Test your Bash Shell

How to test for a vulnerable Bash shell:

Execute the following:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

on the command line. If it comes back with

 vulnerable
 this is a test

then the system is vulnerable.

If the system returns:

 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test

Then you are safe.

Like on my system in this example.
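The check above can be scripted so the verdict does not depend on reading the output by eye. This is an added example, not part of the original post: the function names and the list of Bash paths are assumptions, and the test command is the one shown above. An affected Bash runs the injected `echo` and prints the word "vulnerable" on its own line before the test line.

```shell
#!/bin/sh
# classify_output: read the combined stdout/stderr of the test command on
# stdin and print one verdict: vulnerable, not vulnerable, or inconclusive.
classify_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        # The injected command ran: its marker word is a line of its own.
        echo "vulnerable"
    elif printf '%s\n' "$out" | grep -qx 'this is a test'; then
        # Bash ran the intended command only (with or without warnings).
        echo "not vulnerable"
    else
        # The test line never appeared, so bash did not run: nothing is proven.
        echo "inconclusive"
    fi
}

# check_bash: run the test command against one bash binary (path in $1).
check_bash() {
    bash_bin=$1
    if [ ! -x "$bash_bin" ]; then
        echo "inconclusive"
        return 0
    fi
    env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>&1 \
        | classify_output
}

# check_all: test every bash found in a few usual locations (assumed paths),
# because a host can carry more than one copy of the shell.
check_all() {
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        if [ -e "$b" ]; then
            printf '%s: %s\n' "$b" "$(check_bash "$b")"
        fi
    done
    return 0
}

check_all
```

An "inconclusive" result means the binary could not be executed, which is different from passing the test.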

 

From Red Hat Security Blog: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

 

Contact me at 314-504-3974 (Tony Zafiropoulos) if you need help deciphering this issue, or use the Contact Us page.

 

 

New Red Hat announcement at https://access.redhat.com/announcements/1210053 regarding all 6 Bash Shellcode CVEs.

 

————————-

Who to trust to “hack your systems”?

TaoSecurity has an interesting post.

Is your network a jumble of wires and network equipment but not yet ordered?

Hiring a 19 year old hacker without an Associates degree and some hacking knowledge does not make a secure corporate environment.

The statement by blogger Richard Bejtlich:

“Young has repeatedly assigned Brewer to hack into Butler’s computer system. “He finds security problems,” Young said. “And I patch them.”

“This article does not mention whether Butler’s CISO spends any time looking for intruders who have already compromised his organization. Finding security problems and patching them is only one step in the security process.”

 

Bruce Schneier’s “monitor first” is also a good principle to follow. Patching known vulnerabilities is good, but monitoring and patching is better, together with a concerted security policy, architecture, and consistent vulnerability scanning.

Maybe you have seen it?

 

We test and audit your environment to make you safer    (A – Σ – Ω)

A monitor and security policy can also be discussed, and we do not recommend hiring people with little experience.


Password changes – how to keep track of passwords

The Onion gives a joking reference as to how some choose their passwords.  Putting your livelihood in the ability of hackers to guess your favorite TV show is funny.

Some in the security industry recommend passwords 8 characters long, built with lots of special characters and upper- and lower-case characters, even though that method also creates difficulties.

Ks%!59fT is a valid (difficult to remember, hard to crack) password, which means you will likely write down the password (which is also a no-no in the security field).

Instead I would like to point to a new Password Strength description at xkcd:


 

The password should be one you can remember without writing it down, like 4 random words, as in “Correcthorsebatterystaple1”: 25 characters plus upper case and a number makes it easier to remember and provides the needed upper-case and number requirements. At 26 characters it makes the password effectively impossible to guess even with a supercomputer.

 

We recommend at least 2-3 words with 20 characters plus numbers/upper-case characters. Then, when the password must be changed every 60-90 days, the numbers can be modified, and the length of the password is your defense. word1-word2-word3-number1 can be changed to word1-word3-word2-number2.

Example:

Correcthorsebattery1

Correcthorsebattery2

 

And as the modifications are required, you can change just the numbers. After the first few changes it becomes easier to remember different passwords.

The Psychology of security

Why do we continue to live with the situation that we have?

Why are we willing to live with risks?

 

As the ever-capable Bruce Schneier has shown on YouTube and in his blog posts:

Humanity is risk averse when it comes to gains and risk seeking when it comes to losses.

Here is a noted sentence:

“Security is a tradeoff,” Schneier said, speaking to a packed audience at his RSA session. “What are you getting for what you’re giving up? Whether you make that tradeoff consciously or not, there is one.”

 

For example, almost no one wears a bulletproof vest (only police wear them, and then only in certain situations, which is a case in point).

This is the first part of his Psychology of Security essay

 

It is good to know one’s own inclinations toward security.

 

Bruce did not go into detail as to what that actually means for securing one’s own network.

I think it means most business owners (70%) would take the risk (risk seeking in losses) due to the natural inclination of not vividly seeing themselves in a worst-case scenario. “The chances are nothing will happen,” thinks the business owner, “so it won’t.”

Maybe we as a security community have not created the true picture of network security for the business owner to understand in a manner that is needed.

It is a worthwhile endeavor to spend $X dollars to reduce the risk of a security failure.

The problem is that when all of our devices are connected to the Internet we are more insecure. As the Internet grows (as per Cisco’s “The Internet of Things”)

Actually what I would be focusing on is the people who will be connected to the Internet.  How many of those people will be criminals?

We do not go to the “bad” part of town on a regular basis. But if we are connected to the Internet we are going to the bad part of town every day and every second.

So this lack of security consciousness will catch up with us … very soon.

Tony Zafiropoulos August 22, 2014

www.fixvirus.com owner since 1999

 

What systems did the attacker access?

Will your company ever ask this question? Hopefully the FBI does not call you …

As Jim Aldridge from Mandiant says in this YouTube video, the first thing that will happen is the FBI will call you in a somewhat cryptic manner…

They will tell you the systems that were compromised and what systems compromised them. That’s it. If you do not have any SIEM (Security Information and Event Management) systems, this information will be of limited value.

Unfortunately, a break-in investigation (or forensics, in security terminology) may let you know that the hacker was in your systems for months or even years.

Jim Aldridge listed some good questions:

 

1. What information was exposed?

2. Do I need to notify regulators or customers?

3. What is the extent of compromise?

4. How much money did I lose?

5. How did the attacker gain entry?

6. How do we effectively stop the attack and remove the attacker?

 

 

Of course, if you scan your systems and reveal vulnerabilities on a regular basis, you will likely not get a call from the FBI.