Archive for the ‘ISC’ Category
Posted in ISC on May 12th, 2010 by ISC Handler
Rob, you say - it's been a little while since we talked about Layer 2 Security (almost a week) - does that mean that we're done?
Not a chance - we haven't talked about Private VLANs yet!
A VLAN is usually defined as a broadcast domain, and in most cases it coincides with an IP subnet. Private VLANs (also called PVLANs) are the exception: a private VLAN is still normally a single IP subnet, but it is no longer a single broadcast domain.
In a private VLAN, you start by defining an uplink port (also called a promiscuous port). This is normally the port (or link aggregation group) that is attached to the uplink router(s), firewall(s), provider network or shared server(s); a PVLAN can have more than one of them. After that is set, you define isolated ports. Any frame received on an isolated port is forwarded only out the promiscuous port(s), regardless of its destination MAC or IP address. This includes ARP and any other broadcast or multicast traffic. Frames received on a promiscuous port are forwarded in the usual way: ARP, broadcasts and all other layer 2 frames reach every port in the PVLAN, as you would expect.
So isolated ports in a private VLAN cannot speak to each other at layer 2 at all. Their only path to each other is via layer 3: the router on the promiscuous port has to answer ARP on their behalf (local proxy ARP) and route the traffic back out into the same subnet, so it is that router's or firewall's ACLs, not the switch, that decide whether two isolated hosts get to talk. Traffic to other subnets goes through the same uplink as normal.
The isolated-port idea can be relaxed into larger port groups, called community ports. Ports in the same community can speak to each other at layer 2 just like a regular VLAN, but they are separated from ports in other communities and from isolated ports.
Typical applications for private VLANs might be in a colocation facility or a public or private IaaS (Infrastructure as a Service) cloud network, where you might have several customers on the same subnet but communication between the customers is not desirable, since it would circumvent their firewalls. The same applies in a DMZ, where you might want to restrict communication between DMZ hosts but it is not worth the effort or cost of creating a separate DMZ for each host. Another common use for private VLANs is in a hotel, where every room has internet access and all rooms are on the same subnet, but communication between the rooms is not desired (for obvious reasons).
This diary touches on only the most basic concepts of private VLANs. I won't get into the specifics of the configuration, as they vary quite a bit between vendors' gear. Also be aware that this covers only the most basic PVLAN concepts; there's enough material here for a good few hundred pages if you were writing a book on Layer 2/3 switching and security, for instance.
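Since the forwarding rule itself is the same on every vendor's gear even though the configuration syntax is not, here is a vendor-neutral model of it as an added example (not code from the diary or from any switch vendor). It encodes the layer 2 decision a switch makes for a frame arriving on a promiscuous, isolated or community port and then derives which port pairs can exchange frames in a small constructed topology; the port names and community labels are made up for illustration.

```python
"""Vendor-neutral model of the private VLAN forwarding decision.

Added example; it is not code from the diary or from any switch vendor.
It models the layer 2 rule a switch applies to a frame arriving on a
promiscuous, isolated or community port, then derives the reachability
matrix for a small constructed port set. Port names and communities are
made up for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # uplink: router, firewall or shared server
    ISOLATED = "isolated"        # may exchange frames with promiscuous ports only
    COMMUNITY = "community"      # may also exchange frames within its own community


@dataclass(frozen=True)
class Port:
    name: str
    ptype: PortType
    community: Optional[str] = None  # set only for COMMUNITY ports

    def __post_init__(self) -> None:
        if (self.ptype is PortType.COMMUNITY) != (self.community is not None):
            raise ValueError(f"{self.name}: community id must be set on community ports only")


def may_forward(src: Port, dst: Port) -> bool:
    """True if a frame received on src may be forwarded out dst.

    The decision depends on port roles only, never on the frame's
    destination MAC or IP address, so it applies equally to unicast,
    ARP and broadcast. That is what stops isolated hosts even ARPing
    for each other.
    """
    if src is dst:
        return False  # a frame is never sent back out its ingress port
    if src.ptype is PortType.PROMISCUOUS or dst.ptype is PortType.PROMISCUOUS:
        return True   # the uplink reaches everything, and everything reaches the uplink
    if src.ptype is PortType.ISOLATED or dst.ptype is PortType.ISOLATED:
        return False  # isolated ports talk to nothing but the uplink
    return src.community == dst.community  # community ports: same community only


def flood_targets(src: Port, ports: list[Port]) -> list[str]:
    """Ports a broadcast or unknown-unicast frame from src is flooded to."""
    return [p.name for p in ports if may_forward(src, p)]


def l2_reachable_pairs(ports: list[Port]) -> set[tuple[str, str]]:
    """All ordered (src, dst) port pairs between which layer 2 traffic can pass."""
    return {(a.name, b.name) for a in ports for b in ports if may_forward(a, b)}


# Constructed topology: one uplink, two isolated colo customers, two web
# servers sharing a community and a database server in its own community.
UPLINK = Port("Gi1/0/1", PortType.PROMISCUOUS)
CUST_A = Port("Gi1/0/2", PortType.ISOLATED)
CUST_B = Port("Gi1/0/3", PortType.ISOLATED)
WEB1 = Port("Gi1/0/4", PortType.COMMUNITY, "web")
WEB2 = Port("Gi1/0/5", PortType.COMMUNITY, "web")
DB1 = Port("Gi1/0/6", PortType.COMMUNITY, "db")
PORTS = [UPLINK, CUST_A, CUST_B, WEB1, WEB2, DB1]

if __name__ == "__main__":
    for p in PORTS:
        print(f"broadcast in on {p.name} ({p.ptype.value:11}) floods to {flood_targets(p, PORTS)}")
    total = len(PORTS) * (len(PORTS) - 1)
    print(f"{len(l2_reachable_pairs(PORTS))} of {total} ordered port pairs can exchange frames")
```

Running it shows the uplink flooding to all six ports while either isolated customer floods only to the uplink, and 12 of the 30 ordered pairs reachable at layer 2. The model deliberately stops at the switch: if two isolated hosts can still reach each other in real life, the place to look is the router's local proxy ARP setting and its ACLs, not the PVLAN configuration.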
As always, if there are any errors in this diary, or if you'd like to comment with other examples of how you've seen PVLANs used, feel free to use the comment link.
=============== Rob VandenBrink Metafore ===============
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
Posted in ISC on May 12th, 2010 by ISC Handler
Adobe released a new version of the Shockwave Player for Windows and OS X yesterday. Multiple vulnerabilities are addressed; most of those on the list could result in arbitrary code execution and compromise of the workstation, so this is an important update to get done ASAP.
Full details here == http://www.adobe.com/support/security/bulletins/apsb10-12.html
=============== Rob VandenBrink Metafore ===============
Posted in ISC on May 12th, 2010 by ISC Handler
Several readers wrote in to note that the .de domain (Germany), which is operated by DENIC [1], had an unplanned outage earlier in the day, lasting a bit over an hour.
There is no official statement yet, but according to one source [2], a bad zone file was loaded and it took a while to fix.
Currently, .de domains appear to be reachable again.
[1] http://denic.de/ (in German)
[2] http://www.tld.sc/en/
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
===================================================
The outage looks like it was from approximately 13:30 to 15:30 local time (CEST)
================= Rob VandenBrink ====================
Posted in ISC on May 11th, 2010 by ISC Handler
Overview of the May 2010 Microsoft patches and their status.

MS10-030 - Vulnerabilities in Outlook Express and Windows Mail (Replaces MS09-037, MS08-048)
  Affected: Outlook Express and Windows Mail Integer Overflow (CVE-2010-0816)
  Contra Indications: none listed
  Known Exploits: Proof-of-concept code publicly available
  Microsoft rating: Severity: Critical, Exploitability: 2
  ISC rating (*): Clients: Critical / Servers: Important

MS10-031 - Vulnerabilities in Microsoft Visual Basic for Applications (Replaces MS08-013, MS06-047)
  Affected: VBE6.DLL Stack Memory Corruption (CVE-2010-0815)
  Contra Indications: none listed
  Known Exploits: No known exploits
  Microsoft rating: Severity: Critical, Exploitability: 2
  ISC rating (*): Clients: Critical / Servers: Important
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
We use 4 levels:
PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
Important: Things where more testing and other measures can help.
Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment of the machine and the common measures people typically have in place already. For servers, the measures we presume are simple best practices, such as not using Outlook, MSIE, Word etc. on them to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look at if you use the affected systems. There is little incentive for vendors to publicize patches that do not address some form of risk.
------
Scott Fendley
ISC Handler on Duty
Posted in ISC on May 10th, 2010 by ISC Handler
Matousec has released a new paper (http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php) detailing their proof of concept for using kernel hooking (specifically what they call an argument switch attack) to bypass antivirus software. The concept isn't new, as they acknowledge, but the paper is nicely detailed, and the use of a race condition of sorts to bypass the security checks made when a hooked system call is handled is cool: the hook validates the call's arguments where they sit in user memory, and a second thread swaps them for something else in the window before the original kernel routine reads them again. It should be noted that the attack as described relies on hooks in the system service table, which PatchGuard does not allow on 64-bit Windows, so it is 32-bit systems that are exposed in this form.
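To make the race concrete, here is a small model of it as an added example; it is not code from the Matousec paper or from any vendor's product. Everything in it is a user-mode Python stand-in for kernel pieces: sys_open_real() plays the original system call, UserBuffer is the caller-owned memory a syscall argument points to, hook_vulnerable() is a security hook that validates that argument in place before passing control on, and hook_fixed() is the same hook with the argument copied once before the check. The guarded path and the benign path are constructed for the example. The real attack wins the race with a second thread that rewrites the argument over and over; here the window is driven deterministically through a callback so the outcome is reproducible.

```python
"""Model of the check-then-use ("argument switch") race that KHOBE-style
attacks use against security hooks on the system call table.

Added example, not code from the Matousec paper or from any vendor.
Kernel pieces are modelled in user mode; the race window is driven by a
callback instead of a competing thread so the result is deterministic.
"""
from typing import Callable, Optional

# Constructed example of a path the hook is meant to guard, and a benign one.
PROTECTED = frozenset({"C:\\Windows\\System32\\drivers\\av.sys"})
BENIGN = "C:\\Users\\bob\\notes.txt"

Race = Optional[Callable[[], None]]


class UserBuffer:
    """Caller-owned memory holding a syscall argument (here, a pathname)."""

    def __init__(self, path: str) -> None:
        self.path = path


class AccessDenied(Exception):
    pass


def sys_open_real(buf: UserBuffer) -> str:
    """The original system call. It reads the argument from user memory itself."""
    return f"opened {buf.path}"


def hook_vulnerable(buf: UserBuffer, race: Race = None) -> str:
    """Hook that checks the argument in place, then lets the real call re-read it."""
    if buf.path in PROTECTED:              # check: first read of user memory
        raise AccessDenied(buf.path)
    if race:
        race()                             # window: another thread rewrites buf.path
    return sys_open_real(buf)              # use: second read sees the swapped value


def hook_fixed(buf: UserBuffer, race: Race = None) -> str:
    """Hook that captures the argument once, checks the copy, and passes the copy on."""
    captured = UserBuffer(buf.path)        # single read into memory the caller cannot touch
    if captured.path in PROTECTED:
        raise AccessDenied(captured.path)
    if race:
        race()                             # the swap now hits memory nobody reads again
    return sys_open_real(captured)


Hook = Callable[[UserBuffer, Race], str]


def attempt_switch(hook: Hook) -> tuple[bool, str]:
    """Run one argument-switch attempt against hook; return (bypassed, outcome)."""
    buf = UserBuffer(BENIGN)               # benign value is what the check will see

    def switch() -> None:
        buf.path = next(iter(PROTECTED))   # flip to the guarded path inside the window

    try:
        outcome = hook(buf, switch)
    except AccessDenied as exc:
        return False, f"denied {exc}"
    return any(outcome.endswith(p) for p in PROTECTED), outcome


def denies_direct_access(hook: Hook) -> bool:
    """Sanity check: with no race, both hooks refuse the guarded path outright."""
    try:
        hook(UserBuffer(next(iter(PROTECTED))), None)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    for h in (hook_vulnerable, hook_fixed):
        bypassed, outcome = attempt_switch(h)
        print(f"{h.__name__:16} direct access denied={denies_direct_access(h)} "
              f"switch bypassed={bypassed} ({outcome})")
```

Both hooks refuse the guarded path when asked for it directly; only the in-place checker can be talked into opening it by changing the argument between its check and the real call's use. The fix is the usual one for any double fetch across a trust boundary: read the caller's data once, validate the copy, and act on the copy.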
Posted in ISC on May 10th, 2010 by ISC Handler
H-Security has published an article (http://www.h-online.com/security/news/item/Large-scale-attack-on-WordPress-996628.html) discussing a new series of attacks against WordPress-based sites.
Multiple hosting providers have been hit, including GoDaddy, Bluehost, Dreamhost, Network Solutions and Media Temple. There is one report that even sites running the most current version of WordPress have been compromised.
We will update as we have more information. At this point I recommend reading the H-Security article for a summary of the scripts being injected, and contacting your hosting provider if you have concerns about your site.
Posted in ISC on May 8th, 2010 by ISC Handler
Wireshark issued an update to fix an issue in the DOCSIS (Data Over Cable Service Interface Specification) dissector. An attacker could exploit it by feeding Wireshark malformed data, crashing the application (a denial of service).
Affected Products
Wireshark versions 0.9.6 through 1.0.12 Bulletin can be viewed here.
Wireshark versions 1.2.0 through 1.2.7. Bulletin can be viewed here.
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
Posted in ISC on May 8th, 2010 by ISC Handler
Microsoft announced that they will be releasing two bulletins, both rated critical, for vulnerabilities that could allow remote code execution. The vulnerabilities affect Windows 2000, XP and Vista as well as Windows Server 2003, 2008 and 2008 R2. Other affected applications are Office XP, 2003 and 2007 and Microsoft Visual Basic. More details are available from the Microsoft Security Response Center blog [1].
The recent SharePoint Security diary posted on ISC will not be addressed in the May bulletins.
[1] Microsoft Security Response Center Blog
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
Interested in taking SANS Sec 503 in French?
Register at http://www.sans.org/nice-2010/ for Community SANS Nice, France, 21 to 26 June 2010.
Posted in ISC on May 7th, 2010 by ISC Handler
A number of stocks lost nearly all of their market value yesterday in the span of five minutes, leading to the fastest drop ever in the Dow Jones index. Luckily, most of the value was recovered, but the index still closed substantially lower. It is not yet clear exactly what happened, but computer issues are cited as a possible reason. One report suggested a data entry error (entering B for billion instead of M for million). But several stocks were affected; these companies' shares went from as high as $59 to a couple of cents in a few minutes.
Again, the investigation is just starting. But this reminded me of a scenario we put forward a few years back. John Bambenek published a nice diary [1] in September of 2005 estimating that, at the time, $24 billion worth of assets were under the control of bot herders, in the form of brokerage accounts owned by infected users. That number is of course just a guess, but it does support the scenario of a bot-controlled market DoS. The scenario we put forward back then was that a botnet could cause economic mayhem if such a sell-off were timed to coincide with real-world events that would cause market jitters. Right now, the economic crisis in Greece and the oil spill in the Gulf of Mexico could serve as such events.
How do we protect ourselves? Sadly, as is typical of our approach to software security, incident handling and forensics will have to come first. Maybe then we will learn what we should have considered in the first place: how to write more secure software, and how to put the controls in place to prevent these errors.
[1] http://isc.sans.org/diary.html?storyid=712
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
=====================================================
More thoughts on this: if you want a large financial influence (for instance in a cyber-war scenario), you don't need to control $24B in household assets through malware; you need to control one trader's workstation at a major firm. Yesterday's event shows us just how vulnerable we are - one bad trade, and all the lemmings follow the leader over the cliff! Fund managers would be good targets as well. Through a lever like this, your control is multiplied potentially hundreds of times.
Looking for targets like that? I just searched LinkedIn for "hedge fund" (36,000 results) or "fund manager" (12,000 results) - all nicely searchable by city, company etc.
A targeted phish campaign against a narrowly defined audience like that ... hmmmm ....
============== Rob VandenBrink, Metafore ================
Posted in ISC on May 7th, 2010 by ISC Handler
Last month, I posted a diary titled The Many Paths to Security Awareness, which discussed various job positions, what motivates people in those jobs, and what messages you might use to take advantage of those motivators. The end goal is that, when faced with a security-related decision, you see a move in the positive direction. As a security professional, you want people in your organization or your customers' organizations to make the right choice when they're put on the spot.
First of all, I'd like to thank everyone very much for participating in the survey that was part of the original story. I used the survey results, along with interviews and my own experience, to write a paper on this topic (one of my last requirements for my sans.edu masters degree!). You can find the paper here == http://www.sans.edu/resources/student_projects/ , along with a presentation that summarizes the information. The presentation got posted as a PDF, so the nifty PowerPoint animations don't work, but the message is all there.
There were lots of things in the results that you'd expect - for instance, CEOs are motivated by regulatory compliance, avoiding lawsuits and shareholder value - but some of the results were a bit of a surprise:
When I started this, I had thought that protection of Intellectual Property (IP) would be of primary concern to engineers and others who actually create said IP. However, what I found was that, more and more, IP is being given a real dollar value, and any compromise of IP is being worked into corporate risk assessments. So protection of IP is now on the radar of lots of CEOs, and it can be used to influence security decisions at that level.
Folks in a helpdesk role are motivated by uptime of corporate systems, compliance with corporate policies and personal financial incentives, but more overtime does NOT count as a financial incentive! Also, personal workstation downtime almost didn't register as a motivator (this one kind of surprised me).
Something that we all live with is that IT groups are still taking the lead in developing, monitoring and enforcing security policies. However, what is FINALLY happening is that HR is now starting to take the lead in some of this. In many organizations, things like reports from the content filter that monitors and enforces web usage policies are now the responsibility of HR, with IT there to provide the service and act as an expert consultant. This is a good thing to see, because HR is actually placed to do real enforcement of policies like AUPs (Acceptable Use Policies) and web surfing policies, where in many companies IT could only watch and shake their heads.
What didn't work across the board was any security task that people couldn't immediately see value in on their own (without a lesson from security school). So, for instance, if you want to implement password complexity where it hasn't existed before, it's probably worth a bit of an awareness message ahead of time, or no one is going to buy into it.
Again, the full results are in the paper; the PowerPoint covers the high points.
Anything you'd like to add to the list is welcome; by all means use the comment form to add to this story!
=============== Rob VandenBrink, Metafore ===============