Cisco has announced the immediate availability of Network Admission Control (NAC) Release 4.8.0. This latest software release contains many new enhancements including:
To accompany the Cisco NAC Appliance Release 4.8, the following new documentation is also available on Cisco.com:
Release Notes for Cisco NAC Appliance, Version 4.8
Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8
Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8
Cisco NAC Appliance Hardware Installation Guide, Release 4.8
Cisco NAC Appliance FIPS Card Field-Replaceable Unit Installation Guide
F-Secure recently reported "…tens of thousands of malware samples that have been signed (with MS Authenticode)."
MS Authenticode uses digital signatures (code signing) to authenticate software and to tell the user that the software was signed by a publisher whose certificate chains to a trusted certification authority (CA).
In theory, recently downloaded software that carries an Authenticode signature is less likely to have been tampered with or to contain malware. Depending on the IE policy in effect, some Authenticode-signed software can even bypass IE security zone restrictions (http://support.microsoft.com/kb/174360).
(The detailed TechNet article on Authenticode is linked below.)
Once software is downloaded, some security products, including HIDS, HIPS, and AV solutions, may ignore Authenticode-signed executables entirely. At the very least, many of these product types apply less scrutiny to Authenticode-signed software than to unsigned code.
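The practical consequence of the F-Secure finding is that a valid Authenticode signature should be treated as one input to a trust decision, not as the decision itself. The following PowerShell audit script is an added example, not code from the original post or from F-Secure or Priveon: it walks a download folder, records each binary's SHA256 hash and signature status, and only marks a file "Allowed" when the signature verifies and the signer is on a local publisher allow-list. A valid signature from a publisher not on the list is flagged for review rather than trusted. The folder path and the allow-list entry are constructed placeholders.

```powershell
# Added example (not from the original post): audit downloaded executables so that an
# Authenticode signature is treated as one input, not as proof of trust.
# Assumptions: $ScanRoot and the $TrustedPublishers entry are constructed placeholders;
# replace them with your environment's values.

$ScanRoot = "$env:USERPROFILE\Downloads"        # assumption: folder to audit
$TrustedPublishers = @(                           # assumption: constructed allow-list
    'CN=Example Corp, O=Example Corp, L=Redmond, S=Washington, C=US'
)

function Test-DownloadedBinary {
    param([Parameter(Mandatory)][string]$Path)

    # Get-AuthenticodeSignature validates the signature and the certificate chain;
    # Get-FileHash gives a stable identifier for reporting and later correlation.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    $subject    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { $null }
    $thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

    # Decision: 'Allowed' only when the signature is cryptographically valid AND the
    # signer is on the allow-list. A valid signature from an unknown publisher is the
    # case F-Secure describes, so it is flagged for review instead of being trusted.
    $verdict = switch ($sig.Status) {
        'Valid' {
            if ($TrustedPublishers -contains $subject) { 'Allowed' }
            else { 'Review: valid signature, publisher not on allow-list' }
        }
        'NotSigned' { 'Block: unsigned' }
        default     { "Block: signature $($sig.Status) ($($sig.StatusMessage))" }
    }

    [pscustomobject]@{
        Path       = $Path
        SHA256     = $hash
        SigStatus  = $sig.Status
        Signer     = $subject
        Thumbprint = $thumbprint
        Verdict    = $verdict
    }
}

# Audit every executable, DLL and installer under the scan root and print a summary.
Get-ChildItem -Path $ScanRoot -Include *.exe, *.dll, *.msi -Recurse -File |
    ForEach-Object { Test-DownloadedBinary -Path $_.FullName } |
    Format-Table -AutoSize
```

Pin the allow-list on the full certificate subject (or, more strictly, on the certificate thumbprint) rather than on a friendly name, since the subject string is what the signer actually presented; a "Valid" status alone confirms only that the chain verifies, which is exactly what the signed malware samples above also satisfy.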
Priveon recommends the following for prevention of Authenticode signed malware:
1) Keep systems up to date. MS updates commonly include trusted IE and Windows Certificate Authority certs in hotfixes. (Priveon Recommends BigFix for endpoint management and automated patch deployment)
2) As seen with the F-Secure research, malware can use trusted Authenticode-signed executables. In addition to keeping endpoints up to date on hotfixes, Priveon recommends a trusted endpoint security solution such as Bit9. When properly deployed, Bit9 application whitelisting protects systems against unknown and untrusted executables on an endpoint, including Authenticode-signed executables. In addition to preventing malware outbreaks, Bit9 allows for detailed reporting and alerts administrators to opportunities for application analysis and user education.
For more information on Application Whitelisting solutions and Bit9 or BigFix, please contact a Priveon representative.
F-Secure: http://www.f-secure.com/weblog/archives/00001973.html
F-Secure Research: http://www.f-secure.com/weblog/archives/Jarno_Niemela_its_signed.pdf
Authenticode Technet Article: http://technet.microsoft.com/en-us/library/cc750035.aspx
An interesting MetaSploit extension was recently posted to the MetaSploit mailing list. Railgun is an extension that allows for direct access to the Windows API (any existing or uploaded DLL on the target system) through Meterpreter. Railgun knows around 1000 API calls out of the box and additional calls can be added through simple Meterpreter/Railgun commands.
Note: this is not an official MetaSploit/Rapid7 extension, and you assume all risk when downloading the Railgun extension.
Cisco has officially announced the end-of-sale and end-of-life for the Cisco Security Agent. Priveon will post updated information to this Blog, our Web Site and Twitter communications to keep our customers informed. Stay tuned for additional information and recommendations...
A common question in the security world is "what do you recommend for a pen-testing lab?"
This question is somewhat open-ended. When personally asked about pen-testing labs, I typically attempt to narrow down the area of interest from web application security (SQL injection, CSS, CSRF), application/operating system security, database security, network security, or any of the other sub-categories of vulnerabilities and/or pen-testing.
If I can qualify a "pen-testing lab" question with a specific area of interest, I typically answer with a related list of favorite tools, live CDs, websites, and vulnerable images. MetaSploit is nearly always mentioned in the "favorite tools" category for learning pen-test and attack techniques.
Now MetaSploit has released "MetaSploitable" - an image that can be used for pen-testing skill development and testing. I haven't had time to review MetaSploitable yet, but if it comes from HD and company I suspect it will make its way into my list of recommended pen-test lab tools and images.
More information on MetaSploitable, including download instructions, can be found on the official MetaSploit blog.
©2010 by Priveon, Inc.