Category: security

Electronic or Computer Log Categories

I have been working on various SIEM (Security Information and Event Management) and log retention policy related projects lately. Through these projects, and others that I did as a security consultant, I have developed a list of log categories (or log types).

Surprisingly, I have found little to no authoritative document that provides such a list.

I have read through various RFCs, The NIST SP 800-52 Guide to Computer Security Log Management and a large number of other documents. And still not found a comparable list.

Because of the lack of existing lists I wanted to post what I have come up with in hopes that it will help others seeking out the same information, or at least generate conversation and point out other resources or types that I may have missed.

  1. Audit Trails: logs that document application or OS changes made and/or specific actions taken by a user. Also includes “object access/change” logs… This would include output from change management systems and system integrity logs like tripwire produces
  2. Event Logs: internal system or application events that are not specific to a user or user generated
  3. Traffic/Access Logs: web server hit logs, contain url accessed, visitor ip, browser, ect.
  4. Filter device Logs: allow/denies from: firewall, ips, acl enforcing routers, ect.
  5. Exception Logs: error logs
  6. Network Traces: packet captures, flow data, ect.
  7. Authentication Logs: login/log out/invalid logins and session tracking
  8. Physical Access Logs: visitor log, biometric/badge/token door logs
  9. Transaction Logs: database generated
  10. Data Logger: statistical or numeric data. Data center environmental monitors, web hit counters, manufacturing equipment output data, ect.

Obviously some systems would lump data from multiple categories into one physical file. This is where a good parser or SIEM product would come into play.

These categories also only include log data that would generally be ‘computer generated’ and are to be considered top level categories. Many different sub categories may exist under each.

Chinese Hard Drive Manufacturer Embeds Trojan

“Around 1,800 of the portable Maxtor hard discs, produced in Thailand, carried two Trojan horse viruses: autorun.inf and ghost.pif, the bureau under the Ministry of Justice said.”

“The affected hard discs are Maxtor Basics 500G discs.”

“The bureau said that hard discs with such a large capacity are usually used by government agencies to store databases and other information.”

“Sensitive information may have already been intercepted by Beijing through the two Web sites, the bureau said.”

source: http://www.taipeitimes.com/News/taiwan/archives/2007/11/11/2003387202

This sounds rather sensational, eh? I certainly hope it is.

Lets start with the “carried two Trojan horse viruses” part. This is a common mistake made by writers who don’t know anything about technology or information security. The word “viruses” is incorrect. To qualify as a virus the malicious software would require a propagation mechanism. As best I can tell from the articles, this is just a run of the mill trojan.

Next we see that they believe a hard drive shipped to a defense contractor or government agency wouldn’t be formated before being put into production. I will admit that from time to time large organizations may seem inept (none of us are as dumb as all of us) but policy and procedure should be in place to prevent things like this.

The same hysteria came about in May of 06 with Lenovo at which time I made the same argument. The only difference in this case is that this is an actual threat instead of a perceived threat.

In the article it also says…

“The tainted portable hard disc uploads any information saved on the computer automatically and without the owner’s knowledge to www.nice8.org and www.we168.org, the bureau said.”

So following this trail starting with nice8.org we come up with;

Domain ID:D145807509-LROR
Domain Name:NICE8.ORG
Created On:11-May-2007 07:20:24 UTC
Last Updated On:27-Sep-2007 05:57:07 UTC
Expiration Date:11-May-2008 07:20:24 UTC
Sponsoring Registrar:Xin Net Technology Corporation (R118-LROR)
Status:OK
Registrant ID:JHV8DUH7W9TIL
Registrant Name:ga ga
Registrant Organization:gaga
Registrant Street1:gagaga
Registrant Street2:
Registrant Street3:
Registrant City:gaga
Registrant State/Province:Beijing
Registrant Postal Code:126631
Registrant Country:CN
Registrant Phone:+86.2164729393
Registrant Phone Ext.:
Registrant FAX:+86.2164660456
Registrant FAX Ext.:
Registrant Email:safsafsa@ca.ca

Apparently we are dealing an evil mastermind named “Ga ga” who lives on “gagaga street”.  I have heard grumblings of this mad man in the hacker underground.  Okay, so its made up… probably random keyboard bashing.  Dead end.  You get similar worthles results when whois’ing we168.0rg.  Both of which are down now.

Mac OS X Trojan in the Wild

There are reports of an in-the-wild Trojan horse program that targets
Mac OS X systems.  Users are encouraged to visit malware-serving sites
through spam messages in Mac forums.  The Trojan, which pretends to be
a QuickTime plug-in, can hijack users’ search results, sending them to
websites the attackers want them to visit.

http://isc.sans.org/diary.html?storyid=3595
http://www.scmagazineus.com/Trojan-targets-Mac-users/article/58290/

This is yet another example of malware exploiting stupidity and thats all.  I am sick of people jumping at every trivial little article they find regarding mac malware and saying “see, the mac isn’t safe either”.

First off, nothing is ‘safe’… just safer.  Second, you can have the most secure operating system in the world but if someone is stupid enough to install malicious software onto it then it will be infected just like windows.

When I see a self-propagating  worm that exploits a zero-day vulnerability in OS X, only then will I change my rant… but only slightly. 🙂

Microsofts ‘Stealth’ Update

Microsoft has done it again.

We receive reports from our WSUS server telling what updates are rolling out to what servers. So when I started receiving TripWire reports indicating files being altered on a bunch of windows boxes I got concerned.

I started opening the files with hex editors looking for strange junk and ran sigverif to see if files are properly signed. After doing that I detected nothing fishy.

So why did these files change?!

After doing a couple quick searches the answer became clear… Microsoft pushed some updates that it told no one about. These updates come even if you choose not to have updates downloaded automatically.

In this world of heightened security awareness, file integrity verification and patch pre-validation I can’t think of why they would do this.

I guess its just Microsoft’s way.

Juniper NetScreen Policy Configuration Cheat Sheet

NetScreen Config Cheat Sheet (Thumb)I use a lot of NetScreens at work and found myself sprawling notes containing syntax of different commands for the ScreenOS CLI (Command Line Interface). Being the OCD type of person I am, I decided I needed something more zazzy… yes, more zaz. So here is the pdf and original graffle of my NetScreen policy config cheat sheet.

Coming soon: “Netscreen VPN Cheat Sheet” and “NetScreen Debug Cheat Sheet

NetScreen Config Cheat Sheet (PDF)
md5: f69855226d84eccdfc8bc4cb64d527ea

Change Log 

06-08-2007: v1.4
Updated the “set policy” line to include dst_zone.

TippingPoint UnityOne Super User (root) Password Reset

Last night after doing about 20 google searches for every possible combination of words I was unable to locate the procedure on how to reset the root password on a tipping point IPS.

I was also unable to locate any sort of online manual.

I am making this post in hopes that google indexes it and it helps others that are attempting to do the same thing I was trying.

1. Attach a serial cable to the management port on the front of the unit. (set it to 153,000 bps)

2. Reboot the IPS. Obviously this will kill all traffic that would normally flow through the unit, so schedule it!

3. After it displays the “Tipping Point” ascii logo it will say “Loading”. Within 3 seconds of that type “mkey” and hit enter.

4. You will prompted for a default security level, username and new password.

Enjoy.

Microsoft’s .ANI Fix Timeline

Microsoft announced today that it will issue an urgent, out of cycle patch for the ‘recent’ animated cursor vulnerability (CVE-2007-0038)… a whole week ahead of its precious and ill-conceived patch tuesday.

Some would claim that this an example of Microsoft doing the right thing, getting urgent issues resolved quickly and cutting through their own patching release cycle. Upon closer examination you will find this to be false.

This vulnerability affects all version of MS Internet Explorer and Windows. All an attacker would have to do is embed a malicious animated cursor into a web page and anyone who visits the page is ‘auto-attacked’. Its important to keep in mind that sites like myspace allow anyone to modify their own pages and embed anything they like. Its also important to remember that hackers take over legitimate, commercial sites and embed their nastys. They get more bang for their buck that way.

To support my belief that MS is still only talking big and not following through, I present to you the time-line.

December 2006 – Determina discovers .ANI 0-day vulnerability and reports its findings to Microsoft
March 23 2007 – Microsoft releases MSIE patch MS05-020 to fix vulnerabilities related to this. This patch was shoddy and still allowed exploitation of this specific vulnerability
March 26 2007 – Security researchers start to see exploits for this vulnerability in the wild
March 27 2007 Determina releases their own ‘3rd party’ patch to mitigate this vulnerability
March 30 2007 eEye follows suite and releases their own patch
April 3 2007Microsoft releases MS07-017 ‘out of cycle’ to patch this bug

Exposure Times
System exposure since discovery: 93 days*
System exposure since active exploits discovered: 8 days

*This is a conservative estimate. The article states “In December 2006”. For fairness sake this figure assumes 12/31/06 but the figure could in fact be as large as 123 days, if it was discovered 12/01/06

sources:
http://www.determina.com/security_center/security_advisories/securityadvisory_0day_032907.asp
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0038

Pretexting

I have seen “pretexting” in the news far too much without commenting on it.

What is pretexting? According to wikipedia it is “the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone”.

So in other words its a specific type of social engineering. Or as I like to call it: fraud.

Lets not beat around the bush on this one. If you contact a company and pretend to be me in order to get information about me, or acquire a service or funds that you are not entitled to, you are committing fraud (and I will beat you down).

Having been the victim of both identity and credit theft, I take privacy very seriously. But yet even a thorough understanding of privacy and paranoia is still not enough.

The first time it happened someone forged my signature (convincingly too) to have all of my mail forwarded to Texas. The motivation on this one is still unclear, but it took the post office months to straighten my mail out.

The second time I was a victim of credit card “double-swipe”. While at a gas station in Ontario, CA someone swiped my debit card through a modified card reader. This reader recorded the information stored on the strip on the back of my card. They also recorded my CVV (the 3 digit code on the back of the card) and used the information to print a new magnetic strip and clone my debit card. It was used for ‘card in hand’ transactions in Toronto.

Neither of these events could have been prevented… by me. However with proper legislation our government could force private industry to implement effective safe guards against these sorts of attacks. Unfortunately until these safe guards are mandated or they become cost effective, they will never happen, and we as consumers will continue to suffer.

A prime example of this country moving in the wrong direction is the recent HP verdict. The top levels of the company condoned (nay, encouraged) pretexting and got off with no jail time.

And now we are seeing pretexting causing issues with xbox live.

We have to be clear with law makers that we will no longer sit by and let our personal data be stolen and sold.

Until we can convince law makers that this sort thing will not be tolerated all we can do is learn how to protect yourself and support organizations that are trying make things right.

Electronic Privacy Information Center (EPIC)
Identity Theft Resource Center
Privacy Rights Clearinghouse
Privacy Laws by State (source: Epic.org)

Navigation