Steve Goodbarn

Mobile computing vulnerabilites, DNS cache poisoning, SSL vulnerabilities

2010-07-28T16:17:44-06:00

Black Hat 2010 started today and there is no shortage of vulnerabilities to be revealed. Black Hat and it's lower end companion conference, Defcon, are where security researchers disclose vulnerabilities in IT infrastructure upon which our civilization depends.

I'm a little late getting this post out but here are some things to expect, courtesy of PC World: What to Watch at Black Hat and Defcon. I am glad DNS is getting some focus as is mobile computing.

2) DNS

Two years ago, Dan Kaminsky made headlines worldwide by uncovering a flaw in the DNS (Domain Name System) used to look up the addresses of computers on the Internet. This year, Kaminsky is speaking againat Black Hat -- this time on Web security tools. But he's also been tapped to participate in a press conference where he and representatives from ICANN (Internet Corporation For Assigned Names and Numbers) and VeriSign will discuss Domain Name System Security Extensions (DNSSEC) -- a new way of doing DNS that provides a level of confidence that computers connected to the Internet are what they actually claim to be.

About two weeks ago, ICANN presided over the first cryptographic signingof a root server with a DNSSEC key. DNSSEC isn't yet widely supported, but ICANN hopes that by signing a root zone, it will spur others to support the protocol in their server and client software.

Researchers like Kaminsky say that widespread adoption of DNSSEC could curb a whole bunch of online attacks. "We've been looking at how DNSSEC is going to address not only DNS vulnerabilities, but some of the core vulnerabilities we have in security," Kaminsky said in an interview. "We're not going to solve all of those problems with DNSSEC... but there's an entire class of authentication vulnerabilities that DNSSEC does address."

Search Security also had a nice primer yesterday: Mobile threats, SSL weaknesses, Web application bugs at Black Hat 2010.

Dasient, a Web-based antimalware company, will present its research at Black Hat on the three most critical structural vulnerabilities in websites. Daswani will talk about the vulnerabilities and problems his company's scanning technology has seen in Javascript widgets, third-party advertising services and third-party applications.
Often, Daswani said, the issue comes down to trust. The widget provider, for example, could be an attacker masquerading as a provider; the widget could be compromised; or it could be using DNS cache poisoning to redirect site visitors to an attack site. The research also points out similar issues with third-party advertising that could be serving malware or redirecting users to attack sites. The main problem is that advertising providers always have multiple partners, and chances are one or all of those partners don't vet the security of ad content. Third-party applications also exploit the trust between site visitors and the site. Apps could be vulnerable to Web-based attacks such as SQL injection or cross-site scripting; host sites need to ensure providers are vetting code for security vulnerabilities.

Stay tuned as more news comes out of the these conferences.

New espionage malware focused on SCADA systems

2010-07-19T16:53:05-06:00

Brian Krebs reported last week on recently discovered malware that attempts to compromise Siemens SCADA (supervisory control and data acquisition) systems - the systems that run industrial processes and utilities like pipelines, refineries, chemical plants, and electrical systems.

The malware utilizes USB drives and takes advantage of previously unknown flaws in Windows operating systems. See Experts Warn of New Windows Shortcut Flaw. Network World has a follow up article: New virus targets industrial secrets that provides a good explanation of how the virus spreads.

SCADA systems run critical infrastructure and Siemens is a key manufacturer. This type of malware can't be dismissed lightly. We do not know how long the virus has been in the wild, where it has spread and what systems may be affected. If a virus has infiltrated control systems for the power grid or pipelines there is no telling how much damage could be caused.

Many in the security community have been concerned about this type of malware but it doesn't get much publicity (however, see this video: Sabotaging the System: 60 Minutes reports on our dismal Internet security, a report by 60 Minutes from last November).

I zeroed in on one paragraph from KrebsonSecurity:

Ulasen said the malware installs two drivers: “mrxnet.sys” and “mrxcls.sys.” These so-called “rootkit” files are used to hide the malware itself so that it remains invisible on the USB storage device. Interestingly, Ulasen notes that both driver files are signed with the digital signature of Realtek Semiconductor Corp., a legitimate hi-tech company.

Protecting digital signatures is critical for internet security. It's the "secret password" that makes cryptography work. Yet the hardware and general purpose operating systems that run Internet, consumer, and business software (and therefore all of their applications) are incapable of fully protecting critical cyptograghic signatures. They can only do a marginal job through obfuscation. We live with this compromise every day. DNSSEC will help with authentication, but without immunity to malware and rootkits we can never be secure.

I hope Siemens' customers are working overtime to determine that they have not been compromised.

Root zone signed with DNSSEC

2010-07-15T22:23:39-06:00

A giant step for Internet security.

From the DNSSEC deployment site:

Root zone signed with DNSSEC, “building new levels of trust on the Internet”

Culminating years of effort on the part of many public and private organizations and individuals, ICANN has now confirmed the root zone is signed and available, and has published the root zone trust anchor so that root operators can begin to serve the signed root zone with actual keys. Initiative partner and Shinkuro CEO Steve Crocker said:

This is a very special day. Very, very many people, working for many years all over the world made this day possible. Like the golden spike that completed the first transcontinental railroad in the United States, the signing of the root completes the basic platform for building new levels of trust on the Internet.

Free “DNSSEC Decoded” seminar set for July 27

Posted by Graveline in Uncategorized on July 15, 2010

“DNSSEC Decoded,” a half-day seminar sponsored by Secure64, will take place July 27 from 8:30 a.m. to 11:30 a.m. in Washington, DC, at the International Spy Museum’s Zola Restaurant.

Speakers include Initiative partner and NIST computer scientist Scott Rose and Microsoft Federal Group Chief Security Officer Bill Billings. Breakfast is included in the event, and the speakers will discuss why U.S. federal agencies’ internal networks are targets for theft of confidential information; how DNSSEC protects internal and external domains from hijacking; DNSSEC deployment requirements and FISMA requirements that pertain to DNSSEC; and case studies from other federal agencies. Seating is limited; you also may listen to a recording of the event with the chance to ask questions of the speakers.

U.S. Commerce Secretary cites DNSSEC on eve of root signing

Posted by Graveline in Uncategorized on July 15, 2010

U.S. Commerce Secretary Gary Locke yesterday addressed a meeting of the federal agencies participating in a government-wide cybersecurity policy review, citing DNSSEC as a significant accomplishment in securing the Internet, on the eve of the signing of the root zone. His remarks included these words:

One of the Commerce Department’s most important accomplishments will go into effect tomorrow when DNSSEC is deployed at the root of the Domain Name System.

This action will essentially give a “tamper proof seal” to the address book of the Internet – a seal that gives Internet users confidence in their online experience.

And I’d like to thank the Department’s partners in this effort — the Internet Corporation for Assigned Names and Numbers, and VeriSign. This effort is an excellent example of public – private cooperation, which included extensive domestic and international community consultation.

For more see Network World: Internet takes DNSSEC on board

Cyberwar vs safe information highways; DNSSEC almost here

2010-07-14T17:56:46-06:00

The July 1 issue of The Economist has a headline "Cyberwar" with the scary picture below.

Bruce Schneier has a thoughtful response on CNN.com: Threat of 'cyberwar' has been hugely hyped.

I don't want to enter the debate on cyberwar, but we (including the US Government) are certainly not doing everything we could today to improve cyber security. A more secure Internet will save money for everyone and improve our economy.

Calling the Internet the Information Superhighway is a good way to illustrate the benefits of security. If you had to pay a security toll every 10 miles (buying anti-virus/anti-spy-ware/firewall,etc. with an annual renewal) and the toll failed to prevent 10% of traffic from being hijacked, you probably would not drive on that highway, and if you did you would not carry any valuables. That is exactly what we have today with the Internet. This isn't cyberwar - it's crime. Let's address crime first by doing what we can to make the internet more secure.

Don't spend too much on Cyberwar until we do some basic security block and tackling, like deploying DNSSEC.

And speaking of DNSSEC, tomorrow is the day the DNSSEC signed root zone enters production.

Cyber attacks on Colleges, Denial of Service Attack takes down broadband news site

2010-06-30T18:04:16-06:00

Colleges have been a Rich hunting ground for cyber criminals and even with school out of session it appears there is no letup, The New Internet reports: June Busy Month for Cyber Criminals Targeting Colleges.

Most of these attacks are focused on stealing personal information from college records as well as directly from students. The .edu domain is in the process of rolling out DNSSEC, which will provide an authentication mechanism that will make many of these attacks more difficult. Yet very few colleges have adopted DNSSEC or are in the process of adopting DNSSEC. The cost is not significant nor is it difficult.

Also in this publication is a report on a DDoS attack that took down Australian news site Whirlpool.net.au:

Lorenzo Modesto, chief operating officer for the website’s hosting service Bulletproof Networks, said customers were alerted about the attack at 12:46 a.m. After immediately blocking Whirlpool IP addresses to observe it better, Bulletproof discovered the attackers were originating from Denmark and the United States, Modesto said.

Other Bulletproof customers were affected for around an hour, but Whirlpool was left offline until around 8 a.m. When the Bulletproof operations team tried to bring Whirlpool back online, the service went down within a minute.

“We unblocked them at 8 a.m. and within a minute or two, the denial-of-service attack was back on,” Modesto said. “We escalated the issue to block it upstream with our upstream providers. Once we provided them with the source IP addresses they actually blocked those IP addresses upstream.”

Denial of service attacks continue to be a problem that is difficult to address. Blocking IP addresses and taking sites like Whirlpool down for over 8 hours is not a good solution.

I am curious as to how high the traffic load was in this attack and whether there was any mitigation in place that failed to stop the attack.

Operational Challenges When Implementing DNSSEC

2010-06-29T14:44:52-06:00

This article from the Internet Protocol Forum might be a bit technical for some of my readers but it gives you a sense of the preparation required for a network to adopt DNSSEC.

Operational Challenges When Implementing DNSSEC

One point from the article cannot be stressed enough:

Most problems with DNSSEC are related to firewalls. Make sure to involve your security and networking administrators so that they can make the required changes before taking DNSSEC into production.

The publicity around DNSSEC over the past two weeks has generated quite a bit of interest in adoption. With a good plan and automation this is not rocket science and can be accomplished in days. But without it the risk of going dark can be significant.

DNSSEC a reality, Chinese script domains approved, .xxx approved for pornography

2010-06-25T16:26:45-06:00

The 38th ICANN meeting in Brussels is now history and was certainly historic. DNSSEC going live for the .org domain is the beginning of a new, more secure era for the Internet. See my previous post on June 23 for details.

It was also announced that the first internationalized domain names, those using Chinese characters, have been approved. A link the the announcement at the ICANN site (with a video) is here and the press release here.

Also approved is the .XXX domain, presumably for the porn industry. This controversial domain has been under consideration for years and was initially rejected by ICANN. The press release linked above has further details on this domain.

DNSSEC is live in the .org domain

2010-06-23T18:11:38-06:00

The Public Interest Registry announced today that the .org domain - the third largest domain after .com and .net - has deployed DNSSEC in production. This is a huge milestone and a notable technical achievement by Afilias, which operates the .org domain and uses Secure64 DNS Signer software for DNSSEC signing operations.

The announcement came at the ICANN conference in Brussels. I embedded secions of the press conference below but they seem to have troubel working in Explorer. You can view the press conference here at the ICANN site. If you view just one of these I recommend Dan Kaminsky's segment.

Alexa Radd is th President of PIR, the most trusted internet domain. PIR has taken a leadership role in DNSSEC deployment and user education about internet security.

Steve Crocker is one of the inventors of the internet and has been the leader of DNSSEC development from the very beginning and is the leader of the DNSSEC Deployment Initiative.

Dan Kaminsky is an internet security expert who discovered the vulnerability in the DNS that carries his name. It was this vulnerability that gave momentum to DNSSEC adoption, because even with the patch the vulnerability still exists and the patch does not work at high speeds. He also pointed out that without DNSSEC both SSL and VPN tunneling are not truly secure, and therefore ecommerce and remote email access are not secure.

Rod Beckstrom is the CEO of ICANN, the governing body over the DNS and of the DNS root servers, which go live with DNSSEC on July 15. Believe me, the political issues related to signing the root servers were not trivial and ICANN must be congratulated for persistence in getting this done.

DNSSEC keys will be published in 22 days. This is an enormous achievement. Here is a link to an earlier post that explains a bit about the process and its significance.

Are smartphones the next malware target?

2010-06-22T15:20:12-06:00

Network World's article yesterday on 4G smartphone vulnerabilities (Securing 4G smartphones:

Added data capacity, connection speeds will make 4G smartphones more vulnerable) provides a glimpse into the next security battleground.

Mobile computing is vulnerable to cyberattack. Smartphones bring all of the security issues of the internet (that have been affecting your PC for years) to your phone. Denial of service attacks are a particular issue and they appear to be growing.

Higher speeds and larger memory create a playground for malware, an attack mechanism for cloud applications, and greater risks for denial of service attacks:

But like all good things, this increase in speed and power comes with greater risks. Sanjay Beri, the vice president and general manager of Juniper's Access and Acceleration business unit, says that the money-stealing malware that appeared on Symbian-based phones last year is sadly a sign of things to come in the era of 4G.

"4G makes the situation more accelerated," he says. "And what will really accelerate the growth of mobile malware and spyware will be the volume of traffic that people will be able to use. Data usage will increase and there are going to be more places that will get infected."

This increased mobile data usage is only expected to intensify in the enterprise as more executives could try to use their favorite devices for both work and personal use. Mike Siegel, a senior director of product management at McAfee, says this will put a particular strain on IT departments' abilities to protect data across multiple operating systems and applications.

"We have senior executives now who are pushing on IT to support Android or iPhone," he says. "With iPhone and Android, you have a propagation of applications that have connections back to sensitive corporate data in the cloud. So these devices now are very much a data leakage vulnerability."

Smartphones add security risks to enterprise, government, and not-for-profit IT shops through the potential for loss of data, spying and disruption through denial of service attacks or other malware.

They also add risks for individual through loss of privacy, loss of use (one denial of service attack launches applications that drain your smart phone battery - simple and effective), and theft.

What I don't like about proposed solutions is that they seem to require less privacy, slower response times and more user hassle. But without greater security it will be difficult and expensive to realize the full potential of Smartphones to transform our lives. Anyone with a Smartphone understands this.

If your phone could also securely carry money, credit or debit card information, health care information, etc. (basically your identity), then no need for a wallet, credit cards, health care ID, car keys, money. But it needs to work 24/7 with 99.999% reliability and some means of backup.

To realize the full potential of smartphones 4G service providers must build in DDoS resilience, authentication (DNSSEC at a minimum), and malware immunity in addition to fast response times. All of this costs money, but complicated and ineffective identity management and firewall applications are even more costly in the long run.

DNS, authentication, and cellular networks

2010-06-18T00:09:00-06:00

TMC Net has an article discussing the growing importance of DNS and authentication for cellular networks. Awareness of the importance of DNS and DNSSEC to mobile computing is limited so I'm glad someone is writing about this topic.

See: DNS Has Become One of Cellular Operators' Biggest Challenges.

The article is focused on a vendor but nevertheless highlights the growing challenge of DNS in handling and authenticating smartphones and mobile devices that have their own IP addresses. These devices are used for on-line transactions and contain quite a bit of private information. So security and authentication are not trivial requirements - they are critical.

As operators move to IP-based, next-generation environments, they face the challenges of dealing with diverse and premium services and applications. And they need to understand how the network is operating and how to optimize it to offer the requisite user experience.

That’s the word from Steve Shalita, vice president of marketing at NetScout (News - Alert), who says one of the biggest challenges mobile service providers now face has to do with DNS and RADIUS authentication.

As noted above, Shalita says one of the biggest challenges mobile service providers now face has to do with DNS and RADIUS authentication. In a mobile environment, he explains, handsets tap into the mobile towers constantly, and with every transaction there’s a need to re-authenticate. So if a DNS server is flooded, he says, that impacts the ability to complete an application transaction. That means it’s important to monitor what’s happening with DNS, says Shalita, noting that AT&T (News - Alert)was recently facing issues with its DNS servers being flooded by attacks.

There are strong financial incentives for carriers to offer the fasted, most reliable and most secure network. So improvements are going to happen, and sooner rather than later.