Thursday, December 22, 2011

IAVM matched with CVE

I see that DISA has released a spreadsheet matching IAVMs to their corresponding CVE numbers.  This will be handy when you are matching patch findings with their CVE number.

You can find the spreadsheet here.

Thursday, December 8, 2011

SUPER Timeline creation (from SANS)

I'm making a push for more forensics at work.  One avenue I'm trying to open up is the investigation of laptops/computers of former employees.  And, to that end, one of the tools I'll be making heavy use of is the timeline.  I'm pretty adept at creating timelines with SIFT, but Log2Timeline was not in existence when I took my GCIH.

This article is an excellent primer on using Log2Timeline to create a SUPER timeline in SIFT, using many inputs from an acquired image.

(Edit 1/20/12) Rob Lee has added another article on  Log2Timeline to the SANS Forensics blog, this article talking about log2timeline and log2timeline-sift.  Plus, there are some good examples at the end of the article.

(Edit 1/28/12) Rob has added yet another article...releasing a template that colorizes output from Log2Timeline.  I haven't given this a whirl, but I will after I create my next timeline.

Older articles:
How to Create a Filesystem and Registry Timeline


I've created this post so I know where to reference the original article, as I'm sure I'll forget.

Tuesday, November 29, 2011

Google Talk Spam on my Android phone

For the first time, I have received, what I believe to be, SPAM through Google Talk on my Android phone.  I don't use Google Talk, at all, so I'm 100% positive that this is spam.  Upon looking at the notification in the notification bar, I see:

crazieannaxx3@aol.com wants to chat with you.  Will you accept?

This is a vector I haven't seen before, and if anyone has more information, I'd love to hear more.

Monday, November 28, 2011

Apple IOS interim STIG guidance (and a mobile device draft STIG)

I happened to be checking disa.mil today and I noticed a couple of updates:

Windows 7 benchmarks were updated on November 9th.
Apple IOS interim guidance was released November 17th.
A draft for the General Mobile Device (non-Enterprise Activated) was added November 21st.

From the Apple interim guidance memo:

When approved by the Component CIO, the guide may be used to configure Apple iOS devices for limited deployment, pilots, and demonstrations.

Regarding the General Mobile Device (non-Enterprise Activated) STIG, I noticed the following:

The STIG requirements apply to a smartphone or tablet that does not connect to the DoD
network or a DoD email system, and does not store or process sensitive or classified DoD
information.
This is as of today's date.

Wednesday, November 23, 2011

Holiday Incident Response

I wrote about this a couple of years ago, and one of the links in the post that links to the SANS posts is one of my all time favorite reads.  It's that time of the year again.  Incident Responders and Forensicators will be visiting family and friends (or have guests themselves) and invariably, the question will come up:  "Can you take a look at my laptop/computer/etc.?  There's something wrong."

It never fails.  (Disclaimer...I've already been asked by my parents.)

Education of our families and friends will go a long way in preventing the question from arising next year, or the next holiday, or next week.  High on my list of education topics are automatic updates, anti-virus, and social engineering (in no particular order.)

Here's hoping you have a relaxing holiday, good times, and quick work (if you have to.)

Friday, November 18, 2011

DISA.mil back up, but limited

As of this morning (when I checked - 11/18/2011) DISA.mil appears to be back up.  However, it appears that there is still some limited functionality.  From the banner on iase.disa.mil:

Parts of the IASE NIPR site are temporarily unavailable. We apologize for any inconvenience.
For STIG content, please go to AKO/DKO (AKO/DKO account required).

I'll keep checking on more functionality.

Tuesday, November 15, 2011

DISA.mil down (inlcuding iase.disa.mil)

I use DISA.mil for much of my guidance while testing systems and analyzing data from testing trips.  It appears that DISA.mil is down.  I noticed it yesterday while looking for STIGs, and now SANS has a post on it.  The comments allude to a web server being down in the SAN.

Here's the SANS post.

I'll try to post again when it is back up.

Edit (11/17/2011):  As of 8:30 this morning, the site is still down.

Edit (11/18/2011):  Parts of the site appear to be back up, but in limited capacity.

Thursday, October 27, 2011

2012 DISA FSO Release Schedule for STIGs

While looking for a STIG today, I saw that DISA released the schedule for updated STIGs in 2012.  Those dates are:
  • First Quarter:  27 January 2012
  • Second Quarter 27 April 2012
  • Third Quarter:  27 July 2012
  • Fourth Quarter:  26 October 2012

I probably will not get a chance to write up what gets released this quarter due to travel, but I did see that the Gold Disk has been released.  The files are in the PKI-protected area of DISA.

SANS Incident Detction and Log Management Summit

I just received an email about this summit today, and it looks like a great couple of days' worth of events.  Due to politics in the office, and likely my travel schedule, it appears I will not be able to attend.  The event is being held December 7 and 8, 2011 in Washington D.C.

Here's a link to the summit.

I look forward to reading write-ups and recaps of the event.

Monday, October 10, 2011

A link to a post on getting into the field

As I am continuously trying to land a job in IR and Forensics full time, I look for any clues or tips on breaking into the field.  The other day, I saw this article, linked to the Forensic Focus site and thought it would benefit others looking to get into the field.

Good luck.

Advide for Digital Forensics Job Seekers

Monday, October 3, 2011

Betfair accounts hacked

I haven't seen this story making the rounds in the security community.  Interestingly, I got this story from a mailing list for a card forum.  Apparently, 2.28 million"encrypted payment card account numbers and other details" were stolen OVER 18 MONTHS AGO.  Betfair just recently notified their clients.  Allegedly, 3.16 million "account user names with encrypted security questions" and 89,744 "account usernames with bank details" were also taken.

An article with more information is here.

Sure, it's good to hear that some information was encrypted.  However, a lot can happen in 18 months.  If someone has a link to an article with more technical information, I would love to see it.

Saturday, September 24, 2011

Using Event Logs (Event 4624) to troubleshoot an alleged illicit login

At the company, I'm considered the Incident Response / Forensics Guru.  I'm certainly not a guru, but I'm the only employee (that I know of) with both the SANS GCIH and GCFA certifications.  Both of those certs are what I'm passionate about.  And I think it is a rule, all incidents have to occur just before you are leaving for the weekend.

So, it was 4:45 when the company internal security officer (and pen-tester) came to me with an issue.  He had been going through the Splunk logs when he found curious connections to his machine from one one the admins in the IT department.  I asked why he thought one of the admins might have been connecting to his machine, and he thought it might be retaliation for a sanctioned pen-test.  It seems the security officer had snagged the admin's credentials and had been using them during his pen-test.  The admin found out about it at least once and was trying to shut the security officer down.

So, it was off to look at some logs.  Our security officer was using OSSEC to aggregate all of the logs on his machine and was sending them to a log server.  He could correlate those logs with Splunk.  My first question was "What are we trying to prove?"  And the answer was:  "Did the admin "illicitly" log onto the security officer's machine?"  Fortunately, the security officer had EnCase on the machine.  The first thing we did was build a timeline, and look at the dates in question.  (Personally, I prefer the SleuthKit for this activity.)  The activity certainly showed a profile for another user being built.  But, there were no extraneous files accessed, created or deleted.  I thought maybe the admin was logging on to see what processes were running, or what activity was taking place.

My next step was to look at the Splunk logs.  Splunk showed a login, with the corporate id during the night.  I asked our security officer, why night?  He replied that he was running the pen-test at that time, and he might have used the id at that time.  So, now I was thinking, how can we prove whether or not this was truly an incident or the machine showing activity from the pen-test.  What I found interesting in the logs were that there was a login by the admin, but no logoff.  Why would that occur?

Looking at the log, I noticed that the EvenID was a 4624.  We Googled 4624, and found a great page with the fields laid out.  There were no entries for the Network Information so I was beginning to think that this might not be an incident.  We looked up the Logon Type and found a 2, which meant that this was a login through the keyboard.  Further, there was no Kerberos information, so no real authentication was occurring across the network.  I asked the security officer how he conducted the pen-test with the admin's credentials. He showed me a "run-as" batch script he had created, where he passed it the credentials of the admin.  It opened a shell with the credentials of the admin.  When he demoed it, it created the exact same log entry we were using to troubleshoot.

I was fairly confident that this was not an incident, merely a log entry created by opening the shell up with a different user.  Why were there no logoffs?  I posited that when the pen-test was over for the night, the security officer shut down his machine and never really "logged out" his shell script with the admin's credentials.

I suggested looking at the VPN logs, but apparently, our VPN ip address leases are not long, and we don't actively log their issuances and revocations.

So, it appeared to be no-harm-no-foul.  That kind of disturbed the security officer, I think he really wanted to catch the admin.  But the log and timeline evidence did not point to any nefarious activity.

Friday, September 23, 2011

September 2011 STIG updates - IIS 7 and IAVM benchmarks

I was cruising through DISA's site looking for a particular STIG when I noticed the announcement on the top of their STIG page.  DISA has released a couple of STIGs and benchmarks:

IIS 7.0 Server STIG - Version 1, Release 1 - Updated September 20, 2011
IIS 7.0 Site STIG - Version 1, Release 1 - Updated September 20, 2011
Web Policy - Manual STIG, Version 7, Release 1 - Updated September 20, 2011
IAVM 2009 Benchmarks - Updated September 7, 2011
IAVM 2010 Benchmarks - Updated September 7, 2011
IAVM 2011 Benchmarks - Updated September 7, 2011

It appears that the IAVM benchmark files are for HBSS only and they are intended for the HBSS Policy Auditor tool only.  The IAVM benchmark files are contained in the PKI-enabled repository.  It's nice to see the IIS 7.0 STIG officially released.  The note I received from DISA stated:  "The requirements of the STIG become effective immediately."

New issue of (In)Secure Magazine - Issue 31

I just realized that I missed passing along that the new issue of (In)Secure magazine, issue 31, is out.  I really like this magazine as it has a good mix of articles; some technical, and some theory.  (In)Secure has been around for a while and they produce a good product.

For a while, there were a whole bunch of magazines filling this niche, but I see less and less of them as time marches on.

From an IA prospective, I read the article on looking at Domino applications, and already I have learned a couple of new tricks to use when looking at those types of apps.  Fortunately, I just don't see many of those applications.

Tuesday, September 6, 2011

A question on creating a log management program

At one of the establishments where I donate my services, the need for log management and security incident management has been discussed.  To put it in a nutshell, the establishment wants to open up the wi-fi to "partially" vetted users.  The wi-fi is locked down pretty good.  I think the question that wants to be answered is "who logged into the network, from where?"  Also, should there some kind of incident, they want to know when and where it occurred.

Here's a mini-description of the network.  Broadband comes into the building, and DHCP addresses are given out from this router.  The router is an Actiontec MI424WR.  There is a scope of the first 50 hosts reserved for static IPs and the static IPs are used for the central file server, access points, an internal HVAC computer, and part of the HVAC/solar system to broadcast results (like how much electricity has been generated.)

Down the line, I have plans to add a commercial firewall and a router, in order to create VLANs.  However, as the infrastructure is improved, I want to add log management and incident management into the network.

So, for right now, I'm looking for ideas on how to capture:
firewall logs from the Actiontec
DHCP logs from the Actiontec
Windows logs from the file server (Windows 2000)
maybe wireless access logs

I found a great page here:  http://www.securitywarriorconsulting.com/logtools/ 

My question is:  what's a good recommendation? How to best capture the information?  Open source would be great as I'm sure money is going to be an issue.

As this project progresses, I'll post updates.

Wednesday, August 31, 2011

Facebook Security (August 2011)

I only use Facebook casually; I'm not a big user.  I think I've blogged before about Facebook security, but Facebook is continuously changing and updating their policies and security/privacy posture.  However, I saw a link today that I had not seen before:

Facebook Security Guide

Some of the points they make are true common sense.  But, I'm sure there is something for everyone in the guide.  My hope is that the guide gets updated as they introduce new features and policies.

Monday, August 29, 2011

August 2011 Unix updates

I just noticed that DISA has updated the Unix STIGs and SRR.

They can be found at DISA's site.

Auditing with MMC's Security Configuration and Analysis Snap-In

Here's an auditing trick I had never used before.  I'm sure I should be able to script this information from the registry.  But, until I find where this information, here's what we did:

Open MMC
File -> Add/Remove Snap-in...
Chose "Security Configuration and Analysis"
Click Ok
In the main window, right-mouse-click on Security Configuration and Analysis
Choose Open Database
We created a temp database.
When asked for the .inf file, we pointed to the .inf files we grabbed from the DISA benchmarks.
Right-mouse-click on Security Configuration and Analysis, again
Choose Analyze Computer Now
DO NOT CHOOSE Configure....
MMC will analyze the computer against the settings in the DISA .inf file.

When it is doen, I double-clicked the individual policys, and exported them to our results directory.

Retina and Auditing File Versions

I have a quick Retina question for anyone that uses Retina with any regularity.  While testing this past week, I came across an issue with Retina. 

After point Retina at its targets, it would launch and run the scan with no problems; until it reached the Auditing File Versions check.  Then, the scan would crawl almost to a halt.  A couple of times, I had to check Task Manager to make sure that Retina was still running.

Has anyone else run into this?

How to see shared drives when you can not map a share

A weird title, I know.  Here is the situation that transpired.  I was auditing a system at a client site where we were given admin-level credentials.  I was able to log in to the server through RDP, but try as I might, I could not map a drive to the share that was created for us on one of the local file servers.  It mapped fine on the testing laptop.  The system admins assured me that my credentials were good and that all servers had the same permissions on the subnet.  And, all servers were on the same domain.  My co-worker gave me this tip:

First, map the drive on the local test laptop.
Next, start an RDP session to the server you are auditing.
Enter the address of the server.  But, before clicking connect, click the options button.
On the Local Resources tab, click the drive that you mapped to the share.
Then, you can click connect. 
When you connect, the server you are auditing will be able to see the share through your laptop.  It is sort of like a proxy.

The trick is pretty cool, and worked like a champ for the rest of our testing.

Tuesday, August 16, 2011

August 2011 STIG releases

I happened to be checking DISA for something unrelated, and I saw the following STIG releases:

Windows IAVM Benchmarks (HBSS only) - Updated August 15, 2011
Windows 7 STIG Benchmark Version 1, Release 5 - Updated August 15, 2011
Windows 7 STIG - Version 1, Release 5 - Updated August 15, 2011
Windows 7 STIG - Version 1, Release 5 (*PKI) - Updated August 15, 2011
Draft Solaris 9 SPARC STIG - Version 1, Release 0 - Updated August 3, 2011
Draft Solaris 9 x86 STIG - Version 1, Release 0 - Updated August 3, 2011
Draft Solaris 10 SPARC STIG - Version 1, Release 0 - Updated August 3, 2011
Draft Solaris 10 x86 STIG - Version 1, Release 0 - Updated August 3, 2011
Microsoft Office 2007 STIG - Version 4, Release 5 - Updated August 2, 2011
Windows 2008 DC STIG Benchmark Version 6, Release 1.15 - Updated August 2, 2011
Windows 2008 MS STIG Benchmark Version 6, Release 1.15 - Updated August 2, 2011
Windows 2003 DC STIG Benchmark Version 6, Release 1.22 - Updated August 2, 2011
Windows 2003 MS STIG Benchmark Version 6, Release 1.22 - Updated August 2, 2011
Windows Vista STIG Benchmark Version 6, Release 1.22 - Updated August 2, 2011
Windows XP STIG Benchmark Version 6, Release 1.22 - Updated August 2, 2011

I think this is the last of the releases until the next quarter.

Thursday, August 4, 2011

Fixing CAC access to a website when certificates seem to be the problem

A co-worker lost CAC access to ONE of the DoD websites we routinely access.  One, of the four or five we use on a regular basis.  We tried switching browsers.  We tried removing certificates.  We tried re-installing (from our install file.)

In the end, it seems like following the instructions in this PDF did the trick.

Ultimately, I think the install-root file for the root certificate was newer than our file, and so I believe newer certificates were added.  Also, the PDF mentioned some specific certificates that had to be removed.

Monday, August 1, 2011

July 2011 STIG updates, part 3

This looks to be the last of the updated STIGs:

RAS Remote Access Server STIG Version 2, Release 5 - Updated July 29, 2011
Remote Access Policy STIG Version 2, Release 5 - Updated July 29, 2011
Remote Access VPN STIG Version 2, Release 5 - Updated July 29, 2011
Remote Endpoint STIG Version 2, Release 5 - Updated July 29, 2011
Remote XenApp ICA Thin Client STIG Version 2, Release 5 - Updated July 29, 2011

I will update if there are any more updates.

Friday, July 29, 2011

July 2011 STIG updates, part 2

Checking the DISA site today, I see more STIGs have been updated:

Network Infrastructure Router L3 Switch - Version 8, Release 7 - Updated July 28, 2011
Network L2 Switch STIG Version 8 Release 7 - Updated July 28, 2011
Network IDS/IPS - Version 8, Release 7 - Updated July 28, 2011
Network Firewall - Version 8, Release 7 - Updated July 28, 2011
Network Other Devices - Version 8, Release 7 - Updated July 28, 2011
Network Perimeter Router L3 Switch - Version 8, Release 7 - Updated July 28, 2011
Network Policy - Version 8, Release 7 - Updated July 28, 2011
BlackBerry STIG - Version 1, Release 6 - Updated July 28, 2011
Radiant Mercury (RM) 4.5x STIG Version 1 Release 3 (*PKI) - Updated July 28, 2011
DSG Version 2 Release 1 Procedures - Version 1, Release 3 (*PKI) - Updated July 28, 2011
JVAP Administrative STIG Version 3, Release 12 (*PKI) - Updated July 28, 2011
DoD Host Based Security System (HBSS) STIG - Version 3, Release 3 (*PKI) - Updated July 28, 2011
Internet Explorer 6 STIG - Version 4, Release 4 - Updated July 28, 2011
Internet Explorer 7 STIG - Version 4, Release 5 - Updated July 28, 2011
Mozilla Firefox STIG - Version 4, Release 3 - Updated July 28, 2011

As with yesterday's post, STIGs marked with an "*" are in the CAC-protected section of DISA.  Also note, there is a date of "July 28, 2011" associated with these updated STIGS.

Thursday, July 28, 2011

July 2011 STIG updates

By my calendar, STIGs were supposed to be released tomorrow.  It appears many have been released today.
Draft Microsoft SharePoint 2010 STIG Version 1, Release 0 - New July 28, 2011
Windows 2008 STIG - Version 6, Release 1.15 - Updated July 28, 2011
Windows 2008 STIG - Version 6, Release 1.15 (*PKI) - Updated July 28, 2011
Windows 2003 STIG - Version 6, Release 1.22 - Updated July 28, 2011
Windows 2003 STIG - Version 6, Release 1.22 (*PKI) - Updated July 28, 2011
Windows XP STIG, Version 6, Release 1.22 - Updated July 28, 2011
Windows XP STIG, Version 6 Release 1.22 (*PKI) - Updated July 28, 2011
Windows Vista STIG, Version 6, Release 1.22 - Updated July 28, 2011
Windows Vista STIG, Version 6 Release 1.22 (*PKI) - Updated July 28, 2011
Gold Disk - Updated July 28, 2011
Mac OS X 10.5 STIG, Version 1, Release 2 - Updated July 28, 2011
Mac OS X 10.5 STIG, Version 1, Release 2 (*PKI) - Updated July 28, 2011
z/OS ACF2 STIG - Version 6, Release 8 - Updated July 28, 2011
z/OS ACF2 STIG - Version 6, Release 8 (*PKI) - Updated July 28, 2011
z/OS RACF STIG - Version 6, Release 8 - Updated July 28, 2011
z/OS RACF STIG - Version 6, Release 8 (*PKI) - Updated July 28, 2011
z/OS TSS STIG - Version 6, Release 8 - Updated July 28, 2011
z/OS TSS STIG - Version 6, Release 8 (*PKI) - Updated July 28, 2011
zOS SRR Scripts Version 6, Release 8 (*PKI) - Updated July 28, 2011

Note that the draft of the SharePoint 2010 STIG has been released.  Also note that the Gold Disk and the STIGS noted with with an "*" are located in the PKI protected area of DISA.

Tuesday, July 19, 2011

DISA may have been hacked

Here's the link.

Keep your eyes on the news for more to the story.

Monday, July 18, 2011

What are STIGs and where are they found?

In looking at traffic sources for the blog, I've seen that people have reached this blog by searching for "what are STIGs?" or "where are STIGs found?" So, in a small effort to answer those questions, I thought I would answer as best as I could.

STIG stands for Security Technical Implementation Guide, and is the "configuration standards for DOD IA and IA-enabled devices/systems." (From DISA) STIGs contain the guidance necessary to harden or secure a specific device, piece of hardware, platform, operating system, server, cross-domain solution, and potentially an application. A joke in the industry is that if something can be plugged in (to the network,) there is a STIG for it. That saying is almost true. A "checklist" is usually coupled with a STIG, and gives instructions to manually check and configure compliance to a particular STIG. An example is that there is a Windows XP STIG which gives the guidance on how a Windows XP machine is to be configured in order to meet the DoD's security posture. The Windows XP checklist tells you specifically how to check to see if that machine is in compliance, and if not; how to fix it.

Gold Disk is the de facto host-based tool used to check operating system compliance with regards to Windows operating systems. Currently (as of this writing) there is no support for Windows Server 2008 R2 and Windows 7. Running Gold Disk will show you how your operating system fares against the particular checklist. According to the FAQ on DISA's site, Gold Disk is being phased out in favor of SCAP-compliant tools.

There are Security Readiness Review (SRR) Scripts that help automate checking controls for a few of the checklists. A couple of the SRR Scripts I have used with some regularity are the MS SQL scripts, Oracle SQL Scripts and Unix scripts.

A note on Gold Disk and some SRR scripts: Many of the actual scripts (and some of the STIGs that contain FOUO content) are housed in a CAC-enabled site in order to control their usage.  You will need a CAC in order to retrieve those documents/scripts.

So, where are STIGs found? The STIGs are found on the STIG home page, which is part of the Information Assurance Support Environment (IASE).  The sponsor for IASE is the Defense Information System Agency (DISA.)

STIGs and tools are updated on a regular basis to address to platforms, new vulnerabilities, and new patches for those platforms.  Older technologies are retired, and periodically, new STIGs are released in order to address new technologies.

Wednesday, July 6, 2011

Does what we do matter? Explanations from Lenny and Alan

Yesterday, I read a great post by Lenny Zeltser on four reasons why security assessment reports get ignored or unread.  The reasons he put forth are spot on; and, as a DoD auditor, I see this first hand.  I think many times I see this, the reasoning is actually a combination or a blend of some of his reasons.

If you have not read his post, allow me to direct you there....the post is not long.

I'm not one to rant (much) but some of these reasons really fly in the face of the DoD.  The Department of Defense has specific guidelines and regulations that must be followed in securing the IT infrastructure.  These guidelines are called out in various instructions, like DoD 8500.2.  I do not have a problem going on site and finding controls that are not compliant; there may be a justifiable reason, or plain ignorance may leave a control or two in a non-compliant state.  The issue I have with some units/networks/enclaves/bases is when we go to audit a site multiple times and we find the same non-compliant controls.  Sometimes we find more non-compliant controls than a previous audit.  Then, I know that there is an issue.

Point three (from Lenny's post) is how I attributed the non-compliances we found; I used to assume that an over-worked, under-staffed IT/IA department had too many fires to put out.  The commanding officer can not get his email.  Or reach Facebook.  Or, a router has gone down.  Or, the SQL database is down, and the main application used by unit is unusable.  I get it.

However, there are units that we have audited more than three times (as the accreditation cycle revolves) and the units have the same number of non-compliances, or, in one base's situation, more.  One base that we have audited multiple times actually got worse between audits.  On these trips, I saw ambivalence by the administrators.  It was almost that they did not care that we were there doing our job, as they were almost non-responsive to us when we asked for help.  We may have seen ignorance, but how can you not know that you have a SAN in the data center, or that half the servers are virtualized and therefore subject to the ESX checklist.  Over the four years, they received from us at least three DIACAP reports, including POAMS, that they could use to track open issues.

It was only when the Inspector General's office started sniffing around and threatened to pull the plug because there was no activity to remediate open findings that the unit sprang into action.

Alan Paller had a great editorial opinion in the December 17 2010 issues of the SANS NewsBytes.  Because I don't have a link for the quote, I'll reproduce it below:
EDITORIAL: "Accredit and Forget It": How Some U.S. Government Agencies
  Fib On Cyber Security (Alan Paller)
First a few words about how the system works: Before a federal system is allowed to go online, it must be given "Approval To Operate" (ATO) status.  Only a Designated Accrediting Authority (DAA) is allowed to accredit a system and give it an ATO.  Any security weaknesses exposed to the DAA generally needs to have a fix defined and scheduled for implementation and listed in an Information Technology (IT) Security Plan of Action and Milestones (POA&M).  If there is no plan to fix the weaknesses, the system is not supposed to be granted ATO status.  That's how the system works, but with one damaging addition.  A lot of the most important fixes are not made - ever.  They stay on the POA&M for so many months or years, without action, that the whole process has been given the nickname "accredit and forget it." Sometimes the agencies notice how long they have ignored an important action. When they do, they take it off the POA&M and put it back on, with a new start date. That way it doesn't look like it was ignored, even though it was.  Then last week we learned from a contractor that one of the large civilian agencies has automated the process of changing the date.  If an action has stayed on a POA&M for too long, the computers automatically change its start date so it appears to have been just added. That way it doesn't look like the agency is skimping on security.  If senior executives in the White House want to wake up a the CIOs and show them security matters, they could make that "automated fibbing system" a very public career-ending mistake for the CIO of that agency.

I truly believe that this occurs more often than not, and the data from auditing trips bears it out.  I would love for there to be some sort of check an balance for when you know the client (system/unit/enclave/base) is just paying you lip service in order check off a box (see point 1 in Lenny's post.)  I have seen a few of my (now ex-) coworkers leave this sector because the constant flouting of the open controls or mis-management drove my co-workers to the realization that our work does not matter.  And sad to say, I can not disagree with those (now) ex-coworkers.

We are supposed to move to NIST-controls.  We are supposed to start embracing SCAP tools.  I do not know if that will help, but I am hoping that some kind of change will bring about more remediation.

As I said before, I do not like to rant; I would rather work on a solution to the problem.  But, it is getting more and more frustrating as the problem becomes more pervasive.

Tuesday, July 5, 2011

June 2011 STIG updates

I mentionied that I was out on vacation last week.  DISA released a couple of STIGs:


Windows 2008 R2
Network Perimeter Router L3 Switch
Blackberry STIG
Windows 2008 DC STIG Benchmark
Windows 2008 MS STIG Benchmark
Windows 2003 DC STIG Benchmark
Windows 2003 MS STIG Benchmark
Windows Vista STIG Benchmark
Windows XP STIG Benchmark

Windows 2008 R2 is still not supported by the Gold Disk.

Monday, July 4, 2011

Back from vacation

So, as I mentioned in the previous post, I'm back from vacation.  I read a good book, and took some time to flesh out where I seem to be headed.  Vacation gave me a chance to look at the big picture and work out some of the issues I see in various career paths.  I really don't know where the government job is headed; I know where it is supposed to be headed.  But I fear what the company is doing is not enough, and I think we are losing out on contracts we should be winning  A year from now, will the company still be here? I suspect "yes" but I'm not sure our division will.  At least, if it is, I'm not sure that it will look anything like it does now.

So, I've been putting in extra hours with my own company.  I've joined a different Chamber of Commerce, one that is more local; and I hope to derive more business from the people I know.  I prefer to run my own business, as it gives me more pleasure.  Sure, there are more pressures, but I'm pushing to build the client base such that I can be more reliant on my own business.

Tomorrow, it will be back to the grind.  At least I have a clearer head. And we'll see where this all goes.

A mini-review of Ninja Hacking by Wilhelm and Andress

I have just come off a vacation where I tried to disconnect from being overly technical.  Typically, on my breaks I read technical books to enhance something I know or I read something in-depth to learn a new skill.  This past week, I wanted something relevant, but not overly technical.  I saw an ad for "Ninja Hacking:  Unconventional Penetration Testing Tactics and Techniques" by Thomas Wilhelm and Jason Andreas, and decided this fit the bill perfectly.

To start off, let me say that the book is aptly named.  The use of the word "ninja" is not just used as the adjective to describe a good coder or pen tester; all of the concepts in the book relate to the ancient ninja of feudal Japan.  The point of the book is to introduce concepts of penetration testing with the arts and practices of the ninja.

So, here is what I liked:  First, the book devotes the first two chapters to the history of the ninja in Japan.  I can honestly say that prior to reading those two chapters, my concept of ninjas was what Hollywood depicts in movies.  The first two chapters shed light on what the ninjas were really like, how they operated, why they were necessary, and what tools the ninjas had at their disposal.  Succeeding chapters took those tools and applied them to how penetration testers should think differently to accomplish their goal.  I really liked the discussion on strategies and tactics.  Some of the examples given to disrupt a system administrator were:  call them at 2 A.M. with a trouble ticket, send them an email from HR with an issue about their insurance, or leave a note on their car that they have parked in the wrong space.  Good stuff.  All of those are activities that will have someone thinking differently when they should be paying attention.

Also, the chapters might have discussed various tools and methodologies, but not at a low level.  For example, the chapter on discovering weak points in area defenses had a discussion on sniffing network traffic.  In the discussion Kissmet and Wireshark were both discussed, but only to introduce the tools to the reader (if they did not know of them) and provide the reader with the resources to learn more about them.  Each chapter had a page of end notes that included links to tools, articles, and other references for further study.

A couple of issues I found:  the title of the book includes "unconventional penetration testing tactics..." and to me, penetration testing refers to systems, networks and applications.  I understand that a target may be a building or a person.  Many of the chapters discussed the latter, buildings and people and did not necessarily apply to computers.  There was a section of the book that discussed torture; and while interesting, is not something I'll be employing.  There was a section in the chapter on discovering weak points called "Gates, Guns, and Guards."  While these are valid security concerns, I don't think they come up in your average day-to-day penetration test.  However, the authors extrapolated the scenarios to the logical (cyber?) world and created successful analogies in how to employ the tactics to the computer or network. 

Overall, I enjoyed the book.  It opened me up to thinking of different ways to conduct penetration tests and employ some tactics I would not have thought of.  I really enjoyed that the book was not overly technical such that I read through and jot down areas for further exploration.  And, I liked the chapters on the history of the ninja as I could dispel some of the Hollywood myths and legends for what the ninja truly were.

Tuesday, June 21, 2011

Does your email address password need to be changed?

I was going through my newsfeed today when I happened upon a post from Naked Security. The post discussed a site set up by Daniel Grzelak where you could check your email to see if it had been posted as a result of the various recent break-ins.

From the Naked Security Post:
Daniel doesn't store your email address after you've looked it up - so he can't spam you even if he wanted to, which he doesn't - and he's not accumulating a list of email addresses which spammers might like to break in and steal. And he doesn't keep any of the stolen databases on his server, so he's not offering a handy-to-hack repository for unlawfully-acquired loot, either.
To check your email address, go to:  https://shouldichangemypassword.com.

Friday, June 17, 2011

New HP-UX and Android STIGs released

DISA has released a draft version of the Android 2.2 and HP-UX 11.23 STIGs.

A meeting for the Android STIG has been set for June 30, 2011.

Thursday, June 16, 2011

Using a .audit file with Nessus to scan a host

I've created this post because I couldn't find detailed directions.  Here's what took me down this path.  Auditing Windows 7 machines is a laborious task; there is no easy way to do it without sitting down with the DISA checklist and going through each check one by one.  As we move to SCAP-based tools, we should be able automate this; either by using OVAL and an XCCDf file, or using Retina and the XCCDF wizard.  I've started playing around with both of those methods, and I'm not 100% there yet.  I get them to run, but the results are not exactly what I expect.

One of my co-workers asked me about i2a, a utility put out by Tennable that converts .inf files to .audit files to use with Nessus.  (By the way, as I understand it, i2a only works with the professional version.  Audit files work with both the professional and free versions.)  If you look in the Windows 7 STIG, the templates folder contains .inf files. 

I copied the .inf file to the directory containing i2a. My command to create an .audit file was:

i2a-2.0.4 U_FSO_Win7_Analyze_only_V1R4.inf Win7.audit

This ran, and there were a few errors in the log file.  I believe that Nessus can not perform some of the checks in the .inf file, so they are flagged.

Next, I opened up Nessus.  Then, I created a new Policy:  Click on Policy, Add.
I gave my scan a name, Win7, checked my options, added my credentials, checked my plugins, then clicked on preferences.  Under preferences, I picked the Windows Compliance checks.  Then, I browsed for my Win7.audit file and added it as Policy File #1.

After this, it was as simple as setting up a new scan and using the policy I just created.  I'm going to start looking at the results to see how good a job Nessus does, and what needs to still be looked at manually.

Monday, June 13, 2011

Microsoft Active Directory STIG version 2, release 1 released

I received notification that an updated has been released for the Mircosoft Active Directory STIG has been released.  However, in looking at DISA's site, I still see a March 25th date.  I'll update this post when I find the current updates.

Draft Microsoft Office 2010 STIG version 1, Release 1 has been released

I was cruising DISA's site looking for other guidance when I saw that a draft version of the Microsoft Office 2010 STIG has been released; version 1, release 1. 

I notice in the overview document that the guide is based on Office 2010 installations within the Windows 7 operating system.

The comment matrix has also been posted for any comments to be made on the documents.

Tuesday, May 31, 2011

Review: How to Break Web Software by Andrews and Whittaker

I haven't had to travel much over the last couple of weeks, which has been good for me in that I get to work on my reading list a bit.  I picked up "How to Break Web Software" for a trip a little while ago, and never got to the book.  Not having to travel coupled with the long weekend gave me some time to read and digest this book.  Here are a couple of things that I really liked about this book:

  • I really liked the table of regular expressions that is included in chapter 2.  To me, this is great because after I have retrieved source code, I can script out exactly what I'm looking for; especially hidden fields.
  • I liked the fact that the CD contained some older software that is not easily found on the web.  While the functionality of some of these tools is rolled up into newer software, there are times that I want to perform just what these tools do, and nothing more.  HttpPrint is highly useful to me as there are plenty of times I get on site and the client either doesn't know what they have, or doesn't want me to know all that they have.  SSLDigger is great for letting the client know how strong their SSL is.
  • The book includes its own vulnerable web application where you can practice some of these attacks.
  • I liked the chapter on Web Services.  More and more, I'm running into web services, and while some of the more advanced tools cover the services, it is good to have a primer on the various technologies involved.
Overall, I enjoyed the book.  In my estimation, the material is basic, and gives a great jumping off point for someone getting into testing/breaking web applications.  With the tools, a reader can dive into the material, practice, and really start to get a foundation for breaking web applications.

Thursday, May 26, 2011

DISA guidance with regard to cross-site tracing?

I've been doing some reading concerning different ways to test applications, and more specifically, web applications.  The last couple of books have mentioned cross-site tracing, and how to test to see if the server could be vulnerable.  We use WebInspect on many of our tests, and I know I have seen the vulnerability come up.  But that got me thinking:  where does DISA./DoD talk about configuring the web server to turn off TRACE?  I looked through the Apache STIG (both 1.3.x and 2.x) and the IIS STIG (both IIS 5 and 6.)  I did not find any mention of the TRACE verb and how the server should be configured in the DoD's eyes.  Further, I looked in the Application Security and Development STIG, and I did not see a finding/check in that STIG either.  (I did not expect to, since the finding really is a function of the server, and not the application.)

The closest the Application Security and Development STIG comes is a discussion in the finding for cross-site scripting.  There are three checks within the cross-site scripting finding that deal directly with cross-site scripting.  The fourth check specifically discusses the HttpOnly flag being set on cookies.  However, what makes cross-site tracing a bigger risk is that it has the ability to read/steal/reveal cookies even if the cookies have the HttpOnly flag set.

A great paper on the attack is here.

So, am I missing something in a STIG or checklist?  Or, is there really no guidance on web servers for the TRACE verb?

Tuesday, May 24, 2011

Sony Security Timeline

I don't have an iron in the fire, however I wanted to track how this story plays out; mostly so I could refer back to the timeline.  The poll on Slashdot the other week got me thinking about the various security issues Sony has faced over the past couple of years.  So, I briefly compiled this list.  I'll update it as it plays out. 

10/31/05 - Sony BMG copy protection rootkit scandal
Mark Russinovich's blog posting

2/9/11 - Sony Retweets the PS3 key
FuriousFanboys article

4/17/11 - Sony PlayStation Network hacked
Wikipedia article

5/20/11 - Phishing site found on a Sony Thailand server
F-Secure posting

5/22/11 - Sony BMG Greece hacked
Sophos posting

5/25/11 - SONY Ericsson Canadian e-commerce site
Sophos posting

6/2/11 - Sony Pictures
ISC posting

6/4/11 - Sony Europe
Zero Day posting

6/6/11 - Sony Computer Entertainment Development Network
The Epoch Times

6/9/11 - Sony Portugal
Naked Security

I must have missed a bunch, because this article mentions the 20th breach:
6/20/11 - Sony Pictures France
Forbes

7/5/11 - Sony Music Ireland
Naked Security


edit:  5/25/11 - add the Canada hack
6/3/11 - add Sony Pictures
6/6/11 - added Sony Europe
6/7/11 - added Sony Computer Entertainment Development Network
6/9/11 - added Sony Portugal
6/20/11 - added Sony Pictures France
7/5/11 - added Sony Music Ireland

Thursday, May 19, 2011

Review: Web Security Testing Cookbook by Paco Hope & Ben Walther


I’m not much for writing reviews of books that I read, but I wanted to heap some praise on this excellent book.  As a DoD auditor, more and more, especially in enterprise systems, we are running into applications; specifically web applications.  While auditing web servers, database servers, and operating systems is pretty generic (usually,) auditing the enterprise web applications is anything but.  To that end, I’ve picked up some books on (pen)testing web applications with the goal of sharpening my skills and better being able to answers the technical checks from the Application Security and Development checklist.

The Web Security Testing Cookbook by Paco Hope and Ben Walther is an excellent book for helping to be a better web application tester.  I should point out that the book is not aimed at pen-testers by any stretch; it is clearly aimed at in-house application testers.  But, that does not mean that the tools and concepts provided do not translate well to the auditor/pen-tester field.  In fact, it is with the eye of an auditor that I believe I was able to glean bits of information that I found useful that may not necessarily apply to an in-house application tester.

Like other books in the O’Reilly cookbook series, the book contains recipes to solving various problems.  Typically, within each chapter are a collection of like-recipes that have a problem, a solution, and a discussion.  Many tools are discussed (most of which are free or open source.)  And, many solutions are given to the various topics of testing.

Here is what I liked:

Chapter Two was awesome for me; a listing of the various tools that are used in the book.  Some of these tools I’ve heard of and used, some were new.  This was important to me because many times I am limited to “certified” tools for the networks we are auditing.  For example, most sites allow us to use Retina, but not Nessus.  On the application side, we are typically allowed to use HP’s WebInspect.  The tools listed in chapter two allow me to take a more “manual” approach to testing the application.  Specifically, I liked Firebug, EditCookies and TamperData, WebScarab, and ViewState Decoder.  One note, while testing Edit Cookies, I was not able to get it to work with FireFox 4, at the time of this writing.

The chapter on Basic Observation gave me a new appreciation for hidden fields and what you can do with them.

I do not have much experience with web encoding, so chapter four got me up to speed on the topic.  A recipe dealt with OWASP’s CAL9000, however another good encoder I have used is the one linked to by the Ethical Hacker:  http://yehg.org/encoding/.

Chapter 5, Tampering With Data, was one of my favorite chapters.  Many recipes were discussed, using the tools to show different ways to tamper with the data being sent to the application.  My favorite recipe in the book came from this chapter and discussed uploading of files with malicious files names; a concept I never gave much thought in the past.

Chapter 6 discussed the automation of some of the rudimentary tasks.  Some of the great tools discussed included wget, nikto, WSFuzzer, along with native *nix tools.

Chapter 7 dealt with cURL, a tool I’ve never used before but will probably add to the toolbox.  The first sentence in the chapter sums it up perfectly:  “cURL is a command-line URL tool that is ideal for automating simple web testing tasks.”  Many recipes were presented that gave examples of using cURL to accomplish common tasks.

Uploading viruses to an application (via EICAR), in chapter 8, was a that never dawned on me.  And, included with the concept is a snippet of Perl code that will do the trick.  Yet another great feature of the book is the inclusion of much Perl code to make the scripting of many of the recipes possible.

Chapter 11, on manipulating sessions, was enjoyable because I liked the presentation of the various tools to attack sessions and session state.  There are checks in the Application Development checklist that are specific to session state, so it was good to expand on my arsenal of tools to check sessions.

Probably the best feature of the book was that it gave me many "A-Ha" moments that will greatly expand my knowledge of auditing applications.  If you are in a position of having to audit web applications you will benefit from reading the recipes presented and using the tools described.

Monday, May 16, 2011

Draft Red Hat 5 STIG released

I just noticed that DISA has released version 1 of the Red Hat 5 STIG.  I've only taken a cursory look through the XML STIG, and it looks to be the unix STIG with specific guidance pointed towards Red Hat 5.

Friday, April 29, 2011

Even more STIG's released by DISA

Those noted by (*PKI) are only available in the CAC-protected area.

Windows Mobile 6-5 STIG Version 1, Release 1, Updated April 28, 2011
Windows 2008 STIG - Version 6, Release 1.14, Updated April 28, 2011
Windows 2008 STIG - Version 6, Release 1.14 (*PKI), Updated April 28, 2011
Windows 2008 DC STIG Benchmark Version 6, Release 1.14 (*PKI), Updated April 28, 2011
Windows 2008 MS STIG Benchmark Version 6, Release 1.14 (*PKI), Updated April 28, 2011
Windows 2003 STIG - Version 6, Release 1.21, Updated April 28, 2011
Windows 2003 STIG - Version 6, Release 1.21 (*PKI), Updated April 28, 2011
Windows 2003 DC STIG Benchmark Version 6, Release 1.21 (*PKI), Updated April 28, 2011
Windows 2003 MS STIG Benchmark Version 6, Release 1.21 (*PKI), Updated April 28, 2011
Windows Vista STIG, Version 6, Release 1.21, Updated April 28, 2011
Windows Vista STIG, Version 6 Release 1.21 (*PKI), Updated April 28, 2011
Windows Vista STIG Benchmark Version 6, Release 1.21 (*PKI), Updated April 28, 2011
Windows 7 STIG - Version 1, Release 4, Updated April 28, 2011
Windows 7 STIG, Version 1, Release 4 (*PKI), Updated April 28, 2011
Windows XP STIG, Version 6, Release 1.21, Updated April 28, 2011
Windows XP STIG, Version 6 Release 1.21 (*PKI), Updated April 28, 2011
Windows XP STIG Benchmark Version 6, Release 1.21 (*PKI), Updated April 28, 2011
UNIX Security Checklist Version 5, Release 1.29, Updated April 28, 2011
UNIX Security Readiness Review Evaluation Scripts (SRRs), Updated April 28, 2011
SPAN Keyboard Video Switch (KVM) STIG, Version 2, Release 1, Updated April 28, 2011
SPAN Multi-Function Device (MFD) and Printer STIG, Version 2, Release 1, Updated April 28, 2011
SPAN Storage Area Network (SAN) STIG - Version 2, Release 1, Updated April 28, 2011
SME PED STIG Version 2, Release 1 (*PKI), Updated April 28, 2011
Network Infrastructure Router L3 Switch - Version 8, Release 6, Updated April 27, 2011
Network L2 Switch - Version 8, Release 6, Updated April 27, 2011
Network IDS/IPS - Version 8, Release 6, Updated April 27, 2011
Network Firewall - Version 8, Release 6, Updated April 27, 2011
Network Other Devices - Version 8, Release 6, Updated April 27, 2011
Network Perimeter Router L3 Switch - Version 8, Release 6, Updated April 27, 2011
Network Policy - Version 8, Release 6, Updated April 27, 2011
Microsoft Office 2007 STIG - Version 4, Release 4, Updated April 27, 2011
Internet Explorer 7 STIG - Version 4, Release 4, Updated April 27, 2011
z/OS ACF2 STIG - Version 6, Release 7, Updated April 29, 2011
z/OS ACF2 STIG - Version 6, Release 7 (*PKI), Updated April 29, 2011
z/OS RACF STIG - Version 6, Release 7, Updated April 29, 2011
z/OS RACF STIG - Version 6, Release 7 (*PKI), Updated April 29, 2011
z/OS TSS STIG - Version 6, Release 7, Updated April 29, 2011
z/OS TSS STIG - Version 6, Release 7 (*PKI), Updated April 29, 2011
zOS SRR Scripts Version 6, Release 7 (*PKI), Updated April 29, 2011

Further,
Gold Disk - Updated April 29, 2011

Wednesday, April 27, 2011

Help with VxWorks

Help!

I'm in the middle of a testing engagement where I have run across VxWorks.  I am totally unfamiliar with auditing VxWorks and need some help with the finer points.  What I have come up against are medical devices that have multiple VxWorks modules attached to them.  The controllers are not a problem, they are either unix/linux or a variant of Windows.  However, the medical devices only show the VxWorks module to the network.  So far, I have run an NMAP scan, a Retina scan, and a Nessus scan.  I do not see a guidance, a checklist, or a STIG on DISA's site, nor do I see anything listed in the benchmarks put out by the Center for Internet Security.

So, for those of you that have had to audit a VxWorks system, what else did you do?  What other guidance did you use?  And, what did you use to tie back vulnerabilities (as I know that there are are some IAVMs that are VxWorks-related.)

April DISA updates

DISA's site is showing the list of updated STIGs and FAQs.  The following STIGs have been updated and released:
  • Blackberry STIG, Version 1, Release 4
  • Application Security and Development STIG and checklist, Version 3, Release 3
  • draft Apache 2.0 and 2.2 STIG
  • Domain Name System checklist, Version 4, Release 1.12
  • DoD Data Spill Procedures Guide for Blackberry Smartphones (PKI area)
  • DoD Host-Based Security System (HBSS) STIG, Version 3, Release 2
  • McAfee Antivirus Security Guidance, Version 4, Release 4
  • Network Infrastructure Router L3 Switch, Version 8, Release 6
  • Network L2 Switch, Version 8, Release 6
  • Network IDS/IPS, Version 8, Release 6
  • Network Firewall, Version 8, Release 6
  • Network Other Devices, Version 8, Release 6
  • Network Perimeter Router L3 Switch, Version 8, Release 6
  • Network Policy, Version 8, Release 6
  • Microsoft Office 2007 STIG, Version 4, Release 4
  • Internet Explorer 7 STIG, Version 4, Release 4
  • Internet Explorer 8 STIG, Version 1, Release 5

Also, the FAQ has been updated.