Microsoft have released EMET 5.0 details here. I've been running EMET for quite some time now, it's very unobtrusive and fairly intuitive.  It can also be integrated to good effect with the MS System Center suite. If you're running Windows, install it and make a bad guy's life that little bit harder.

The guys over at abuse.ch who publish the ZeuS and SpyEye tracking lists among others have added another list, this time tracking the SSL certificates in use by various pieces of malware for C&C traffic.  There are two types of lists, a list of fingerprints of observed certificates and a list of IP addresses associated with the traffic. The fingerprint list also comes as a ruleset for the Open Source (IDS/IPS) Suricata, unfortunately Snort doesn't support SSL/TLS fingerprinting so Snort users are out of luck (the IP lists would certainly be of some use). It also comes as a CSV.

This got me to thinking about other ways to do this without having a Suricata instance or doing this with historical data (maybe you run full packet capture at the gateway and don't discard ssl?). Granted for the historical use case you could just fire up Suricata and run the pcaps through it, but where's the fun in that? *nix has a utility called ssldump which looks at network data, live or pcap, and parses out the session information including the certificate. Once we have the certificate it can be fingerprinted with OpenSSL and compared to our list of known bad fingerprints.

This is still a work in progress and currently doesn't work with live traffic (something goes awry with the awk script I think) and I can't clain to have written all the code, more glued some bits and pieces together but it seems like it could be quite effective with a bit more fiddling. I'd be interested to see how it goes on a reasonable size data set. I still need to write something to grab the Source and Destination IP from the ssldump too.

 ssldump -AN -r ssl.pcap | awk 'BEGIN {c=0;} { if ($0 ~ /^[ ]+Certificate$/) {c=1;} 
if ($0 !~ /^ +/ ) {c=0;} if (c==1) print $0;} ' | tr "\\n" " " | sed 's/ *//g' | 
perl sslbacklist.pl   

The contents of the Perl script is as follows

 use strict;  
 use warnings;  
 use Text::CSV;  
 use Data::Dumper;  
   
 my %bad_thumbprints;  
 my $csv = Text::CSV->new( { sep_char => ',' } );  
   
 my $file = 'sslblacklist.csv';  
   
 open( my $data, '<', $file ) or die "Could not open '$file' $!\n";  
 while ( my $line = <$data> ) {  
   chomp $line;  
   if ( $csv->parse($line) ) {  
     my @fields = $csv->fields();  
     if ( $fields[1] ) {  
       $bad_thumbprints{ $fields[1] } = $fields[2];  
     }  
   }  
   else {  
     warn "Line could not be parsed: $line\n";  
   }  
 }  
   
 my @certificates = split( /certificate\[\d+\]=/, <> );  
   
 foreach my $certificate (@certificates) {  
   unless ( $certificate eq 'Certificate' ) {  
     my $thumbprint = `echo $certificate | xxd -r -p | openssl x509 -inform der -fingerprint`;  
     $thumbprint = lc substr $thumbprint, 17, 59;  
     $thumbprint =~ s/://g;  
     if ( exists( $bad_thumbprints{$thumbprint} ) ) {  
      print  
 "ALERT: Bad Thumbprint ($thumbprint) detected indicating $bad_thumbprints{$thumbprint} malware \n";  
      } 
   }  
 }  
   

   
   

References:
Awk script came from http://serverfault.com/questions/313610/extracting-ssl-certificates-from-the-network-or-pcap-files
OpenSSL and xxd commands from http://stackoverflow.com/questions/22211140/conversion-x-509-certificate-represented-as-a-hex-string-into-pem-encoded-x-509

edit: Updated Perl script to do the awk part and other cleanup, also extracts IP addresses

 ssldump -ANn -r ssl.pcap | perl sslbacklist.pl  

 use strict;  
 use warnings;  
 use Text::CSV;  
 use Data::Dumper;  
 my %bad_thumbprints;  
 my $csv = Text::CSV->new( { sep_char => ',' } );  
 my $file = 'sslblacklist.csv';  
 open( my $data, '<', $file ) or die "Could not open '$file' $!\n";  
 while ( my $line = <$data> ) {  
   chomp $line;  
   if ( $csv->parse($line) ) {  
     my @fields = $csv->fields();  
     if ( $fields[1] ) {  
       $bad_thumbprints{ $fields[1] } = $fields[2];  
     }  
   }  
   else {  
     warn "Line could not be parsed: $line\n";  
   }  
 }  
 my $c = 0;  
 my $certificatestring;  
 my $source_ip;  
 my $dest_ip;  
 while (<>) {  
   chomp;  # strip record separator  
   if ( $_ =~  
 m/New TCP connection #\d+: (\d+\.\d+\.\d+\.\d+)\(\d+\) <-> (\d+\.\d+\.\d+\.\d+)\(\d+\)/  
    )  
   {  
     $source_ip = $1;  
     $dest_ip  = $2;  
   }  
   if ( $_ =~ /^[ ]+Certificate$/ ) {  
     $c = 1;  
   }  
   if ( $_ !~ /^ +/ ) {  
     $c = 0;  
   }  
   if ( $c == 1 ) {  
     $certificatestring = $certificatestring . $_;  
   }  
 }  
 $certificatestring =~ s/\n//g;  
 $certificatestring =~ s/ //g;  
 my @certificates = split( /certificate\[\d+\]=/, $certificatestring );  
 foreach my $certificate (@certificates) {  
   unless ( $certificate eq 'Certificate' ) {  
     my $thumbprint =  
 `echo $certificate | xxd -r -p | openssl x509 -inform der -fingerprint`;  
     $thumbprint = lc substr $thumbprint, 17, 59;  
     $thumbprint =~ s/://g;  
     if ( exists( $bad_thumbprints{$thumbprint} ) ) {  
       print  
 "ALERT: Bad Thumbprint ($thumbprint) detected indicating $bad_thumbprints{$thumbprint} malware. Source IP: $source_ip Dest IP: $dest_ip \n";  
     }  
   }  
 }  

edit 2: now works when sniffing and needs a refactor...

 sudo ssldump -ANn -i eth0 | perl sslbacklist.pl  

 use strict;  
 use warnings;  
 use Text::CSV;  
 my %bad_thumbprints;  
 my $csv = Text::CSV->new( { sep_char => ',' } );  
 my $file = 'sslblacklist.csv';  
 open( my $data, '<', $file ) or die "Could not open '$file' $!\n";  
 while ( my $line = <$data> ) {  
   chomp $line;  
   if ( $csv->parse($line) ) {  
     my @fields = $csv->fields();  
     if ( $fields[1] ) {  
       $bad_thumbprints{ $fields[1] } = $fields[2];  
     }  
   }  
   else {  
     warn "Line could not be parsed: $line\n";  
   }  
 }  
 my $c = 0;  
 my $certificatestring;  
 my $source_ip;  
 my $dest_ip;  
 my $connection_no;  
 while (<>) {  
   chomp;  # strip record separator  
   if ( $_ =~  
 m/New TCP connection #(\d+): (\d+\.\d+\.\d+\.\d+)\(\d+\) <-> (\d+\.\d+\.\d+\.\d+)\(\d+\)/  
    )  
   {  
     $connection_no = $1;  
     $source_ip   = $2;  
     $dest_ip    = $3;  
   }  
   if ( $_ =~ /^\s+Certificate\s*$/ ) {  
     $c = 1;  
   }  
   if ( $_ !~ /^ +/ ) {  
     $c = 0;  
   }  
   if ( $c == 1 ) {  
     $certificatestring = $certificatestring . $_;  
   }  
   if ( $c == 0 && $certificatestring ) {  
     $certificatestring =~ s/\n//g;  
     $certificatestring =~ s/ //g;  
     my @certificates = split( /certificate\[\d+\]=/, $certificatestring );  
     foreach my $certificate (@certificates) {  
       unless ( $certificate eq 'Certificate' ) {  
         my $thumbprint =  
 `echo $certificate | xxd -r -p | openssl x509 -inform der -fingerprint`;  
         $thumbprint = lc substr $thumbprint, 17, 59;  
         $thumbprint =~ s/://g;  
         if ( exists( $bad_thumbprints{$thumbprint} ) ) {  
           print  
 "ALERT: Bad Thumbprint ($thumbprint) detected indicating $bad_thumbprints{$thumbprint} malware. Source IP: $source_ip Dest IP: $dest_ip \n";  
         }  
       }  
     }  
     $certificatestring = "";  
   }  
 }  

There's now a github for this here

With World Cup fever sweeping most of the globe, this snippet of the Wireless SSID and password for the World Cup’s security center being accidentally exposed in the background of a media photo made me chuckle!

The fact that SCADA systems and embedded controllers are woefully insecure is hardly news to security folk. But is is always somewhat eye opening to see how some of these systems can be compromised. One of those is in this blog post from IOActive Labs that a friend sent to me, where they used remote control drones to hack the systems that send data to the  traffic control systems.
While the specific details haven't been revealed yet, IOActive did reveal the responses they received after reporting the bugs to the manufacturers including in one case where:

(T)he vendor said that since the devices were designed that way (insecure) on purpose, they were working as designed, and that customers (state/city governments) wanted the devices to work that way (insecure), so there wasn't any security issue.

Nice to know the poor security isn't an accident, it was done on purpose due to customer demands!

Not that I'm in Australia at present, but I'm keeping an eye on things at home. Here is a nice little article from CSO.com,au on the ICT Security Controls Required by the Australian Privacy Principles.

Early last year the big domestic infosec story here in Japan was a hacker who was running rings around the police, while making death and bomb threats against airlines and kindergartens.
The Police arrested several suspects - 'extracting' confessions from some of them who later turned out to be victims whose computers had been used by the the hacker via remote access.
The best part of the tale (tail?) is the hacker attached a memory card to the collar of a cat(!) and invited the press to 'play a game' by answering quizzes that led to the cat with the memory card. Possibly the first hack in history to involve a actual cat, and not just LOLcats.exe.

The police eventually captured and charged a new suspect, who is now claiming his innocence and pointing to the previous dubious police investigation (and confession extracting) as proof.

Prosecutors say they found on Katayama’s office computer, searches for the words “cat” and “Enoshima” that predate the email of riddles sent to journalists. But the defense asserts that the real suspect would've planted the searches, recalling the untraceable nature of the virus, which was dispersed widely through the popular online forum, 2channel. The defense, meanwhile, called the allegations “complete nonsense."

Did he do it? Who knows, that's for the lawyers to decide but I hope there's more to the evidence than searching for cats on the internet!

Came across this interesting article today about a new anti-forensics tool that can basically add a bunch of stuff into memory to obfuscate what an attacker has really been up to, or even plant evidence to implicate someone else! Interesting stuff, I'm looking forward to hearing more about it!

I came across this advisory today, which i believe is the result of the DDoS attacks that were launched against a number of online games platforms such as Steam and the Playstation Network over the Christmas break.

Team Cymru have s secure NTP template available for Cisco, Juniper and Unix systems, the Canadians have more information available here and CERT have some information; including how to verify if you're vulnerable; here.

明けましておめでとございます！
Happy New Year from Security-Samurai.net!

Some interesting articles that recently caught my eye on the impending changes to the Privacy Act in Australia (courtesy of itnews.com.au):

Is your IP address personal information?

The Privacy Act and the cloud

Consent and the Privacy Act in the Big Data era

Are you ready for a data request deluge?

The posts raise some interesting points (such as is your IP address or mobile phone number PII?) and highlight some of the challenges Governments now face when trying to legislate privacy today.

If true, this just leaves me speechless....