I’m not usually very excited about posting on LinkedIn Discussion Groups. On top of that, I don’t even have the time to blog anything on my own site. However, I could not resist to write a comment on that discussion about what the best IDS system is. Not when I read the following comment:

Actually the idea of an IDS system has been obsolete for a few years now. Given the latest events in the security area, there are plenty of traffic anomalies far more advanced than relatively-simple signatures out there to deal with.

The best approach nowadays is the IPS (Intrusion Prevention Systems) which would not only detect and inform IT management of the attack events but will also apply the necessary countermeasures to them. Most important of all, this must happen at wire-speed with ASIC-based systems.

Ok, I understand that IPS vendors and resellers have the right to claim what they want, but saying that “the idea of an IDS system has been obsolete for a few years now” is simply too much for me.

Just in case you are not registered with LinkedIn, the following is the comment I’ve just added to that discussion:

I respect everyone’s comments and views, but obviously some of the above are clearly biased. It’s not the first time we hear comments like “actually the idea of an IDS system has been obsolete for a few years now”.

Back in 2003, Gartner analyst Richard Stiennon stated, “IDSs have failed to provide value relative to its costs and will be obsolete by 2005″. Well, although I understand that claim (keep reading), many security analysts will tell you that IDS is very much alive and recent findings like those covered in the “Verizon Business 2008 Data Breach Investigations Report” support this (see http://securityblog.verizonbusiness.com/2008/06/10/2008-data-breach-investigations-report).

First thing to know is that IPS and IDS are different things and that they fit in different layers of the Defense In-Depth strategy and in different phases of the well known Assessment-Prevention-Detection-Reaction loop. IPS devices are meant for intrusion prevention and always run “inline”, very much like firewalls, whilst IDSs (whether network or host based) are passive solutions obviously designed for intrusion detection. Both technologies are complementary and should be part of a holistic security strategy. In many scenarios you will not be able to prevent and stop all attacks with a 100% accuracy. Thus, when prevention fails, what else is left? Detection and then reaction.

However, an IDS is not that different to an IPS from a technology point of view. Take Snort as an example, which is the most widely deployed intrusion detection solution in the world and actively used by large organisations like DARPA, GSA, NIST, NSA as well as the US Armed Forces. Get Snort running in inline-mode with active-response enabled and you have an IPS. Same product but different configuration sitting in a different place on your network. So take and IDS, put it inline and get a third party to manage it and there you have your IPS. Now you understand why most vendors will tell you that IDS is dead.

However, I can understand why many people still claim that IDS is dead. Many fail to understand that an IDS is not a “Plug and Play” device. The state of the art of IDS has not yet evolved to a point where they can be plugged and work accurately right out of the box, and it won’t be for a while. It is imperative to have a trained and competent analyst (or team of analysts) tunning, updating, examining and investigating the output from the IDS. Do you have the resources to do that? Well, that should be part of the cost analysis of implementing any IDS/IPS solution. Now, with many IPS devices a big chunk of that work can be externalised on a third-party, namely Managed Security Services Providers (MSSP).

As far as what solution is right for your site, it is a decision that depends on your site configuration, your team skills, your network bandwidth, your budget, organisation’s risk appetite, just to name a few. I would suggest to combine both IPS and IDS solutions, implementing them in different parts of your network as part of a comprehensive Defense in Depth strategy.

Finally, I recommend you have a look at open-source solutions like Snort, Bro (not all IDS are signature-based only) or even more advanced NSM solutions like Sguil (I really like this one), Hex, etc… See if you have the necessary skills and resources to implement and maintain them, as it won’t be easy. Otherwise hire a specialist to help you out with the implementation if you decide to go down that route.

As of commercial IPS solutions I have a very good feedback from Juniper devices. Also check with your firewall vendor, as integrating firewall and IPS management under the same console makes sense.

Feel free to flame me if I’m wrong.

Whatever you did, and despite the amount of money you spent, one thing is for sure: if you are reading this it’s safe to assume that you are still interested in reading about good infosec stuff, aren’t you?

Keep reading then and have a look at the following links containing a few interesting security tools, new forensic challenges and even a new Multi-Boot Security Live DVD:

• DFRWS 2008 Rodeo (forensic challenge): The 8th annual Digital Forensic Research Conference was held from August 11 to 13, 2008 in Baltimore, MD. A key element of this conference is the “forensic rodeo”, a challenge where conference attendees form teams to solve a digital forensic problem. The DRFWS has made the materials for the 2008 Forensic Rodeo available on their website for educational purposes and to support further research in memory analysis and file carving. The scenario description and the image files can be downloaded http://www.dfrws.org/2008/rodeo.shtml
• The Open Computer Forensics Architecture (OCFA): OCFA is a modular computer forensic framework developed by the Dutch National Policy Agency meant to be used in large investigations. If you want to give a try you can download the required packages from their main site: http://ocfa.sourceforge.net/
• Splunk: Splunk is a log archiving product that allows to search, navigate, alert and report on all logs in real time. Plus it’s free and available for all platforms on http://www.splunk.com/download
• Multi-Boot Security LiveCD DVD: A new all-in-one multipurpose LiveDVD that combines some of the very popular LiveCD ISOs already available on the Internet:
  • Backtrack 3
  • Damn Small Linux 4.2.5
  • Knoppix 5.1.1
  • Ophcrack 1.2.2 (with 720 mb tables)
  • Puppy Linux 3.01
  • and a few more…

I’m currently downloading the 4GB MultiISO .torrent file and will it give a try soon. Shame that Helix is not part of the DVD, but still looks like a handy tool to have in your Incident Response jump bag.

Enjoy and good luck with you holiday blues!

Now that my body is starting to recuperate from the 8 hours time difference, I’ve decided to upload a few pictures to the Photos area. There aren’t that many at the moment, but I’ll keep uploading more as I go.

Before arriving, a friend told me that Sydney was his second favourite city in the world (after Boston) and I can understand why he thinks so. Sydney seems to be a young, modern and vibrant city that has an interesting mix from Europe, Asia and America. Also people seem to be quite open and friendly.

Still have a week left in the land ‘Down Under’ so hopefully will have time over the weekend to do the tourist again and take some more pics to show you.

Being a BSi instructor for the BS 25999 courses on Business Continuity, I find these kind of real-life examples very instructive for being used at class, although I try to to get students to talk about their own experiences as much as possible.

So have a look at The Planet outage - what can we all learn from it? and let me know your thoughts.

In the following weeks I’ll be creating a new section of my blog where I will put together a list of Business Continuity resources (among others) I can share with my students at class. So stay tuned!

All of the above describe how the password attack picture was before a new technique, called ‘Pass-The-Hash’ made its way into the hacking scene. Although someone may think this technique is quite new, it was actually back in 1997 when Paul Ashton posted on Bugtraq a Windows exploit named “NT Pass the Hash” along with the theory which the exploit was based on. This Unix-based tool implemented a modified version of a SMB client that allowed the use of captured LanMan hashes, without having to decrypt them first. However, it wasn’t before last year when Core Security finally took this concept to the next level and produced a much more powerful tool called ‘Pass-The-Hash Toolkit’, which now runs on Windows and works with NTLM hashes. Let’s see how this technique works in more detail.

Pass-The-Hash is a different kind of password attack in that its ultimate goal is not to reveal what the password is, but rather to use it without having to crack it. Think about this, do you really care whether the password you are cracking is actually “peanuts”, “Barbie” or “Mickey Mouse”? I don’t think so. All you need to know is that it will give you access to the resource it’s protecting. Well, that’s the main concept behind ‘Pass-The-Hash’ attack.

First step to launch this attack is obviously to extract the password hashes. I’m not pretending to detail how to obtain them here, but you know you can either dump the SAM database if you managed to get admin privileges or dump current user SAM from memory if you ‘only’ have regular user privileges. Now, instead of trying to crack the hashes with L0pthCrack or Cain, all you need to do is to USE them directly.

To do so, the ‘Pass-The-Hash Toolkit’ contains utilities that let you manipulate the Windows Logon Session maintained by the LSA (Local Security Authority) component, allowing you not only to list the current logon sessions along with its corresponding NTLM credentials, but also to change in runtime the current username, domain name, and even NTLM hashes. Isn’t DLL injection lovely?

The Toolkit contains three utilities:

• IAM.EXE: This tool allows you to change your current NTLM credentials directly in memory without having the cleartext passwords. Only the password hashes are needed. Yes, that means no password cracking anymore! From the moment the NTLM credentials are changed you can immediately use commands that make use of NTLM authentication, like ‘net use’ or ‘net view’, with the stolen user’s credentials.
• WHOSTHERE.EXE: This tool will list logon sessions with NTLM credentials, including username, domain name, LM and NTLM hashes. Those logon sessions also include remote sessions like Remote Desktop Connections. That means you can now steal Domain Administrator’s password not only from the Domain Controller but also from any machine the Administrator may RDP to. Just run WHOSTHERE.EXE while the admin is logged on and use IAM.EXE from your machine to compromise the Domain Controller using those credentials. Also Man-in-the-middle attacks could be used effectively with this tool.
• GENHASH.EXE: This tool generates LANMAN and NT hashes from user given passwords. It’s just a small tool designed to help testing of IAM.EXE.

The advantages of using this technique are out of doubt. First, the time consuming password cracking is not needed, and additionally, the account lockouts that happened so often when doing password guessing won’t happen anymore. This is a massive improvement so it’s not surprising that Penetration Testers are increasingly relying on ‘Pass The Hash’ techniques.

For the folks on the other side of the line, that is from a defensive perspective, the above reinforces the need of adopting best practices when it comes to high privilege account management, using secure authentication schemes and maintaining a suitable patch and vulnerability management programme. Doesn’t it sound familiar?

—

The tools described in this post are part of the Pass-the-Hash Toolkit (pshtoolkit), written by Hernán Ochoa from Core Security. Latest release of Pass-The-Hash toolkit (v1.3 published on February 29, 2008) is available for free download here.

I’m sure those, both Unix beginners and their managers, will appreciate the following presentation I came across a few weeks ago: ”Unix Command-Line Kung Fu“. It’s author, Hal Pomeranz, presented it at SANS 2008 Orlando as part of the @Night talk conferences.

I think these nice slides will make happy not only users with less experience with the Unix command line, but also some experienced Unix folks that will find a good amount of tricks that provide massive productivity increases. I especially like the slides devoted to “Time-Based Searches”, which contain useful commands for intrusion detection and forensics analysis.

Well done Hal and thanks for this great material. And for those wondering whether there is any Windows alike version, stay tuned!

Thanks Adrian for your promptly response when asked for the slides and congratulations for your excellent contribution to the security community. Hope we can share a pint next time I’m in London. Un abrazo!

From HITBSecConf2008 website:

Let me give you a bit of background before going further. It’s been almost a month since Cesar Cerrudo, security researcher and CEO of Argeniss publicly warned that the latest Microsoft operating system, Windows Server 2008, might not be as secure as it seems. On an advisory released on March 24, he stated:

“The problem discovered by Argeniss results from design issues that were not identified by Microsoft engineers during the Security Development Lifecycle (SDL), and allows accounts commonly used by Windows services (NETWORK SERVICE and LOCAL SERVICE) to bypass new Windows services protection mechanisms and elevate privileges to achieve complete control over the operating system.”

This security flaw was reported to affect Windows XP, Vista, Windows Server 2003 and the brand new Windows Server 2008. Although exploitation details were not given at that time, the advisory announced that further details would be given at the upcoming Hack-in-the-Box conference in Dubai (14-17 April 2008).

And it’s right at this point when this becomes really interesting. Microsoft quickly stressed that Cerrudo’s advisory described a “design issue” rather than a new vulnerability. Well, that was before Cerrudo’s paper, entitled “Token Kidnapping”, was presented in Dubai earlier this week. As to rectify is of wise people, Microsoft released on Thursday a pre-patch security advisory (951306) recognizing that they are “investigating new public reports of a vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008”.

Some sources claim that the vulnerability addressed in that security advisory is the same discussed by Cesar Cerrudo in Hack-in-the-Box. This becomes quite evident after reading Thursday’s advisory and Cerrudo’s paper, although I haven’t found any official statement from Microsoft confirming so.

I must admit that this has been of benefit for both Microsoft and the researcher. On one side, Microsoft has had some time to research the problem before public details of exploitation are given, and on the other side, the researcher has created a great expectation on his talk. No doubt a win-win for everyone.

Now the question is, am I affected by this flaw? And in the absence of a security patch, what workarounds are available? Well, the good news is that no exploitation has been seen yet, however it’s worth to keep an eye on this, especially if you are a Web-hosting provider where customers could upload malicious code. Attending to Cerrudo’s paper, the main attack vectors are:

• Fully trusted ASP.Net code in IIS,
• SQL Server with users that have administrative privileges to load and run code,
• Any process with SeImpersonatePrivilege that loads and runs user-provided code, by acquiring a NetworkService token from the Microsoft Distributed Transaction Coordinator (MSDTC) service.

The following are some recommended workarounds (refer to Microsoft’s advisory for more details):

• On Windows XP and Server 2003: for IIS 6 don’t run ASP.Net in full trust and if classic ASP is enabled don’t allow users to execute binaries.
• On Windows Vista and 2008: for IIS 7, again, don’t run ASP.Net in full trust or don’t run websites (nor services) under NetworkServer or LocalService accounts. Use regular user accounts to run services instead.

Happy Sunday evening!

Further info on: http://www.argeniss.com and http://www.microsoft.com/technet/security/advisory/951306.mspx

PS. Earlier this week I got an email from my friend Adrian Pastor, also known as ‘pagvac‘ saying he was also giving a talk at HiTB 2008 in Dubai (Cracking into Embedded Devices and Beyond!). He is a great security professional and even a better chap. I promise I will post a link to his presentation on this blog when he makes it available.

Granted, I also gave him some tips on where to go in Dubai -views from the 24th floor bar at the Jumeirah Beach Hotel are awesome!-

I know it sounds funny, but so claims latest survey conducted by Infosecurity Europe over 576 office workers in London. According to that research, women are four times more likely than men to give out their passwords in exchange for a chocolate bar (45% of women compared to 10% of men).

However, results also indicate that up to 60% of men and 62% of women were happy to provide their names and telephone numbers when promised to enter a draw to go to Paris. With the percentage of people being fooled depending on the prize attractiveness (at the end of the day, all women love chocolate, don’t they) I wonder what the results would have been among men if the prize were football tickets or electronic toys…

While the real value of this ‘research’ is still uncertain (we don’t know how many people gave out a real password and how many just filled in any rubbish for a chocolate treat), the truth is that these year’s results are far better than those obtained in 2007, when 64% of people were ready to exchange their passwords for chocolate.

It’s also worth to mention that Infosecurity undertook this survey just a week before its annual exhibition at Olympia Centre, where nearly 12,000 visitors are expected. I’ve been there many times, and although I guess I would never give out my password for a chocolate bar, who has never given a business card to enter a draw to get a free ipod or an xbox at one of the hundred stands Infosecurity has?

Link to Press Release on Infosecurity website.

In this paper, published on the 11th issue of INSECURE Magazine (May 2007), I explain how information security controls can be integrated in the Software Development Lifecycle (SDLC) using ISO/IEC 17799 (now ISO/IEC 27002). The article includes a summary table linking specific clauses in the standard to SDLC phases starting from the risk assessment stage, prior to drawing up security requirements, and continuing right through development, testing and operations to system disposal at the end of its life.

Thanks to Mirko Zorz, INSECURE’s Chief Editor, for publishing my work and thanks to all the colleagues in the security community that have reviewed my article and posted positive comments on their websites like Gary Hinson or Jose Manuel Fernández, to mention a few.

To download my article only, instead of the full issue, click on the image on the left. More info here.

In the following days I will be adding more papers and presentations to that section.