!Permit HTTP port 80 traffic
access-list 102 deny tcp any any eq 80
access-list 102 permit tcp any {proxy address} eq 80

!Permit HTTPS port 443 traffic
access-list 102 deny tcp any any eq 443
access-list 102 permit tcp any {proxy address} eq 443

Deny WAN DNS to all systems except DNS server:

access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!— insert any other previously applied ACL entries here
!— you must permit other protocols through to allow normal
!— traffic — previously defined permit lists will work
!— or you may use the permit ip any any shown here
access-list 101 permit ip any any

Does “IP helper-address” help to much?

! We want this protocol.
ip forward-protocol udp bootpc
!
! We don’t want these.
no ip forward-protocol udp biff
no ip forward-protocol udp bootps
no ip forward-protocol udp discard
no ip forward-protocol udp dnsix
no ip forward-protocol udp domain
no ip forward-protocol udp echo
no ip forward-protocol udp isakmp
no ip forward-protocol udp mobile-ip
no ip forward-protocol udp nameserver
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-ss
no ip forward-protocol udp non500-isakmp
no ip forward-protocol udp ntp
no ip forward-protocol udp pim-auto-rp
no ip forward-protocol udp rip
no ip forward-protocol udp snmp
no ip forward-protocol udp snmptrap
no ip forward-protocol udp sunrpc
no ip forward-protocol udp syslog
no ip forward-protocol udp tacacs
no ip forward-protocol udp talk
no ip forward-protocol udp tftp
no ip forward-protocol udp time
no ip forward-protocol udp who
no ip forward-protocol udp xdmcp

Multi-Stage, evolving, silent…

It seems to always come from drive-by attacks and silently waits for the C&C to provide instructions…

I drops onto the system and creates a number of registry keys with difficult to anticipate keys, and files with semi random names. That can make it hard to find, but the one key you can count on appearing is,

– HKCU\Software\Microsoft\Internet Explorer\Settings\Gateslist

The most important thing you can do to prevent the spread of Clampi/Ilomo once it is on your network is to do no work with Domain Administrator privileges. One of the most dangerous aspects of Clampi/Ilomo is its ability to log user credentials and use them to spread across your network using legitimate tools like PSEXEC.

@echo off && reg query HKCU\Software\Microsoft\Internet Explorer\Settings\Gateslist /s || echo Does not Exist!!!!

Ilomo Botnet analyzation by TrendMicro

Insert Loads of Text Here :)

Thank you ahead of time.

[See post to watch Video]
Video not found!

Thats right we are trying for less then 0.8 seconds of down time per day.

Lets face it customers don’t care if its your fault that they cant reach you… they just cant reach you… They dont know if its your server or a router or your firewall or your internet WAN provider… all that they see is a service that cannot be connected to…

So…

Lets make some assumptions, average ping 50ms, from anywhere to anywhere, thats a 16 packet window… if only one user was utilizing the “stream”… thats insane… how do you guaranty that you wont lose 16 packets. Now I know any Company that thinks it needs a 5 9 service is going to have more then ONE user at a time…

So maybe 16 packets is so small that customers wont notice… but it still happened… and you’ve already blown your 9’s…

To often small and medium companies focus on making sure that their back end and servers have the 9’s but forget to factor in the rest of the world, the tubes that connect us all are not under our control… accidents and congestion happens… (occasionally black holes appear the suck up all the traffic from Youtube). Unless you’ve got the power and cash of Google your never gonna reach more then 3 9’s… if you’re moving a Million USD a minute then maybe you have a business case…

Downtime is never acceptable… but ask your self can you afford to be truly dressed to the 9’s?

I’m sorry this is such a stream of consciousness.

I welcome your comments, your ideas, please let me know what you think in the comments below.

I am a Security consultant. In the last two weeks I conducted my first official incident response and policy gap analysis. It wasn’t a glamourous pen testing gig, nor was it something worthy of bragging about, but it was a most excellent opportunity. During the time I was conducting these contracts I was offered a pretty decent desk job. The job presented its own opportunities, but I just couldn’t bring myself to accept it. It wasn’t what I truly wanted. I am still finding my niche in the security field, but I know Im not built to do the same job day in and out.

I look forward to future contracts, and the challenges that will come my way. A short post, but maybe someday my Path will inspire someone else.

Most netbooks feature a SD card slot that can be booted from… why not load an OS onto the SD card that is tweaked for both the boot camp/fusion/parallels environment and the native netbook. Then you can take the netbook for IR and such… collect your data… and then easily come back to a more powerful rig for analysis.

Also with the ease of swapping SD cards you can keep different responses separate and cataloged for future review…

Its all just floating in my head… but more will come of this…

Let me know what you think in the comments.

Threats and vulnerabilities do not seem to be categorized the same way. LOW, MEDIUM, HIGH… RED, YELLOW, GREEN… It doesn’t mean anything. Threats should be categorized and ranked based on the ease of exploit, the level of automation available, and the ease of remediation.

And thats where HELL comes in…

Nine Levels with the center being the dreaded 0-day… with limbo or level 1 populated by 100% automated attacks… things “script kiddies” use and should always be plugged because its super easy. Each level gets harder. Each level of attack requires a increasing level of skill to accomplish, but can also have a higher degree of remediation. I propose such a scale due to the complaints Ive seen, and heard about some testers ignoring “script kiddie” stuff, or claiming “you don’t test for that, because anyone can do it”… But thats the point… If any one can do it you need to fix it first, you need to fix it faster, and then you get to move onto the “l33t” hacks. 30 minutes to hack with a super “l33t” 0-day or 5 minutes with a script…

Its Up to us the InfoSec community to make these issues meaningful to the suits and systems admins we work with. Its our JOB to do the basic’s, because there are plenty of people who will try the basic’s on us.

The time taken by Fyodor to write not only a technical repository, but a instructional tool is amazing. Chapters on the history of NMAP, legal view points to be aware of, and not only how to use NMAP for discovery, but why this is useful. This amazing tome of information could never be called complete due to the ever changing nature of the open source software its based on, but its more then most will ever need.

NMAP Network Scanning has earned a place on the “books on my desk” shelf. It’s not just a must read, it’s a must OWN.

 

#!/bin/sh
####################################################
# Pre-Stage Script.
# Written by Richard Baker on 08/12/08
# 
#
# To add Installers Reference Section 9
#   Packages use – installer -pkg [./path/file] -target /
#   External scripts – sudo [./path/file]
#
# Installers are run in order.
# 
#
#############################################################
#

#
#############################################################
# Section 1. Menu Screen
#############################################################
#
clear

echo “Welcome to the ODIN Q39 Installation script.”
echo “”
echo “This script will:”
echo ” – Set the computer name”
echo ” – Configure Network settings”
echo ” – Enable Remote Login (SSH)”
echo ” – Enable Screen Saver/Sleep Password”
echo ” – Enable Secure Virtual Memory (will require admin password)”
echo ” – Enable Require Password for System Preferences”
echo ” – Optional VPN Install”
echo ” – Install and configure Tivoli”
echo ” – Install ARC software payload”
echo ” – Begin Apple Software Update (will run 2 passes)”
echo ” – Display HW MAC address”
read -p ‘Do you want to continue? [y=yes] : ‘ inputstart

if [[ $inputstart != "y" ]]
then
exit 0
fi

#
#############################################################
# Section 2. Set ECN variable
#############################################################
#

clear
read -p ‘Please Input the correct ECN and press enter  : ‘ inputecn

#
#############################################################
# Section 3. Set Backup Server Options (This Section moved to installer calls)
#############################################################
#

#
#############################################################
# Section 4. Set Network variables
#############################################################
#

read -p ‘Please Input Network Information [IP Address] : ‘ inputtcp
read -p ‘                                [Subnet Mask] : ‘ inputsubnet
read -p ‘                                    [Gateway] : ‘ inputgateway
echo “”
echo “Installing Optional Software”
echo “”
read -p ‘Would you like to Install Cisco VPN   [y=yes] : ‘ inputcisco

#
#############################################################
# End Variable enty.  Below is running code.
#############################################################
#

#
#############################################################
#

#
#############################################################
# Setting Time Zone
#############################################################
#

echo “Setting Time Zone.”
sudo systemsetup -settimezone America/Los_Angeles

#
#############################################################
# Setting IP Address
#############################################################
#

echo “Setting IP address”
/usr/sbin/networksetup -setmanual “Built-In Ethernet” $inputtcp $inputsubnet $inputgateway

echo “Setting DNS server”
/usr/sbin/networksetup -setdnsservers “Built-In Ethernet” XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX

echo “Setting search domains”
/usr/sbin/networksetup -setsearchdomains “Built-In Ethernet” foo.bar.com

#
#############################################################
# Bind to Open Directory (For Future Use)
#############################################################
#

##(
### Edit this line to Correct server
##odmaster=”stfumac.foo.bar.com”
##
##/usr/sbin/dsconfigldap -a $odmaster
##/usr/bin/dscl localhost -create /Search SearchPolicy dsAttrTypeStandard:CSPSearchPath
##/usr/bin/dscl localhost -merge /Search CSPSSearchPath /LDAPv3/$odmaster
##/usr/bin/dscl localhost -create /Contact SearchPolicy dsAttrTypeStandard:CSPSSearchPath
##/usr/bin/dscl localhost -merge /Contact CSPSSearchPath /LDAPv3/$odmaster
##)

#
#############################################################
# Bind To Active Directory (For Future Use)
#############################################################
#

### Please Make sure System name is less than 15 caracters.
##(
### Edit below line for AD server
##adserver=”foo.bar.com”
##
##/usr/sbin/dsconfigad -f -a odin$inputecn -domain Foo.bar.com -ou FooMAC
##)

#
#############################################################
# Change Update server (For Future Use)
#############################################################
#

## Writes system wide for GUI tool
#sudo defualts write /Library/Preferences/com.apple.SoftwareUpdate <URL>
## Writes pref root user, ’softwareupdate’ will access specified
#sudo defualts write com.apple.SoftwareUpdate <URL>

#
#############################################################
# Enable System preferences
#############################################################
#

echo “Setting Remote Login”
systemsetup -setremotelogin on
echo “Setting Screensaver Timer.”
defaults -currentHost write com.apple.screensaver idleTime 900
echo “Disabling Automatic Software Updates.”
sudo software –schedule off
echo “Killing Time Machine NagScreen”
defualts write com.apple.TimeMachine DoNotOfferNewDisksForBackup -bool YES
echo “Applying Security settings.”
#Below is a Shell run applescript please do not modify
(
sudo touch /private/var/db/.AccessibilityAPIEnabled
exec osascript <<\EOF
tell application "System Events"
 tell security preferences
  get properties
   --> returns: {require password to wake:false, class:security preferences object, secure virtual memory:false, require password to unlock:false, automatic login:false, log out when inactive:false, log out when inactive interval:60}

 set properties to {require password to wake:true, secure virtual memory:true, require password to unlock:true, automatic login:false, log out when inactive:false, log out when inactive interval:60}

 end tell
end tell
EOF
)

#
#############################################################
# Toggle Bluetooth sharing
#############################################################
#
echo “Disabling Blutooth Sharing.”
(
exec osascript <<\EOF
tell application "System Preferences" to set current pane to pane "com.apple.preferences.sharing"
tell application "System Events" to tell process "System Preferences"
click checkbox 1 of row 11 of table 1 of scroll area 1 of group 1 of window "Sharing"
delay 1
if (exists sheet 1 of window "Sharing") then
click button "Start" of sheet 1 of window "Sharing"
end if
end tell

ignoring application responses
tell application "System Preferences" to quit
end ignoring
EOF
)

#
#############################################################
# Setting Hot Corners
#############################################################
#

echo "Clearing Hot Corners."
(
exec osascript <<\EOF
tell application "System Events"
 tell expose preferences
  ##SCREEN CORNERS (top right screen corner, bottom left screen corner, bottom right screen corner, top right screen corner)
  ##get the properties of the top right screen corner ---> returns: {activity:none, class:screen corner, modifiers:{command}}
  set properties of the top right screen corner to {activity:none, modifiers:{command}}
  set properties of the top left screen corner to {activity:none, modifiers:{command}}
  set properties of the bottom right screen corner to {activity:none, modifiers:{command}}
  set properties of the bottom left screen corner to {activity:none, modifiers:{command}}
 end tell
end tell

EOF
)

#
#############################################################
# Setting Computer Name
#############################################################
#

echo "Setting computer name"
/bin/hostname $inputecn
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setcomputername  $inputecn
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/networksetup -setcomputername $inputecn
scutil --set ComputerName $inputecn
scutil --set HostName $inputecn
scutil --set LocalHostName $inputecn

#
#############################################################
# Call to Backup script.
#############################################################
#

sudo ./Installers/XXbackupsoftwareXX/InstallScript.sh

#
#############################################################
# Optional Package Installs
#############################################################
#

if [[ $inputcisco = "y" ]]
then
    installer -pkg ./Installers/Cisco/"Cisco VPN Client.mpkg" -target /
    cp ./Installers/Cisco/Profiles/ACME.pcf /etc/opt/cisco-vpnclient/Profiles/ACME.pcf

fi

#
#############################################################
# Package Installers
#############################################################
#

## See Top of script for formating additional installers 

#
#############################################################
# Starting Software Update (two passes)
#############################################################
#

clear
echo "Starting Software Update"
echo ""
echo "First Pass"
echo ""
sudo softwareupdate -l -d -i -a
echo ""
echo ""
echo "Second Pass"
sudo softwareupdate -l -d -i -a
 
#
#############################################################
# Post install Information
#############################################################
#

clear
echo "This"
echo "Pre-Stage"
echo "is"
echo "FINISHED"

say "This System is ready to deploy"
echo ""
echo ""
echo "Remember to write down the HW MAC address."
ifconfig en0 | grep ether
echo ""
echo ""
echo ""
read -p 'Would you like to restart the system? [y=yes] ' inputrestart
if [[ $inputrestart != "y" ]]
then
exit 0
fi
shutdown -r now

 

Documentation

Most boss’ love metrics… TCO… ROI… Six Sigma CTQ’s… but how does IT fit in. In most cases ITIL is exactly what your looking for. “The Information Technology Infrastructure Library (ITIL) is a set of concepts and policies for managing information technology (IT) infrastructure, development and operations. (LINK)”

Unfortunately ITIL is also a beast. So how would you like 4 easy steps to get better then 90% of what ITIL is… well “The Visible OPS Handbook: Implementing ITIL in 4 Practical and Auditable Steps” Is exactly what your looking for. Wash, Rinse, Repeat, Condition… It is almost that easy. While following the four phase’ described you will build change management, normalized configurations, standard builds and make it easier to improve. The whole time you make you life easier and set yourself up to start baking security in from the beginning.

With process comes results. With results come numbers. With numbers you can give your boss solid metrics on how things work, and help prove you deserve that raise.