
New Attacks by Russian Hacking Group using Flash and an Unpatched Zero Day Exploit



If they don't issue a patch for a known exploit there is no amount of "updating" that's going to protect your system.

 

(wrong link... Stanley got it right... unless you're a fan of "The Goonies" movie)

 

Be careful out there!

 

WDR

1993 Foretravel U225 with Pacbrake and 5.9 Cummins with Banks

1999 Jeep Wrangler, 4" lift and 33" tires

Raspberry Pi Coach Computer

Ham Radio


WDR, Is that the right link? Maybe this one:

 

http://www.techworld.com/news/security/russian-hackers-wield-flash-unpatched-windows-zero-day-flaws-3608495/

 

 

 

I like this one: http://www.theregister.co.uk/2015/04/20/nasty_jpg_pops_corporate_locks

 

 

Penetration tester Marcus Murray says attackers can use malicious JPEGs to pop modern Windows servers, to gain expanded privileges over networks.

In a live hack set down for RSA San Francisco this week, the TrueSec boffin shows how he used the hack to access an unnamed US Government agency that ran a buggy photo upload portal.
A key part of the stunt is achieved by inserting active content into the attributes of a jpg image, such that the file name read image.jpg.aspx. “I'm going to try to compromise the web server, then go for back end resources, and ultimately compromise a domain controller,” Murray said, adding the hack is not that difficult.
“Even in mixed environments, when you own the domain controller you usually own the entire infrastructure of that company and that is true because they have Linux server you usually use Windows clients for connect to them.

 

A good reminder to not use the Windows integration features Linux offers you on any important Linux boxes!

First rule of computer consulting:

Sell a customer a Linux computer and you'll eat for a day.

Sell a customer a Windows computer and you'll eat for a lifetime.

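The Register excerpt above turns on a photo upload portal that accepted a file named image.jpg.aspx. As an added example (not from the article or the thread), here is the server-side check a defender would want in front of such an upload: it rejects anything whose last extension is not JPEG, rejects double extensions, verifies the JPEG magic bytes rather than trusting the client's Content-Type, and stores the file under a random server-chosen name. The sample uploads are constructed, not real files.

```python
import os
import secrets

ALLOWED_EXT = {".jpg", ".jpeg"}
JPEG_MAGIC = b"\xff\xd8\xff"          # every JPEG/JFIF/Exif file starts with these bytes

# Constructed sample uploads: (filename as sent by the client, first bytes of the body)
SAMPLE_UPLOADS = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("image.jpg.aspx", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),   # double extension, like the talk
    ("image.aspx.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),   # still a double extension
    ("photo.jpg", b'<%@ Page Language="C#" %>'),              # JPEG name, ASP.NET body
    ("photo.JPG", b"\xff\xd8\xff\xe1\x00\x18Exif\x00\x00"),    # upper-case extension is fine
]


def check_upload(client_name, head):
    """Validate one upload. Returns (accepted, reason_or_stored_name).

    The client name is used only for the extension decision; the stored
    name never derives from it, so path tricks and double extensions
    cannot reach the web root.
    """
    base = os.path.basename(client_name.replace("\\", "/"))
    root, ext = os.path.splitext(base)
    if ext.lower() not in ALLOWED_EXT:
        return False, "extension %r not allowed" % ext
    if "." in root:
        # A second dot means a second extension (image.jpg.aspx, image.aspx.jpg).
        return False, "multiple extensions not allowed"
    if not head.startswith(JPEG_MAGIC):
        return False, "body is not a JPEG"
    return True, secrets.token_hex(16) + ".jpg"


def triage(uploads=SAMPLE_UPLOADS):
    """Return the accept/reject decision for each sample upload, in order."""
    return [check_upload(name, head)[0] for name, head in uploads]


if __name__ == "__main__":
    for (name, head), ok in zip(SAMPLE_UPLOADS, triage()):
        print("%-16s -> %s" % (name, "ACCEPT" if ok else "REJECT: " + check_upload(name, head)[1]))
```

Even with this check in place, the upload directory should sit outside the web root (or be served with script execution disabled), since the whole point of the double extension is to get the web server to execute what it was told was a picture.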

Interesting. I'm in the process of setting up an Exchange server for a client on a stand-alone Server 2012 box. MS Exchange does not actually act like a "normal" SMTP server and, since only an idiot would connect any box with an MS operating system (especially with files containing user data on it) directly to the Internet, I have a Linux box running Postfix to receive email (and then forward it) and to send it. But both the Linux box and the Server 2012 are in the Domain (Linux via Samba and Server 2012 via being a backup domain controller).

 

I'm going to have to think about taking the Linux SMTP forwarder off the MS domain. Although nothing much to compromise on the Linux box; even the user accounts have no passwords (and no way to log in) and no data.

 

On edit, let me elaborate a little: the point is that if no one on the Internet can see the Exchange server and the Exchange server thinks it's all by itself inside a comfortable Windows domain and active directory, then you reduce the chances for any penetration.

 


I haven't done any Exchange Server work since the early 90s when I developed the default install for a government organization I was contracting to and on the side helped the wife set up the Exchange system for Ft. Huachuca. We used an external hardware firewall for isolation and dedicated Unix box for the SMTP, we weren't deep into the MS mail system at that point so we didn't need to hook the clients to a domain which really made securing the Exchange Server box a lot simpler.

 

Some of the stuff you can do with an Exchange Server integrated into a Microsoft ecosystem is pretty nice and hard to duplicate under most Linux setups but the security downside has worried most of the folks I've worked with to the point they do the same as you are looking at and isolate things as much as possible.

 

Are you going to set up some type of remote logging so you can do an audit if something goes wrong and the on-system logs are compromised?


 

Are you going to set up some type of remote logging so you can do an audit if something goes wrong and the on-system logs are compromised?

Yes, the Linux SMTP box logs everything and sends me an email every morning.

 

The Exchange logs, like almost all of MS logs, are pretty much useless. With a Linux server I can watch the log in real time. This tells me - sitting miles away in my office, whether the email system is flowing well or not. With Exchange I have to go to the server, log in, get to the Event Viewer and then interpret all the various messages.

 

Keeping any MS server installation isolated as much as possible is the only way to even try to secure it. Internet Explorer is so insecure that the default install of that application on Server 2012 is crippled by a system that refuses to let you browse to any web address without specifically adding it - and any subdomains - to a list of permitted sites. So, if you end up going to an insecure site it's your own fault because you added that to the list of permitted sites. It's not MS's fault.

 


We're now two days into the actual Exchange installation and, so far, have not gotten beyond the "prerequisites". As far as I can tell these are the same as "dependencies" in open-source except that instead of solving the dependencies MS simply tells you that "this computer requires......" and gives you a url for "help" (which doesn't help). You're on your own. (The "Microsoft Updates" don't help, either.)

 

And halfway down the "prerequisites" for Exchange 2013 is the necessity to upgrade Exchange 2010 (which we're moving from). So we go to that machine - a machine with all the updates installed - and discover that we have another list of "prerequisites" that MS doesn't solve for us.

 

It's interesting that on the Linux box I simply typed, "yum install postfix" and it solved all the dependencies for us and even gave us a list of everything that would be downloaded and installed and then asked us to type "y" or "n" if we wanted to continue. Hitting the "y" key installed everything and all I had to do was configure it for our system (domain names, subnet, and user mailboxes) and it works. It took less than 2 hours including tests to make sure that the machine received email and didn't relay for spammers.

 

I am beginning to wish we had just moved them to Google Apps.

 

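The posts above describe a Linux Postfix box in front of Exchange that receives mail for the domain, forwards it inward, and was tested to make sure it "didn't relay for spammers". As an added example (not the poster's configuration), this is the shape of a Postfix main.cf that does exactly that; example.org and 10.0.0.5 are placeholders for the hosted domain and the Exchange server. Postfix only honours comments that start a line, so none are placed after a value.

```ini
# /etc/postfix/main.cf for the forwarder (added example; placeholders: example.org, 10.0.0.5)
myhostname = mx1.example.org
inet_interfaces = all

# Only loopback is trusted to relay anywhere. Putting the whole LAN, or worse
# 0.0.0.0/0, in mynetworks is the classic way to become an open relay.
mynetworks = 127.0.0.0/8, [::1]/128

# Accept mail for the hosted domain and hand it to Exchange.
# /etc/postfix/transport contains one line:  example.org  smtp:[10.0.0.5]
relay_domains = example.org
transport_maps = hash:/etc/postfix/transport

# List of valid mailboxes so unknown recipients are rejected at the edge
# instead of being relayed to Exchange and bounced from there (backscatter).
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# The anti-relay rule: a recipient must be local, in relay_domains, or the
# session must come from mynetworks. Everything else gets "Relay access denied".
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions = reject_unknown_recipient_domain, reject_unauth_destination

# Give away as little as possible to whoever connects.
smtpd_banner = $myhostname ESMTP
disable_vrfy_command = yes
```

After `postmap` on the two hash files and a `postfix reload`, the relay test the poster mentions is simply an SMTP session from outside mynetworks with a RCPT TO at a domain not in relay_domains: the expected answer is a 554 "Relay access denied".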

I loved Exchange, it was so horrible they paid me a bundle to develop a lab setup and train others on it. My setup notes had very little in common with the Microsoft instructions with a lot of extra steps and many, many warnings added. Sorry I didn't keep them around, I'd send you a copy.

 

I still remember one engineering team that went out with a bunch of gurus in charge, they hit about three remote sites before they discovered the multi-server integration wasn't working. They had ignored the one lower level employee (a lowly GS-12) I had trained when she pointed out one of my warnings about assigning some cryptic parameters in the setup and the only fix was going to be a wipe and re-install. The nice lady (my project leader and the one that approved my pay rate) was most happy when the team had to call back to the home office and ask the organization's director for help. He knew he had been paying me to work on Exchange and I'd gotten it working in the lab so he called me in for the phone conference. I listened to the problem and instead of telling them what was wrong I asked if Pam was still with the team. She chimed in that she was there, had told them they were making a mess and that they were ignoring her. I told the director to put Pam in charge of the current install and to test it by connecting to one of my lab systems before going back to the other sites and doing the job over. Made no friends with the engineers but my pay rate got a nice bump and Pam got a lot more control over the new installs.

 

Google Apps is really tempting but there are also some nice self hosted Linux based groupware solutions. I wouldn't recommend either of them since you are doing this for profit, you'll bill a lot more hours going with Exchange and if anyone that isn't a true Exchange expert fools with it once you have it working to "save money" you'll be billing even more hours.


My issue is that I'm not trying to gouge these folks. It's a family service group dealing with headstart and abused women. They get by on grants and you know how those are since 2008.

 

So I have a contact there who does most of the work and I come in for the tricky bits. Unfortunately, Exchange is all tricky bits. I thought early versions were bad but new versions are even worse; requiring voice codecs for voice mail! Voice codecs that aren't available but still required.

 

Just a mess. (Did I mention that practically every "prerequisite" crashes the email server? That's special!)

 


Maybe try something Linux that they can afford to keep running? From 2014 but a good starting point:

 

http://www.linuxlinks.com/article/20090921133533625/Groupware.html

 

 

9 of the Best Free Linux Groupware Software

Groupware software (or collaborative software) is designed to enable users to collaborate, regardless of location, via the internet or a corporate intranet and to work together in a virtual atmosphere.
The efficiency of an organisation can be greatly enhanced by the effective deployment of groupware software. Collaborative applications help to integrate project work so that a group can achieve their tasks and objectives. The term groupware is wide-ranging spanning communications tools (such as email), conferencing tools, and management tools.
Groupware solutions heavy on the feature-set are often not suitable for more than a few hundred users. However, software which offers only basic groupware functionalities, such as e-mail, contact and calendaring, are likely to meet the requirements of large deployments.
This type of software is particularly important to businesses, service providers and email hosters.
The Linux platform offers an impressive set of collaboration software. This type of software often includes messaging functionality, support for the popular mail protocols (such as SMTP, IMAP, and POP3), and organisational tools including a calendar.
The standard medium for accessing a groupware account is via a web browser.
To provide an insight into the quality of software that is available, we have compiled a list of 9 excellent groupware servers. We have included web based solutions as well as classic client-server solutions.

 

I have fooled with Kolab: http://www.linuxlinks.com/article/20090921133539361/Kolab.html

 

I've heard good things about Open-Xchange: http://www.linuxlinks.com/article/20090921133537211/Open-XchangeServer.html

