Wednesday, March 22, 2017

SMB1 is baaaaaad!

Every once in a while, something comes along in the IT world where everyone panics.  And I mean PANICS!  The latest SMB1 vulnerability is that panic generator.  It's so bad that they created 6 different CVEs to cover it.
Vulnerability title                              CVE number
Windows SMB Remote Code Execution Vulnerability  CVE-2017-0143
Windows SMB Remote Code Execution Vulnerability  CVE-2017-0144
Windows SMB Remote Code Execution Vulnerability  CVE-2017-0145
Windows SMB Remote Code Execution Vulnerability  CVE-2017-0146
Windows SMB Remote Code Execution Vulnerability  CVE-2017-0148
Supposedly this zero-day vulnerability can leak information and allow for remote code execution.

What?   Zero day??   Remote code execution? Huh?  Let me try to break this down for you and give you the "what this means to me" speech.


1.  Zero-day Exploit

This is just a highly technical term to say this vulnerability has been in place since the initial release of this code/function/feature.  For this SMB1 vulnerability, this means that the vulnerability has been in Windows since at least Windows Vista (which is the earliest version that Microsoft still supports), and could possibly even be in Windows XP, Windows 2003 and Windows 2000.  But since Microsoft no longer officially supports those Windows versions, they won't divulge that information.

2. Remote code execution

This one is a little more nebulous of a term.   Well... ok, you can execute something remotely on some machine.   Great!   I can do a "dir" on a remote machine.  Which machine?  The "server" or the "client"?  With SMB1 there is the concept of the "server", the machine serving the files, and the "client", the machine that connects to the "server" to read, change or delete those files.  These particular SMB1 vulnerabilities allow a malicious (read: highly modified) client to exploit the vulnerability to run commands on the SMB server.  This can lead to being able to download things like password databases and other mean things.

TURN OFF SMB1!

The SMB1 code is old.  Ancient in fact.  It was developed for Windows 2000.  It's inefficient, clunky and chatty.  That being said, there are still devices out there that use it and cannot use anything newer.  Network printers, Linux hosts (fairly recent ones too) and a number of embedded systems still use the old SMB1 code to communicate and cannot use the SMB2 or 3 protocol, so turning off SMB1 completely in your environment may not be possible.  What you can do in this situation is turn off the protocol on devices that do not require any SMB1 connections to them.  Microsoft has a way to do this through GPOs (Group Policy Objects).  There is a good Technet blog on this here: https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

But I have a NetApp filer and can't turn off SMB1.   What can I do?

NetApp, both 7-mode and clustered Data ONTAP, have SMB servers built in.  If you have them licensed, then you can serve Windows file shares through them.  Is it vulnerable?  Probably not.  The vulnerabilities with Windows, and specifically these SMB1 ones, are within the Windows operating system code.  Data ONTAP does not run Windows operating system code.  It has a custom-built SMB server that adheres to the protocol standards, but the source code that runs that protocol is completely different from the Windows source code, so the risk of the same vulnerability existing in two completely different implementations is almost non-existent.


How do I know if I still need SMB1??????

With devices still around that require SMB1 for their functionality to work, you need to be informed if devices are still using it.  The way the SMB dialects work, the negotiation on which version to use is basically a highest common denominator type negotiation.  When the client connects to the SMB server, the client sends all the SMB dialects it supports (SMB1, SMB2, SMB2.1, SMB3, etc).  The server then picks the highest common version.  So if a server supports SMB1, SMB2 and SMB2.1 and the client supports SMB1, SMB2, SMB2.1 and SMB3, that negotiation will result in an SMB2.1 conversation.
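As an added example (not from the original post), here is a small simulation of that highest-common-dialect negotiation, extended to answer the question this section asks: which clients would lose access entirely if SMB1 were switched off on the server. The dialect list, the server and the three client entries are constructed sample data, not output from any real filer.

```python
"""Simulate SMB dialect negotiation and list the clients that still depend on SMB1.

Added example; not from the original post. The server/client dialect lists and the
workstation names below are constructed sample data.
"""
from typing import Dict, List, Optional

# Dialects from lowest to highest; negotiation picks the highest one both sides list.
DIALECT_ORDER = ["SMB1", "SMB2", "SMB2.1", "SMB3"]


def negotiate(server_dialects: List[str], client_dialects: List[str]) -> Optional[str]:
    """Return the highest dialect offered by both sides, or None if they share none."""
    common = set(server_dialects) & set(client_dialects) & set(DIALECT_ORDER)
    if not common:
        return None  # no common dialect: the connection simply fails
    return max(common, key=DIALECT_ORDER.index)


def session_report(server_dialects: List[str], clients: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Map each client to the dialect it negotiates, like 'cifs session show' reports."""
    return {name: negotiate(server_dialects, dialects) for name, dialects in clients.items()}


def smb1_dependents(server_dialects: List[str], clients: Dict[str, List[str]]) -> List[str]:
    """Clients that would have no common dialect left if SMB1 were disabled on the server."""
    without_smb1 = [d for d in server_dialects if d != "SMB1"]
    return sorted(name for name, dialects in clients.items()
                  if negotiate(without_smb1, dialects) is None)


# Constructed sample: a filer that speaks every dialect, and three different clients.
SERVER = ["SMB1", "SMB2", "SMB2.1", "SMB3"]
CLIENTS = {
    "10.10.1.15 (network printer)": ["SMB1"],
    "10.10.1.20 (Windows 10 PC)": ["SMB1", "SMB2", "SMB2.1", "SMB3"],
    "10.10.1.30 (older Linux host)": ["SMB1", "SMB2"],
}

if __name__ == "__main__":
    for name, dialect in session_report(SERVER, CLIENTS).items():
        print(f"{name:32} -> {dialect}")
    print("Would break without SMB1:", smb1_dependents(SERVER, CLIENTS))
```

Note that the Linux host negotiates SMB1 only when nothing better is common; it keeps working after SMB1 is disabled, which is why the session listing alone overstates how many devices truly need it.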

In 7-mode, you can see which version clients have been negotiated to by running the command:

cifs sessions -p smb

Then you get the output as follows:

Server Registers as 'TOASTER' in Windows domain 'MYDOMAIN'
Root volume language is not set. Use vol lang.
Selected domain controller \\TOASTER for authentication
====================================================
PC IP(PC Name) (user) #shares #files
10.10.1.15() (MYDOMAIN\administrator - pcuser) 2 0


The above indicates that you still have a device at 10.10.1.15 running SMB1.

In cDOT, you have a similar command:

cluster::> cifs session show -protocol-version SMB1

which outputs


Node:    cluster-01
Vserver: CIFS-SVM
Connection Session                                        Open            Idle
ID         ID      Workstation      Windows User         Files            Time
---------- ------- ---------------- ---------------- --------- ---------------
4268056359 1       10.10.1.15      MYDOMAIN\                0              5s
                                    administrator


and you can tell which systems have negotiated to SMB1.

Can I firewall it?

Well....   yes....    well..... no.....   well.........

There is but one TCP port that all SMB dialects use and that is port 445.  If you block port 445 within your internal network, then absolutely no Windows File Services will be available regardless of SMB dialect.  BUT I fully suggest that at your internet connection, you block all inbound and outbound connections to port 445!  It's always smart to allow only absolutely necessary traffic in and out of your network but that's getting into a post for another time.

Thursday, March 3, 2011

Facebook https browsing can be turned off by applications.

For those of you playing along at home, we recently learned that Facebook has turned on secure browsing on its whole site.  You can accomplish this by checking the "Browse Facebook on a secure connection (https) whenever possible" box in the Account Security section of your Account settings.  Now we know that this stops local hackers from stealing information when you are connected to the network, and this prevents advanced hackers from engineering hacks that can dump your information to them.  But I found something interesting the other day while auditing my application settings.


This is not working so well.


As I went through some of my applications, I wanted to refresh my memory of why I installed some applications.  I click on the application's page in Facebook and I get a page that tells me that I need to switch back to http (non-secure) browsing in order for the application to work.  


So I play along.

Now to check the damage.   I look at the checkbox that I know I have checked previously to browse in https and it is not checked anymore!  WOW!  Facebook doesn't even let you know that this is a PERMANENT CHANGE TO YOUR ACCOUNT SETTINGS!!!!!


Just all the more reason to do what I do. 


Audit your applications!
Go through your list of applications every once in a while to make sure that nothing has crept in there that you don't want.  If that has happened, immediately remove the app from your profile.
Audit your settings!
The same should apply for your settings.  Go through your settings every so often to ensure that what you have set in the past is still applied.

As always, remember that in the end no one is responsible for your information but yourself.  Always check and double check to make sure your information is as private as you want it to be.

Monday, February 28, 2011

Facebook security http vs. https questions answered

There's been a lot of talk on Facebook lately about http and https and how to change it.  Do any of the folks touting this woebegone actually understand what is going on here?  Do YOU know what the difference between http and https is?  Let me try to explain.

When a web browser tries to get to a web site, there is a conversation that happens in the network between the browser and the web server.  Basically your browser gives the web server a bunch of information about itself and then asks the web server to transmit back the page it's requesting.  When your browser address bar has http:// in front of the web server, this happens in "plain text".  This means that anyone that can see the network traffic between your web browser and the web server can read in plain words what is going on in that conversation.  When you are writing an email, writing a Facebook status update, filling in a form on a website, writing a Facebook message, or sending ANY data to a web site, anyone can read that data that really wants to.  Now, this can happen only at the time that you hit save, send, login, update, or any other button that uploads the information.  As soon as the information is uploaded, that's it.  No one else, besides the folks you sent it to, can read that data.

Now, when your browser address bar has an https:// in front of the web server name, then the conversation is a little more involved.  First your browser asks the server for its "keys", the server certificate, and then goes out to a certificate authority (such as Verisign, Microsoft, or others) and makes sure the server is who you think it is.  Then your browser takes the "keys", looks at its own "key" and creates an encryption "key" that will scramble the data that is sent back and forth.  The server then looks at that key and makes sure everything is OK.  Then all data back and forth from the server to the browser is sent coded with the "key".  If someone were to look at that conversation in the network, it would look like gobbledygook to them.
This is the preferred way to log into web sites (since you don't want to send your password over the network so that anyone can read it), send emails, Facebook messages, web site forms, etc, etc, etc so that no one can read the information you are transmitting.

Why is everyone worried about this right now?  Because of Facebook "hacking"?  Will this prevent this???

NO!!!

There are very few opportunities to do this type of hacking. The first is an open WiFi network.  Open means that you have to do nothing to connect to it besides hit the button on your computer or phone that says "Connect".  If you did that, and I did the same thing, I can run a program in the network and listen to everything your computer/phone is saying out on the internet.  If you connect to a WiFi that is password protected, then I can't listen in because the WiFi network does basically the same as the web server in the https:// scenario.

The other two opportunities I have to do this is to send you a bogus email with a link to Facebook that looks like Facebook, but really is my bogus server where you put your information in.  Then my server records that information and sends you on to Facebook so you don't suspect anything.  The last one is that I need to hack into the internet.  This is a little more difficult since I will need to get into network devices owned by AT&T, MCI, Sprint, etc.  Not that easy.

Although this is always good practice to make sure that whenever you are sending private information to a web server, that you ensure https:// is in the address bar, this is not how many of the email and Facebook scams are getting your passwords.  They are getting it by "brute force".  Basically, they are just trying a bunch of passwords and getting a success because yours is easy to guess.  (and don't think you're being clever by using P@55w0rd).

Thursday, February 18, 2010

Over 75,000 systems compromised in cyberattack

via computerworld.com

Security researchers at Herndon, Va.-based NetWitness Corp. have unearthed a massive botnet affecting at least 75,000 computers at 2,500 companies and government agencies worldwide.
The Kneber botnet, named for the username linking the affected machines worldwide, has been used to gather login credentials to online financial systems, social networking sites and e-mail systems for the past 18 months, according to NetWitness.
A 75GB cache of stolen data discovered by NetWitness included 68,000 corporate login credentials, login data for user accounts at Facebook, Yahoo and Hotmail, 2,000 SSL certificate files and a large amount of highly detailed "dossier-level" identity information. In addition, systems compromised by the botnet also give attackers remote access inside the compromised network, the company said.



Saturday, February 13, 2010

Passwords make a difference in keeping your accounts safe from hackers

Lately I've had an influx of people that have had their Facebook, Gmail, Yahoo and other accounts hacked only for someone in Nigeria to ask me to wire them money.  Do they really think that I am going to wire $2000 to someone I have just reconnected with?  No.  What I usually do is throw in a stumper in the chat.  Something the hacker won't have a clue about.  Not something that is true, but something that is false, because the hacker will agree.  The other day someone asked me to wire them $3500 to London.  Now I haven't seen or heard from this guy since 8th grade, so the fact that he's asking for money is already throwing up red flags, but I go with it.  Then I ask "How's my best UVA roommate doing?"  He answers: "I could really use the help."  Now, I know he went to Virginia Tech and saying he went to UVA would be like branding him with red hot pokers.  Furthermore, we did not even go to school together so being roommates was definitely not the truth.  At that point I knew his account was hacked.


How did his account get hacked?  Every account you open up on the internet requires a password.  It's the old daunting "what password can I make up today" scenario.  Most of us have one password that we use over, and over, and over, and over, well.... you get the point.  How secure is that password?  Can I guess it?  Is it a variation of your username, real name, wife/girlfriend's name, kids' name, dog's name?  I can guess those.  Most of the time, the hackers run programs that just try a bunch of passwords in a list.  This is what I call the "well known passwords and variations" list.  Do you really think that Pa55w0rd is a unique password you thought up and was cool?  No.  As soon as they get one password, they look for other accounts.  They then try the same password on the other accounts.  Once they have your email account, watch out, because they can reset passwords on just about any other account on the internet you created with that email address.
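To show why Pa55w0rd (and the P@55w0rd from the Feb 28, 2011 post above) is not clever, here is an added example, not from the original post, of the kind of check a signup form could run before accepting a password: it undoes the usual character substitutions and drops the trailing digits, then compares the result against a list of well known words and against personal words a guesser could look up. The substitution map and the tiny word list are constructed for illustration.

```python
"""Flag passwords that are just a well known word with substitutions or a personal word.

Added example; not from the original post. LEET_MAP and COMMON_WORDS are
constructed stand-ins; a real check would use a breach corpus as the word list.
"""
import re
from typing import Iterable, Optional

# Substitutions that "well known passwords and variations" lists routinely undo.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t"})

# Tiny stand-in for a well known passwords list.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "football", "monkey"}


def normalize(password: str) -> str:
    """Lowercase, drop trailing digits/symbols (Password123!), then undo leetspeak (P@55w0rd)."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET_MAP)


def weak_reason(password: str, personal_words: Iterable[str] = ()) -> Optional[str]:
    """Explain why the password is guessable, or return None if these checks pass.

    personal_words: things a guesser could look up (username, real name, pet, kids).
    """
    base = normalize(password)
    if base in COMMON_WORDS:
        return f"variation of well known password '{base}'"
    for word in personal_words:
        w = normalize(word)
        if len(w) >= 3 and w in base:
            return f"contains personal word '{word}'"
    return None


if __name__ == "__main__":
    # Constructed candidates; 'rex' stands in for a dog's name a guesser could find.
    for candidate in ["P@55w0rd", "Pa55w0rd123!", "Rex2010!", "c9Tq#v8LmZ2p"]:
        print(f"{candidate:16} -> {weak_reason(candidate, personal_words=['rex'])}")
```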


So, you ask, what is the casual, non-geeky internet user to do?  


Build a better password.  There are plenty of random password generators out there so use one.  When you register for a site, make sure that the password is random.  Now, you ask, how do I keep track of all these passwords?  I don't want to have to remember a different gobbledygook password for each site.  Well here's where technology comes into play.  In your browser, you have the option to save the password for each site.  Use that.  Many security experts say not to use it, but I say go for it.  There are only two scenarios where this poses a risk and those are when your computer gets physically stolen or totally hacked into.  I'll put up another blog post about securing your computer so that nothing can get accessed when it gets stolen, and someone trying to hack into YOUR computer doesn't really happen much anymore.  You can secure your computer against that with good anti-virus, anti-spyware/malware and a decent firewall.
If that doesn't tickle your fancy, you can use a password manager.  This is a program that you install on your computer that keeps track of all your passwords for the different sites.  Some can even automatically log you in or copy & paste your password onto the webpage.  My personal favorite is KeePass Password Safe (http://keepass.info).  This password manager will not only keep your passwords, but will automatically generate a new random password for you every time you create a new site.  The second bonus: it's FREE.


Give better answers.  Many of the sites ask you some "challenge questions".  "What's your mother's maiden name?" or "What city were you born in?" are the most common.  These are also easily guessed.  I can research the 'net and find out where you were born or what your mother's maiden name is without even having access to anything but your full name.  Here is what I like to do.  Make up your own and rotate the answers.  Put together a decoder key of sorts.  Every time a site asks for your mother's maiden name, put in your birthplace, or your first pet's name, or the street you grew up on, or even better some nonsensical answer.  Just make sure you have a good decoder sheet for it.  You can also use the KeePass Password Safe to manage this since each site has a "notes" section.  In here you can put in the challenge question and how you answered it.


Stay safe out there on the 'net.  It's powerful, fun, entertaining, and dangerous.  When you put a lock on your house, you use a unique key that's hard to guess what the ridges look like.  You don't use one that has no ridges or only one.  Do the same for your online "house".  Use a good key to lock it all up.

Thursday, January 14, 2010

Google Turns on Gmail Encryption to Protect Wi-Fi Users

via Wired.com

Google is now encrypting all Gmail traffic from its servers to its users in a bid to foil sniffers who sit in cafes, eavesdropping in on traffic passing by, the company announced Wednesday.
The change comes just a day after the company announced it might pull its offices from China after discovering concerted attempts to break into Gmail accounts of human rights activists. The switch to always-on HTTPS adds more security, but does not help prevent the kind of attacks Google announced Tuesday.
All Gmail users will now default to using HTTPS, the secure, encrypted method for communicating with a remote server, for their entire e-mail sessions, not just for log-in. Session-long HTTPS has been an official option for Gmail users since 2008 (and unofficial for much longer), but Google says it hesitated turning it on for all since the encryption does slow down the service.
“Over the last few months, we’ve been researching the security/latency tradeoff and decided that turning https on for everyone was the right thing to do,” Gmail Engineering Director Sam Schillace wrote in the Gmail blog.
This option often wasn’t necessary when people used fixed and trusted connections, such as their home or office DSL or cable lines. But as Wi-Fi connections, especially public ones, became more popular, hackers began using simple sniffing software to snoop on people’s online activities with the goal of stealing passwords.
Still, the switch doesn’t encrypt e-mail — it simply encrypts the communications in transit between Google’s servers and a user’s computer — the same as when you use your bank’s website. E-mails sent to other people are transmitted in the clear as they have always been. True encrypted e-mail can only be read by the sender and receiver, regardless of how they move across the internet.
For those whose schools or workplaces that routinely monitor employee or student internet usage, the change also shields their e-mails from the IT department.
A coalition of privacy and security experts called on Google publicly to make the change last June, saying that Google was putting millions of people at risk by not using encryption as the default for their so-called cloud computing services.
Users who find the service slows them down or determine that it’s overkill for their needs can turn the HTTPS off in their account settings.
Rival free e-mail from Yahoo and Microsoft do not use HTTPS throughout their sessions, nor do social networking sites or other so-called cloud-computing services.
Instead, most of those services use the secure “HTTPS” protocol only for logging in, and fall back to unencrypted browsing thereafter. Failing to use HTTPS full time increases one’s vulnerability to a host of nasty hack attacks when using an open or badly secured network, particularly a public Wi-Fi spot.


Tuesday, January 12, 2010

Another new year and a new focus

So I've had 1 post in the last year.  That's really pathetic.  After looking at the last year or two in happenings and other things, I will post some hints and tips on personal technology and security.  There have been a few friends that have had their Yahoo, Facebook, GMail, and other online accounts hacked.  The worst thing is that the hacker is exploiting the relationship that person has with their friends/followers/contacts to extort money or other things.  Let's see how this goes.