[SecurityRatty] tag: dns

IETF: Should we ignore the Kaminsky bug?

Thu, 20 Nov 2008 02:00:00 +0000

The ongoing debate about a serious flaw in the DNS discovered this summer brings to mind a famous quotation from Voltaire: "The perfect is the enemy of the good."

Presented By:

Expedition Week Continues Tonight

Seven nights of one great discovery after another continues tonight at 9P e/p only on National Geographic Channel. From the ancient pyramids to the ocean depths, from lost cities to outer space, travel with the latest generation of intrepid explorers as they make one great discovery after another. Expedition Week, only on National Geographic Channel.
www.natgeotv.com/expedition

Ads by Pheedo

IETF: Should we ignore the Kaminsky bug?

Wed, 19 Nov 2008 21:00:00 +0000

The Internet engineering community is grappling with what to do about a serious flaw in the DNS discovered this summer, and the ongoing debate brings to mind a famous quotation from Voltaire: "The perfect is the enemy of the good."

Survey: One DNS server in 10 is 'trivially vulnerable'

Mon, 10 Nov 2008 02:00:00 +0000

Cache-poisoning attacks are still a problem, according to a worldwide survey of public-facing Internet nameservers.

One in four DNS servers still vulnerable to Kaminsky flaw, survey says

Sun, 09 Nov 2008 21:00:00 +0000

he Measurement Factory's 4th annual study of 80 million addresses in the IPv4 space proves several in the Internet community didn't heed the industry's warning to upgrade their DNS servers with patches for the Kaminsky flaw and other known vulnerabilities.

A Diverse Portfolio of Fake Security Software - Part Twelve

Mon, 03 Nov 2008 13:11:25 +0000

These very latest rogue security software domains have been in circulation -- blackhat SEO, SQL injections, traffic redirection scripts -- since Friday and remain active :

premium-pc-scan .com (78.159.118.217; 89.149.253.215; 91.203.92.47)
antivirus-pc-scan .com (208.72.169.100)
securityfullscan .com (84.243.197.184)
antivirus-live-scan .com (84.243.196.136; 89.149.227.196)
windefender-2009 .com - (200.63.45.55)
windefender2009 .com

What these domains have in common, excluding the last two WinDefender ones, is the domain registrant, the DNS servers used, and that despite the fact that it has already been featured in several malicious doorways, meaning these are receiving traffic already, they forgot to upload the binaries on all of the active domains :

"Not Found. The requested URL /2009/download/trial/A9installer_.exe was not found on this server."

Registrant:
Vladimir Polilov
Email: gpdomains@yahoo.com
Organization: Private person
Address: ul. Bauma 13-76
City: Moskva
State: Moskovskaya oblast
ZIP: 112621
Country: RU
Phone: +7.9031609536

DNS servers used - ns1.freefastdns.com; ns2.freefastdns.com

Moreover, the following domains are also parked at the same IPs, but are currently in stand-by mode, yet they're also using the same DNS servers with the only difference in the registrant who seems to have been running a very extensive portfolio of bogus domains, potentially making hundreds of thousands in the process :

save-my-pc-now .com
real-antivirus .com
liveantivirustest .com
antiviruspctest .com
premium-live-scan .com
liveantivirustest .com
antiviruspersonaltest .com
mysecuritysupport .com
updateyourprotection .com
antivirus-premiumscan .com
securitylivescan .com
security-full-scan .com
secured-liveupdate .com
livepcupdate .com
protection-update .com
antivirus-scan-online .com
xpsoftupgrade .com
live-virus-defence .com

Pseudo Email Marketing Tools Empowering Spammers

Wed, 29 Oct 2008 16:28:30 +0000

Largely ignoring its real life applicability, a vendor of "email marketing" tools continues the development of a DIY spamming tools, whose features greatly evolved throughout the last couple of years. Originally released in 2004, the vendor appears to have been actively improving the real-time metrics of the campaigns, next to building interactivity into the spamming process through the WYSIWYG editor.

For better or worse, despite that these applications are empowering spammers and lowering down the entry barriers into spamming, the tools have gotten largely replaced by the increasing number of managed spamming services, whose quality assurance features of bypassing spam filters act as a main differentiation factor. Here are some of this tool's features :

"- High speed distribution - 200,000 letters per hour.
- Contains an embedded SMTP server that allows you to send letters directly to the recipient's mailbox without using your provider's SMTP server.
- If you are accessing the Internet via modem, and distribution using the SMTP server, you do not fit - also allowed to send mail through any number of remote SMTP servers (relay), or via SMTP server provider.
- Support for SMTP authentication.

- Supports up to 500 concurrent streams to send to each mailing.
- Automatic caching DNS requests to speed up distribution and reducing the load on the DNS server.
- Ability to run multiple independent shots at the same time.
- Ability to suspend delivery and continue later with a point.
- All modes distribution - TO, CC, BCC and PersonalCopy. In the latter case, the program generates a personal letter to each recipient.

- Ability to specify the size of BCC package regimes TO, CC, and BCC.
- Ability to specify the TO: field for mailing regimes and CS BCC.
- Full emulation signature letters Outlook Express to increase cross-your-mails through spam filters.
- Support for distribution via a proxy server.
- Automatically detect the bad (non-existent) and not by E-Mail addresses directly in the process of distribution based on a flexible, user SMTP rules. Thanks SMTP rules achieved a very precise definition of bad addresses virtually no false positives.

- Ability to create lists of addresses, depending on the specific responses of remote servers for SMTP commands.
- Organize automatically subscribe / unsubscribe to the mailing addresses.
- Perform any processing of existing lists.
- Develop a letter to the powerful WYSIWYG Html editor.

- Automatically apply to each recipient by name, as well as paste in a letter to a specific, personalized information through powerful Mail Merge templates.

- Set the calendar to automatically launch shots at the right time.
- Quickly send out mail."

With managed spam services' on-demand, risk forwarding and completely outsourced processes, they're not only going to replace such DIY tools, but also, position them as a dynamically evolving cybercrime platforms.

Partial Disclosure - The Good, Bad, and Ugly

Tue, 21 Oct 2008 09:58:00 +0000

There is apparently a bit of fear going around information security circles that the next big trend in the disclosure wars is going to be “Partial Disclosure”. In the past, the vulnerability research community has embraced the concepts of “Full Disclosure” and/or “Non-Disclosure”. Once those concepts had been sufficiently played out, the general consensus was to move towards “Responsible Disclosure” whereby the security researcher responsibly discloses the discovered vulnerability to the vendor and works in a cooperative fashion in an effort to minimize the risk to the general user populous. This has worked well in the vast majority of cases that I have had the pleasure of managing the disclosure process.

Partial Disclosure - The Good

The responsible disclosure process tends to break down in rare occasions where the vendor doesn’t want to fix the issue. When this occurs, the researcher is put into a difficult position whereby full disclosure could put users’ systems at high risk of compromise. The other case where partial disclosure becomes an alternative is when the researcher has discovered a design flaw in a protocol or underlying multiple vendor component. Examples of this case include the DNS flaws published this past summer by Dan Kaminsky and the TCP denial of service condition discovered by Robert E. Lee and Jack Louis that is currently in the disclosure process. When the flaw affects a very large number of vendors and the actual problem is located within the underlying protocols that support the communications of the Internet as a whole, one possible solution is to follow a partial disclosure model where phasing the details to the general public can be used to encourage adoption and creation of patches throughout the enormous target audience.

Partial Disclosure - The Bad

What is driving the fear surrounding partial disclosure is the potential for abuse. When a major flaw is partially disclosed, a number of potential issues may occur. First and foremost, the further along the partial disclosure path we are, the more details will be released to the public, and the higher the probability that someone (either good or bad intentioned) will figure out the exploit and disclose the details. Second, when partially disclosing, the vendor’s hand is being forced into a situation that could speed up fixes, reduce testing, and cause ripple problems elsewhere within the infrastructure. It is difficult enough to dance the fine time line when doing responsible disclosure, but if we are escalated to the point of partial disclosure, additional fuel is added to the fire.

The Ugly

The real ugly part of partial disclosure is when we add to the equation the ability to spread fear, uncertainty, and doubt into the normal user community. It is generally well accepted that FUD can be used to drive additional revenue. If it is possible to increase the perceived magnitude of the “problem” that your product or service solves, it is possible to directly impact the demand for that product or service. That is the major fear imposed by the growing trend of partial disclosure. By releasing just enough information to trigger wide scale speculation into the flaw, it is possible to create buzz and garner media attention resulting in a lot of speculation and very little hard facts around the issue. The potential for abuse by the security industry at large is enormous.

The Fix

Some have suggested a group of security researchers be convened to vet the requirement of partial disclosure and to allow for independent peer review of any security research that requires the partial disclosure process. This suggestion leaves questions regarding who would stand on this group and who would be impartial enough to ensure that the right thing was always done regardless of profit potential. It also leaves open the opportunity for member researchers to utilize the information gathered during the vetting process to position themselves to profit from the data upon release. It might be wiser to rely on a higher level authority or government entity to manage this process and use the services of security researchers as required for subject matter expertise. While a group of this type wouldn’t ensure that all partial disclosure is appropriate, it would hopefully limit the potential for abuse and the ever present chance that people try to profit from the FUD that surrounds the current partial disclosure process.

Blue Box #84: New Cisco, Avaya, Nortel VoIP security vulnerabilities from VoIPShield, Skype in China, UCSniff and other new tools, news and more

Mon, 20 Oct 2008 04:32:28 +0000

Synopsis: Blue Box #84: New Cisco, Avaya, Nortel VoIP security vulnerabilities from VoIPShield, Skype in China, UCSniff and other new tools, news and more

Welcome to Blue Box: The VoIP Security Podcast #84, a 30-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Three-year anniversary of Blue Box coming up on October 24th - any thoughts you'd like to share with us? (Please send them to us by October 23rd.)
VoIPShield announces new vulnerabilities and http://www.voipshield.com/research.php
http://www.theregister.co.uk/2008/09/30/voip_eavesdropping_tool/
"Sipera Develops VoIP Spy Program - to Prove a Point" - http://www.voipplanet.com/trends/article.php/3776136
SecureLogix Announces Free Availability of VoIP Security Tools
NY Times: Surveillance of Skype Messages Found in China - http://www.nytimes.com/2008/10/02/technology/internet/02skype.html?_r=2&partner=rssnyt&pagewanted=print
http://securitywatch.eweek.com/privacy/skypechina_breach_is_anyone_really_surprised.html
http://www.informationweek.com/news/telecom/voip/showArticle.jhtml?articleID=210605439
Skype CEO's blog post about the issue: http://share.skype.com/sites/en/2008/10/answers_to_some_commonly_asked.html
http://www.itbusinessedge.com/blogs/top/?p=398
http://www.voip-news.com/feature/google-phone-europe-growth-092408/
http://www.itnewsafrica.com/?p=1269
http://news.cnet.com/8301-1009_3-10052393-83.html
http://www.broadbandreports.com/shownews/VoIP-Vulnerabilities-Being-Exposed-Today-98039
http://www.itbusinessedge.com/blogs/top/?p=402
http://voipsa.org/blog/2008/10/07/5th-emergency-services-workshop-to-be-held-oct-21-23-in-vienna/
http://eon.businesswire.com/news/eon/20080924005342/en
http://www.crn.com/security/210602442
http://it.tmcnet.com/topics/it/articles/41236-infoblox-unveils-dns-firewall-address-dns-vulnerability-concerns.htm
http://www.newswire.ca/en/releases/archive/September2008/29/c9005.html
No comments this week.
Review of the last week's traffic on the VOIPSEC public mailing list
Wrap-up of the show
30:26 - End of show

NOTE: Long-time listeners will note that the show notes above are in a less descriptive form than usual. After almost three years of using one wiki for preparing for our shows, Jonathan and I switched to using a new system and are still working out some of the details that will speed the input into show notes.

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

How DNS cache poisoning works

Sun, 19 Oct 2008 20:00:00 +0000

There has been a long history of attacks on the DNS ranging from brute-force denial-of-service attacks to targeted attacks requiring specialized software. In July 2008 a new DNS cache-poisoning attack was unveiled that is considered especially dangerous because it does not require substantial bandwidth or processor resources nor does it require sophisticated techniques.

Ethernet and WiFi and Bluetooth, oh my!

Wed, 15 Oct 2008 17:16:48 +0000

Customers have long requested a way to configure a computer to automatically disable its wireless NIC when its Ethernet is in use. Many third-party utilities can do this for you, but neither XP nor Vista have a built-in way to accomplish this, nor will Windows 7. Although having both NICs enabled first appears to cause a security issue, in reality that would be true only if both of the following were also true:

The user is logged on as a local administrator
The user, or some code the user runs, enables IP routing

By default, all forms of IP routing (including NIC bridging) are disabled. Only local administrators (or group policy) can enable them. So the risk, actually, is minimal.

If you have a stroll through group policy, you'll discover this setting: "Prohibit installation and configuration of Network Bridge on your DNS domain network" (more here, here). This setting allows you turn a computer into a router that bridges two networks. The bridging works only when one of the interfaces is in the same DNS namespace it was in when the bridge setting was enabled, and it works only when the Windows firewall is disabled on both interfaces (never a good idea). Additionally, regardless of the group policy setting, the function doesn’t even appear as an option when the user is logged in as a non-admin. The group policy setting simply removes the option from people who are local admins of their computers. So here's a way you can remove the ability even for local admins to enable routing.

However, let me admit that I wish we did have a way to implement your request, but for an entirely different reason: IP address preservation. Consider what happens when I'm on my own corpnet in my office. I put my laptop in its dock, which is connected to the Ethernet. I never bother disabling my wireless (I'm lazy). So whenever I'm in my office I'm taking up two IP addresses: one on the Ethernet and one on the wireless. Such wasteful profligacy, I know! (Note this isn’t a problem for any Bluetooth adapter, which always uses APIPA in its default configuration; I can’t imagine a scenario where you’d want Bluetooth to use DHCP.)

If you agree with me that this is something we should address post Windows 7, not for "security" reasons but as a good general networking practice of being conservative with address allocation, please speak up. Now's the time for your input.