httpry is a tool specialized for the analysis of web traffic. It can capture traffic itself (httpry -o file), but other tools such as tcpdump, Snort or Sguil are better suited for capture. Where httpry does a super job is in answering whether certain types of files were downloaded over HTTP: run over a capture and combined with regular expressions (regex), it will show whether a given file, script or piece of malware was fetched from a site or by a host, and ignore everything else.
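The regex approach described above, as an added example that is not part of httpry or of the original diary. It assumes httpry's default tab-separated output layout (timestamp, source-ip, dest-ip, direction, method, host, request-uri, http-version, status-code, reason-phrase, with "-" for fields absent on a line); the log lines, hosts and addresses are constructed for illustration, and the extension list is an assumption to tune per case.

```python
"""Flag file downloads in httpry-style HTTP request logs with a regex.

Added example; not part of the httpry project. It assumes httpry's default
tab-separated output layout (timestamp, source-ip, dest-ip, direction, method,
host, request-uri, http-version, status-code, reason-phrase) with "-" for
fields that are absent on a request or response line. The log lines below
are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

FIELDS = ("timestamp", "src", "dst", "direction", "method", "host",
          "uri", "version", "status", "reason")

# File types a responder usually wants to know about; tune per investigation.
DOWNLOAD_RE = re.compile(
    r"\.(exe|dll|scr|pif|lnk|cpl|jar|pdf|zip|rar|bat|vbs)$", re.IGNORECASE)

SAMPLE_LOG = (
    "# httpry log (constructed sample)\n"
    "# Fields: timestamp,source-ip,dest-ip,direction,method,host,request-uri,"
    "http-version,status-code,reason-phrase\n"
    "2010/07/28 10:01:02\t10.0.0.5\t198.51.100.7\t>\tGET\twww.example.com"
    "\t/index.html\tHTTP/1.1\t-\t-\n"
    "2010/07/28 10:01:03\t10.0.0.5\t198.51.100.7\t>\tGET\twww.example.com"
    "\t/downloads/update.exe?v=2\tHTTP/1.1\t-\t-\n"
    "2010/07/28 10:01:03\t198.51.100.7\t10.0.0.5\t<\t-\t-\t-\tHTTP/1.1\t200\tOK\n"
    "2010/07/28 10:01:09\t10.0.0.9\t203.0.113.21\t>\tGET\tcdn.example.net"
    "\t/img/logo.png\tHTTP/1.1\t-\t-\n"
    "2010/07/28 10:01:12\t10.0.0.9\t203.0.113.21\t>\tGET\tcdn.example.net"
    "\t/docs/invoice.PDF\tHTTP/1.1\t-\t-\n"
    "2010/07/28 10:01:15\t10.0.0.5\t203.0.113.21\t>\tGET\tcdn.example.net"
    "\t/exe/readme.exe.html\tHTTP/1.1\t-\t-\n"
)


def parse_httpry(text):
    """Yield one dict per data line, skipping comments and malformed lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))


def find_downloads(text, pattern=DOWNLOAD_RE, client=None, host=None):
    """Return request records whose URI path ends in a watched extension.

    Only client requests (direction '>') carry a URI, so response lines are
    skipped. The query string is stripped before matching so that '?v=2'
    can neither hide nor fake an extension; '/exe/readme.exe.html' is
    correctly ignored because the path itself ends in .html. client/host
    optionally restrict the search to one source IP or one web site.
    """
    hits = []
    for rec in parse_httpry(text):
        if rec["direction"] != ">":
            continue
        if client and rec["src"] != client:
            continue
        if host and rec["host"].lower() != host.lower():
            continue
        path = urlsplit(rec["uri"]).path
        m = pattern.search(path)
        if m:
            hits.append({**rec, "ext": m.group(1).lower()})
    return hits


if __name__ == "__main__":
    for h in find_downloads(SAMPLE_LOG):
        print(h["timestamp"], h["src"], "->", h["host"] + h["uri"],
              "[" + h["ext"] + "]")
```

On a live capture the same filter can be applied to httpry's own output (for example `httpry -r capture.pcap` piped into this script); the point of parsing the fields rather than grepping whole lines is that the match is applied to the URI path only, so a hostname or query string containing ".exe" does not produce a false hit.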
Fellow handler Kevin points us to new developments on this case, announced here: www.fbi.gov/pressrel/pressrel10/mariposa072810.htm
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
New versions of Snort (Beta and Production) are both out. Release notes are here: http://www.snort.org/news/2010/07/28/snort-2-8-6-1-and-snort-2-9-beta-re...
New features that I'm finding interesting in 2.9 (Beta):
A Data Acquisition API (DAQ) is introduced in this version, which moves packet acquisition (libpcap, afpacket, ipfw, ipq/nfq) out of the Snort engine into pluggable modules
A byte_extract rule option that bears some investigation: it reads a value out of the packet payload into a named variable that later options in the same rule can use, for example as the offset or depth of a subsequent content match
Some welcome updates for IPv6
Paul wrote in to tell us about the new version of NoScript that is just out: http://noscript.net/
The main new feature is protection against Craig Heffner's DNS rebinding attack, which is getting some press and will be presented at Black Hat this week: http://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Heffner
The protection is pretty simple: NoScript looks up the public IP of the workstation and places it in the LOCAL pseudo-list, so a site whose DNS answer suddenly points at that address is treated as an attempt to reach the local network (behind NAT, that public address is the router's external interface, which is exactly what the attack goes after). It uses a public site, https://secure.informaction.com/ipecho, for the lookup; I can't comment at this time on whether this is a safe site to use for this or not.
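The check described above, as an added example modelled on the behaviour NoScript is said to implement; it is not NoScript's code. The workstation's public IP is a constructed constant standing in for the value an IP-echo lookup would return, the local ranges are an assumption, and the sequence of DNS answers is constructed to mimic a rebinding attack.

```python
"""Toy DNS-rebinding guard modelled on the NoScript behaviour described above.

Added example, not NoScript's code. A site is allowed to connect only to
addresses that are not "local". Local here means loopback, RFC 1918 and
IPv6 ULA ranges, link-local, plus the workstation's own public IP, which
NoScript obtains from an IP-echo service; in this example it is a constructed
constant. The resolver answers below are constructed to mimic a rebinding
attack: the first answer points at the attacker's server, later answers
(served with a short TTL) point at the victim's own public IP and LAN router.
"""
import ipaddress

LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Assumption: the address an IP-echo lookup returned for this workstation.
# Behind NAT it is the router's external address, which is what a rebinding
# attack against a home router needs to reach.
WORKSTATION_PUBLIC_IP = "203.0.113.42"


def is_local(addr_str, own_public_ip=WORKSTATION_PUBLIC_IP):
    """True if addr_str is in a local range or is the machine's own public IP."""
    addr = ipaddress.ip_address(addr_str)
    own = ipaddress.ip_address(own_public_ip)
    return addr == own or any(addr in net for net in LOCAL_NETS)


class RebindingGuard:
    """Decides, per connection, whether a site may talk to the address its
    name currently resolves to, and remembers what it blocked."""

    def __init__(self, own_public_ip=WORKSTATION_PUBLIC_IP):
        self.own_public_ip = own_public_ip
        self.blocked = []

    def allow(self, site, resolved_ip):
        # A public web site has no business resolving to something local;
        # the browser's same-origin policy would otherwise let its script
        # read the response, because the host name has not changed.
        if is_local(resolved_ip, self.own_public_ip):
            self.blocked.append((site, resolved_ip))
            return False
        return True


# Constructed sequence of answers the attacker's authoritative DNS returns
# for one host name over the lifetime of the page.
ATTACK_SEQUENCE = [
    ("evil.example", "198.51.100.9"),   # 1st lookup: attacker's own server
    ("evil.example", "203.0.113.42"),   # rebound to the victim's public IP
    ("evil.example", "192.168.1.1"),    # rebound to the LAN router
    ("evil.example", "fe80::1"),        # rebound to a link-local address
]


def run_scenario(sequence=ATTACK_SEQUENCE, own_public_ip=WORKSTATION_PUBLIC_IP):
    """Return the allow/deny decision for each resolved address, in order."""
    guard = RebindingGuard(own_public_ip)
    return [guard.allow(site, ip) for site, ip in sequence]


if __name__ == "__main__":
    for (site, ip), ok in zip(ATTACK_SEQUENCE, run_scenario()):
        print(f"{site} -> {ip}: {'allowed' if ok else 'BLOCKED'}")
```

The second entry in the sequence is the interesting one: without the public IP in the local list it is just another routable address and would be allowed, which is why the lookup NoScript performs matters, and also why the trustworthiness of the echo service matters.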
This year's data breach report continues this valuable narrative. This year's report is based on a larger case sample than in previous years, thanks to a partnership with the United States Secret Service, which contributed information on a few hundred of its cases. Many of the findings echo those of previous years (excerpts below).
Who is behind Data Breaches?
70% resulted from external agents
48% caused by insiders
11% implicated business partners
27% involved multiple parties (the categories overlap, which is why the figures add up to more than 100%)
According to this announcement:
http://secunia.com/advisories/40780/
The problem is that passwords may in certain cases be logged to /var/log/messages while the GNOME Display Manager (GDM) is running in debug mode (disabled by default).
This was originally reported on 02-15-2009 here:
https://bugzilla.gnome.org/show_bug.cgi?id=571846
A patch was issued the same day; a supported patch was issued on 05-14-2010.
The Secunia advisory does not have many details.
The Google Online Security Blog posted a brief article giving their opinion on the full vs. responsible disclosure debate, likely in the wake of the controversy over one of their researchers publishing a security vulnerability. The debate on publishing security vulnerabilities has been, and remains, a hot one. Almost all vendors support responsible disclosure (a term that I absolutely detest), where a researcher discloses the bug only to the software vendor, who then (hopefully) patches it.
SophosLabs has just released a free tool that provides protection against the Windows shortcut exploit that we wrote about last week here and here. Sophos has indicated that it works alongside any antivirus software and on Windows XP/Vista/7, but not Windows 2000. When Windows tries to display the icon for a shortcut, the tool intercepts the request, validates the shortcut, and only hands control back to Windows if the shortcut is not found to be malicious.
SophosLabs has made a video available on what the exploit is and how the tool works here, and the tool is available for download here.
I've been out of touch the last month or two with special projects and vacation, so today was my day to catch up on some old email. One item that caught my interest is an update to one of Mandiant's free tools, Web Historian, to version 2.0. If you are an incident responder or forensic investigator, Web Historian may be of interest to you.
There is nothing new about sensitive data travelling across the network in plain text. Many popular websites have moved to SSL precisely because their owners became aware of man-in-the-middle and eavesdropping attacks and secured their pages against them.
Unfortunately, many companies still think nothing will happen if they send logon information in plain text. You may say that sending a hash of the password instead is enough, but it is not: if the hash is unsalted, a captured hash can be looked up in a rainbow table and cracked in no time, and a hash that is sent as the credential can simply be replayed by whoever captured it.
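The two failure modes above (precomputed-table lookup and replay of a captured hash), as an added example that is not from the diary. Everything in it is constructed: a short wordlist stands in for a rainbow table, two tiny in-process classes stand in for a web application's login handler, and the "captured" values are simply what a sniffer on the path would have seen.

```python
"""Why a hashed password on the wire is not enough: precomputed-table lookup
and replay against a captured digest.

Added example, not from the diary. Everything here is constructed: the
wordlist stands in for a rainbow table, the two tiny servers stand in for
a web application's login handler, and there is no network; the "captured"
values are simply what a sniffer on the path would have seen.
"""
import hashlib
import os

# A handful of common passwords; a real rainbow table covers billions.
WORDLIST = ["123456", "password", "letmein", "summer2010", "qwerty"]


def build_lookup_table(words, algo="md5"):
    """Precompute digest -> plaintext. This is the work a rainbow table
    amortises once for every unsalted hash an attacker will ever capture."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def scenario_table_lookup(password):
    """Client sends md5(password) in the clear; the sniffer looks it up."""
    captured = hashlib.md5(password.encode()).hexdigest()
    return build_lookup_table(WORDLIST).get(captured)


class NaiveServer:
    """Accepts the password hash itself as the credential."""

    def __init__(self, users):
        self.users = users            # user -> md5(password) hex

    def login(self, user, digest_hex):
        return self.users.get(user) == digest_hex


def scenario_replay(password):
    """The digest is the credential, so replaying it logs the attacker in
    without ever learning the password, salted or not."""
    digest = hashlib.md5(password.encode()).hexdigest()
    srv = NaiveServer({"alice": digest})
    captured = digest                 # seen on the wire during a real login
    return srv.login("alice", captured)


class ChallengeServer:
    """Challenge/response: a fresh nonce per attempt, so a captured
    response is worthless the next time round."""

    def __init__(self, users):
        self.users = users            # user -> md5(password) hex (verifier)
        self.pending = {}

    def challenge(self, user):
        nonce = os.urandom(16).hex()
        self.pending[user] = nonce
        return nonce

    def login(self, user, response_hex):
        nonce = self.pending.pop(user, None)
        if nonce is None or user not in self.users:
            return False
        expected = hashlib.sha256((nonce + self.users[user]).encode()).hexdigest()
        return expected == response_hex


def client_response(nonce, password):
    """What the client sends: sha256(nonce || md5(password))."""
    verifier = hashlib.md5(password.encode()).hexdigest()
    return hashlib.sha256((nonce + verifier).encode()).hexdigest()


def scenario_challenge(password):
    """Returns (legit login ok, replay ok, password recovered offline)."""
    srv = ChallengeServer({"alice": hashlib.md5(password.encode()).hexdigest()})
    nonce1 = srv.challenge("alice")
    resp1 = client_response(nonce1, password)   # both values cross the wire
    legit_ok = srv.login("alice", resp1)
    srv.challenge("alice")                      # new nonce for the next attempt
    replay_ok = srv.login("alice", resp1)       # attacker replays old response
    # Replay fails, but nonce1/resp1 still allow an offline dictionary attack,
    # which is why weak passwords need TLS on the wire, not just a better
    # hash scheme.
    cracked = next((w for w in WORDLIST if client_response(nonce1, w) == resp1), None)
    return legit_ok, replay_ok, cracked
```

Challenge/response defeats both the precomputed table and the replay, but the third value returned by scenario_challenge shows its limit: anyone who captured the nonce and the response can still run a wordlist offline, which is the argument for SSL rather than for yet another hashing trick.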
-- Rick Wanner - rwanner at isc dot sans dot org - http://rwanner.blogspot.com/
gpgsm is a tool similar to gpg, designed to provide encryption and digital signing services using X.509 certificates and the CMS protocol. There is a bug in this tool that is triggered when importing an X.509 certificate with more than 98 Subject Alternative Names, either explicitly through an import or implicitly while verifying a signature.
Version 2.0.16 is affected and older versions are likely affected as well. More information at http://lists.gnupg.org/pipermail/gnupg-announce/2010q3/000302.html
We would like to clarify something to our readers because of an e-mail received today. There are two types of diary: one-liners, where we tell you things you should know and don't have anything else to add, and full diaries, where we discuss a subject. For example, we use one-liners to talk about updates to popular software. We just point you to the link. These are not advertisements for other companies :)
In addition to Stuxnet, which has been using the LNK vulnerability to exploit systems since approximately the 14th of this month (possibly longer), a few researchers have mentioned that they have encountered additional malware using the LNK vulnerability. ESET has a write-up on what they have found: http://blog.eset.com/2010/07/22/new-malicious-lnks-here-we-go
Until it is patched, expect more.
MH
When teaching Security Essentials (SEC401) we often talk about one of the more useful hacking tools in everyone's arsenal: the browser. Wielded in the right manner, a browser can expose all kinds of interesting information, as is the case with vBulletin version 3.8.6.
Usually when I receive an email that looks like spam, I can just mash my Send to Junk keyboard shortcut and it goes away. But every once in a while there is a decent-looking spam that *might* be real. At first glance it won't have any images, or be selling Viagra, or anything like that in it, and might just look real.
This is where the common sense approach to reading email kicks in. Obviously this post is not for the expert; it is probably more for the occasional user, but maybe someone in between will find it useful.
Note that this malware does NOT exploit 'Vulnerability in Windows Shell Could Allow Remote Code Execution' (2286198). It simply uses autorun.inf to launch the executable, or waits for the user to double-click the .LNK file. I wrote up this diary before fellow handler Bojan pointed that out to me.
Aaron wrote in the following:
We had a user get infected ... The symptoms we saw were as follows:
The virus hides all folders on the root of any drive it has write access to.
A Dell support forum post confirms that some PowerEdge R410 replacement motherboards contain malware. The posting is here: en.community.dell.com/support-forums/servers/f/956/t/19339458.aspx. The embedded server management firmware on the affected motherboards contains the malicious code. The issue is not present on new servers and does not affect non-Windows based servers. No further information on the malware itself, mitigation techniques, the specific motherboards affected, or the method of the original infection is yet available. Dell is sending letters to and calling affected customers.
Adobe have announced that Reader will run in a sandbox called Protected Mode: blogs.adobe.com/asset/2010/07/%20introducing-adobe-reader-protected-mode.html. It is based on Microsoft's Practical Windows Sandboxing: blogs.msdn.com/b/david_leblanc/archive/2007/07.aspx. This is good news: a sandbox does not remove the parsing bugs themselves, but it confines what a successful exploit can do with them, which should considerably mitigate the impact of vulnerabilities within the product.
Cheers,
Adrien de Beaupré
Microsoft have updated their security advisory 'Vulnerability in Windows Shell Could Allow Remote Code Execution' (2286198) to describe further attack vectors for this vulnerability. It can be exploited using .LNK files on removable drives, via WebDAV and network shares, using .PIF files as well as .LNK, and through documents that can have shortcuts embedded within them. The original discussion of this vulnerability is here: isc.sans.edu/diary.html?storyid=9181
More information at http://www.mozilla.com/en-US/firefox/3.6.7/releasenotes.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
Following the arguments presented by handler Lenny when the Infocon level was raised, we believe that the purpose of raising awareness of this vulnerability has been fulfilled, so we are dropping back to green. This does not imply that the threat is over.
If we see a major attack arise using this vulnerability we will let you know, and if it is bad enough we will raise the Infocon again.
For all those who like TrueCrypt, version 7.0 is out. Some of the new features are:
Hardware-accelerated AES (using the AES-NI instructions on processors that support them)
A TrueCrypt container on a USB flash drive can now be configured to mount automatically whenever the drive is inserted into a USB port. This is cool.
Partition/device-hosted volumes can now be created on drives that use a sector size of 4096, 2048, or 1024 bytes (Windows, Linux).