Archive for January 2006

ShmooCon: Network Black Ops

Dan Kaminsky gained fame a few months ago by querying DNS caches to see how many DNS servers worldwide had cached the resolution of the FQDN that machines infected with the Sony rootkit used to check in. He talked about that as well as IP fragmentation attacks, DNS poisoning, and the trouble you get into when scanning all the DNS servers on the Internet.

Shmoocon: Covert Crawling

Billy Hoffman of SPI Labs presented on Covert Crawling: A Wolf Among Lambs. He discussed how he created a web crawler designed to subvert log analysis.
Attacks (other than by worms) are foreshadowed by reconnaissance and are often followed by the attacker checking the site to see whether they succeeded.
You might want to check websites for many reasons: monitoring competitors' progress, where they are speaking, etc. When AT&T ran the patent office website, it was possible for them to see what competitors were working on based on what those competitors looked at on the site.
Making the website crawl look like normal surfing avoids leaving obvious signs in the logs.
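The flip side of the talk is what a log reviewer actually keys on. The following is an added example (my own, not code from the talk or from SPI Labs) that runs a few of those crawler heuristics over constructed Apache combined-format lines: no embedded assets fetched, no Referer on page requests, and a page rate no human reader sustains. Host names and addresses in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2006:10:00:00 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.5 - - [12/Jan/2006:10:00:01 -0500] "GET /style.css HTTP/1.1" 200 800 "http://example.test/" "Mozilla/4.0"
10.0.0.5 - - [12/Jan/2006:10:00:01 -0500] "GET /logo.gif HTTP/1.1" 200 2400 "http://example.test/" "Mozilla/4.0"
10.0.0.5 - - [12/Jan/2006:10:00:45 -0500] "GET /products.html HTTP/1.1" 200 4100 "http://example.test/" "Mozilla/4.0"
10.0.0.9 - - [12/Jan/2006:10:00:00 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Jan/2006:10:00:00 -0500] "GET /products.html HTTP/1.1" 200 4100 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Jan/2006:10:00:01 -0500] "GET /about.html HTTP/1.1" 200 3000 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Jan/2006:10:00:01 -0500] "GET /contact.html HTTP/1.1" 200 2100 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Jan/2006:10:00:02 -0500] "GET /news.html HTTP/1.1" 200 3300 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$')
ASSET_EXT = (".css", ".js", ".gif", ".jpg", ".png", ".ico")

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status, referer, _ua = m.groups()
    when = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")
    return {"ip": ip, "when": when, "path": path, "referer": referer}

def score_clients(log_text):
    """Return {ip: [reasons]} for clients whose page-fetch pattern looks scripted."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            sessions[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in sessions.items():
        pages = [r for r in recs if not r["path"].lower().endswith(ASSET_EXT)]
        assets = len(recs) - len(pages)
        reasons = []
        # A browser rendering HTML also fetches its CSS/images; a bare crawler usually does not.
        if len(pages) >= 3 and assets == 0:
            reasons.append("no embedded assets fetched")
        # Browsers send Referer when following links; a crawler walking a URL list often sends none.
        if len(pages) >= 3 and all(r["referer"] == "-" for r in pages):
            reasons.append("no referers on page requests")
        # Pages per second well beyond human reading speed.
        span = (recs[-1]["when"] - recs[0]["when"]).total_seconds()
        if len(pages) >= 3 and len(pages) / max(span, 1.0) > 1.0:
            reasons.append("page rate %.1f/s" % (len(pages) / max(span, 1.0)))
        if reasons:
            findings[ip] = reasons
    return findings
```

Each heuristic is exactly the kind of signal a covert crawler is built to mimic, which is why no single one is conclusive on its own.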

Shmoocon: Network Policy enforcement

Steve Manzuik, Toby Madhat, and Chris Farrow presented a Birds of a Feather session titled “Network Policy Enforcement / Network Quarantine: Latest Security Gimmick or Good Idea.”
NAC controls access to the network until the computer is brought into compliance. A lot of users go around the country plugging into any port available. What happens when they get back home? While they may get a cycle of penicillin, their computer gets attached to the network, spreading anything it may have picked up.
You can have a lot of problems with NAC if you apply it foolishly. A company with 5-6 thousand users had NAC implemented. On Friday they configured NAC to require the WMF patch. When Monday came, they had 3 thousand computers that couldn’t access the network. (Does NAC have remediation? With a system that has remediation, I don’t see how this is a bad thing, as long as management was on board that this was a critical requirement and had been made to understand what would happen.)
There are three types of network enforcement. The client could isolate itself using a personal firewall. The switch could isolate bad clients. Or an appliance could be added in-line to the network to provide enforcement.
One of the key problems with Network Policy Enforcement is handling heterogeneous environments. Can you deal with Mac and Linux? Second, how do you interrogate the clients? Is it only a network vulnerability scan like Nessus, or is there a client agent? If you don’t trust the computer, how can you trust the answer it gives to the agent? Someone could go to a lot of trouble to fool the agent. Or they could just write their own agent to give answers to the device, assuming the protocols are that insecure.
In their experience it takes a huge amount of manpower and money. Some things just don’t scale well, and Network Policy Enforcement may never work on large 10k+ implementations.

Shmoocon: Keynote

Dan Geer was the Keynote speaker at Shmoocon.
For a statistician he made a rather broad-brush statement that current security workers have no formal training. Yet now every college has a security course. The non-credentialed, he says, are the ones with skills, while those with credentials are the charlatans.
Was the world really better when the astronomers were the ones hunting down the hackers? Is the best hacker one with no formal training? It certainly is popular to attack anyone who has bothered to get a certification or a degree, as if that certifies them as having no skills at all.
I do agree with his statement that as demand for security professionals outstrips supply, the number of charlatans increases. It’s very annoying to watch clueless people stampede after the money. At least in the pre-credential days, you knew people were doing it because they loved the challenge.
Geer also talked about a change in focus from prevention to detection and recovery: ceding that attacks will succeed but making sure what is important is recoverable. With strong recovery capability in place, you can apply patches as they are released without a formal QA process.
Another interesting comment from Geer is that according to Symantec’s own data a new virus is released every 4 hours. How often do you update your antivirus definitions? It is a doomed model.

Shmoocon

I’m going down to the Shmoo Con at the Wardman Park Marriott in DC. My next few posts will be about the sessions I saw there. Of course, since people read the posts in reverse order, you won’t see this until later.

MSRC Responds to Gibson’s baseless charge

Breaking News from the Tin Foil Hat Crowd

I haven’t had time to check the transcripts as I am walking out the door to shmoocon.
According to reports, Steve Gibson claims that the WMF vulnerability could not have been a mistake; it was an intentional backdoor inserted by Microsoft.

http://thisweekintech.com/sn22

LOL. Yet more fodder for grcsucks.com as well as the Microsoft haters.
Steve Gibson. What an idiot.

Cisco Demo

Today I was over at Cisco in Herndon for a presentation on their wireless solution, trying to figure out how to architect a solution in a semi-secure manner.
If we authenticate wireless clients onto our internal network, AD credentials aren’t good enough. So now I have a concern about the usability. Another concern is how to deal with guest access.

Addendum to the Symantec AV support comment

One good thing about that call is that I had zero wait time. Either no one is calling support this week or Symantec has really improved the Gold level response time.

Commenting spam filter tweaked

The comment spam filter was a bit overzealous and trashed some comments because the commenter didn’t provide a URL. I’ve turned the sensitivity down two clicks, so hopefully that won’t happen anymore. If you left a comment in December that didn’t get posted, sorry, it’s gone. If you commented earlier this month, it’s up now, and I’ve probably replied with my own comment.