DoxPara Research


Taming Conficker, The Easy Way
March 30 2009

We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out.  Maybe they don't have to:  I've been working with the Honeynet Project's Tillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network.  What we've found is pretty cool:  Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly.  You can literally ask a server if it's infected with Conficker, and it will tell you.  Tillmann and Felix have their own proof-of-concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, Nmap, nCircle, and Qualys.

We figured this out on Friday, and got code put together for Monday.  It’s been one heck of a weekend.

The technical details are not complicated — Conficker, in all its variants, makes NetpwPathCanonicalize() work quite a bit

Infrastructure Attacks: A Growing Concern
March 24 2009

So the general theme of my talks for the last year has been about the extraordinary damage that infrastructure attacks are capable of. I do believe it’s possible to bolster endpoint security — to achieve end-to-end trust — but it will take more than what we’re doing right now. It will take, somewhat to my surprise, DNSSEC.

It will also take treating infrastructure itself with more care, and more security due diligence, than we do today. Forget patching infrastructure: when my DNS bug hit, a remarkable number of sites found themselves struggling simply to identify the DNS servers they were dependent on. We can do better. We need better operational awareness of our infrastructure. And we need infrastructure, over time, to become a lot safer and easier to update. That means automatic update isn't just for desktops anymore, that firmware patches need to have a much higher likelihood of not bricking the hardware, and possibly, that we need fewer builds with more testing for a production environment that is increasingly under attack.

The reality is the bad guys are out there, and they're learning.  Just as attackers moved from servers to clients, some are moving from compromising a single client to compromising every client behind vulnerable infrastructure.  Psyb0t, a worm that has been bouncing around since January, was recently found by DroneBL and reported on by Ryan Naraine.  It targets home routers, and early estimates are that it has hit over 100K of them.  Home routers are a wonderful, enabling technology for users, and even for security: they carried us through 2001-2004's years of widespread server-side vulnerabilities.  So we shouldn't be too down on them.  But they do have vulnerabilities, and they are getting exposed.

This, of course, is something quite a few people have been talking about.  CSRF (Cross Site Request Forgery) attacks have affected everyone from Linksys to Motorola to Siemens to Cisco.  More problematically, the DNS Rebinding attacks discussed by me, David Byrne, Dan Boneh/Adam Barth/Collin Jackson, and others in 2007 still affect home routers. And I'm not talking about Java and Flash sockets, like at this year's CanSecWest talk.  I'm talking about simply running rebinding against the browser itself, so that a remote website and a local router appear under the same name, and the site's scripts can therefore reach the router as if it were same-origin.

This should sound familiar, because this is what I discussed at RSA last year.
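The rebinding mechanism described above, as an added example that is not part of the original post: the attacker's authoritative DNS answers with a short TTL, first with the attacker's public web server, then with the router's private address. The browser's same-origin check compares (scheme, host, port) strings, so a second fetch to the same name is allowed even though the name now resolves to 192.168.1.1. The resolver's `reject_private` option is a stand-in for the defensive check a resolver can apply (refusing private answers for public names, as dnsmasq's `--stop-dns-rebind` does). All names and addresses are constructed, and everything runs in-process; no packets are sent.

```python
"""Toy model of DNS rebinding against a home router's web interface.

Added example, not code from the original post. Browser, resolver and
attacker DNS are all simulated in-process; nothing touches the network.
Hostnames and addresses are constructed (attacker.example, 203.0.113.10 as
the attacker's server, 192.168.1.1 as the router).
"""
import ipaddress


class RebindingAuthority:
    """Attacker-controlled authoritative DNS for one name.

    The first answer points at the attacker's public web server so the page
    loads; every later answer points at the victim's router. A tiny TTL makes
    the browser's cache expire quickly, so the second lookup happens while the
    attacker's page is still open.
    """

    def __init__(self, name, public_ip, target_ip, ttl=1):
        self.name = name
        self.public_ip = public_ip
        self.target_ip = target_ip
        self.ttl = ttl
        self.queries = 0

    def answer(self, name):
        if name != self.name:
            return None, 0
        self.queries += 1
        ip = self.public_ip if self.queries == 1 else self.target_ip
        return ip, self.ttl


RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


class StubResolver:
    """Caches answers for their TTL, like a browser or home-router DNS cache.

    With reject_private=True it refuses to hand out a private address for a
    name it learned from an upstream (public) authority.
    """

    def __init__(self, authority, reject_private=False):
        self.authority = authority
        self.reject_private = reject_private
        self.cache = {}  # name -> (ip, expires_at)

    def resolve(self, name, now):
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0]
        ip, ttl = self.authority.answer(name)
        if ip is None:
            raise LookupError(name)
        if self.reject_private and is_rfc1918(ip):
            raise ValueError(f"rebinding blocked: {name} -> {ip} is a private address")
        self.cache[name] = (ip, now + ttl)
        return ip


def same_origin(a, b):
    """The same-origin policy compares (scheme, host, port) only; the IP the
    host currently resolves to never enters the comparison."""
    return a == b


def simulate(reject_private=False):
    """Return (ip of the initial page load, ip of the later same-origin fetch)."""
    authority = RebindingAuthority("attacker.example", "203.0.113.10", "192.168.1.1", ttl=1)
    resolver = StubResolver(authority, reject_private=reject_private)
    page_origin = ("http", "attacker.example", 80)

    # t=0: the victim opens http://attacker.example/; DNS says 203.0.113.10.
    first_ip = resolver.resolve("attacker.example", now=0)

    # t=5: the cached answer has expired. Script on the page requests
    # http://attacker.example/admin; the browser sees the same origin and
    # allows it, then resolves the name again and gets the router.
    script_target = ("http", "attacker.example", 80)
    if not same_origin(page_origin, script_target):
        raise AssertionError("browser would have blocked a cross-origin request")
    second_ip = resolver.resolve("attacker.example", now=5)
    return first_ip, second_ip


if __name__ == "__main__":
    print("no filter:", simulate())
    try:
        simulate(reject_private=True)
    except ValueError as exc:
        print("with filter:", exc)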

Cansec Slides, Now With More TCP NAT2NAT Goodness
March 21 2009

Slides from Cansec, replete with TCP NAT2NAT goodness.

(In my defense, this trick is way less hideous than my 2001 IP TTL game!)

Staring Into The Abyss, A Bit Before Cansec
March 9 2009

I’m just going to come out and say it:  I miss packet craft.  Sure, we can always pull out Scapy, and slap amusing packets together, but everything interesting is always at the other layers.

Or is it?

For CanSecWest this year, I thought it'd be interesting to take a look at the realm of Deep Packet Inspectors. It turns out we were doing a lot of this around 2000 through 2002, and then…well, sort of stopped.  So, in this year's CanSecWest paper, "Staring Into The Abyss:  Revisiting Browser v. Middleware Attacks In The Era Of Deep Packet Inspection" (DOC, PDF), I'm taking another crack at the realm, and I'm seeing really interesting capabilities to fingerprint, bypass, and otherwise manipulate systems that watch from the middle of networks, using protocol emulation abilities that have been part of browsers and their plugin ecosystem from the very beginning.

Ah, but here's where I need some help.  I've worked pretty closely with Robert Auger from PayPal, who just published his own paper, "Socket Capable Browser Plugins Result In Transparent Proxy Abuse".  We independently discovered the HTTP component of this attack pattern, and as I des
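The HTTP side of the transparent-proxy pattern named above, as an added example (not code from the paper or from Robert Auger's). It assumes the abuse works like this: a plugin socket lets a page open a TCP connection to the attacker's own server and write an arbitrary HTTP request, whose Host header can name any other site, and a transparent proxy in the path that picks its upstream from the Host header then forwards that request to the named site on the victim's behalf. The "pinned" policy shown beside it (forward only to the socket's real destination, and only if the Host header resolves to it) is one mitigation, offered here as an assumption rather than as the paper's recommendation. All addresses, names and requests are constructed, and the parser is deliberately minimal.

```python
"""Toy transparent HTTP proxy: routing by Host header vs. by destination IP.

Added example, not code from the paper or from Robert Auger's. The attack
pattern it models: a plugin socket on the attacker's page connects to the
attacker's own server, but the HTTP request it writes carries a Host header
naming an internal site; a proxy that routes by Host forwards it there.
Addresses, names and requests below are constructed.
"""


def parse_host(raw_request):
    """Return the Host header value of a raw HTTP/1.x request, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


# Constructed stand-in for the proxy's own forward DNS lookups.
PROXY_DNS = {
    "attacker.example": "203.0.113.10",
    "intranet.corp.example": "10.0.0.5",
}


def route_by_host(dst_ip, raw_request):
    """Vulnerable policy: resolve the Host header and forward there.

    The socket was opened to dst_ip, but a Host header naming an internal
    server sends the request to the internal server instead."""
    host = parse_host(raw_request)
    if host is None:
        return dst_ip
    return PROXY_DNS.get(host.split(":", 1)[0], dst_ip)


def route_pinned(dst_ip, raw_request):
    """Hardened policy: forward only to the IP the client connected to, and
    only if the Host header resolves to that same IP; otherwise refuse (None)."""
    host = parse_host(raw_request)
    if host is None:
        return None
    if PROXY_DNS.get(host.split(":", 1)[0]) != dst_ip:
        return None
    return dst_ip


# Constructed requests. In both cases the plugin socket on the attacker's page
# connected to the attacker's own server (203.0.113.10:80); only Host differs.
ATTACKER_IP = "203.0.113.10"
HONEST_REQUEST = b"GET / HTTP/1.1\r\nHost: attacker.example\r\n\r\n"
ABUSIVE_REQUEST = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: intranet.corp.example\r\n"
    b"Connection: close\r\n\r\n"
)


def demo():
    """Where each policy would forward each request."""
    return {
        "honest/by_host": route_by_host(ATTACKER_IP, HONEST_REQUEST),
        "honest/pinned": route_pinned(ATTACKER_IP, HONEST_REQUEST),
        "abusive/by_host": route_by_host(ATTACKER_IP, ABUSIVE_REQUEST),
        "abusive/pinned": route_pinned(ATTACKER_IP, ABUSIVE_REQUEST),
    }


if __name__ == "__main__":
    for policy, upstream in demo().items():
        print(f"{policy:16} -> {upstream}")
```

The honest request is forwarded to 203.0.113.10 under both policies; the abusive one reaches 10.0.0.5 under Host-based routing and is refused under the pinned policy. The same Host-header trick is what lets the page reach any site the proxy can, with the proxy's address as the source.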

Virtual Hoff
February 28 2009

So Crystal and the rest of Workhabit just threw another Unconference:  Cloudcamp Seattle.  I'm actually pretty impressed with the crowd; there's representation from Amazon EC2, Windows Azure, and RightScale (who, non-ironically, have actually implemented Cloud on Cloud).   Crystal asked if I'd be willing to do a Cloud Security talk.  The Man couldn't fly out, but here are my thoughts on the cloud.  Quick summary:  There are ugly engineering (and procedural) issues we can't actually ignore, mainly around escaping the management layer and the problem of intrusion disclosure, but:

a) This is such a superior way to deploy software, that I expect to see the necessary modifications to hardware and authentication technologies so as to obviate the threats in this deck, and
b) Private clouds are such an obvious value add that they’ll carry us through until the modifications are implemented.

I’ll throw video on as well if people want.  Enjoy!

When Irresistible Forces Attack