
Are You Sure About Your AIX Security?

August 15, 2012

I had promised to write about RBAC this time, but current events lead me in a different direction. Access controls are important for managing a secure system, but are you sure your system is secure (i.e., has the most recent/relevant patches)? Are you sure?

If your answer is no, but only because you know you have not applied the latest software updates, you might be able to say “qualified yes” instead. The real question is: do you know what you have and have not applied? Have you done your research, and are you sure the patches you have not applied are not what IBM calls HIPER (High Impact PERvasive)?

The current event that caused me to switch topics was a successful malware outbreak, large scale in the Netherlands and less so elsewhere. That the systems affected are Windows based (not AIX) is secondary. The after-action analysis concludes that the affected systems were already infected by another virus that should have been spotted by anti-virus scanners. This is what hackers hope for: lazy, uninformed, unknowing, inactive administrators.

The malware has been dubbed XDocCrypt/Dorifel by the National Cyber Security Center (NCSC), an institute of the Netherlands government. More information is available from the NCSC and in its Dutch-language report on Dorifel.

If you are asking yourself, “What does a Windows virus have to do with securing AIX?”, I come back to my question: are you sure about the security patches you may not know about? Fortunately, AIX systems are not as open to attack as other operating systems, but that does not mean there are no attacks, and no vulnerabilities being found, exploited, and also patched! I must assume attacks occur; I must assume some succeed; I know they are patched! In other words, a certain level of paranoia (i.e., fear of impending doom) is needed to keep systems secure (paranoia about the bad press your company, city, county or province will get when systems go offline and put you in the international news because you did not have them patched. Or are you looking to be infamous?).

So if you are not sure, I want to suggest you look at a built-in utility for getting updates as they are released: SUMA. You will need an AIX system with Internet access so that it can reach the IBM servers that host the updates. I wrote a couple of articles (now so old they need updating ;): "HOWTO: Use SUMA to Download AIX Updates" and "HOWTO: Use SUMA and NIM to manage Software updates." The second article is “timely” because IBM has a new product with a component that takes the integration of SUMA and updating systems using NIM to a new, automated level. This product will help you say, “Yes, I am sure!” The product is PowerSC (see the IBM Systems Magazine article “PowerSC Features at a Glance” and/or the IBM website PowerSC Overview).

I have discussions (read: I ask, “How are you keeping your systems up to date?” and we go from there) with customers I visit for assessments on POWER virtualization, performance and/or security. Generally, customers have many reasons for not having all systems up to date. I never disagree with those reasons. My role is to help customers improve utilization, performance and/or security while, ideally, lowering costs. What ties this all together is that very few administrators know exactly which systems are patched at the “latest” level. Neither are they aware of how many different versions are in use. This is a situation where spending a little time and money on education and tools can save costs, headaches and perhaps embarrassment.

PowerSC is a package of tools that have a collective goal of simplifying the hassle of keeping a large number of (virtual) systems consistent. Consistency, imho, is the starting point of being able to manage risks and the associated vulnerabilities. And I do not mean to limit myself to security. Consistency of your installations will help lower your system and application management costs.

One component of PowerSC–Trusted Network Connect And Patch Management (TNC)–is meant to help with keeping systems consistent at specific patch levels. TNC does this by getting patches via SUMA and updating systems using a NIM server. The extra bit that makes life simple for the system administrators is that systems (virtual machines running AIX) are registered with a central system. This central system monitors SUMA servers for updates, gets them when there are new patches, creates a NIM resource for the update and schedules the systems for updates. If a virtual machine is offline or not available, TNC can provide an alert that it is not patched. More important perhaps is that it notifies the administrator that it is not patched as soon as the system is activated. No more having to go through a manual process of verifying which systems are patched.
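The point of SUMA, NIM and TNC above is knowing, for every LPAR, whether it is at the patch level you intend. As an added example (not code from the article, from IBM, or from PowerSC), the POSIX shell script below answers the two questions raised earlier: which hosts are behind a chosen baseline, and how many different levels the fleet is really running. On a real system the per-host level comes from `oslevel -s`; here the inventory, the hostnames and the baseline `7100-02-01` are constructed values so the script runs anywhere.

```shell
#!/bin/sh
# Added example: fleet patch-level check for AIX LPARs against a baseline.
# On each LPAR an administrator would gather the level with:
#     oslevel -s                 -> e.g. 7100-02-01-1245 (VRMF-TL-SP-build)
# and preview what SUMA would fetch for that level with:
#     suma -x -a Action=Preview -a RqType=Latest
# The inventory below is CONSTRUCTED sample data in "<host> <oslevel -s>" form.
INVENTORY='lpar01 7100-02-01-1245
lpar02 7100-01-04-1216
lpar03 7100-02-02-1316
lpar04 6100-08-01-1245
lpar05 7100-02-01-1245'

# Assumed baseline for the example: every host should be at or above this
# version/TL/SP. The build-week suffix is informational and not compared.
BASELINE='7100-02-01'

# level_key LEVEL: turn "7100-02-01[-1245]" into the integer 71000201 so that
# version, technology level and service pack compare in one numeric test.
# oslevel always zero-pads TL and SP to two digits, so the concatenation is
# well-ordered.
level_key() {
    vrmf=$(printf '%s' "$1" | cut -d- -f1)
    tl=$(printf '%s' "$1" | cut -d- -f2)
    sp=$(printf '%s' "$1" | cut -d- -f3)
    printf '%s%s%s\n' "$vrmf" "$tl" "$sp"
}

# level_at_least LEVEL BASELINE: succeed when LEVEL is at or above BASELINE.
level_at_least() {
    [ "$(level_key "$1")" -ge "$(level_key "$2")" ]
}

# hosts_behind BASELINE: print the hostnames that are below BASELINE.
# These are the systems TNC would flag, or that a manual audit must chase.
hosts_behind() {
    printf '%s\n' "$INVENTORY" | while read -r host level; do
        level_at_least "$level" "$1" || printf '%s\n' "$host"
    done
}

# distinct_levels: count how many different patch levels the fleet runs.
# Anything above 1 is inconsistency that raises management and risk cost.
distinct_levels() {
    printf '%s\n' "$INVENTORY" | awk '{print $2}' | sort -u | wc -l | tr -d ' '
}

# Report when run directly.
echo "Hosts below baseline $BASELINE:"
hosts_behind "$BASELINE"
echo "Distinct patch levels in fleet: $(distinct_levels)"
```

With the constructed inventory the report names lpar02 and lpar04 as behind the baseline and counts four distinct levels across five hosts; lpar03 is ahead of the baseline and is correctly left off the list. To use it for real, replace `INVENTORY` with lines collected from `oslevel -s` on each LPAR and set `BASELINE` to the level your SUMA download targeted.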

So, in closing, I would like to bring this back to lessons that can be learned from Dorifel. An excerpt from the FOX-IT blog post “XDocCrypt/Dorifel – Document encrypting and network spreading virus”:

So, how did people get infected by this? Well as it seems it was not a drive-by exploit on a large news site or some compromised advertisement server which caused this malware to run, but instead an already existing ZeuS variant named Citadel which downloaded and executed “a.exe”.

Should you worry about all those encrypted document files on your network…, what you should really worry about, is that there apparently was/is a trojan (ZeuS/Citadel) on your network that was doing active C&C communications and has been leaking all kinds of information from your organization for days, weeks or perhaps even months. And apparently none of your IT security defenses has removed it, has blocked it and neither has signaled you that there was something wrong on that system.

In short, this attack succeeded because not all machines were protected. Files continued to be infected and stored via shares, so when the Dorifel variant was introduced, and 0 of 40 AV products identified it, it spread quickly to other systems. Having a few systems that were not protected for days, weeks or perhaps even months permitted the disease to remain in the system. The lesson I take from this is that I need to be sure that all of my virtual systems are patched: the one I miss or forget is the backdoor I left open.

So, again I ask: are you sure?
