Wednesday, February 27, 2008

Very Common Uncommon DoS attack vectors

Who needs bot armies when you have end-users, uncooperative software, and overwhelmed systems and network administrators?

I have found a few recurring themes lately which fall loosely under the heading of Denial of Service attacks, but turn out to be something else. These are things I've seen in my clients' environments and heard echoed from other consultants and IT pros, especially in small businesses.

The first two "Denial of Service" attacks are often reported as a DoS eating up all available bandwidth. Those who guessed a combination of end-users with streaming media and/or peer-to-peer traffic got the first one and get a gold star. It doesn't take too many users streaming media to cripple your network. I have been a big proponent of Internet filtering for a long time; this is one reason why. The second one is a bit trickier and has to do with the evolving nature of devices at the network perimeter. More and more small businesses have proxies in their networks, usually in their firewalls, UTMs, or content filters- and they don't usually have fully locked down desktops or patch management systems. The problem is that all of those automatic update applications bundled with everything from your OS to your PDF reader don't always understand proxies, and vice versa. This scenario plays out something like this:

  1. The update application "phones home" (there's another issue, but we won't go there now)
  2. It finds that there is an update available
  3. Launches the downloader
  4. The proxy intercepts the request and starts a download
  5. The application downloader gets impatient and requests a new download
  6. The proxy intercepts the request and starts a download
  7. And so on until a handful of client machines crash your entire network.

You could blame the proxies, but they are just doing what they are supposed to. The downloader apps could be more patient, but the only real workaround I have seen is to whitelist the download sites. I say workaround rather than fix because the proxy generally has to pass the file without scanning it. You should be able to trust the update servers, but I would rather be able to "Trust, but Verify" instead of "Blindly Trust".
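To put some numbers on the loop above, here is a small model of it I wrote for this post (it is not code from the original, and the file size, link speed and timeout are constructed): a proxy that must fetch and scan the whole file before releasing any of it, an updater that re-requests after a fixed timeout, and a proxy that never cancels the fetch the client walked away from.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    file_mb: float           # size of the update the client wants
    link_mbps: float         # Internet link shared by every fetch the proxy runs
    client_timeout_s: int    # seconds the updater waits before re-requesting
    clients: int             # machines updating at the same time


def simulate(s: Scenario, horizon_s: int = 3600) -> dict:
    """Step the model one second at a time until every client has the file
    or horizon_s elapses. Returns the counts a network admin would care about."""
    # One in-flight proxy fetch per client to begin with.
    fetches = [{"client": i, "remaining": s.file_mb, "age": 0} for i in range(s.clients)]
    done: set = set()
    orphaned = 0            # fetches still running after their client gave up
    transferred_mb = 0.0    # everything pulled over the Internet link
    t = 0
    while t < horizon_s and len(done) < s.clients and fetches:
        t += 1
        # The proxy shares the link equally among all fetches it has open.
        per_fetch = s.link_mbps / 8 / len(fetches)
        for f in fetches:
            got = min(per_fetch, f["remaining"])
            f["remaining"] -= got
            transferred_mb += got
            f["age"] += 1
        live = []
        for f in fetches:
            if f["remaining"] <= 0:
                if f["client"] is not None:
                    done.add(f["client"])   # scanned file finally reached a waiting client
                continue                    # orphan finished: bytes spent for nothing
            if f["client"] is not None and f["age"] >= s.client_timeout_s:
                # Impatient updater re-requests; the proxy does not cancel the old fetch.
                live.append({"client": f["client"], "remaining": s.file_mb, "age": 0})
                f["client"] = None
                orphaned += 1
            live.append(f)
        fetches = live
    return {
        "clients_done": len(done),
        "orphaned_fetches": orphaned,
        "transferred_mb": round(transferred_mb, 3),
        "elapsed_s": t,
        "link_in_use": bool(fetches),
    }


if __name__ == "__main__":
    # Constructed numbers: a 10 MB patch over an 8 Mbit/s link (1 MB/s).
    patient = Scenario(file_mb=10, link_mbps=8, client_timeout_s=20, clients=1)
    impatient = Scenario(file_mb=10, link_mbps=8, client_timeout_s=5, clients=1)
    print("patient  :", simulate(patient))
    print("impatient:", simulate(impatient, horizon_s=60))
```

With a timeout shorter than the time the proxy needs for one full fetch, no client ever gets the file, the orphan count grows every timeout interval and the link stays saturated; the whitelist workaround removes the scan-before-release step that makes the fetch slower than the timeout.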

The third category of misdiagnosed DoS attack has been with us for a long time and is not going away any time soon. Some people like to ridicule the "incompetent" system and network admins throughout the industry, and there are certainly a few who might be better suited to another line of work (maybe involving the phrase "would you like fries and a soft drink with that?") but very few admins have the training and resources they need- and they make mistakes. Big mistakes, little mistakes, and mistakes that are just right. I won't go into too much detail; we've all made mistakes and cut corners. I have recently seen a few cases of harried admins leaving gaping holes in their infrastructure which resulted in serious problems for the network. A couple of hints:

  • Don't leave vulnerable services open to the Internet.
  • Move services off of their standard ports if you have to leave them open (port 22/SSH is getting heavily scanned and attacked lately).
  • Watch out for service port conflicts when you are port-forwarding to/from non-standard ports; your traffic may end up somewhere unexpected and unwanted.

When something goes wrong that we do not understand, we often think we are being attacked. It is primal, and it works well if you are trying to feed yourself while not being eaten by lions- but it isn't always helpful when trying to diagnose network problems. Step back, look at the clues, isolate the problem, and then identify it- it isn't always the lions.


Sunday, February 24, 2008

Shmoocon Wrapup

The final day of Shmoocon 4 was a week ago and I'm already looking forward to Shmoocon 5, scheduled for February 6-8, 2009.

Last Sunday I started off in the Hacking Windows Vista Security session by Dan Griffin. Nothing earth-shattering, but good info, including smart card middleware which trusts all input from the reader. Hmm, I remember hearing something about validating inputs being a good idea. Also info on using the MS CNG (crypto) API to add support for algorithms not natively supported by Vista. (MS shunned Schneier's Twofish, they better be looking over their shoulder).

Next was 0wn the Con presented by The Shmoo Group. The Shmoos have been very open about their cons and supportive of others thinking about running their own con. In this preso they talk about some of the nuts-and-bolts info, finances, decisions (good and bad), etc. A few interesting numbers: about 1220 people were registered (including regular attendees, speakers, staff and misc.) with an attendance of about 1150. Sponsorship was up dramatically over last year; this, combined with other favorable factors, allowed them to pay for the T-shirts and have all proceeds go to charity. The Shmoo Group is considering other events, but their primary focus will be the Con. I was amused that this session was listed in the "Break It!" track.

Third session of the day was a mistake. I chose Renderman's "How do I Pwn Thee? Let Me Count the Ways". It was a decent WiFi/Bluetooth/RFID overview for the uninitiated and would be great for a broader audience; it just wasn't meaty enough for this crowd- which Renderman told us in the beginning of the preso when he said he would rather have been in Josh Wright's preso in the next room. I should have listened to him. All I heard through the airwall from Wright and Antoniewicz's PEAP talk was two salvos fired from the now infamous Shmooball cannon.

Last year's Shmoocon wrapped up with a panel discussion on the security implications of the OLPC (video available here). This year the closing panel was "On the Social Responsibility of Hackers" subtitled "A modern day Walden". The panel members included Bruce Potter, Simple Nomad, J0hnny Long, Rick Dakan and Hackajar. Topics started off with "What is a hacker?" and covered issues such as hacker v. cracker, etc.

A few sound bites:

  • Bruce: "How do we define ourselves if not Hacker?"
  • Simple Nomad: "Hacker is our community, it is our word, screw people who don't understand."
  • Normal people ask "What does it do?" Hackers ask "What can I do with it?"
  • What's the difference between a Black Hat and a White Hat? A Mortgage.

Later topics included:

  • What positive activity has the Hacker community had to date?
  • Are there "greater goods" that are security related?
  • What can we as a community do for the greater good?

It was an active discussion with plenty of participation from the audience. Slides and video for this session (and all of the others, too) should be available from the Shmoocon website soon.

See you there next year.


Saturday, February 23, 2008


There is a growing community of security folks on Twitter. Not sure what Twitter is? Ask Wikipedia. Just don't ask why. Twitter is an addictive little thing, and some people really like it- including me. Chris Hoff and I Twitter-cast coverage from Shmoocon last weekend and I expect to do so again for relevant events, such as RSA. I'll add a Twitter widget to the blog for such events in the future, but it will probably only be active for specific events. If you really want to see all of my updates on everything from traffic and weather to caffeine and alcohol you'll have to follow me on Twitter.

Jennifer Leggio's blog has the definitive list of Security Twits. Not sure I really like that name, though. It makes it sound like we're Steve and Leo's minions.

Note: as Twitter users all know, Twitter is the MG of social media sites. That is, it is lightweight, nimble and fun- when it works. Just like an MG, Twitter's lack of reliability is legendary. (I didn't even know Lucas made web servers).


Upcoming Conferences and Events

A few upcoming events of note. Unfortunately, I will not be able to attend any of the local ones.

Source Boston
March 12-14. A new security conference featuring keynotes by Dan Geer, Steven Levy and Richard Clarke, with a wide variety of presentations in three tracks: Business and Security, Application Security, and Security and Technology. Presentations include a reunion of L0pht Heavy Industries and talks by several industry luminaries including Rich Mogull, Chris Hoff, Mike Rothman and many others.

BU Security Camp
March 14. The "Security Camp" is a free one day conference for university system, network, and security administrators. The goal of the conference is to share the experiences of those responsible for maintaining computing security in the higher education environment so all may benefit from our collective experience. Opportunities to network with other University staff will be provided throughout the day.

[Yes, the above conflict. No, apparently they are unaware of the wonders of Google and calendars]

MIT Spam Conference

March 27-28. Topics for 2008 include not just plain spam, but "other cybercrimes" such as phishing, IM spam, SMS spam, MMORPG spam, blog spam, trackback spam, photo spam, stock pump-and-dumps, email con games, exploit marketing, zombie bots and bot armies, setting up antispam systems, and antispam countermeasures including hardware, software, wetware, and blue-ware (i.e. employing the police).

RSA
April 7-11. I will be covering RSA for the blog this year and will "Twitter-cast" (more on that later) from RSA as I did at Shmoocon. I may even take a recorder and try to get some interviews, or at least put some folks on the spot. No, I am not going to start YASP (Yet Another Security Podcast), but if I get anything good I will post it somewhere and post links from the blog. Besides lurking in the press room, wandering the floor, attending sessions and attending the Security Bloggers' Meetup, I will be working with people from my "day job" to help set up a smaller blogger event. More on that as it develops.

I am disappointed that I will not be able to go to the events twelve miles from my office, but I am looking forward to RSA- even if it is 3200 miles away.


Monday, February 18, 2008

ShmooCon wrapup delayed.

Life has interfered, but a Shmoocon wrapup will appear here soon. Until it does, see the post on Hackers for Charity and do what you can to help Johnny.


Hackers for Charity

Johnny Long's latest venture: Hackers for Charity.

Go, check it out, join, donate.

Really, go now.


Saturday, February 16, 2008

Shmoocon, Day Two

Except for morning arriving too early, too bright and too loud- another great day.

A couple of references: the Shmoocon website and the speakers page.

An explanation of Shmooballs: ShmooCon 2008 is continuing in the tradition of arming attendees with ShmooBalls (a soft aerodynamic object of some sort). This is in an effort to facilitate a frank and open discussion of opinions. Speakers are encouraged to present innovative ideas that not everyone agrees with. Audience members are encouraged to use their ShmooBalls if they disagree.

First presentation was a tough choice; I passed up a great wireless talk to attend Mouse's inside look at voting systems. I have been concerned about voting systems for years- and after last year's talk by Avi Rubin and last night's talk by Alex Halderman I chose to hear more about the research that has been done. Mouse is on the team that did an in-depth analysis of the voting systems in Ohio after the fiasco of the 2004 elections. The phrase "one voter really can make a difference" takes on a new and ominous meaning in light of the findings on system vulnerabilities.

Next I went to the "Forced Internet Condom" talk, where a couple of former ISP abuse department guys delivered their mea culpas and explained why the traffic filtering they once supported is the wrong approach. Takeaway: Sandvine and their customers are not very nice. "Intelligent traffic management" is a polite way of saying the ISPs have oversold their networks and are now controlling what their customers can and can't do on "their" Internet- and changing terms of service as they see fit to cover it. How bad is it? Commonly filtered ports now include TCP 21, 25, 80 (inbound), 111, 135-139, 445, 1433-1434, 3128, 4662 and 36781; UDP 135-139, 161, 445, 1434; and a few stray protocols.

At noon I went to see Jay Beale's preso on "They're Hacking our Clients". Jay is a very sharp man, but I was underwhelmed by this talk. He seemed to be proposing manually doing what agentless NAC already does (or claims to do). I think Palo Alto Networks is already where he is theorizing we should be going. Early in the talk Jay became the first victim of Larry Pesce's compressed-air powered Shmooball cannon- a yell of "fire in the hole", a loud pop, and the air was full of Shmooballs.

After a little lunch and some time in the Lockpick Village I caught Simple Nomad's "Practical Hacker Crypto". It was informative and entertaining, as his talks always are. After a shot at Ovie Carroll (from the Cyberspeak podcast), Simple delivered the most solid advice of the con, "don't do dumb shit". A little light on specifics, but irrefutable advice. Simple later proposed PDP, the Plausible Deniability Protocol- under the topic of WWDKD (What would Dan Kaminsky do?). The now-infamous Mr. Pesce and his cannon struck again during the talk.

At 4:00 I went to one I had been looking forward to, a talk on small business security challenges. Displeased with their ideas, I threw Shmooballs and challenged their contention that small businesses are easier to secure than larger entities. To their credit one of the presenters, Pete Caro, found me in a hall later in the day and asked if we could continue the conversation tomorrow. I'm looking forward to it. That will be at least one blog post of its own, hopefully soon.

For the final time slot I went over my head into "Advanced Protocol Fuzzing" with Enno and Daniel from ERNW. I think it went over many people's heads, but I stuck it out and am glad I did. Crashed Cisco gear is a perennial crowd favorite, and they delivered. The preso, followed by a hallway chat with Chris Hoff and Daniel convinced me that I need to learn about VRRP and think about trying to break VRRP, HSRP and WLCCP. If I make any progress, that should be a few blog entries.

Chris Hoff and I have also been delivering running commentary on Shmoocon on Twitter. (There's another blog entry in the works, the growing Security Twitterati community). Chris' tweets are here and mine here.


Shmoocon, Day one plus

I'm here. Getting here was tough; someone thought mid-day on Thursday was the ideal time to work on the GW bridge, so a 15 minute section of NYC took 2 hours to cross. I have never been so happy to get to New Jersey in my life.

Thursday night I got hopelessly lost in the city, but then recovered and had a great dinner and conversation with Chris Hoff, Enno and the crew from ERNW, Sergey Bratus and others I am forgetting.

This afternoon's presentations included scary talks about intercepting and decrypting mobile phone traffic (GSM), password recovery through forensic image analysis, hacking the samurai spirit, and the dangers of web portals. There was also an outstanding talk by Syn Phishus (possibly not his real name, BeanSec folks might have some insight on that) about conducting an unauthorized "Phishing Awareness" exercise at work. The short presos ended with the always entertaining and informative Deviant Ollam with the latest from the lock picking world.

The keynote was to be delivered by Ed Felten from Princeton, but he has the nasty bug that's going up and down the east coast, so Alex Halderman (one of his post-grad students) filled in and did a great job with the presentation on E-voting systems. Short version: we're screwed. Slightly longer version: the most secure code on the systems is the OS, Windows CE.

More to come, film at eleven, etc.


Sunday, February 10, 2008

The first few, coincidence- but five times?

Do not read this if you are looking for answers or even insight.

Two underwater cables cut on a stormy night on the Mediterranean- that was easy to explain; probably just a couple of ships anchoring offshore until it was safe to enter harbor. High winds and dragging anchors make sense to me- I've been there myself in small craft (but without the bit about crippling communications to entire nations).

Another underwater data and telecommunications cable damaged the following day, just an unlikely and unfortunate coincidence.

Two more in the following week bring the total to five damaged cables. With Internet and telecom service to large parts of the Middle East and Indian subcontinent disrupted, you don't have to be Oliver Stone to start thinking that maybe this isn't a coincidence.

Let's start with two questions: who has the ability to sabotage the cables and who profits from the damage? Since we don't know anything about what actually caused the damage (and won't until repairs are made, if ever) it is hard to say what skills are needed, but I bet a seaworthy fishing boat and crew would be a good start. Add a little Google reconnaissance and current navigational charts and you should be ready to wreak havoc on telecommunications. Draggers accidentally damage all kinds of stuff on the sea floor regularly; imagine what they could do if they wanted to damage things. That doesn't narrow the possible candidates much. So, back to the other question- who benefits? I guess that depends on motive. There is more than enough political, religious and social turmoil throughout the region to provide dozens of possibilities- so that doesn't help narrow it down much, either.

This leaves wild speculation, so I say we blame the Canadians.  Sure, they seem nice...



Tuesday, February 5, 2008

Two more NAISG chapters

As you may know, I chair the New England Chapter of NAISG and am happy to report the news of two new chapters; one in Washington, DC and another in Silicon Valley. Details will be on the NAISG website as they become available.


Fine, I'll do it myself.

You may remember that I have vented about vendors dumping insecure products on us and being clueless about the dangers- or having the nerve to charge extra to secure the products they sell us.

What can you do about it? Fix it yourself, of course. Log into that multi-function printer, appliance, whatever and lock it down. Turn off unnecessary services, change default passwords (or add passwords to the really lame systems), do the things you already know to do.

But what about the stuff you can't fix? You know, the stuff you can't secure because it is controlled by the clueless vendor and you can't hack it due to some lease or maintenance agreement. That may still be relatively easy- isolate it, physically and/or logically. Maybe some network segmentation will do the trick- use VLANs or put the system(s) on a separate subnet- maybe you'll have to blow a few bucks on a cheap firewall/router to do what you need.

You could roll your own custom solution by hacking consumer hardware, but you may not need to spend that much time on this- an off-the-shelf broadband router can do a credible job of controlling traffic. Sure, it isn't perfect. And it is another device to secure and manage.

Maybe you have a whole rack of insecure, third-party gear stuck in a corner of your network, what then? The same, only more- give the rack its own switch and single firewalled link to the network. Even a managed switch with a good set of ACLs will be an improvement over letting a bunch of questionable gear have unlimited access to your network. (In case you are wondering, this situation is fairly common in automotive retail and some other environments).

You will probably have to monitor traffic to and from the device(s) to be screened; Wireshark or Show Traffic running on a SPAN port should give you a pretty good idea of the traffic you will need to allow to and from the devices.
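Here is the step from SPAN-port capture to a first cut at those ACLs, as an added example (my code, not from the post or any vendor). It assumes the capture has already been summarised into "src,dst,proto,dst_port,packets" lines (Wireshark's Conversations view exports something close to this), that the isolated rack lives in 10.10.50.0/24, and that the target is a Cisco-style numbered extended ACL; the sample flows are constructed, and the subnet and host addresses are placeholders.

```python
import ipaddress
from collections import defaultdict

VENDOR_NET = ipaddress.ip_network("10.10.50.0/24")   # assumed subnet of the isolated rack

# Constructed capture summary: src,dst,proto,dst_port,packets (not real traffic).
SAMPLE_FLOWS = """\
10.10.50.5,10.10.1.20,tcp,443,1842
10.10.50.5,10.10.1.10,udp,53,97
10.10.1.40,10.10.50.7,tcp,9100,310
10.10.50.9,10.10.2.15,tcp,445,3
10.10.50.9,10.10.2.16,tcp,445,2
10.10.50.5,10.10.1.20,tcp,443,560
"""


def parse_flows(text: str) -> dict:
    """Aggregate packet counts per (src, dst, proto, dst_port)."""
    flows = defaultdict(int)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, port, pkts = line.split(",")
        flows[(src, dst, proto.lower(), int(port))] += int(pkts)
    return dict(flows)


def draft_acl(flows: dict, acl_number: int = 101, min_packets: int = 10):
    """Return (permit rules, flows to review) for flows crossing the rack boundary.

    Sparse flows are held back for a human look rather than permitted: a vendor
    box touching several hosts on the same port with a few packets each looks
    like a scan or a misconfiguration, not a service it needs.
    These are stateless rules; a plain ACL still needs an `established` rule
    (or a stateful firewall in front of it) for return traffic.
    """
    rules, review = [], []
    for (src, dst, proto, port), pkts in sorted(flows.items()):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if (s in VENDOR_NET) == (d in VENDOR_NET):
            continue   # both inside or both outside the rack: not our boundary
        rule = f"access-list {acl_number} permit {proto} host {src} host {dst} eq {port}"
        (rules if pkts >= min_packets else review).append((rule, pkts))
    # Everything not explicitly observed and approved is dropped and logged.
    rules.append((f"access-list {acl_number} deny ip any any log", 0))
    return rules, review


if __name__ == "__main__":
    permits, hold = draft_acl(parse_flows(SAMPLE_FLOWS))
    print("! draft rules")
    for rule, pkts in permits:
        print(rule + (f"   ! {pkts} pkts" if pkts else ""))
    print("! needs review before permitting")
    for rule, pkts in hold:
        print(f"! {rule}   ({pkts} pkts)")
```

Run the capture for long enough to catch the device's periodic traffic (nightly reporting, license checks) before trusting the list, and keep the final `deny ... log` line so anything you missed shows up in the logs instead of silently failing.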

Is this ideal? No. But you are moving forward, towards a more secure environment- and that is the idea.