Posted in bind, Blog, blogs, DNS, ISC, security, vixie on December 24th, 2011 by cvelo
Archive for the ‘ISC’ Category
Posted in ISC on August 11th, 2010 by ISC Handler
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
Posted in ISC on August 11th, 2010 by ISC Handler
In view of all the brute force attacks still being attempted against Secure Shell (SSH), we have long since been extolling the virtues of forgoing passwords and moving to RSA/DSA keys instead.
While key based login indeed nicely addresses the problem of password guessing attacks, it looks like many a Unix admin has been less than diligent in the implementation. In pretty much every Unix security audit recently, we've come across unprotected or badly protected SSH private keys (id_dsa, id_rsa). Some reside plain flat out in the open, in /tmp and such. Others are found in world-readable tar backup archives of user and administrator home directories. Some are even built into home-grown Linux RPM and Solaris PKG packages, ready to be plucked off an install server.
It probably goes without saying, but let's repeat it nonetheless:
- Whoever can access a TAR/ZIP/GZ archive can read all its contents. Be super careful when you create a temporary archive copy of everything residing in a home directory. This copy is bound to include the .ssh directory, and the private keys therein.
- Whoever can access an RPM or PKG package can read all its contents. Yes, it is convenient to have the SSH keys that are part of your home-grown admin script suite already within the install package. But then don't be surprised if others make use of this convenience, too.
In a Unix penetration test within a company or academic institution network, we often first go looking for files and directories that can be read without authentication. Most large organizations have an install server from where they stage their new Unix systems, and often we find these install servers openly sharing the package filesystem over NFS for everyone. Other good choices are home directories, all too often also exported via NFS to everyone. Once read access is established, we can go hunting:
$ find /mnt/some_exported_fs \( -name id_dsa -o -name id_rsa \)
$ find /mnt/some_exported_fs -type d -name .ssh
$ find /mnt/some_exported_fs -type f -name '*.tar' | egrep '(^/|id_dsa|id_rsa|\.ssh)'
...etc. Adapt as needed for your environment.
To better protect your privates, please consider the following:
- Add a passphrase to all private keys that are used interactively. ssh-keygen -p can be used to add a passphrase to an existing private key.
- Use a forced command for all private keys that are used in system automation, to limit the abuse potential. Use command="/bin/foo/bar" in the authorized_keys file to limit what the corresponding private key can do.
Keys without a passphrase look different from those that have one. If you want to make sure that your users also protect their privates, you can (as root) search for keys without a passphrase with the following command:
# find / \( -name id_dsa -o -name id_rsa \) -exec egrep -L Proc-Type {} \; 2>/dev/null
Newer DSA/RSA keys contain the string Proc-Type as part of the key file when a passphrase is set on the key. The above command lists all those key files where this isn't the case (egrep -L prints the names of files that do not match).
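The Proc-Type test above covers the PEM key files that ssh-keygen wrote at the time of the diary. Newer OpenSSH releases write keys in their own openssh-key-v1 format, which never carries a Proc-Type header, so a grep for that string alone would report every such key as unprotected even when it has a passphrase. The following audit script is an added example, not code from the ISC diary: it classifies key files by content (the Proc-Type header for PEM, the ciphername/kdfname fields for openssh-key-v1), walks a tree like the find command does, and ships with constructed sample key material (header fields only, not loadable keys) so it runs offline. It uses only the Python standard library; the file names in the self-check are made up.

```python
# Added audit helper (not from the ISC diary): flags private keys with no passphrase.
# Assumes only the Python standard library. Sample key material below is constructed
# and is not a usable key; it carries just the header fields the check inspects.
import base64
import os
import re
import struct
import tempfile
from pathlib import Path

PEM_PRIVATE = re.compile(rb"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----")
PEM_ENCRYPTED = re.compile(rb"^Proc-Type:\s*4,ENCRYPTED", re.MULTILINE)
OPENSSH_BEGIN = b"-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_END = b"-----END OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"
MAX_KEY_BYTES = 64 * 1024  # real key files are tiny; skip anything larger


def _ssh_string(s):
    """Encode one length-prefixed string as used by the openssh-key-v1 layout."""
    return struct.pack(">I", len(s)) + s


def _read_ssh_string(buf, offset):
    """Decode one length-prefixed string; returns (value, next_offset)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def classify_key(data):
    """Return 'encrypted', 'unencrypted' or 'not-a-private-key' for file contents."""
    if OPENSSH_BEGIN in data:
        # openssh-key-v1: magic, then ciphername and kdfname strings; "none"/"none"
        # means the key is stored in the clear (this format has no Proc-Type header)
        try:
            body = data.split(OPENSSH_BEGIN, 1)[1].split(OPENSSH_END, 1)[0]
            blob = base64.b64decode(b"".join(body.split()))
            if not blob.startswith(OPENSSH_MAGIC):
                return "not-a-private-key"
            cipher, off = _read_ssh_string(blob, len(OPENSSH_MAGIC))
            kdf, _ = _read_ssh_string(blob, off)
        except (ValueError, struct.error):
            return "not-a-private-key"
        return "unencrypted" if cipher == b"none" and kdf == b"none" else "encrypted"
    if PEM_PRIVATE.search(data):
        # classic PEM: an encrypted key carries "Proc-Type: 4,ENCRYPTED" (the diary's test)
        return "encrypted" if PEM_ENCRYPTED.search(data) else "unencrypted"
    return "not-a-private-key"


def find_unprotected_keys(root):
    """Walk root and return sorted paths of private keys stored without a passphrase."""
    hits = []
    for path in Path(root).rglob("*"):
        try:
            if not path.is_file() or path.stat().st_size > MAX_KEY_BYTES:
                continue
            data = path.read_bytes()
        except OSError:
            continue  # unreadable or vanished mid-walk; same effect as 2>/dev/null
        if classify_key(data) == "unencrypted":
            hits.append(str(path))
    return sorted(hits)


def _fake_openssh_key(cipher, kdf):
    """Constructed sample: header fields only, deliberately not a loadable key."""
    blob = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
    return OPENSSH_BEGIN + b"\n" + base64.encodebytes(blob) + OPENSSH_END + b"\n"


# Constructed PEM samples: the base64 body is a placeholder, only the headers matter here.
SAMPLE_PEM_PLAIN = b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDERBODY\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_PEM_ENC = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  b"DEK-Info: AES-128-CBC,PLACEHOLDERIV\n\nPLACEHOLDERBODY\n-----END RSA PRIVATE KEY-----\n")
SAMPLES = {  # made-up file names for the self-check
    "id_rsa_plain": SAMPLE_PEM_PLAIN,
    "id_rsa_enc": SAMPLE_PEM_ENC,
    "id_ed25519_plain": _fake_openssh_key(b"none", b"none"),
    "id_ed25519_enc": _fake_openssh_key(b"aes256-ctr", b"bcrypt"),
    "id_rsa.pub": b"ssh-rsa AAAAB3NzaC1yc2E-placeholder user@host\n",
}


def self_check():
    """Write the constructed samples to a scratch directory and return the flagged names."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in SAMPLES.items():
            Path(tmp, name).write_bytes(content)
        return sorted(os.path.basename(p) for p in find_unprotected_keys(tmp))


if __name__ == "__main__":
    import sys
    for hit in (find_unprotected_keys(sys.argv[1]) if len(sys.argv) > 1 else self_check()):
        print(hit)
```

Run it with a directory argument (for example a mounted home filesystem, as root) to list the unprotected keys under it, or with no argument to run the self-check on the constructed samples. Because the check is content-based rather than name-based, it also catches keys that were copied or renamed away from id_rsa/id_dsa, which the find -name approach misses.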
If you got additional tips on how to protect SSH private keys on Unix, or how to best locate misplaced / unprotected private keys, please let us know.
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
Posted in ISC on August 10th, 2010 by ISC Handler
This is a busy day for the folks doing patching out there. Aside from the MS patches released today, Adobe also released a bunch of security updates.
Here are the links to each of the security updates:
Flash Media Server - Rating: Critical (rated by Adobe)
Adobe AIR and Flash - Rating: Critical (rated by Adobe)
ColdFusion - Rating: Important (rated by Adobe)
With the current exploitation trend, the Flash vulnerability should be a high priority for patching. Happy patching.
--------------------
Jason Lam (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
Posted in ISC on August 9th, 2010 by ISC Handler
Tom wrote in to the handlers list today and asked a question that I think our readers can help with (especially since we've gotten so many great ideas from the diary asking for suggestions for Cyber Security Month). He is looking for tools to allow for more proactive monitoring of his systems, but given shrinking budgets (he works in government, but the situation isn't much better anywhere else), he's looking for something free or, at least, inexpensive. What are you using to monitor patch status? Application versions? A/V? Behavior? Strange files? Network devices? Anything else? Is it centrally managed? Does it scale?
---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org
FOR408 Computer Forensics Essentials coming to central OH in Sept, see http://www.sans.org/mentor/details.php?nid=22353 (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
Posted in ISC on August 9th, 2010 by ISC Handler
---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
Posted in ISC on August 8th, 2010 by ISC Handler
As most of our readers know, the past three years we participated in Cyber Security Awareness Month by covering a special topic each day. We are less than two months away from this year's awareness campaign and we are looking for your ideas on what we should focus on this year. Here are links to summaries of the past three years so that you can see what we've done:
2007: http://isc.sans.edu/diary.html?storyid=3597
2008: http://isc.sans.edu/diary.html?storyid=5279
2009: http://isc.sans.edu/diary.html?storyid=7504
The handlers were discussing this topic a couple of weeks ago and came up with some ideas. Here is what we've been noodling as possible topics for 2010:
- Key services that should or should not be running, and how to secure those services that are necessary
- How to secure popular applications in categories like social (Facebook, etc.), desktop (MS Office, etc.), mobile (iPhone apps, etc.), web apps (online banking, etc.) and cloud (Google Docs, etc.)
- How to use security tools like Nessus or Wireshark
- Manipulating Windows registry settings
- Security horror stories
We'd really like to do something that has a lot of meaning for our readership. So use the comment link below to add your ideas and thoughts, or if you want to share your thoughts privately with us use our contact form. In the past, we've had a general theme for the entire month then discussed sub-themes each week. If you look back at the previous years you can see how that theme is carried out.
Marcus H. Sachs
Director, SANS Internet Storm Center (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
Posted in ISC on August 7th, 2010 by ISC Handler
Two of our readers (thanks Jason and Mike!) have written in to highlight the ongoing DDoS against DNS Made Easy.
You can read the ongoing reports via their Twitter page. The DDoS is reported to be circa 50 Gb/sec in size. If you have any details on the type of attack, we'd love to know.
Steve Hall
ISC Handler (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
Posted in ISC on August 7th, 2010 by ISC Handler
Seb dropped me a note today to ask to remind our readers that we are on countdown to a bumper crop of patches being released by Microsoft on Tuesday.
On Microsoft's Advanced Notification website they are reporting 14 bulletins, with 8 criticals and 6 importants. Given that all the criticals are classified as remote code execution, it's time to dust off your monthly patching process and get it all ship shape, ready for the fun to start.
Given we have a few days between Seb's timely reminder and when we need to push the patch button, how good do you think your patching processes are? How do you measure their effectiveness, and how do you measure their maturity?
Maybe you could consider scoring them against a scale such as COBIT? There is a nice table which explains the ratings within COBIT (taken from the SEI Capability Maturity Model (CMM)) on the ISACA site, which I've taken and reproduced below:
Level 0: Non-existent
Level 1: Initial/ad hoc
Level 2: Repeatable but Intuitive
Level 3: Defined Process
Level 4: Managed and Measurable
Level 5: Optimized
Given the frequency with which suppliers, including Microsoft, release such patches, where would you score yourself?
If you score somewhere between 3 and 4, in that you have a process but you don't measure your success, what would you do to get up towards a 4, or maybe even a 5?
Let me know before you get busy patching those systems, and I'll update with the best suggestions.
Steve Hall
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
Posted in ISC on August 6th, 2010 by ISC Handler
www.foxitsoftware.com/announcements/2010861227.html
===============
Rob VandenBrink Metafore
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.