoint. Good old-fashioned patch and system management would reduce these attacks, but it is much harder to do than buying a new appliance to put on the network. :-)

Gumblar is back or never left

October 22, 2009 by theipsguy

ISS X-Force has raised the AlertCon to 2 because of increased Gumblar activity. Gumblar has updated the exploits it uses to take advantage of recent Adobe and Microsoft vulnerabilities. Unlike the previous version, the new and improved version hosts the exploits on the compromised web server itself and infects clients as they visit the website.

Microsoft October Bulletins

http://bit.ly/jg0jh

Adobe Updates

http://bit.ly/49Y6nA

IBM/ISS Signatures to detect Gumblar

http://bit.ly/18avBV

PDF_JavaScript_Exploit
PDF_Obfuscated_Stream
PDF_Encoded_JavaScript_Tag
PDF_JavaScript_Hex
PDF_JavaScript_Detected
PDF_Shellcode_Detected
Multimedia_File_Overflow
JavaScript_Obfuscation_Rue (PDF obfuscation)
Swf_Suspicious_ActionScript (Flash obfuscation)
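The signature names above describe what a PDF-aware IPS looks for in a Gumblar-style drive-by: a JavaScript action, names hidden behind PDF #xx hex escapes, code tucked into a FlateDecode stream, and %u-escaped heap-spray data. The Python below is an added example of those checks, written for this page; it is not IBM/ISS signature logic and the PDF it builds is constructed for the example, not a real Gumblar sample. The finding labels and the regexes are my approximations of what the signature names suggest.

```python
import re
import zlib

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")                        # PDF name escape, e.g. /J#61vaScript
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.S)  # stream ... endstream bodies
JS_NAME = re.compile(rb"/JavaScript\b|/JS\b")
AUTO_OPEN = re.compile(rb"/OpenAction\b|/AA\b")                        # runs without user interaction
JS_CODE = re.compile(rb"\b(?:unescape|eval|String\.fromCharCode|app\.alert)\s*\(")
PERCENT_U = re.compile(rb"unescape\s*\(\s*['\"](?:%u[0-9A-Fa-f]{4}){2,}")  # classic heap-spray shape


def normalize_names(data):
    """Resolve #xx escapes so /J#61vaScript reads as /JavaScript (applied to text, never to deflate bytes)."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Return stream bodies, FlateDecode ones decompressed; damaged or uncompressed ones kept raw."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        try:
            bodies.append(zlib.decompress(body))
        except zlib.error:
            bodies.append(body)
    return bodies


def scan_pdf(data):
    """Scan raw bytes, name-normalised bytes and every inflated stream; return findings."""
    findings = set()
    norm = normalize_names(data)
    if JS_NAME.search(data):
        findings.add("javascript_action")
    elif JS_NAME.search(norm):                 # only visible once the escapes are resolved
        findings.add("javascript_action")
        findings.add("escaped_name_hides_javascript")
    if AUTO_OPEN.search(norm):
        findings.add("auto_open")
    if PERCENT_U.search(norm):
        findings.add("percent_u_escapes")
    for body in inflate_streams(data):
        body = normalize_names(body)
        if JS_CODE.search(body):
            findings.add("javascript_code_in_stream")
        if PERCENT_U.search(body):
            findings.add("percent_u_escapes")
    hard = {"javascript_action", "javascript_code_in_stream", "percent_u_escapes"}
    return {"suspicious": bool(findings & hard), "findings": sorted(findings)}


def build_sample_pdf(malicious):
    """Constructed minimal PDF for this example (not a real Gumblar sample)."""
    js = b'var s = unescape("%u9090%u9090%u4141"); app.alert(s.length);'
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R" + (b" /OpenAction 4 0 R" if malicious else b"") + b" >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
    ]
    if malicious:
        comp = zlib.compress(js)
        objs.append(b"<< /S /J#61vaScript /J#53 5 0 R >>")   # hex-escaped /JavaScript and /JS
        objs.append(b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp)
                    + comp + b"\nendstream")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf(True)))
    print(scan_pdf(build_sample_pdf(False)))
```

The point of the two passes is that a plain string match for /JavaScript misses the escaped name, and a match on the raw file misses code inside a compressed stream; an IPS that only does one of the two gets bypassed by a one-line change on the attacker's side.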

October Microsoft Updates

October 17, 2009 by theipsguy

IBM/ISS

MS Bulletin   Coverage       Coverage Date
MS09-050      XPU 29.091     9/11/2009
MS09-051      XPU 29.091     9/11/2009
MS09-052      XPU 29.1       10/13/2009
MS09-053      XPU 29.1       Multiple signatures and dates
MS09-054      XPU 29.1       Multiple signatures and dates
MS09-055      XPU 29.1       Multiple signatures and dates
MS09-056      XPU 29.08      8/11/2009
MS09-057      XPU 29.1       10/13/2009
MS09-058      Scanner Only   10/13/2009
MS09-059      (not listed)
MS09-060      Scanner Only   10/13/2009
MS09-061      XPU 29.09      9/8/2009
MS09-062      XPU 29.09      Multiple signatures

Cisco

MS Bulletin   Coverage       Coverage Date
MS09-050      S438, S441     Multiple dates
MS09-051      S441           10/13/2009
MS09-052      S441           10/13/2009
MS09-053      S441, S430     Multiple dates
MS09-054      S441           10/13/2009
MS09-055      (not listed)
MS09-056      S441           10/13/2009
MS09-057      S441           10/13/2009
MS09-058      (not listed)
MS09-059      (not listed)
MS09-060      S422           8/4/2009
MS09-061      S441           10/13/2009
MS09-062      S441           10/13/2009

McAfee and IBM Comparison

October 6, 2009 by theipsguy

IBM
Device
GX4004
GX5008
GX5108
GX5208

Forrester Network Mitigation Report

September 26, 2009 by theipsguy

I recently read the TechRadar for Security & Risk Professionals: Network Threat Mitigation, Q3 2009 by Forrester. This report reviewed 14 different threat mitigation categories, including encryption, wireless IDS/IPS, UTM, Intrusion Prevention, network access control, Web-content filtering and a few others.
It is obvious that the bad guys are highly organized and very skilled. The number and sophistication of attacks do not seem to be going down but are instead increasing. Forrester identified three problems they see in their client companies:
  1. The current controls are either not able to prevent the types of threats we see today, or the solutions and how they are used need to be re-thought.
  2. Companies fear inline protection. Even though many companies have successfully deployed Intrusion Prevention, there is a general fear that the IPS will block legitimate traffic.
  3. Companies lack visibility into what is really happening on their networks. This is somewhat by design, because what you do not know you do not have to address.
Forrester did a good job of grouping the type of technologies and providing a ranking on their business value. I agree in general with their assessments.
Technology               Business Value
Firewall Auditing        Low
Network Encryption       Negative
Network Threat Modeling  Negative
Network Access Control   Low
UTM                      Low
Email Security Gateway   High
Network Firewall         High
Vulnerability Scanners   Medium
NBAD                     Negative
IDS                      Negative
IPS                      High
Web Proxy                Medium
Application Firewalls    Low
Wireless IDS/IPS         Medium
Forrester states that NBAD is declining and will be replaced by NBA. Further, they predict NBA will likely be added to other security appliances. I agree with this assessment; vendors are working hard to integrate NBA into their Intrusion Prevention systems. McAfee will be doing this soon, as will IBM/ISS, and Cisco already does this.
One item I noticed, and this is likely a mistake on the part of the authors, is that they listed Snort/Sourcefire in the IDS-only category. While I agree with the general categorization of Snort as IDS-only, I do not agree with Sourcefire being in this category, and I doubt Martin Roesch would either.
Forrester rates Network Intrusion Prevention as a High business value and I would of course tend to agree, but I may be a little biased. They see their clients replacing older IDS-based systems with IPS and relying on this technology as a key control in their network. Many vendors are beginning to add other features to their IPS devices. Companies like IBM/ISS have limited DLP functionality in their network intrusion prevention devices, and IBM/ISS recently released web application firewall functionality.
Network Intrusion Prevention continues to be a key control used by businesses and is only going to continue to grow. I believe we will see IPS become a platform for more services like DLP and NBA, similar to how firewalls have integrated IPS, content filtering and other technologies.

September Microsoft Bulletins

September 9, 2009 by theipsguy

IBM/ISS Coverage

http://bit.ly/11xX5Q

MS Bulletin   Coverage                                                                     Coverage Date
MS09-049      Scanner Only 1.59                                                            September 8, 2009
MS09-048      XPUs 20.90, 1.71, 1.72, 28.010, 28.150, 29.130, 29.030, 29.070, 29.080       Multiple dates of coverage (2006, 2008, 2009)
MS09-047      XPU 20.90                                                                    September 8, 2009
MS09-046      XPU 20.90                                                                    September 8, 2009
MS09-045      XPU 20.90                                                                    September 8, 2009

Cisco

http://bit.ly/R1LEj

MS Bulletin   Coverage                    Coverage Date
MS09-049      NA
MS09-048      S430, S248, S431, S242      Multiple dates of coverage
MS09-047      S431                        September 8, 2009
MS09-046      S431                        September 8, 2009
MS09-045      S431                        September 8, 2009

Mcafee

http://bit.ly/4w90TJ

MS Bulletin   Signature ID                            Coverage Date
MS09-049      Foundstone 7110
MS09-048      0x9E00, 7106                            September 8, 2009; September 9, 2009
MS09-047      7108, 7109, 0x40265D00, 0x40265E00      September 8, 2009; September 9, 2009
MS09-046      0x40266900                              September 8, 2009
MS09-045      7098, 0x40266800                        September 8, 2009; September 9, 2009

Microsoft Security Advisory (975191)

September 3, 2009 by theipsguy

Microsoft has announced a vulnerability in the IIS FTP service. It is a stack-based buffer overflow caused by improper bounds checking in the FTPd service: by sending an overly long NLST command, a remote attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges, or crash the service.

IPS Vendor   Protection   Date                          Link
IBM/ISS      yes          Jun 6, 2002 / Sept 3, 2003    http://bit.ly/2loiYU
Cisco        yes          Sept 2, 2009                  http://bit.ly/YJ97S
McAfee       yes          Aug 31, 2009                  No link

It is nice to see IBM/ISS with coverage dating back 6-7 years! The primary signature, FTP_Mkd_Overflow, was originally developed for a vulnerability in WS_FTP Server but provides protection for this vulnerability as well; this signature is enabled by default.

Exploit code has been placed on Milw0rm and has been added to MetaSploit.


Detecting bot-nets

August 20, 2009 by theipsguy

We hear a lot about the rise of organized crime and the sophistication of the attackers. While this is true, in many cases I still see amateurish attacks.

While reviewing an IPS I found the following messages. IPS still provides a great way to detect bot-nets, and while there is an obvious problem on this network, these IRC connections are being blocked by the IPS.

An interesting article related to this can be found here.

IRC Messages

:nick :msg
#usb Infected usb drive: E:

Interesting Nicknames to an IRC channel

VirUs-rigvgunl
VirUs-rflkbvny
VirUs-rexehaxz
VirUs-rcpcmobp
VirUs-rboinhcv
VirUs-raquheuv
VirUs-raozodkn
VirUs-racgucrn
VirUs-quyozuoc
VirUs-qufnunld
VirUs-msubtplz
[03|MEX|XP|981734]
[03|MEX|XP|444546]
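The IRC blocking on non-standard ports described in the "Obsolescence of traditional defenses" post and the bot traffic shown above come down to the same two steps: recognise IRC from the content of the stream rather than the destination port, then look at what the stream carries. The Python below is an added example of that logic, written for this page; it is not code from the blog or from any IPS vendor. The sample flows are constructed for it, and the two nick regexes generalise the shapes seen above (the VirUs- prefix plus eight lowercase letters, and the [nn|CC|OS|id] form), which is an assumption about the bot family rather than something the post states.

```python
import re

# Constructed sample flows (dst_port, TCP payload) for this example. None of the IRC ones
# use a standard IRC port, which is exactly the case a port-based rule misses.
SAMPLE_FLOWS = [
    (8080, b"NICK VirUs-rigvgunl\r\nUSER xyz 0 * :xyz\r\nJOIN #usb\r\n"
           b"PRIVMSG #usb :Infected usb drive: E:\r\n"),
    (443, b"NICK [03|MEX|XP|981734]\r\nUSER a 0 * :a\r\nJOIN #usb\r\n"),
    (80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (6667, b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #python\r\nPRIVMSG #python :hi\r\n"),
]

IRC_COMMANDS = {"NICK", "USER", "JOIN", "PRIVMSG", "NOTICE", "PING", "PONG",
                "MODE", "PART", "QUIT", "TOPIC"}
STANDARD_IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}

# Assumption: the bot keeps the nick shapes seen in the post for other victims.
BOT_NICK_PATTERNS = [
    re.compile(r"^VirUs-[a-z]{8}$"),                           # VirUs-rigvgunl
    re.compile(r"^\[\d{2}\|[A-Z]{2,3}\|[A-Za-z0-9]+\|\d+\]$"),  # [03|MEX|XP|981734]
]
BOT_TEXT = re.compile(r"infected usb drive", re.I)              # "#usb Infected usb drive: E:"


def parse_irc_lines(payload):
    """Split a payload into (command, params) tuples; tolerate a leading ':prefix'."""
    msgs = []
    for raw in payload.split(b"\n"):
        line = raw.rstrip(b"\r").decode("utf-8", errors="replace").strip()
        if not line:
            continue
        if line.startswith(":"):              # server-side form ":nick!user@host CMD ..."
            parts = line.split(" ", 1)
            if len(parts) < 2:
                continue
            line = parts[1]
        cmd, _, rest = line.partition(" ")
        cmd = cmd.upper()
        if cmd not in IRC_COMMANDS:
            continue
        if rest.startswith(":"):              # only a trailing parameter
            params = [rest[1:]]
        else:
            head, sep, trailing = rest.partition(" :")
            params = head.split() + ([trailing] if sep else [])
        msgs.append((cmd, params))
    return msgs


def looks_like_irc(payload):
    """Port-agnostic protocol heuristic: two distinct IRC commands, one of them registration or chat."""
    cmds = {cmd for cmd, _ in parse_irc_lines(payload)}
    return len(cmds) >= 2 and bool(cmds & {"NICK", "USER", "JOIN", "PRIVMSG"})


def classify_flow(dst_port, payload):
    """Return whether the flow is IRC, the nick it registered, and any bot indicators."""
    finding = {"dst_port": dst_port, "is_irc": looks_like_irc(payload), "nick": None, "indicators": []}
    if not finding["is_irc"]:
        return finding
    if dst_port not in STANDARD_IRC_PORTS:
        finding["indicators"].append("irc on non-standard port %d" % dst_port)
    for cmd, params in parse_irc_lines(payload):
        if cmd == "NICK" and params:
            finding["nick"] = params[0]
            if any(p.match(params[0]) for p in BOT_NICK_PATTERNS):
                finding["indicators"].append("bot-style nick %s" % params[0])
        if cmd in ("PRIVMSG", "NOTICE") and len(params) >= 2 and BOT_TEXT.search(params[-1]):
            finding["indicators"].append("infection report in channel message")
    return finding


def scan_flows(flows):
    """Keep only IRC flows carrying at least one bot indicator; these are the ones to block."""
    return [f for f in (classify_flow(p, d) for p, d in flows) if f["indicators"]]


if __name__ == "__main__":
    for f in scan_flows(SAMPLE_FLOWS):
        print(f)
```

Run as-is it reports the two bot flows (ports 8080 and 443) and stays quiet on the HTTP flow and on the legitimate IRC session on 6667; the legitimate session is still classified as IRC, which is what you want for visibility, but carries no indicator, so it would not be blocked.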

Thinking about 10 gig IPS

July 14, 2009 by theipsguy

I have been looking at 10 gigabit solutions for IPS, and I have to say there is a wide difference in the way the different vendors are doing this.

IBM
The Network Security Controller accepts two 10 gigabit network connections in an active/passive configuration. Copper IPS devices are connected to the controller, which spreads the load among them. This provides inspection of up to 10 Gbps of traffic, assuming the attached IPS devices can together inspect that much. The GX6116 has an inspected throughput of 6 Gbps. IBM has no native 10 gigabit interfaces on its IPS devices.

Mcafee
McAfee offers two devices with 10 gigabit interfaces. The M8000 has twelve 10 gigabit Ethernet ports and a maximum throughput of 10 Gbps; the M6050 has eight 10 gigabit Ethernet ports with a maximum throughput of 5 Gbps.

Sourcefire
Sourcefire has the 3D9800 with four fiber 10 Gbps interfaces and a line speed of up to 10 Gbps, and the 3D9900 with four 10 Gbps SR interfaces, also with a line speed of up to 10 Gbps.

TippingPoint
The TippingPoint Core Controller has six 10 Gbps Ethernet interfaces (three segments). This is similar in design to the IBM solution: the controller distributes the load across the connected backend IPS devices, so the total inspected bandwidth depends on the backend IPS devices.
