Detecting SSH tunnels

July 1, 2008 – 6:34 AM

Italian researchers have published a paper on the Detection of Encrypted Tunnels across Network Boundaries. I came across it in a Google search because I’ve been thinking of writing a program which does something similar. It doesn’t seem like anyone else has picked up on this research yet, so I thought I should mention it.

They claim their technique can differentiate between “normal” ssh or scp sessions and ssh sessions which are being used to tunnel traffic (through ssh’s port forwarding mechanism). This is accomplished through a naive Bayes classifier, which they first trained with “normal” ssh sessions. The two variables used to classify a session are the size of the packets and the difference in arrival time of two consecutive packets. With just these, they can classify with 99% accuracy whether an ssh session is a tunnel. They were also able to classify the actual protocol (P2P, POP, SMTP, HTTP) of the tunneled connection with close to 90% accuracy.

Although their research is quite interesting there are a few things which limit its practicality. They can only detect tunnels going through ssh servers which they control. This is because their detection mechanism can only handle a single authentication type whereas an ssh server can (and usually does) allow multiple (e.g. public-key or password). This requires admins of the server to limit the allowed authentication options to a single consistent choice. They also require the ssh server _and_ client to disable compression. Their technique will also falsely classify a second login attempt (after a failed login) as a tunnel and drop the connection. In their words: “However, this should not be a major problem: simply, if the user is entitled to connect, they will try again.”

So it seems the use of a tool like this would be limited to an extremely controlled environment where users are limited to a white-list set of network protocols (so that they can’t use a different tunneling mechanism, stunnel for example) and only allowed to ssh to servers under the control of the censoring party. In which case you would wonder why the admin wouldn’t just set the ssh servers’ AllowTcpForwarding option to false.

Source:
http://coderrr.wordpress.com/2008/06/28/detecting-ssh-tunnels/
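A minimal illustration of the classification approach described above, added here and not taken from the paper or the coderrr post: a Gaussian naive Bayes classifier over the two features the paper uses (packet size and inter-arrival time), trained on constructed sample sessions. The paper trains on normal sessions only; this example, for simplicity, uses labelled samples of both classes, and all numbers are made up.

```python
import math

# Constructed sample sessions: each is a list of (packet_size_bytes, inter_arrival_seconds).
# Interactive ssh: small packets with human-paced gaps. Tunnelled bulk transfer: full-size
# packets arriving back-to-back. These values are invented for the example.
TRAIN = {
    "interactive": [[(52, 0.30), (68, 0.45), (52, 0.20), (84, 0.60), (52, 0.35)],
                    [(68, 0.25), (52, 0.50), (52, 0.40), (100, 0.55)]],
    "tunnel":      [[(1448, 0.002), (1448, 0.001), (1448, 0.003), (900, 0.002)],
                    [(1448, 0.001), (1200, 0.004), (1448, 0.002), (1448, 0.001)]],
}


def _gaussian_logpdf(x, mean, var):
    """Log density of x under a normal distribution with the given mean and variance."""
    return -0.5 * math.log(2 * math.pi * var) - (x - mean) ** 2 / (2 * var)


def train(sessions_by_class, min_var=1e-6):
    """Fit per-class mean/variance for each feature (size, gap) plus a class prior."""
    model = {}
    total_sessions = sum(len(s) for s in sessions_by_class.values())
    for label, sessions in sessions_by_class.items():
        packets = [p for session in sessions for p in session]
        stats = []
        for feature in range(2):
            vals = [p[feature] for p in packets]
            mean = sum(vals) / len(vals)
            # Floor the variance so a constant feature cannot produce a zero-width Gaussian.
            var = max(sum((v - mean) ** 2 for v in vals) / len(vals), min_var)
            stats.append((mean, var))
        model[label] = {"prior": math.log(len(sessions) / total_sessions), "stats": stats}
    return model


def classify(model, session):
    """Sum per-packet log-likelihoods under each class, treating size and gap as independent."""
    scores = {}
    for label, params in model.items():
        score = params["prior"]
        for size, gap in session:
            score += _gaussian_logpdf(size, *params["stats"][0])
            score += _gaussian_logpdf(gap, *params["stats"][1])
        scores[label] = score
    return max(scores, key=scores.get)


if __name__ == "__main__":
    model = train(TRAIN)
    print(classify(model, [(52, 0.30), (60, 0.40), (52, 0.25)]))        # interactive
    print(classify(model, [(1448, 0.002), (1448, 0.001), (1300, 0.002)]))  # tunnel
```

Note that compression or mixed authentication types, as the post points out, change the size and timing distributions the classifier was trained on, which is why the paper has to constrain both.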

Exploit code released for unpatched IE 7 vulnerability

July 1, 2008 – 6:22 AM

Another day, another gaping hole affecting fully patched versions of Microsoft’s Internet Explorer browser.

According to a warning from US-CERT, proof-of-concept exploit code has been published for a new zero-day bug that can be used for a variety of malicious attacks against Windows users running IE 6, IE 7, and IE 8 beta 1.

The code, published here by ‘sirdarckat’, shows how the vulnerability can be exploited to hijack an iFrame in a legitimate site and capture a target’s keystrokes. This occurs because Internet Explorer fails to properly restrict access to a document’s frames, allowing an attacker to modify the contents of frames in a different domain.

Source:
http://blogs.zdnet.com/security/?p=1370

Cracking Physical Identity Theft

July 1, 2008 – 5:58 AM

A researcher performing social engineering exploits on behalf of several U.S. banks and other firms in the past year has “stolen” thousands of identities with a 100 percent success rate.

Joshua Perrymon, hacking director for PacketFocus Security Solutions and CEO of RedFlag Security, says organizations typically are focused on online identity theft from their data resources, and don’t think about how the same data can literally walk out the door with a criminal posing as an auditor or a computer repairman. He once walked out of a client site carrying their U.S. mail tray with 500 customer statements inside it, he says.

“This is the forgotten and overlooked” security risk for identity theft, Perrymon says. “That’s why the first time we show [our clients] what we can do, it blows them away.” But with the Federal Trade Commission’s (FTC) new identity theft regulations requiring banks, mortgage firms, credit unions, automobile dealerships, and other companies that provide credit to assess identity theft risks as well as add policies and procedures to pinpoint any “red flags” as of this November, Perrymon and his team are in hot demand to perform undercover social engineering exploits for banks and other firms to test their ID theft vulnerabilities.

Source:
http://www.darkreading.com/document.asp?doc_id=157855

Radmin Default Installation Security Vulnerabilities

June 30, 2008 – 10:21 AM

“By default, Radmin uses a known port, TCP port 4899 for remote access. In addition, if you are using password authentication only, a remote user only has to find an open TCP port 4899 and guess one word: your password.

Suggestions:
It is very easy to implement any or all of the following suggestions:
1) Change the default port from 4899 to something else.
2) Use IP address filtering to limit the host range if possible.
3) If Radmin is running on NT, Win2k or XP PRO, use WinNT options (enable the NTLM authentication option, “WinNT options”) or use a STRONG password.
4) Enable the log file and look for unknown addresses attempting to access your server.
5) Put Radmin behind a Firewall and access via VPN.”

Source:
http://www.securiteam.com/securitynews/5VP060U8AO.html

Re-blogging Ethically

June 30, 2008 – 10:01 AM

It’s no shock to anybody that on this blog I’m mainly just re-blogging good and informative articles until I graduate and actually have the time to sit and write my own content. I figured this was a great way to keep my site “active” in the eyes of the search engines while I’m in school full-time and just have no extra time to blog about the various subjects. I always felt that I’m giving credit back to the original article and author by linking to the site at the end of the teaser. I’ve changed this format many times while trying to find the easiest template to use, but I’ve always given the proper credit back. You won’t find one article on this site, that I didn’t write, without that credit and link back to the article.

I believe in spreading the word about security and I think re-blogging overall is a good thing. My question is…what format should blogs be using for giving credit back to the originator?

I’ve tried the following formats and I still had somebody complain that I’m not doing it right. Here’s a few examples of how I do it:

———-

Teaser text

Read the rest of the story… <-- this is a link that goes back to the original article

———-

Text (if it’s a small article where I use the whole text)

Source:
http://www.originalsite/originalarticle.html <-- actual visible URL to the site

———-

Teaser text

Source: Name of site <-- this is a link to the original article

———-

“Text” (in quotes)

Source:
http://www.originalsite/originalarticle.html <-- actual visible URL to the site

———-

So which way should blogs be doing this? And keep in mind that most of us are just geeks without a journalism degree so please don’t expect everybody to understand “APA style”. 🙂

I’m very curious and I think this will help other bloggers as well.