<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>adventuresinsecurity.com Blog &#187; Security Tech</title>
	<atom:link href="http://adventuresinsecurity.com/blog/index.php/category/security-tech/feed/" rel="self" type="application/rss+xml" />
	<link>http://adventuresinsecurity.com/blog</link>
	<description>Information Security Management for Business Managers</description>
	<lastBuildDate>Mon, 19 Feb 2007 16:08:58 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>DNS Cache Poisoning: Definition and Prevention</title>
		<link>http://adventuresinsecurity.com/blog/2006/03/16/dns-cache-poisoning-definition-and-prevention/</link>
		<comments>http://adventuresinsecurity.com/blog/2006/03/16/dns-cache-poisoning-definition-and-prevention/#comments</comments>
		<pubDate>Thu, 16 Mar 2006 23:10:12 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Security Management Tips]]></category>
		<category><![CDATA[Security Tech]]></category>
		<category><![CDATA[Security Tips]]></category>

		<guid isPermaLink="false">http://adventuresinsecurity.com/blog/?p=97</guid>
		<description><![CDATA[The Internet would grind to a halt – would not be possible – without a Domain Name System (DNS).  As you’ll see in this paper, the proper operation of DNS is fundamental to the maintenance and distribution of the addresses for the vast number of nodes around the globe.  So it would be too much [...]]]></description>
			<content:encoded><![CDATA[<p>The Internet would grind to a halt – would not be possible – without a Domain Name System (DNS).  As you’ll see in this paper, the proper operation of DNS is fundamental to the maintenance and distribution of the addresses for the vast number of nodes around the globe.  So it would be too much to hope for crackers (malicious hackers) to ignore DNS as they continuously look for new ways to circumvent your security.  There are several facets to DNS security. </p>
<p>In this paper we focus on one of the most dangerous types of attack – DNS cache poisoning.  To provide a complete picture of this threat, we’ll explore how DNS works, two ways crackers facilitate cache poisoning, what impact this type of attack can have on your organization, and steps you can take to protect your information assets.</p>
<p><a href="http://adventuresinsecurity.com/Papers/DNS_Cache_Poisoning.pdf" target="_blank">Download this paper</a></p>
<p><strong>Author:</strong> Tom Olzak</p>
<p><strong>Listen to our Podcasts &#8211;> </strong><a href="http://www.podnova.com/add.srf?url=http://adventuresinsecurity.com/Podcasts/AISSeries/AdventuresinSecurity.xml"><img title="add to my PodNova" height="17" alt="add to my PodNova" src="http://www.podnova.com/img_chicklet_podnova.gif" width="91" border="0" /></a></p>
<p><strong>Free security training available at <a href="http://adventuresinsecurity.com/SCourses">http://adventuresinsecurity.com/SCourses</a></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://adventuresinsecurity.com/blog/2006/03/16/dns-cache-poisoning-definition-and-prevention/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Technical Security Alert: Rootkits can be hidden in virtual machines</title>
		<link>http://adventuresinsecurity.com/blog/2006/03/13/technical-security-alert-rootkits-can-be-hidden-in-virtual-machines/</link>
		<comments>http://adventuresinsecurity.com/blog/2006/03/13/technical-security-alert-rootkits-can-be-hidden-in-virtual-machines/#comments</comments>
		<pubDate>Mon, 13 Mar 2006 14:13:02 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[Alerts]]></category>
		<category><![CDATA[All]]></category>
		<category><![CDATA[Current Events]]></category>
		<category><![CDATA[Security Tech]]></category>

		<guid isPermaLink="false">http://adventuresinsecurity.com/blog/?p=93</guid>
		<description><![CDATA[&#8220;Security researchers have uncovered new techniques to hide the presence of malware on infected systems. By hiding rootkit software in virtual machine environments, hackers have the potential to avoid detection by security software, boffins at Microsoft Research and the University of Michigan warn&#8221; (John Leyden, published 13 March 2006 in The Register).
View the rest of [...]]]></description>
			<content:encoded><![CDATA[<p>&#8220;Security researchers have uncovered new techniques to hide the presence of malware on infected systems. By hiding rootkit software in virtual machine environments, hackers have the potential to avoid detection by security software, boffins at Microsoft Research and the University of Michigan warn&#8221; (John Leyden, published 13 March 2006 in The Register).</p>
<p><a href="http://www.theregister.co.uk/2006/03/13/virtual_rootkit/" target="_blank">View the rest of the article</a></p>
]]></content:encoded>
			<wfw:commentRss>http://adventuresinsecurity.com/blog/2006/03/13/technical-security-alert-rootkits-can-be-hidden-in-virtual-machines/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Email Authentication with Sender ID</title>
		<link>http://adventuresinsecurity.com/blog/2006/03/07/email-authentication-with-secureid/</link>
		<comments>http://adventuresinsecurity.com/blog/2006/03/07/email-authentication-with-secureid/#comments</comments>
		<pubDate>Tue, 07 Mar 2006 20:27:16 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Security Tech]]></category>

		<guid isPermaLink="false">http://adventuresinsecurity.com/blog/?p=78</guid>
		<description><![CDATA[In a February 14, 2006 article, I described the new Goodmail CertifiedEmail solution.  Goodmail provides a service to senders of marketing email that allows messages to bypass the normal spam filtering processes of email service providers like AOL.  The sender is charged a fee.  The objective of this for-fee service is to authenticate senders.       
Sender ID [...]]]></description>
			<content:encoded><![CDATA[<p>In a <a href="http://adventuresinsecurity.com/blog/?p=48" target="_blank">February 14, 2006 article</a>, I described the new Goodmail CertifiedEmail solution.  Goodmail provides a service to senders of marketing email that allows messages to bypass the normal spam filtering processes of email service providers like AOL.  The sender is charged a fee.  The objective of this for-fee service is to authenticate senders.       </p>
<p>Sender ID is a free standard that also meets the objective of sender authentication.  Developed by Microsoft, Sender ID is enjoying increasing acceptance by email and email filtering vendors.  It also provides significant flexibility to receivers when making automated decisions about what to do with unauthenticated messages.  In this article I examine the two primary contenders for an email authentication standard, how Sender ID works, what senders must do to be considered “safe”, and what the emergence of this standard means to businesses and individuals.</p>
<p><span id="more-78"></span></p>
<p><strong><font size="3"><font face="Times New Roman">What is User Authentication?<br />
</font></font></strong>In today’s Internet messaging environment, it’s anybody’s guess what kinds of messages might attempt to gain entry into your network or PC.  The dangers of email use range from infection with a harmless though frustrating virus to the theft of intellectual property and personal identities.  The level of risk has risen so high that many Internet users are making the decision to either minimize email use or discontinue it completely.  Last but not least is the never-ending flow of spam that clogs enterprise email systems and home mailboxes.</p>
<p>Email authentication helps protect users from these risks and frustrations associated with Internet email.  Through the use of one of the two major contenders for an actual <a href="http://www.ietf.org/" target="_blank">IETF</a> standard, recipients of email can be reasonably protected from unwanted or malicious email.</p>
<p><strong><font size="3"><font face="Times New Roman">Two Approaches<br />
</font></font></strong>There are two basic approaches to email authentication.  The first is the use of DomainKeys Identified Mail (DKIM).  Based on Yahoo!’s DomainKeys email authentication technology and Identified Internet Mail developed by Cisco, DKIM authentication is based on asymmetric (public/private key) cryptography.  A secure hash is calculated over the contents of the message to be sent.  The hash value is encrypted (signed) using the sender’s private key.  The resulting cipher text is added to the message header.</p>
<p>When the email is delivered, the recipient uses the name of the domain from which the message originated to perform a <a href="http://en.wikipedia.org/wiki/Domain_Name_System" target="_blank">DNS</a> lookup.  The domain’s public key is returned, and the hash value is decrypted.  The receiving system then recalculates the hash and compares its result to the decrypted value.  If they’re the same, the receiver can be certain that the message originated from the domain indicated in the message header and that the message was not tampered with as it traveled over the Internet.</p>
<p>The second approach is the use of Sender ID.  Sender ID, a combination of SPF and Microsoft&#8217;s &#8220;caller ID,&#8221; is an extension of the <a href="http://en.wikipedia.org/wiki/Smtp" target="_blank">SMTP</a> protocol.  The rest of this article is dedicated to describing this emerging email authentication standard.</p>
<p><strong><font size="3"><font face="Times New Roman">Sender ID<br />
</font></font></strong>The basic underlying functionality of the Sender ID method is a DNS lookup of the sending domain’s SPF record.  An SPF (Sender Policy Framework) record is a DNS TXT record published by the sending organization on its DNS server.  At a minimum, the record lists the IP addresses of the servers authorized to send email on behalf of the sending domain.  Let’s use Figure 1 (<a href="http://www.microsoft.com/mscorp/safety/technologies/senderid/technology.mspx?pf=true">http://www.microsoft.com/mscorp/safety/technologies/senderid/technology.mspx?pf=true</a>) to step through the message receiving process.</p>
<div><img id="image79" height="296" alt="spf_flow.jpg" src="http://adventuresinsecurity.com/blog/wp-content/uploads/2006/03/spf_flow.jpg" width="423" /></div>
<blockquote><p><font face="Times New Roman" size="3">1.  A message is sent to the receiver </font></p>
<p><font face="Times New Roman" size="3">2.  The receiver&#8217;s inbound mail server receives the message </font></p>
<p><font face="Times New Roman" size="3">3.  The inbound server obtains the name of the domain from which the message was supposedly sent and uses it to look up the SPF record for that domain.  If the IP address of the sending server matches any one of the outbound addresses listed in the SPF record, the message is authenticated and delivered.  If no address matches, authentication fails and the message is not delivered.  Once the message is authenticated, the receiver can process it based on sender-specific rules.</font></p></blockquote>
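<p>As an added example (not part of this article and not Microsoft's Sender ID code), the following Python models step 3 above: the receiver evaluates the connecting server's IP address against the purported domain's SPF record. It assumes constructed SPF records in place of real DNS TXT lookups and evaluates only the ip4, ip6 and all mechanisms, which can be checked offline; the delivery policy at the end is likewise an assumption.</p>

```python
"""Evaluate a connecting IP against the purported sending domain's SPF record.

Added example, not from the article. The records below are constructed and
stand in for DNS TXT lookups; include/a/mx/exists need further DNS queries and
are reported as a permanent error here.
"""
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups of the sending domain.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
    "includes.example": "v=spf1 include:_spf.example.net -all",
    "nospf.example": None,
}

# SPF qualifiers and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stand-in for the receiver's DNS TXT query (hypothetical, offline data)."""
    return SPF_RECORDS.get(domain)


def check_spf(sending_ip, domain):
    """Return the SPF result for a connecting IP whose message claims `domain`."""
    record = lookup_spf(domain)
    if not record:
        return "none"  # the domain publishes no policy, so nothing can be authenticated
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]  # verdict for senders listed nowhere above
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the record
            if (mech == "ip4") != (net.version == 4):
                return "permerror"  # ip4 mechanism carrying an IPv6 network, or vice versa
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # include, a, mx and exists need further DNS queries, out of scope here.
        return "permerror"
    return "neutral"  # no mechanism matched and the record has no `all` term


def deliver(sending_ip, domain):
    """Assumed receiver policy: deliver on pass, reject on fail, hold anything else."""
    result = check_spf(sending_ip, domain)
    if result == "pass":
        return "deliver"
    if result == "fail":
        return "reject"
    return "quarantine"


if __name__ == "__main__":
    cases = [("192.0.2.77", "example.com"), ("203.0.113.9", "example.com"),
             ("2001:db8:1::5", "example.com"), ("198.51.100.99", "softfail.example"),
             ("198.51.100.99", "includes.example"), ("198.51.100.99", "nospf.example")]
    for ip, dom in cases:
        print(f"{ip:>16} claiming {dom:<18} -> {check_spf(ip, dom):<9} -> {deliver(ip, dom)}")
```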
<p><font face="Times New Roman" size="3">The questions asked and acted upon by these rules might include:</font></p>
<blockquote><p><font face="Times New Roman" size="3">1.  Is the sender known to the receiver?</font></p>
<p><font face="Times New Roman" size="3">2.  Does the sender have a history of sending legitimate email?</font></p>
<p><font face="Times New Roman" size="3">3.  Is the sender a trusted entity?</font></p></blockquote>
<p><strong><font size="3"><font face="Times New Roman">Sender Setup<br />
</font></font></strong>In order to operate effectively in a Sender ID environment, senders will have to begin adding SPF records to their DNS servers.  This process isn’t too bad.  In fact, there are many <a href="http://www.openspf.org/wizard.html">sites where a domain owner can use a wizard</a> to create the necessary SPF entry string.  Although Sender ID is still moving through adoption and approval processes, it’s a good idea for senders to post an SPF record soon.</p>
<p>The following is a list of some of the organizations that have accepted and are implementing Sender ID in their products and services:</p>
<ul>
<li>Barracuda</li>
<li>CipherTrust</li>
<li>IronPort</li>
<li>Microsoft (Exchange Server 2003)</li>
<li>Symantec</li>
<li>Tumbleweed</li>
<li>VeriSign</li>
</ul>
<p><strong>Conclusion</strong></p>
<p>Email authentication is becoming a reality.  Is it perfect?  No.  But it&#8217;s better than the chaos that pervades the messaging world today.  It also doesn&#8217;t matter which standard wins out; they&#8217;re not mutually exclusive, and they can easily coexist.  So don&#8217;t stand in a corner waiting for a winner.  Anything you do today will work in the future.  Just be sure to take the appropriate steps to protect your enterprise from the increasing risks of messaging.</p>
<p><strong>Author:</strong> Tom Olzak</p>
]]></content:encoded>
			<wfw:commentRss>http://adventuresinsecurity.com/blog/2006/03/07/email-authentication-with-secureid/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
<title>Hackers Beware</title>
		<link>http://adventuresinsecurity.com/blog/2006/03/01/hackers-beware/</link>
		<comments>http://adventuresinsecurity.com/blog/2006/03/01/hackers-beware/#comments</comments>
		<pubDate>Wed, 01 Mar 2006 20:15:06 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Security Tech]]></category>

		<guid isPermaLink="false">http://adventuresinsecurity.com/blog/?p=71</guid>
		<description><![CDATA[&#8220;Quantum cryptography is trying to make all transmissions secure, so this could be very useful for online banking, for example,&#8221; says Professor Hoi-Kwong Lo, an expert in physics and electrical and computer engineering at U of T&#8217;s Centre for Quantum Information and Quantum Control and the senior author of a new study about the technique. [...]]]></description>
<content:encoded><![CDATA[<p>&#8220;Quantum cryptography is trying to make all transmissions secure, so this could be very useful for online banking, for example,&#8221; says Professor Hoi-Kwong Lo, an expert in physics and electrical and computer engineering at U of T&#8217;s Centre for Quantum Information and Quantum Control and the senior author of a new study about the technique. &#8220;The idea can be implemented now, because we actually did the experiment with a commercial device.&#8221;</p>
<p> <a href="http://www.physorg.com/news11085.html" target="_blank">Read the rest of the article</a></p>
]]></content:encoded>
			<wfw:commentRss>http://adventuresinsecurity.com/blog/2006/03/01/hackers-beware/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IP Surveillance</title>
		<link>http://adventuresinsecurity.com/blog/2006/02/27/ip-surveillance/</link>
		<comments>http://adventuresinsecurity.com/blog/2006/02/27/ip-surveillance/#comments</comments>
		<pubDate>Mon, 27 Feb 2006 21:47:23 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Security Management Tips]]></category>
		<category><![CDATA[Security Tech]]></category>

		<guid isPermaLink="false">http://adventuresinsecurity.com/blog/?p=69</guid>
		<description><![CDATA[When managers discuss physical security, it’s usually restricted to what types of locks to place on what doors.  This is a good start, but locks are only one component of effective physical security.  In fact, a lock is intended as one of many safeguards to delay an intruder until he is identified and intercepted by [...]]]></description>
			<content:encoded><![CDATA[<p><font face="Times New Roman" size="3">When managers discuss physical security, it’s usually restricted to what types of locks to place on what doors.  This is a good start, but locks are only one component of effective physical security.  In fact, a lock is intended as one of many safeguards to delay an intruder until he is identified and intercepted by security guards or police officers.  Good physical security requires the combination of locks, barriers, and sensors.  But these safeguards must be supported by the capability for human assessment of alerts or alarms.  The quickest method for gaining visibility into sensitive areas is the use of cameras.</font></p>
<p><font size="3"><font face="Times New Roman">Until recently, CCTV (Closed Circuit Television) technology was the principal means of viewing physical assets.  Today, IP Surveillance systems are taking over and providing significant improvements.</font></font></p>
<p><font face="Times New Roman" size="3">In this article, I define IP Surveillance, explore how it works, and list the potential value it brings to your security efforts.   </font></p>
<p><span id="more-69"></span><font face="Times New Roman" size="3">IP Surveillance is the use of an IP network to gather or view information collected by network-ready surveillance cameras.  An example of an IP surveillance configuration is depicted in Figure 1 (D-Link, 2005).  Three Ethernet switches are connected to the core network infrastructure.  Cameras are either directly attached via Cat 5 Ethernet cabling or via a wireless connection.  The use of 100 Mbps or greater connections is recommended for high resolution images.</font></p>
<p><a title="IP Surveillance Figure 1" href="http://adventuresinsecurity.com/blog/wp-content/uploads/2006/02/Figure1.jpg"><img id="image70" height="80" alt="IP Surveillance Figure 1" src="http://adventuresinsecurity.com/blog/wp-content/uploads/2006/02/Figure1.thumbnail.jpg" width="128" /></a></p>
<p> Figure 1 (click to enlarge)</p>
<p><font face="Times New Roman" size="3">Security personnel can access camera output in two ways.  The first method is by direct connection to one or more cameras.  This is typically facilitated by using web services embedded in the camera.  Real time visibility into coverage areas and camera adjustment for better viewing are possible using vendor-supplied or third party software.  Password protection prevents unauthorized viewing.</font></p>
<p><font face="Times New Roman" size="3">The second method involves accessing camera output stored on disk.  Cameras can send information to a recording station for storage in one of many popular video formats.  These recordings are quickly available for investigation, audit, or other business purposes.  </font></p>
<p><font face="Times New Roman" size="3">OK, so this is “cool” technology.  But how can it help strengthen your security program?</font></p>
<p><font face="Times New Roman" size="3">Barriers like fences, gates, and locked doors and windows are only a temporary frustration for a determined intruder.  Again, barriers are intended to delay an intruder’s advance – not stop it.  The delay provided by an organization’s physical barriers should be long enough for human intervention.    </font></p>
<p><font face="Times New Roman" size="3">Cameras provide the means for local or remote monitoring personnel to quickly identify an intruder and direct local law enforcement or onsite security guards to the appropriate location in order to apprehend and remove the threat.      </font></p>
<p><font face="Times New Roman" size="3">Even organizations that use motion or vibration sensors gain significant benefit from cameras.  Sensors are not 100% accurate.  False positives and false negatives are possible.  Strategically placed cameras can help ensure costly human security resources don’t continuously run after false alarms, and that intruders are unable to circumvent non-visual safeguards.  Finally, cameras can provide continuous surveillance of sensitive areas.  </font></p>
<p><font face="Times New Roman" size="3">Installation of IP surveillance cameras is pretty easy.  If used with Power over Ethernet (PoE) capable switches, cameras can be placed in locations where no electrical outlets exist; power is delivered over the Ethernet cable.   </font></p>
<p><font face="Times New Roman" size="3">CCTV systems used coax cables to transmit unencrypted information.  Once an intruder gained physical access to a cable, it was easy to tap into the data stream without being detected.  Security personnel can protect IP camera output by using LAN encryption technology.    </font></p>
<p><font face="Times New Roman" size="3">Cameras might not be necessary for every business.  But if you&#8217;re protecting critical intellectual property or other sensitive information, consider at least limited use of video technology; even if it’s just around your data center.  Cost shouldn’t be an issue, with cameras ranging from less than $200 to under $1000, depending on the feature set you need.</font></p>
<p><strong>Author:</strong>  Tom Olzak</p>
<p><strong>Sources:</strong></p>
<p>D-Link (2005, July). <em>IP surveillance: the next generation security camera application. </em>Retrieved February 27, 2006 from <a href="ftp://ftp10.dlink.com/pdfs/products/IP_Surveillance_Solutions_Brief.pdf">ftp://ftp10.dlink.com/pdfs/products/IP_Surveillance_Solutions_Brief.pdf</a></p>
]]></content:encoded>
			<wfw:commentRss>http://adventuresinsecurity.com/blog/2006/02/27/ip-surveillance/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Dissecting Nyxem: New dog, same old tricks.</title>
		<link>http://adventuresinsecurity.com/blog/2006/02/04/dissecting-nyxem-new-dog-same-old-tricks/</link>
		<comments>http://adventuresinsecurity.com/blog/2006/02/04/dissecting-nyxem-new-dog-same-old-tricks/#comments</comments>
		<pubDate>Sat, 04 Feb 2006 21:57:28 +0000</pubDate>
		<dc:creator>Larry</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Security Tech]]></category>

		<guid isPermaLink="false">http://adventuresinsecurity.com/blog/?p=34</guid>
		<description><![CDATA[There has been some real buzz concerning a new virus in the wild, Nyxem. While it employs the same old tricks virus coders have been using for years, it has a new nasty ending. Let&#8217;s discuss Nyxem (aka Mywife, Blueworm, BlackMal) and see what kind of risk we are really looking at.

How does this work?
The [...]]]></description>
<content:encoded><![CDATA[<p>There has been some real buzz concerning a new virus in the wild, Nyxem. While it employs the same old tricks virus coders have been using for years, it has a new nasty ending. Let&#8217;s discuss Nyxem (aka Mywife, Blueworm, BlackMal) and see what kind of risk we are really looking at.<br />
<strong><span id="more-34"></span><br />
How does this work?</strong><br />
The short answer is &#8220;same old, same old&#8221;. It uses all the same time-tested techniques we&#8217;ve come to love. The long answer is, well&#8230; longer, and can be summed up with the following checklist.</p>
<ul>
<li>Comes as an email attachment? Check</li>
<li>Mass mailing to your contacts? Check</li>
<li>Drops multiple copies of itself? Check</li>
<li>Changes the registry to start itself at boot? Check</li>
<li>Tries to disable your antivirus? Check</li>
<li>DoS attack? Right on</li>
</ul>
<p>An in depth description can be found <a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBLUEWORM%2EE&#038;VSect=T">here</a> but up until this point, everything about this virus is pretty routine. It looks like the writer has paid close attention to what has worked in the past and incorporated multiple methods and attacks. So if it is so routine, why so much concern?<br />
<strong><br />
Why is it different?</strong><br />
Most of the more successful viruses these days keep it pretty simple. They usually have a single, moderately malicious goal. Clogging up email systems is a common one. Denial of service is a classic. Zombie net anyone? Even installing malware/spyware for profit is becoming common. But Nyxem goes a step further and succeeds in striking fear in the hearts of us all. It wants to delete your files. How dare it!<br />
Part of this virus, the really nasty part, will indeed search for and delete any files with the extensions .doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd and .dmp. This pretty much covers the standard office suite and any zip files you may have. That could be a ton of crucial data, and on the 3rd of every month it&#8217;s going to be looking to remove it from your hard drive. Yeah, that&#8217;s a bad piece of software. But before you start panicking, let&#8217;s look at what you can do to mitigate the risk.</p>
<p><strong>Lots of bark, not a lot of bite</strong><br />
While the outcome of Nyxem and its variants is pretty scary, the probability of it actually deleting files off your PC is pretty low. That is of course as long as you follow a few of the basic computing best practices.</p>
<ol>
<li>AV software &#8212; Make sure it&#8217;s up to date. This has been drilled into everyone for years and is usually a no-brainer. This is a known virus and the destructive action takes place once a month. If you are up to date, chances are you are safe.</li>
<li>Know your email &#8212; This virus, like so many before it, propagates through an email attachment. Email providers and developers alike have been combating this method pretty well for some time now. Most email clients limit or remove executable attachments by default, or at the very least do not let them execute. Upstream from your home should be even safer: any reputable email service should be scanning for viruses and blocking malicious attachments on the back end. This alone should stop a large percentage of email-based nasties.</li>
<li>Backups &#8212; If you are doing the right thing, you should have a recent backup of any important files. We&#8217;re all backing up&#8230; right?</li>
</ol>
<p><strong>Keep one eye open</strong><br />
No virus is a trivial matter, and only through due diligence and common sense can we begin to keep our data safe from malware. With that being said, I would definitely categorize Nyxem and its variants as a high risk, low probability threat for home users, and even lower probability for corporate users. The chances of getting struck by lightning are pretty low&#8230; but if it happens, be sure to have your rubber shoes on.</p>
<p><strong>Author: </strong>Larry Hinz</p>
]]></content:encoded>
			<wfw:commentRss>http://adventuresinsecurity.com/blog/2006/02/04/dissecting-nyxem-new-dog-same-old-tricks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

