Friday, July 6, 2012

DNSChanger



Most everyone has heard about the FBI finally shutting down, on July 9 2012, the DNS services which provide service to 360k clients on the internet. Most of the buzz surrounding the shutdown appears to be FUD. These are all clients which were infected by at least one Trojan and were never cleaned since. What other patches are missing, and what vulnerabilities, outdated virus definitions or complete lack of antivirus exist on these hosts? What other malware might they be infected with, or what botnets might they be part of? They have had enough time for cleanup, patching, configuration, updating antivirus, and even replacement of hardware rot.

If the owners of these systems cannot provide the least bit of due diligence on these hosts, then good riddance to all of them.

Wednesday, June 13, 2012

Windows Network Location Awareness Services


Network Location Awareness Services


Sniffing some traffic shows DNS calls to dns.msftncsi.com and a pull of an ncsi.txt file from www.msftncsi.com. This is a default global setting on all Microsoft operating systems from Windows Server 2008 and Windows 7 onward.

So these Windows clients query dns.msftncsi.com for www.msftncsi.com and expect an IP of 131.107.255.255. Then they pull www.msftncsi.com/ncsi.txt and expect the content "Microsoft NCSI". All of this is for a network status icon: if everything goes well, green; if the check cannot proceed for whatever reason, the icon changes. The client assumes that some intervention is involved, like in a web cafe, or that the network is not available.

This small amount of traffic can add up in a corporate environment with thousands of clients running it through a firewall. In a smaller environment the probe could be repointed to your own web server to obtain the IP addresses of your clients, or of missing laptops.

A possible threat might be simple ARP poisoning combined with an ncsi.txt larger than expected, producing a buffer overflow and maybe remote code execution. That is just theoretical for now. No idea what Microsoft is doing with all the IIS logs collected from millions of Windows systems. Here is what to change if you want to modify your home computers or make a Group Policy for your production environment:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet
All five values are of type REG_SZ:

Value name ActiveDnsProbeContent - Value data (IP Address of your web server)
Value name ActiveDnsProbeHost - Value data (your dns server to query)
Value name ActiveWebProbePath - Value data (text file to pull)
Value name ActiveWebProbeHost - Value data (fqdn of your web server)
Value name ActiveWebProbeContent - Value data (contents of the text file)

Creation of /(text file) on your web server
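The following PowerShell script is an added example, not part of the original post and not Microsoft's code. It reads the five NlaSvc values listed above, then runs the same two checks the client runs (it resolves the name in ActiveDnsProbeHost and compares the answer with ActiveDnsProbeContent, then fetches http://ActiveWebProbeHost/ActiveWebProbePath and compares the body with ActiveWebProbeContent), so an administrator can confirm which server the clients are actually probing and spot values that have been tampered with. The Set-NcsiProbeTarget function repoints the probe at an internal server; the host name ncsi.corp.example, the address 10.0.0.50 and the file contents in it are assumptions for the example, not values from the post. Changing values needs an elevated prompt; the audit does not.

```powershell
# Added example: audit and exercise the Windows NCSI active probe.
# Reading the values works as any user; Set-NcsiProbeTarget needs elevation.

$NcsiKey = 'HKLM:\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet'

function Get-NcsiProbeConfig {
    # Read the five probe values from the registry. A value that is not
    # present simply comes back as $null.
    $p = Get-ItemProperty -Path $NcsiKey
    [PSCustomObject]@{
        DnsProbeHost    = $p.ActiveDnsProbeHost
        DnsProbeContent = $p.ActiveDnsProbeContent
        WebProbeHost    = $p.ActiveWebProbeHost
        WebProbePath    = $p.ActiveWebProbePath
        WebProbeContent = $p.ActiveWebProbeContent
    }
}

function Test-NcsiProbe {
    # Reproduce the client's check: resolve the DNS probe host and compare
    # the answer with the expected address, then fetch the web probe file
    # and compare its body with the expected text. Uses .NET classes so it
    # also runs on Windows 7 / PowerShell 2.0, where Resolve-DnsName and
    # Invoke-WebRequest are not available.
    param([Parameter(Mandatory = $true)] $Config)

    $addrs = @()
    $dnsOk = $false
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Config.DnsProbeHost) |
                 ForEach-Object { $_.IPAddressToString }
        $dnsOk = ($addrs -contains $Config.DnsProbeContent)
    } catch { }

    $webOk = $false
    $url = 'http://{0}/{1}' -f $Config.WebProbeHost, $Config.WebProbePath
    try {
        $body = (New-Object System.Net.WebClient).DownloadString($url)
        # Tolerate a trailing newline that a hand-written file may carry.
        $webOk = ($body.TrimEnd("`r", "`n") -eq $Config.WebProbeContent)
    } catch { }

    [PSCustomObject]@{
        DnsAnswer  = ($addrs -join ',')
        DnsMatches = $dnsOk
        WebUrl     = $url
        WebMatches = $webOk
    }
}

function Set-NcsiProbeTarget {
    # Repoint both probes at an internal web server. The defaults below are
    # assumptions for this example; substitute your own server, address and
    # file contents (the file must exist at /<WebPath> on that server).
    param(
        [string] $WebHost    = 'ncsi.corp.example',   # assumed FQDN
        [string] $WebAddress = '10.0.0.50',           # assumed address
        [string] $WebPath    = 'ncsi.txt',
        [string] $WebContent = 'Corp NCSI'
    )
    Set-ItemProperty -Path $NcsiKey -Name ActiveDnsProbeHost    -Value $WebHost
    Set-ItemProperty -Path $NcsiKey -Name ActiveDnsProbeContent -Value $WebAddress
    Set-ItemProperty -Path $NcsiKey -Name ActiveWebProbeHost    -Value $WebHost
    Set-ItemProperty -Path $NcsiKey -Name ActiveWebProbePath    -Value $WebPath
    Set-ItemProperty -Path $NcsiKey -Name ActiveWebProbeContent -Value $WebContent
    # The NLA service reads the values at start, so restart it to apply them.
    Restart-Service -Name NlaSvc -Force
}

# Audit the current values and run the probe against them.
$cfg = Get-NcsiProbeConfig
$cfg | Format-List
Test-NcsiProbe -Config $cfg | Format-List
```

A DnsMatches or WebMatches of False on a host that has network access is worth a look: either the values were changed from the defaults (or from your GPO setting), or something between the client and the probe server is answering differently than expected.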

Friday, January 27, 2012

Sprint

So Sprint this week finally rolled out an HTC update for the EVO which removes the CarrierIQ software they had so much bad press about. This long-delayed upgrade does not fix other issues which would be fixed in Ice Cream Sandwich rather than Gingerbread. Ice Cream Sandwich of course will not even be available on the older phones; they will be stuck with the preinstalled applications and their information disclosure to third parties forever, until their owners upgrade to hardware that the carrier will allow to support Ice Cream Sandwich.
The issue remains with the preinstalled applications, which cannot be removed, and those applications sharing your cell phone number with a third party.
Also, in the latest upgrade, which finally removes CarrierIQ, the HTC loggers, which previously had an information disclosure issue that was patched earlier (http://goo.gl/Y3gsO), were upgraded considerably.

Below are the findings from the two versions, with a comparison of CarrierIQ, the HTC loggers, and the preinstalled applications which cannot be removed:

Carrier: Sprint

Phone: HTC EVO

OS:
Android 2.3.3

Carrier IQ:
/system/bin/iqfd
/system/bin/iqd
/system/app/IQRD.apk
/system/app/HtcIQAgent.apk
/system/app/HtcIQAgent.odex
/system/app/IQRD.odex
/system/etc/iqprofile.pro
/system/lib/libciq_htc.so
/system/lib/libhtciqagent.so

HTC logger:
/system/bin/htc_ebdlogd

Preinstalled applications:

Amazon MP3:
unique device ID, cell tower name.

Block Buster:
unique device ID

Kindle:
unique device ID, unique SIM ID, unique IMSI, cell number.

Nascar:
unique device ID, cell number.

Nova (game):
unique device ID, cell number.

QIK video:
unique device ID, cell number, current location.

Sprint football live:
unique device ID, cell number.

Sprint TV:
unique device ID, unique IMSI, cell number.

TeleNav GPS:
unique device ID, unique SIM ID, current location, cell number.


Android: 2.3.5

Carrier IQ:
Removed :)

HTC logger(s): Updated!
/system/bin/htc_ebdlogd
/system/app/QXDM2SD.apk
/system/app/QXDM25D.odex
/system/lib/libhtcqxdm2sd.so

Preinstalled applications:

Amazon MP3; rights:
unique device ID, cell tower name.

Block Buster:
unique device ID

Kindle:
unique device ID, unique SIM ID, unique IMSI, cell number.

Nascar:
unique device ID, cell number.

Nova (Gameloft):
unique device ID, cell number.

QIK video:
unique device ID, cell number, current location.

Sprint football live:
unique device ID, cell number.

Sprint TV:
unique device ID, unique IMSI, cell number.

TeleNav GPS:
unique device ID, unique SIM ID, current location, cell number.

Wednesday, January 19, 2011

Everything Is Not All White

White listing Is Not The Holy Grail:

I have to disagree with some in the security community who hold up whitelisting as the Holy Grail of cyber security. The hard critics of antivirus have many valid concerns. Repackaging and obfuscation are only the start of the problems. The window of opportunity between definition updates, in which the malware can run, may always exist.
Malware taking advantage of that opportunity and interfering with the antivirus definition updates in order not to be detected is also a continuing problem. Later Windows User Account Control has helped somewhat.

One Achilles heel of whitelisting is very similar. Whitelisting in general will only allow certain programs to run, which is great in a production lab environment. The whitelisting program keeps track of what is authorized through some type of database. But a program already authorized to run by the whitelisting service may still be vulnerable to a 0-day or another unpatched vulnerability. So by taking advantage of the 0-day in the vulnerable program, with something such as a Metasploit module, an attacker can execute malicious code on the system running the whitelisting service. This single risk can create a cascade of issues. Once the code in this example can run freely on the host, it can download a payload and add that payload to the whitelist database: a new program or service running freely on the host that the whitelist service is actively protecting.

So although antivirus may not be the toughest tool in the arsenal, whitelisting is not the Holy Grail that will do away with the other tools. It must work in concert with the other tools and form the layers of security needed.

Wednesday, December 1, 2010

WikiLeaks: What Went Wrong..

Data classification: Private Bradley had, and everyone else for that matter has, more access than they needed to do their jobs.

Lack of auditing: When Private Bradley was downloading thousands of documents at a time, no alerts were raised.

Modernize technical controls:

No endpoint protection: USB thumb drives are disallowed by policy, not by technical controls.

SIPRNet systems have rewriteable media.

Modernize laws:

Private Bradley can be put away for espionage for a very long time. His self-image of heroism is a complete fraud. Data does NOT want to be free. Trade secrets, intellectual property, state secrets, health care data, and even grades are protected for many important reasons.

Julian Assange is not a US citizen and cannot be subjected to the same fate. He also cannot be given constitutional rights to freedom of speech for the same reason. So now he is in an awkward place, and the constitution also forbids any black ops to take him out, as other countries would have done already.

The laws have to be modernized to defend against attacks from the likes of people such as Assange, to something greater than a World War I level.

The content of the documents also has to be protected by law. If this data were instead Justin Bieber's latest release, a Hurt Locker movie, Microsoft source code, or anything with the likeness of Gene Simmons, there would have been an army of lawyers attacking. Which really sheds light on who really writes the laws in the U.S.


Follow Up:

http://www.schneier.com/blog/archives/2010/12/wikileaks_1.html

http://www.eweek.com/c/a/Security/WikiLeaks-Disclosures-Prompts-Defense-Department-Ban-on-USB-Drives-227599/