Saturday, June 23, 2012

How to apply updates and security patches to ESXi

Applying ESXi updates is possible and free. Installing them brings additional features, such as support for new guest operating systems, and security patches, which are released on a monthly basis. You can get the updates from here: http://www.vmware.com/patchmgr/findPatch.portal

If you have ESXi 4.1 and have never installed any patches, I recommend:

  1. update-from-esxi4.1-4.1_update02.zip: the latest major upgrade, usually called Update 2
  2. ESXi410-201206001.zip: the latest security patch, from June 2012.

ESXi updates are cumulative, so you don't need to install every patch that has been released to be up to date: the latest major update plus the latest security update is enough.

The process is as follows:
  1. Download update-from-esxi4.1-4.1_update02.zip and ESXi410-201206001.zip and copy them to the ESXi host:

    On OS X or Linux you can SCP the files to your server; you will need an SSH account on the host.

    # scp update-from-esxi4.1-4.1_update02.zip root@esxi:/
    # scp ESXi410-201206001.zip root@esxi:/

  2. Power off all the VMs and enter maintenance mode:
    # vim-cmd hostsvc/maintenance_mode_enter
  3. On the ESXi host, in the directory where you copied the files, apply the major update:
    # esxupdate --bundle=update-from-esxi4.1-4.1_update02.zip update

    Unpacking cross_qlogic-fchba-provider_410.1.3.7-454..          #################### [100%]
    Unpacking cross_oem-vmware-esx-drivers-scsi-3w-9xxx..          #################### [100%]
    Unpacking cross_oem-vmware-esx-drivers-net-vxge_400..          #################### [100%]
    Unpacking cross_vmwprovider_4x.1.0.1-2.11.502767               #################### [100%]
    Unpacking cross_swmgmt_4x.1.0.1-1.4.348481                     #################### [100%]
    Unpacking cross_kmodule_4x.1.0.1-1.4.348481                    #################### [100%]
    Unpacking cross_omc_1.1.0-2.11                                 #################### [100%]
    Unpacking cross_hdr_4x.1.0.1-1.4.348481                        #################### [100%]
    Removing packages :qlogic-fchba-provider                       #################### [100%]
    Installing packages :cross_oem-vmware-esx-drivers-s..          #################### [100%]
    Installing packages :cross_qlogic-fchba-provider_41..          #################### [100%]
    Running [cim-install.sh]...ok.
    Running [vmkmod-install.sh]...ok.
    Running [/sbin/esxcfg-secpolicy -p /etc/vmware/secpolicy]...ok.
    The update completed successfully, but the system needs to be rebooted for the changes to be effective
  4. On the ESXi host, in the same directory, apply the security update:
    # esxupdate --bundle=ESXi410-201206001.zip update

    Unpacking deb_vmware-esx-firmware_4.1.0-2.23.721871            #################### [100%]
    Installing packages :deb_vmware-esx-firmware_4.1.0-..          #################### [100%]
    The update completed successfully, but the system needs to be rebooted for the changes to be effective.
  5. Once both are installed, check the status:
    # esxupdate query

    ----Bulletin ID----- -----Installed----- ---------------Summary---------------
    ESXi410-Update02     2012-06-23T05:58:57 VMware ESXi 4.1 Complete Update 2
    ESXi410-201206401-SG 2012-06-23T05:15:08 Updates Firmware
  6. Reboot so that the updates take effect:
    # reboot
  7. Finally, exit maintenance mode:
    # vim-cmd hostsvc/maintenance_mode_exit
  8. Done!

Summary of vcli commands:

  • vim-cmd hostsvc/maintenance_mode_enter
  • esxupdate --bundle=update-from-esxi4.1-4.1_update02.zip update
  • esxupdate --bundle=ESXi410-201206001.zip update
  • esxupdate query
  • vim-cmd hostsvc/maintenance_mode_exit
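Two checks I would put around the procedure above, as an added example (my own POSIX shell helper, not code from the original post and not a VMware tool): compare a downloaded bundle's SHA-1 with the checksum listed for it on the download page before copying it to the host (SHA-1 is assumed here; the expected value is a placeholder the operator fills in), and parse the `esxupdate query` output from step 5 to confirm that the expected bulletin IDs are installed before leaving maintenance mode. The sample query output is the one shown in step 5 and the bulletin IDs are the ones from this post.

```shell
#!/bin/sh
# Added example, not part of the original post and not a VMware tool.
# Two checks around the patching procedure: verify a downloaded bundle's
# SHA-1 against the value published for it (SHA-1 assumed; placeholder below),
# and confirm that `esxupdate query` reports the expected bulletin IDs before
# exiting maintenance mode. Bulletin IDs below are the ones from the post.

# Constructed sample: the `esxupdate query` output shown in step 5 of the post.
SAMPLE_QUERY_OUTPUT='----Bulletin ID----- -----Installed----- ---------------Summary---------------
ESXi410-Update02     2012-06-23T05:58:57 VMware ESXi 4.1 Complete Update 2
ESXi410-201206401-SG 2012-06-23T05:15:08 Updates Firmware'

# Bulletins this run is expected to leave installed (from the post).
EXPECTED_BULLETINS='ESXi410-Update02 ESXi410-201206401-SG'

# verify_bundle_checksum FILE EXPECTED_SHA1
# Returns 0 if the file's SHA-1 equals EXPECTED_SHA1. Run this before scp /
# esxupdate so a corrupted or tampered download is never applied to the host.
# Usage (PUBLISHED_SHA1_PLACEHOLDER stands for the value on the download page):
#   verify_bundle_checksum ESXi410-201206001.zip PUBLISHED_SHA1_PLACEHOLDER || exit 1
verify_bundle_checksum() {
    file=$1
    expected=$2
    if command -v sha1sum >/dev/null 2>&1; then
        actual=$(sha1sum -- "$file" | awk '{ print $1 }')
    else
        actual=$(shasum -a 1 -- "$file" | awk '{ print $1 }')
    fi
    [ "$actual" = "$expected" ]
}

# installed_bulletins QUERY_OUTPUT
# Prints the bulletin ID column (first field) of esxupdate query output,
# skipping the header line and any blank lines.
installed_bulletins() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF > 0 { print $1 }'
}

# missing_bulletins QUERY_OUTPUT ID...
# Prints each expected ID that does not appear in the query output.
# Returns 0 when every expected bulletin is installed, 1 otherwise.
missing_bulletins() {
    output=$1
    shift
    installed=$(installed_bulletins "$output")
    rc=0
    for id in "$@"; do
        if ! printf '%s\n' "$installed" | grep -qx -- "$id"; then
            echo "$id"
            rc=1
        fi
    done
    return $rc
}

# Offline demonstration against the sample output; on the host you would pass
# "$(esxupdate query)" instead of "$SAMPLE_QUERY_OUTPUT".
if missing=$(missing_bulletins "$SAMPLE_QUERY_OUTPUT" $EXPECTED_BULLETINS); then
    echo "all expected bulletins installed; safe to exit maintenance mode"
else
    echo "missing bulletins (do not exit maintenance mode yet):"
    echo "$missing"
fi
```

The bulletin check is deliberately driven by a list you write down before starting, so that a step that silently did nothing (a bundle that failed to unpack, a typo in the bundle name) is caught before the host goes back into production.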



Wednesday, February 1, 2012

How does your HR department help hackers own your company?


Introduction
The problem
Why should my company care about this?
The numbers
What can we do?

Introduction

There is no doubt that the information security industry is growing fast. Companies all over the world are implementing security policies and infrastructure, mainly either for compliance or out of need; either way, to do that they need people with INFOSEC skills, and there has been a market boom lately in which you see a lot of "Security Experts" on the market. To get the right people into company XYZ, the process generally starts at the HR department, which, based on its internal processes (if it has any), creates a job posting on the corporate web site or hires a head-hunting company to do so. The latter is not very common; why? As you may have guessed: the cost.
Companies are generally looking to cut costs wherever they can, and one of these areas is the HR hiring process. Obviously hiring a head-hunting company to find the right people is more expensive than interviewing candidates on their own, but one of the problems they then face is how they publish the job postings.


The problem

What it comes down to is the type of information HR people publish publicly on the Internet in job postings. The problem is not confined to one country: for this research I took a sample of 150 job postings divided among 3 countries, 50 job offers per country; the countries selected were the USA, Germany and Chile. The key question is: how much inside information am I able to post publicly for a job opening? And here is the problem: based on the research I have done, most of the postings contain information that can be classified as critical IT infrastructure components or processes.


Why should my company care about this?

As you may already know, hackers have been very busy lately. One of the first steps taken before attempting any legal or illegal act is called passive fingerprinting: they go online and research the target company as deeply as they can in order to gather as much information as possible. This is where job postings come into play. What kind of information can they get from them? Company processes, IT infrastructure, internal lingo, operating systems, security infrastructure components, protection methods, and much more. With all this published information gathered, several techniques can be used to carry out hacking activities, such as remote attacks, client-side attacks and social engineering, putting your company at risk.


The numbers

The sample I worked with was 150 job postings, divided as follows (USA: 50, Germany: 50, Chile: 50). The method used to collect this information was completely manual: going to public job search web sites and reading through the posts. I analysed the information gathered as follows:



What can we do?

HR processes should be in line with the corporate security policy; however, even companies with a strong corporate security policy lack a basic understanding of how serious the type of information they are giving away is.

As part of the corporate policy, Internet job postings should be reviewed by the BISO and/or an SME, since the first step of any hiring process should not require publishing all the technical details. If that is the case, you may consider outsourcing your hiring process and keeping it anonymous.
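The review step recommended above needs something concrete to look for. As an added example (my own shell helper, not code from the original post), here is a pre-publication check that flags lines of a draft job posting naming products, versions or internal hostnames, so the BISO or SME can decide what to generalise before it goes online. The pattern list and the sample posting are constructed for illustration; a real list would be derived from the company's own asset inventory.

```shell
#!/bin/sh
# Added example, not from the original post: flag job-posting text that names
# infrastructure components, versions or internal hostnames so the BISO/SME
# review has concrete items to generalise before publication.
# The patterns and the sample posting below are constructed for illustration.

# Constructed review patterns: case-insensitive extended regexes, one per line
# (product names, product + version strings, internal DNS suffixes).
REVIEW_PATTERNS='(checkpoint|palo alto|cisco asa|fortigate)
(esxi|vsphere|hyper-v)[ -]?[0-9]+(\.[0-9]+)*
(windows server|rhel|centos|solaris)[ -]?[0-9]+
(mcafee|symantec|trend micro) epo?
(splunk|arcsight|qradar)
[a-z0-9-]+\.(corp|internal|local)'

# Constructed sample posting (fictional company, fictional hostname).
SAMPLE_POSTING='Senior Security Engineer - Chicago
Manage our Cisco ASA 5500 firewalls and ArcSight SIEM.
Maintain ESXi 4.1 clusters and Windows Server 2008 domain controllers.
Access is via vpn.example-corp.internal; experience with McAfee ePO a plus.'

# flag_sensitive_terms TEXT
# Prints one "lineno:matched text" entry per hit. Returns 0 if the text is
# clean and 1 if anything was flagged, so it can gate a publishing step.
flag_sensitive_terms() {
    pf=$(mktemp)
    printf '%s\n' "$REVIEW_PATTERNS" > "$pf"
    # grep -o prints each match on its own line; -n prefixes the line number.
    matches=$(printf '%s\n' "$1" | grep -n -o -i -E -f "$pf" || true)
    rm -f "$pf"
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        return 1
    fi
    return 0
}

# Demonstration on the constructed posting.
if hits=$(flag_sensitive_terms "$SAMPLE_POSTING"); then
    echo "posting is clean"
else
    echo "posting needs review; flagged terms:"
    echo "$hits"
fi
```

The output for the sample posting lists the firewall model, the SIEM, the hypervisor and domain controller versions, the internal hostname and the endpoint product, which is exactly the kind of inventory the post says an attacker collects from a posting; a reviewer can replace each with a generic phrase ("enterprise firewalls", "virtualisation platform") without weakening the job description.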



Monday, December 26, 2011

Stratfor confidential customers' password analysis

As you may have already heard, Stratfor, the global security intelligence provider, was compromised over Christmas, on December 24th, by AntiSec; among their services are daily intelligence briefings about security and international affairs.
Stratfor's client list was confidential, and the company's publicity includes Fortune 500 companies and international government agencies.
The client list is no longer confidential since last Saturday the 24th, when the AntiSec group published the following information: customers' names, e-mail addresses and passwords.

Given the nature of the services Stratfor provides and the customers they have, I was very interested in finding out how good the information security posture of these customers, who access high-value intelligence information, is when it comes to password complexity.

The results after some quick research are, as you may have guessed, interesting:

I processed a dump of 10,258 items, and the drill-down is as follows:





86% of the passwords are eight characters or shorter; taking into account that the majority of them are alphanumeric, this gives a keyspace of:

36^8 (English keyboard, letters + numbers)

Remember that password strength is technically given by what is called the keyspace. The keyspace is expressed mathematically as X^L, where X is the number of possible characters that can appear in the password and L is its length. If you do the basic analysis, you can see that changes in L are more significant, character for character, than changes in X.

Therefore, with current online or basic cracking tools, 99.97% of Stratfor users' passwords would last 60 seconds before being cracked.

For some other stats you are invited to check http://www.lockdown.co.uk/?pg=combi, where there is more detailed research on the amount of time a computer needs to crack passwords of different complexities.

But let's move on to some other juicy information from the research:

Top 30 Passwords

  Count  Password
  -----  ---------
    418  stratfor
     71  123456
     50  stratfor1
     45  1234
     39  password
     28  strat4
     27  1qaz2wsx
     15  changeme
     12  samsam
     10  baseball
      9  charlie
      9  testing
      8  abc123
      8  trustno1
      7  qwerty
      7  research
      6  21937
      6  andrea
      6  password1
      6  qqq111
      6  STRATFOR
      5  12345
      5  12345678
      5  alex
      5  dragon
      5  golfer
      5  london
      4  111111
      4  333333
      4  andrew



What I found really amazing was the number of passwords containing, or simply being, "stratfor", and the perennial time-savers 123456 and abc123.



This is really interesting since, if you think about it, most people in charge of receiving this type of security intelligence report are either related to the army or government, or somehow related to the INFOSEC industry: CISOs, BISOs, CISSPs et al. It is therefore really impressive how weak their password posture is; again, this confirms that the weakest link in the security chain is the human factor.
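To make the keyspace argument above and the Top 30 observations concrete, here is an added example (my own shell script, not part of the original post) that does the X^L arithmetic in awk and tallies the Top 30 list: the keyspace for a few alphabets and lengths, the worst-case time to exhaust it at an assumed guess rate (the post gives no rate, so it is a parameter), and how many of the Top 30 occurrences contain the company name or are eight characters or shorter. The Top 30 counts are copied from the table in the post; everything else is assumption or arithmetic.

```shell
#!/bin/sh
# Added example, not from the original post: the keyspace arithmetic the post
# describes (X^L) and a tally over the post's own Top 30 list. The guess rate
# given to seconds_to_exhaust is an assumption supplied by the caller; the post
# states no rate. Arithmetic is done in awk by repeated multiplication, so the
# values here (below 2^53) are exact.

# keyspace X L: number of candidates of exactly L characters from an alphabet
# of X symbols.
keyspace() {
    awk -v x="$1" -v l="$2" \
        'BEGIN { r = 1; for (i = 0; i < l; i++) r *= x; printf "%.0f\n", r }'
}

# seconds_to_exhaust X L RATE: worst-case time to try every candidate at RATE
# guesses per second (assumed rate), rounded down to whole seconds.
seconds_to_exhaust() {
    awk -v x="$1" -v l="$2" -v rate="$3" \
        'BEGIN { r = 1; for (i = 0; i < l; i++) r *= x; printf "%.0f\n", int(r / rate) }'
}

# The post's Top 30 list as "count password" pairs (copied from the post).
TOP30='418 stratfor
71 123456
50 stratfor1
45 1234
39 password
28 strat4
27 1qaz2wsx
15 changeme
12 samsam
10 baseball
9 charlie
9 testing
8 abc123
8 trustno1
7 qwerty
7 research
6 21937
6 andrea
6 password1
6 qqq111
6 STRATFOR
5 12345
5 12345678
5 alex
5 dragon
5 golfer
5 london
4 111111
4 333333
4 andrew'

# total_occurrences: sum of all Top 30 counts.
total_occurrences() {
    printf '%s\n' "$TOP30" | awk '{ t += $1 } END { printf "%d\n", t + 0 }'
}

# occurrences_containing SUBSTR: total count of entries whose password
# contains SUBSTR, case-insensitively (e.g. the company name).
occurrences_containing() {
    printf '%s\n' "$TOP30" | awk -v s="$1" \
        'BEGIN { s = tolower(s) } index(tolower($2), s) { n += $1 } END { printf "%d\n", n + 0 }'
}

# occurrences_max_length N: total count of entries whose password is at most
# N characters long.
occurrences_max_length() {
    printf '%s\n' "$TOP30" | awk -v n="$1" \
        'length($2) <= n { t += $1 } END { printf "%d\n", t + 0 }'
}

# Demonstration: one more symbol in the alphabet versus one more character.
echo "36^8 = $(keyspace 36 8)   (letters + digits, 8 characters)"
echo "37^8 = $(keyspace 37 8)   (one extra symbol in the alphabet)"
echo "36^9 = $(keyspace 36 9)   (one extra character in the password)"
echo "worst case for 36^8 at 1e9 guesses/s (assumed): $(seconds_to_exhaust 36 8 1000000000) s"
echo "Top 30 occurrences containing 'stratfor': $(occurrences_containing stratfor) of $(total_occurrences)"
echo "Top 30 occurrences of 8 characters or fewer: $(occurrences_max_length 8) of $(total_occurrences)"
```

Running it shows the point of the paragraph on keyspace: adding one character to the length multiplies the space by 36, while adding one symbol to the alphabet barely moves it; and on the Top 30 list it shows that over half of the occurrences are the company name or a trivial variation of it, so a dictionary built from nothing but the target's name would have covered them.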

Of course, if you're a Stratfor customer reading this post, I strongly recommend that you change your passwords if you are re-using any of these credentials on other Internet services. In addition, you should expect a zillion phishing, virus and scam e-mails in the next few days, since your e-mail address has been published, among other things.

So how strong is your password?