Archive for the ‘4-notice’ category

Spawning A CMD Prompt From MS Word or Excel

October 15th, 2009

This is an old trick, but I still see a number of Administrators that think they have locked users out of the command prompt by simply removing the icon from the menu and disabling the Start–> Run option. In this post I’ll discuss how to create a command prompt with Visual Basic for Applications (VBA), as well as how to mitigate (although never completely eliminate) the risk of someone achieving access to the prompt.

Creating a command prompt with VBA

This technique will work with any application that supports VBA, but I’m specifically going to use Microsoft Word in my example. Here’s what you need to do:

  1. Launch Microsoft Word
  2. Press “ALT-F11” to launch the VBA editor
  3. Double click “ThisDocument” in the left pane
  4. When the editor window appears, type in the text shown in Figure #1
  5. Press the “F5” key
Figure 1: Our simple VB script

Figure 1: Our simple VB script

You should see a command prompt window appear in your task bar. Here’s a copy of the code you need in step 4 so you can copy/paste:

Sub GetCMD()

Shell “cmd.exe cmd.exe”

End Sub

How to prevent VBA from spawning a command prompt

Execution of the command prompt can be disabled with the Group Policy Editor tool. Here are the steps:

  1. Click Start –> Run
  2. Type in “gpedit.msc” (without the quotes)
  3. Click User Configuration –> Administrative Templates –> System
  4. Search down the list for “Prevent access to the command prompt” and double click it

You have two options available to you:

  • Enable/Disable access to the command prompt
  • Yes/No Disable command prompt scripting process

If you only disable the first option, direct access to cmd.exe is prevented but a smart user can still get to it via a batch file. To prevent script access, need to disable the second option as well. This prevents ALL scripting however and can play havoc in many environments. Also, both of these settings will apply to the Administrator account as well. This can make admin and troubleshooting far more difficult.

Even with both options disabled, a user can still get around these settings by using command.com instead of cmd.exe. To fix this, you need to restrict access to command.com via user permissions. If you are still running some old 16-bit apps, this fix will break them.

All of these steps do not completely solve the problem however. A user who knows what they are doing with debug can simply copy cmd.exe to another location and modify it so a prompt is achieved when using it to run a bogus command. So we also have to delete “debug.exe”.

Even then, a savvy programmer can create an executable to get around all of the above security checks. So we need to remove all ability to copy or write to the drive as well. Needless to say we have a pretty useless computer at that point.

Exec Summary

If someone smart has access to your system, it is doubtful you will be able to prevent him or her from getting to the command line. The Group Policy Editor can most certainly make it more difficult, but the tool simply reduces the risk of attack. You cannot completely eliminate the risk without severely hampering the system’s operation and usefulness.

No comments »

Posted in 4-notice, Windows Security

Tags:

How To Use Windows Auto-Complete And Command Line History

August 13th, 2009

Ran into this issue at a client site today so I thought I would post some info on it. I see a lot of Windows administrators that don’t know how to fully leverage the Windows auto-complete functionality as well as the command line history. I also see Linux and UNIX administrators who get confused because these features work differently under Windows. Thought I would write up a quick how-to.

Windows auto-complete

Auto-complete permits you to type in a portion of a file name and have the system fill in the rest of the name for you. It’s a great way to save a few keystrokes. Simply type in the first couple of letters for the file name and press the <tab> key. The first file in the current directory, which starts with the letters you typed, will be filled in on the command line. This is shown in Figure #1.

win-auto-complete

For the folks that have used auto-complete on UNIX or Linux, here is where they get confused. Both platforms require you to type in enough of the command to be unique. You can then press <tab> to fill in the rest of the file. Windows works a little different.

Note in Figure #1 Windows filled in the first file name match to the character string “nets” the first time the <tab> key was pressed. If this is not the file you wanted, simply press the <tab> key a second time. You can continue to press the <tab> key and scroll through all of the possible file options.

Eventually the system will wrap and return to the first file it presented. For example pressing <tab> six times in the above example will return you to the file named “netsetup.cpl”. If you need to scroll backwards through the file options, simply hold down the <shift> key while you press <tab>.

Windows command history

Most folks realize you can press the up and down arrow keys to scroll through your command line history. Have you tried the <F7> key? If you are working in a command prompt and press the function 7 key ( <F7> ), a menu appears showing all the commands that you typed. This is shown in Figure #2. You can then use the up and down arrows, as well as the <Page Up> and <Page Down> keys, to navigate this list of commands.

prompt-history

Here’s another area where Windows works a little differently than Linux and UNIX. With Linux and UNIX, pressing the up arrow will always retrieve the last command you typed. If you have 10 sequential commands you wish to repeat, you will have to repeatedly hit the up arrow key 10 times to retrieve each command in sequence. Windows makes this process a little easier.

Try this on your Windows system:

  • Open a command prompt
  • Type the number 1 and press <enter>
  • Ignore the command not found error
  • Repeat the last two steps for numbers 2 – 10
  • Press the up arrow till you retrieve the number 5
  • Press enter
  • Press <F7>

An example is shown in Figure #3. Note the menu bar is over the number 5. This is the current reference point in the command history. While pressing the up arrow on a Linux or UNIX command line will always recalls the last command you typed, Windows shift the reference point to last recalled command. So pressing up arrow recalls the command prior to the last recalled command, not the last executed command like Linux and UNIX.

win-auto-complete2

To test this, press the <Esc> key. This will return you to the command prompt. Now press the up arrow. This will recall “4”, the command prior to “5” in the history, not “10” which was the last command executed prior to recalling “5”. Now press the down arrow until the “7” command is displayed and press <Enter>. If you now press <F7> you will notice the reference pointer has been moved to “7”, the last recalled command.

Exec Summary

Some functions operated differently at the Windows command line than their UNIX or Linux counterparts. Auto-complete and command line history are two great examples. Which implementation is preferable, unusually depends on which operating system you are most comfortable using.

No comments »

Posted in 4-notice, Windows Security

Tags:

DLP FAQ

August 7th, 2009

I’ve had a few queries regarding the SANS Data Leak Prevention & Encryption Summit I’ll be keynoting next month. The questions have revolved around DLP in general, so I thought I would give a run down on the technology.

What is DLP?

DLP stands for “Data Leak Prevention” or “Data Loss Prevention”, depending on which vendor you are talking to. There are a few other names currently being bounced around (gotta love marketing people trying to make their stuff look newer and cooler ;) ), but they are effectively the same technology. DLP attempts to log, or possibly prohibit, the transfer of sensitive information from a secure location to an insecure location.

Sensitive information usually includes data like credit card numbers or social security numbers. Most will also give you the ability to define phrases or specific files as sensitive as well. Of course how much customization you get depends on the product, but these features are pretty standard. The big difference tends to be with the ease of policy creation. Some let you use a simple, natural language while others may require you to learn a Regex type of expression language to create policies and write filters.

Think of DLP devices as intrusion detection systems for specific keywords and you’ll get the idea. In fact some established NIDS and NIPS vendors are now touting their DLP capabilities as well. You also have a number of startups that are focused specifically on the DLP market.

How does DLP work?

Currently there are three different methods of DLP deployment:

  • On the wire
  • On the server
  • On the desktop

Some vendors support a single method of deployment while others support all three. There are strengths and weaknesses to each, which I will cover later in this FAQ.

How much does DLP cost?

Since it’s a new technology, prices are all over the board. A medium size company (50-500 nodes) can expect to pay anywhere from $30,000 to $200,000 US. These devices are by no means plug and play, so a portion of the cost includes configuring the device and customizing it for the specific environment. You should also expect a bit of lead-time in getting the device(s) deployed properly.

What are the problems with DLP?

Probably the biggest problem with DLP technology is that it can easily be defeated. It is really designed to prevent accidental data leakage, rather than a true attack. You should consider DLP an enhancement to your existing security posture, not a replacement for any previously deployed technology.

For example, deploying DLP on the wire is probably the fastest and most effective deployment. The problem is it can easily be defeated by encryption. So if I encrypt a sensitive file prior to transmission, or leverage a VPN technology (see items 5 and 4 on my Top 5 Firewall Threats) post, the network based DLP will be unable to see the passing information.

Some DLP devices can give you limited ability to work around the encryption problem. For example Fedelis will integrate with a number of proxy products to check passing HTTPS. You have to purchase a supported product however and configure it specifically to prevent end-to-end encryption of HTTPS (the proxy breaks the encrypted stream so payload can be analyzed). Even then you’ve only solved the problem over HTTPS. Encrypted data through other ports will still be an issue. Or an attacker could encrypt the file locally and then transmit via HTTPS because all the proxy can strip away is the SSL encryption.

Deploying DLP on the desktop solves some of these problems, but not all of them. For example the desktop agents I’ve looked at do a pretty good job of preventing me from transferring a sensitive file via the Internet or to a local USB drive. If you run an agent based DLP, try this:

  1. Open a sensitive file
  2. Create a screen capture of sensitive info (CTRL-ALT-Print screen)
  3. Open Windows Paint and press CTRL-V
  4. Save the file as a GIF or JPG
  5. Copy to a USB drive or transfer via the Internet

If your results are similar to mine, you’ll find this very simple trick fools the agent into letting the data pass by. If you wanted to get really slick, you could add a bit of Steganography.

Exec Summary

DLP is a powerful technology that can help prevent the release of sensitive information. Currently it is better suited for preventing against accidental data leakage rather than a determined attacker. If the release of sensitive data is a serious concern, you may need to rework your current architecture in order to close the holes DLP cannot defend.

No comments »

Posted in 4-notice, General Security

Tags:

Quick Access To Windows Admin Tools

July 28th, 2009

In my last post I talked about how using the Windows GUI can at times be cumbersome. If you administer a Windows network, you are frequently leveraging the Windows admin tools. Here are some tips to make that task a bit easier.

List of Tools

Here’s a list of the most commonly used Window’s admin tools as well as the command needed to launch them:

  • Add/Remove Programs = appwiz.cpl
  • Certificate Manager = certmgr.msc
  • Computer Manager = compmgmt.msc
  • Control Panel = control.exe
  • Copy screen to clipboard = <ctrl><Print Scrn>
  • Copy active window to clipboard = <ctrl><alt><Print Scrn>
  • Device Manager = devmgmt.msc
  • Event Viewer = eventvwr.msc
  • File Explorer = explorer.exe
  • File Signature Verification = sigverif.exe
  • Group Policy Editor = gpedit.msc
  • MS Management Console = mmc
  • Network Properties = control netconnections
  • Performance Monitor = perfmon.msc
  • Registry Editor = regedt32.exe
  • Security Center = wscui.cpl
  • User Manager = lusrmgr.msc
  • Security Policy Editor = secpol.msc
  • Services Screen = services.msc
  • Solitaire = sol.exe
  • System Config Utility = msconfig.exe
  • Task Manager = taskmgr.exe
  • Task Manager = <ctrl><shift><esc>
  • Task Scheduler = control schedtasks
  • User Manager = lusrmgr.msc

Quick Launch Options

Here are some tips for making each of the above easily accessible:

  1. Click Start –> Run then type in the command listed above
  2. Press <Windows key><r> then type in the command listed above
  3. Create a desktop shortcut
  4. Create a taskbar shortcut
  5. Create a single program group so everything is in one place

No comments »

Posted in 4-notice, Windows Security

Tags:

Helpful Shortcuts For The Windows IP Geek

July 25th, 2009

Many of us do testing with our Windows systems which inevitably require us to change firewall settings and IP info. While Windows has given us a pretty GUI for performing these tasks, it can be cumbersome to navigate the menu options. In this post I’ll show you how creating a few icons can help you take better control of this problem.

Dealing with the Windows firewall

One of the common tasks I need to perform is disabling and enabling the Windows firewall. I sometimes need to shut it off for testing, but of course want it turned back on again if I’m connected to a potentially hostile network. This introduces the additional problem that I can never remember if I had it turned on or off the last time the system was booted.

Disabling the Windows firewall

Open up a text editor and create a file named disable-firewall.bat. Type the following line into the file:

netsh firewall set opmode disable

Now save the file and create a desktop shortcut that points to it. Whenever you double click the icon, the Windows firewall will shut down.

Enabling the Windows firewall

Open up a text editor and create a file named enable-firewall.bat. The file will contain only a single line:

netsh firewall set opmode enable

Now save the file and create a desktop shortcut that points to it. Whenever you double click the icon, the Windows firewall will turn on.

Checking the Windows firewall status

Open up a text editor and create a file named fw-status.bat. Type the following three lines into the file:

netsh firewall show state
pause
exit

Now save the file and create two shortcuts pointing to it. One on the desktop and one in your startup group. When your system first boots up, a command prompt will open showing the current state of the Windows firewall. It will then pause on the screen until you press a key. Anytime you need to check the current status, simply double click the shortcut you placed on the desktop.

Dealing with IP settings

If every network used DHCP, dealing with IP would be much easier. When we work in a lab however, we typically have to manually configure IP for communications. Obviously we can use the GUI for this, but its easy to streamline the process with a couple of shortcuts.

Manually setting a wired IP address

For the purpose of this exercise I’ll assume the IP address you want to assign is 192.168.1.10. Change this IP address as needed.
Open up a text editor and create a file named 192-168-1-10.bat. The file will contain only a single line:

netsh interface ip set address local static 192.168.1.10 255.255.255.0

Now save the file and create a desktop shortcut that points to it. When ever you double click the icon, the IP address on your wired interface will be changed.

Adding a default gateway

If there is a default gateway you need to specify, we can do that as well. Assuming the gateway is at 192.168.1.1, we would change the above command to read:

netsh interface ip set address local static 192.168.1.10 255.255.255.0 192.168.1.1 1

Specifying a DNS server

If you need to specify DNS servers, we’ll need to add a few extra lines to the batch file. Let’s build on the last example and assume we have two DNS servers, one at 10.1.1.1 and another at 172.30.1.10. In this case our batch file would contain the following:

netsh interface ip set address local static 192.168.1.10 255.255.255.0 192.168.1.1 1
netsh interface ip set dns local static 10.1.1.1
netsh interface ip set dns local static 172.30.1.10

Reverting back to DHCP

Open up a text editor and create a file named reset-dhcp.bat. The file will contain only a single line:

netsh interface ip set address local dhcp

Now save the file and create a desktop shortcut that points to it. When ever you double click the icon, Windows will look to a local DHCP server for the IP info it will use.

What if I use multiple IP addresses?

The above example works great provided you consistently use the same IP address. What if you need a bit more flexibility to change it on the fly? Luckily we can handle that problem through the use of variables.

Open up a text editor and create a file named varip.bat. The file will contain only a single line:

netsh interface ip set address local static %1 255.255.255.0

Now save the file to a directory in your path statement. The Windows directory itself is usually a good last ditch option. If you don’t know which directories are in your path, simply open a command prompt and type the command “path”. This will produce a semi-colon ( ; ) separated list of all directories in your path. This tip will not work if the file is not saved to a directory in your path statement.
Whenever you need to set your IP address simply click Start–> Run and type in:

varip 192.168.50.25

or what ever IP address you wish to use. If you commonly need to change the subnet mask, change the command to read:

netsh interface ip set address local static %1 %2
Now when you click Start–> Run you would type:

varip 192.168.50.25 255.255.255.128

or whatever IP address/subnet mask combination you wish to use.

Exec Summary

While the Windows GUI is relatively easy to navigate, it can be cumbersome for common tasks like changing IP address or firewall settings. This can easily be rectified by creating a few batch files and placing shortcuts to them on the desktop.

1 comment »

Posted in 4-notice, Windows Security

Tags:

Making The Web a Safer Place With NoScript

July 24th, 2009

Yesterday I was reviewing the stats for this site and was pleasantly surprised to see that 70%+ of all visitors are using the Firefox browser. In a previous post I discussed What Makes A System Vulnerable and defined it as being when we permit remote users to interact with code running on the local system. Firefox has an excellent security extension called NoScript which can dramatically reduce this vector of exposure.

The premise of NoScript is so rudimentary, you have to wonder why every browser vendor does not make this functionality a built in option. NoScript gives you control of which sites can execute code on your system. Its that simple. So merely browsing to a Web site no longer immediately implies that you trust them enough to execute programs (Java, Flash, etc.) on your desktop. NoScript is flexible, relatively unobtrusive, and a “must have” extension for staying safe on the Internet.

Getting NoScript

The easiest way to retrieve and install NoScript is right through the Firefox Add-ons window. Simply click “Tools” from the main menu bar and select “Add-ons” from the drop down menu. When the Add-ons window appears, click the “Get Add-ons” button at the top left side of the Window. If you do not see NoScript mentioned on the “Recommended” list, click the “Browse All Add-ons” link on the top right of the screen.

Clicking the link will spawn a new Firefox tab directing you to the Firefox add-ons site. In the search bar type in “noscript”. When NoScript appears in the results, click the “Add to Firefox” button. When the installation is complete simply restart your Firefox browser. You are now ready for safer Web browsing. When new updates become available you will be automatically notified.

Using NoScript

When you first start using NoScript it may appear that many of your favorite Web sites are broken. Flash video will no longer auto-load, drop down menus may fail, etc. Take a look at the bottom of your Firefox window. You will see output similar to Figure #1. NoScript is telling us that all script execution is currently disabled for this site. The site tried to run 12 scripts and there were 0 embedded objects (like frames displaying text or video from other sites). To change this behavior simply click the “Options…” button.

noscript-status

Clicking “Options…” will produce a menu similar to Figure #2. The information pertaining to this specific site is at the bottom of the menu. NoScript is telling us that the site tried to execute scripts from four different domains; mmismm.com, revsci.net, com.com and cnet.com. We are given two options for each domain, let the scripts from that domain run just for this session (Temporarily), or permit the domain to execute scripts for this and future sessions as well (Allow).

noscript-options

Mmismm.com and revsci.net are advertising companies. They also have a poor trust rating through the Web Of Trust (WOT is another cool Firefox plug-in by the way) so we may want to leave scripts from these domains disabled. The remaining two domains are part of CNET. So if we like to view news and articles from this company we may wish to grant access. Note this should not be automatic however. For example this menu was generated while I was visiting the CNET News site. I was still able to view all the content I was interested in just fine, so really there is no reason to permit any of these domains to execute scripts and expose myself to potential attack.

If you do permit script execution from certain domains, Firefox will automatically reload the page and execute the permitted scripts. You’ll now notice that the NoScript status bar will now look more like Figure #3. NoScript is telling us that the site we visited tried to execute scripts from six different domains, but only four of them were permitted. The domains allowed to run scripts are then listed out for us to review. There were 69 scripts total and zero embedded object.

noscript-status2

If we later decide a site is not so trustworthy, its easy to revoke permissions. If we are at the site in question, simply click “Options…” and select the “Forbid” menu item for that domain. If we are not currently browsing the site, go to the top of the menu and select “Options…” (second appearance of this title). Click the “Whitelist” tab, scroll through the list to find the site in question, and click the Remove Selected Sites” button. Problem solved.

Once you have used NoScript for a while and wish to get into some of the more advanced options, the NoScript site has some excellent information. Start with the FAQ and then move on to the user forums. If you find NoScript saves you even once from an attack, it may be worth clicking the “Donate” button at the top of the main page. ;)

No comments »

Posted in 4-notice, General Security

Tags:

Why Firewall Reject Rules Are Better Than Firewall Drop Rules

July 23rd, 2009

Most firewalls come pre-configured to quietly drop traffic rather than reject it. But what’s the difference between the two and is it truly better to drop instead of reject? If you have never given this question much thought, the answer might surprise you.

Firewall traffic control options

Firewalls typically give you three options when interacting with traffic, these are:

  • Accept – Let the traffic pass through
  • Drop – Remove the packet from the wire and generate no error packet
  • Reject – Remove the packet from the wire and return an ICMP “Communication administratively prohibited” (ICMP type 3, code 13) error packet

Some firewalls are customizable when it comes to the reject packet that gets returned. For example Netfilter provides options from making the port look like its closed to tar pitting the connection. For the purpose of this post I’ll stick with just the administratively prohibited message since that’s the most widely deployed.

What happens when you port scan a system

An attacker can identify open versus closed ports on a system because each responds differently to a stimulus packet. When I send a TCP SYN packet to a system, one of the following is going to occur:

  • If the port is open a TCP SYN/ACK will be returned
  • If the port is closed a TCP RST/ACK will be returned

So if a SYN/ACK is returned, I know the port is open. If a RST (reset)/ACK is returned, I know the port is closed.

Now expand this out to the Internet level and some other possibilities come into play:

  • If the host is off-line an ICMP host unreachable will be returned by the upstream router
  • If the network the host is connected to is off-line, an ICMP network unreachable will be returned by the upstream router
  • If a router or a firewall with a reject rule is blocking the connection, an administratively prohibited error is returned
  • If the port is protected by a firewall with a drop rule, nothing is returned

Note that its the final two possibilities that involve traffic control. If we drop traffic, nothing is returned to the scanner. If we reject, then an ICMP error is returned.

The myth of stealthing the firewall

Vendors favor drop rules for two reasons, both of which are incorrect. The first is that dropping traffic helps to “stealth” the firewall. The concept is that since the firewall is returning no data, an attacker will be unable to determine you have a firewall. Look at the above response options again. The only time nothing is returned consistently is when a firewall with a drop rule is in the way. So by dropping traffic you are not stealthing the firewall, you are advertising it. This is why tools like nmap will actually report the probe as “filtered” when nothing comes back.

When I’ve confronted vendors with this fact, the response is either “Huh?” or “They still don’t know your firewall’s IP address so its still stealthed”. The second statement is only partially true in that an attacker would have to perform the additional step of running a tool such as tcptraceroute to determine the IP address of the firewall.

So the concept of being able to stealth a device that interacts with traffic flow is a complete myth. The closest match is probably Netfilter’s ability to reject via host unreachable messages. While this does not hide the IP address of the firewall, it does make the firewall look more like a router and help to mask the network segmentation behind it.

The myth of using less bandwidth

The second reason vendors favor drop rules is they think it generates less traffic on the wire. This makes sense logically unless you understand how TCP/IP communicates. In other words, on the surface this statement seems rational. Keep the ICMP errors off the wire and you are using less bandwidth. The reality however is that TCP tries very hard to be reliable. This means that when the first probe packet is quietly dropped, the source is going to send two, possibly four more packets to try again. If you add up the bits on the wire, you actually end up using more bandwidth when you force the source into retransmission mode.

What do the RFC’s say?

So which method is RFC legal, dropping or rejecting? If we reference RFC 1122 it says:

3.3.8  Error Reporting

         Wherever practical, hosts MUST return ICMP error datagrams on
         detection of an error, except in those cases where returning an
         ICMP error message is specifically prohibited.

“Specifically prohibited” refers to the fact that you should never respond to an error packet with another error packet. Its just too easy to create infinite loops. So if we are prohibiting traffic flow we are suppose to be returning an ICMP error message.

Making your IP range less attractive to spoofing

One of the biggest problems with using drop rules is that you make your IP range more attractive for spoofing. Consider the typical SYN flood attack where an attacker attempts to fill up a server’s TCP connection queue so that legitimate connection requests can not be serviced. The attacker will flood the target with TCP connection requests, typically from multiple zombie hosts. Since the attacker has no intention of completing the TCP three packet handshake, the source IP address is spoofed to help protect the true identity of the zombie.

If an attacker spoofs one of your IP addresses as part of their SYN flood, you will see the server under attack send unsolicited SYN/ACK packets to the spoofed IP address. This is not the server attacking your network, its simply the server responding to a connection request and it has no idea the source IP address was spoofed.

OK, let’s return to the above listed scanning options and combine that with your network setup to see what impact you will have on the attacker’s ability to perform a successful SYN flood attack. If your IP address they are spoofing is:

  • Exposed host = RST/ACK returned, connection queue cleared on server in approximately 50 ms.
  • Host off-line = Upstream router returns host unreachable in approximately 3 seconds
  • Network off-line = Upstream router returns network unreachable in approximately 50 ms
  • Reject rule = Firewall/router returns Administratively prohibited message in approximately 50 ms
  • Drop rule = Server under attack attempts to respond for 30 seconds or more

The anatomy of a SYN flood

There are two metrics that come into play in making a SYN flood successful. The first is how many SYN packets can the attacker spoof per second. This metric will be determined by the size of the attacker’s zombie army. The second metric however, is something you have control of. That is “How long will each spoofed connection request tie up memory in the server’s connection queue?”.

As you can see in the above responses, when an attacker spoofs an IP address protected by a firewall drop rule, the bogus connection request ties up the server’s connection queue for the greatest amount of time. So let’s say the attacker wants to tie up one connection slot worth of memory for 60 seconds. That would take two spoofed packets protected by a firewall drop rule, or 1,200 spoofed packets if each spoofed IP is protected by a firewall reject rule. So spoofing dropped source IPs means the attacker requires fewer SYN packets per second in order to perform a successful attack. By deploying a drop rule you are inadvertently helping the attacker and making your address space more attractive to IP address spoofing.

Exec Summary

Using drop rules to prevent traffic flow is widely deployed. This author feels this has more to do with “everyone following the herd” than with a drop implementation truly being a better security posture than using reject rules. Reject rules are more RFC compliant, generate less traffic on the wire, and make your address space less attractive for IP address spoofing.

Cheers!

C

3 comments »

Posted in 4-notice, Network Security

Tags:

Uber Geek Your Windows Laptop

July 12th, 2009

Thought some folks might find this useful. I’ve noticed that over the last few years working with the Windows command line has become a bit of a lost art. This is too bad as you can do some really cool stuff. This instructional is geared towards those folks that do not know the power of working from “the dark place”. There are general tips for setup, how to perform common task, common error codes and how to resolve them, as well as batch file basics.

This is relatively low level material, but IMHO its a great primer for those who have not spent a lot of time working at the command line.

Enjoy!

C

Uber Geek Your Windows Laptop

No comments »

Posted in 4-notice, Windows Security

Tags:

TIC article on Networkworld

July 10th, 2009

Networkworld has an article on the DDoS attacks that appears to be originating out of North Korea. Here’s a link to it. The jist of the article is that the DDoS attacks were worse than they should have been because security folks did not know what ISP they were using. The claim was that if the government would hurry up and implement the Trusted Internet Connect (TIC) program, these problems would be a thing of the past.

First a little background, TIC is an effort to reduce the number of connections to the Internet maintained by federal, state and military networks. In 2006 there was somewhere in the neighborhood of 4,500 connections (at the time I was involved no one knew for sure exactly how many connections there were). The original goal was to reduce this to 50 connections. Last I heard the goal was 113. Expect it to float around in this ballpark for a while. Currently they’ve been able to eliminate about 25% of the connections.

There are many reasons why this is a good idea. Single point of security implementation, consolidation of resources, a more uniform implementation of security policy, just to name a few. There are many reasons why this is also a bad idea, one of which is the mitigation of DDoS attacks like the one described in the article.

Look at it this way, if I take 100 Internet connections and consolidate it into 1, I’m not going to implement a single link with 100X bandwidth (30 Gb is about the max we can push today anyway and running at that level severely limits your security product options). I’m going to do the same thing ISPs do, over subscribe the link. Since it is unlikely everyone will try and access the Internet at the same time, normally this works just fine. The problem occurs when a DDoS attack takes place as now there is less bandwidth that needs to be saturated in order for the DoS to be successful. It also means that a greater number of sites will be affected. So I would argue that TIC has the potential to make this problem worse, not better.

But let’s try and look at the true root cause of all of this. They quote Alan Paller as saying they could not get the ISP to filter the traffic. The author states this is because they didn’t know which ISP to contact. Huh? How about a whois query on the address space? Traceroute? Check the monthly bill? Direct ARIN query? I find it hard to believe that a staff of security folks would sit around staring at each other with no idea how to figure out who their ISP is. More likely the ISP did not want to take responsibility for filtering the traffic. I know I’ve run into that problem dozens of times over my career.

Its also possible that this was a pretty low priority. Think about it. The attack started on July 4th. Think back to that day. Were you out enjoying sun and family or thinking “Humm, I wonder if the Federal Trade Commission posted anything today on the state of the economy. OMG I’m financially ruined, I can’t get to their Web site!”? :) My guess is the former. This is/was a relatively lame attack which was easily mitigated by Monday morning, when access to the site actually had some value. For anyone who’s taken one of my classes, you know I’m fond of saying “Its OK to accept risk provided its an informed decision”. I can see someone making a business decision that it was better to get it working by Monday morning than to spend time, resources and tax dollars on recovering the site during a time period when it would see little use.

So it remains to be seen if TIC will make the DDoS problem better or worse. What would certainly help is a good SLA written into the contract requiring the ISP to respond to these types of attacks.

May the bits be with you,

C

No comments »

Posted in 4-notice, Network Security

Tags: