Month: June 2007

Suggested Blog Reading – Wednesday June 6th, 2007

Now that I’m back home I hope that I won’t have to travel to Houston again any time soon. The city is nice but it involves quite a bit of time on a plane to get there and back 🙂

Here’s the list:

IBM to Buy Watchfire Security Software Firm – This is an interesting acquisition for IBM to improve their web application security offerings.

IBM, the world’s largest technology services company, said on Wednesday it will buy privately held security and compliance testing software company Watchfire Corp. for an undisclosed amount.

The deal is expected to close in the third quarter, International Business Machines Corp. said in a statement.

How to become a “security guru” – I someday hope to become a Gru as well 😛

The most important issue facing you experts is that people aren’t going to listen to you most of the time. It doesn’t matter if you are the summer intern or the CEO: getting people to listen is hard. It’s not your job to “tell” people what the right answer is, but to “sell” your idea. If you get angry and poison your working relationships, you are not going to be an effective salesman. The reason experts get angry or frustrated is because they blame others for not listening to the “truth”, rather than blaming themselves for their inability to sell their ideas.

Additional Image Bypass on Windows – Another example of image bypass on a Windows machine.

Michael Schramm posted about another way to do image filter bypassing using alternate file streams on NTFS file systems. Pretty cool stuff (thinking outside the box of what a file really means on different systems).

Undercover Exploits and Vulnerabilities – This post presents a timeline of undercover exploits going as far back as 1988.

I am trying to keep this updated, but life intervenes. Please let me know if I’ve missed some (browser/office vulns?). Note the animated cursor bug in April ’07 does not fit the definition.

Some Enterprise Traffic Analysis – Wow, what a great resource to practice your traffic analysis skills.

Finally, we got some spare time to analyze a few traces available on the LBL-ICSI project website. We would like to extend a big thank you to these guys for making such a valuable resource publicly available.

First thing to note is that these traces have their payloads stripped, only the first 54 bytes are captured. This precludes some of the advanced features like PDU, Stream, and User Objects, from working. Secondly, we are better off doing “traffic analysis” rather than “protocol analysis” on this huge glob of data.

Survey: Microsoft IIS twice as likely to host malware – I kinda always knew 🙂

Web sites hosted on Microsoft’s Web servers are twice as likely to have embedded malware as those using the open-source Apache software, Google security researchers stated in survey results published on Tuesday.

The importance of vulnerability research – If we stop looking, we stop finding. That is as simple as I can put it.

Testing in-house and vendor-built software for security holes should be an enterprise priority, said a group of vulnerability research experts speaking on a panel at the Gartner IT Security Summit held here this week. But Rich Mogull, the Gartner analyst who hosted the panel, questioned how practical it would be for companies to dedicate the dollars and resources required for this testing.

NIST Draft SP 800-54, Border Gateway Protocol Security

NIST has just released draft SP 800-54 entitled Border Gateway Protocol Security (PDF). Few people comprehend the seriousness of an attack on a protocol such as BGP. The introduction section of the paper provides some insight:

Most of the risk to BGP comes from accidental failures, but there is also a significant risk that attackers could disable parts or all of network, disrupting communications, commerce, and possibly putting lives and property in danger. This document discusses the structure and function of BGP, potential attacks, available countermeasures, and the costs and benefits related to countermeasures. The emphasis in this publication is on measures that may be applied either immediately or in a short time. A variety of proposals have been introduced in standards bodies for more comprehensive approaches to BGP security, but issues are not yet settled as to which, if any, of these proposals will be adopted by the producers and consumers of routing equipment. The aim of this document is to give decision makers a selection of measures that can be deployed rapidly, yet provide significant improvements to routing security.

A good explanation of BGP can be found on Wikipedia:

The Border Gateway Protocol (BGP) is the core routing protocol of the Internet. It works by maintaining a table of IP networks or ‘prefixes’ which designate network reachability among autonomous systems (AS). It is described as a path vector protocol. BGP does not use traditional IGP metrics, but makes routing decisions based on path, network policies and/or rulesets. From January 2006, the current version of BGP, version 4, is codified in RFC 4271.

The paper provides detailed explanations, with diagrams, of several potential attacks against the BGP protocol:

  • Peer Spoofing and TCP Resets – The goal of the spoofing attack may be to insert false information into a BGP peer’s routing tables. Peer IP addresses can often be found using the ICMP traceroute function, so BGP implementations should include countermeasures against this attack.

  • TCP Resets Using ICMP – TCP resets cause loss of BGP peering sessions, forcing a need to rebuild routing tables and possibly causing route flapping.

  • Session Hijacking – Like the TCP reset attack, session hijacking involves intrusion into an ongoing BGP session, i.e., the attacker successfully masquerades as one of the peers in a BGP session, and requires the same information needed to accomplish the reset attack. The difference is that a session hijacking attack may be designed to achieve more than simply bringing down a session between BGP peers.

  • Route Flapping – Route flapping refers to repetitive changes to the BGP routing table, often several times a minute. A “route flap” occurs when a route is withdrawn and then re-advertised. High-rate route flapping can cause a serious problem for routers, because every flap causes route changes or withdrawals that propagate through the network of ASes.

  • Route Deaggregation – Route deaggregation occurs when more specific (i.e., longer prefix) routes are advertised by BGP peers. For example, if prefixes 129.0.0.0/8 and 129.0.0.0/16 are both advertised, BGP algorithms will select the second (for any addresses within 129.0.0.0/16) because it is more specific. In some cases this is normal and appropriate operation as a result of configuration changes, but it can occur as a result of error or malicious activity.

  • Malicious Route Injection – BGP exists to spread routing information across the Internet. Routers tell each other what prefixes they can reach and provide data on how efficiently they can reach addresses within these prefixes. In a benign, cooperative environment this works well, but a malicious party could begin sending out updates with incorrect routing information.

  • Unallocated Route Injection – A particular variety of malicious route injection involves the transmission of routes to unallocated prefixes. These prefixes specify sets of IP addresses that have not been assigned yet, i.e., no one should be using these addresses, so no traffic should be routed to them. Therefore, any route information for these prefixes is clearly faulty or malicious, and should be dropped.

  • Denial of Service via Resource Exhaustion – Like all computers, routers have a finite amount of storage and processing cycles available. One of the most common attacks of this type is known as a “SYN flood”, in which a large number of TCP/IP communication sessions are started using the SYN (synchronization) packet, without follow-up by the appropriate next packet type. This causes the receiving host to reserve storage space for the session. With enough SYN packets, space is eventually exhausted on the host. Since BGP is implemented on TCP/IP, BGP processing can be affected by this attack.

  • Link Cutting Attack – An inherent vulnerability in routing protocols is their potential for manipulation by cutting links in the network. By removing links, either through denial of service or physical attacks, an attacker can divert traffic to allow for eavesdropping, blackholing, or traffic analysis. Because routing protocols are designed to find paths around broken links, these attacks are particularly hard to defend against.

I encourage everyone to give this paper a thorough read, especially if you’re responsible for the border routers in your organization and leverage the BGP protocol.

Suggested Blog Reading – Tuesday June 5th, 2007

Well, my training session has completed and I head back home on the first thing smoking tomorrow morning. At the client site I was amazed to discover that the employees are mandated to take a ten minute break every hour. Not only are they told to take a break but their workstations actually lock them out after a specified period of time or after ‘x’ number of keystrokes. I’m fairly certain this would kill my productivity but it appears to work well for them. Very strange 🙂

Here’s the list:

2007 Security by the Numbers – Good set of statistics for use in your sales or technical presentations.

Phishing, spam, bot networks, trojans, adware, spyware, zero-day threats, data theft, identity theft, credit card fraud – cybercrime isn’t just becoming more prevalent, it’s getting more sophisticated and subtle every day. At least that’s the conclusion suggested by recent threat reports from major industry players and government organizations.

Iframe > malicious javascript > trojan, (Tue, Jun 5th) – Interesting analysis.

The server has since had the iframe removed. The owner was a little less than gracious when we spoke this morning. He was aware that it was compromised and infecting web users. If you are notified that a system you run or own is involved in an incident please take action as soon as you can.

My Presentation: Interop Moscow Keynote on Security Trends – Always a pleasure to read one of Dr. C’s presentations 🙂

Here is my recent keynote presentation on security trends from Interop Moscow (sorry, teaser version only – I plan to give it again some time)

SQLBrute – SQL Injection Brute Force Tool – New tool to check out.

SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploit types on Microsoft SQL Server, and error based exploit on Oracle. It is written in Python, uses multi-threading, and doesn’t require non-standard libraries (there is some code in there for pycurl, but it is disabled because it isn’t finished).

How to find your websites (Road to Website Vulnerability Assessment part 1) – Refresher of steps to take in order to start assessing a website for vulnerabilities.

I spend a lot of time with companies, mostly large and medium sized, who are interested in finding the vulnerabilities in their websites. Obviously the first step in the VA process is to first FIND the websites. Now this may come as a surprise to many: companies with more than 5 or 6 websites tend not to know what they are, what they do, or who’s responsible for them. And if they don’t know what websites they own, there is no hope of securing them.
