Thursday, November 29, 2007

Subverted search sites lead to massive malware attack in progress

Well, this is something clever! The tactic is to use a legitimate site (a search engine) to point you to a malicious site, thus playing on your trust. Moreover, using a legitimate site that is visited often makes the attack more efficient. This is not something completely new; see "Spammers feeling lucky with Google", for example.

Read the ComputerWorld article:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9049269&intsrc=news_ts_head

Friday, November 23, 2007

Passive Fingerprinting by IDS

In the classical setup a security administrator needs to deploy an IDS to match signatures against network traffic and send alerts to the operator's console, a VA scanner to find vulnerable hosts in the network, and a correlation mechanism that somehow collates information about discovered vulnerabilities with triggered IDS events, decides whether an event is important or not, and automatically adjusts the event's severity.

Keeping in mind that an IDS monitors all traffic between two hosts, I don't understand why commercial IDSs don't perform passive OS fingerprinting. In my opinion IDS fingerprinting could be even more accurate than that of an active scanner, thanks to the IDS' ability to analyze actual interactions between systems.

Let me summarize some parameters that an IDS can check to figure out which OS is used (more information is available below):

and, finally, the history of successful attacks. If an IDS can see whether an attack was successful or not, it can guess not only the OS but also the version of the compromised service.

I saw this idea realized in snortpf, but it is still absent in commercial products. The main advantage of such NIDS behaviour is that it can decide by itself whether a matched signature is important or not, for example when it sees a DCOM Remote Activate BO attack against Linux.

If implemented appropriately, it should be possible for the administrator to correct the IDS' assumptions, which would allow the system's misinterpretations to be corrected.

It is no secret that the huge number of false positives is the biggest IDS disadvantage. To my mind, IDS passive fingerprinting would significantly reduce the "noise" in IDS logs.
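To make the idea concrete, here is an added toy example (not code from the post, and not snortpf's): a passive fingerprinter keyed on a few SYN attributes (initial TTL, window size, DF bit, TCP option order), and the severity logic that downgrades a Windows-only signature such as the DCOM Remote Activate BO when the fingerprinted target is Linux. The fingerprint table, the signature-to-OS mapping and the packets are constructed for illustration.

```python
# Added example: toy passive OS fingerprinting from TCP SYN attributes and
# fingerprint-aware alert severity. Tables and packets are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Syn:
    src: str
    ttl: int        # observed IP TTL
    window: int     # TCP window size
    df: bool        # IP "don't fragment" bit
    opts: tuple     # TCP option order as sent by the host

def initial_ttl(ttl: int) -> int:
    """Round the observed TTL up to the nearest common initial value."""
    for start in (32, 64, 128, 255):
        if ttl <= start:
            return start
    return 255

# Constructed fingerprint table: (initial TTL, window, DF, option order) -> OS.
FINGERPRINTS = {
    (64, 5840, True, ("mss", "sackOK", "ts", "nop", "wscale")): "Linux 2.6",
    (128, 65535, True, ("mss", "nop", "nop", "sackOK")): "Windows XP",
}

def guess_os(syn: Syn) -> str:
    key = (initial_ttl(syn.ttl), syn.window, syn.df, syn.opts)
    return FINGERPRINTS.get(key, "unknown")

# OS families a signature can actually affect (constructed, illustrative).
TARGET_OS = {"DCOM Remote Activate BO": {"Windows"}}

def adjust_severity(sig: str, base: str, target_os: str) -> str:
    """Keep the base severity unless the target is known and cannot be affected."""
    families = TARGET_OS.get(sig)
    if families is None or target_os == "unknown":
        return base
    if any(target_os.startswith(f) for f in families):
        return base
    return "low"

def classify(packets: list, sig: str, dst: str, base: str = "high") -> str:
    """Fingerprint every host seen, then rate an alert for signature sig against dst."""
    hosts = {p.src: guess_os(p) for p in packets}
    return adjust_severity(sig, base, hosts.get(dst, "unknown"))

if __name__ == "__main__":
    seen = [Syn("10.0.0.5", 58, 5840, True, ("mss", "sackOK", "ts", "nop", "wscale")),
            Syn("10.0.0.9", 121, 65535, True, ("mss", "nop", "nop", "sackOK"))]
    print(classify(seen, "DCOM Remote Activate BO", "10.0.0.5"))  # low: Linux target
    print(classify(seen, "DCOM Remote Activate BO", "10.0.0.9"))  # high: Windows target
```

An unknown host or an unmapped signature keeps the base severity, which is the conservative choice the post's "correctable assumptions" point calls for.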

More information:

Thursday, November 15, 2007

User Roles in SAP R/3

I’ve been reviewing a number of projects with SAP R/3 in the company I work for and found what seems to be a very big mistake in user rights planning and implementation. I raised this many times but still have no response from our ‘SAP gurus’, probably because their main task is to finish the project and move on, or maybe because they’re not experienced enough. I don’t know and it’s not my headache, but I think that the problem I’m going to explain is obvious.

The thing is that each project produces a number of roles, and authorizations (pieces of privileges) are spread over these roles. During the test phase these roles are tested either by a user without additional roles or by a user with roles from the same project. I haven’t seen anybody testing roles from one project together with roles from a different project. Unfortunately, SAP has a weird system of authorizations – there are authorizations to access Objects, to perform Actions (transactions, programs), etc. So, to perform an action upon an object through a specified transaction you have to have authorization for the Action and for the Object. To deny this action it’s enough not to have privileges for the Action or for the Object.

When a user has a number of roles, the authorizations in these roles are added together, and in the end it’s possible for the user to gain more capabilities than she should have. Maybe it is hard to understand, but it is really possible in SAP if you have, for example, authorization for an Object in one role and authorization for an Action in another.

We may significantly reduce the probability of such ‘authorization summation’ by adding each authorization into a role manually, but it’s very time-consuming. It’s much easier to build a role from a menu or use other automated role-generation tools. If we are too lazy to create roles manually, we could test all combinations of roles to fix the ‘authorization summation’ issue. But that would be very difficult!
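The summation effect described above, as an added example that is not part of the original post: a toy model where performing an Action on an Object requires both authorizations, and a check that enumerates role combinations and reports capabilities a combination grants that none of its member roles grants alone. The role names, transaction codes and object names are constructed sample values, not from any real project.

```python
# Added example: toy SAP-style authorizations and a role-combination check
# for "authorization summation". All roles and names are constructed.
from itertools import combinations

# Each role is a set of ("ACTION", name) or ("OBJECT", name) authorizations.
ROLES = {
    "PROJ_A_DISPLAY": {("ACTION", "FB03"), ("OBJECT", "COMPANY_1000")},
    "PROJ_B_POSTING": {("ACTION", "FB01"), ("OBJECT", "COMPANY_2000")},
    "PROJ_C_VIEWER":  {("OBJECT", "COMPANY_1000"), ("OBJECT", "COMPANY_2000")},
}

def allowed(auths, action, obj):
    """An action on an object is allowed only if BOTH authorizations are present."""
    return ("ACTION", action) in auths and ("OBJECT", obj) in auths

def capabilities(auths):
    """Every (action, object) pair this set of authorizations permits."""
    actions = {n for k, n in auths if k == "ACTION"}
    objects = {n for k, n in auths if k == "OBJECT"}
    return {(a, o) for a in actions for o in objects}

def summation_issues(roles, max_combo=2):
    """Return (role names, extra capabilities) for every combination that grants
    something none of its member roles grants on its own."""
    issues = []
    for size in range(2, max_combo + 1):
        for names in combinations(sorted(roles), size):
            merged = set().union(*(roles[n] for n in names))
            alone = set().union(*(capabilities(roles[n]) for n in names))
            extra = capabilities(merged) - alone
            if extra:
                issues.append((names, extra))
    return issues

if __name__ == "__main__":
    # PROJ_C_VIEWER alone can do nothing (no Action), yet combined with
    # PROJ_A_DISPLAY it lets the user display documents for COMPANY_2000.
    for names, extra in summation_issues(ROLES):
        print(" + ".join(names), "->", sorted(extra))
```

Raising max_combo makes the check grow combinatorially, which is exactly why the post calls testing all combinations "very difficult".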

Well, I see only one solution in this case – make one role for one user. I know this is not what SAP recommends (I attended "CA940: SAP R/3 Application Security Concept"), but in a complicated environment where there are thousands of users and thousands of roles from different projects, to my mind, it is the only solution. This strategy withstands the following common issues:

  • authorization summation – you need to test only one role for one user;
  • some employees do more than is specified in their job description, and in this case you just add authorizations into that user’s single role. To my mind, it’s more secure than adding a whole additional role that was never tested in combination with the others the user already has;
  • you get more flexibility: if the roles in a project were developed in connection with the organizational structure, they won’t fit when the organization's structure changes. In the "one role–one user" situation, just add new authorizations for users who changed their positions.

The only bad thing here is that it is more difficult to quickly finish new projects…

Friday, November 9, 2007

Five Simple Rules of Client Security Proved in Practice

Several days ago I helped a friend of mine install Windows XP Professional on his home computer. I made a default installation of XP SP2 and created two users with default options – these accounts were created with administrator rights.

After that he signed a contract with a local Internet provider and plugged into the Internet. My friend was delighted by the Internet to the depths of his soul – he was very happy to be able to visit Internet sites at home.

But two days later he phoned me complaining that his new computer had become very slow and that he was seeing a lot of prompts from Kaspersky AV telling him that his computer was infected with malware. I should mention that he had a 30-day evaluation version of Kaspersky with an old virus database.

I downloaded the latest CureIT and went to my friend’s place. But when I arrived I found that all my attempts to log on to Windows immediately ended with logging off. I found a number of materials about malware that changes the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon subkey and decided that the problem was there. Then I made a BartPE CD and booted from it. I found that C:\Windows\System32\Userinit.exe was simply absent. I copied it from the I386 directory of the XP installation CD. After that I decided to look at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. I loaded the offline registry and found two suspicious programs that start from C:\Windows\system32 and C:\Windows\Temp. Unfortunately I don’t remember the exact names, but I was assured that they could be deleted safely. Finally, I ran CureIT against the whole of C:. Remember, it was a three-day-old XP SP2 installation, so C: didn’t contain much data. It ended with more than 50 different pieces of malware found! Mainly they were Trojans. I know that some malware blocks AV updates by editing the C:\WINDOWS\system32\drivers\etc\hosts file, so I decided to check it too. Well, I wasn’t mistaken – I commented out 35 rows for well-known update services, including Microsoft Windows Update, Symantec LiveUpdate, etc.
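The hosts-file check described above, as an added example that is not part of the original post: a small parser for a Windows hosts file that reports active (uncommented) entries overriding well-known update hostnames, which is how the malware blocked AV and Windows updates. The watch list of update hostnames and the sample hosts content are constructed for illustration; extend the list for your own environment.

```python
# Added example: find hosts-file entries that hijack update services.
# The watch list and the sample hosts file below are constructed.
import ipaddress

# Constructed watch list of update hostnames (illustrative, not exhaustive).
UPDATE_HOSTS = {
    "windowsupdate.microsoft.com", "update.microsoft.com",
    "liveupdate.symantec.com", "downloads1.kaspersky-labs.com",
}
SAFE_LOCALHOST = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Yield (lineno, ip, hostname) for each active mapping; comments are ignored."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in parts[1:]:
            yield lineno, ip, name.lower()

def hijacked_update_entries(text):
    """Return (lineno, ip, hostname) for any mapping that overrides an update host.
    Any target address counts: 127.0.0.1 blocks updates, another IP could redirect them."""
    hits = []
    for lineno, ip, name in parse_hosts(text):
        if name in SAFE_LOCALHOST:
            continue
        if name in UPDATE_HOSTS or any(name.endswith("." + h) for h in UPDATE_HOSTS):
            hits.append((lineno, str(ip), name))
    return hits

# Constructed sample resembling the infected file: two hijacked entries,
# one legitimate intranet entry, one line already commented out.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  windowsupdate.microsoft.com   # inserted by malware (constructed)
127.0.0.1  liveupdate.symantec.com
192.168.1.20 intranet.example.test
# 127.0.0.1 update.microsoft.com   <- commented out, so no longer active
"""

if __name__ == "__main__":
    for lineno, ip, name in hijacked_update_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```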

After that long process of getting rid of the viruses, and assuming that my friend will not buy an antivirus (so the computer will not be protected by AV) and also will not update Windows because it takes too much Internet traffic, which costs money, I wrote for him 5 simple rules that should help him stay somewhat protected against Internet threats. Here they are.

  1. Do not surf the Internet with admin rights. Very simple – if you catch something, it won’t destroy your system, just your profile.
  2. Do not use IE. Since you don’t update your Windows, IE is not updated either. Use Firefox – it’s free and seems more secure.
  3. If the browser asks you something, read it carefully and only then make your decision. If you feel lazy and don’t want to read – answer ‘No’.
  4. Try to avoid unknown sites. I know that it’s difficult – that’s why I said ‘try’.
  5. Do not install plug-ins. Even if everything is OK with your browser core, you can still be successfully attacked through plug-ins. See, for example, page 7 here.

Additionally, it’s a good idea to download CureIT and run a scan periodically, for example once a week.

Inside I was very frightened, because I don’t have AV on my home computer, my XP has only SP2 and no other patches, and my wife likes the Internet very much. The only defense I have is the five rules above.

When I came home I ran CureIT against C:. I was very happy with the result – ‘No viruses found’. I think it really does prove that the 5 rules are working. Don’t misunderstand me, I don’t assert that we don’t need to use AV and install patches, no, but these rules are a good trade-off.

Friday, November 2, 2007

More On Malware - Trojan.Bayrob

Wow, this is a really worrisome, sophisticated, targeted and (I think) effective attack: Trojan.Bayrob Strikes Again! A mix of social engineering and advanced malware.

Thursday, November 1, 2007

Mac Malware

We've been expecting this for a long time, and at last a Mac OS X trojan has been found in the wild by the security research company Intego. OSX.RSPlug.A (the name of the trojan) is a simple one and was hosted by several pornographic web sites. It requires user interaction – it disguises itself as a multimedia codec installer and asks for the admin password, so nothing new in terms of technology. Welcome to the real world, Mac users :).

Also in Macworld.

UPD: SANS ISC, SecurityFocus

UPD: Symantec Security Response Blog:

Symantec Security Response has also confirmed this, and added detection for the threat as OSX.RSPlug.A. It appears that the Mac is becoming popular enough that the "bad guys" think it is worth spending time and effort in developing malware for the Mac OS. If we see a rise in Mac malware, then we will have to assume that there are profits to be made in malware for Macs as well. Stay tuned.