Everything 2.0

I've been sharing security issues related to enterprise setting in my previous posts and this time around I'll move my focus to the place where we live and love, our home.

Let's rewind a few years back, say 5 years? We organically had handful of cables connecting to entertainment equipments whether in living rooms or bedrooms. Remember those bulky cables like RCA, component cables, and for certain audiophiles, there were optical S/PDIF (TOSLINK) cables meshed behind the TV stand? Main contributors to these cable mess were VCR, DVD player, satellite receiver, home theaters and whatnot for living room.

Fast forward to the present day, those bulk of cables are now largely replaced by the adoption of HDMI for various devices, and there is one more, Ethernet cable or WiFi to offer the extension of Web 2.0 beyond our computing devices. If you happened to purchase anything ranging from Bluray player to Smart TV to AV receiver recently, you are in the club of Everything 2.0 which means they have either or both of network connection mentioned above.

Now, let me bring up the reason why I pick up these devices and how they are leveraging the same (if not, more) security awareness as in corporate networks. While connected to the Internet, the rule of thumb is that you are vulnerable whether you are at home or at office. In fact, if you are at office you are considerably safer than in your home (and if you don't get this feeling, make some noise to your IT boss) provided that there are layers of security such as firewall, IPS, email gateway and so forth. So the network services you receive at your workplace could do less harm to your personal life.

So we could put up a list of average household items that we might have for infotainment.

1. Smart TV
2. Apple TV
3. Set-top box
4. AV receiver
5. Bluray player
6. HTPC
7. NAS with DLNA support

And what makes me concerned of security at home with these toys? Network connection is one thing, yet another thing, they have something more serious, operating systems or firmware. For computers, we are more or less familiar to do software updates or even for smartphones we would naturally apply the OTA releases when pushed from the service providers. This is where the gap comes in. How often your instinct tells you to update your bluray player's firmware, with "Java" running inside, too common in almost all players and receivers sold today? And if your answer is somewhat between "No" and "should I?", you've been warned.

For customers of Hulu, Netflix or other pay-per-streaming services, these devices happily store your credentials as soon as you sign in. Another factor is that your home network is as secure as the strength of your home routers, in case you happened to own Huawei routers, please accept my sympathy. In addition, the release of Cloud-manageable home routers from Cisco - Linksys (yes, I mean EA series) which opened more possibilities to be exploited.

When I read this post about Java ME (embedded version 3.2), it gave me a chill because in near future, we may be seeing Stuxnet-like attacks to them as it was for Siemens SCADA. I dearly hope it doesn't materialize by any chance, if it were, the scale would be humongous.

So, in order to round things up, you have to ensure those devices listed above can receive updates, and better yet, apply the update automatically. Be on alert to periodically, if not religiously, check firmware updates for your home gateway. In some cases, if you have been using port forwarding (PAT) on your router to access other devices like wireless camera, make sure you put a STRONG password.

Over and out. À bientôt.

APT, AET and IPS (Part TWO) - A quick revisit to OWASP

For those waiting after the part one, apologies to keep you stranded as I was tied up for few days for mitigation of Zeus (yes, we've got some in network, no very proud of but was a true story caused by wireless guests) and it was a good time to give some exercise to IRT monkeys.

Let's pick up where we left.

Before Stonesoft introduced Evader back in July at Black Hat 2012, there were some tough time to test evasion techniques within the network. With the tool, many IT security folks can leverage some of the advanced evasions which are already in the wild without raising any alerts in normal IPS or NGFW, and conduct effective POC to validate where they stand in this scenario.

The following list will show some of possible evasion techniques we can expect.

1. Encoding
2. Obfuscation
3. Tunneling
4. Injection

Any of them can be combined to establish phone-home connection from botnets to C&C servers that we have already seen.

1. Encoding

While I found this diagram very useful to explain what levels of application and interaction in Web 2.0 era, this is also true for some of the malwares that are already based on this architecture.

Ref: Semantic Web Architecture in layers

Let's start from the beginning to set the scene. I'll make it as much readable as I could to keep you entertain.
URI - Uniform Resource Identifier
RDF -  Resource Description Framework
RDFS - RDF Schema
SPARQL - Simple Protocol and RDF Query Language
OWL - Web Ontology Language
RIF/SWRL - Rule Interchange Format/Semantic Web Rule Language


Whilst the original architecture was to enhance information shared on WWW, I will utilize it as the basic of encoding evasion techniques. For this topic sake, I'll just emphasize on UNICODE, URI and Cryptography.

First, UNICODE. It is a known method in XSS (OWASP 2010 - A2). It can be used to mask the malicious web requests and other HTTP URI-based attacks. URI has been in used for directory traversal attacks and when such requests use encoding, a poorly configured web server is vulnerable to unauthorized information disclosure.

As the main purpose of today's malware is to stay under the radar, additional efforts have been done to secure the communication channel between the infected host and the bot controller using encryption. In early days, cybercriminals used RC4 to hide payload, communication or code. Some have gone further miles by using AES or customized encryption.

2. Obfuscation

This has long been used for legitimate purposes for developers to protect their codes from being reverse-engineered by others, especially in OOP languages. The use of obfuscation has been grown widely as it can be seen in phishing, Javascript-embedded documents and again XSS just to list a few.

3. Tunneling

Here comes my favorite part. As we slowly adopt the transition to IPv6, there has never been a better time to find more and more tunneling methods in the network to support new and existing application and infrastructure. When we think about about tunneling, let's consider some remote administration tools that are already in play. An array of LogMeIn, TeamViewer, GoToMyPC and infamous Ammyy (associated with scamming, 1 and 2) use tunneling via standard http or https ports based on the fact that these are generally unrestricted traffic.

Another issue is encapsulation. For example, 6to4 tunneling is a kind of encapsulated traffic on native IPv4 environment (RFC6343, RFC3964). As mentioned in the latter, there are four identified attacks to 6to4 tunnels.

a) Attacks with Neighbor Discovery (ND) Messages
b) Spoofing traffic to 6to4 nodes
c) Reflecting traffic from 6to4 nodes
d) Local IPv4 broadcast attack

A fine details of security concerns on IP Tunneling is explained in RFC6169.

4. Injection

Last but not least, I save the best for the last. This issue has topped OWASP 2010 as A1 and personally I believe it will maintain its position should the OWASP refresh their Top 10.

When you hear about injection, the first thing would come to your mind might be SQLi and for a fact, this has been in the news most often than others. A recent revelation about Sony attack was a good highlight of how prevalent the exploitation can be. We can break down injections into following categories, sorted by severity.

a) SQL injection
b) Shell command injection
c) Script injection
d) File injection

a) SQL injection
Such injections can occur when the developers allow the user-side to create dynamic queries based on supplied inputs. The reason of having highest severity is simple. It can be applied to ANY database with ANY programming language. Do I have your attention now? So what can we do to restrict and prevent this vulnerability. Here's how.

i) Use parameterized queries
ii) Use stored procedures
iii) Use escaping schemes

I ain't no DBA, but had a good time reading this Cheat Sheet to recall my days with SQL Server 2000 and MySQL.

b) Shell command injection
Yet another malicious traffic can be seen within HTTP and HTTPS is the shell injection. The can vary from real shell commands to other utility programs depending on how the web server is set up. The culprit of this is that all injected codes will execute at same privilege as the web application. Again, how do we defend this? You can locate the following items and filter if deemed suspicious.

i) HTTP header
ii) HTTP post
iii) form items
iv) hidden fields
and so on.

We should validate any inputs passed from the interface before they are processed and executed.

c) Script injection
I don't think this one requires much introduction. To name a few well-known scripts, we can start with these.

i) HTML - a very nice description of this was done by Gunter Ollmann
ii) ASP
iii) Javascript
iv) PHP
v) CGI
vi) LDAP

Again, we can better fence them off by input validation and sanitization.

d) File injection
Known as remote file inclusion and usually associated with CMS components. This attack could cause one or combination of damage from the list.

i) server-side code execution

ii) client-side code execution, followed by XSS
iii) DoS
iv) data disclosure

If you start to feel this post sways from its purpose, please don't. By now, you get to familiarize what can you see and look out for specific things in your existing IPS traffic. I guess we already have more than enough confidence to suspect all inbound and outbound data and we need to ensure adequate and sufficient filters are enabled. By adequate means we are not disrupting any legitimate flow and by sufficient means you have got to make sure to follow up the logs and/or packet captures gathered by these filters.

Con te partirò, Java?

When I first read this article exactly six weeks ago, I was thinking C'mon, yet another marketing stance to promote .Net. Fast forward today, we've learned a shameful (sorry, painful) disclosure made on pastebin, the very same (or just variant) of what Matt Oh mentioned, AtomicReferenceArray (CVE-2012-0507) was used to exploit one 3-letter Special Agent's notebook.

With the recent spate of Java vulnerabilities, now it is well above 'concerned' state in every network security personnel. Firefox 15 and 16 disables those affected, unpatched Java plugins as soon as they installed. Users are required to update should they (really) need to use those plugins. Don't be shy to periodically check your Firefox plugins. Another noteworthy resource from Rapid7, www.isjavaexploitable.com will detect with their own Java test to determine whether your browser has necessary updates.

If you see something like this, you can sleep easy (for today).

Besides user intervention for checking updates, let's do a reality check, do we really need Java?

As Chester Wisniewski of Sophos described, the most consumers do not need JRE, only for corporate users who need WebEx and GoToMeeting to work. That article also outlined some useful workarounds to protect against further vulnerabilities. For enterprise environments, there was a chaos due to new updates received for IPS last week and two days later, there were new vulnerabilities discovered.

Last time, Apple decided to disable Java upon new patch. Users will need to enable it and if it isn't used for some time, it will go back to 'sleep'.

When Andrew Brandt gave in the epic weakest link of current security, using Fort Knox as an example, I would have said the same thing.

So long, Java. See you when I see you!!!