Saw this article on e-week. I suspect it's mostly FUD, but just so everyone's aware and keeping an eye out for suspicious activity.
E-Week Article
Hey Hey,
Considering this was a privately found exploit by a company that I really couldn't see releasing the technical details, this seems pretty fast to have a live exploit already... then again... there are a lot of people out there with nothing better to do..
The scary part is the fact that this is a pre-auth problem, so anyone can exploit it.
I'd be more inclined to think that this was the result of the recent release of an exploit for MS05-011, which also targets SMB... It's quite possible that they're seeing the increase of traffic from this new toy and, because of the recent announcement of MS05-027, it's being interpreted as an exploit for it..
I guess only time will tell... but if it is live already, I'd appreciate any information anyone has on it.. There has been a thread regarding this exploit on GSO and the most popular opinion is that it'll be Worm time again... and I could see it happening, so when the exploit is released it'd be nice to have a bit of a heads up to start watching for the worm...
Anyways... thanks for the article
Peace,
HT
Actually the bigger problem is that while the company found the exploit they were probably not the first person to find it. The problem comes right there because the first, (few), people to find it probably used it - for a while - and didn't tell anyone.
Quote:
Considering this was a privately found exploit by a company that I really couldn't see releasing the technical details, this seems pretty fast to have a live exploit already... then again... there's a lot of people out there with nothing better to do..
The "quiet" crackers have their "private" 0 days that they use at will and often for profit. Their biggest fear for their private 0 days is someone with ethics finding them and publicising them so that they are patched against. Once that happens some will publish for "props" in the community... Might as well get one last "gasp" out of their work I suppose.... :rolleyes:
All you need is the patch itself. It provides a perfect roadmap to the vulnerable code; once the patch is out, exploits are right behind it.
-Maestr0
According to the SANS Internet Storm Center, it looks like it's most likely an exploit for MS05-011, since that was released yesterday. Everyone should be patched against that (right?), so it's less of a concern than if it's -027.
Except NT machines are potentially vulnerable (again).
That particular exploit indicated that it was for Windows 2000 - it didn't mention XP. Since I guess most Windows 2000 clients are sitting behind corporate firewalls, then that would limit its use somewhat.
Still.. keep auditing and patching, eh?
Patching, as always.
And how many times have we all been bitten by a small hole (such as VPN) in our corporate perimeter being used as an infection vector to compromise all of our unpatched PCs?
Found this, thought it underscored my point perfectly.
http://www.sabre-security.com/produc...ndiff_png.html
-Maestr0
Hi,
Quote:
Originally posted here by Timmy77
I suspect it's mostly FUD, but just so everyone's aware and keeping an eye out for suspicious activity.
Pretty much is FUD! SMB is designed for sharing resources on a LAN and I can't think of any reason why you would want to open it up at the firewall. If you have left it open, you are already owned :eek: and should be spending time drawing up your CV rather than trying to block the gaping mousehole you have left in your system.
Port scanning is just foo you have to deal with, and if you have detected it increasing then whoever's smurfing you out doesn't know diddly from squat, so you are probably ok. It's the ones you don't detect you have to worry about.
But even if you block SMB ports on the firewall (which I have to admit you would be STUPID not to do), all it takes is one user who gets his laptop 0wned while on the internet at home to bring it into the office and you are comprehensively stuffed.
We are also seeing viruses now that drop an LSASS or DCOM worm behind the firewall after being delivered by email, so it's possible that any publicly available exploit could be delivered in that way.
It's not just MS05-027 that is a risk (although it's the biggest risk) as there are a whole batch of holes announced so far this year that are worrying.
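As an added example (not from this thread or any poster), here is a small Python check a firewall admin could run over perimeter logs to see two things the post above cares about: which outside sources are sweeping the LAN for SMB (ports 139/445), and whether any external host was ever ACCEPTed to those ports, meaning the block rule is missing. The iptables-style log lines, the IP addresses and the internal prefix are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (iptables LOG-target style); not real traffic.
SAMPLE_LOG = """\
Jun 14 10:01:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4421 DPT=445
Jun 14 10:01:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=4422 DPT=445
Jun 14 10:01:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=4423 DPT=139
Jun 14 10:01:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.13 PROTO=TCP SPT=4424 DPT=445
Jun 14 10:01:05 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=445
Jun 14 10:01:09 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=80
Jun 14 10:02:00 fw kernel: ACCEPT IN=eth1 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=3000 DPT=445
Jun 14 10:02:30 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=6000 DPT=445
"""

SMB_PORTS = {139, 445}
LINE_RE = re.compile(
    r"(?P<action>DROP|ACCEPT) IN=\S+ SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse(log):
    """Yield (action, src, dst, dport) for every TCP line the regex recognises."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["action"], m["src"], m["dst"], int(m["dpt"])


def smb_sweeps(log, min_hosts=3):
    """Sources whose dropped SMB probes touched at least min_hosts distinct internal hosts.

    A single blocked probe is background noise; one source walking many hosts on
    139/445 is the scanning increase the thread is talking about."""
    targets = defaultdict(set)
    for action, src, dst, dpt in parse(log):
        if action == "DROP" and dpt in SMB_PORTS:
            targets[src].add(dst)
    return {src: sorted(hosts) for src, hosts in targets.items() if len(hosts) >= min_hosts}


def accepted_smb_from_outside(log, internal_prefix="192.0.2."):
    """(src, dst, dport) for SMB connections the firewall let through from non-LAN sources.

    Any hit here means 139/445 is reachable from the outside, which is exactly the
    misconfiguration the post says you should never have."""
    return [
        (src, dst, dpt)
        for action, src, dst, dpt in parse(log)
        if action == "ACCEPT" and dpt in SMB_PORTS and not src.startswith(internal_prefix)
    ]
```

With the constructed log, 203.0.113.7 is reported as a sweep (four hosts), 198.51.100.9 is not (one SMB probe), and the single ACCEPT from 203.0.113.99 is flagged as an exposed SMB port.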
Hi
This is the problem about considering any security countermeasures in isolation. Clearly, it is never enough to block at the firewall, although the context implied that script kiddies were increasing their scanning and enumeration attempts ex perimeter and the stupidity would indeed be not to both block and stealth the port.
Dealing with any vulnerability requires:
1. Keeping your patching up to date
2. Keeping all your signature files up to date (anti virus, anti spam, content filtering etc)
3. You also need a solidly worded and technologically enforced home/location independent user policy which dictates exactly how users should use their laptops and as far as possible enforces this. e.g. childlock software to prevent them downloading or installing software, regular checks of Internet access records and email usage etc, regular antivirus updates, use good ISP (i.e. one who cares about security)
4. User awareness is equally important. Users should delete all suspicious email and attachments including from known contacts (if necessary, ring to check if the email was intended to be sent).
5. Emails should be plain text not html and active code should not be enabled to run from your email system. This prevents accidental or ignorant clicking on embedded links such as .stm extensions currently being passed around by phishing attacks. It also cuts out a lot of spoofing *** phishing attacks.
6. I would also suggest (if you are really serious about security) a 'friends only' email policy where only people whose email address you include on your system can send you mail and no one else can (it gets auto deleted as soon as it arrives). Apart from anything else, your productivity goes sky high as people are forced to phone you up or come and see you and you can deal with any problems/issues then and there. It also avoids emails piling up over the holiday period. :cool:
7. If you can afford it (big organisation), go for the self repairing network solutions where the network detects, stops and alerts at any anomalous behaviour. Alright normally it's just a wonky network card but better finding that out than losing your entire corporation's network to some S***OL%. The scary thing is not hackers with no stake in society, it's those with a wife, kids, mortgage and college fees.
@-hacker POV :lildevil:
1. Scanning should not be noticeable and should do as much as possible in one pass without being intrusive
- Stealth mode eg. netcat -t0 -s -v -O is obviously preferable if boring than an all out syn syn/ack ack straight run up the non standard ports which just stands out like a Christmas tree (if you'll forgive the pun intended).
2. Deniability is everything. Better to own some zombies and scan from them than scan direct. Also hide the backward path in your socks.
3. Scans should be multivector (don't just rely on SYNs or UDP) although most packages now use a variety of methods.
4. De-pattern the scans. Fragmentation (teardrop) and frame overlapping helps especially when firewalking but really your scans should look like a user trying, trying again then walking away to get some coffee and then trying again a few hours later.
5. And always remember the key words - preparation, preparation, preparation. Good boy scouts go scouting first and scanning afterwards. An ounce of reconnaissance is worth a week of enumeration. Corporations just leave information hanging around all willy nilly and sometimes you don't even need to be on their network to get what you want. I found this information on their public web server is a perfect defence.
6. Scanning for just the latest vulnerability opportunities is silly. Be systematic. It's unbelievable how much catch up sysadmins fail to do. Or oops they forgot to patch up to date a server they have just re-ghosted and guess who's just opened up a minor port or two on the firewall for a new application (like media streaming :D ) at management behest without telling the security manager.