Friday, September 28, 2007

BackTrack (EH.net remix)

I was waiting for my download to finish before I told you that EthicalHacker.net has released a version of the BackTrack live CD that A) is also a VMware appliance and B) has Metasploit 3 ready to run. (It also has the latest aircrack-ng for those long airport layovers.)

OK, my download is done.

Firewalls, SIM, and Visualization

Saudi asks for help on the loganalysis mailing list:

"Looking for help in identifying meaningful/actionable reports that we can get from Firewall log analysis."

Normally, I would've replied to the list, but attaching a bunch of jpeg files that will be sent to hundreds of people is poor etiquette. So instead, I'll spam the list with a link to this blog post. :-)

Reports are great and all, and you've gotten some excellent suggestions so far. But I'm a believer in mjr's artificial ignorance model for log analysis, so I put a high value on finding things that I don't know that I'm looking for. And when you want to do that with millions of events, visualization is the way to go. So here are some ArcSight data monitors that I have that are specific to firewall data.

This is a pair of moving average graphs. The green one is 'accept' messages and the red one is 'drop' or 'reject' messages. Big spikes or dips in these graphs are interesting. The other thing you can't see in these is that there's a second line along the bottom. That line is the failover firewall. When it fails over, both graphs draw a pretty 'X' with intersecting lines.

This is another moving average graph. I love these things! This one isolates workstation VLANs (so this is user-land only) and pairs srcaddr/dstport. Big spikes and long plateaus are usually interesting. The plateaus have traditionally been malware trying to scan or send spam. We've gotten better at catching this stuff on the front end, though, so I rely on this less today than I did 2 years ago. Also, if multiple lines are doing the same thing, that's interesting, too, since it can mean multiple infections.

This data monitor shows, to scale, firewall events by hour, by severity. Any place you have visible orange or red or green is probably interesting. An abnormally high or low event count per hour is also interesting. This one above shows the overnight, so the yellow, orange, and red appear more prevalent because there are fewer events in those buckets.

This data monitor is a pie graph that shows last-hour firewall events by target country code. This probably doesn't work for all organizations, but my company is based and does business exclusively in the US. That means that any large amount of traffic destined for RU or CN is probably the start of a bad day for me.

This data monitor is just a chart that displays the Top 10 sources of blocked traffic. I've whited-out the actual IPs, but you can see the zone details. (The top 3 DMZ servers are due to a recent change in the firewall that the servers haven't caught up to.)

One of the cool things about SIM visualization gadgetry like ArcSight's data monitors is that these displays are in near-realtime. So it's like a report that's always running, and that's really easy to operationalize - "Here, stare at this for a few minutes every so often. If it looks weird, click on it and find out why."
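As an added example (my own code, not from the post or from ArcSight), here is how two of the monitors above, the accept/drop moving-average lines with their spike and dip detection and the Top 10 blocked sources chart, can be computed over firewall logs. The log is constructed and simplified to "HH:MM action src dst dport", and the one-minute buckets, three-bucket window and 2x deviation factor are assumptions.

```python
import re
from collections import Counter, defaultdict
# Constructed, simplified firewall log (not from the post): "HH:MM action src dst dport".
SAMPLE_LOG = """\
09:00 accept 10.1.5.20 93.184.216.34 443
09:00 drop 203.0.113.9 10.1.0.5 22
09:01 accept 10.1.5.21 93.184.216.34 443
09:01 drop 203.0.113.9 10.1.0.5 23
09:02 accept 10.1.5.22 198.51.100.7 80
09:02 drop 198.51.100.77 10.1.0.5 445
09:03 accept 10.1.5.20 93.184.216.34 443
09:03 drop 203.0.113.9 10.1.0.6 22
09:04 accept 10.1.5.23 198.51.100.7 80
09:04 drop 203.0.113.9 10.1.0.7 22
09:04 drop 203.0.113.9 10.1.0.8 22
09:04 drop 198.51.100.77 10.1.0.11 22
"""
LINE_RE = re.compile(r"^(\S+) (accept|drop|reject) (\S+) (\S+) (\d+)$")

def parse(log_text):
    """Return (minute, action, src, dst, dport) tuples; unparsable lines are skipped."""
    return [(m[1], m[2], m[3], m[4], int(m[5]))
            for m in map(LINE_RE.match, log_text.splitlines()) if m]

def per_minute_counts(events):
    """Accept vs. drop/reject counts per minute bucket, in time order (the two graph lines)."""
    counts = defaultdict(lambda: {"accept": 0, "drop": 0})
    for minute, action, *_ in events:
        counts[minute]["accept" if action == "accept" else "drop"] += 1
    return dict(sorted(counts.items()))

def deviations(series, window=3, factor=2.0):
    """Indices of buckets outside [mean/factor, mean*factor] of the preceding window: spikes and dips."""
    flagged = []
    for i in range(window, len(series)):
        baseline = sum(series[i - window:i]) / window
        if baseline and not (baseline / factor <= series[i] <= baseline * factor):
            flagged.append(i)
    return flagged

def top_blocked_sources(events, n=10):
    """Top-N source addresses of dropped/rejected traffic, like the Top 10 chart."""
    return Counter(src for _, action, src, _, _ in events if action != "accept").most_common(n)

def firewall_review(log_text=SAMPLE_LOG):
    events = parse(log_text)  # minutes with an abnormal drop count, plus the top blocked sources
    buckets = per_minute_counts(events)
    flagged = deviations([b["drop"] for b in buckets.values()])
    return [list(buckets)[i] for i in flagged], top_blocked_sources(events, 3)
```

In the constructed sample, the 09:04 bucket trips the drop-count deviation check while the accept line stays flat, which is the shape of the "interesting" spike the post describes.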

Thursday, September 27, 2007

A Message for Digital Flow

I was following up on some suspicious JavaScript content and found this:

//****** Advanced DHTML Popup Pro Version 2.40.096.201.019, Build: 130 ******
// Copyright (c) Digital Flow Software 2005-2006
// The present javascript code is property of Digital Flow Software.
// This code can only be used inside Internet/Intranet web sites located on *web servers*, as the outcome of a licensed Advanced DHTML Popup application only.
// This code *cannot* be used inside distributable implementations (such as demos, applications or CD-based webs), unless this implementation is licensed with an "Advanced DHTML Popup License for Distributed Applications".
// Any unauthorized use, reverse-engineering, alteration, transmission, transformation, facsimile, or copying of any means (electronic or not) is strictly prohibited and will be prosecuted.
// ***Removal of the present copyright notice is strictly prohibited***


And subsequently, this:

Unblockable popups

The popups that are created with Advanced DHTML Popup are not blocked by standard external window blocking software as they are part of the web page and not windows on your visitor's desktop.

So, first of all, I would like to say that for as long as your "intellectual" property appears on my network just like a malware dropper, I will continue to reverse engineer its content to verify its intent. Second of all, you guys seem pretty smart. Why couldn't you find real jobs?

Tuesday, September 25, 2007

eBay Hacked?

Sounds like somebody may have hacked an eBay server or two and dumped member dox to one of the forums. Keep a close eye on your credit cards that are associated with eBay and/or PayPal. Also keep an eye out for an announcement from eBay of the personal info disclosure.

Update: Maybe not. May have been a problem with eBay software. Either way, personal info seems to have been disclosed. Here's a post (that's subsequently been pulled) from an eBay employee:

"xman@ebay.com View Listings Report 26-09-07 00:47 EST 82 of 88 The site wasn't actually hacked... it was a server issue where the system displayed the poster's information rather than the post itself. Being that the credit card information was on a different server, that info came up incorrect. It was not some hacker sitting there entering in someone's information and using a card generator."

More here.

Another Update:

Check out some video of the actual data. Look out for the cheezy Nintendo music. It'll sneak up on you!

Monday, September 24, 2007

TJX Settlement Close?

According to a boston.com article, a tentative settlement has been reached in the TJX breach class-action lawsuit. If the judge accepts the settlement, consumers will get:
  1. Up to a $30 voucher per customer who can show time/money spent dealing with the breach (at a rate of $10/hr).
  2. 3 years of credit monitoring and identity theft insurance for about 450K customers who had lots of info (including DL# and SSN) stolen.
  3. Marshalls and TJ Maxx will hold a 3-day "Customer Appreciation 15% Off Sale." (I kid you not!)
Unfortunately, the settlement lets TJX avoid admitting breach of contract and negligence with regard to its data security practices. Also apparently missing from the settlement is any commitment from TJX to improve security. Of course, with the settlement costing an estimated $256M, we can hope that the board and execs at TJX have seen the light on security spending.

Friday, September 21, 2007

Expert Advice

I feel a little strange about being proud of this achievement, but anywhere my name appears along with the word "expert" in the same context as folks like Kevin Kadow and Lenny Zeltser, it makes my head swell.

Thursday, September 20, 2007

It's Official

The Grand Rapids ISSA chapter has secured local evil* genius Matt Carpenter to present at our October meeting. Matt is a SANS instructor and security analyst at Intelguardians. He will be presenting the research he and Tom Liston debuted at SANSFire 2007 on VM escaping.

If you're in Michigan or even Northern Indiana or Northeastern Illinois (or Eastern Wisconsin - the ferry drops you in Muskegon, just 40 minutes away!), and couldn't get to SANSFire, this is your chance to catch part of it for free.


* Matt's not actually evil, in fact he's a genuinely great guy and I'm honored to call him my friend. But if he were evil, we'd all be in big, BIG trouble.