February 24, 2008
Spammers normally send mail directly from infected PCs, against which blacklists are a good defense. This may change in the future: a test run of a new method is currently underway. “Project xddo” and “xddo Casino” are the subjects of German spam mails which are not sent via infected PCs but via cracked accounts of mail server users. These legitimate mail servers have static IP addresses and are often whitelisted, which guarantees that the spam is delivered successfully ;-).
They really look like test spam mails: they are very simple and similar to each other, so checksum-based spam detection should easily recognise them as spam. Another peculiarity of the mails is a second To: entry in the header.
This new kind of spam is a direct result of the blacklists, which seem to be successful enough at blocking dynamic IP ranges and infected PCs. That is basically a good thing, but it is now time for mail server administrators (especially at internet service providers) to also check the mail their customers send. Since the spam goes out through the user's own credentials, such a check has to be tied to the authenticated account, not to the sending IP address. They should also start counting the undeliverable mails each user sends, and if the count goes over a configured limit the account should be disabled. Implementing such a check should be a priority, as otherwise the danger of being added to a blacklist rises dramatically.
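As an added example (not code from this post), the following Python shows what such a bounce check could look like: it joins each queued message to the SASL account that submitted it, counts deliveries that ended with status=bounced per account, and reports accounts over a limit. The log lines are constructed in a Postfix-like format; the regular expressions are written for that constructed format and would need adjusting for a real server's log, and a real implementation would have to handle queue IDs that are reused across log rotations.

```python
import re
import sys
from collections import Counter

# Constructed sample log in a Postfix-like format (made up, not real log data).
# The smtpd line records which SASL account submitted a queue id, the smtp
# lines record the delivery result for that queue id.
SAMPLE_LOG = """\
Feb 24 10:01:02 mx postfix/smtpd[1201]: 3A1B2C0D: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Feb 24 10:01:05 mx postfix/smtp[1300]: 3A1B2C0D: to=<a1@example.net>, relay=mx.example.net[203.0.113.5]:25, status=bounced (550 5.1.1 user unknown)
Feb 24 10:01:06 mx postfix/smtpd[1201]: 3A1B2C0E: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Feb 24 10:01:08 mx postfix/smtp[1300]: 3A1B2C0E: to=<a2@example.net>, relay=mx.example.net[203.0.113.5]:25, status=bounced (550 5.1.1 user unknown)
Feb 24 10:01:09 mx postfix/smtpd[1201]: 3A1B2C0F: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Feb 24 10:01:11 mx postfix/smtp[1300]: 3A1B2C0F: to=<a3@example.org>, relay=mx.example.org[203.0.113.9]:25, status=bounced (550 5.1.1 no such user)
Feb 24 10:01:12 mx postfix/smtpd[1201]: 3A1B2C10: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Feb 24 10:01:14 mx postfix/smtp[1300]: 3A1B2C10: to=<a4@example.org>, relay=mx.example.org[203.0.113.9]:25, status=bounced (550 5.1.1 no such user)
Feb 24 10:01:15 mx postfix/smtpd[1201]: 3A1B2C11: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Feb 24 10:01:17 mx postfix/smtp[1300]: 3A1B2C11: to=<a5@example.org>, relay=mx.example.org[203.0.113.9]:25, status=sent (250 2.0.0 OK)
Feb 24 10:02:00 mx postfix/smtpd[1202]: 3A1B2C12: client=pc7.example.com[192.0.2.44], sasl_method=LOGIN, sasl_username=bob
Feb 24 10:02:03 mx postfix/smtp[1301]: 3A1B2C12: to=<typo@example.net>, relay=mx.example.net[203.0.113.5]:25, status=bounced (550 5.1.1 user unknown)
Feb 24 10:02:10 mx postfix/smtpd[1202]: 3A1B2C13: client=pc7.example.com[192.0.2.44], sasl_method=LOGIN, sasl_username=bob
Feb 24 10:02:12 mx postfix/smtp[1301]: 3A1B2C13: to=<ok@example.org>, relay=mx.example.org[203.0.113.9]:25, status=sent (250 2.0.0 OK)
Feb 24 10:03:00 mx postfix/smtpd[1203]: 3A1B2C14: client=mx2.example.net[203.0.113.6]
Feb 24 10:03:02 mx postfix/smtp[1302]: 3A1B2C14: to=<gone@example.org>, relay=mx.example.org[203.0.113.9]:25, status=bounced (550 5.1.1 user unknown)
"""

# Patterns for the constructed format above (assumption: adjust for real logs).
AUTH_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=.*sasl_username=(?P<user>\S+)")
DELIVERY_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<[^>]*>.*status=(?P<status>\w+)")


def bounce_counts(log_text):
    """Return {account: number of bounced deliveries} for mail submitted by
    authenticated users. Mail without a SASL login (inbound relay traffic) is
    not attributed to anyone and therefore not counted."""
    owner = {}          # queue id -> account that submitted the message
    counts = Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            owner[m["qid"]] = m["user"]
            continue
        m = DELIVERY_RE.search(line)
        if m and m["status"] == "bounced" and m["qid"] in owner:
            counts[owner[m["qid"]]] += 1
    return dict(counts)


def accounts_over_limit(log_text, limit):
    """Accounts whose bounce count exceeds limit: candidates for disabling."""
    return sorted(user for user, n in bounce_counts(log_text).items() if n > limit)


if __name__ == "__main__":
    # usage: bounce_check.py /var/log/mail.log 20
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    limit = int(sys.argv[2]) if len(sys.argv) > 2 else 3
    for user in accounts_over_limit(text, limit):
        print("%s: %d bounces, over limit %d" % (user, bounce_counts(text)[user], limit))
```

Run against the constructed sample with a limit of 3, the script names alice (four bounces from one source IP in a minute) but not bob (one typo). The threshold and the time window over which the log is read are policy decisions; a short window with a low limit catches an account that starts spamming within minutes, which is what matters for staying off the blacklists.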
February 22, 2008
The hard disk and file encryption systems BitLocker (Vista), dm-crypt, TrueCrypt and Apple's FileVault were previously believed to be safe. This is no longer the case! Researchers from Princeton University published a video in their blog showing how to extract the encryption key from memory. The attack vector is the DRAM, which does not lose its contents immediately after a power cut: the data survives for some seconds or even minutes, and by cooling the memory (-50°C) this can be extended even further.
The researchers then boot a small program which dumps the memory onto a USB hard disk. A second program then searches this dump for the key. Take a look at the video, it is really well done!
My first thought on being at least a little bit more secure: do not use standby mode, but switch the computer off completely. This at least limits the attacker's window of opportunity to a few minutes. But it is not a solution. A solution would be a special RAM for storing the key which clears itself when the power is cut. This could be done with a capacitor which provides enough power to wipe the memory.
Does anyone have a better or other idea?
Many European nations have had Computer Emergency Response Teams (CERT) for years, and finally Austria is catching up. nic.at, the Austrian domain registry, plans to create one together with the Federal Chancellery of the Republic of Austria, starting with four employees. Chancellor Alfred Gusenbauer declared: “The internet is a valuable infrastructure which needs to be protected.” (Wow, he truly got it!)
So much for the official version, but not everything is gold. The CERT is only supposed to be an information hub providing international networking. So far so good, but what would be needed is its own infrastructure to react in cases of emergency, otherwise no defense can be coordinated. But this is a typical Austrian solution: we will have our own CERT, but it should not be as expensive as a real one.
If you hear “network printer” and think of a “dumb” machine sitting in the corner, you are mistaken. They are more like low-end servers running a standard operating system such as Linux or BSD on standard hardware; the Xerox WorkCentre MFP, for example, has an AMD processor, 256 MB of SDRAM and an 80 GB hard drive and runs Linux, Apache and PostgreSQL. Such a printer can be attacked like any other system in your network, maybe even more easily, as no anti-virus software is installed.
What is the possible impact of a compromised printer? It can do everything a normal computer could (attack other systems, sniff passwords, ...), but there is one big difference: a printer normally receives all the important documents that many users send for printing. It could easily send them over the internet to an attacker, and with its internal hard disk it could store them and leak them slowly. You say you restrict internet access and the MFP has none? Good, but then an attacker could use the internal fax; do you monitor that too? Does this not sound scary? It does to me, so be aware that MFP systems need their own security strategy.
Let's look at the current status. Most likely your printers still run the software version that was installed when you got them; normally nobody installs security updates on printers. And even if you wanted to, the problem is that, in contrast to your other appliances, printer vendors do not really care about security and do not provide security updates in time.
So besides installing security updates and monitoring the download sites for your printers (I don't believe most MFP vendors have a security announcement mailing list ;-)), I recommend moving your printers into a separate VLAN which is only reachable through a firewall. Configure that firewall so that only the print servers can talk to the printers and the printers can deliver received/scanned documents (e.g. to the mail or file server). Only the employees responsible for maintaining the printers should be able to connect to the management ports (be it http(s) or telnet). The printers' access to the internet should be limited to the required “service calls” to the service company, as some printers report to the service company that someone should come, e.g. with new toner.
Finally, use nmap or even OpenVAS to look at your printers; you will normally see ftp, http, ssh and telnet open. Talk to your printer vendor's representative and make them aware that IT security for printers is a concern of yours. Maybe the vendors will get better at security over time, if enough customers care about it.
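An added example (not code from this post) of turning the nmap scan into a repeatable check: the Python below parses nmap's grepable output (-oG) for a printer VLAN and lists every open port that is not in the set of services the firewall policy above is supposed to allow. The scan output is constructed, the hosts and addresses are made up, and the allowed set (raw printing on 9100, IPP on 631, https management on 443) is an assumed policy; put your own in its place.

```python
import re
import sys

# Constructed nmap -oG output for an imaginary printer VLAN (not a real scan).
# Each "Ports:" field is port/state/protocol/owner/service/rpc/version/.
SAMPLE_GNMAP = """\
# Nmap 4.53 scan initiated Sun Feb 24 11:00:00 2008 as: nmap -sS -p 1-1024,9100 -oG printers.gnmap 10.0.5.0/24
Host: 10.0.5.21 (mfp-floor1.example.internal)\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 443/open/tcp//https///, 9100/open/tcp//jetdirect///\tIgnored State: closed (1019)
Host: 10.0.5.22 (mfp-floor2.example.internal)\tPorts: 443/open/tcp//https///, 631/open/tcp//ipp///, 9100/open/tcp//jetdirect///\tIgnored State: closed (1022)
Host: 10.0.5.23 ()\tStatus: Down
# Nmap done at Sun Feb 24 11:00:41 2008 -- 256 IP addresses (2 hosts up) scanned in 41.2 seconds
"""

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\t(?P<rest>.*)$")
PORT_RE = re.compile(
    r"(?P<port>\d+)/(?P<state>[^/]*)/(?P<proto>[^/]*)/[^/]*/(?P<service>[^/]*)/")

# Assumed policy: what a printer may expose to the print server (9100 raw,
# 631 IPP) and to the printer administrators (443 for the management UI).
ALLOWED_PORTS = {("tcp", 9100), ("tcp", 631), ("tcp", 443)}


def parse_gnmap(text):
    """{ip: [(port, proto, service), ...]} of open ports for hosts that were up."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports:" not in m["rest"]:
            continue                       # comment line or host that is down
        hosts[m["ip"]] = [(int(p["port"]), p["proto"], p["service"])
                          for p in PORT_RE.finditer(m["rest"])
                          if p["state"] == "open"]
    return hosts


def unexpected_services(text, allowed=ALLOWED_PORTS):
    """Per host, the open ports that the policy does not allow (ftp, telnet, ...)."""
    report = {}
    for ip, ports in parse_gnmap(text).items():
        extra = [(port, service) for port, proto, service in ports
                 if (proto, port) not in allowed]
        if extra:
            report[ip] = extra
    return report


if __name__ == "__main__":
    # usage: printer_ports.py printers.gnmap  (sample output is used without an argument)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    for ip, extra in sorted(unexpected_services(text).items()):
        print(ip + ": " + ", ".join("%d/%s" % e for e in extra))
```

On the constructed data the first MFP is reported with ftp, ssh, telnet and http open, which is exactly the picture described above; the second one is clean. Running this after every firmware update, and against the management VLAN from a normal office port, shows whether the VLAN and firewall rules actually hold.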
February 21, 2008
I found the following on Slashdot: Codenomicon has published a whitepaper which discusses the state and future of wireless security. They examine Bluetooth and Wi-Fi, and also take a preliminary look at WiMAX. The results are almost universally dismal; vulnerabilities were found in 90% of the tested devices. The paper also looks at methods for vendors to preemptively block some types of threats. Quoting: “Despite boasts of hardened security measures, security researchers and black-hat hackers keep humiliating vendors. Security assessment of software by source code auditing is expensive and laborious. There are only a few methods for security analysis without access to the source code, and they are usually limited in scope. This may be one reason why many major software vendors have been stuck randomly fixing vulnerabilities that have been found and providing countless patches to their clients to keep the systems protected.”
February 20, 2008
In my post “One is a coincidence, two are suspicious but three or even four are no coincidence!” I wrote about the four underwater cables which had “accidents”. Now there is some news on this topic.
The International Telecommunication Union (ITU) thinks that sabotage is a possibility. Wow, so this is more than a simple conspiracy theory! The head of the ITU's Telecommunication Development Sector, Sami Al Basheer Al Morshid, said that he will not rule it out before the end of the investigation. According to heise online (German), he said that some experts don't believe that ships could tear the cables by accident, as the cables are laid very deep and the areas are off limits for ships.
The worm Nachi inspired Microsoft: in 2003 it intruded into Windows systems, removed MSBlaster (aka Lovsan) and patched the security hole it had used to gain access. Now a researcher at the company has published a paper on how to deploy security updates via a good worm. They did research on better ways to find and attack ... ah sorry ... patch insecure computers. Microsoft claims that this would remove the need for central servers for security updates.
This is just a plain stupid idea! And I'm not alone: read what Bruce Schneier thinks about it.
Here are my thoughts:
- Microsoft has a known history of releasing only security updates which work and which introduce no additional functionality. So you don't need to decide whether to update your systems, Microsoft takes care of it. Everything will work afterwards.
- For an Intrusion Detection System it is really easy to distinguish between good and bad worms; the good worms have the better algorithms for attacking ... ah sorry again ... fixing your systems.
- Firewalls have enough intelligence to tell the difference between a good worm probing and a malicious cracker.
- All of your systems can be rebooted at any given time without problems, nothing critical can happen.
- To take the load off central servers we could not use something like BitTorrent, as that would be a documented protocol. It is better to use something which does not require an agent on the systems that the user could configure.
- We only need to deploy updates for security vulnerabilities which give an attacker root access, which we need for patching the system anyway.
As we're all so fond of this idea, Microsoft is now telling us that they are not working on it. As we all know, Microsoft does not lie, so this must be true.
February 16, 2008
I'm operating some mail servers where I'm running two different virus scanners. The first one is engaged during the SMTP dialogue and rejects malicious mails. The second one is invoked before the maildrop filter; if it detects malware, the attachment is removed from the mail and stored in a quarantine directory. The user is informed about the removal so he can write me a mail if he wants the file, but most users will never ask for the files, so I needed a script which deletes all files in the quarantine directory that are older than a configured number of days.
delete_old_files.py is this script, which I call from crond like this:
# m h dom mon dow command
23 23 * * * /usr/local/sbin/delete_old_files.py /var/quarantine/ 30
This is a general purpose script which should also be helpful in other scenarios.
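For readers who want to write their own, here is an added example of such a cleanup script (this is not the delete_old_files.py from this post). It takes the same two arguments as the crontab line above, a directory and an age in days, deletes the regular files directly inside that directory whose modification time is older than the limit, and has a dry-run switch so the selection can be checked before it is put into cron. Symlinks and subdirectories are deliberately left alone, since a quarantine area may contain per-user subdirectories or links that should be handled separately. The sample quarantine it builds for testing is constructed in a temporary directory.

```python
#!/usr/bin/env python3
"""Delete files in a directory that are older than N days (by mtime)."""
import argparse
import os
import sys
import tempfile
import time


def delete_old_files(directory, max_age_days, now=None, dry_run=False):
    """Remove regular files directly inside directory whose mtime is older
    than max_age_days. Symlinks and subdirectories are left alone. Returns the
    sorted list of paths that were (or, with dry_run, would be) removed."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    removed = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            if entry.stat(follow_symlinks=False).st_mtime < cutoff:
                if not dry_run:
                    os.remove(entry.path)
                removed.append(entry.path)
    return sorted(removed)


def build_sample_quarantine(now):
    """Constructed fixture for trying the script out: a temporary directory
    with one attachment that is 40 days old, one from an hour ago, and a
    subdirectory. Returns (directory, old_path, new_path)."""
    directory = tempfile.mkdtemp(prefix="quarantine-")
    old = os.path.join(directory, "old-attachment.bin")
    new = os.path.join(directory, "new-attachment.bin")
    for path in (old, new):
        open(path, "wb").close()
    os.utime(old, (now - 40 * 86400, now - 40 * 86400))
    os.utime(new, (now - 3600, now - 3600))
    os.mkdir(os.path.join(directory, "per-user"))   # must survive untouched
    return directory, old, new


def main(argv=None):
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("directory")
    parser.add_argument("days", type=int, help="delete files older than this many days")
    parser.add_argument("-n", "--dry-run", action="store_true",
                        help="only list what would be deleted")
    args = parser.parse_args(argv)
    if args.days < 0:
        parser.error("days must be >= 0")
    for path in delete_old_files(args.directory, args.days, dry_run=args.dry_run):
        print(("would delete " if args.dry_run else "deleted ") + path)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Called as `/usr/local/sbin/delete_old_files.py -n /var/quarantine/ 30` it only prints the candidates; without `-n` it deletes them, which is the form that belongs in the crontab. Passing the current time in explicitly (the `now` parameter) is what makes the age logic testable without waiting 30 days.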
February 12, 2008
I've just moved my iptables firewall scripts from the old server to my blog and updated them with some new tricks I learned in the last years. I have (modified) versions of these scripts running on all of my servers, as they provide an easy starting point which saves much time. The rules are easy enough to understand and change; I'm not a fan of complicated iptables rules you won't understand without a special GUI. If something is that complex it will have holes in it! I hope these scripts show you that iptables is not complicated. Have fun and be secure.
February 11, 2008
Bryan Betts writes at security.itworld.com that “Encryption could make you more vulnerable, warn experts”. I have to vigorously disagree! Data encryption creates a different kind of attack vector, but I guess that is not such a good headline. Sure, DoS attacks against the key infrastructure must be added to the list, but encryption helps against simpler attacks like the “loss” of a medium. As that kind of attack is much easier to execute, encryption even decreases the attack surface.
In conclusion, this news is pushed by consulting firms which want to sell to scared companies. Nonetheless you should always keep an eye on the processes you implement with regard to DoS attacks. An example of a bad process is remote access via an SSL VPN which, after some failed logins, disables a user account not only on the VPN server but on the backend too (like an Active Directory). An attacker then only needs to guess the user name, which is not that hard most of the time (the part of the email address before the @ is a good start in most cases), to make it impossible for a given user to work. A temporary lockout that is local to the VPN, or rate limiting per source address, keeps the protection against password guessing without handing the attacker a lever against the directory.
In summary, all things come with inherent risks, and the risks of any particular action must be weighed against the rewards. Encryption is necessary for many businesses, and if such attacks are truly a worry, they should be addressed in the same manner as any other risk.