Microsoft Releases Emergency Patch

The same principles behind gaining a root shell on a Unix system apply to Windows systems, allowing an attacker to execute code remotely.

Today Microsoft released an emergency patch with a maximum severity rating of “Critical” for Windows 2000 SP4, Windows XP SP1, SP2 and SP3, and Windows 2003, and with a severity rating of “Important” for Windows Vista and Windows 2008 servers.

In this instance the attacker crafts an RPC request over TCP port 139 and/or 445 to the target system in order to overflow the buffer and execute code remotely. This gives the attacker full access to the system: the ability to install programs; view, change or delete data; or create accounts.

The Microsoft Security Bulletin MS08-067 provides details on the issue as well as the download links to the patches for the affected platforms.

The vulnerability is an unchecked buffer in the “Server Service”, which provides RPC, file and print sharing, and named pipe support over the network.

Microsoft has acknowledged that criminals have been targeting systems with this vulnerability for the last three weeks, and decided to rush out the patch after handling close to 100 related incidents and seeing that number rise significantly.

As I wrote in my past blog post, Root Shell – The Holy Grail, it is very likely that a worm will surface on the Internet taking advantage of the gap between the patch release date and when the patch is actually applied by IT departments worldwide.

Install the patch immediately if you are running any of the affected systems, and if you are running anything older, upgrade.


UPDATE: 9:21pm – Definitely did not expect it to happen this soon, but the New York Times is reporting that attack code to exploit the vulnerability has surfaced just hours after the patch was announced. This vulnerability is so serious that a worm with viral characteristics could be Blaster all over again.

Auditing SMS and PIN Messages on a BES

Contrary to the popular belief that it is not possible to log SMS messages on a BlackBerry, here are instructions on how to do just that.

Although SMS messages never actually pass through the BlackBerry Enterprise Server (BES) when they are sent or received, as of version 4.1 it is possible to have the BES synchronize all SMS and PIN messages to the server, which allows them to be logged.

To modify the settings for PIN and SMS message logging, complete the following steps:

  1. Open BlackBerry Manager and select the BlackBerry Enterprise Server to be modified.
  2. Select the Server Configuration tab and click Edit Properties.
  3. Click Sync Server.
  4. Double-click Audit Root Directory.
  5. To save the log files, type the file path where the files are to be saved and click OK.
  6. In the left pane, click BlackBerry Domain.
  7. Select the Global tab and click Edit Properties.
  8. Click IT Policy.
  9. In the IT Policy Administration section, double-click IT Policies.
  10. Select one of the policies in the list.
  11. Click Properties > PIM Sync Policy Group.
  12. To monitor SMS or BlackBerry smartphone PIN messages, complete the following sub-steps:
    1. Click Disable SMS Messages Wireless Sync.
    2. In the drop-down list, select False.
    3. Click Disable PIN Messages Wireless Sync.
    4. In the drop-down list, select False.
  13. Click OK to close the open windows.
  14. Restart the BlackBerry Synchronization Service.


Employees Cause Most Corporate Data Loss

According to a new study (PDF, info required) from Compuware, IT departments should take a bow—only 1 percent of corporate data losses this past year were due to hackers. Unfortunately, the good news mostly ends there. Negligent employees are far and away the largest cause of data breaches, but IT managers also listed outsourcing and malicious employees (possibly ex-employees as well, one assumes) as two significant reasons why data breaches often occur.

Security threats have been and continue to be ignored by corporations and institutions, despite a laundry list of laws that mandate that data be kept safe and private. This is most prevalent in smaller private companies and institutions, where, unfortunately, management just doesn’t care.

I have been in many potential “whistle-blower” situations and gone to great lengths to explain imminent dangers, their fixes and the law. Unfortunately, since my interpretation of the law goes against management’s self-indulgent wishes, the risks persisted.

It is well known that even though a good perimeter firewall/IDS combination will deter most attacks, attacks originating from within the network, which bypass the firewall entirely, are more than twice as likely as threats from outside the network.

Whether it’s an infected laptop from a visitor, a key-logger on an administrative system or a disgruntled employee engaging in a deliberate attack, a security breach from inside the network is far more likely.

Several steps must be taken in order to protect the data, and all revolve around taking information security seriously.

  • Training, Training, Training
    In my experience one of the biggest security risks anywhere is the lack of understanding regarding computer systems and the technical aspects of data security. Users are told how important “safeguarding” data is, but not the technical reasons why data should be stored in a specific place.
  • Network Access Control
    Not knowing who is on your network is like not knowing who is in your building. Let’s ponder this statement a little more. How valuable is client information, customer credit cards or social security numbers? Is it as valuable as money? Would you leave money lying around? Would the money be in a safe or vault?
    Wouldn’t it be important for you to know who is near or in the safe?
    I would be willing to bet on what I would hear from a network admin if I asked who or what is on their network: an empty stare and the “Sounds of Silence”.
  • Policies and Procedures
    Here’s a novel idea. Let’s put all the money in the bank vault and not leave it in drawers or on desks!

    The best chance of protecting something is achieved if it’s all in one place. Remember, security is only as strong as the weakest link. To accomplish this, confidential data should not be stored on individual computer systems, and as computer equipment leaves the company any remaining data must be erased.
    A popular application for this is Identity Finder, which scans your PC for confidential information, including credit card and Social Security numbers, and gives you the capability to permanently delete it from the hard drive.

Identity theft statistics point to over 226 million data records of U.S. residents having been exposed due to security breaches since February 2005, which is extremely alarming.

The most common forms of identity theft:

  • Credit card fraud (25%)
  • Phone or utilities fraud (16%)
  • Bank fraud (16%)
  • Employment fraud (14%)
  • Government documents/benefits fraud (10%)
  • Loan fraud (5%)


Root Shell – The Holy Grail

The “Holy Grail” of any attack is the creation of a root shell. On UNIX/Linux, the “root” user is a superuser account that has the capability of running any process on the machine. An exploit will attempt to gain root access to a system by obtaining a root shell prompt from which any command can be executed.

The hacker attacks a system by running an exploit script that breaks in and then establishes a root shell bound to a TCP connection, which allows the attacker to enter commands into the system remotely.

There are basically three ways that these shells can be bound to a TCP connection:

  1. Conversion – The TCP connection used to exploit the server (such as SMTP, DNS, FTP) is converted into a shell prompt.
  2. Listen – The most popular method is to register a shell (/bin/sh, /bin/ksh, etc.) within a service bound to a particular port.
  3. Connect – The exploit creates an outbound connection back to the attacker.
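From a defender's seat all three bindings end the same way on a Linux host: a shell process whose standard input and output are a TCP socket. The following is an added example (mine, not from the original post) that flags such processes by joining each process's fd 0-2 from /proc with the inode table in /proc/net/tcp; the SAMPLE_* data is constructed, and collect_live() reads the real /proc when run on Linux.

```python
import os
import socket
import struct

SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "csh"}  # comm values treated as shells

def parse_hex_endpoint(hexaddr):
    """'0100007F:0016' -> ('127.0.0.1', 22); IPv4 is printed in host (little-endian) order."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Map socket inode -> {'local', 'remote', 'state'} from the text of /proc/net/tcp."""
    table = {}
    for f in (line.split() for line in text.splitlines()[1:]):  # line 0 is the header
        if len(f) >= 10:
            table[int(f[9])] = {"local": parse_hex_endpoint(f[1]),
                                "remote": parse_hex_endpoint(f[2]), "state": f[3]}
    return table

def find_socket_shells(procs, tcp):
    """procs: [{'pid', 'comm', 'fds': {fd: readlink target}}] -> shells whose stdio is a live TCP socket."""
    hits = []
    for p in (p for p in procs if p["comm"] in SHELLS):
        for fd in (0, 1, 2):
            target = p["fds"].get(fd, "")  # e.g. 'socket:[40122]' or '/dev/pts/0'
            conn = tcp.get(int(target[8:-1])) if target.startswith("socket:[") else None
            if conn and conn["state"] == "01":  # 01 = ESTABLISHED (0A would be LISTEN)
                hits.append({"pid": p["pid"], "comm": p["comm"], "fd": fd, **conn})
                break  # one finding per process is enough
    return hits

def collect_live():  # snapshot comm and fd 0-2 of every process from the real /proc (Linux)
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fds = {fd: os.readlink(f"/proc/{pid}/fd/{fd}") for fd in (0, 1, 2)
                   if os.path.lexists(f"/proc/{pid}/fd/{fd}")}
            procs.append({"pid": int(pid), "comm": open(f"/proc/{pid}/comm").read().strip(), "fds": fds})
        except OSError:
            pass  # process exited meanwhile, or its fd table needs root to read
    return procs

# Constructed sample, not captured from a host: pid 4242 is a bash whose stdio is the
# established connection on inode 40122 (local 10.0.2.15:8080, remote 10.0.2.1:50000).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   1: 0F02000A:1F90 0102000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 40122 1 0 20 4 2 10 -1
"""
SAMPLE_PROCS = [
    {"pid": 4242, "comm": "bash", "fds": {0: "socket:[40122]", 1: "socket:[40122]", 2: "socket:[40122]"}},
    {"pid": 1001, "comm": "bash", "fds": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}},  # normal tty
]
```

On a live host call `find_socket_shells(collect_live(), parse_proc_net_tcp(open("/proc/net/tcp").read()))`; IPv6 connections live in /proc/net/tcp6 and are not covered here.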

In the early days, these exploits were developed by the “leet” hackers using reverse engineering and/or trial and error to see how applications and systems behaved when unexpected packets were sent their way.

Later, tools started to appear in the wild on the Internet, which gave rise to the term “Script Kiddie”: people without the ability to write hacking programs of their own could now target machines on the Internet.

On the security consultant side, vendors in the late 80s and early 90s provided extremely expensive equipment/software such as NetTest, NetScout Systems and Sniffer Technologies as well as automated scanning tools such as ISS’ Internet Scanner.

Online vulnerability repositories like http://rootshell.org were used to target specific applications and determine the actual level of threat.

With the open-source movement, many of these high-end tools have become widely available and have matched, and in some cases surpassed, their proprietary counterparts. Examples are Ethereal (which later became Wireshark), Nmap and Nessus.

Rootshell.org has since disappeared and been replaced by Milw0rm.com, an online exploit database. Hacking tools have become much more sophisticated in method and automation; for instance the “Metasploit Project” provides information about security vulnerabilities and aids penetration testing, with the capability of querying exploit databases in real time to scan for and attack the most recent vulnerabilities.

This without a doubt raises serious questions about the approach security professionals and system administrators need to take to protect and guard their systems.

We are well past the point when hacking was only for the elite: ill-intentioned people can now monitor the security patches released by vendors and use the window of time between a patch’s release date and when it is actually applied to make mischief.
