Security Adviser | Roger A. Grimes » December 2006

December 31, 2006

SMTPScan

Use Smtpscan to identify mail server type.

In a class a few months ago, one of my students bet me $1000 that I couldn't identify his email server. A few minutes later I told him about the obscure, 10-year-old, Windows 95 email server he was running, and asked for my money. He thought I was being an uber hacker, but all I had done was download, install, and use Greyhats' SMTPscan.

Smtpscan runs on Linux and BSD (and other systems, I'm sure). It's got a great INSTALL document...just follow the included instructions to make and install.

Smtpscan implements 15 different tests against a particular MTA (mail transfer agent, a.k.a. email server) and reads the results of each test. It doesn't just rely on the responding banner.

Smtpscan hasn't been updated in a while, but it's still a handy utility for identifying mail servers. It isn't always accurate, but it's more accurate than Nessus and other vulnerability scanners.
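To show the idea behind a multi-test fingerprint rather than a banner match, here is an added example (not part of the original post and not Smtpscan's own code). It sends a short list of probe commands, records the reply code to each, and compares the resulting vector of codes against a signature table. The probe list, the signature values, the TABLE_A replies and the FakeMta stand-in server are all constructed for the demo and describe no real product; the live_sender helper exists so you can run the same probes against a mail server you administer and see what it discloses.

```python
import re
import socket

# Probe commands sent after the greeting banner. Different MTA implementations
# tend to answer these with different reply codes, so the vector of codes is a
# better identifier than the banner text, which an admin can rewrite at will.
PROBES = [
    "EHLO audit.example",   # does it speak ESMTP at all?
    "HELP",                 # 214 with a command list, or 502/504 unsupported
    "NOOP",
    "VRFY postmaster",      # 252 / 502 / 550 depending on implementation and policy
    "EXPN postmaster",
    "MAIL FROM:<>",
    "RCPT TO:<postmaster>",
    "RSET",
    "QUIT",                 # last: the server closes the connection after this
]

# Constructed signature table: these codes are invented for the demo and do
# not describe any real mail server product.
SIGNATURES = {
    "demo-mta-A": ["250", "214", "250", "252", "502", "250", "250", "250", "221"],
    "demo-mta-B": ["250", "502", "250", "502", "502", "250", "550", "250", "221"],
}


def reply_code(line):
    """Return the three-digit reply code that starts an SMTP reply line, or '???'."""
    m = re.match(r"^(\d{3})[ -]", line)
    return m.group(1) if m else "???"


def fingerprint(send):
    """Run every probe through `send` (a callable: command -> first reply line)
    and collect the reply codes in probe order."""
    return [reply_code(send(cmd)) for cmd in PROBES]


def match(codes, signatures=SIGNATURES):
    """Return (name, matching_positions) for the closest signature. The score is
    reported so a caller can treat a weak match as 'unknown' rather than a hit."""
    best = None
    for name, sig in signatures.items():
        score = sum(1 for a, b in zip(codes, sig) if a == b)
        if best is None or score > best[1]:
            best = (name, score)
    return best


class FakeMta:
    """Constructed stand-in for a mail server: answers each probe from a table
    keyed by the command verb. Used here so the example runs offline."""

    def __init__(self, table):
        self.table = table

    def __call__(self, cmd):
        verb = cmd.split(" ", 1)[0]
        return self.table.get(verb, "500 5.5.1 Command unrecognized")


# Reply table for the stand-in server (constructed values).
TABLE_A = {
    "EHLO": "250-mail.example Hello audit.example",
    "HELP": "214-Commands supported:",
    "NOOP": "250 2.0.0 OK",
    "VRFY": "252 2.5.2 Cannot VRFY user",
    "EXPN": "502 5.5.1 EXPN not implemented",
    "MAIL": "250 2.1.0 OK",
    "RCPT": "250 2.1.5 OK",
    "RSET": "250 2.0.0 OK",
    "QUIT": "221 2.0.0 Bye",
}


def read_reply(f):
    """Read one possibly multi-line SMTP reply and return its first line.
    Continuation lines have '-' after the code; the final line has a space."""
    first = None
    while True:
        line = f.readline().decode(errors="replace").rstrip("\r\n")
        if first is None:
            first = line
        if len(line) < 4 or line[3] != "-":
            return first


def live_sender(host, port=25, timeout=5.0):
    """Open a TCP session to a server you administer and return a `send`
    callable usable with fingerprint(). The banner is consumed first."""
    sock = socket.create_connection((host, port), timeout=timeout)
    f = sock.makefile("rwb", buffering=0)
    banner = read_reply(f)

    def send(cmd):
        f.write((cmd + "\r\n").encode())
        return read_reply(f)

    send.banner = banner
    return send


def demo():
    """Fingerprint the constructed stand-in server; returns (codes, best match)."""
    codes = fingerprint(FakeMta(TABLE_A))
    return codes, match(codes)


if __name__ == "__main__":
    print(demo())
```

Because the reply codes come from protocol behaviour rather than free text, changing the banner on your own server does not change the result; the score returned by match() is what tells you how much confidence a guess deserves.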

Posted by Roger Grimes on December 31, 2006 12:03 PM


December 31, 2006

Securely copy files

Use Putty's Pscp.exe to securely copy files between computers.

Everyone frequently needs to copy files to and from different computers, even over the Internet. I still see a lot of unsecured FTP used, when it should have been retired long ago. Consider instead any one of the hundreds of more secure alternatives.

My favorite? scp (Unix, Linux, BSD) or Pscp.exe (Windows). Scp and Pscp.exe use SSH to copy files securely from one computer to another (the files are encrypted in transit and the destination host is authenticated). Most Linux, Unix, and BSD hosts already have scp (secure copy). Windows has no default utility like scp, but the programmers of Putty (the fantastic, free SSH client for Windows) offer the very similar Pscp.exe. You can download Putty or Pscp.exe here.

With scp or Pscp.exe you can copy files over temporary SSH tunnels between source and destination. The only catch is that at least one of the machines has to be running an SSH server (daemon). Most Unix, Linux, and BSD systems have one (i.e. sshd). If you don't have one, follow yesterday's instructions on loading OpenBSD, which will easily install an sshd service. Then you can use the OpenBSD box/image to copy files.

I like to copy Pscp.exe to \Windows\System32 and rename it scp.exe, so I can use scp on Unix, Linux, BSD, and Windows without thinking about it.

Syntax is basically like the DOS copy command:
scp [from where if not there] [what] [to where?]

but you have to add a logon name, the @ sign, and machine name/IP address for the remote machine, so the syntax is:

scp [from where if not there] [what] [logonname]@x.x.x.x:[to where?]

Examples of syntax, if I'm on the box I'm copying from:
scp *.* roger@192.168.4.1:/
scp frog.tar roger@www.banneretcs.com:/tmp

Examples of the syntax if I'm on the destination box:
scp roger@192.168.5.6:c:/files/toad.zip \Windows\temp
scp roger@www.banneretcs.com:\tools\putty\*.* c:\newtools

Scp is free, works great across any TCP/IP network, can be handed to customers to use, and can be automated in batch files and scripts.

Once you start using scp, you'll probably never use ftp again.

Posted by Roger Grimes on December 31, 2006 10:28 AM


December 30, 2006

Installing OpenBSD for the first time

Step-by-step instructions for installing OpenBSD 4.0 for Windows admins trying to do it for the first time.

I’ve already had a lot of positive feedback on my support for OpenBSD in my recent column.

About half the mail is from Windows users interested in trying OpenBSD for the first time. I’m thrilled more people want to try it. If you want to play with it for the first time, I suggest installing it on an available PC or using VMware (or one of the other suitable virtual host applications). If you use an available PC, make life easy and don’t try a dual boot scenario. It works, but it is probably more problematic than the entire rest of the install. I know dozens of friends who simply gave up trying to install BSD or Linux just because of the dual-boot questions and problems. Install it on an available PC or in a VM instead.

There are dozens of ways to install OpenBSD. The following tasks will help you install OpenBSD on an i386-compatible computer for the first time, using one of the most common scenarios:

1. First you’ll need to download all of OpenBSD or a bootable OpenBSD installer. The latter is more common.
2. You can download a bootable installer from www.openbsd.org or any of the mirror sites, or pay $50 for the complete CD-ROMs.
3. If you want to download it for free start at www.openbsd.org and click on the Getting Releases link.
4. Select your download type (e.g. http, ftp, etc.) and select a download mirror site.
5. Navigate to the download directory of /pub/OpenBSD/4.0
6. Most people will want to install OpenBSD on an IBM/Intel/Windows-compatible computer. If so, choose the i386 folder (i.e. /pub/OpenBSD/4.0/i386)
7. Now you can choose what type of OpenBSD file (or set) to download.
8. Choose and download cd40.iso. It is a cd-rom bootable image of OpenBSD. Burn it to a CD-ROM. If you don’t have burner software, download the excellent, and free, CDBurner XP Pro.
9. If you want to install OpenBSD in VMware, start the VMware Workstation wizard and choose Other as the guest OS type, and then choose FreeBSD. It's close enough. Choose a 1-4GB partition, 256 MB of RAM, and the appropriate networking (e.g. bridged). You need to be connected to the Internet in order to download the complete OpenBSD software (called "sets"), so make sure your VMware guest machine networking works. Start the VMware guest install by booting from the burned OpenBSD install CD-ROM.
10. Or if not using VMware, just boot up on the OpenBSD install CD-ROM.
11. Eventually OpenBSD will ask you for what type of install, choose Install.
12. Hit ENTER to choose the VT220 terminal type when prompted.
13. Hit ENTER to accept the default keyboard mapping.
14. Reply yes to proceed with the install.
15. OpenBSD will detect your available hard drives. SCSI drives will be labeled something like sd0 or sd1. IDE drives will be labeled something like rwd0 or wd0. The r stands for raw mode, wd for an IDE drive, and the digit is the index of the found drive.
16. You will probably be installing OpenBSD on wd0. Say yes when prompted to install OpenBSD on all of wd0.
17. Soon you should be in the OpenBSD disk partitioning program, called disklabel (although usually you won’t see that name anywhere).
18. You should be at a > prompt.
19. You can type in p and hit ENTER to list your partitions.
20. Normally you’ll see an a and c partition.
21. Type in d and hit ENTER to delete a partition. Type in a for the partition to delete.
22. Then type in a to add a partition. Just hit ENTER to accept the default offset value. This will be your main partition. Type in something like 1000M to make a 1GB main partition and hit ENTER. Accept the FS type of 4.2BSD. If asked for a mount point type in /.
23. Type in a to add another partition. This will be the swap partition. Accept the defaults, except make a size equal to twice your RAM (e.g. 512M) and make the FS type swap.
24. Type in q to quit the disklabel program and choose y to write new values.
25. You will then be prompted to set host name and a bunch of standard networking parameters. To make life easy, choose dhcp if you have a dhcp server and take all the defaults.
26. You’ll be prompted twice to enter in the root password. Do so and hit ENTER.
27. Eventually, you’ll be asked to download the OpenBSD sets. These are the OpenBSD programs. To make life easy, just say all and hit ENTER.
28. Then you’ll be prompted to give OpenBSD the download location. You can put in the same place as you download the install file from. If in doubt, try http for the first value and hit ENTER.
29. Type in a proxy server name and IP information if needed.
30. Type in the download site’s host name (e.g. mirrors.24-7-solutions.net) and hit ENTER. Don’t put in the http:// part here or else it will duplicate.
31. When prompted for the host download location type in /pub/OpenBSD/4.0/i386 or something validly similar. Hitting ENTER should result in the sets downloading and installing.
32. When finished, it will prompt you for more sets again, and you can say done this time and hit ENTER (don’t take the default).
33. Say yes to start sshd(8) by default.
34. You can choose whether or not to start the ntpd (network time protocol daemon).
35. You can choose whether or not to start the X Window System, but most Windows people like me do. It is required for most GUIs and for some other non-GUI programs. The default is no.
36. When prompted to change the default console to Com0, say no.
37. OpenBSD will then save the new settings.
38. When prompted, put in the correct time zone (e.g. EST). You can type in ? to choose among various options. If you are going to run security devices, consider using UTC (Coordinated Universal Time), so that the logs you create can be correlated across multiple time zones. After hitting ENTER, OpenBSD will be ready to go.
39. Type in reboot and hit ENTER. Restart and enjoy.


Of course, don’t forget that Google is your best friend. www.openbsd.org has many great mailing lists and discussion groups. However, research and read all you can before you ask a question. They don’t suffer newbies lightly. If you’re new to Linux and/or OpenBSD buy one of the many books as a good, solid starting place. My favorite book is Absolute OpenBSD: Unix for the Practical Paranoid (by Michael W. Lucas from No Starch Press). Addison Wesley publishes another good secondary book called Secure Architectures with OpenBSD (by Palmer and Nazario) and if you’re interested in the PF firewall mainly, try The OpenBSD PF Packet Filter Book edited by Reed.

Posted by Roger Grimes on December 30, 2006 11:29 AM


December 30, 2006

Barracuda Networks Vulnerability Alert Sign-up

Barracuda now sends vulnerability alert messages.

I've been a big personal fan of Barracuda Spam Firewalls and their other successor products. Barracuda's defense appliances are relatively cheap and feature rich.

In the past two years there have been a few vulnerabilities found and proof-of-concept exploit code released (although usually the bug has been patched by the time the vulnerability has been announced). Barracuda Networks now allows administrators to sign up for proactive alerts. Click here to sign up.

You'll need your Barracuda device name and serial number to complete the alert registration.

Posted by Roger Grimes on December 30, 2006 04:44 AM


December 21, 2006

Low threat Vista exploit

Several people are reporting a local exploit that can elevate a regular or admin user to the System account.

The CSRSS process is exploitable in Windows 2000 and above. You can read the report here.

And no, this doesn't make me take back my statement that Windows Vista is a secure OS. Privilege escalation exploits that need a logged-on local user to begin with aren't much of a threat. There are many ways to accomplish the same thing.

Posted by Roger Grimes on December 21, 2006 05:19 PM


December 17, 2006

Bruce Schneier analyzes MySpace passwords

Schneier comments on MySpace passwords.

I sent Bruce Schneier a copy of the 2 GB collection of real passwords taken in a recent MySpace hack. I discussed my thoughts in my InfoWorld column a few weeks ago.

Bruce did an entirely different analysis. It's an interesting read. You can read Bruce's summary analysis here. His conclusions support my ideas about overall weak passwords, although he says that passwords are getting better than they were in the past. It's worth the read, as is any Bruce Schneier article.

Posted by Roger Grimes on December 17, 2006 12:22 PM


December 16, 2006

Secunia Software Inspector finding lots of unpatched software

Windows and IE among the most patched applications.

In my blog entry last week, I introduced Secunia's Software Inspector. It's a free online vulnerability analyzer that will check your PC for over 4,000 applications to see if they are fully patched or are vulnerable versions.

Secunia's blog mentions some interesting figures. First, over one-third of all scanned PCs contained vulnerable software. Now, many readers might see this as a high figure, but in reality it's probably low. Software Inspector is very new, and only people very concerned about computer security are running it. I would expect this sample of early testers to be more patched than the population in general.

Second, the most up-to-date and patched applications are from Microsoft. This is probably reflective of Automatic Updates and other patch management tools. Kudos to Microsoft on this. It shows that pushing AU on consumers is helping.
(Now, if they could just get MS-Office less exploitable these days)

In comparison, over one-third of Firefox users were running vulnerable versions. Or maybe that figure includes the many people who initially switched to Firefox to test it out, then went back to IE because of missing functionality or the like, and think they don't have to patch Firefox now.

As in the case of any software program, if you don't use it, remove it...or keep it patched. Opera users came in at 13% unpatched. As good as that figure is, it's still 3 times higher than IE. Of course, IE still contains a higher level of overall risk because of the focus from hackers, but other browser users need to be more diligent. Just because hackers don't target your browser as much doesn't mean they can't or haven't. Many of today's web-based malware programs target IE and FF.

Over half of all Macromedia Flash users were running vulnerable versions. That doesn't surprise me. Many of my friends and I have found multiple versions of Flash on our PCs, located in one or more locations. So, you could be running the latest version and still have older versions lying around. Software Inspector will show you for sure (if you use the more thorough scan method).

On a related note, I had a bear of a problem trying to delete an old Flash version. In Windows\System32\Macromed I had a Flash ActiveX control called flash6.ocx. It was read-only, and it (or Windows) would not let me delete it, no matter what I did, and I tried nearly everything (including booting into Safe mode, Recovery Console, Bart PE, Linux, etc., and several delete-on-reboot utilities...all failed). Finally, a friend of mine, who had similar problems with another version of flashx.ocx, gave me the solution. On the \Windows\System32\Macromed folder, he reset NTFS permissions and told them to propagate downward to all files and folders. This trick worked, and I was able to delete the offending ocx file.

How Windows was able to prevent me from deleting a file when I booted outside the operating system is still a mystery to me. I was using the true Administrator account, which had Full Control to the file I was trying to delete.

Posted by Roger Grimes on December 16, 2006 10:23 AM


December 16, 2006

Vista zero-day exploit for sale

Not surprisingly, professional hackers are selling Vista exploits already.

Read here.

The vulnerability is being sold for $50,000. That surprised me a bit, because XP Pro SP2 and W2K3 zero days sell for much more. Then I realized that the Vista audience is limited right now, and Microsoft has plenty of time to patch the hole before the general release of Vista.

Posted by Roger Grimes on December 16, 2006 09:04 AM


December 10, 2006

Secunia Software Inspector

Secunia releases free online software vulnerability scanner.

Secunia has released a new online vulnerability scanner called Software Inspector.

It's a great tool to run on home computers and for small businesses that can't afford to buy something commercial. It requires Java.

It doesn't find everything, but it will identify and find a lot of issues on most computers. Give it a try. And if it finds something vulnerable, update or remove.

Posted by Roger Grimes on December 10, 2006 09:22 AM


December 10, 2006

Yet Another Zero Day Vulnerability in MS-Word

Another zero-day exploit in MS-Word.

McAfee announced a new exploit found in a malware program. You can read about it here.

Thanks to DShield and Susan Bradley for the heads up.

Posted by Roger Grimes on December 10, 2006 08:43 AM


December 10, 2006

Firefox 3.0 released to developers

And I was still getting used to 2.0.

In an InfoWorld article, it was announced that Firefox 3.0 is already being released to developers. Although it seems like 2.0 just came out, and it did, 2.0's development started over a year ago, so maybe it really is time for a 3.0 release.

Hey, maybe they ought to call it Firefox 2007, followed by Firefox 2008, and so on? No. Oh, well, just a thought.

Posted by Roger Grimes on December 10, 2006 05:59 AM


December 08, 2006

New Microsoft zero-day exploit

Affects all versions of MS-Word. Trojans in the wild and spreading.

A new MS-Word zero day exploit has been found. Microsoft discusses it here.

At least two trojans have been discovered connected to the exploit, so the vulnerability is in the wild. You can read about those here.

This exploit has the ability to go big, but so far MS-Office threats haven't really gone widespread in the last few years. I think this one could have more legs because it affects all versions of Word, and has no easy defense, other than don't open unexpected MS-Word files, even if you know the sender's name. You can always email the sender to confirm before opening.

It doesn't help that an MS-Word file can carry nearly any file extension (one that isn't already defined in Windows) and MS-Word will still open it. So it can appear to be one type of file and really be a malicious MS-Word file.
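Since the extension cannot be trusted, a mail gateway or desktop scan has to look at the content instead. The following is an added example (not from the original post or from Microsoft) that flags files whose bytes identify a Word-openable format while their extension claims something else. The OLE2/Compound File magic that binary Word, Excel and PowerPoint files start with and the RTF header are real signatures; every sample file that demo() builds is constructed for the example, and the extension lists are an assumption about what a site considers legitimate carriers of each format.

```python
import os
import tempfile
from pathlib import Path

# Content signatures for formats Word will open whatever the file is called.
# (magic bytes, description, extensions that legitimately carry this content)
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
     "OLE2 compound document (binary Word/Excel/PowerPoint)",
     {".doc", ".dot", ".xls", ".ppt", ".msi"}),   # assumed legitimate carriers
    (b"{\\rtf",
     "Rich Text Format",
     {".rtf"}),
]


def classify(path):
    """Return (description, expected_extensions) for recognised content, else None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, description, exts in SIGNATURES:
        if head.startswith(magic):
            return description, exts
    return None


def extension_mismatches(paths):
    """Report files whose content is a Word-openable format but whose extension
    claims something else: the disguise the post describes."""
    findings = []
    for p in paths:
        hit = classify(p)
        if hit is None:
            continue
        description, exts = hit
        if Path(p).suffix.lower() not in exts:
            findings.append((os.path.basename(p), description))
    return findings


def demo():
    """Build constructed sample attachments in a temp directory and scan them."""
    d = tempfile.mkdtemp()
    samples = {
        "report.doc": SIGNATURES[0][0] + b"\x00" * 24,       # honest binary Word file
        "photo.jpg": SIGNATURES[0][0] + b"\x00" * 24,        # OLE2 content, image extension
        "readme.txt": b"{\\rtf1\\ansi constructed sample}",  # RTF content, text extension
        "notes.txt": b"plain text, nothing to see",          # not a Word format at all
    }
    paths = []
    for name, content in samples.items():
        p = Path(d, name)
        p.write_bytes(content)
        paths.append(str(p))
    return sorted(extension_mismatches(paths))


if __name__ == "__main__":
    for name, description in demo():
        print(f"{name}: {description}")
```

The check is deliberately content-first: report.doc passes because its bytes and its name agree, while photo.jpg and readme.txt are flagged because the bytes say "Word will open this" and the name says otherwise. Whether to quarantine or merely log such files is a site policy decision.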

12-10-06 Update:
McAfee announced a malware program that uses the MS-Word exploit vector. It is not widespread.

Posted by Roger Grimes on December 8, 2006 09:13 AM


December 07, 2006

Packet sniffing animated demos

Cool online packet analysis help.

The only truth on a network is revealed with a packet sniffer.

Laura Chappell, network packet analysis goddess, has some free online packet analysis animated demos available here.

You will need Macromedia Flash player installed.

If you ever need network sniffing help or expertise, Laura is one of the best in the world. Great in person. Great speaker. I highly recommend any of her books, podcasts, and tutorials.

Her web site, www.packet-level.com, is a great source of information on packet sniffing.

Posted by Roger Grimes on December 7, 2006 03:07 PM


December 03, 2006

Sophos AV trying to raise Vista scare to sell more product

Sophos incorrectly implies that Vista won't stop current viruses

Sophos recently published an article implying that today's malware can easily exploit Vista.

"Sophos experts note that on the launch date of Microsoft's Windows Vista operating system, three of the top ten - including Stratio-Zip - are capable of bypassing the operating system's security defences (sic) and infecting users' PCs. The Vista-resistant malware - W32/Stratio-Zip, W32/Netsky-P and W32/MyDoom-O - comprise 39.7% of all malware currently circulating."

However, if you read further, the article says that Vista's Windows Mail, the new Windows email client that replaces Outlook Express, stops all the threats by default. Only if you use a non-Microsoft, third party, email client, is the threat allowed to execute on Vista. So by default, in Vista, the threats are prevented from running.

Now, while there might be a little news here, it isn't much. That viruses and worms can spread in Vista is a little newsworthy. But really it isn't. If I can convince you to run my malicious executable, it's always game over, regardless of your OS. You can be running Windows, Mac OS X, Linux, or FreeBSD...but if you run my untrusted file meant to cause harm to your system, I can always bypass any defense you have. That's just a fact of life.

The real factoid is that the default software that comes with Vista DID STOP the threats that they ran against it, by default. I find that conclusion much more newsworthy.

Posted by Roger Grimes on December 3, 2006 06:39 AM


December 02, 2006

Does Vista's Windows Resource Protection protect enough?

I was playing with Vista's WRP last night and found that it does not completely protect many system files that you would expect it to protect.

Win ME's System File Protection and 2000 and XP's Windows File Protection protected about 99% of the files that were installed or upgraded by Windows. Delete, modify, or rename one of the protected files and the file would come right back. SFP and WFP didn't always restore the file with the correct permissions (they restored the parent folder's permissions), but they indirectly stopped computer viruses from infecting most Windows system files. They stopped hoax virus victims from deleting protected files, and they even helped out last month when one of the popular antivirus programs was going around deleting legitimate Windows files accidentally.

Sadly, on my initial review it appears that WRP isn't nearly as protective as WFP. I looked forward to WRP because it protects registry keys too, and prevents protected files from being modified in the first place. SFP and WFP allowed the modification, but then undid it.

I demo'd this recovery behavior in WFP all the time in classes and presentations. I'd delete wscript.exe, wait a few seconds, and then watch it "magically" re-appear. Classes and audiences loved it. Linux didn't have that.

In Vista, it's much harder to delete a system file because of WRP and because all system files are owned by the TrustedInstaller service by default. But if you are an Admin-level person, and Take Ownership of a file and add the appropriate ACE, then you can modify, rename, or delete protected resources.

In Vista last night, I took ownership of wscript.exe and then deleted it. Then I waited for it to re-appear. It never did. My friend Jesper Johansson told me that only Windows system files involved in the start-up are stored in the cache and replaced automatically. And he's right.

Here's a list of what WRP protects.

In checking \Windows\Winsxs\backup, I found nearly 2000 files (the names are long, but the original file name is embedded in each one). You'd be surprised as to what is and isn't covered. In WFP, if a protected file wasn't in the cache, the system would normally prompt you for an installation CD. In WRP, if the file isn't in the backup cache (and you can't modify or add to what's in the backup cache), you're out of luck.

I'm perplexed. In Vista we have a potentially better mechanism, one that prevents modifications and protects registry keys, but it doesn't replace all modified or deleted system files? What is Windows Resource Protection when it doesn't fully protect a significant number of Windows system files?

Yes, it takes a lot to mess with a System file in the first place, but I can see a virus, worm or bot automating what I did manually. Or an updated hoax virus warning with "removal instructions".
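Where WRP does not restore a file, the fallback is to notice that it is gone or changed. Here is an added example (not from the original post and not a Microsoft tool) of the classic baseline approach: hash a list of files you care about while the system is known-good, store the digests somewhere the system cannot alter, and compare later. The demo() function plays out the post's scenario with constructed stand-ins for wscript.exe, cscript.exe and notepad.exe in a temporary directory, deleting one and altering another; the file names and contents are invented for the example and nothing on the real system is touched.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Digest a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each path to its digest (None if the file is absent at baseline time).
    Keep the result off the machine, e.g. on read-only media or a remote host."""
    return {str(p): (sha256_file(p) if os.path.isfile(p) else None) for p in paths}


def check_baseline(baseline):
    """Compare the current file system state against a stored baseline.
    Returns {'missing': [...], 'modified': [...], 'unchanged': [...]}."""
    report = {"missing": [], "modified": [], "unchanged": []}
    for path, digest in baseline.items():
        if not os.path.isfile(path):
            report["missing"].append(path)
        elif sha256_file(path) != digest:
            report["modified"].append(path)
        else:
            report["unchanged"].append(path)
    return report


def demo():
    """Constructed scenario: three stand-in 'system files' in a temp directory;
    one is deleted (the wscript.exe case from the post) and one is tampered with.
    Returns the report with bare file names, sorted, for easy checking."""
    d = tempfile.mkdtemp()
    files = {}
    for name in ("wscript.exe", "cscript.exe", "notepad.exe"):
        p = Path(d, name)
        p.write_bytes(b"constructed stand-in for " + name.encode())
        files[name] = str(p)

    baseline = build_baseline(files.values())

    os.remove(files["wscript.exe"])                     # the deletion WRP never undid
    Path(files["cscript.exe"]).write_bytes(b"tampered") # a modified protected file

    report = check_baseline(baseline)
    return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}


if __name__ == "__main__":
    for state, names in demo().items():
        print(f"{state}: {names}")
```

On a real system the path list would come from an inventory of the files you rely on (the WRP protected-resource list is a natural starting point), the baseline would be taken right after a clean install or patch cycle, and the check would run from a scheduled task with the results shipped off-box, since the same privileges that defeat WRP can also edit a locally stored baseline.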

Ah, I'm just upset that a good demo is gone using a file I didn't mind losing if it didn't work in the first place.

Posted by Roger Grimes on December 2, 2006 11:56 AM


December 01, 2006

New Cain & Abel hacking tool released

New Cain & Abel hacking tool released.

The fantastic Cain & Abel hacking tool continues to innovate. It contains a bazillion features now.

You can download it here.

Some readers ask me how a hacking tool like Cain & Abel can be legal. I always reply that most malicious hackers don't use Cain & Abel. They already have their hacking tools. Cain & Abel just makes it point and click so we whitehat hackers can use a tool and see how easy it is. Cain & Abel isn't a malicious hacker tool (although I suppose it is used maliciously all the time). It's a demo tool for the good guys and girls to learn how to hack like the bad guys and girls, and to demo stuff to management.

Posted by Roger Grimes on December 1, 2006 05:35 PM


December 01, 2006

New Vista RDP Client for XP and W2K3

Microsoft has released a new Remote Desktop Protocol (RDP) client for XP SP2 and W2K3 SP1 for connecting to Vista and later Windows computers.

You can get the new client here.

As much as I like RDP for managing remote Windows computers, it has had a serious flaw in it that makes it vulnerable to attack, as reported by several sources including the author of the hacking tool Cain & Abel. You can read his excellent article here.

Essentially, with RDP there is a private key that should be private and unknown. Somehow, Microsoft chose to make this key the same key in every version of Windows and make it easy to obtain (a.k.a. "the public private key"). This crypto implementation error allows RDP traffic to be MitM'd and the session decoded.

I have successfully used Cain & Abel to decode RDP traffic, including the password sent between the RDP client and the remote server, no matter how long or complex that password is, or what the encryption settings are for Terminal Services/RDP.

Interestingly, I haven't always been able to get it to work successfully in all the environments I have tried it in. Not sure why. But it is successful enough that I always supplement RDP with another layer of encryption/authentication, like IPSec, SSL, TLS, or SSH.

Microsoft's defense is that while they have promised encryption, they did not promise authentication, and the public-private key is an authentication issue. Unfortunately, it means that RDP cannot be relied upon as being secure. Use RDP without another authentication supplement, and you are risking having your password stolen.

Microsoft fixed the problem in Vista (and Longhorn server) by adding better authentication. You can configure Vista (and LH) to accept old RDP connections, or to require the new, updated RDP clients. The link above, and here, lets you install the new, more secure RDP client.

Wikipedia has a great list of new RDP 6.0 (as the new client and server is called) features available here. Strangely, though, it doesn't mention upgraded security in the list.

Posted by Roger Grimes on December 1, 2006 05:03 PM

