New DOS Attack Is a Killer

October 3, 2008 – 1:37 PM

Things are a-brewin’ in Sweden. Sweden is not just home of the infamous bikini team, it is also the home of Outpost 24, an equally sexy software-as-a-service network scanning service, and the employer of my friend Robert E. Lee and his colleague Jack C. Louis. These guys are the inventors of UnicornScan, a user-land TCP stack turned into a port scanner. Never heard of it? Use Nmap exclusively? Well, if you run Linux, I suggest checking it out, especially if missed ports in your portscan are inexcusable. But I digress.

Robert and Jack are smart dudes. I’ve known them for years, and they’ve always been one step ahead of the game. A couple of years ago, Jack found some anomalies in which machines would stop working in some very specific circumstances while being scanned. A few experiments, tons of reading through documentation, and one mysteriously named tool called “sockstress” later, and the two are now touting a nearly universal denial-of-service (DoS) attack that can be performed on almost any normal broadband Internet connection — in just a few seconds.

How bad is it? Well, in an interview (fast-forward five minutes in to hear it in English), the two were asked if they could take out a data center. While they’ve never tried, it appears to be a totally plausible attack. Worse yet, unlike most DoS attacks, the machines often do not come back online once the attack is over. The victim system just doesn’t respond any more. Great, huh?

Robert and I talk a lot, and I asked him if he’d be willing to DoS us, and he flatly said, “Unfortunately, it may affect other devices between here and there so it’s not really a good idea.” Got an idea of what we’re talking about now? This appears not to be a single bug, but in fact at least five, and maybe as many as 30 different potential problems. They just haven’t dug far enough into it to really know how bad it can get. The results range from complete shutdown of the vulnerable machine, to dropping legitimate traffic.

The two researchers have already contacted multiple vendors since the beginning of September (I’ve had a small hand in getting them in contact with one of the vendors). Robert and Jack are waiting with no specific timeline to hear back from the affected TCP stack vendors. Think firewalls, OSes, Web-enabled devices, and so on. Yup, they’ll all need to be hardened, if the vendors can come up with a good solution to the problem. IPv6 services appear to be more affected, because they require more resources per connection and are no more secure, since they still sit on top of the same unhardened TCP stack.

Source:
http://www.darkreading.com/blog.asp?blog_sectionid=403&doc_id=164939

How to Root Out Bots in Your Network

October 2, 2008 – 3:03 PM

Even routinely clean antivirus scans can’t hide the dirty little secret more enterprises are facing today: Some of their client machines are members of botnets.

That’s why Matt Sergeant, senior anti-spam technologist for MessageLabs Ltd., hopes to educate some large organizations and ISPs on how to detect and clean up their bot-infested machines next week at the SecTor security conference in Toronto. Sergeant says a little grass-roots help with botnet detection would help. “There aren’t enough DNS blacklists tracking botnets. That’s not good for the anti-spam economy,” he says. “I would like to see more people tracking these things, listing IP addresses, and that type of thing.”

Big organizations can start by cleaning up their own house. While the size and scope of the botnet problem continues to grow — 90 percent of all spam comes from bots — awareness of the botnet problem is still relatively low among enterprises, Sergeant says. Enterprises are often caught off guard when they realize they harbor bots; they assume antivirus engines will catch them, but they typically don’t, he says. “So often we hear that they are running multiple AV and haven’t found anything. But we’re still seeing [bots there] when AV hasn’t found them,” Sergeant says.

Antivirus (AV) technology struggles when it comes to bot infections, he says, because AV vendors get tens of thousands of new pieces of malware samples every day, and there’s simply no way they can keep up with that, he says. Botnets also tend to operate in multiple stages: A user may first get infected by a piece of malware, but by the time AV detects it, the malware will have downloaded a second stage of malware, deleting the original infected file, for instance, he says. Many botnets also disable AV so they can remain undetected, Sergeant says.

Sergeant says it takes a lot of determination and some expertise to detect bots in-house. “This type of thing is time-consuming. You have to be able to recognize patterns in large quantities of email, and recognize new things coming in,” Sergeant says. And most mail servers don’t provide the level of detail on messages that you need to weed out bot-borne messages.

The first step is to block Port 25 for both incoming and outgoing traffic — except to your mail server, he says. Your firewall logs should reveal any client machines trying to spam out of your network. One hint: Bots tend to do more DNS queries than normal, so keep an eye on that as well as any MX lookups and .ru, .cn, and .info lookups, which are often red flags for bots trying to communicate with their command-and-control server.
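The two signals Sergeant describes (clients talking SMTP to anything other than the sanctioned relay, and clients with bot-like DNS behaviour: high query volume, MX lookups from non-mail hosts, and lookups under .ru, .cn and .info) can be pulled out of ordinary firewall and resolver logs with a short script. The one below is an added example, not code from the article or from MessageLabs; the iptables and BIND log lines, the relay address and the per-window query threshold are all constructed assumptions to be tuned for a real network.

```python
"""Hunt for bot-like clients using two signals: direct outbound SMTP that
bypasses the mail relay, and suspicious DNS behaviour (query volume, MX
lookups from workstations, names under watched TLDs).

Everything below the imports is constructed for the example: the log lines
(iptables LOG syslog format and BIND query-log format), the addresses, and
the threshold are assumptions, not values from any real network.
"""
import re
from collections import defaultdict

MAIL_RELAYS = {"10.0.0.25"}          # assumed: the only host allowed to speak SMTP out
DNS_QUERY_THRESHOLD = 5              # assumed per-window ceiling for a workstation
SUSPICIOUS_TLDS = ("ru", "cn", "info")

# constructed iptables LOG output from an egress chain; real lines carry more
# key=value fields (LEN, TTL, ID, ...), which the key=value parser ignores
FW_LOG = """\
Oct  2 14:01:02 fw kernel: OUT-DROP IN=eth1 OUT=eth0 SRC=10.0.1.17 DST=203.0.113.9 LEN=60 TTL=64 PROTO=TCP SPT=51234 DPT=25 SYN
Oct  2 14:01:02 fw kernel: OUT-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=198.51.100.2 LEN=60 TTL=64 PROTO=TCP SPT=4456 DPT=25 SYN
Oct  2 14:01:03 fw kernel: OUT-DROP IN=eth1 OUT=eth0 SRC=10.0.1.17 DST=203.0.113.10 LEN=60 TTL=64 PROTO=TCP SPT=51235 DPT=25 SYN
Oct  2 14:01:04 fw kernel: OUT-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.42 DST=10.0.0.25 LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=25 SYN
Oct  2 14:01:05 fw kernel: OUT-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.42 DST=93.184.216.34 LEN=60 TTL=64 PROTO=TCP SPT=40002 DPT=80 SYN
"""

# constructed BIND query-log lines (2008-era format)
DNS_LOG = """\
02-Oct-2008 14:01:00.100 client 10.0.1.17#5353: query: mail.example-isp.net IN MX +
02-Oct-2008 14:01:00.200 client 10.0.1.17#5353: query: cc-update.example.ru IN A +
02-Oct-2008 14:01:00.300 client 10.0.1.17#5353: query: hotmail.com IN MX +
02-Oct-2008 14:01:00.400 client 10.0.1.17#5353: query: yahoo.com IN MX +
02-Oct-2008 14:01:00.500 client 10.0.1.17#5353: query: cheapmeds.example.info IN A +
02-Oct-2008 14:01:00.600 client 10.0.1.17#5353: query: gmail.com IN MX +
02-Oct-2008 14:01:01.000 client 10.0.1.42#5353: query: www.example.com IN A +
02-Oct-2008 14:01:01.100 client 10.0.1.42#5353: query: intranet.corp.example IN A +
02-Oct-2008 14:01:02.000 client 10.0.0.25#5353: query: gmail.com IN MX +
"""

DNS_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_fw_line(line):
    """Turn the KEY=VALUE tokens of an iptables LOG line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def smtp_violators(fw_log, mail_relays=MAIL_RELAYS):
    """Return {src: [dst, ...]} for hosts sending TCP/25 to anything but a relay.
    DROP lines count as much as ACCEPT lines: a blocked attempt is still evidence."""
    hits = defaultdict(list)
    for line in fw_log.splitlines():
        kv = parse_fw_line(line)
        if kv.get("PROTO") != "TCP" or kv.get("DPT") != "25":
            continue
        if kv.get("SRC") in mail_relays or kv.get("DST") in mail_relays:
            continue
        hits[kv["SRC"]].append(kv["DST"])
    return dict(hits)


def dns_profile(dns_log):
    """Per-client counters: total queries, MX lookups, names under watched TLDs."""
    prof = defaultdict(lambda: {"queries": 0, "mx": 0, "tld": []})
    for line in dns_log.splitlines():
        m = DNS_RE.search(line)
        if not m:
            continue
        p = prof[m.group("client")]
        p["queries"] += 1
        if m.group("qtype") == "MX":
            p["mx"] += 1
        tld = m.group("qname").rstrip(".").rsplit(".", 1)[-1].lower()
        if tld in SUSPICIOUS_TLDS:
            p["tld"].append(m.group("qname"))
    return dict(prof)


def suspects(fw_log, dns_log, mail_relays=MAIL_RELAYS, threshold=DNS_QUERY_THRESHOLD):
    """Combine both signals into {client: [reason, ...]}; relays are exempt from
    the DNS checks because they legitimately do MX lookups all day."""
    reasons = defaultdict(list)
    for src, dsts in smtp_violators(fw_log, mail_relays).items():
        reasons[src].append("direct SMTP to %d external host(s)" % len(dsts))
    for client, p in dns_profile(dns_log).items():
        if client in mail_relays:
            continue
        if p["queries"] > threshold:
            reasons[client].append("%d DNS queries in window" % p["queries"])
        if p["mx"]:
            reasons[client].append("%d MX lookup(s) from a non-mail host" % p["mx"])
        if p["tld"]:
            reasons[client].append("lookups under watched TLDs: " + ", ".join(p["tld"]))
    return dict(reasons)


if __name__ == "__main__":
    for host, why in sorted(suspects(FW_LOG, DNS_LOG).items()):
        print(host)
        for r in why:
            print("  -", r)
```

On the constructed logs only 10.0.1.17 is flagged, on all four counts; 10.0.1.42 talks to the relay and resolves ordinary names, and the relay itself is exempt from the DNS checks. The DNS volume threshold is the noisiest of the signals and should be set from a baseline of your own resolver logs before anyone acts on it.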

Source:
http://www.darkreading.com/document.asp?doc_id=165143

Researchers uncover major IP flaw

October 1, 2008 – 5:37 AM

Researchers at Swedish security firm Outpost 24 claim to have discovered a flaw in the Internet Protocol that can disrupt any computer or server.

After keeping the flaw quiet for years, the researchers hope that going public will help accelerate the creation of a solution.

The flaw allows attackers to cripple computers and servers by sending a few specially formed TCP/IP packets. The result can be compared to a denial of service attack, in which networks are flooded with traffic. But in the case of the newly revealed flaw, only a minimum of traffic is required. “We’re talking 10 packets per second to take down one service,” said Jack C. Louis, a senior researcher with Outpost24.

Researchers at Fox-IT, a Dutch security firm, confirm the issue. “Based on the available information, this vulnerability may be a serious problem for system availability,” observed Erwin Paternotte, a researcher with Fox-IT. “If the technical details are publicly disclosed, performing a denial-of-service attack will become relatively trivial.”

The problem surfaced during a test scan of 67 million Internet hosts. The researchers were alerted when a test caused some hosts to become unresponsive. Further investigation led to an issue in the TCP/IP stack. After a connection is successfully made, important system resources are at the attacker’s disposal.

Each operating system is affected by the flaw, although different systems respond in different ways. “Each operating system does behave differently, of course. You might notice with OS X that a couple attacks that don’t seem to bother too much completely devastate Windows XP and the other way around,” said Louis.

The researchers have crafted proof-of-concept code that demonstrates the issues. They claim that they haven’t seen a single implementation of TCP/IP that wasn’t vulnerable. Systems remain unresponsive after an attack. “After the attack is over, the system never seems to recover until it is rebooted,” said Robert E. Lee, Outpost24’s chief security officer.

Source:
http://www.techworld.com/security/news/index.cfm?RSS&NewsID=105086

All Major Browsers Vulnerable To Clickjacking

September 29, 2008 – 6:49 AM

Security research sites are buzzing about a newly described attack called “clickjacking.” The descriptions are still pretty vague, but they are scary enough that US-CERT has weighed in and browser vendors are reported to have patches in the works.

The basic description of the attack is that it allows the attacker to trick the user into clicking on something other than what they thought they were clicking on. The two researchers who discovered the technique say that it “…gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable.” This click could be the gateway to many other kinds of exploits on your system.

The researchers pulled a speech they were to give last week on it, as well as proof of concept code that was said to affect every major browser and “an Adobe product” (Flash? Acrobat?)

Source:
http://blogs.pcmag.com/securitywatch/2008/09/all_major_browsers_vulnerable.php

Web Gives Hackers More Territory, Tools

September 28, 2008 – 8:54 AM

As more people become accustomed to Web surfing and downloading software and multimedia, legitimate Web sites have become the favorite targets of hackers.

“The hacking of legitimate Web sites is the biggest threat today,” said David Freer, Symantec’s vice president for consumer business in Asia-Pacific and Japan.

Freer revealed that, based on the latest Threat Landscape study made by Norton (Symantec’s consumer security brand), the Web is emerging as the preferred platform for security attacks, and no longer just the users’ PCs.

“The threat landscape is driven by consumer behavior,” Freer said, explaining that since people are accustomed to viewing and downloading multimedia online, many hackers use this to trick users into installing fake codecs and setting up applications.

“The exploits focus on Web browser and plug-in vulnerabilities, but attacks based on trickery are emerging as the dominant tactic,” he said. “This means more attacks will be language and service-specific.”

Norton observes that attackers focus heavily on finding Web site flaws, since that is much easier than exploiting “traditional” vulnerabilities, and that such flaws are researched and patched far less: only 4% of the Web site vulnerabilities found in the second half of 2007 had been patched as of March 2008.

“We observe 10,000 unique attacking domains (Web sites) daily and 1,500 of these have not been seen attacking users previously,” Freer said.

Source:
http://www.pcworld.com/article/151618/web_hackers_security.html?tk=rss_news