One of the most critical IT-based attacks ever revealed!
Today you can read an open letter to all RSA customers on the RSA website [http://www.rsa.com/node.aspx?id=3872]
The letter states that an extremely sophisticated cyber-attack has been mounted against RSA and that sensitive information regarding RSA SecurID products has been successfully extracted from their systems.
The severity of this issue is clear to anyone interested or involved in IT-Security. RSA SecurID products are used to authenticate to systems and networks all around the globe and right now it's impossible to know how this will affect the massive number of companies, governments and authorities using RSA products to secure logins to their systems.
Also RSA had, at least until today, one of the highest reputations you can possibly get when it comes to trust. It's a cold awakening, at least for me, that my trust in their product will never be the same again. It simply can't be since it's now official that bad guys we don't even know may have access to secrets that potentially can compromise the security of the RSA SecurID solutions.
RSA states that there is until today no evidence that the attack will directly affect their customers but at the same time they recommend their customers to increase security on several areas regarding their IT-environments.
This is the recommendation RSA gives to all their customers:
• We recommend customers increase their focus on security for social media applications and the use of those applications and websites by anyone with access to their critical networks.
• We recommend customers enforce strong password and pin policies.
•We recommend customers follow the rule of least privilege when assigning roles and responsibilities to security administrators.
• We recommend customers re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person’s identity and authority. Employees should not comply with email or phone-based requests for credentials and should report any such attempts.
• We recommend customers pay special attention to security around their active directories, making full use of their SIEM products and also implementing two-factor authentication to control access to active directories.
• We recommend customers watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.
• We recommend customers harden, closely monitor, and limit remote and physical access to infrastructure that is hosting critical security software.
• We recommend customers examine their help desk practices for information leakage that could help an attacker perform a social engineering attack.
• We recommend customers update their security products and the operating systems hosting them with the latest patches.
These are very demanding recommendations from RSA and reading between the lines I get worried. I don’t think RSA would ask their customers to do all this unless the result of the intrusion was VERY serious.
As a security consultant my guess is that I and my team will be very busy helping RSA customers to follow these recommendations for months to come. I have to say that the recommendations however are valid to anyone interested in protecting their IT-infrastructure so let the message to RSA Customers be a message to all of us.
And if you need help in this area you know where to find me and the Truesec security Team!
Feel free to contact me marcus.murray[at]Truesec[dot]com
Stay safe!
/Marcus Murray,
Security Team Manager, Truesec
MVP – Enterprise Security
SharePoint 2010 & PowerShell
SharePoint is one of the fastest growing products in history, and it is quickly becoming mission critical for numerous companies around the world. Whereas SharePoint 2007 was a really cool product with an automation API, using it for automation purposes was a bit complicated for the average SharePoint admin. This is where the inclusion of Windows PowerShell as a management tool for SharePoint 2010 comes into play.
In SharePoint 2010 you can start Windows PowerShell through the SharePoint 2010 Management Shell. The shell runs the SharePoint.ps1 script at startup and executes the following code:
$ver = $host | select version
if ($ver.Version.Major -gt 1) {$Host.Runspace.ThreadOptions = "ReuseThread"}
Add-PsSnapin Microsoft.SharePoint.PowerShell
Set-location $home
The code in the example above stores the host's version in a variable and, if the major version is greater than one (that is, if you are running PowerShell V2), sets the ThreadOptions property to “ReuseThread”, which runs each line, function or script on the same thread. When working with the SharePoint object model using PowerShell, running code on separate threads can cause memory leaks, while commands running on the same thread have a smaller chance of doing so. This is because some SharePoint objects still use unmanaged code, and because of the way memory is allocated to those objects. Next, the SharePoint snap-in is loaded (snap-ins are Microsoft .NET Framework assemblies that may contain custom Windows PowerShell cmdlets).
The SharePoint 2010 cmdlets
The SharePoint 2010 snap-in for Windows PowerShell contains more than 500 cmdlets that you can use to perform a large variety of administrative tasks. Let’s see how we can list all the SharePoint cmdlets using the Get-Command cmdlet. Get-Command returns basic information about cmdlets and other elements of Windows PowerShell commands, such as functions, aliases, filters, scripts, and applications. All nouns of the SharePoint 2010 cmdlets start with “SP”. Knowing this, we can use Get-Command’s -Noun parameter followed by SP*:
PS > Get-Command -Noun SP*

The list of cmdlets returned is pretty long. You can use Get-Command to find specific SharePoint 2010 cmdlets. If you for example want to find all cmdlets that are used to manage site collections you can simply type:
PS > Get-Command -Noun SPSite
CommandType     Name                Definition
-----------     ----                ----------
Cmdlet          Backup-SPSite       Backup-SPSite [-Identity] <SPSitePip
Cmdlet          Get-SPSite          Get-SPSite [-Limit <String>] [-WebAp
Cmdlet          Move-SPSite         Move-SPSite [-Identity] <SPSitePipeB
Cmdlet          New-SPSite          New-SPSite [-Url] <String> [-Languag
Cmdlet          Remove-SPSite       Remove-SPSite [-Identity] <SPSitePip
Cmdlet          Restore-SPSite      Restore-SPSite [-Identity] <String>
Cmdlet          Set-SPSite          Set-SPSite [-Identity] <SPSitePipeBi
Working with the SharePoint 2010 cmdlets
Let’s see what we can do with the Get-SPSite cmdlet. Typing the cmdlet in PowerShell returns the Site Collections available:
PS > Get-SPSite
Url
---
http://spserver
Notice how the command returns only the Site Collection’s Url property, although the returned objects have a lot more properties. The properties displayed by default are controlled by a set of formatting files. Windows PowerShell includes ten formatting files and SharePoint 2010 comes with 13 additional formatting files that are used to generate a default display of various .NET objects.
We can display additional properties using the Select-Object cmdlet. In the example below we use the -Identity parameter supported by the Get-SPSite cmdlet to retrieve a specific Site Collection and pipe the object to the Select-Object cmdlet.
PS > Get-SPSite -Identity http://SPServer | Select-Object -Property Url, Zone, Port
Url                Zone       Port
---                ----       ----
http://spserver    Default    80
It’s also possible to change specific properties on a Site Collection. First let’s see how we can add a secondary contact to the Site Collection using the Set-SPSite cmdlet.
PS > Get-SPSite -Identity http://SPServer |
>> Set-SPSite -SecondaryOwnerAlias domain\user
If we use the Select-Object cmdlet again and display the SecondaryContact property, we’ll see that the user has been added as a secondary contact to the Site Collection.
PS > Get-SPSite -Identity http://SPServer | Select SecondaryContact
SecondaryContact
----------------
Domain\user
You can also store an object of the type SPSite in a variable and set the SecondaryContact property. The property requires an object of the type Microsoft.SharePoint.SPUser – which is just the type of object that the Get-SPUser cmdlet returns. Note that the user has to exist in the Site Collection.
PS > $spSite = Get-SPSite -Identity http://SPServer
PS > $spSite.SecondaryContact =
>> (Get-SPUser -Web http://SPServer -Identity domain\user)
What if you want to add a user that exists in Active-Directory but does not exist in the Site Collection? Simply use the New-SPUser cmdlet to add a user to a Site Collection and then add the object to the SecondaryContact property.
PS > $spUser = New-SPUser -Web http://SPServer -UserAlias domain\newuser
PS > $spSite.SecondaryContact = $spUser
When we are done with the object stored in the $spSite variable it’s important to Dispose of it correctly. One way of doing this is by calling the Dispose() method as shown below.
PS > $spSite.Dispose()
Why do we have to dispose of the object? Well, SPWeb, SPSite, and SPSiteAdministration objects can sometimes take up large amounts of memory, so using any of these objects in PowerShell requires proper memory management. Normally, instances of these objects obtained through cmdlets such as Get-SPSite are disposed of automatically at the end of the pipeline, but this does not happen to instances stored in variables. You can dispose of objects using the Dispose() method as demonstrated in the example above or you can use the Start-SPAssignment and Stop-SPAssignment cmdlets that were introduced in SharePoint 2010 to spare scripters the need to dispose of such objects individually.
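The Start-SPAssignment / Stop-SPAssignment pattern mentioned above, as an added example that is not part of the original post: it lists the owner and secondary contact of every site collection and releases all SPSite objects in a finally block, so they are disposed of even when a site fails mid-run. The function name Get-SiteCollectionContact is a hypothetical helper, and the script assumes it runs in the SharePoint 2010 Management Shell with the snap-in loaded.

```powershell
# Added example (not from the original post). Run in the SharePoint 2010
# Management Shell, where the Microsoft.SharePoint.PowerShell snap-in is loaded.
# Get-SiteCollectionContact is a hypothetical helper name.
function Get-SiteCollectionContact {
    param(
        [string]$WebApplication   # optional: URL of a single web application
    )

    # Named assignment collection: every SPSite bound to it stays alive
    # until Stop-SPAssignment disposes of them all at once.
    $assignment = Start-SPAssignment
    try {
        $siteArgs = @{ Limit = 'All'; AssignmentCollection = $assignment }
        if ($WebApplication) { $siteArgs.WebApplication = $WebApplication }

        Get-SPSite @siteArgs | ForEach-Object {
            # Owner and SecondaryContact are SPUser objects and may be $null.
            $owner     = $null
            $secondary = $null
            if ($_.Owner)            { $owner     = $_.Owner.LoginName }
            if ($_.SecondaryContact) { $secondary = $_.SecondaryContact.LoginName }

            # Emit plain strings so nothing downstream holds on to an SPSite.
            New-Object PSObject -Property @{
                Url              = $_.Url
                Owner            = $owner
                SecondaryContact = $secondary
            }
        }
    }
    finally {
        # Runs on errors too, so a failing site does not leak the others.
        Stop-SPAssignment $assignment
    }
}

# Usage: list every site collection that has no secondary contact.
Get-SiteCollectionContact |
    Where-Object { -not $_.SecondaryContact } |
    Select-Object Url, Owner
```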
Be sure to check out “PowerShell for SharePoint 2010 Administrators” for detailed examples on how to automate your SharePoint 2010 environment using Windows PowerShell.
Regards
Niklas Goude