Apr 9

I have been doing a lot of reading lately about the history of security research and the issue of full disclosure. It is a hugely debated issue, and before I started getting into security I was completely unaware of it. It isn’t something that hits the news often, and when a vulnerability does make the news, the disclosure question behind it is usually so controversial that nobody in the mainstream touches on it.

So what is it exactly? When a security vulnerability is discovered, the debate revolves around whether or not knowledge of that vulnerability should be open to the public. Some people say that making sensitive information like that public only puts customers and the general public more at risk by releasing the information into untrusted hands. Others say that untrusted individuals already had that information, and that releasing it to the public helps speed up the process of getting a proper fix out to the people who need it.

No matter where you stand on the issue, both sides seem to agree that one of the greatest issues is communication. There are generally two parties involved: the vendors that make the software at risk, and the security researchers who initially discovered the vulnerability. These parties must communicate in a way that is in the public’s best interest. However, poor communication between the two can deteriorate relations and can lead to the disclosure of sensitive vulnerability information. Vendors typically claim that they are not given enough time to get a fix properly released. The security researchers sometimes claim that waiting too long to get a patch to the general public puts the public at increased risk with each day that goes by without a proper patch.

There have been many disclosure policies developed over the last decade that are aimed at helping establish proper communication between all parties involved, such as RFP, OIS, and ZDI. Many of these are just guidelines and exist out of general respect for both sides. Neither side, however, is obligated to follow them. They do help give each side of the fence a certain set of expectations: if one side is following a specific policy and staying within its guidelines, then the other side will know what to expect. They also help open lines of communication that may not have been there before the policies were put in place. Many times, when a security researcher discovered a flaw in a piece of software, they had no idea where to turn to get the flaw fixed.

After reading more and more about the history of this issue, when I see events like the DNS vulnerability that Dan Kaminsky and the associated vendors handled, it really amazes me how well everyone involved was able to communicate and help get the issue resolved. Without open lines of communication from both sides, we just won’t be prepared enough to handle widespread issues properly when they arise.

Apr 1

There has been a lot of buzz lately about the Conficker worm that has been circulating and has now infected nearly 12 million Windows computers worldwide. But not all the news regarding the Conficker worm is doom and gloom. Experts in the field have discovered a flaw in the worm itself that allows security administrators to isolate infected computers.

When the Conficker worm infects a computer, it applies its own version of the Microsoft patch released last October that fixes the vulnerability the worm exploits, so that when the computer is scanned for patches, the vulnerability goes undetected. However, security researcher Dan Kaminsky said a research group found it was far easier to distinguish a computer patched by the Conficker worm from one patched with Microsoft’s update, due to a flaw in the Conficker code.

From this, they have been able to create scanning tools that help determine whether or not specific computers are infected with Conficker, based on the flaw they found.

The problem with this type of resolution, though, is that it could give criminals an opening into the botnet to create new worms that would allow them to take control of sections of it.

Such an “anti-worm” might well be more destructive than the Conficker worm itself, Kaminsky said. “You would have to build something that is as virulent as the current worm, and be willing to become the kind of monster you’re trying to fight,” Kaminsky said. “No one can play counter-worm very well.”

If one good thing has come out of the Conficker flaw, it is that it highlights weaknesses found in almost all third-party security patches. Usually the security industry releases separate patches and scanners for a particular virus or worm to provide protection until a complete update can be released. But those updates are generally produced by people who do not have access to the source code, so there is no guarantee that the patch succeeds. The Conficker flaw has shown that systems really can’t be considered purged until they have had a full cleaning with updated scanning software made from the source code.

Mar 26

I wanted to quickly post on a topic I was reading about this morning. There were several posts I came across that I found important to take note of. They are about a growing trend in attacks in 2009. Infrastructure attacks have been on the rise since January, and they are a large concern for many because of the way most professionals handle their core infrastructure.

In a recent post, Dan Kaminsky talks about the growing trend of infrastructure attacks in 2009 and the need for better security across the infrastructure. Network devices need to be easier to update. Current-generation appliances require cumbersome update processes that often result in needing scheduled outage periods, not to mention the risk of bricking the hardware during a firmware upgrade. There is a growing need for an automatic update process, much like the kind desktops use, in order to keep up with the trend of infrastructure attacks.

One such infrastructure attack is the one Ryan Naraine talked about in his blog post: the psyb0t worm, which affects embedded Linux devices like ADSL modems and the like. This means there are hundreds of thousands of home routers that are vulnerable, and an estimated 100,000 are already infected.

With the growing trend of infrastructure attacks this year, I suspect there will be a new trend to combat it. People will begin to re-evaluate how they handle their infrastructure. We may start to see network appliance manufacturers implement auto-update features for their devices. We’ll just have to wait and see.

Sep 9

Any time you introduce new features or products into your network, you must be aware that you may also be introducing new security threats. Technology is meant to be an asset to the business, that is, to increase productivity. Unification is all the buzz lately, and many applications on the network have become “unified”. This means that applications and resources on the network are integrating and seamlessly providing access through one interface.

Many businesses have seen the benefits that can be provided by a VoIP phone system and have migrated their older generation system to this new technology. But, because VoIP is over the data network, there have been new security risks associated with it. Because of this, many IT departments have chosen to segregate their voice networks from their data networks as much as possible.

But now many VoIP applications offer unified communications, which integrates many data applications on the network with your voice communications and introduces many new ways for attackers to gain access to confidential information. Unified communications (UC) opens up your infrastructure so that users can collaborate and share ideas more easily. All this opens up the VoIP network to the data network and vice versa. VoIP now integrates with applications such as LDAP, email, and instant messaging. This means that network credentials can now be stolen through the VoIP network, and once those credentials are compromised, a much broader range of access can be achieved. Softphone clients are common in UC implementations, and they provide one more point of access for attackers to take advantage of.

Still, while some of the more complicated attacks against UC at the application layer garner more attention, the more prevalent attacks are the lower network-layer attacks that can deny service to VoIP networks. Protecting your network at the lower layers can have a greater impact on your overall network security. When it comes to UC implementations, including security planning early in the development cycle makes it much easier to create a secure environment.

Sep 8

A little time has passed since the major uproar over the critical DNS cache vulnerability that researcher Dan Kaminsky discovered. Since then a temporary “band-aid” fix has been applied. Randomized source ports are used to make it very difficult for an attacker to poison a DNS server’s cache. But it is not a fix that can stand the test of time to secure DNS. DNS is still broken and vulnerable and much more work and many more ideas are needed to secure it.

There have been a lot of ideas to come out from researchers to find a way to secure DNS. Many of them are discussed on Dan Kaminsky’s blog and he discusses their benefits, downsides, and their possible implementation.
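Since the “band-aid” is source port randomization, the check an administrator actually wants is whether their resolver is really using random ports or is still sending every query from one fixed or sequential port. The following is an added example (not from the post, and not Kaminsky’s code): it parses outbound query records in a constructed, generic “src -> dst” log format, then classifies the port behaviour. The log format, the thresholds, and the sample port sets are my own assumptions; a real deployment would feed it the source ports captured from the resolver’s outbound traffic.

```python
import math
import random
import re
from collections import Counter

# Generic, constructed log format: "<timestamp> udp <src ip>:<src port> -> <dst ip>:53"
LOG_RE = re.compile(r"udp \d+\.\d+\.\d+\.\d+:(\d+) -> \d+\.\d+\.\d+\.\d+:53\b")


def make_log(ports):
    """Build constructed log lines, one outbound DNS query per source port (demo data only)."""
    return "\n".join(
        f"2008-09-08T10:{i // 60:02d}:{i % 60:02d} udp 192.0.2.53:{p} -> 198.51.100.{1 + i % 4}:53"
        for i, p in enumerate(ports)
    )


def parse_ports(log_text):
    """Extract the resolver's source ports, in query order, from the log text."""
    return [int(m.group(1)) for m in LOG_RE.finditer(log_text)]


def port_stats(ports):
    """Summarise how much the source port actually varies across the observed queries."""
    n = len(ports)
    counts = Counter(ports)
    # Shannon entropy of the observed port distribution, in bits (0 for a single fixed port)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values()) if n else 0.0
    # Fraction of consecutive queries that advance by one constant small step (a counter, not a PRNG)
    steps = [b - a for a, b in zip(ports, ports[1:])]
    sequential = 0.0
    if steps:
        common_step, freq = Counter(steps).most_common(1)[0]
        if common_step != 0 and abs(common_step) <= 2:
            sequential = freq / len(steps)
    span = (max(ports) - min(ports)) if ports else 0
    return {"samples": n, "distinct": len(counts), "entropy_bits": entropy,
            "sequential_fraction": sequential, "span": span}


def assess(ports):
    """Verdict on the observed ports. Thresholds are assumptions chosen for this demo."""
    s = port_stats(ports)
    if s["samples"] < 20:
        return "insufficient"          # too few queries to say anything
    if s["distinct"] <= 1:
        return "fixed"                 # pre-patch behaviour: only the 16-bit transaction ID is left to guess
    if s["sequential_fraction"] >= 0.9:
        return "sequential"            # a counter is as predictable as a fixed port
    if s["span"] < 4096:
        return "narrow"                # random, but drawn from too small a range to add much entropy
    if s["distinct"] < 0.8 * s["samples"]:
        return "weak"                  # heavy reuse of a handful of ports
    return "ok"


# Constructed sample port sets (seeded so the demo is reproducible)
RANDOM_PORTS = random.Random(2008).sample(range(1024, 65536), 200)   # full ephemeral range
NARROW_PORTS = random.Random(2008).sample(range(1024, 2048), 200)    # random but only 1024 values wide

if __name__ == "__main__":
    for label, ports in [("fixed", [32768] * 50), ("sequential", list(range(32768, 32968))),
                         ("narrow", NARROW_PORTS), ("random", RANDOM_PORTS)]:
        print(label, assess(parse_ports(make_log(ports))), port_stats(ports)["entropy_bits"])
```

Only the resolver’s own outbound queries belong in the input; mixing in client-to-resolver traffic (where clients pick the ports) would make a broken resolver look fine.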

In an earlier article on his blog he discussed using TTL as a security feature. Someone came up with a method of using TTL to prevent someone from poisoning the cache on a server unless the TTL (time-to-live) on a record has expired. Kaminsky points out several problems with this. One is that TTLs vary from server to server: for records with very high TTLs the rule can actually cause a lot of problems, and for those with very low TTLs you gain little from it.
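To make the trade-off concrete, here is an added example (my own toy model, not code from Kaminsky’s blog or from the proposal) of a resolver cache that applies the proposed rule, refusing to replace a record until its TTL has run out. The record names, addresses and timings are constructed; the “attacker” is represented only as a forged answer arriving at a chosen time, so the model shows what the rule does and does not protect, not how a poisoning is performed.

```python
from dataclasses import dataclass


@dataclass
class Record:
    value: str
    expires_at: int  # seconds on a simple simulated clock


class TtlGuardedCache:
    """Toy resolver cache with the proposed rule: a cached record cannot be replaced before its TTL expires."""

    def __init__(self):
        self.entries = {}

    def offer(self, name, value, ttl, now):
        """An answer for `name` arrives at time `now`. Returns True if cached, False if refused."""
        cur = self.entries.get(name)
        if cur is not None and now < cur.expires_at:
            return False  # the rule: never overwrite an unexpired record, whoever sent the answer
        self.entries[name] = Record(value, now + ttl)
        return True

    def lookup(self, name, now):
        cur = self.entries.get(name)
        if cur is None or now >= cur.expires_at:
            return None
        return cur.value


# Constructed names and addresses for the demo
NAME = "www.example.com"
REAL = "192.0.2.10"        # address cached from the legitimate authoritative server
SPOOFED = "203.0.113.66"   # address carried by a forged answer
NEW_REAL = "192.0.2.20"    # the site legitimately moves to a new address later


def scenario(ttl, attack_at, change_at):
    """Cache the real answer at t=0, receive a forged answer at attack_at, then the legitimate change at change_at."""
    cache = TtlGuardedCache()
    cache.offer(NAME, REAL, ttl, now=0)
    poison_accepted = cache.offer(NAME, SPOOFED, ttl, now=attack_at)
    served_after_attack = cache.lookup(NAME, attack_at + 1)
    update_accepted = cache.offer(NAME, NEW_REAL, ttl, now=change_at)
    served_after_change = cache.lookup(NAME, change_at + 1)
    return {
        "poison_accepted": poison_accepted,
        "served_after_attack": served_after_attack,
        "update_accepted": update_accepted,
        "served_after_change": served_after_change,
    }


if __name__ == "__main__":
    # High TTL (one day): the forged answer is refused, but so is the legitimate change,
    # so clients keep getting the stale address for the rest of the day.
    print("ttl=86400:", scenario(ttl=86400, attack_at=3600, change_at=7200))
    # Low TTL (one minute): the record has long expired when the forged answer arrives,
    # so the rule offers no protection at all; the window it guards is only as long as the TTL.
    print("ttl=60:   ", scenario(ttl=60, attack_at=3600, change_at=7200))
```

The model assumes the forged answer simply arrives first once the record has expired; in a real resolver it would be racing the genuine response, which is exactly the race source port randomization makes harder to win.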

For more on Kaminsky’s take on TTL being used to try and fix DNS, you can read his statements on his blog. It will be interesting to see what people come up with to secure DNS.

Aug 28

In case you needed further confirmation that the internet is not a safe place, a flaw in the Border Gateway Protocol can be exploited to divert internet traffic to another location. This can be done from anywhere on the internet and does not require the attacker to be within the same subnet. This was demonstrated at the DEFCON security conference in August.

While this is not a new discovery, the recent demonstration helps show how unstable and insecure the core infrastructure of the internet really is. Not only are higher-level applications like DNS vulnerable, but the lower-level protocols also have flaws in their design that can be taken advantage of. Experts in the field are calling for changes to internet routing and have been issuing warnings for years. A newer secure protocol, S-BGP, is a possible solution that could be deployed, yet there are still issues that need to be worked out regarding deployment and operation.

For now, however, the only way to get any privacy over the internet is to use point-to-point encryption such as a VPN tunnel. Send data over the internet without encryption and you risk compromising it.

Aug 12

Network security is an evolving animal that changes every year. Just as your virus protection changes its signature database, your company needs to change its endpoint security to maintain quality security control throughout your network. Hackers are modifying their approach to attacks constantly, and if you don’t change how your network filters out these attacks, then you will lose the war.

Managing endpoint security and control on your network is a key factor in your overall security. Today endpoint security requires a multi-layer approach. A study by the European Network and Information Security Industry showed that more than half of all exploits come in the form of browser hijacks and vulnerabilities. Attacks today are also becoming much more blended, which means they take advantage of multiple protocols and mediums to accomplish the task. Attacks like these require that all points in your network are covered; endpoint security of the past is no longer effective enough.

The best way to combat blended attacks today is with a blended or multi-layer endpoint security solution. Intrusion prevention systems are a must. They are not just a solution for enterprise business but also for small and medium-sized businesses, if not even more so. Today small businesses are becoming a large target for attackers, because many small businesses process credit card information but lack the budget for a quality endpoint security and control infrastructure. This makes them an easy target for attackers.

Your endpoint security and control infrastructure today contains several features that help protect your network. They typically involve several of the following forms of protection: antimalware, desktop firewall, hardware gateway firewall, intrusion prevention and detection, device control, application monitoring, and network-wide event monitoring. All these facets are usually monitored and controlled together to provide a comprehensive endpoint security solution. Because each facet can now be broken down into a separate product in and of itself, it allows for scalability across all business sizes.

Aug 11

In a Microsoft Security Bulletin released late last week, 12 new security updates were announced for release this Tuesday. Seven of those updates are labeled critical and the rest are labeled important. This bulletin came at the same time as the Black Hat conference.

During last week’s Black Hat conference, researchers Mark Dowd and Alex Sotirov discussed ways to bypass Windows Vista memory protection techniques like DEP. They use several pieces of browser functionality to do so. They don’t exploit any software vulnerabilities, which means these flaws will be much harder for Microsoft to correct. Microsoft has yet to comment on the findings.

Aug 6

Email is a part of everyday life in the business world. Even small companies will see thousands of emails pass through their servers each day. This means there is plenty of opportunity for attack against your mail server. So here are 5 good tips to help keep your email secure.

1) Change your SMTP banner: Most mail servers accept connections on port 25 for use with SMTP. If you telnet to port 25 on a mail server that accepts connections there, you will receive a response from that server. This response is called the SMTP banner. Usually by default (with Exchange) this banner will not only display the actual server name and domain, but it will also show the version number and software that is running on that server. This is crucial information that an attacker can utilize when planning an attack. It is important that if your server accepts connections on port 25, you mask this banner with a canned message that doesn’t display sensitive information like that. For more information on changing this banner with Microsoft Exchange, read this Microsoft article: Changing your SMTP Banner

2) Enable Relay Restrictions: This is usually set by default on mail servers so that only authenticated users or specified servers are allowed to relay email through your mail server. But it is a good security measure to take to ensure that your mail server is not an open relay. If there are no restrictions set, spammers will have a field day with your server. Not only can this really cripple your server if not taken care of promptly, but it can also get your server blacklisted. Once blacklisted, you will need to find out which blacklists you are on and request to be removed once you prove to them that you are no longer spamming from your server. This can take weeks or months depending on which list you are on. If you aren’t sure if your server is an open relay, you can use this tool to check: Open Relay Checker

3) Make sure your server is up-to-date: Because your mail server is constantly in touch with connections to the outside world, it is crucial that it is always up-to-date. A lot of IT professionals will ensure that their servers have the latest Windows Updates installed, but don’t forget about Exchange updates and service packs as well. Automatic Updates won’t keep those up-to-date, and many times the security vulnerabilities that need to be patched in Exchange are more critical than your typical Windows update. While there is no excuse for an out-of-date server, if installing updates is something that takes up too much of your time, then look into a patch management solution. Microsoft offers a free solution for all their software systems called Windows Server Update Services.

4) Protect your mail server with a front-end server: Another good idea for security is to set up a front-end server to act as either a proxy or relay between the mail server that stores your mail databases and the internet. The front-end server will handle all HTTP and SMTP requests for your main mail server. All emails will then be relayed from this front-end server to your main mail server. What this allows you to do is close off port 25 to your main mail server so that it is hidden behind your firewall. Many companies will even provide this service for you. Having your server behind a firewall and accepting connections from only internal mail clients and the front-end server will greatly increase the security of your server.

5) Spam and Virus Protection: I’ve listed both spam and antivirus under the same number here because I think we are at the stage where they both go hand in hand. It is important that you maintain antivirus and antispam software on your network. I recommend using a separate appliance for spam, as this will help stop spam emails from even reaching your mail server. If your mail server processes a lot of emails every day, then this will help alleviate some of the strain that it carries. Making sure that both systems are up-to-date with the latest signatures goes without saying.

These are only 5 tips for helping maintain security on your mail server, and there are a ton more. Hopefully these will get you on the right track and taking email security seriously.
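Tips 1 and 2 are both things you can verify against your own server with nothing more than a telnet session, and the transcript of that session is enough to decide both questions. The following is an added example (my own code, not from the post, from Microsoft, or from the Open Relay Checker tool it links to): it takes a constructed transcript of such a session, audits the 220 banner for product and version disclosure, and checks whether a RCPT TO for a domain you do not host was accepted. The two sample transcripts, the list of product names it looks for, and the `fetch_banner` helper (a plain socket read, for use only against your own server) are my assumptions.

```python
import re
import socket

# Constructed transcripts of an admin testing their own server over telnet (not real captures).
# "S: " lines are server replies, "C: " lines are what was typed.
LEAKY_SESSION = """\
S: 220 mail.example.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Mon, 4 Aug 2008 09:12:01 -0400
C: EHLO test.example.net
S: 250 mail.example.com Hello [192.0.2.7]
C: MAIL FROM:<someone@example.net>
S: 250 2.1.0 someone@example.net....Sender OK
C: RCPT TO:<victim@example.org>
S: 250 2.1.5 victim@example.org
"""

HARDENED_SESSION = """\
S: 220 mail.example.com ESMTP
C: EHLO test.example.net
S: 250 mail.example.com Hello [192.0.2.7]
C: MAIL FROM:<someone@example.net>
S: 250 2.1.0 Sender OK
C: RCPT TO:<victim@example.org>
S: 550 5.7.1 Unable to relay for victim@example.org
"""

# Product names whose presence in a banner tells an outsider what you run (assumed list, extend as needed)
SOFTWARE_PATTERNS = [r"Microsoft ESMTP MAIL Service", r"\bExchange\b", r"\bSendmail\b",
                     r"\bPostfix\b", r"\bExim\b", r"\bqmail\b"]
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)+\b")  # e.g. 6.0.3790.3959 or 8.14.3


def parse_session(text):
    """Turn the transcript into an ordered list of ("S" | "C", line) tuples."""
    turns = []
    for line in text.splitlines():
        who, _, msg = line.partition(": ")
        if who in ("S", "C"):
            turns.append((who, msg))
    return turns


def audit_banner(banner):
    """Tip 1: report what the 220 greeting gives away."""
    if not banner.startswith("220"):
        raise ValueError("not an SMTP greeting: " + banner)
    software = next((p for p in SOFTWARE_PATTERNS if re.search(p, banner, re.I)), None)
    version = VERSION_RE.search(banner)
    return {"software": software,
            "version": version.group(0) if version else None,
            "discloses": software is not None or version is not None}


def relay_verdict(turns, local_domains):
    """Tip 2: a 250 reply to RCPT TO for a domain you do not host means the server agreed to relay."""
    local = {d.lower() for d in local_domains}
    for i, (who, msg) in enumerate(turns):
        m = re.match(r"RCPT TO:<[^@>]+@([^>]+)>", msg, re.I)
        if who != "C" or not m or m.group(1).lower() in local:
            continue
        reply = next((t[1] for t in turns[i + 1:] if t[0] == "S"), "")  # reply to this RCPT
        if reply.startswith("250"):
            return "open relay"      # caveat: a few servers accept and bounce later; confirm with a real delivery test
        if reply[:1] == "5":
            return "relay denied"
        return "inconclusive"
    return "no external RCPT in transcript"


def audit_session(text, local_domains):
    """Combine both checks over one transcript."""
    turns = parse_session(text)
    banner = next(msg for who, msg in turns if who == "S")
    return {"banner": audit_banner(banner), "relay": relay_verdict(turns, local_domains)}


def fetch_banner(host, port=25, timeout=5.0):
    """Read the 220 greeting from one of your own servers (network call; not used by the demo below)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(512).decode("ascii", errors="replace").strip()


if __name__ == "__main__":
    print("leaky:   ", audit_session(LEAKY_SESSION, {"example.com"}))
    print("hardened:", audit_session(HARDENED_SESSION, {"example.com"}))
```

The hardened transcript shows the two settings the tips ask for: a banner reduced to the host name and `ESMTP`, and a 550 for mail addressed outside the domains the server hosts.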

Aug 4

So there has been a lot of talk lately about Kaminsky’s DNS Poisoning Vulnerability. What is it, and why is it such a hot topic yet kept so secret at the same time? Well, I can’t tell you exactly what the issue is. If I could, then I’d probably be in direct touch with Dan Kaminsky and would be at Defcon with him at the end of the week. But there is a little information out about its severity and why it is being kept such a huge secret. A design flaw was found in DNS that allows an attacker to poison the cache on a DNS server with invalid entries.

What is referred to as poisoning in IT is when entries in a cache are deliberately replaced with fake or incorrect entries by an attacker. With DNS, what this results in, if someone were to take advantage of it, is that the attacker could redirect any traffic for any particular website hosted on the compromised DNS server to any other web server on the internet. This means the attacker could place a phishing web page at the new destination. Email could also be compromised by poisoning MX records and having confidential emails redirected to another email server on the internet. Basically, the internet would become compromised.

But, thanks to a collaboration of some of the best minds in the industry, this issue has been kept secret and has given everyone hopefully enough time to patch the vulnerable systems. Here is a little more information on the DNS vulnerability at hand.