Clap…Be Amazed…Now Go Defend

What does it tell you when SC Magazine’s Best Security Company of the Year bases it’s business on helping organizations recover from all the failures of the layers of prevention and mitigation on which we focus so much of our time and money? The typical IT security environment today is focused on two things: prevention and vulnerability management. Problem is you can’t prevent what you don’t know is coming and with most preventative solutions in place today your best hope is that you’re not the first (or earliest) to see an attack and that whoever is can and will share that intel. Risk worth assuming? Are we better served with the Sisyphean task of continuous patch management than we would be were we to focus most of those resources (people and money) on early detection and response?

Whether you agree with these types of awards or not, Mandiant deserves the recognition. They’re a great company and group of people and are model givers to the Info Sec community which helps people like me do my job better. They’ve assembled some of the best talent in the business as well. All deserving reasons.

I’ll give you one more.

For all the money we spend in Info Sec trying to prevent attacks, and a lot is spent, what happens when an attack gets through? We know prevention is going to fail. Yes. Prevention WILL fail and regularly does. If you don’t have any level of network monitoring in place then you’re doing it wrong. And there’s no excuse for it. In fact, there’s no excuse for not leveraging the latest and greatest technologies available to mitigate attacks when the financial cost is moot and your security posture could be strengthened immensely. For larger organizations who already have commercial solutions in place, are you able to afford the extent of coverage required for maximum visibility? What if you could get that coverage without the lofty hardware and support costs?

How do you save money on network security monitoring? You open your eyes to the low cost potential of open source initiatives and brilliant minds eager to share, like a few of those that Mandiant has shepherded through the Info Sec world. Doug Burks (@DougBurks), of Mandiant, has provided one such solution with Security Onion, a network monitoring Linux distribution that is only limited by the hardware you have at your disposal on which to run it. And what’s even better? He’s made it so easy to setup and configure that even complete strangers to Linux can figure it out. If you know how to boot off of a DVD you’re in business. Need a deployed infrastructure? Setup one Security Onion host as a server and deploy others as sensors. Standalone works just as well. Heck, I run it in a virtual machine on my laptop and it’s the best host-based IPS money can buy…but doesn’t need to. I’m not kidding about how easy this is to deploy and if you take 20-30 minutes and watch one of Doug’s presentations (links available on the Security Onion site) demonstrating just how easy it is, you’ll thank me. Then you’ll show him thanks by downloading it.

When you look at the arsenal of monitoring tools that Security Onion brings to the table you’ll be even more amazed as you peel back the layers and get a handle on just how powerful the solution is.

You get Snort, the great open source intrusion detection/prevention system from Sourcefire (another incredible company; see my Razorback post then go download the new version). Maintaining Snort with Security Onion via PulledPork for signature management is a breeze and easily supports Snort (get thee an Oinkcode! ) and Emerging Threats signatures.

You get full packet capturing with Sourcefire’s Open Source Daemonlogger.

You get OSSEC, a host-based intrusion detection system, which helps you monitor your network security deployment out of the box and the capability to extend that detection to Windows, Linux, and MacOS via the OSSEC agents.

You get Bro IDS, an alternative approach to IDS that I’m just now learning myself and have been continually blown away by the visibility it provides. I hope to cover it more specifically in a future post, as educational resources for using Bro are a little scarce. It’s described as a network analysis framework and it comes preloaded with a few obvious examples that will give you an idea of what the framework can do. It collects basic connection data for every connection, http, ftp, syslog and SMTP data, SSL certificates (both known and the suspicious unknowns), SQL injection attacks, and more. It will continue to amaze you when when the framework reveals its capabilities with events like HTTP::Malware_Hash_Registry_Match, indicating a file has been downloaded, the file hashed and the hash matches a known malicious software hash in the Team Cymru Malware Hash Registry.

All that and more, packaged up nicely saving you all of the headaches of deploying a comprehensive network monitoring suite of Open Source solutions from scratch.

Once you start collecting data you’ll have the powers of Squil, Squert, and Snorby at your disposal for monitoring and analysis. If you prefer, you can also grab a copy of Splunk.which installs fairly painlessly on Security Onion. (Only issue I had was the default Splunk port was in use; I typically use port 81 without problems.)

Take a day. Install a Security Onion VM. Run some sample pcaps through it. See how easy it is to deploy and detect the activity. Now think how much better you might be able to defend with this kind of visibility at next to no cost (how many old servers are being retired and replaced with virtual machines? Reuse them!). Then with all the money you’ll be saving go hire some gifted local talent with dedication and passion to learning and an accepted understanding that they’ll always be a day behind. Do this and you’ve improved your overall security posture immensely and put yourself in a much better position to detect and respond to an incident. Even if you aren’t doing the responding! If the FBI shows up at your door, you’re going to need help. The data you would be collecting would be invaluable to resolving an incident efficiently and effectively.

Now do you start to see why I think Mandiant deserves Best Security Company recognition? And this is just one example. Have you looked at the free tools they offer? Have you ever heard of TaoSecurity Blog? Dustin Webber, the author of Snorby (although he’s with Tenable now I believe)? Their efforts with Jamie Butler, who literally co-authered the book on rootkits? The latest is Michael Sikorski’s contributions with his new book Practical Malware Analysis accompanied by the release of FakeNet, a malware network analysis tool. The list goes on. They’re a company of talented people, providing tools and sharing knowledge to build stronger and more capable communities to build a safer Internet.

Any company like that deserves the title Best Security Company, especially when compared to companies who profit from you for solutions that you buy with the  expectation that they will fail you at some point. Mandiant profits when those companies fail you. And then they (Mandiant’s family) turn around and give, yes give as in free, you a way to do a lot if not more than what you’re paying good money for, or aren’t paying for at all because you can’t afford it. They’re doing something about enabling small/medium businesses and personal networks to adopt affordable security approaches. They’re providing security practitioners with tools and technologies to perform better, defend more wisely and “find evil” more efficiently with less technical skill than was required 2 years ago. They’re doing it in their 9-5 jobs. They’re doing it as hobbyists. They’re doing it as caring volunteer citizens.

They should be recognized and thanked…

And you should go download Security Onion and start protecting your personal and professional assets…like now.

Setup Razorback Release 0.3.0 in VirtualBox

If you’ve not yet heard of Razorback, start listening. Sourcefire, the company behind the incredibly popular and effective Snort IPS, are working on a new project to extend detection capabilities beyond their traditional IPS. The best part: much like Snort, Razorback is an open source project, which will likely be incorporated into Sourcefire commercial solutions at some point while still maintaining the free version. In the age of security budget cuts despite the so-called “Year of the Hack” free is a good thing.

So what is it? Razorback is an attempt to separate traffic capturing and detection. Traditional IPS solutions capture traffic and analyze it real time, which has limits in terms of exactly how much analysis and reconstruction it can perform. Razorback takes the approach of capturing data based on what type of data is being exchanged then submitting content for analysis to additional processes, such as ClamAV scans, dissecting PDFs, submitting file types to Virustotal, and more. Check out the Sourcefire team’s presentation at DefCon 18 if you want to learn more about it before diving in.

Razorback is young, but it’s growing up fast and the latest release overcomes one of the biggest obstacles in deploying the solution for testing: setup and configuration. Sourcefire has released a virtual machine appliance that can get you a Razorback installation up and running in less than 20 minutes. I’m going to walk you through doing just that with VirtualBox.

First you’ll need a PC with at least 8gb of RAM and two NICs. You’ll also need the ability to mirror the traffic you want to monitor via port span, hub or tap. You can download VirtualBox here and don’t forget the VirtualBox extensions here. The Razorback VM can be found here.

  1. Install VirtualBox then install the VirtualBox extensions. Defaults in both cases should be fine.
  2. Launch VirtualBox and click File > Import Appliance. Click the Choose button and browse to where you downloaded the Razorback virtual appliance file, Razorback-0.3.0-Release.ova, and click Open then Next. I’d suggest selecting the check box to re-initialize the MAC address of the appliance’s network card then click Import. It should only take a couple minutes to import the appliance.
  3. Once the appliance is imported, the first thing you’ll need to do is edit the VirtualBox network settings. Right-click the Razorback-0.3.0-Release machine name and select Settings. When the Settings window loads, select Network.Razorback VirtualBox Network SettingsFirst we want to make sure the first network adapter is set to Bridged Adapter. Make sure the “Name” field indicates the network card you want to be the management interface. Next click little triangle next to “Advanced.” You’ll need to change the “Adapter Type” to get it to work with FreeBSD so choose “PCnet-PCI II (Am79C970A).” Since this is only a management interface, don’t worry about Promiscuous Mode. Do NOT create or configure a second adapter for the monitor interface…yet. Choose OK when you’re done with the settings.
  4. Right-click the Razorback-0.3.0-Release VM and choose “Start” for your initial boot. It will take a couple minutes to boot and once it’s done you’ll see a command line menu and if you dither you’ll start to see some “razorback masterNugget” log events writing to the console. Click in the VM and press enter to see the menu again if it gets away from you. You should see a URL for the system management web interface.Razorback ConsolePort 8080 is the admin interface, port 80 is the user interface. If you don’t see the URL/IP address or if it’s not valid, reconfirm the network settings above.
  5. Open a web browser and browse to http://<Management IP>:8080/. Login as admin, password: razorback. Click Network > Interfaces > Add Interface. This is where you configure the Razorback management interface. The NIC should be le0. You can give it whatever interface name you like and setup DHCP or a static IP for the management interface. Scroll down and Click OK when you’re done.
  6. Shutdown the appliance. You can do so either from the command line menu or from the web UI.
  7. Once it’s shutdown, go back into VirtualBox Settings > Network (right-click the Razorback VM). Now we need to add a second adapter where your port mirror/span/tap should be. SaaC (Snort as a Collector) will monitor this interface. So click Adapter 2, enable it and set it to bridged. The “Name” should be the physical network card used for the port mirror. Click Advanced and set the “Adapter Type” to “PCnet-PCI II (Am79C970A).” This time we want to set “Promiscuous Mode” to “Allow All.” Click OK.
  8. Restart Razorback virtual appliance.
  9. This is where it gets tricky…if you don’t know vi. Basically, we need to edit /etc/rc.conf to configure Snort to monitor the proper interface. If you don’t know vi you can always learn the basics in 5 minutes here. From the Console Setup text menu on the Razorback VM, enter “9” to get Shell access. Type “vi /etc/rc.conf” and scroll to the bottom of the file. You’re looking for the lines following: “## TAP/Span interface on em1”.We need to change “em1” to the interface name “le1” on both the ifconfig_le1 and snort_interface lines as seen in the screen shot above. Save the file.
  10. Back to the browser, access the Administration web UI at http://<Management IP>:8080. This time, head to Services > Control Services and click the On/Off button next to Snort.Razorback Administration Control ServicesIf everything goes as planned the button should turn blue/on.
  11. Open up a new tab and browse to http://<Management IP>/ and login as admin, password razorback and watch for events and more importantly alerts.

That’s about all there is to it. Monitor performance as high bandwidth can really tax the system. If you have the resources, adding more RAM to the VM can help.

When you start to see events and alerts you’ll see something like this:Clicking on the Alert count will show you which inspector alerted and provide a little information as to why, in this case OfficeCat found an Office vulnerability. Drilling into the Metadata count can get you a good bit more detail. In this case the vulnerability was found in a downloaded file from Yahoo!Mail.And we can tell from the HTTP Response what file we need to be worried about. This type of data can be really handy for creating indicators of compromise ( you give it a go, please consider joining the Razorback mailing list and supporting the development with testing feedback.

Happy hunting!

Tough Love, End Users

Next time you get infected, take a few minutes and learn from the experience.

You get infected and luckily your antivirus detects it and tells you as much in a nifty little pop up window. (In a majority of cases, that’s about the only way you’ll know you got infected or came in contact with malware.) What do you do? Do you thank your antivirus software and carry on? Do you wonder whether it caught everything? Or if it will come back? Do you get curious about how or why? Do you care?

I’ll answer the last question. You better. Your computer holds keys to your financial data, whether you’ve ever logged on to an online banking or financial site from it. It contains information about you that can be used fraudulently and to gain more information about you. It can also reveal information about your friends, family and co-workers, thanks to the boom in social networking. Carelessness puts not only you, but everyone you interact with online at risk.

If your computer gets 0wned (fully controlled by an attacker) the attacker has more control over your computer than you do, because they know how to use it in ways you likely haven’t imagined. For example, at work, you might not have access to personally identifiable information (PII), but your actions can lead to a compromised host and an internal launching point for deeper attacks that will. The PII could be ex-filtrated without ever coming in contact with your computer. Scary, eh? Potentially very damaging to all involved too.

What can you do? Endpoint security software (firewalls, antivirus and IPS) can do a moderately effective job of protecting your host. In most cases, the fault of an infection isn’t that the security vendors “missed” it. They catch a lot and work hard at getting better and stopping more. Harder than you do I bet. Eh? Computers have software and hardware that can help detect and prevent malicious attacks. What do you use?

From the keyboard to the chair is your responsibility. Be responsible! Educate yourself. Learn to defend yourself and identify attacks on you. As long as you aren’t willing to put in some effort to learn about how you can be attacked, how you can identify those attacks, and how you can avoid them in the future, you are the biggest unpatchable vulnerability affecting your computer.

If you still don’t care, then thanks for stopping by and may your fortunes be secure. If you do care, then lets talk a little about attacks and defenses.

You’ve likely heard about phishing emails and spam containing malicious attachments or links. Some of these are very sophisticated and seem very trustworthy. Trust nothing when computing. Any email, attachment, or link you encounter via email or social networking should be considered untrustworthy until you’ve ascertained the source is valid and the source intended the information for you. Think about whether the person who posted that link on your Facebook profile is the type who would have validated the information. If there is even the slightest doubt about whether it’s secure, consider it insecure until you have verbally spoken with the sender and taken measures to identify if the link or file is malicious. (Virustotal allows you to submit potentially malicious files for scanning by more than 35 a/v vendors and gives you a good idea if the file is good or bad. They also have a URL scanner if you’re unsure about a link. Neither of these are 100% assurances however, so you start to see how this is about reducing risk, not eliminating it.)

Sometimes even the wisest are fooled if the scam is good enough or they are caught with their guard down. And sometimes the completely innocent are victimized. Drive by downloads take advantage of browsing-related vulnerabilities to exploit a computer without the user doing anything other than browsing to the wrong site at the wrong time. Malvertisements use social engineering to entice users to run a program, such as the Fake A/V attacks. And those of us who like Macs need to get over the false notion that Mac OS X is more secure. It’s binary code written by humans and potentially vulnerable to being exploited by humans. Mac’s are gaining popularity and with that will come attention and attacks.

A familiarity with what your programs are supposed to look like can help you identify anomalous behavior. Know what your antivirus alerts look like so when you see a fake one it’s obvious you’re being attacked. Patching is another solid defense. At the bare minimum always patch operating systems, browsers, and the Adobe products Flash, Shockwave, Reader and Acrobat as soon as patches become available…on all platforms.

I highly recommend Secunia PSI for Windows users. It’s free for home use and will monitor your computer for updates specific to your hardware and the software installed. It provides assistance with remediation as well, providing links to patches or details on how to close the gaps.

I bet you’d be hard pressed to find anyone who has used the Internet for more than a year who hasn’t run into something malicious, whether they are aware of it or not. People cling to guns for self-defense from an enemy they’ll likely never encounter. Yet they’ll pay no attention to a virus detection or the fact that their computer “might” be infected. I realize education and awareness aren’t as exciting as guns, but they’ll protect you from a whole lot more than a gun probably ever will.

Educate yourself.

End User Defense: Literacy is a Linebacker

Today marks the first in what I hope will be an ongoing series of entries focused on End User Defense. The end user is the single point of exploitation that cannot be protected with hardware/software and is vulnerable primarily due to ignorance and a lack of awareness; awareness of both the trends and tactics of attackers and the dangers that result. Let us begin with using what most Americans should already know as a layer of defense: the English language. It will require some mental CPU cycles for sure, but being attentive to detail is a skill everyone should practice.

Fake antivirus attacks have been growing steadily since they first started popping up (literally) in 2006. Due to the success of this style of attack campaign, fake antivirus programs are getting new and improved capabilities. The original campaigns had one focus: defraud users of money with fear and a little social engineering/manipulation. As of late, the original focus is still going strong and quite profitable, but the attacks are also carrying more dangerous payloads beyond the obvious, turning infected machines into bots for additional nefarious purposes.

One of the easiest ways to thwart a fake antivirus attack is to use what we know against them: the English language. It’s no mystery that the majority of these attacks originate in Eastern Europe and Asia. Language barriers often get in the way of these attacks being as refined and accurate as they could be which leaves an opening for us as users to identify and evade an attack. The reality is the most obvious giveaway that something is not right when you’re presented with a trojan is the words used to engineer the user. This holds true in web based attacks as well as spam/phishing e-mail attacks

The gang at F-Secure recently had a great blog post citing some examples. You might have to look a bit for the errors, but most of them are fairly obvious that they shouldn’t have made it through a development and testing cycle from a legitimate corporation.

Our defense is to exploit the attacker’s weakness crossing the language barrier to identify and avert an attack before it’s too late. If you ever get a pop-up or prompt that seems a bit unexpected and attempts to catch you off guard, look at the language being presented. Is it grammatically correct? Are words misspelled or misplaced or just don’t sound right when read aloud? If so, then there’s a good chance it’s malicious.

The best way to avert such an attack of pop-ups or prompts is ALT-F4 (press and hold the ALT key while pressing F4). ALT-F4 is a shortcut key in Window that closes whatever application has focus (meaning the window that is currently selected and staring you down). That key combination will close the window without requiring you to click or otherwise interact with the attack. Clicking the red X at the top of the window is risky as many attacks use graphics that are linked to malware to entice the user to click the evil red X instead of the Windows one (if you’re even presented with a real Windows one).

Not all applications with typos are evil, so be alert. Pay attention to the details. If you’re getting a pop-up for something you think is legit and interests you, take note of the company providing the service/product and Google the company. A little leg work to validate your perception doesn’t take long and sure beats reinstalling Windows and the potential loss of data or worse.

You, Your Company, and Some Asshats in Eastern Europe

We in security see slivers of this just about everyday. The Washington Post has an article titled Eastern European Cyber Criminals Target US Businesses. It’s the same old (spear) phishing scheme…with a little trojan or browser based exploit thrown in. As easy as it was to infect and defraud residential users, it’s apparently just as easy and more profitable if they target the place where you work. It’s really a twofer as the untold story here could lie in the status of the Comptroller or Treasurer’s personal finances when all was said and done.

Fraud via computer technology is a big money game. If you have money and use a computer consider yourself a target. Yes, it is that simple. From online shopping and online banking to social networking, everything you do online sprinkles little pieces of you and your money all over the web. Sure they use trojans/rootkits to gather the intelligence, but they have to get them on the machines in the first place and to do that you need to go phishing.

So please, think before you do anything online. They are after your money as much as your employer’s. Don’t open attachments you aren’t expecting….period. Confirm with the person purportedly sending it by phone or in person before opening it. Likewise, don’t click on links in e-mail. If you don’t know how to tell the real destination of a link in an e-mail, then don’t risk the click. Before logging into to pay bills ask yourself if your computer has had any issues lately? Blue screens? Errors or popups? If you’re not 100% certain your computer is clean, get help. The following won’t stop everything, but they’ll definitely help and they’re free.

AVG Free Edition

Avira Antivir Free

F-Secure Online Scanner

Windows Live OneCare Safety Scanner (They rate a lot better than anyone is giving them credit for in detections of current threats.)

TrendMicro HouseCall

Be smart, because I promise you there are people much smarter than you who want your money…and you and your actions are the only thing standing in their way.