Differently vulnerable and not more vulnerable

February 11, 2008

Bryan Betts writes at security.itworld.com that “Encryption could make you more vulnerable, warn experts”. I have to vigorously disagree! Data encryption creates a different kind of attack vector, but I guess that is not such a good headline. Sure, DoS attacks against the key infrastructure must be added to the list, but encryption helps against much simpler attacks like the “loss” of a medium. As that kind of attack is far easier to execute, encryption actually decreases the attack surface.

In conclusion, I can say this news is provided by consulting firms which want to sell to scared companies. Nonetheless you should always keep an eye on the processes you implement with regard to DoS attacks. An example of a bad process is remote access via an SSL VPN which, after some failed logins, disables the user account not only on the VPN server but on the backend too (like an Active Directory). An attacker then only needs to guess the user name, which is not that hard most of the time (the part of the email address before the @ is a good start in most cases), to make it impossible for a given user to work.
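
The lockout problem above, worked through as an added example (this is not code from the original post, and the thresholds, toy directory and addresses are constructed for the demonstration). It models the bad process described, an SSL VPN that forwards every login attempt to the backend directory whose own lockout policy then disables the real account after a handful of wrong passwords from anyone who knows the user name, and compares it with a gateway that keeps the failure counter at the VPN edge and stops forwarding before the backend threshold is reached:

```python
"""Where the login lockout lives decides who can be locked out.

Added example, not from the original post. Models the bad process described
above: an SSL VPN that forwards every login attempt to the backend directory
(think Active Directory), whose own lockout policy then disables the real
account after a handful of wrong passwords from anyone who knows the user
name. The alternative keeps the failure counter on the VPN gateway and stops
forwarding before the backend threshold is reached, so a guessing attacker
can at most block the VPN login for that user, while the account itself
(desktop login, mail) stays usable. Thresholds, the toy directory and the
sample addresses are all constructed for the demonstration.
"""
from collections import defaultdict

BACKEND_LOCKOUT_THRESHOLD = 5   # assumption: directory locks an account after 5 failures
EDGE_LOCKOUT_THRESHOLD = 3      # assumption: gateway stops forwarding after 3 failures


class Directory:
    """Toy backend directory with a per-account lockout counter."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)          # user -> password
        self.failures = defaultdict(int)
        self.locked = set()

    def authenticate(self, user, password):
        if user in self.locked:
            return False
        if self.accounts.get(user) == password:
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        if self.failures[user] >= BACKEND_LOCKOUT_THRESHOLD:
            self.locked.add(user)               # the account the whole company uses is now dead
        return False


class ForwardingGateway:
    """The bad process: every attempt, from anyone, reaches the directory."""

    def __init__(self, directory):
        self.directory = directory

    def login(self, source_ip, user, password):
        return self.directory.authenticate(user, password)


class EdgeLockoutGateway:
    """Counts failures per user at the VPN edge and refuses to forward once
    EDGE_LOCKOUT_THRESHOLD is hit. Because that threshold is below the
    backend's, the directory never sees enough failures to lock the account;
    only the VPN login for that user is blocked (in practice for a cooldown
    period, which is omitted here)."""

    def __init__(self, directory):
        self.directory = directory
        self.failures = defaultdict(int)

    def login(self, source_ip, user, password):
        if self.failures[user] >= EDGE_LOCKOUT_THRESHOLD:
            return False                        # blocked at the edge, backend untouched
        ok = self.directory.authenticate(user, password)
        self.failures[user] = 0 if ok else self.failures[user] + 1
        return ok


def simulate(gateway_cls, attacker_attempts):
    """Attacker bursts wrong passwords for a known user name through the VPN,
    then the real user tries the VPN and afterwards a plain directory login.
    Returns (vpn_login_ok, directory_login_ok) for the legitimate user."""
    directory = Directory({"alice": "correct-horse"})
    gateway = gateway_cls(directory)
    for _ in range(attacker_attempts):
        gateway.login("203.0.113.7", "alice", "wrong-guess")
    vpn_ok = gateway.login("192.0.2.10", "alice", "correct-horse")
    directory_ok = directory.authenticate("alice", "correct-horse")
    return vpn_ok, directory_ok


if __name__ == "__main__":
    for cls in (ForwardingGateway, EdgeLockoutGateway):
        vpn_ok, dir_ok = simulate(cls, 10)
        print(f"{cls.__name__:<20} after 10 guesses: VPN login ok={vpn_ok}, directory login ok={dir_ok}")
```

With ten guesses the forwarding gateway leaves Alice locked out everywhere, while the edge lockout only blocks her VPN login and her directory account keeps working. The point is not the exact numbers but where the counter lives: a lockout that an anonymous attacker can trigger must never propagate to the identity store that everything else depends on.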

In summary, all things come with inherent risks, and the risks of any particular action must be weighed against its rewards. Encryption is necessary for many businesses, and if such attacks are truly a worry, they should be addressed in the same manner as any other risk.

Govware: New name for a special kind of Malware

February 9, 2008

In the last weeks and months I have increasingly heard the new word Govware, which denotes a special kind of malware. I thought that this is interesting and informative for some of my readers, which led to the post you are reading now ;-). But first things first – what is malware? Wikipedia defines it this way:

Malware is software designed to infiltrate or damage a computer system without the owner’s informed consent. It is a portmanteau of the words “malicious” and “software”. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

Govware is malware used by governmental entities to extract information from computers without the knowledge of the user. Govware is a portmanteau of the words “government” and “software”. In Germany Govware is often called “Bundestrojaner”, but the term which is “winning” in the security sector seems to be Govware. I think this name comes more from Europe than from the US, but it is really easy and logical – so I think it will stick on both sides of the Atlantic.

One is a coincidence, two are suspicious, but three or even four are no coincidence!

February 6, 2008

What am I talking about? About the four underwater cables in the Middle East and India which stopped working. On January 30, 2008 the underwater cables “Fiber-Optic Link Around the Globe (FLAG)” and “SEA-ME-WE 4” got cut off the coast of Egypt. At first everyone was talking about ships which possibly cut the cables, but now the Egyptian ministry of telecommunication went public with the information that there were no ships in that area within 12 hours.

On February 1, 2008 the Indian telecommunication company Reliance Communications reported a fault on its cable Falcon off the coast of the Emirates. And last weekend there was another incident with an underwater cable of Qatar Telecom (Qtel) between the islands Haloul and Das, but this time it seems at least to be a power supply problem.

Anyway, quite unstable, the underwater cables these days .....

Now why am I posting this? It should show you that the internet can be attacked physically. Most people think the internet was made for a nuclear war and that it is not possible to damage it to a large degree. Even though this is a myth, it had some truth in the past, but now everything is driven by the need to be economical. This leads to the point that the backbone of the internet is provided by only a few physical connections / organizations.

But this also leads me to the point that I don’t think these 4 incidents were related ..... or better, coordinated, as an attacker could do better – or it was a lame attacker. But it should show us that the internet is not that hard a target, even for guys who don’t know anything about computers. You only need to know which lines run where, find the spots you need to hit at the same time, and you can cripple the internet in a region.

It should therefore be in the strategic interest of most countries to increase the number of physical connections and organizations handling the internet backbone. But I’m aware that this is not that easy – at least the number of organizations and connections should not go down further. With every merger of backbone providers some manager will look at 2 cables going from A to B and remove one as it is more economical. With this attitude we are on the way to a non-fault-tolerant internet on which our whole economy builds. I can’t think of a better target to damage a modern economy.

ovpnCNcheck — an OpenVPN tls-verify script

February 2, 2008

If you’re running an OpenVPN server you may have asked yourself how you can decide which clients may connect even if they were all signed by the same CA. A common case arises if you provide more than one OpenVPN server but not all clients should be able to connect to every one. Sure, it would be possible to use a separate CA for each server, but that would not be flexible. The clients would need more than one certificate/key pair, and if you want to enable/disable access to a certain server for a client you would need to generate/revoke the client certificate. Not a good idea!

I’ve therefore written two scripts which solve this problem. These scripts check if the peer is in the allowed user list by comparing the CN (common name) of the X.509 certificate against a provided text file. For example in OpenVPN, you could use the directive:

tls-verify "/usr/local/sbin/ovpnCNcheck.py /etc/openvpn/userlist.txt"

This causes the connection to be dropped unless the client common name is within userlist.txt. The bash script just checks if the common name is in one of the lines (one CN per line), and the python version parses the provided regular expressions. In this case every line should hold one regular expression, which can also be just a plain common name (don’t forget to escape characters like .?^()[]\ with a \). Empty lines or ones which start with a # are ignored. The bash version also works on an “out of the box” OpenWRT installation.

Python version: ovpncncheck.py
Bash version: ovpncncheck.sh
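
To show what such a tls-verify script has to get right, here is an added illustration in Python; it is not the author's ovpnCNcheck.py linked above. OpenVPN runs the tls-verify command with the arguments from the directive followed by two more, the certificate depth (0 is the peer certificate, higher values are the CA chain) and the X.509 subject string, and a zero exit status accepts the certificate. The script is therefore called once per certificate in the chain and must only apply the user list at depth 0. Assumed here: the subject arrives either in OpenVPN's legacy “/C=AT/O=Org/CN=name” form or the newer “C=AT, O=Org, CN=name” form, and no attribute value itself contains the separator; the list format is the one described in the post (one regular expression per line, blank lines and # comments ignored) and a pattern has to match the whole CN:

```python
"""tls-verify style common-name check for OpenVPN.

Added example, not the author's ovpnCNcheck.py. OpenVPN appends two
arguments to the tls-verify command: the certificate depth (0 = the peer
certificate) and the X.509 subject. Exit 0 accepts, anything else rejects.
Assumptions: the subject is in the legacy "/C=AT/O=Org/CN=name" form or the
newer "C=AT, O=Org, CN=name" form, and no attribute value contains the
separator. The user list holds one regular expression per line; blank lines
and lines starting with '#' are ignored; a pattern must match the whole CN.
"""
import re
import sys


def extract_cn(subject):
    """Return the CN attribute of an OpenVPN X.509 subject string, or None if absent."""
    if subject.startswith("/"):
        parts = subject[1:].split("/")          # legacy format
    else:
        parts = subject.split(", ")             # OpenVPN 2.3+ default format
    for part in parts:
        key, sep, value = part.partition("=")
        if sep and key.strip() == "CN":
            return value
    return None


def parse_userlist(text):
    """Compile the allow list: one regex per line, '#' comments and blanks skipped.
    A malformed pattern is a configuration error and must not silently admit anyone."""
    patterns = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            patterns.append(re.compile(line))
        except re.error as exc:
            raise ValueError(f"userlist line {lineno}: bad regex {line!r}: {exc}")
    return patterns


def cn_allowed(cn, patterns):
    """True if the whole CN matches at least one pattern (fullmatch: 'alice' does not admit 'alice2')."""
    return cn is not None and any(p.fullmatch(cn) for p in patterns)


def verify(depth, subject, patterns):
    """Decision for one tls-verify invocation. Only the peer certificate (depth 0)
    is checked against the list; CA certificates in the chain pass here because
    OpenVPN still validates the chain itself."""
    if depth != 0:
        return True
    return cn_allowed(extract_cn(subject), patterns)


def main(argv):
    if len(argv) != 4:
        sys.stderr.write("usage: ovpn_cn_check.py USERLIST DEPTH SUBJECT\n")
        return 2
    with open(argv[1]) as fh:
        patterns = parse_userlist(fh.read())
    return 0 if verify(int(argv[2]), argv[3], patterns) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two details matter in practice: anchoring the pattern (fullmatch, or ^...$ in the list) so that a line like build-[0-9]+ does not also admit a CN such as build-1-evil, and treating an unparseable list as a hard failure rather than an empty one, since a script that exits non-zero for everything locks clients out loudly instead of letting the wrong ones in quietly.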

Hope it helps you!

Active attacks on home routers underway

January 23, 2008

Only last week I posted about the UPnP attack vector on home routers and now Symantec is reporting active attacks on Mexican internet users. The purpose of this attack is to manipulate the DNS settings of the router so the user is directed to a phishing site for a popular Mexican bank. As there is no change on the computer itself, security software will have a hard time detecting such attacks. Sure, the SSL certificate the fake site provides is most likely faked, but most users just click OK anyway. But my guess would be that the phishing site is just plain HTTP anyway.

But this is not the only attack vector, even if a password is set for the router (not counting the default password). If a router allows the user to authenticate via a cookie, then an attacker only needs to provide a URL which includes the commands for the router. Sure, the attacker needs to know which router the user has, but that is not as complicated as you might think. For example in Austria an attack would best be done against the Alcatel SpeedTouch router (configured in multi-user mode), which Telekom Austria has used since the start of DSL in Austria. And to make it worse, there is no password defined by default, so we don’t need a cookie attack at all.
It is therefore important to change the default password and to make sure the router requires a password each time you start your browser. It is also a good idea to restart your browser after you have authenticated yourself to the router and before you surf the internet.

You ask yourself how the attacker knows the IP address of the router? That’s easy – the following possibilities exist:

  • just try 192.168.0.1 (or whatever the default setting of the router to be attacked is)
  • get the IP address of the computer and replace its last octet with a 1 (JavaScript?)
  • use an applet (Flash, Java, ....) to get the default gateway or DNS server IP address – you’ve got your router

The first one is the easiest, but also the easiest to defeat. Just move the network to a new /24 out of 192.168.0.0/16, 172.16.0.0/12 or 10.0.0.0/8, e.g. 10.133.122.0/24. So let’s change the following mantra a little bit. Recommended steps for setting up your home router:

  • Unbox
  • Throw the disk away
  • Plug in your machine, Turn on the router and navigate to the Web-GUI
  • Turn off UPNP
  • Change the subnet of your router
  • Change default name and password, set WPA-PSK
  • Check that remote management is disabled
  • ….

I’ve changed the subnets of my routers for years, just because the 192.168.0.0/24 stuff didn’t look cool – so be cool and change yours too.
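
The first two guessing strategies from the list above and the subnet advice, worked through as an added example (not code from the original post). The list of well-known default addresses is constructed for the demonstration, and the router is assumed to sit on the .1 address of its /24; what the run shows is that moving the LAN to a random private /24 defeats the blind guess but not the guess derived from the victim's own IP address, which is exactly why the rest of the mantra (password, UPnP, remote management) still matters:

```python
"""How the attacker finds the router, and what moving the subnet does about it.

Added example, not from the original post. Implements the first two guessing
strategies from the list above (try the well-known default address; take the
victim's own IP and set the last octet to 1) and the defence from the text
(move the LAN to a random /24 inside the RFC 1918 ranges). The list of
well-known defaults is constructed for the demonstration and the router is
assumed to sit on the .1 address of its /24.
"""
import ipaddress
import secrets

# Constructed list of addresses an attacker would try blindly first.
WELL_KNOWN_DEFAULTS = ("192.168.0.1", "192.168.1.1", "10.0.0.1")

RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def blind_guesses():
    """Strategy 1: no knowledge about the victim at all."""
    return list(WELL_KNOWN_DEFAULTS)


def guess_from_host_ip(host_ip):
    """Strategy 2: the victim's own address (as a script in the browser could learn it)
    with the last octet set to 1."""
    network = ipaddress.ip_interface(f"{host_ip}/24").network
    return str(network.network_address + 1)


def random_private_24():
    """The defence: a /24 chosen at random from the private ranges, never one that
    contains a well-known default address."""
    while True:
        parent = secrets.choice(RFC1918)
        subnet_count = 2 ** (24 - parent.prefixlen)          # number of /24s inside parent
        offset = secrets.randbelow(subnet_count) * 256
        candidate = ipaddress.ip_network((int(parent.network_address) + offset, 24))
        if not any(ipaddress.ip_address(d) in candidate for d in WELL_KNOWN_DEFAULTS):
            return candidate


def attack_outcome(lan):
    """For a LAN (router at .1, victim PC at .57 of the same /24) report which strategy
    finds the router. Returns (blind_guess_hits, derived_guess_hits)."""
    network = ipaddress.ip_network(lan)
    router = str(network.network_address + 1)
    victim = str(network.network_address + 57)
    return router in blind_guesses(), guess_from_host_ip(victim) == router


if __name__ == "__main__":
    for lan in ("192.168.0.0/24", str(random_private_24())):
        blind, derived = attack_outcome(lan)
        print(f"{lan:<18} blind guess: {'hit' if blind else 'miss':<5} "
              f"derived from victim IP: {'hit' if derived else 'miss'}")
```

Run it and the default network reports a hit for both strategies, the randomized one a miss only for the blind guess. The subnet change is cheap and removes the dumbest attack, nothing more.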

ICQ / AOL is testing encryption – by adopting XMPP [Update]

January 18, 2008

Florian Jensen breaks the news about AOL adopting the Jabber protocol XMPP – at least on a test server. This is a good move for the interoperability of instant messaging services but also a good one for security and for me.

ICQ traffic goes unencrypted over the network, and I know of special programs which sniff the traffic for POP3, SMTP, ICQ, .... communications and log the login data into a log file (good on routers 😉 ). So you don’t need someone who understands the OSCAR protocol; any script kiddie can use these tools. This is the reason I don’t use ICQ except on networks I trust. You’ll ask yourself why I use ICQ (with Kopete as client) at all? Too many friends whom I have known for a long time (since ICQ was the only instant messaging system – you know, the time before it was bought by AOL 😉 ) are still using ICQ. I also have a Jabber account, and some of my friends have switched to Jabber or are using both as I do, but most use ICQ as their only IM system, for more than 10 years now.

As XMPP is a “good” internet protocol, the usage of TLS / SSL encryption is common throughout clients and servers. If AOL is really switching to XMPP it would really increase security, so let’s hope that this is the first step. Even if they keep their protocol and only allow XMPP servers to send messages to their clients it would help me. I would just stop using my ICQ ID and switch completely to my Jabber ID, which could then communicate with my ICQ buddies.

Update: As Edwin Aoki from AOL pointed out in his comment, you’re safe if you’re using the original AOL clients. Sorry for not making that clear. The problem is only that I don’t know anyone who is using the original clients; even the friends who are using Windows are running alternative clients.

Proof that UPnP on home routers is bad

January 14, 2008

I have said it for years: it is a bad idea to enable UPnP on systems that protect your local network and/or PC from the internet. With UPnP any program on your PC is able to open “firewall” ports on your home router without requiring user interaction. UPnP may have its purpose for streaming media within a secure network, of which I’m not totally convinced anyway, but letting any malicious or badly written program open your PC/network to the whole internet is plain stupid. Ok, this has all been known for years – so why this post now?

Some folks at GNU Citizen have created a Flash swf file capable of opening ports into your network simply by visiting a malicious URL. This is done via the UPnP functionality common home routers provide. As Flash is installed on the majority of personal computers this is a significant attack vector, especially since a “flash ad” can be inserted quite easily into trusted websites, or by hacking such a website.

As this is not a new threat I can just repeat my standard statement when it comes to setting up a home router:

  • Unbox
  • Throw the disk away
  • Plug in your machine, Turn on the router and navigate to the Web-GUI
  • Turn off UPNP
  • Change default name and password, set WPA-PSK
  • Check that remote management is disabled
  • ….

Bruce Schneier is wrong about unencrypted WLAN!

January 12, 2008

Bruce is right with many statements, but his latest one (Steal This Wi-Fi) is just populist and tries to provoke people. People with an understanding of this topic will see that and take it the right way, but not the ones who have a default setup of an access point / router running at home. They heard in the media that they have an insecure setup at home and hopefully thought about changing that – but now a security expert tells them that’s not needed. He is simplifying the whole topic and forgetting some important points.

Most users who have an unencrypted WLAN also have an insecure PC at home. What is easier for them to do? Make a Windows system secure beyond activating the automatic updates, or log in to their router, change the password and configure the WLAN to be encrypted with a 20-character password?
Sure, this still leaves the attack vector via malicious websites and emails, but it is a start, and a drive-by attack is now much more complicated. Would a secure computer help? Sure, but is it realistic?

Bruce also writes about his dear neighbors, who may need his internet access. Some thoughts about this. Not all neighbors are your friends; just talk to your friends – ask them if all their neighbors are their friends. If you like your neighbors, why not set up an encrypted WLAN, tell them the password and share the costs of the internet connection with them. That helps everyone – except the ISP 😉

But let’s look more at his technical points. He says that he is as secure on his unencrypted WLAN at home as at a public hotspot. Public access points normally allow no direct communication between clients. In infrastructure mode all traffic, even between 2 clients, needs to be relayed by the access point, and in a public access point setup it just makes no sense to activate this feature. Due to the limited address space of IPv4, almost all public access points will provide only local IP addresses which are then masqueraded behind one global IP address. So while it is possible to sniff the packets from and to the clients, it is not possible to initiate a direct connection to a client.
But still I would not do my e-banking via a public hotspot. Sure, I trust my notebook and the CAs I’ve installed, and I think the current version of SSL is secure. But still I would not do it. Call me paranoid, but it is different to do something like this at home or at a public hotspot.

I believe in layered security. Bruce writes in this commentary that one layer of security is enough (the one on his PCs). I can’t believe that he really means that. If you want to provide yourself with plausible deniability then use 2 separate WLANs: one that is unencrypted and provides only access to the internet, and one that is encrypted with WPA and at least a 20-character password, as a passive (offline) dictionary attack against a captured handshake is possible on WPA-PSK. Within this network you and your family can work behind a first line of defense. That is a similar setup to the one FON provides, which he mentions in his commentary. So why should someone like Bruce use the unencrypted network for himself?

Besides these technical points one also needs to look at the legal ones. He writes about the situation in the US, which is quite different from the laws in Europe; e.g. a German court ruled that the owner of a WLAN is required to secure it and keep it secure (German).
And I won’t talk about the problems you get into if the police raid your home, even if they don’t find anything, and the gossip this leads to in your village.

DMZ on SOHO routers is a joke!

January 10, 2008

If I talk to people with a DSL router/NAT they sometimes tell me they have placed a PC or gaming console into a DMZ (demilitarized zone) and now they are secure. If I hear something like this I am on the brink of crying. Why?

First let’s take a look at how these routers implement their version of a DMZ. You specify the IP address of the device which should be in the DMZ, and every unsolicited inbound connection from the internet is forwarded to that device. Basically that’s it. This IP address is from the same subnet as your other internal devices, which should be protected from the systems in the DMZ. But that is not the case in this scenario! Why? The device in the DMZ can communicate with the devices in the internal network – which is the same network anyway – without any filtering by a firewall. In theory this would be possible with a filtering bridge (layer 2), but on the SOHO routers I checked it’s just an internal switch. As their version of a DMZ cannot protect your internal network from your DMZ devices if they get compromised, you are under the false impression of being secure.

How to make a secure DMZ setup with a SOHO router?

I recommend installing OpenWrt on your router if you’re fit enough with Linux. You can then specify (at least on the Linksys WRT54GL routers I always buy/recommend) which VLAN should be untagged on which switch port (the Linksys has an internal 6-port switch – 1 port for the CPU, 1 for the uplink and 4 for devices). After you’ve specified the VLANs you can configure separate subnets for the internal network and the DMZ. After that, configure the firewall rules so that only the internal network can initiate connections to the DMZ, but not the other way round.

The problem with this setup is that it requires a lot more knowledge than the wrong version above, and the described solution is therefore not feasible for the majority of users. Anyway, this post should at least show the users of such a DMZ the design flaws in their DMZ. And maybe, just maybe, some SOHO DSL router manufacturer will create a real DMZ feature.
This is my first blog entry in the IT security segment, so please tell me what you think about it. Thx.

Powered by WordPress