Possible Vulnerability in Client Security due to Network Scanning Default Settings

I'm aware of the following post (see below) which does touch on this issue but I decided to create a new thread as while our issue is related, our requirements differ.

http://community.f-secure.com/t5/End-point/folder-re-directs/td-p/17964

Because we have to meet certain security standards & compliance in my organisation, we have a yearly penetration test which is done against our perimeter & then against hosts on our LAN.

This year, the Pen Tester found an interesting issue which he suggests needs addressing ASAP as it's a security hole.

Basically, because by default Client Security 9 does not scan network drives, he was able to compromise any internal PC host on our network & then launch an attack against our servers! Effectively, our PC's acted as a stepping stone to further penetration in to our network.

The way the compromise happened is by the tester connecting an unauthorised machine on to our LAN, creating a share on that machine & then compromising someone's account credentials & impersonating them (which on a Windows network isn't that hard). He then logged into that PC & executed malware code which he deposited there. Because F-Secure wasn't scanning the network share & he wrote a zero-day vulnerability for which F-Secure had no signature for, the malware was able to execute & subsequently managed to disable F-Secure on the workstation, resulting in an infected compromised host, from which he was able to start attacks against other workstations & then servers.

This kind of attack isn't "James Bond" style espionage as this is typical of how hackers have gained access to corporate LANs using APT techniques & it was such a technique which resulted in RSA being compromised.

So, what I'd like to know is how we mitigate against this situation & what F-Secure do to protect their LAN from such an attack?

Let the debate begin as I can think of methods which would minimise this situation but they don't involve changes to F-Secure's set-up but it would involve using other network infrastructure shall we say but for this case, I'm really interested in closing down this "loop hole" shall we say!

Many thanks.

Find more posts tagged with

Comments

ElseH

Smiley Very Happy

>>>> Slightly different from the subject....

About attemps and Bond.... Check this out.

But the Bond Girl attemp is actually missing in this.

Cheers!
ElseH
F-Secure Community Manager

etomcat

Hello,

Good news: the F-Secure Client Security 10.00 beta is now publicly available, with more advanced DeepGuard gen4 detection against yet unknown threats. Download is here:

http://www.f-secure.com//en/web/labs_global/beta-programs/business-users/client-security-1000-beta

Worth a try and I hope that will tilt the balance a little against the cheeky pentester!

> Also, having worked in educational establishments.

Protecting school computers is probably futile. One possibility is to let the kids play and centrally re-image every computer in the 15 minute breaks between the classes. (Essentially the same thing netcafes do.) Suprisingly doable with reasonable server-side hardware and network infrastructure. Network connectivity between pupils' and office segments must not be allowed until schoolrooms are evacuated for the evening, of course.

> inadvertently introducing infected USB sticks

FSCS 9.3x has advanced USB-scan and also hardware peripheral control functionality to answer that, although the latter one is admittedly rudimentary in its current features.

The really secure approach is hardware-based mutilitaton, i.e. off with those USB headers and pins, french revolutionary style. The criminal court, where my mother used to be a scribe, did exactly that. Only the sysadmins had working USB in their machines. In practice it was easier to print the half-ready papers and scan+OCR them at home when she needed to work through the weekend...

> find an empty room with a computer and use its connection!

Surely that will be blocked by intelligent switches and NAP/NAC that can detect impersonation of an authorised computer by a fake computer.

> not everyone has that level of physical access control

The big problem with IT security is that you do everything possible to fortify the establishment and then the attackers find out some of the workforce are either easily corrupted by bribes or can be blackmailed over some secret immorality. Those people will hand over the intellectual property to the attacker. A company that has no good physical and counter-espionage security is spending on IT-security in vain.

The plans for the London Olympics were not stolen by chinese hackers. A chinese espioness seduced the lord mayor's deputy and copied his laptop while he slept. That after MI5 warned everybody who counts to be extra guarded against "Bond girl" like attempts!

Kind regards: Tamas Feher from Hungary.

MikkoP

Hi Rick,

thank you for your valuable input. As pointed out earlier, the layered protection is the key in securing complex environments.

In the case of network shares, the primary security layer is the Anti-Malware protection of the server itself. We have the scanning for network shares functionality also in the end-point clients as the optional secondary security measure. However due to the performance impact enabling this setting does not suit all the environments but depends on the setup, which is the reason why it is disabled by default in the 9-series end-point client products but can be enabled when it is seen suitable.

We have improved our product performance and scanning logic for the network shares in the end-point clients in the upcoming versions of the products. This makes it more suitable, and recommended solution, to turn on this functionality in most cases for additional level of security. Still it is worth mentioning that the primary security layer should not be neglected as this provides the protection for e.g.. The unmanaged BYOD systems where the end-point security level can not be ensured without tight network access control.

What comes to the breaches utilizing advanced social engineering tactics, unfortunately there is no bullet proof solution for these. Human behavior can be educated and guided, and layered rights and permissions can be utilized to mitigate these risks, but leakage risk is never 0% as long as there is emotional and survival instincts involved.

Best regards,

Mikko

Rick586

Hello Tamas.

I'm afraid that some of your comments aren't helpful at all as saying that something is NOT possible in terms of security is a sure way to invite someone to try and circumvent your security - which is exactly how hackers operate. You "dangle the carrot to the rabbit" and watch what happens. History teaches us this as there have been security companies who should've known better and have been caught with their "pants down"!

If that's the case, why bother patching a product? Any vulnerability is only a problem if it's exploited and perhaps certain people will never have an unpatched machine exploited! It's like that old story of the woman who has smoked all her life, is now 80 and still doesn't have lung cancer! At the end of the day, it’s about risk, probability and opportunity. As security professionals, it’s up to us to do a risk assessment and then decide whether we think something is worth dealing with.

The issue comes around when a possible vulnerability is discovered, even if the exploit is hypothetical, surely it's better to ensure that the attack vector isn't there!

Security is a multi-layered approach but what you're saying is that it doesn't matter if we use software which has vulnerabilities as any intruders "will be shot on site" by our military guards! Well, not everyone has that level of physical access control and as F-Secure deliver solutions from government to small businesses, their software has to be able to adapt. It's likely that F-Secure is running in places where there are little controls over boundary access so surely it is better to ensure your product isn't going to be the weak link! This becomes paramount when your company is in fact a security company!

Also, having worked in educational establishments, how do you think they operate? How do you think they police students with BYOD and mobile devices? How much of a budget do you think educational establishments have? How many resources do you think they have to their disposal? I can answer that as I’ve spent a large portion of my life working in such environments. Now that’s a challenge I can tell you; maintaining a secure and clean network with very little resources to hand and money to spend! Also, how about visitors to an organisation or disgruntled staff?

In my working life, I've been involved in situations where I've seen all of the above. Students hacking and inadvertently introducing infected USB sticks or devices on to a network. Disgruntled staff who have a grievance and intentionally introduce a problem and wouldn't it make it easy for that person if they knew the vector of attack?

Then, how about the sales person or guest speaker who does have authorisation to enter the building, gets a day pass and then decides to connect their machine on to the LAN? Perhaps all unused network points are not configured but that's easy; find an empty room with a computer and use its connection!

My company does have access control and we do have switches configured properly but we also have areas of our network which are exposed to the public. I'm not at liberty to discuss any further details other than the risk that was presented to us was unlikely to happen but I wasn't prepared to take the risk and put my neck on the line in front of management as if it did happen, as I knew about the vulnerability which was also now detailed in a report, failure to act would end up costing me my job!

Our Pen tester commented on the fact that he thought we had above average controls on physical entry and excellent controls within our organisation and said it was only one of a few occasions when he wasn't able to compromise any of our servers but I take the view that it was our lucky day as I would say that were aren't impenetrable as I'm sure if someone really wanted to, they could but me and my team do our best to have this risk as low as possible.

Our Pen tester also said how his company had done social engineering tests and for at least half the companies, managed to get into a company with little resistance and when inside, found that instead of other staff challenging them, they just smiled away!

In fact, let me tell you how I know this stuff is so true as I once worked for an organisation where a thief "blagged" their way in to the company and then on the way out of the TV theatre with a bag full of equipment, which he struggled to carry, had a member of staff help him with his bag at the exit of the theatre and I know all this as I was involved in the investigation where we saw it all happening on CCTV! Had the member of staff challenged the person? What do you think? How many staff in a medium to large organisation even bother to challenge unknown staff or people with no ID card displayed? Not many, as people don't like confrontation and this is a sentiment which our Pen Tester agreed with as that's how they managed to engineer their way into several organisations and plug their infected (test) laptop in.

Anyway, I believe I've said enough on this subject and to address your last point, I've now activated network drive scanning and we've had no such issues with slow downs as it does appear that F-Secure have made improvements.

I just hope for your sake that no one engineers their way into your organisation with knowledge of that vulnerability as you'll have big problems on your hands!

Good luck with that one...

hewtac

Hello Tamas

>> but that also makes it possible to disable AV if the attacker is clever.

We're constantly improving on this to make our products as "tamper-proof" as possible. I did receive comments that certain malware samples can cause problems to our products te.g. products entering a malfunction state, disabling our automatic update feature, etc. If such samples do exist, we would appreciate if our readers would upload them to our Sample Analysis System (https://analysis.f-secure.com/), so we can better improve our products.

>> AV scan on network drives is a huge performance problem

This remains an open discussion; what I can tell is that product management is revisiting this issue following the initial post. On a separate note, R&D has since improved the network drive scanning feature back in year 2010, its changes would (could?) mitigate the side effects brought up by Tamas.

If there are any readers who are against turning this setting ON/OFF, do feel free to share your thoughts, as we are highly interested to hear our customers' voices .

etomcat

Hello,

> he wrote a zero-day vulnerability for which F-Secure had no signature for

If this is the case, then having "scan network drives" flag ON or OFF really does not matter. The code would appear benign to the AV scanner, even if checked.

Please note: the current F-Secure 9.3 corporate product line has the older DeepGuard generation3 technology. Upcoming FSCS 10.0 version (already in pre-beta) will have a newer generation DeepGuard technology in it, which is much better at stopping unknown, not-yet-in-signature threats. Works well in the F-Secure IS 2013 home user / home office oriented product already.

That will make pen-testers work harder for their money.

> managed to disable F-Secure on the workstation

This is a dilemma. In old times, F-Secure AV was partly (much) in the kernel level and usually could not be disabled in an unauthorized way without crashing the Windows NT OS to BSOD. Of course that meant any small AV tech problem also resulted in a BSOD. That was not longer acceptable when Microsoft started to promote Windows XP as a super stable OS. Therefore antivirus development turned to userland, which enhances stability allows on the fly recovery from minor AV crashes), makes debugging easier, but that also makes it possible to disable AV if the attacker is clever.

However, most companies are more concerned about AV-related crashes and the problem posed by occurance of false malware alarms, etc., compared to actually getting infected or hacked. Therefore it makes common sense to keep as much AV in userland, as possible.

> such a technique which resulted in RSA being compromised

There is no defence against these types of military-governmental sanctioned attacks, short of launching a cruise missile aimed at the chinese hacker's lair, which is a well-known tall building in the port town of [censored]. Why the Pentagon fails to exercise that option is a mystery.

Mikko Hypponen said very clearly in a webcast that in case of an advanced cyber-attack, sanctioned by a government, you are toast for sure. I think the only remedy is if your government makes it clear that they are willing to retaliate on your behalf and that deterrence may shy away the attackers.

> This kind of attack isn't "James Bond" style espionage

Mr. Mikko actually used an analogy about James Bond killing you inevitably, when referring to the futility of defence versus threats like Stuxnet or the RSA hack that cracked the token tech.

Bye, Tamas Feher from Hungary.

etomcat

Hello,

> The way the compromise happened is by the tester connecting an unauthorised machine on to our LAN

This act is NOT possible in a company LAN, because of mandatory access controls, either based on MAC or something more advanced (like NAP and NAC). F-Secure supports both NAC and NAP.

Furthermore, the company's security guards should confiscate "unauthorised hardware" at the gate. The pentester probably did not dress as Batman to come in through the roof at night.

> Because we have to meet certain security standards & compliance in my organisation

You will definitely not meet compliance with a corporate LAN that has no access controls and lets John Doe connect any unknown laptop to it!

AV scan on network drives is a huge performance problem and turning it on by default would allow an attacker to effectively DDoS a server by artificially setting a 10mbps legacy ethernet speed and then open many large files on a share.

Furthermore, shouldn't every server and client (be it Win or Linux) run an AV instance itself, with OAS protection active? That way the attacker is only able to infect oneself. If you do not run AV with OAS on Linux/Unix server, you deserve to be infected.

Bye, Tamas Feher.

hewtac

Apologies to our fellow readers, I've been in direct contact with Rick586 to ensure I got my facts right before responding here. To recap on the first post, the tester was able to compromise an administrative account through other means, and hence was not only able to disable our product, but could even uninstall our product if they wanted to.

We were subsequently able to conclude that this is *not* a vulnerability, and as confirmed by Rick586 himself, the tester was not able to:

use one of F-Secure’s binaries to perform privilege escalation with a limited user account.
Disable F-Secure’s processes using a limited user account.

That being said, it is true that network drive scanning is currently disabled by default, and in the age of mobile computing, BYOD policies and faster network connection speeds, this default configuration may no longer stand the test of time. This topic has already been raised to the relevant people, and (good news!) they've listened to the community We can expect changes to this setting in upcoming products e.g. AVCS10.

For those who are concerned about scanning overheads from enabling this setting, rest assured that our R&D team has already implemented performance improvements to the setting to make it more usable. All in all, the benefits of enabling this setting outweights its cons.

>> So, what I'd like to know is how we mitigate against this situation & what F-Secure do to protect their LAN from such an attack?

F-Secure recommends to:

enable network drive scanning
deploy our end-point security software on both workstations and servers
review your organisation's firewall policy e.g. prevent file sharing ports on unathorised devices

ElseH

Dear Rick!

I noticed that you haven't received any reply yet. Sorry for that. I will do my best to get one