BSides JAX – Who Should Use PowerShell? You Should Use Powershell!

B-Sides Jax LogoI was fortunate enough to present at the recent BSides Jacksonville Information Security conference.  What an awesome event that was.  We’ll be posting more about BSides Jax in the very near future, but a few kinds souls have asked for the slidedeck to my presentation “WHo SHould Use Powershell? You Should Use Powershell!” in some consumable form, so here it is!

Thanks to everyone who came out to the conference, and to Jess Hires and the entire BSides Jacksonville team for putting on an awesome event!



Heartbleed, but for Windows – MS14-066 – Critical Vulnerability in Schannel Could Allow Remote Code Execution

This week’s Microsoft Security Bulletin includes a critical patch for interesting and dangerous vulnerability discovered in Windows.  Interesting because it was found by Microsoft’s internal code review team. Dangerous because, much like the some of the well publicized vulnerabilities from earlier this year (HeartBleed or Shellshock) it could enable an attacker to execute malicious code remotely.  Not many details have been released yet, but we do know that it effects servers and desktops/laptops in the same way.  Basically, if the system accepts incoming encrypted communications, it can be vulnerable.

We are expediting the testing and roll-out of the patch for all customers, and working with our various vendors to develop and implement any additional protection mechanisms we may have at our disposal, such as host-based IPS and firewalls.

We have no reports of any attacks “in the wild” using this vulnerability at this point, and will continue to monitor the situation closely.  Microsoft has not released any proof-of-concept code for this vulnerability, which of course makes it harder for the bad guys to weaponize, but also makes it a slower process for other defense mechanisms to build signatures for protecting against it. Not releasing vulnerabilities can be a double-edge sword, but we do have a patch that resolves the issue already issued from Microsoft.

If you’re interested in the deeper technical details, please read on.  As always, should you have any questions, please don’t hesistate to reach out with your concerns.  EI customers should expect to hear shortly on any issues we run into accelerating the patch rate for this vulnerability.

Additional Technical Details

assmblrThe vulnerability can be exploited by sending a specially crafted packet to a vulnerable server. If successful , a memory corruption may create an adequate condition to execute an arbitrary payload remotely. This vulnerability affects SChannel which is a Microsoft’s SSL/TLS library, counterpart to Linux’s OpenSSL.

Microsoft security research team rated this vulnerability at 1, which means that exploit is very likely but have not been see in the wild. The only higher exploitability rating is 0 which  means that an attack has already happened and someone has a working exploit (not the case with MS14-066 yet).

Based on the following criteria,  it is recommended to patch all Windows systems right away.  This vulnerability:

  • affects every Windows OS
  • available from public Internet
  • does not require authentication
  • may result in remote code execution.

Since Microsoft did not specify any workarounds other then patching the affecting systems and after the patch is released, a working exploit may be released soon as well, so this vulnerability’s risk rating could escalate from 1 to 0 very soon.

Just because the bulletin only mentions one vulnerability, doesn’t mean the patch doesn’t actually fix multiple related vulnerabilities. According to Cisco Security blog “While it is covered by only a single CVE, there’s actually multiple vulnerabilities, ranging from buffer overflows to certificate validation bypasses.”

Reboot is required for this update, so better get your change control request in soon!

Microsoft’s official release on this patch:

Thanks for reading, and stay safe out there!

Offender’s Advantage Series – Introduction

“… Dear Defender,

Your castle’s walls are high and your moats are wide. Your soldiers are many and their swords are sharp. You seem impenetrable.

But I have something that you lack. Time, dear defender, is on my side. I will continue to strike every inch of your walls from afar until I find a crack in the brick that I can exploit. I will locate every builder of your castle and find every blueprint. Your moats may be very wide but they are not deep throughout.  There are shallow places that in the dark of the night I can cross. Time will pass and your walls will begin to wear out and crumble. Cracks will start to form and your walls will be weakened.

And most importantly, your repairs are many. You cannot keep up with time. As you patch the cracks in the walls, new ones appear. Old foundation is buried under the new one and while still holding the castle, it can no longer be repaired. You distract yourself with one “big” break in your wall while ignoring many others.

Your castle is populous. So many people have access to open your castle doors from the inside. Be careful, not all can be trusted. With time I can find one that has a weakness.

You built your castle to be strong, but you did not build it to last. Time destroys all and I, the offender have all the time. So that is why I say to you – the time is on my side.

Offender …”

While organization’s defenses may be at its strongest, the bigger the attack surface, the more there is a chance that a critical vulnerability is missed. With new vulnerabilities coming out every day and it seems like the critical ones, you know they ones that affect everyone and seem to be in everything, are at least one per month. It is only a matter of time before an attacker finds one that was missed, or one that just came out and have not yet been been patched. An attacker will always have the advantage of time. A determined attacker will find a way in. Its only a matter of time. All software is eventually outdated. The more devices there are on the network, the more patches there are to install. Most organizations, lack resources and time to patch every system. Systems are interconnected and new software has been developed to depend on old systems.
The battlefield has not changed since the middle ages into the cyber age. The problems are still the same and offenders always seem to have the upper hand. Defenders job is to continuously play catch up. Until we have new ways to build our castles and dig our moats and to educate our people, defenders will be behind the curve. The solution is in building security in from the beginning. Create systems that are based on security principles. We are are on our way but the journey will be long.
This offender’s advantage series will attempt to examine the ways of the attacker, whether it is a penetration tester or a malicious entity. I will attempt to draw a parallel between the cyberspace and historical battlefields to examine the offender’s advantage. I will try to explain some of the techniques in an easy to understand, non-technical language to provide insight into the hacker’s world in plain English.
Thanks for reading, and we look forward to sharing the rest of the series with you!

Wirelurker – Malware attacking iPhones and iPads

iOS devices targeted through the Apple computers they connect to

Researchers from Palo Alto Networks recently released a study where they found a new piece of malware targeting Apple Mac computers and iOS devices.  Dubbed “Wirelurker”, this piece of malware is not terribly sophisticated, but does operate differently than previous malware.  So is this a serious threat, or the malware du jour?

Early signs are that this particular malware attack is not likely to infect your Apple Mac or iOS device, but the attack method it is using is pretty new, and definitely worth looking into.

Wirelurker targets iOS devices through the Apple computers they connect to.  Basically, the trojan is bundled into pirated versions of software (in this case, mostly in China).  When the pirated software is installed on a Mac, it sits and waits for an iPhone or iPad to be connected.

When an iOS device does connect to the infected computer, the Wirelurker software captures the device serial number, the phone number, the iTunes identifier (the email address you sign into the Apple App Store with), and other identifying information.  This information is only available when you’ve enabled the “Trust This Computer” option, which you have to in order to sync with iTunes.  The captured information is uploaded to various Command and Control (C&C) servers on the Internet.

The Wirelurker software also attempts to install malicious versions of normal looking applications on your iOS device.  If your phone is jailbroken, then the attack is much worse, as many of the protection features in a jailbroken device are either disabled or easily over-riden.  If you have a standard iOS device, the Wirelurker software will attempt to use the Enterprise Provisioning feature of iOS to install applications.

So far it appears that this information is being used to identify people installing pirated software.  Odds are that if you haven’t downloaded and installed any pirated Chinese software for your Mac, you’re OK.  The security researchers who examined this malware have noted that while not terribly complex, the attack vector is likely to be copied by more skilled attackers.

So what can you do to protect yourself?

Unless you are absolutely certain, never use the "Anywhere" option.
Unless you are absolutely certain, never use the “Anywhere” option.

First, be very careful when downloading and installing ANYTHING from the Internet.  If you are using a Mac, check to see if the application you are looking for is published in the App Store first, as Apple manages and tests applications that are available there.  That is not to say that it is impossible for malware to be in the Apple App store, but odds are better that it will be discovered and removed.   Mac OS X doesn’t allow installation of software without a valid code signing certificate, and disabling that check with significantly reduce the security of your system.   By the way, this attack could work just as easily with a Windows machine, and will no doubt begin cropping up there as well in the future.

Palo Alto Networks has developed a Wirelurker Checker for Apple Mac systems, to quickly check for the presence of Wirelurker on your system.  That software can be found here:

Those awesome themes should make up for having a phone that is easily compromised....
Those awesome themes should make up for having a phone that is easily compromised….

Don’t jailbreak your iOS device.  While it does provide an awesome array of apps and functionality not present in the stock version of iOS, your security is greatly compromised.  Virtually every strain of malware impacting iOS devices that we know of requires the device to be jailbroken in order for the attack to succeed.

Using these kinds of public USB charging stations is a very bad idea.
Using these kinds of public USB charging stations is a very bad idea.

Be extremely careful when connecting your phone to a USB port you don’t own.  It has become very common for airports and other public places to install USB ports for recharging of phones and tablets.  I can not recommend more strongly that you never use one of those ports.  The simple fact is you do not know what is sitting on the other side of that connection.  Bring your AC adaptor and plug into a good old-fashioned electrical outlet.

Here’s a link to the original Palo Alto release on Wirelurker:

A great write-up by Jonathan Zdziarski, a malware researcher with lots of excellent iOS malware experience:

Thanks for reading, and stay safe out there!