Tag: Security

Best Practices

10 Windows Password Myths

I saw this article (Ten Windows Password Myths) over at Security Focus and thought it was worth sharing. And something I didn’t know about Windows (2000/XP) passwords:

If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password.

The nice thing about that is that it then becomes impossible for your password to be cracked from the LM hash in the SAM database, since we know it isn’t actually null.
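A practical use of that constant is auditing a password dump: any account whose LM field is something other than the null constant has a real LM hash stored and is the one to worry about. The script below is an added example, not from the Security Focus article or this post; it assumes the common pwdump line layout (user:rid:lmhash:nthash:::), and the sample lines and their hex values are constructed placeholders, not hashes of real passwords.

```python
from dataclasses import dataclass

# What Windows stores in the LM field when no LM hash exists for the account
# (password of 15+ characters, or LM storage disabled): the LM hash of an empty password.
NULL_LM_HASH = "AAD3B435B51404EEAAD3B435B51404EE"

# Constructed sample in pwdump format (user:rid:lmhash:nthash:::). The hex values
# are placeholders, not hashes of any real password.
SAMPLE_DUMP = """\
# constructed sample, not a real SAM dump
Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
bob:1001:FEDCBA9876543210FEDCBA9876543210:0123456789ABCDEF0123456789ABCDEF:::
svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:0123456789ABCDEF0123456789ABCDEF:::
"""


@dataclass
class Account:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str

    @property
    def lm_stored(self) -> bool:
        # A real LM hash is present only when the field differs from the null constant.
        return self.lm_hash != NULL_LM_HASH


def parse_pwdump(text: str) -> list:
    """Parse pwdump-style lines; comment and blank lines are skipped."""
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed pwdump line: {line!r}")
        user, rid, lm, nt = parts[:4]
        accounts.append(Account(user, int(rid), lm.upper(), nt.upper()))
    return accounts


def accounts_with_lm_hash(text: str) -> list:
    """Names of accounts whose LM hash really is stored: these are the ones a SAM
    dump exposes to LM cracking and that need a longer password (or LM disabled)."""
    return [a.user for a in parse_pwdump(text) if a.lm_stored]


def lm_hash_will_be_stored(password: str) -> bool:
    """The rule from the post for Windows 2000/XP defaults: 15+ characters means
    the null constant is stored instead of a real LM hash."""
    return len(password) < 15


if __name__ == "__main__":
    for name in accounts_with_lm_hash(SAMPLE_DUMP):
        print(f"{name}: LM hash stored, password is exposed to LM cracking")
```

Case is normalised before comparison because different dump tools emit the constant in upper or lower case; the svc_backup line shows why that matters.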

Perhaps the most interesting point the article makes (and though it has been made many times before, it bears repeating) is that despite every other security measure we put into place, without strong passwords our defenses are easily overcome.

Security

China’s Firewall Breached

Researchers from the University of Cambridge computer laboratory have announced that they were able to successfully bypass the restrictions of China’s firewall, and found a DoS vector at the same time.

Richard Clayton (University of Cambridge computer lab) explained that when a keyword is found in a packet, the routers let the traffic through but send resets to both sides of the connection. Ignoring those injected reset packets at both ends is trivial and renders the firewall completely ineffective.

On the other side of the coin, since the firewall uses stateless packet inspection to search for keywords, a forged packet containing one of these keywords, with a source and destination IP belonging to, say, a Chinese government website and a Chinese embassy somewhere, would effectively cut off all communication between those two endpoints for up to an hour. Unless, of course, they are also bypassing the firewall and (by doing so) the restrictions placed by the government they represent.
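The design lesson here is that a trigger which acts on single packets, with no notion of a connection, can be fired by anyone who can spoof a source address. The toy model below is an added example, not the Cambridge researchers’ code and not a description of the real device beyond what the post states: it contrasts a stateless keyword inspector with one that only acts on flows whose handshake it has seen. The keyword, addresses and packet format are placeholders.

```python
from dataclasses import dataclass, field

BLOCK_SECONDS = 3600            # the post: the pair stays cut off for up to an hour
KEYWORD = "FORBIDDEN-WORD"      # placeholder; the real keyword list is not on the page


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str          # "SYN", "SYN-ACK", "ACK" or "PSH" (simplified TCP)
    payload: str = ""
    time: int = 0       # seconds, used for block expiry


@dataclass
class StatelessInspector:
    """Matches the keyword in any packet, with no idea whether a connection exists."""
    keywords: tuple
    blocked: dict = field(default_factory=dict)   # (src, dst) -> expiry time

    def inspect(self, pkt: Packet) -> bool:
        """Return True if this packet triggers resets (and a timed block) for the pair."""
        self._expire(pkt.time)
        if any(k in pkt.payload for k in self.keywords):
            # the injected RSTs hit both sides, so both directions are cut off
            self.blocked[(pkt.src, pkt.dst)] = pkt.time + BLOCK_SECONDS
            self.blocked[(pkt.dst, pkt.src)] = pkt.time + BLOCK_SECONDS
            return True
        return False

    def is_blocked(self, a: str, b: str, now: int) -> bool:
        self._expire(now)
        return (a, b) in self.blocked

    def _expire(self, now: int) -> None:
        self.blocked = {k: t for k, t in self.blocked.items() if t > now}


@dataclass
class StatefulInspector(StatelessInspector):
    """Same keyword match, but only on flows whose three-way handshake it has seen,
    so a single forged packet cannot trigger a block between two arbitrary hosts."""
    pending: set = field(default_factory=set)       # (client, server) after SYN
    established: set = field(default_factory=set)   # frozenset({a, b}) after SYN-ACK

    def inspect(self, pkt: Packet) -> bool:
        self._expire(pkt.time)
        if pkt.flags == "SYN":
            self.pending.add((pkt.src, pkt.dst))
            return False
        if pkt.flags == "SYN-ACK" and (pkt.dst, pkt.src) in self.pending:
            self.established.add(frozenset((pkt.src, pkt.dst)))
            return False
        if frozenset((pkt.src, pkt.dst)) not in self.established:
            return False    # unknown flow: not a trustworthy trigger
        return super().inspect(pkt)


def run_scenario(inspector: StatelessInspector) -> dict:
    """Constructed traffic: a real A<->B connection that carries the keyword, then one
    forged packet claiming to be C->D with the keyword, although C and D never spoke."""
    a, b = "10.0.0.1", "10.0.0.2"          # placeholder addresses
    c, d = "192.0.2.10", "192.0.2.20"      # documentation range, stand-ins for the two sites
    for pkt in (Packet(a, b, "SYN", time=1), Packet(b, a, "SYN-ACK", time=2),
                Packet(a, b, "ACK", time=3)):
        inspector.inspect(pkt)
    inspector.inspect(Packet(a, b, "PSH", payload="GET /?q=" + KEYWORD, time=4))
    inspector.inspect(Packet(c, d, "PSH", payload="GET /?q=" + KEYWORD, time=5))
    return {
        "real_flow_blocked": inspector.is_blocked(a, b, now=6),
        "forged_pair_blocked": inspector.is_blocked(c, d, now=6),
        "forged_pair_blocked_after_an_hour": inspector.is_blocked(c, d, now=5 + BLOCK_SECONDS + 1),
    }


if __name__ == "__main__":
    print("stateless:", run_scenario(StatelessInspector((KEYWORD,))))
    print("stateful: ", run_scenario(StatefulInspector((KEYWORD,))))
```

Both inspectors cut off the genuine connection; only the stateless one can be made to cut off two hosts that never exchanged a packet. Real sequence-number tracking would also let the endpoints discard a reset that does not fit the flow, which is the other half of the researchers’ finding.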

Security

FUD or Failure?

While not exactly in the arena of what is meant by “Network Security,” I just couldn’t resist commenting on the failure of the U.S. House of Representatives to include Net Neutrality in the COPE (Communications Opportunity, Promotion, and Enhancement – H.R. 5252) Act here. (story)

So why would I post this in security? With telcos given the option of giving bandwidth priority to some sites or content types without penalizing them, and with the possibility of telcos charging customers extra fees to access certain sites (as in sites that are on another carrier’s backbone connection) the security risk I see is to the free exchange of information. If AT&T gets a bug up their butt and decides that any content on Verizon isn’t as important as content on AT&T networks, they could throttle those links, effectively cutting their customers off from Verizon customers, and vice-versa. Then it is a simple matter to charge a “net long-distance” fee for customers to get some of that restricted bandwidth.

Will it happen that way? I don’t know. I would hope not, but given the behaviour of the telcos over the past few years I wouldn’t put anything past them at this point.

Security

Disposing of old hard drives

Before you toss that old hard drive out, stop. What information is on there? How about your personal information? Banking information? Maybe even some incriminating or embarrassing pictures, emails or documents?

Now that you are thinking about what may be contained on that drive, how hard would it be for someone else to pick it up and slap it in a machine and pull that information off? Not hard at all.

There are several ways to make sure that the data on the disk is not (easily) recovered. One way is to physically destroy the device. One common practice for physical destruction is to drill through the case and straight through the platters (they may shatter and/or throw off shards, so be sure to wear proper eye protection).

Many stores offer to do this for you when you upgrade your hard drives. There is nothing wrong with letting the store do this for you, but make sure you watch every step of the process or you may end up surprised like the couple in Springfield Township, Ohio. They trusted their local Best Buy store when they were told that the drive would be destroyed, but got a phone call a year later from a gentleman in Chicago who told them that he had just bought their hard drive at a flea market, with all their data intact.

If you are planning to pass your drive on rather than trashing it, however, there are a couple of tools that may come in handy. One is Eraser by Sami Tolvanen. It can be used to overwrite files, directories, or entire drives with pseudo-random binary data. If you have more than one drive to wipe, however, a file-level tool like Eraser becomes awkward. In this case you can use Darik’s Boot and Nuke: you boot from the floppy or CD and it wipes the entire drive(s) installed in the machine.
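What Eraser does at file level is simple enough to show in a few lines. The script below is an added example, not Eraser’s or DBAN’s code: it overwrites a file in place with random bytes, forces each pass to disk, reads it back to confirm the original content is gone, and only then unlinks it. The “sensitive” content is constructed. Note the caveat in the comments: overwriting in place only reaches the old blocks on media that write in place, so it is a spinning-disk technique; on SSDs with wear levelling, or on journaling and copy-on-write filesystems, old copies can survive and whole-device wiping (or the drive’s own secure-erase command) is the right tool.

```python
import os
import secrets
import tempfile

CHUNK = 1024 * 1024     # write in 1 MiB pieces so large files do not need the RAM

# Caveat: this only works where the filesystem rewrites the same physical blocks.
# SSD wear levelling, journaling and copy-on-write filesystems can keep old copies,
# so for those use whole-device wiping or the drive's built-in secure erase instead.


def overwrite_file(path: str, passes: int = 3) -> int:
    """Overwrite every byte of `path` in place with random data, `passes` times,
    forcing each pass to disk before the next. Returns the file size in bytes."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())   # otherwise the OS may merge the passes in its cache
    return size


def wipe_file(path: str, passes: int = 3) -> int:
    """Eraser-style wipe: overwrite, then unlink. Returns the number of bytes overwritten."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size


def wipe_demo() -> dict:
    """Create a throwaway file with a recognisable marker, wipe it, and report
    whether the marker survived the overwrite and whether the file is gone."""
    marker = b"ACCOUNT 1234-5678 PIN 0000\n" * 200     # constructed 'sensitive' content
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(marker)
    size = overwrite_file(path)
    with open(path, "rb") as fh:
        marker_gone = b"ACCOUNT" not in fh.read()
    os.remove(path)
    return {"bytes": size, "marker_gone": marker_gone, "removed": not os.path.exists(path)}


if __name__ == "__main__":
    print(wipe_demo())
```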

Security

Comment Spam

While not usually on the top of the list of dangerous attacks, blog comment spam is a serious annoyance if nothing else. I just watched half a dozen spam comments pop up in the span of 30 seconds. Nice work by the bot, but a total pain in my rear.

So, I removed the spam comments and added the “magic word” pyBlosxom plugin available here. This is not perfect, but it should at least deter automated bots from generating comments.

A more serious type of comment spam was mentioned by Ted Leung: a spammer uses the comment field to insert an entire email message, headers included, which most comment mailers will simply pass through the open SMTP connection, where the mail server will blithely parse and send out the message based on the headers it contains. Ted’s workaround involves wrapping any To:, From: and Subject: in the comment body in HTML tags so it will still display but will be illegal as SMTP commands.
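To make the failure concrete, here is an added example (not Ted’s or pyBlosxom’s code) that models the pass-through mailer, applies Ted’s tag-wrapping workaround, and then shows the structural fix: the blog writes its own header block and the comment only ever lands in the body. The addresses and the spam comment are constructed placeholders; the “MTA” is simulated by parsing the DATA payload with Python’s email package.

```python
import email
import re
from email.message import EmailMessage
from email.policy import default

ADMIN = "blog-owner@example.org"       # placeholder addresses
NOTIFIER = "comments@example.org"

# Header fields an MTA would act on if they arrive at the start of the DATA payload.
HEADER_FIELD = re.compile(r"^(to|from|cc|bcc|subject):", re.IGNORECASE | re.MULTILINE)

# Constructed spam comment: a complete message, headers included, pasted into the comment box.
SPAM_COMMENT = (
    "To: victim@example.net\n"
    "From: spammer@example.com\n"
    "Subject: Unbeatable offer\n"
    "\n"
    "Buy now at http://spam.example.com/\n"
)


def naive_mail_data(comment: str) -> str:
    """Model of the vulnerable mailer: the comment text is handed straight to the
    open SMTP session as the DATA payload, so its first lines become the headers."""
    return comment


def neutralize_header_lines(comment: str) -> str:
    """Ted's workaround: wrap the field name in an HTML tag. A browser still shows
    'To:', but no line now starts with a bare 'To:' for a mail parser to honour."""
    return HEADER_FIELD.sub(lambda m: f"<span>{m.group(0)}</span>", comment)


def build_notification(comment: str) -> str:
    """The structural fix: the blog writes its own header block and puts the comment,
    already neutralised, strictly in the body, after the blank line."""
    msg = EmailMessage()
    msg["From"] = NOTIFIER
    msg["To"] = ADMIN
    msg["Subject"] = "New blog comment"
    msg.set_content(neutralize_header_lines(comment))
    return msg.as_string()


def delivered_to(data: str) -> str:
    """Simulate the MTA's view: parse the DATA payload and report its To: header."""
    parsed = email.message_from_string(data, policy=default)
    return str(parsed["To"] or "")


def body_of(data: str) -> str:
    """The text part of a parsed DATA payload, as the recipient would read it."""
    return email.message_from_string(data, policy=default).get_content()


if __name__ == "__main__":
    print("pass-through mailer delivers to:", delivered_to(naive_mail_data(SPAM_COMMENT)))
    print("proper mailer delivers to:     ", delivered_to(build_notification(SPAM_COMMENT)))
```

The tag wrap alone already stops the headers being honoured, but building the message with a real library is the fix that does not depend on guessing every header name a spammer might use.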

Once again, the arms race continues, but by taking the simplest methods of correction, we leave ourselves in a better position to later add more and different kinds of protection against attacks that (maybe) haven’t been invented yet.

Security

Teaching security

I read a rather sad article on this morning about China’s Construction Bank servers being hacked and conducting phishing scams. In many of the comments I see users being blamed for being stupid, and one poster even referred to the majority of American internet users as “a bunch of mouth breathing, knuckle-dragging morons.” This kind of attitude only continues the “class war,” if you will, between IT and users. When you spout off with elitist comments you will be seen as elitist. (Imagine that.)

I submit that the majority of users are not stupid (or even “mouth-breathing, knuckle-dragging morons”), but are uneducated in the field of IT security. I am not advocating teaching every user every aspect of security (firewall construction to net monitoring, packet filtering to reverse-engineering malware), but the simple parts that directly affect them. How to tell a legitimate email from their bank/PayPal/eBay/etc. from a phishing scam. How to use antivirus and anti-spyware programs and keep them up to date. How to make sure they are getting the proper updates for their OS and programs.

Some of it may seem like common sense to someone in the IT field, but that only comes after you have learned it. It is too easy to forget that once we, too, were ignorant of these things and they had to be learned. None of us were born with an instinctive knowledge of how to check the source code of an html email and see that the links go somewhere other than where they appear to, or how to install and configure an antivirus program, or any of the rest. The trick is to pass the knowledge on to users in such a way that it becomes common sense to them as well.
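The “check where the links really go” lesson is mechanical enough to automate. The script below is an added example, not from this post: it pulls every link out of an HTML email and flags the two patterns a user is taught to look for, a visible URL that names one site while the href goes to another, and a link that goes straight to a bare IP address. The sample email, the bank domain and the look-alike domain are all constructed.

```python
import ipaddress
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed HTML email. The bank domain and the look-alike are placeholders.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://203.0.113.5/login">confirm your account</a>
at <a href="http://bank-login.example.net/">https://www.bank.example/</a>.</p>
<p>Regards, <a href="https://www.bank.example/help">www.bank.example</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(text: str) -> Optional[str]:
    """Host named by URL-looking text ('www.bank.example', 'https://x.y/z'); None otherwise."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host and " " not in host else None


def registrable(host: str) -> str:
    """Crude 'same site' key: the last two labels. Real code would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html: str) -> List[Tuple[str, str, str]]:
    """(visible text, href, reason) for links a reader should not trust at face value."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = (urlparse(href).hostname or "").lower()
        try:
            ipaddress.ip_address(actual)       # legitimate sites link by name, not by address
            findings.append((text, href, "bare IP address"))
            continue
        except ValueError:
            pass
        shown = host_of(text)
        if shown and actual and registrable(shown) != registrable(actual):
            findings.append((text, href, f"text says {shown}, link goes to {actual}"))
    return findings


if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"[{reason}] '{text}' -> {href}")
```

The third link in the sample is left alone: its text and target agree, which is exactly the distinction a user has to learn to make by eye.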

Security

Spamming for script-kiddies

Well, this has got to be the most annoying piece of spam I have received recently. It seems that now even the crack-scripting community is using spam to advertise their “services.” I have included a copy of the email – the more disturbing items I have emphasized in bold. The email:

From: noreply-52@ww-nn.web-hack.ru
Bcc:
Return-Path: noreply-52@ww-nn.web-hack.ru
X-OriginalArrivalTime: 06 Mar 2006 13:36:47.0450 (UTC)
FILETIME=410ABA0:01C64123]
Date: 6 Mar 2006 04:36:47 -0900
Dear Sir/Madam, Hello!
We are internet hackers crew – Web-hack. We propose you for sale some interesting things: – private exploits – http://forum.web-hack.ru – stolen credit cards and bank accounts – http://forum.web-hack.ru – we infect users pc’s with your trojan for low prices (10000 infected pc’s for 25$) – http://forum.web-hack.ru – bulletproof domains and hosting – http://forum.web-hack.ru Best offer – bulletproof domain + hosting =0 usd/week. You can use this hosting for any scam/fraud and nobody will close it! For more information look at – http://forum.web-hack.ru P.S. We are registering bulletproof domains on our partner site http://www.r01.ru/ there we have “our” people to guarantee stability of our domains and hosting so any organization like spamhaus.org cannot down our hosting and domains. We are now spaming 5 000 000 people look out the domain is alive as always and never gonna be down !! Please go and order our services at: http://forum.web-hack.ru Msg-ID: 12543

Whois:

forum.web-hack.ru
ww-nn.web-hack.ru

217.107.217.167
217.107.217.168

OrgName: RIPE Network Coordination Centre
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
Comment:
RegDate:
Updated: 2004-12-13
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 217.0.0.0 - 217.255.255.255
CIDR: 217.0.0.0/8
NetName: 217-RIPE
NetHandle: NET-217-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: NS-EXT.ISC.ORG
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2000-06-05
Updated: 2005-07-27

# ARIN WHOIS database, last updated 2006-03-05 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

www.r01.ru

195.24.65.17

% This is the RIPE Whois query server #2.
% The objects are in RPSL format.

% Information related to '195.24.64.0 - 195.24.71.255'

inetnum: 195.24.64.0 - 195.24.71.255
netname: PARKLINE-1
descr: Garant-Park-Telecom
descr: Science Park, MSU
descr: Lebedeva St., Leninskie Gory
descr: Moscow 119899, Russia
country: RU
admin-c: PAN-RIPE
tech-c: PAN-RIPE
status: ASSIGNED PI
mnt-by: PAN1-RIPE-MNT
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: PAN1-RIPE-MNT
source: RIPE # Filtered

person: Alexander V Panov
address: MSU, Science Park, Garant-Park-Telecom
address: Moscow
address: Russia
remarks: phone: +7 095 7898207
phone: +7 495 7898207
remarks: fax-no: +7 095 9308800
fax-no: +7 495 9308800
e-mail: panov@parkline.ru
nic-hdl: PAN-RIPE
mnt-by: PAN1-RIPE-MNT
source: RIPE # Filtered
remarks: modified for Russian phone area changes

% Information related to '195.24.64.0/21AS25537'

route: 195.24.64.0/21
descr: Garant-Park Telecom Block 3
descr: Science Park, Moscow State University
descr: Lenin's Hills, Moscow, Russia
origin: AS25537
mnt-by: PAN1-RIPE-MNT
source: RIPE # Filtered

Definitely ones to watch for in your log files.
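Watching for them in log files is easy to script. The checker below is an added example, not from this post: it takes the hosts and addresses listed above (the two web-hack.ru senders, the r01.ru address and the PARKLINE-1 block from the RIPE record) and reports every log line that carries one of them. The mail-log and web-log lines it scans are constructed, not real traffic.

```python
import ipaddress
import re

# Indicators taken from the post's headers and whois output.
SUSPECT_DOMAINS = {"web-hack.ru"}                       # the host and any subdomain
SUSPECT_IPS = {ipaddress.ip_address(a)
               for a in ("217.107.217.167", "217.107.217.168", "195.24.65.17")}
SUSPECT_NETS = [ipaddress.ip_network("195.24.64.0/21")]  # PARKLINE-1 block from the RIPE record

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Constructed log lines (Postfix-style mail log and a web access log), not real traffic.
SAMPLE_LOG = [
    "Mar  6 13:36:47 mx postfix/smtpd[1234]: connect from ww-nn.web-hack.ru[217.107.217.167]",
    "Mar  6 13:36:48 mx postfix/smtpd[1234]: client=ww-nn.web-hack.ru[217.107.217.167], "
    "from=<noreply-52@ww-nn.web-hack.ru>",
    "Mar  6 13:40:01 mx postfix/smtpd[1235]: connect from mail.example.com[198.51.100.7]",
    '195.24.65.17 - - [06/Mar/2006:14:02:13 +0000] "GET /blog/?ref=forum.web-hack.ru HTTP/1.0" 200 512',
]


def indicators_in(line: str) -> set:
    """Every suspect IP (or address inside a suspect block) and suspect hostname on the line."""
    hits = set()
    for token in IPV4.findall(line):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:          # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if ip in SUSPECT_IPS or any(ip in net for net in SUSPECT_NETS):
            hits.add(token)
    for name in HOSTNAME.findall(line):
        name = name.lower()
        if any(name == d or name.endswith("." + d) for d in SUSPECT_DOMAINS):
            hits.add(name)
    return hits


def scan(lines) -> list:
    """(line number, line, sorted indicators) for every line that carries an indicator."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = indicators_in(line)
        if hits:
            results.append((number, line, sorted(hits)))
    return results


if __name__ == "__main__":
    for number, line, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

Matching the whole netblock rather than only the one address is deliberate: the whois shows the registrar sits in a /21 assigned to one organisation, so neighbouring addresses deserve the same attention.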

Security

Security reminders

While looking through my del.icio.us links I found a couple that I haven’t had time to check in on lately. It is telling, really, that the sites I have not visited recently are those related to security best practices.

It is really entirely too easy to get sucked into other areas at work and rely on past practices to maintain security. But as things go in the world of tech, the rules, tools and environment change almost (it seems) daily.

With that in mind it is time to look again at the NIST Information Technology Security guidelines and the Center for Internet Security benchmarks.

Security

Pulling viruses out of the AVG vault

I was over at the Internet Storm Center and saw a simple how-to on retrieving viruses from the AVG vault for sending in to malware testers.

From the article:

Steps to export viruses from the AVG vault for analysis.

  1. Create a directory to store the files in.
  2. Open AVG.
  3. Select the virus vault.
  4. Click on the virus you wish to restore.
  5. Choose restore; that will prompt you for the directory to restore the virus into.
  6. Select the directory created in step 1.
  7. AVG will alert again if it’s in active monitoring mode. Choose continue.
  8. Turn off AVG resident shield protection if you plan to package the viruses up for submittal for malware analysis.
  9. Select the AVG resident shield and unselect “turn on avg resident shield protection”, then click Apply.
    Remember to turn resident shield back on as soon as your [sic] done with the virus.

There are further instructions in the article, including how to package a virus for sending for analysis. If you want to test this on your own machine so you know how to do it, use the EICAR test file (literally the following 68 characters: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* saved as a .com file), which will show up as a virus without actually doing or attempting to do any damage to your system.
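The one thing that trips people up with the EICAR file is producing the exact bytes: an editor that adds a newline or a BOM, or a shell that expands the `$` signs, gives you something other than the standard string. The script below is an added example, not from the ISC article: it holds the 68-byte string from the post as raw bytes, fingerprints it, and writes it in binary mode so nothing is translated. The SHA-256 is the published value for the standard string; the output path is a placeholder.

```python
import hashlib
import os
import tempfile

# The 68-character EICAR string exactly as the post gives it. Raw bytes, so the
# backslash and the dollar signs are literal and no newline is appended.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def fingerprint(data: bytes = EICAR) -> tuple:
    """(length, sha256 hex) of the bytes, the two things worth checking before a test run."""
    return len(data), hashlib.sha256(data).hexdigest()


def is_standard_eicar(data: bytes) -> bool:
    """True only for the exact 68-byte string, so a mangled copy is caught before you
    conclude that the scanner, rather than your file, is at fault."""
    return fingerprint(data) == (68, EICAR_SHA256)


def write_test_file(path: str) -> str:
    """Write the test file in binary mode (no newline translation) and return its path.
    Expect a resident scanner to grab it the moment it lands on disk; that is the point."""
    with open(path, "wb") as fh:
        fh.write(EICAR)
    return path


if __name__ == "__main__":
    length, digest = fingerprint()
    print(f"{length} bytes, sha256 {digest}")
    target = os.path.join(tempfile.gettempdir(), "eicar.com")   # placeholder location
    print("written to", write_test_file(target))
```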

Security

Talisker/DShield used by the NSA

This morning I came across an article at the Internet Storm Center about Bush’s visit to the NSA that showed their internet monitoring setup in the background.

From the article:

A little over a week ago the President of the United States visited the National Security Agency in Ft. Meade, Maryland. The visit came on the heels of allegations that domestic eavesdropping laws were broken, and that the administration had exceeded its authorized powers. We aren’t going to pick sides on that one but there was a really nice photo that showed up in the Washington Post as part of the story that we should all be proud of. When I first saw it, I thought:

Super-secret spy agency sensor grid – $Billions

Security for a visit from the President of the United States – $Millions

Showing the President that your prime source of information is a bunch of volunteers – PRICELESS!

See the photo or read the article. The image you see behind the NSA Director is the Talisker Security Wizardry Portal, which includes the DShield world map along with other security information.

That just tells me that there is intelligence in the NSA!