I had major hardware problems earlier this week which completely destroyed my main system. CPUs, hard drive, video card, motherboard, all toast. The only thing I could save from the system was the CD and DVD-RW drives. Luckily, everything that was really important to me was backed up on another computer. On the other hand, I’m sure that I’ll find that there’s a document on the old hard drive that I’m really, really going to need some day.
Since I’m rebuilding the system, I have a question: What are the first programs you install on a new system when you build it? This question was raised on Slashdot earlier this week, but I’m wondering what other security professionals put on their computers first thing.
Here’s what I installed, pretty much in order:
OS: Win2k Server
Video drivers (Nvidia): I can’t stand working at 640×480, and my systems are behind a couple of firewalls, so I wasn’t worried about instant infection from the internet.
Patch, patch, patch the OS.
GRISoft AVG AntiVirus
City of Heroes (I admit it, I have always secretly wanted to be a super-hero, and this game is about as close to it as I’ll ever come.)
I haven’t heard of any active viruses out there using the latest SSL vulnerability in IIS, but there is an exploit tool, and it is apparently being used. Microsoft is taking this one seriously, to the point that they are calling people directly to tell them to patch. Or at least that’s what one comment I received says. I’ve never heard of Microsoft calling an admin to patch their systems, but there’s a first for everything. I’m not sure if I like that. If they start emailing patches to people, I’ll be really concerned; I’ve always told my users to delete any email coming from Microsoft with attachments, since MS doesn’t do that. Oh well, I’ll burn that bridge when I come to it.
One of the (many) mailing lists I subscribe to is the Snort Signature list. Yesterday a signature for the SSL exploit was posted, by … I’m not sure who; the email is replied and forwarded, making identification difficult. If this is your Snort signature, let me know and I’ll post the credit. In any case, here’s the signature, which I haven’t tested yet. Your mileage may vary. If you have a better or different signature, let me know.
alert tcp any any -> $HOME_NET 443 (msg:"MS04-011 SSL exploit (THCIISSLame by Johnny Cyberpunk)"; sid:900034; content:"|54 48 43 4F 57 4E 5A 49 49 53 21 32 5E BE 98|"; within:36;)
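To sanity-check what the rule above actually matches, here is an added Python example (not from the post or the Snort list) that decodes the rule's |hex| content into bytes and runs it against constructed sample payloads. It assumes the lone within:36 is meant as "the pattern must end inside the first 36 payload bytes" (in Snort, within normally modifies a preceding content match, so that reading is an assumption).

```python
import re
from typing import Optional

# The Snort rule quoted above, with ASCII quotes.
RULE = ('alert tcp any any -> $HOME_NET 443 (msg:"MS04-011 SSL exploit (THCIISSLame by Johnny Cyberpunk)"; '
        'sid:900034; content:"|54 48 43 4F 57 4E 5A 49 49 53 21 32 5E BE 98|"; within:36;)')

def parse_content(rule: str) -> bytes:
    """Return the first content:"..." value as raw bytes, decoding Snort's |hex hex| notation."""
    m = re.search(r'content:"([^"]*)"', rule)
    if m is None:
        raise ValueError("rule has no content keyword")
    out = bytearray()
    # re.split with a capturing group keeps the |...| pieces alongside the literal text between them
    for piece in re.split(r'(\|[^|]*\|)', m.group(1)):
        if piece.startswith('|') and piece.endswith('|'):
            out += bytes.fromhex(piece[1:-1])
        elif piece:
            out += piece.encode('latin-1')
    return bytes(out)

def parse_within(rule: str) -> Optional[int]:
    m = re.search(r'within:\s*(\d+)', rule)
    return int(m.group(1)) if m else None

def rule_matches(payload: bytes, rule: str = RULE) -> bool:
    """Assumption: with no earlier content to anchor to, within:N is read as
    'the pattern must end within the first N bytes of the TCP payload'."""
    pattern, limit = parse_content(rule), parse_within(rule)
    idx = payload.find(pattern)
    if idx < 0:
        return False
    return limit is None or idx + len(pattern) <= limit

# Constructed sample payloads (not real captures): the marker string near the start of a
# record, the same marker too deep to satisfy within:36, and the start of an ordinary TLS ClientHello.
MARKER = parse_content(RULE)
EARLY_HIT = b"\x80\x00" + b"\x00" * 8 + MARKER + b"\x41" * 40
LATE_HIT = b"\x00" * 30 + MARKER
BENIGN = bytes.fromhex("160301002a010000260301") + b"\x00" * 40
```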
K-OTik : Microsoft IIS 5.0 SSL Remote buffer overflow Exploit (MS04-011)
Here is the exploit code for Microsoft IIS 5.0 SSL Remote buffer Overflow.
There are rumors that there will be an exploit and/or worm released this afternoon. Yay, just what we need to kick off the weekend, a new worm!
This is why I’m using an apache server.
4030: TCP Reset Spoofing
It took me several minutes to find the link to the actual presentation. It’s down near the bottom of the links listed as Generic Informational URL. Or you could just follow this link.
If you hadn’t already guessed, I’m following this issue pretty closely. The reaction to this has been very interesting to watch, and I think the security community can learn from how this was handled. There were some mistakes made, for example the vulnerability information was leaked 3 days early (Paul Watson on The ScreenSavers). But, overall, the security community has handled the vulnerability with calm alacrity. Some reporters tried to blow the issue out of proportion, but the bells tolling the death of the Internet were kept to a minimum.
And, for once, Microsoft was not to blame.
First, here are a couple more links to information about the TCP vulnerability.
From the joatBlog: TCP RST. His views on the vulnerability reflect my own. Be aware, and be prepared.
And from Dana Epps: New TCP Flaw Found – Reset Attacks around the corner?
And now news from the Dark Side:
A proof of concept tool for attacking the TCP vulnerability: TCP Connection Reset Remote Windows 2K/XP Attack Tool Source Code. The first virus with this as an embedded part of the code can’t be that far off. Or at least a script kiddie tool.
Here’s a link to an article from SearchSecurity.com on the nature of the TCP vulnerability disclosed earlier this week. The article has several good links directly to the sources of information on the vulnerability and how to defend against it. It presents the vulnerability as another reason to be cautious, but urges us not to panic.
I agree with this point of view. We need to be aware of the vulnerability and take appropriate steps to mitigate the problem. The solution to the vulnerability is simple: a minor configuration change to enable MD5 signatures on BGP traffic. What worries me is that this now becomes another configuration line we have to remember to add to each and every edge router from now on. Another entry in the ‘Best Practices’ manual. This stuff continues to build up.
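The configuration change referred to above turns on the TCP MD5 signature option (RFC 2385) on each BGP session. As an added illustration (not from the article or this post), this Python example computes and verifies that signature for a constructed BGP session and shows why a forged reset without the shared key is dropped even when its sequence number is in-window. The addresses, ports and key are made-up sample values.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6
FLAG_RST = 0x04
MD5_OPT_WIRE_LEN = 20  # kind 19, length 18, 16-byte digest, plus two NOPs of padding

def tcp_md5_digest(seg: dict, key: bytes) -> bytes:
    """RFC 2385 digest: MD5 over the IPv4 pseudo-header, the 20-byte TCP header with
    options omitted and checksum zeroed, the segment data, and finally the shared key."""
    data = seg.get("data", b"")
    seg_len = 20 + MD5_OPT_WIRE_LEN + len(data)  # pseudo-header length covers header, options and data
    pseudo = (IPv4Address(seg["src"]).packed + IPv4Address(seg["dst"]).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    doff = (20 + MD5_OPT_WIRE_LEN) // 4  # data offset in 32-bit words
    header = struct.pack("!HHIIBBHHH", seg["sport"], seg["dport"], seg["seq"], seg["ack"],
                         doff << 4, seg["flags"], seg["window"], 0, 0)
    return hashlib.md5(pseudo + header + data + key).digest()

def accept_segment(seg: dict, key: bytes) -> bool:
    """Receiver side: on a session configured with a key, a segment is accepted only if it
    carries a signature and that signature matches; an unsigned segment is dropped."""
    sig = seg.get("md5")
    if sig is None:
        return False
    return hmac.compare_digest(sig, tcp_md5_digest(seg, key))

# Constructed sample session (documentation addresses, made-up key): a BGP peer sending a RST.
KEY = b"bgp-peer-secret"
BASE = dict(src="192.0.2.1", dst="198.51.100.1", sport=179, dport=33000,
            seq=0x10000000, ack=0x20000000, flags=FLAG_RST, window=16384, data=b"")

def legit_reset() -> dict:
    """The real peer holds the key, so its RST verifies."""
    seg = dict(BASE)
    seg["md5"] = tcp_md5_digest(seg, KEY)
    return seg

def forged_reset(guessed_seq: int, guessed_key: bytes = b"") -> dict:
    """An off-path sender can forge addresses, ports and an in-window sequence number,
    but without the key it can only send the segment unsigned or signed with a wrong key."""
    seg = dict(BASE, seq=guessed_seq)
    if guessed_key:
        seg["md5"] = tcp_md5_digest(seg, guessed_key)
    return seg
```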
Someone, somewhere, soon is going to get hit on this one, hopefully not in too harmful of a way. I hope most companies are taking the time to defend themselves now, before the automated tools hit the mainstream. We don’t need to panic, but we need to be aware that the script kiddie tools will come out and we need to be protected before they do. How’s the saying go? “Plan for the worst, hope for the best.”
I’ve included the full text of the article in the extended entry to preserve the links. Please refer to the original article if you’re going to do any linking.
US-CERT Cyber Security Tip ST04-007 — Reducing Spam
I think this article is a case of too little, too late, but I’m glad to see it anyways. I just set up an email account for my wife, and I think I’ll see if I can get her to read this.
Well, my DNS issues brought to light one thing for me: I need to perform a configuration review of some of the more vital portions of my web server. I found a number of minor errors and exclusions in the named.conf file, and I still have problems with one or two services starting correctly after a reboot. Soon it will be time for a complete review of the system.
That would be nice, but now is the time for reality to interfere. I have two small, wonderful bundles of energy that live with me and take up quite a bit of my time. While I could do the review simply and quickly in a perfect world, the truth is, I will probably have to do a lot of relearning to see why I did some things the way I did in the first place. It’s hard to get any significant time alone in my house, so I’ll have to do both the review and relearning in small chunks.
So, for the next little while I will be tweaking stuff behind the scenes to make sure that it’s working to the best of my ability. I may break some features, but that will hopefully be a temporary condition. But I’m doing this in order to forego more serious issues in the future.
I had some DNS issues this weekend. A lot of minor config changes and one reboot later, everything seems to be up and running again. Don’t know exactly what happened, but named was refusing to run for more than 5 minutes at a time. I’ll keep digging.
Employment Digest: Want a job? Interview well.
I like this article because it attempts to make us aware of some of the negative habits we may be displaying. It made me think about my last telephone interview, and some of the mistakes I made. One was blanking on some aspects of the OSI model, another was just having a bad day. I think I’ll see if I can reschedule future phone interviews, rather than just taking the call and being caught flat-footed.
Speaking of which, I read an article somewhere last week that suggested writing yourself a list of answers for some of the more commonly asked interview questions. I’ve started doing this a little, and I’d like to know: what are some of the more common interview questions you have trouble dealing with? I’ll share the questions, and probably my own answers, in a later blog entry.