Microsoft March 2012 - Patch Tuesday security related links
http://www.diigo.com/list/lockitdownjms/2012-March-Microsoft-Patch-Tuesday
@securemeifyoucan-blog
Adobe's expanded security severity ratings
FYI to everyone responsible for monitoring feeds for patch releases in their organization: the risk assessment portion of your job just got a little bit easier, thanks to Adobe.
I noticed today that Adobe's security team, in addition to their typical severity rating (which is usually "Critical"), now adds a "Priority rating" to each of its patches.
The priority rating helps to describe exploit availability and the potential for exploit development.
Here is the full description of the Priority and Severity ratings, taken from Adobe's site (full text available here):
Priority Rating Definition
Priority 1: This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible (for instance, within 72 hours).
Priority 2: This update resolves vulnerabilities in a product that has historically been at elevated risk. There are currently no known exploits. Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for instance, within 30 days).
Priority 3: This update resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.
Severity Rating Definition
Critical: A vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware.
Important: A vulnerability, which, if exploited would compromise data security, potentially allowing access to confidential data, or could compromise processing resources in a user's computer.
Moderate: A vulnerability that is limited to a significant degree by factors such as default configuration, auditing, or is difficult to exploit.
Low: A vulnerability that has minimal impact and is extremely difficult to exploit.
Metasploit: Configure framework update behind a proxy
If you're on a Windows box, here's the quick summary of how to configure Metasploit's Framework update (or SVN UPDATE) to work if you're behind a proxy.
1. Browse to your metasploit program files directory
2. Browse to config\svn
3. Open the file called servers in notepad or whatever text editor you'd rather
4. Search for [global]. Below it there are some proxy parameters you can enter. Remove the comment character (#) from the ones you're required to use, and fill in the values.
Save. Update. Done.
That easy :)
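As an added example (not from the original post), this is what the [global] section of Subversion's servers file looks like once the proxy lines are uncommented and filled in; the proxy host, port and account name are placeholders you substitute with your own.

```ini
[global]
# Proxy the SVN update goes through (placeholders, substitute your own)
http-proxy-host = proxy.example.internal
http-proxy-port = 8080
# Only needed if the proxy requires authentication. The password is stored in
# clear text here, so restrict who can read this file.
http-proxy-username = svcaccount
http-proxy-password = REPLACE_ME
# Hosts reached directly, bypassing the proxy
http-proxy-exceptions = localhost, 127.0.0.1
```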
IIS-IUSR/IWAM account password dump!
Let me start out this post by saying that normally I would enter this sort of thing in my KB section of my blog.
Presumably you would need to recover the passwords for IUSR_[machinename] or IWAM_[machinename] if you changed the account in IIS that a particular site was running as, and now you would like to change it back to IUSR_[machinename].
Let's take it from a security approach today. Let's say you're a pen tester or have "other intentions", and you "somehow gain access to a Windows 2003 IIS web server."
Of course you could create accounts, modify passwords, etc., but isn't that a little TOO noticeable (YES)?!!
How about acting as an account already on the machine?! Since you're on a box running IIS, and if it's Windows and not some taped-up mesh solution, there are likely two accounts with various permission sets that already exist on the server. You can run as these accounts with little effort and zero cracking.
These two accounts are there to help IIS run services and authenticate guest users, and are given a (random?) long password during the IIS installation.
There is actually a tool that can help you determine what those passwords are..provided by Microsoft.
You'll need to have the Windows Server support tools installed, and your gem will be adsutil.vbs.
The article at http://www.windowsitpro.com/article/passwords/how-can-i-check-the-password-of-the-iusr-and-iwam-local-accounts-on-a-machine describes how to use adsutil to dump the passwords of the two accounts, as well as change them if needed.
But since we're staying stealthy, let's just dump them.
The prior mentioned web site says:
You first need to update the adsutil.vbs script, which you'll find in the AdminScripts folder under the Inetpub folder, to display sensitive information (e.g., passwords) instead of just asterisks. Open the adsutil.vbs file in Notepad and search for the text "IsSecureProperty = True", replace this text with "IsSecureProperty = False" and save the file. Now run the following commands to return the passwords (/anonymoususerpass is the IUSR account; /wamuserpass is the IWAM_ account).
Note: this is around line 2592, right before the Else condition. Then run the following commands:
C:\Inetpub\AdminScripts>cscript adsutil.vbs get w3svc/anonymoususerpass
anonymoususerpass : (STRING) "/XEv`J01T"!69I"
C:\Inetpub\AdminScripts>cscript adsutil.vbs get w3svc/wamuserpass
wamuserpass : (STRING) "ikI37Q"W5\[,uu%"
Now if the system is configured securely..maybe you'll have some battles to fight..maybe not!
Cenzic: Security leads to better outlook of customer service..
If you know there is more you should be doing to protect against hacking, you're never going to get a better reason to bring this up than Zappos, the reigning customer service monarch, just gave you.
Interesting perspective and a quick read, accessible here: Article by John Weinschenk, President and CEO of Cenzic.
Hackers don't tap out the UFC
Dear Hackers,
Just for the record. Dana White doesn’t give a shit. He’s in the fight biz, not web sites.
While the UFC site getting hacked won't stop all of us from watching two people beat the crap out of each other on a regular basis, President Dana White's reaction is unfortunately right in line with a number of his other-industry counterparts.
In a Twitter response to news of the web site pwnage, White says, "I'm in the fight biz not the website biz!! Might be a big deal to other companies not mine." (http://www.neowin.net/news/ufcs-web-site-latest-victim-of-cyber-attack)
"So what if we were hacked" is poisonous and often the watchword, until being hacked causes financial loss, reputation loss, and heads being chopped…
On the other side of the spectrum (or the pot of gold at the end of the security rainbow): earlier this month, online retailer Zappos was hacked. Zappos, who actually care about their online reputation, responded quickly and attentively to the matter, as CEO Tony Hsieh's response shows: "We are cooperating with law enforcement to undergo an exhaustive investigation."
Complacency about security/risk management from leadership should be among the SANS Top 20. If management isn't really concerned, and by really concerned I mean in a manner other than "I hope we pass our compliance audits," things could get scary.
Overall though, the UFC is running strong. The hack is laughable, but I wouldn't take hacktivism lightly. The compromise of the UFC site is just a sample of how simple it is for some of these groups to break on through to the other side.
Living in the information age, or the portability age, we should be concerned, we need to be concerned, because ultimately as customers, consumers, and citizens, it is our wallets, privacy, and reputation that are at stake.
The Windows vuln Myth?!
I've heard too many times from security professionals that Windows is the worst OS for various reasons, some of which I agree with. But, one assumption we all make is apparently false. While I was browsing some data on the newer website CVEDetails.com, I reviewed report "top products having the highest number of distinct vulnerabilities." Of course my expectation was right in line with most, that [some flavor of] windows is the most vulnerable software/OS in the market.
I was wrong! We were wrong...
According to CVEDetails, the number one software/OS with the most unique vulns is... Mac OS X!
Have you been Duqu'd?
Looks like there is now an open source tool available to detect traces of the framework that has been leveraged by the deviously creative to create Duqu, Stuxnet and others. The framework is called Tilde-D (~d), and when malware is created with the framework, there are certain common artifacts and characteristics.
To find out if you've been Duqu'd, or Tilde'd, you can run the open source tool provided by the Laboratory of Cryptography and System Security, as referenced by this Darknet article written by Robert Lemos --> http://www.darkreading.com/advanced-threats/167901091/security/client-security/232400493/tilde-d-detection-focuses-on-coding-anomalies.html
Zappos Hacked
The biggest threat to information security today, besides the nature of the web and end users, is small security staffs. There are many technologies to help mitigate (not prevent, that's impossible) threats of system compromise and data exposure. However, these technologies take bodies to operate. And that's just a start. The data the technologies produce takes analysis, and eventually conversion into something consumable. "Something consumable" can take many forms, ranging from mapping to compliance and policies, to "punch lists" for IT admins, to status metrics, to state-of-security metrics. The analysis and reporting is almost always more time consuming than running the security technologies themselves. Problem statement: not enough staff to do the heavy lifting just described effectively.
In an unfortunate turn of events yet to be disclosed, it appears that Zappos fell victim to some threat or another that their security squad couldn't keep pace with (http://www.livehacking.com/2012/01/16/zappos-com-hacked-and-turns-off-phones-to-avoid-deluge-of-calls-from-customers/). From analyzing the press release, it appears that the network security architecture properly segregated customer credit information, which deserves kudos to the security squad.
Zappos is one of those truly unique, customer- and employee-oriented companies. So, in a way, it's sad to see anything like this happen to taint their squeaky-awesome image. However, maybe in retrospect, some will see this as a good thing. Security is not only on the map, but will be bolstered as a priority, which hopefully leads to appropriate budget and staffing levels.
Good Luck Zappos in bouncing back!
November 2011 MS and Adobe Patch Tuesday link collection
Some helpful links in your intel collection for the Microsoft and Adobe Patch Tuesday releases
November 2011 Microsoft Patch Tuesday
November 2011 Adobe Patch Tuesday
Structuring Risk Assessment for the Enterprise: The NIST way (subtitle: go get more ink..you'll need it)
Yumm..NIST 800-30 Rev 1, public draft in all her glory.
Time to eat Risk Assessment for Breakfast, Lunch and Dinner.
I'll even share with you. Enjoy. A little bland, may need a little salt.
OK. A LOT of salt!
Here you go--> http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
AppChecker-A sun java and adobe version checker
For: Windows Hosts
Leveraging PsInfo, I've created a quick batch to help identify versions of Sun Java and Adobe apps on a target system.
Requires:
- PsInfo in the same directory as the batch. Download link --> http://technet.microsoft.com/en-us/sysinternals/bb897550
- Credentials on the target system..tested with admin level
Usage:
Check installed Adobe apps and versions
appcheck 1 [host] [username] [password]
Check installed Adobe apps and versions for a list of hosts
appcheck 2 [host list - one per line] [username] [password]
Check installed Java apps and versions
appcheck 3 [host] [username] [password]
Check installed Java apps and versions for a list of hosts
appcheck 4 [host list - one per line] [username] [password]
Copy the below into a notepad document and save as appchecker.bat
___________________________________________________
@echo off
setlocal enabledelayedexpansion
rem %1=checktype %2=host/hostlist %3=username %4=password
if "%1"=="" goto usage
if %1==1 goto adobe
if %1==2 goto adobelist
if %1==3 goto javare
if %1==4 goto javarelist
goto usage

:adobe
rem one host: list installed software via psinfo -s and keep the Adobe lines
psinfo \\%2 -u %3 -p %4 -s | find /i "Adobe"
goto endbat

:adobelist
rem list of hosts (one per line)
Echo Performing adobe version checking on the following systems:
FOR /F %%i IN (%2) DO echo %%i, & psinfo \\%%i -u %3 -p %4 -s | find /i "Adobe"
goto endbat

:javare
rem one host: keep the Java lines
psinfo \\%2 -u %3 -p %4 -s | find /i "Java"
goto endbat

:javarelist
rem list of hosts (one per line)
Echo Performing Java version checking on the following systems:
FOR /F %%i IN (%2) DO echo %%i, & psinfo \\%%i -u %3 -p %4 -s | find /i "Java"
goto endbat

:usage
echo appcheck [checktype] [host or host list(one per line)] [username] [password]
goto endbat

:endbat
Windows quick patch checker-batch utility
Quick batch utility to check whether a patch is installed on a Windows host.
Uses native WMI query functionality.
Note: WMI should be encrypted!
Requires:
- A valid username/password on the target(s), with
- WMI access
- KB number(s) of the patch(es) you are checking for, if looking for specifics
Usage:
Check all installed patches for a host
checkwinpatches 1 [host] [username] [password]
Check one host for a specific patch
checkwinpatches 2 [host] [username] [password] [patch search string]
Check a list of hosts for a specific patch
checkwinpatches 3 [host list, one per line] [username] [password] [patch search string]
Check one host for a list of patches
checkwinpatches 4 [host] [username] [password] [patch search string list, one per line]
-------------------------------------------------
@echo off
setlocal enabledelayedexpansion
rem %1=option %2=ip/list %3=username %4=password %5=hotfix/list
if "%1"=="" goto usage
if %1==1 goto fulllist
if %1==2 goto patchsearch
if %1==3 goto hostlist
if %1==4 goto patchlist
goto usage

:fulllist
rem all installed hotfixes on one host
wmic /node:%2 /USER:%3 /PASSWORD:%4 qfe GET description,FixComments,hotfixid,installedby,installedon
goto endbat

:patchsearch
rem one host, one patch search string
wmic /node:%2 /USER:%3 /PASSWORD:%4 qfe GET description,FixComments,hotfixid,installedby,installedon | FIND "%5"
goto endbat

:hostlist
rem list of hosts (one per line), one patch search string
echo patch status for %5 :
FOR /F %%i IN (%2) DO echo %%i, & wmic /node:%%i /USER:%3 /PASSWORD:%4 qfe GET description,FixComments,hotfixid,installedby,installedon | FIND "%5"
goto endbat

:patchlist
rem one host, list of patch search strings (one per line)
echo patch status for %2:
FOR /F %%i IN (%5) DO echo %%i, & wmic /node:%2 /USER:%3 /PASSWORD:%4 qfe GET description,FixComments,hotfixid,installedby,installedon | FIND "%%i"
goto endbat

:usage
echo checkwinpatches [checktype] [host/host list] [username] [password] [hotfix(optional)]

:endbat
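The batch above leaves you reading FIND output host by host. As an added example (not part of the original post), this Python snippet does the comparison for you: it takes the wmic qfe output captured per host and reports which required KBs each host is missing. The host names and KB numbers in the sample output are constructed, and the column layout mimics what wmic prints.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample of what "wmic ... qfe GET description,FixComments,hotfixid,
# installedby,installedon" prints for two hosts (hypothetical names and KB numbers).
# Real output is column-aligned with variable spacing and empty FixComments cells,
# so the parser keys on the KB identifier instead of on column positions.
SAMPLE_QFE_OUTPUT = {
    "srv01": (
        "Description      FixComments  HotFixID   InstalledBy          InstalledOn\n"
        "Security Update               KB9990001  NT AUTHORITY\\SYSTEM  3/13/2012\n"
        "Security Update               KB9990002  NT AUTHORITY\\SYSTEM  3/13/2012\n"
        "Update                        KB9990003  NT AUTHORITY\\SYSTEM  3/13/2012\n"
    ),
    "srv02": (
        "Description      FixComments  HotFixID   InstalledBy          InstalledOn\n"
        "Security Update               KB9990002  NT AUTHORITY\\SYSTEM  2/15/2012\n"
    ),
}

KB_RE = re.compile(r"\bKB\d{5,7}\b", re.IGNORECASE)


def normalize_kb(kb: str) -> str:
    """Accept 'KB9990001', 'kb9990001' or a bare '9990001' and return 'KB9990001'."""
    kb = kb.strip().upper()
    return kb if kb.startswith("KB") else "KB" + kb


def installed_kbs(qfe_output: str) -> set:
    """Set of KB identifiers present in one host's wmic qfe output."""
    return {m.upper() for m in KB_RE.findall(qfe_output)}


def missing_patches(outputs: Dict[str, str], required: Iterable[str]) -> Dict[str, List[str]]:
    """Map each host to the required KBs that its qfe output does not list.

    An empty list means the host has everything in 'required'. A host whose
    output is empty (for example, WMI access was denied) reports all of them
    missing, which is the safe interpretation for a patch audit.
    """
    want = [normalize_kb(kb) for kb in required]
    return {host: [kb for kb in want if kb not in installed_kbs(out)]
            for host, out in outputs.items()}


if __name__ == "__main__":
    for host, gaps in missing_patches(SAMPLE_QFE_OUTPUT, ["KB9990001", "9990002"]).items():
        print(f"{host}: {'OK' if not gaps else 'MISSING ' + ', '.join(gaps)}")
```

To use it against real hosts, redirect each checkwinpatches option 1 run to a file and load those files into the dictionary in place of the constructed sample.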
AIX Patch checker -windows batch utility
This batch requires you to have plink in your path or run from the directory in which plink resides
You can download plink here: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
This batch relies on ssh being open to the target host(s) and valid credentials on the target hosts with permission to run the instfix command.
The batch offers 3 options: check a single host for the existence of a single fix, check a single host for the existence of a list of fixes, or check a list of hosts for the existence of a single fix.
Single host-Single fix
checkaix 1 [username] [password] [hostIP] [Fix]
Single host-list of fixes(one per line)
checkaix 2 [username] [password] [hostIP] [path to fix list]
List of hosts(one per line)- single fix
checkaix 3 [username] [password] [path to host list] [Fix]
Copy, paste in to a notepad doc, save as "checkaix.bat"
----------------------------------------------------
@echo off
setlocal enabledelayedexpansion
rem checkaix runs the instfix command on the specified host(s) via plink
rem all options are required to run
rem checktype=%1, username=%2, password=%3, hostIP or host list=%4, fix or fix list=%5
if "%1"=="" goto usage
if %1==1 goto singlecheck
if %1==2 goto patchlist
if %1==3 goto hostlist
goto usage

:singlecheck
rem one host, one fix
plink -pw %3 %2@%4 instfix -ik %5
goto endbat

:patchlist
rem one host, list of fixes (one per line)
FOR /F %%i IN (%5) DO echo %%i- & plink -pw %3 %2@%4 instfix -ik %%i
goto endbat

:hostlist
rem list of hosts (one per line), one fix
FOR /F %%i IN (%4) DO echo %%i- & plink -pw %3 %2@%%i instfix -ik %5
goto endbat

:usage
echo Usage: checkaix [checktype] [username] [password] [hostIP/HostList] [Fix/FixList]
echo Check Type=1 check a single system for a patch
echo Check Type=2 to check a single system for a list of patches
echo Check Type=3 to check a list of systems for a patch

:endbat
Some links to help you evaluate the 2011 Microsoft Patch Tuesday release
Cheat Sheets -John Gerber Collection
John Gerber at securitymonks, about two years or so ago, put together a list of cheat sheets, useful for when you're sick of googling to get the specifics.
Check it out--> http://blog.securitymonks.com/2009/08/15/whats-in-your-folder-security-cheat-sheets/
Some of the links are dead, but still a decent collection.
Also, don't forget the more-updated packetlife collection--> http://packetlife.net/library/cheat-sheets/