Wednesday, August 27, 2008

Pretty lights

More on DNS I know. May as well be another person beating a dead horse. But I give you pretty:
It is a video of the patched and not patched world wide. It intrigues me that there is a blinking light on the map of Australia about 3 hours north of Adelaide, I doubt it is Alice Springs, to south, maybe Coober Peadie if my geography serves.
Onto some more supposition by me (mainly in reply to Dan [the guy who discovered the Researched the DNS flaw] here);
I agree with what has been said, that we need more security on an inherintly in-secure network. But some (percieved) anonymity and some plain text is good, and what the internet is all about.
Could you imagine every site moving to https, for starters what is the point, who needs to read my blog through an encrypted channel? Really why, I don't really have any direct post functionality, and only a handful of readers, it is not like I am directing them to blindly do anything either.
Onto DNS, I was thinking the other day of another way to fix the issue. Deploy a port knocking technique on the reply based on the query, so that ports would have to be knocked in the correct order on the DNS server pre accepting back the lookup. Similar to the way a person gets into a safe, knowing the numbers isn't good enough you need to know the sequence. This would stop NAT being an issue as the DNS server can make the request out on all ports getting an auto map back on these ports. And would be more secure as the attacker would have to guess the right ports to knock on the way back, or read the request and then generate the reply and reply back, but if they can do that they are already in the middle and its game is over.
What do you think?
Peace out all, especially Dan, good job.

Thursday, August 14, 2008

DNS woes continue... sorta

So as I said, and the original discoverer Dan said, it was just a patch. Not a fix, not a be-all and end all solution. A temporary patch. We already know some nat devices break the patch's fix. But from the looks here and here it can be broken. The first link even details how, but there is a caveat. It is not easy, and a lot of bandwidth with low latency is required.
The first article explains how they did it over Gige in 10 hours. So most DNS servers that are doing resolves for clients, are probably not even on 20mbs of bandwidth, and latency 10+ times that of ethernet, not including the clients themselves causing some load. So you could say it would take 10+ times longer to do this over the internet, so 100hours. Someone will hopefully notice at around hour 20… But it isn't that simple, what if some baddie hits a server with a mere 100 clients... (Most botnets are 10 times this size). Chaos again. We need a better fix. I mentioned before some kind of signed DNS, I am the first to admit I have gaps in my knowledge as I have never heard of DNSSEC, now I that have listened to the Blackhat talk I have heard about it. I had a quick look at wikipedia and the official site and it is interesting. Of course windows servers only support it as a secondary, also the glaring-hole of non NSEC3 servers allowing enumeration of sites is just plain silly. Seriously just hash The users request domain “Not Found” and add it to the RFC, done.
I think it should include the option for encrypting replies, may as well, could be useful for higher secure organisations.
This is a very real and very now threat, there are at least two pieces of software out there to attack it, one being the very good, but very newbie friendly metasploit.
Well I am pretty much just re-iterating and expanding on my comments on darknet but there you go.
Peace out all.

Geoffrey talking, and going loopy

So Geoffrey gave me a heart attack today (not literally) Fiona came in to have lunch with me and we went to the park. It was a lot of fun and really shows how he will talk if he wants something, "up again" kept coming when he wanted me to pick him up to the flying fox.
But the scary bit was when we were having fun, I was pushing him on the swing, when he decided to flip forward just after I had pushed back, he flipped over fortunately caught by the chain as he was in the little kids swing. I lunged forward and caught him... phewww.
Other than that is was a lovely lunch, Marion brought beautiful ham sandwiches and soft-drink, and Geoffrey and I ran around the play equipment like madmen.

Sunday, August 10, 2008

Social Engineering

I think possibly the equal first security threat facing all business today is that of Social engineering. I say equal first, because a lot of insider threats would probably fall under this banner. The employee, lets say his name is John calls up the helpdesk, he tells them his name is Sam, and that he has forgotten his password. You of course see where I am going with this, the helpdesk happily resets Sam's password, John knows Sam is out to a long lunch and has access to files he doesn't. He logs in as Sam, gets the files he needs and then logs out, maybe even leaving a post-it on Sams screen saying the helpdesk had to reset his password to blah, so the helpdesk doesn't get another call and get suspicious.
John know has all the files on his cheap USB disk, or in hard copy and does with them whatever it is nefarious people do with data to make a buck.
I have seen mitigation techniques for the one I mentioned above, all users have a password reset word, something they wouldn't have as a password and stored in plain-text for the helpdesk to see. This will mitigate it, unless John says he forgot it and to send someone down, the helpdesk guy may not know John or Sam, and as long as John is in Sam's office still acting like he owns the place he will probably get away with it.
Social Engineering is scary for another reason in that even non-technical users can do it. I remember I had a client once who had a relitively new employee call up asking for some permissions to files he needed for work. I knew his role was to do with those files and I knew his voice over the phone (as funnily enough he had moved from one client to another). Still I decided to call his manager to get the ok. She didn't give it, and was a bit distrubed that he had asked for the access. Horray one for the good guys.
Have a look here at how easily some guys doing a sprite commercial pulled off some non-harmful social engineering.
Here is a very thourough article on the subject.
And here is my first shirt design on cafepress, totally on topic.
Really though combine some social engineering with technical knowledge the smarts to think of the good-guys mitigation techniques and the connections to make money off your exploits and you have a major foe to be reaconed with.
I think in future we will need to audit our people as much as we do our security systems. Having someone who won't suffer the repricussions of the law come in randomly and do spot checks would keep people on their toes, but it also comes down to having the personal touch, knowing people by name, by their voice, by their face. Maybe the solution is smaller decentralised IT departments, say one for each department and at least one at each site, this lessens the body of knowledge but increases the likelyhood of the staff member knowing the other. I don't know, someone will come up with a solution eventually.
I have decided to use tags to seperate the posts, so no more personal stuff in the security tagged posts.
Peace out all.

Off to the zoo

So today we went to the Zoo and Geoffrey let something interesting go. He knows how old he is about to be. When asked when he felt like it he replied with are hearty THREEEE. Ahh it is good to see. It has been about six months since his operation and he is picking up new things everyday.
Anne is walking and has added to her repitore of Mama and Dada and Baba other interesting little noises and words. She got a new little outfit that was terribly cute, a pair of stockings with a bustle at the back, to go perfectly with her little yellow dress with pedicoat. We had lots of fun at the zoo before the down-pour began.
Speaking of downpours I heard it snowed again in NSW, just south of Wollongong last week. That makes two 100+year events in the last few weeks, the weather certainly is variable at the moment. I heard a good saying the other day "Climate is what you expect, weather is what you get", it certainly is what we have been getting lately: Short bursts of rain, followed by nice hot days, when will it end.
Peace out all
eXTReMe Tracker