news from the noc – penetrated

Our onsite office security audit/pen-test has begun in earnest late this afternoon by doing some quick full scans and hitting our servers and network infrastructure.

The two testers loaded up some initial tools. The Mac user loaded Rendezvous Browser and immediately spotted some interesting things. First, he was able to locate our printers with little effort. Second, he was able to spot our two Mac computers. Third, he spotted 4 iTunes users (2 Macs, and 2 iPods). Fourth, he spotted two iTunes installs that had open guest listening. Fifth, one of the Macs had Appleshare turned on. And lastly, shared on that Appleshare was a licensed piece of software which I am unsure is licensed or not. Whew…all in minutes with one unobtrusive free tool.

Pen-testing kicked off later. The Mac user ran down an nmap scan while the PC user loaded up and struck up the ISS Internet Scanner program. They also talked about using John the Ripper, Cerberus, and kismet (wireless) for further testing.

A number of things were spotted, and I’ll just go through a laundry list for my own benefit…please remember, this is just day 1/2.

  • we allow open email access, i.e. people can download hotmail mail. Also, SSL mail is not enforced.
  • Two of our switches have old firmware which is easily overrun.
  • Our switches have HTTP turned on, which is not cool.
  • Domain password policies do not seem to be working globally. Some passwords are beyond easy.
  • People running as local admin appeared to be of some concern, since that allows circumvention of acceptable use policies.

At any rate, I’m not terribly surprised by the results, and this sort of thing excites the heck out of me, especially to see tools and users like this running away and basically verifying what I’ve always known about how to use these tools effectively, but have just never had the confirmation that I’m down with the knowledge. I am, however, concerned with what they find, since every bit they find will mean additional talking about why it is bad, and additional time spent to mop it up or attempt to wrest.

the wrong reasons to blog

Been looking for links to put on this site, links of active and useful sites that I can peruse and browse when I have the time; sites that will benefit me personally or professional in my chosen areas of interest.

However, it is far too often that I come across blog-like sites that have one post in the past 4 months, or a recent post about how the author has to suspend the site for this reason or that.

Now, I know people love to self-publish and feel important, but I think some people have latched onto this whole “blog” culture far too heavily and for the wrong reasons. I think people think they have some weird insights into life or an industry…insights that other people don’t have and thus want to read about from them.

Anyway, here’s an example post that I’m going to use to dissipate this diatribe before I get carried away:

I feel exactly like decafbad wondering why he would be recycling all the news the rest of the world is talking about. Well, at least he has 889 subscribers using Bloglines (and I guess a lot more in reality) as of today, which is much.. really much more than I have 🙂 This means there’s probably more than a thousand people who care about what he says. That could be some stimulant maybe? Well, as for me, I’m actually very surprised that you’re even reading this, as chances are very very little that you would. Anyways, the point of this post: there is just so much happening outside which I just want to know about. And then, having read all stuff, I’m just tired, having no idea what’s interesting anough to blog about. Is there really anything that you user want me to talk about. Then please please let me know, because me is out of ideas and on the brink of quitting

Anyway, I’m happy to say that I “blog” (God knows I hate that word and term and “culture…” I keep journals damnit!) for myself, and for myself alone. Some other people might read this (although I’m trying to keep it private), but really..this is for me. I have this site to compose my thoughts, continue writing to keep in practice, assimilate the many sites and bits of information that zing past my eyes and ears on any given day that I might find useful at some point in the future. I work in a field that encompasses such knowledge and bredth of technology that it is already overwhelming (and that’s not getting into how rapidly and fully it changes every day). Anything I can do to filter it for my own use will be something I will be grateful for in the future.

Hehe, this is why I “journal” and this is my manifesto.

news from the noc

Next week we have a security audit for 5 days on our local network; basically inside the company from the perspective of an insider or someone who has gained some sort of access to the inside (either on the network or physical access).

Will we pass? I truly think so, since we’re not morons about what is secure or not. I think companies that fail things like this are the ones who have a nonexistent or weak IT department. We, however, have enough of an IT department to more than provide the necessary baseline of defense and diligence.

Will it be pretty? I don’t think so. I know there are many issues that I could come up with with our local systems, but sometimes there is just no justification in devoting the time and the limiting of user “freedom” in order to make things much more secure. I think too many people have no idea about such technical things and what security means in terms of limiting usability in the process.

Some issues I could point out immediately:
– sniffing passwords would be trivial over our wire; FTP, HTTP, and POP3 are all over the place. Email is also obviously readable. Considering we are a web app technology provider, a few months of password harvesting in such a manner would gather a huge foothold into many things.
– employees have local administrator rights on their computers, which means they can install anything they want, including worms, keyloggers, and malicious tools. They also have unfettered access to local SAM files.
– wireless is in heavy, but non-critical use, which means less money is devoted to it than critical things like actual network access on the wired network, making the potential for wireless DDOS fairly high (recently released vulnerabilities inherent in 802.11b (and g I think) illustrate that once an AP drops under 20mbps, someone up to 2 km away can send traffic to the AP that basically closes it to all traffic indefinitely). I don’t like such unnecessary and widespread wireless activity.
– widespread laptop use means our effective network spreads to user home networks, which tend to be far less protected. Vulnerabilities in home networks suddenly pose a threat to our protected network when someone is infected with a worm at home and brings it into the work network.

I could go on, but I think the bottom line to any issue we have stems from two causes:

– lack of manpower to implement improvements and reearch. Our team spends most of its time dealing with actual open issues, and many things rarely get looked at until it rises to emergency level (or someone higher up gets whiff of the issue and applies pressure that basically makes it critical). This also means we all do only what we know, and any learning is done “while under fire” or on our own time.
– lack of knowledge and awareness (training) in the areas of personal computing and security.

Back to the security audit, I’m quite happily excited to be going through it. Not only do I get to see what people in such jobs do, but I finally get some third-party validation and insight into my network and my systems. Perhaps their feedback reports will help fuel reasons to pursue avenues of improvement in various areas. Who knows, maybe they will be more impressed than I expect, and we’ll all get a round of congrats…but honestly, I like constructive criticism on things that are wrong more than I do validation that everything is fine. I want something to be wrong, so to “keep it real” and improving.

using Google for easy Web hacking

I’ve known this for some time, but finally have a good post to link. Tom’s Hardware has a review of a Black Hat dat talk about the dangers and uses of Google in hacking.

I firmly believe that famed Adrian Lamo, the “drifter” hacker who performed his hacks using only a web browser and open cybercafe computers, utilized search engines in smart ways to find vulnerable sites.

You can easily do a search for the title of a web admin interface page and come up with potentially unprotected hits. For instance, I once found an open Linksys WRT54G web interface by typing in some combination of text that is found on the admin web interface. Limit a search for “admin” to a particular domain or company, and you might just find pages that some admin thought were hidden because no pages linked to them and they weren’t know…i.e. they thought obscurity was enough security.

Just think, using Google to look up default and running VNC installs open to the public…just connect and 0wn.

bagle.X semi-infection

Today a user reported that her local Antivirus software popped up a message about a Bagel.X worm being present. She swiftly reported it to someone nearby who got me involved, and also took a screenshot of the warning: “File Deleted.” I liked the Deleted part, but having an actual worm is not a good sign.

AC reported drvdll.OPENEXE as the offending file, and promptly deleted it, which removed any chance I had of determining the date of creation of the file.

After talking to the employee, she turns her computer off every night and had not clicked on or opened any attachments with just one exception: she had just gone to and downloaded a new user download of AIM software (and along with it, the Weatherbug and WildTangent installs that piggyback along), Right after installation, the AV warning came up.

I did more checking on the system, and found one more piece of evidence of an infection: In the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run was a key to start up the offending executable file upon next reboot.

Being a Bagle worm, I attempted normal programs like netstat to see if the worm was running and terminating such processes (like it does and should) and to see if the telltale backdoor had been dropped on a high port. Nothing came back positive. I also examined the running processes using ProcExplore from SysInternals for the telltale Skynet mutex…again, no sign of it.

I determined that this worm infection was brand new, and did not execute itself. However, it was poised to execute on the next computer reboot if AV and an alert employee had not intervened.

The insertion vector? I can only guess that it piggybacked on with an AIM installation (waiting and scanning the news for this incident if it did happen) or the new exploit in AIM dealing with Away msg URL buffer overflows was somehow encountered (although I consider this latter case to be highly unlikely).

Bottomline in all of this: I am getting faster and more thorough with diagnosing desktop incidents like this…and I am becoming more confident and versed in my chosen toolkit to assist in such issues.

remoteregistry issues

For the past few months there has been a very minor and seemingly random issue where antivirus was not able to be pushed out from a server to an XP workstation. Other small issues continued to develop as more and more XP workstations were rolled out to new employees. Some of DameWare’s tools were not responding properly, and other network tools like psservice would simply return a “network path not found” even though I could ping the heck out of the device.

Today, I was attempting to “patch” systems with a registry key that would block XP SP2 from being rolled out. However, some, but not all, of the recent XP machines that I have rolled out were giving me the dreaded “network path not found” message. Finally, I took the time to tackle this odd little issue.

I checked the Event Log on a whim, and noticed a number of entries for a failure to start a DCOM server with the message “Access is denied” and an eventid of 10000. I narrowed this down to an issue with the WMI controls not having access to start up. At about the same time I realized that the normally Automatic service, RemoteRegistry, was not starting on the offending machines, but was started just fine on machines that had no issues. Putting three and three together, the DCOM event log errors were logged every time this service attempted to start, and an access denied pointed back to a security setting I implement on new machines: limiting the NTFS permissions for the C: drive.

After some googling now that I knew what to look for, I found that I needed to restore the “MACHINE\Local Service” account to Modify/Read/List Contents/Write access to the C:\%SYSTEM% folder. This change did not have to be implemented through the subdirs, but rather just on that particular directory.

Once this permission was restored, things worked great. I used DameWare to browse and set NTFS permissons on offending systems. Psservice then let me remotely start up the RemoteRegistry service, and another command line let me run the BlockXPSP2.cmd file to “patch” the system up.

Definitely pissed me off for a while that I had to be troubleshooting this issue, but so very rewarding to finally clear it up, and in the process clear up some other smallers issues from the past. Needless to say, the “install” docs for setting up new computers have been updated…

news from the noc

Nothing much to say from the NOC today. My regular desk out on the floor is being taken away and I’m moving all my stuff into the NOC, which is just fine by me. Otherwise much of the day was spent organizing current things and working on documentation. Documentation amongst us admins is pitifully spotty and incomplete. This is a new area that we are working on fixing up. The first item of business: making a document on documentation.

stop hot-linking of images

Here is a forum post describing how to stop hot-linking of images from your website by others, including a means to create a public folder that can be hot-linked from. Pretty useful, and not something that I configure every day, or even every month, but not a tidbit I really want to lose after 12 months either.

Posted in web