Hi,<\/p>\n
IFor those of you with computer networks\/systems in case your IT department isn’t aware. (attached)<\/p>\n
Bill
\n*** Joint USSS\/FBI Advisory ***
\nPREVENTIVE MEASURES
\nOver the past year, there has been a considerable spike in cyber attacks against the financial services and the online retail industry. There are a number of actions a firm can take in order to prevent or thwart the specific attacks and techniques used by these intruders. The following steps can be taken to reduce the likelihood of a similar compromise while improving an organization’s ability to detect and respond to similar incidents quickly and thoroughly.
\nAttacker Methodology:
\nIn general, the attackers perform the following activities on the networks they compromise: <\/p>\n
1.
\nThey identify Web sites that are vulnerable to SQL injection. They appear to target MSSQL only. <\/p>\n
2.
\nThey use “xp_cmdshell”, an extended procedure installed by default on MSSQL, to download their hacker tools to the compromised MSSQL server. <\/p>\n
3.
\nThey obtain valid Windows credentials by using fgdump or a similar tool. <\/p>\n
4.
\nThey install network “sniffers” to identify card data and systems involved in processing credit card transactions. <\/p>\n
5.
\nThey install backdoors that “beacon” periodically to their command and control servers, allowing surreptitious access to the compromised networks. <\/p>\n
6.
\nThey target databases, Hardware Security Modules (HSMs), and processing applications in an effort to obtain credit card data or brute-force ATM PINs. <\/p>\n
7.
\nThey use WinRAR to compress the information they pilfer from the compromised networks. <\/p>\n
We are providing the following preventive measures. Performing these steps may not prevent the intruders from gaining access, but they will severely impact their effectiveness based on current attack methods.
\nRecommendation 1: Disable potentially harmful SQL stored procedure calls.
\nThe xp_cmdshell, OPENROWSET, and OPENDATASOURCE stored procedures should be disabled on all databases unless they are explicitly serving a business need within the network.
\nThe xp_cmdshell procedure allows someone to execute commands on a local system from the database, with the permissions of the service account used for the database. The OPENROWSET and OPENDATASOURCE procedures allow one to cause the database to transfer data from the local database to a remote database and vice versa.
\nThe following two steps should be taken to remove the potentially harmful stored procedure calls. <\/p>\n
1.
\nDisable access to the xp_cmdshell functions within Microsoft SQL Server. <\/p>\n
Microsoft SQL Server 2000
\nxp_cmdshell’
\nEXEC sp_dropextendedproc ‘Microsoft SQL Server 2005
\nEXEC sp_configure ‘xp_cmdshell’, 0 <\/p>\n
2.
\nRemove the “xplog70.dll” file from the server. <\/p>\n
If it is necessary to use the potentially harmful stored procedure calls, limit the exposure by applying IP filters on the SQL servers. Assign explicit ALLOW rules to the interfaces for the application the SQL server is supporting. Disallow communication between SQL Server hosts unless an application necessitates otherwise.
\nRecommendation 2: Deny extended URLs.
\nExcessively long URLs can be sent to Microsoft IIS servers, causing the server to fail to log the complete request. Unless specific applications require long URLs, set a limit of 2048 characters. Microsoft IIS will process requests over 4096 bytes long, but will not place the contents of the request in the log files. This has become an effective means to evade detection while performing attacks. <\/p>\n
1.
\nModify “%windir%system32inetsrvurlscanurlscan.ini” <\/p>\n
Ensure “MaxQueryString=2048” is present <\/p>\n
Ensure “LogLongUrls=1” is present <\/p>\n
Recommendation 3: Implement specific approaches to secure dynamic web site content.
\nCertain measures can be taken to mitigate the risk of these types of attacks by developing a secure code base. The steps below are a few of the best practices for secure coding that will help prevent the attack associated with this incident. Additional information can be found at http:\/\/msdn2.microsoft.com\/en-us\/library\/ms998271.aspx. <\/p>\n
1.
\nReplace escape sequences <\/p>\n
private string SafeSqlLiteral(string inputSQL)
\n{
\ninputSQL.Replace(“‘”, “””);
\n} <\/p>\n
2.
\nUse parameters with stored procedures <\/p>\n
using (SqlConnection connection = new SqlConnection(connectionString))
\n{
\nDataSet userDataset = new DataSet();
\nSqlDataAdapter myDataAdapter = new SqlDataAdapter(
\n“SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id”,
\nconnection);
\nmyCommand.SelectCommand.Parameters.Add(“@au_id”, SqlDbType.VarChar, 11);
\nmyCommand.SelectCommand.Parameters[“@au_id”].Value = SSN.Text;
\nmyDataAdapter.Fill(userDataset);
\n} <\/p>\n
3.
\nConstrain input in ASP.NET web pages <\/p>\n
if (!Regex.IsMatch(userIDTxt.Text, @”^[a-zA-Z’.\/s]{1,40}$”))
\nthrow new FormatException(“Invalid name format”);
\nRecommendation 4: Install and run authorized Microsoft SQL Server and IIS services under a non-privileged account.
\nUnless a specific application requires system or administrative level permissions, all instances of Microsoft SQL Server and IIS should run under accounts with restricted user permissions.
\nRecommendation 5: Apply the principle of ‘least privilege’ on all SQL machine accounts.
\nThe attackers generally create tables into which they store malware or data collected from the enterprise. Unless specific applications dictate otherwise, restrict the capabilities of the accounts used to modify databases on the servers. In particular, remove the ability to create new tables, denying the attackers a means of transporting malware and stolen data.
\nRecommendation 6: Require the use of a password on Microsoft SQL Server administrator, user, and machine accounts.
\nSeveral SQL servers examined had an empty password on the “sa” SQL account. All accounts with access to resources should be protected with passwords or certificates.
\nRecommendation 7: Lock out accounts on the mainframes after several unsuccessful logon attempts.
\nLocking accounts and requiring IT support to restore service aids in protection against brute force attacks. This can serve as an early detection of potential security problems.
\nRecommendation 8: Run the minimum required applications and services on servers necessary to perform their intended function.
\nSeveral servers, to include Active Directory master servers, have unnecessary software installed (e.g. Microsoft Office). In addition, ensure that no unnecessary services are running. This includes SQL Server and SQL Server Express on support and other workstations. Should these services be necessary, restrict access through IP filters on Microsoft Windows or through third-party firewall software.
\nRecommendation 9: Deny access to the Internet except through proxies for Store and Enterprise servers and workstations.
\nAttacks on victim networks make extensive use of HTTP, HTTPS, and DNS network ports. Denying direct access to the Internet will frustrate and mislead an attacker.
\nRecommendation 10: Implement firewall rules to block or restrict Internet and intranet access for database systems.
\nDisallow all traffic outbound from servers harboring sensitive data. Communication to the SQL servers and data warehousing servers should be tightly controlled. Restrict traffic between data centers and stores to essential ports and services only.
\nRecommendation 11: Implement firewall rules to block known malicious IP addresses.
\nFirewall rule sets designed to block all ingress (incoming) and egress (outgoing) traffic to the known malicious IP addresses have been put in place. Note that traffic violating the rules should be logged and observed in near-real time.
\nRecommendation 12: Ensure your HSM systems are not responsive to any commands which generate encrypted pin blocks. More specifically, HSMs should not accept commands that allow plain text PINs as an argument and respond with encrypted PIN blocks.
\nHSMs are normally used to verify Personal Identification Numbers (PINs), generate PINs used with bank accounts and credit cards, generate encrypted Card Verification Values (CVVs), generate keys for Electronic Funds Transfer Point of Sale systems (EFTPOS), and generating and verifying Message Authorization Codes (MACs). These systems, if accessed by an unauthorized intruder, can provide the attacker the ability to discover the appropriate PIN number for a corresponding credit or debit card. Therefore, in an effort to prevent this, HSMs should be configured to disallow “in the clear” PINs as an argument for performing its tasks.<\/p>\n","protected":false},"excerpt":{"rendered":"
Hi, IFor those of you with computer networks\/systems in case your IT department isn’t aware. (attached) Bill *** Joint USSS\/FBI Advisory *** PREVENTIVE MEASURES Over the past year, there has been a considerable spike in cyber attacks against the financial services and the online retail industry. There are a number of actions a firm can … Continue reading important security info for your IT department from USSS\/FBI<\/span>