Security Bytes:

Network Security

Jan 21 2009   5:47PM GMT

Conficker, Downadup worm hype? Get the facts



Posted by: Robert Westervelt
Microsoft Security, Network Security, Information Security Threats, Platform Security


Update 1/23: Microsoft has released a blog post explaining everything you need to know about Conficker/Downadup. The bottom line: Ensure that MS08-067 is installed on all machines in the environment, use up-to-date antivirus, ensure you have strong passwords for user accounts, consider disabling AutoPlay.

——————————————————————-
Security vendors from across the spectrum have warned that a stingy worm has been successfully exploiting a hole in the Microsoft Windows Server service. Known as Conficker or Downadup, the worm spreads by exploiting a remote procedure call (RPC) vulnerability.

The flaw was patched by Microsoft in October. The MS08-067 update was meant to stop the worm in its tracks. Many patching vendors say organizations apparently have been slow to deploy the update.

But that may not be the case. Symantec released data explaining which countries have had the highest worm infection rates. North America does not even rank in the top 10 countries infected by the worm. It has spread in countries where software pirating is rampant. Bootlegged versions of Microsoft Windows won’t receive the latest security updates. Is it a coincidence that the highest infection rates are in China, Russia, Argentina, Taiwan and Brazil (in that order)? China and Russia have been at the top of the list of software pirating countries for years.

So first, don’t panic. If you’re running antivirus and it’s up-to-date, you’re probably fine. Second, ensure that the MS08-067 update has been deployed. If it hasn’t, deploy it and then do a thorough review of your patch management processes. This patch should have been deployed months ago.

In its latest round of updates, Microsoft security experts addressed the spread of the worm and how people can check to see if their machines are infected. Microsoft advises customers to scan the machine with up-to-date antivirus. The worm also blocks access to a large number of security websites listed by Microsoft.

Also, Microsoft said its Malicious Software Removal Tool completely cleans the registry elements related to the worm.

What’s all the fascination among security researchers about Conficker/Downadup? It’s not necessarily who’s infected, but how they are being infected. As Derek Brown, of TippingPoint’s DVLabs, points out, the worm is an example of advanced malicious software coding. Conficker/Downadup can self-propagate by guessing a person’s weak password or it can spread by simply being passed along on someone’s portable storage device. It disables several system services and security products and then signals to its host that it is ready to download additional instructions.
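As an added example (not code from the original post or from Microsoft), here is a read-only PowerShell audit of the four items in the update above, run on the local machine. It assumes the MS08-067 update is identified by hotfix ID KB958644, that AutoPlay is governed by the NoDriveTypeAutoRun policy value, and that the root\SecurityCenter2 AntiVirusProduct class and its productState bit layout are available (that decoding is a common convention, not documented by Microsoft).

```powershell
# Added example: audit the Conficker/Downadup mitigations on the local host.
# Assumptions: MS08-067 = KB958644; AutoPlay policy in NoDriveTypeAutoRun;
# AV status from root\SecurityCenter2 (Vista and later).
$results = @{}

# 1. Is the MS08-067 update installed?
$kb = "KB958644"
$hotfix = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $kb }
$results["MS08-067 ($kb) installed"] = [bool]$hotfix

# 2. Is AutoPlay disabled for all drive types? 0xFF disables every drive type.
$key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
$item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
$results["AutoPlay disabled (NoDriveTypeAutoRun = 0xFF)"] = ($item -ne $null -and $item.NoDriveTypeAutoRun -eq 0xFF)

# 3. Is a registered antivirus product enabled and up to date?
# Assumed productState layout: bit 0x1000 set = enabled, bit 0x10 set = definitions out of date.
$avOk = $false
try {
    $avProducts = Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct -ErrorAction Stop
    foreach ($av in $avProducts) {
        $state = [int]$av.productState
        $enabled = (($state -band 0x1000) -ne 0)
        $upToDate = (($state -band 0x10) -eq 0)
        if ($enabled -and $upToDate) { $avOk = $true }
        "AV product: {0} (enabled={1}, upToDate={2})" -f $av.displayName, $enabled, $upToDate
    }
} catch {
    "SecurityCenter2 not available; check antivirus status manually."
}
$results["Antivirus enabled and up to date"] = $avOk

# 4. Weak-password exposure: minimum password length from the local account policy.
# A threshold of 8 is this example's assumption, not a figure from the post.
$line = net accounts | Select-String "Minimum password length"
$minLen = 0
if ($line) { [int]::TryParse(($line.ToString().Trim() -split "\s+")[-1], [ref]$minLen) | Out-Null }
$results["Minimum password length >= 8 (currently $minLen)"] = ($minLen -ge 8)

# Report: OK where the mitigation is in place, CHECK where it is not.
$results.GetEnumerator() | Sort-Object Name | ForEach-Object {
    "{0,-55} {1}" -f $_.Name, $(if ($_.Value) { "OK" } else { "CHECK" })
}
```

Run it in an elevated PowerShell session so the hotfix list and policy key are readable; a CHECK line points at the item in the update that still needs attention.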

Dec 19 2008   3:59PM GMT

Cable cuts in Mediterranean kill Internet service in Egypt, other countries



Posted by: Dennis Fisher
Network Security

Several undersea cables in the Mediterranean Sea that carry the bulk of Internet traffic between Asia and Europe have been cut, resulting in a massive Internet outage in Egypt and problems in other countries. Early reports are speculating that the cut, which happened Friday morning, may have been the result of an anchor drop. A report on Fibresystems.org said the three cable cuts happened separately, but within a few minutes of one another. The cuts seem to be in the link between Sicily and Tunisia in the Mediterranean.

France Telecom observed today that 3 major underwater cables were cut: “Sea Me We 4” at 7:28am, “Sea Me We3” at 7:33am and FLAG at 8:06am. The causes of the cut, which is located in the Mediterranean between Sicily and Tunisia, on sections linking Sicily to Egypt, remain unclear.

Most of the B to B traffic between Europe and Asia is rerouted through the USA. Traffic from Europe to Algeria and Tunisia is not affected, but traffic from Europe to the Near East and Asia is interrupted to a greater or lesser extent.

There is apparently a work crew on the way to fix the cuts, but it likely will be several days before the repairs are complete.


Dec 1 2008   5:08PM GMT

ICANN transfers EstDomains customers to Directi



Posted by: Dennis Fisher
Network Security, Laws, Investigations and Ethics

After a few delays, ICANN has officially transferred all of the domains that formerly belonged to registrar EstDomains to another registrar in response to EstDomains’ president being convicted of several crimes earlier this year. ICANN, which governs the use of top-level domains and accredits domain registrars, said it is transferring the domains that had belonged to EstDomains over to Directi Internet Solutions. The action comes more than a month after ICANN originally notified EstDomains of its decision to de-accredit the registrar, which is based in Estonia. The company has been linked to a number of malware distributors and has been a target of security researchers and antispam activists for years.

EstDomains was informed on 28 October 2008 that ICANN was terminating the company’s accreditation due to its president’s conviction for credit card fraud, money laundering and document forgery. ICANN stayed that termination following correspondence with EstDomains. However, after further investigation, ICANN decided to go ahead with the termination, effective yesterday, 24 November 2008.

In accordance with the De-Accredited Registrar Transition Procedure, ICANN put out a request for statements of interest from registrars interested in receiving a bulk transfer of the names formerly managed by EstDomains.

As part of that procedure, EstDomains is permitted to designate a gaining registrar. It chose to use that option and identified ICANN-accredited registrar Directi. ICANN reviewed that request and approved it.

Earlier this year, Directi was implicated as helping to control EstDomains, but that report was later dismissed and Directi and the group that put out the report, HostExploit, have been collaborating on actions to try and stop domain registry abuse.


Oct 7 2008   11:13AM GMT

Can Kaminsky prevent partial disclosure?



Posted by: Dennis Fisher
Network Security, Information Security Threats

The past few months have seen a lot of activity around some really serious Internet-level vulnerabilities, starting with the problems in the DNS system that Dan Kaminsky found, and continuing with the clickjacking attacks from Robert Hansen and Jeremiah Grossman, and the recent news of new DoS attacks on the TCP stack by Robert E. Lee and Jack C. Louis. Each of these problems got a lot of attention in the press and in the vendor and research communities, and rightly so. They’re all serious problems. But they all have one other thing in common: They were all the subjects of so-called partial disclosure efforts. In each case, some details of the vulnerability were released, and then the researchers involved said that the problems were too serious to discuss fully until patches, workarounds or other fixes were available.

This disclosure model — whether it’s intentional or accidental — is clearly not the optimal way to handle new vulnerabilities.  Ideally, a researcher finds a bug, tells the affected vendors, who then produce patches in a timely manner and the details come out later. Everyone lives happily ever after. But it doesn’t always work that way. Sometimes word of the bug leaks out (Kaminsky’s DNS flaw), and sometimes the researchers deliberately reveal some details of the bug for one reason or another (clickjacking and the TCP DoS attacks). Either way, the result is often that the small bits of information available drive speculation and doomsaying, which in turn bring out the people who say this bug is: A. Nothing new; B. Not as serious as it sounds; or C. Both. Sometimes, that turns out to be the case. But other times, as in the case of the DNS flaw, the problem was not only new, but also extremely serious. But either way, the partial disclosure mode of operation exposes everyone involved to charges of fear-mongering and publicity seeking.

Now, Kaminsky is trying to halt this nascent trend by setting up a tribunal of trusted security experts – such as himself — to whom researchers can show details of bugs that they consider to be potential Internet-killers under the cover of a non-disclosure agreement. What they’ll do with the details and how they’ll disclose them if they deem the bug to be an Internet-killer isn’t clear. Here’s what Kaminsky says about his idea:

Members of this council will have to have publicly presented work in the subject area that is under consideration. I’ve spoken to a decent number of people, and everyone is somewhere between very pissed and legitimately afraid of a flood of unjustified partial disclosures.

Faced with an unending stream of “is the Internet dead yet?” Slashdot posts, everyone I’ve spoken to appears fully on board with providing an honest judgement regarding the legitimacy of findings.

Now, I expect we will reject, out of hand, almost all claims. But we will do so, with the full technical argument brought by the finder, rather than presumptions based on old flaws. Attacking the strawmen implied by partial disclosure is a losing scenario for literally everyone involved.

This is an interesting idea, especially given that it comes from Kaminsky himself, who has fallen on his sword repeatedly in the last few months for talking publicly about the DNS bug without having had anyone else in the security community review the details. (He eventually did give the details to Tom Ptacek and Dino Dai Zovi, who vouched for the seriousness of the vulnerability.) Dan’s rationale is mostly sound. He says that unless some kind of independent authority is set up to verify the claims of researchers who say they’ve found killer bugs, inevitably someone will game the system and simply do the following: claim to have a monster flaw, dole out a few juicy details to the press, then sit back while admins panic and rush off to buy security gear from the researcher’s company to fix the imaginary (or semi-real) problem.

Dan is exactly right in saying this scenario is a very real possibility. I’ve been writing about security for about eight years and I know a lot of the researchers and industry executives and other players well. I understand the technology pretty well, but I’m not an engineer or a computer scientist, so I rely on the people I talk to for explanations and context. So it’s certainly not out of the realm of possibility that a researcher could take me or any other reporter for a ride with a description of a fictional bug or attack. That’s why I check these stories with experts I know and trust. That’s the best defense.

But there’s another factor in play that I think militates against what Dan is worried about, and that’s the fact that any researcher pulling that kind of stunt has far more to lose than he does to gain. Let’s use Dan as an example. He has spent a lot of years building up his reputation in the security community, and people tend to take what he has to say on certain issues seriously. So if he uses that credibility in order to hype some bug that turns out to be insignificant or even imaginary, any short-term gain he would’ve gotten from the publicity would be completely wiped out by the resulting backlash. For someone who is always in the news anyway, the way that Dan is, there’s no percentage in that play. And even for an unknown researcher looking to make a name for himself, the negatives far outweigh the positives in that equation.

I agree with Dan’s premise that partial disclosure is counterproductive in most cases, but I’m not sold on the idea of a Justice League of the Internet parceling out information as it sees fit. One of the reasons why things work relatively well right now is that the specter of public embarrassment for falsely hyping a bug looms large. And that’s not likely to change anytime soon.


Sep 29 2008   4:42PM GMT

Penetration testing without the penetration



Posted by: Dennis Fisher
Network Security, Application Security

When the subject of penetration testing and security assessments comes up, it usually conjures thoughts of highly skilled consultants deploying an array of custom tools to gather information on a target network and look for potential weak spots. But there are a number of guys out there doing these assessments who are using less-technical methods and putting the Web’s seemingly boundless stores of information to use instead. Chris Gates is one of those guys, and he gave a fascinating talk on his methods at ToorCon over the weekend, telling the audience that tools like Maltego and Metagoofil can be invaluable in gathering data on a target network.

Maltego, which finds, organizes and displays information on specific networks and reveals the relationships among companies and individual people, can be a tremendous resource, he said. “I can start with mail servers and name servers and get all the domains on those servers and then move onto netblocks,” he said.

Gates also said that programs such as email harvesters can be great sources of information on a company’s employees, as can social networking sites such as LinkedIn, Facebook and MySpace. That’s not a huge revelation, but using information gathered on those sites in conjunction with the other tools Gates talked about can lead to major caches of data on specific employees or companies in general, all of which can then be leveraged to glean more information.

Also, be sure to check out the photos of ToorCon I took this weekend.


Sep 28 2008   2:43PM GMT

UCSniff, new VoIP tool, allows sniffing of specific traffic



Posted by: Dennis Fisher
Security, Network Security, Information Security Threats

After years of hype and mostly unfulfilled promise, VoIP has begun making some headway in large enterprises. A lot of IT managers are attracted by the technology’s potential to help them save money through lower phone bills and converged services. And don’t think that the attackers haven’t noticed VoIP’s emergence. At the ToorCon conference in San Diego this weekend, Jason Ostrom, a security researcher with Sipera VIPER Lab, gave a talk that featured several tools he’s built, including VoIP Hopper, that can be used to test the security of VoIP deployments and look for potential attack vectors.

Ostrom talked about a new tool he’s developed, called UCSniff, that enables a user to monitor VoIP traffic on a network in several different ways. The most interesting and potentially useful function of UCSniff is its ability to sniff all of the conversations on a particular extension. It also can be set to passively monitor all of the VoIP traffic on a network and learn the interactions among devices, discovering which extensions belong to whom. Then, once that mapping is accomplished, the user can identify which devices he’s interested in monitoring and target those specifically.

Ostrom said he plans to port UCSniff to Windows in the near future and that it will also soon include support for the H.323 standard. Much of the threat to VoIP networks at this point has come from various denial-of-service attacks, but security experts for years have been warning that the nature of IP phones and the ways in which VoIP networks are set up could make them susceptible to traffic-sniffing attacks like the ones that Ostrom described.

Ostrom and some of his coworkers also have developed a third tool, called XTest, which can test VoIP infrastructures for security problems. XTest is designed specifically to audit wired 802.1x implementations, and can check the strength of the passwords used in these implementations through an offline EAP-MD5 dictionary attack against the password file.


Aug 6 2008   6:28PM GMT

Fyodor meets his fans at Black Hat; unveils Worldscan



Posted by: Michael S. Mimoso
Network Security

No one’s going to confuse Nmap creator Fyodor with Wayne Newton, but here in Vegas at Black Hat, Fyodor is definitely a cult hero to the blue hairs. Only thing is, these blue hairs are a bunch of 20-something coding geeks who turned out en masse today to get a glimpse of the man who developed the de facto network scanner.

Fyodor tore back the curtain on his Worldscan project this morning, a modestly ambitious project to scan tens of millions of IP addresses on the Internet, all in the name of enhanced functionality and effectiveness for Nmap and resolution of bugs in the tool.

Funny thing is, it almost didn’t happen.

As soon as Fyodor turned his version of Nmap on steroids loose on the Net, his phone was ringing with more than a few concerned sysadmins at his local ISP on the other end of the line. Watching Fyodor scan thousands of hosts per second, they thought a superworm was on the loose.

“No. I’m not infected. I’m doing it on purpose,” he had to tell them. Lucky for him, once Fyodor explained who he was and what he was doing, the ISP sysadmins fell in line quickly. Turns out, they’re part of the blue-haired cult of Fyodor too.

“Once I told them I was doing the scans to ultimately make Nmap faster, they said ‘Carry on!’” Fyodor said. “I had to slow it down a bit so I wouldn’t melt their switches. I don’t want to get kicked off my ISP — again.”


Aug 4 2008   10:46AM GMT

Juniper Networks announces new UAC



Posted by: Neil Roiter
Security Vendor News, Network Security

Network infrastructure vendors can help differentiate themselves in the security market with tight integration of their network and security products. Managing my firewalls, intrusion detection/prevention, network access control (NAC), etc., together with my routers and switches is an inducement to make my network provider a one-stop shop for security products as well.

Today, Juniper Networks Inc. announced centralized management for its security portfolio, which it has been building through acquisitions in recent years, and for its J-Series routers and EX-series switches. On the security side, Network and Security Manager (NSM), formerly Netscreen-Security Manager, encompasses Secure Access SSL VPN, Juniper’s various firewall/VPN and intrusion detection/prevention appliances, and the latest version of its NAC product, Unified Access Control 2.2, also announced today.

“Our goal in the enterprise space is to walk in as a portfolio player,” said Sanjay Kapoor, senior director of product management for Juniper’s Network Management Group. “If you are deploying an overall portfolio of security, access, routers and switches, you should have, functionally, a single configuration system and a single monitoring system from Juniper — all appliance based.”

With the new Unified Access Control (UAC) release, Juniper also announced two Infranet Controller appliances. The 4500 appliances for mid-sized to large enterprises support up to 5,000 simultaneous endpoint devices; the 6500 appliances for large multinational enterprise deployments support up to 20,000 simultaneous devices (30,000 in a cluster). Current Infranet Inc. appliances can be upgraded to UAC 2.2 to take advantage of the new NSM.

Underlying the unified management structure is the XML-based Device Management Interface, based on the Netconf network configuration standard. This establishes a standard configuration scheme for all Juniper devices (WAN optimization is on the roadmap), and will make it easier for Juniper to integrate future acquisitions without modifying the NSM platform.

NSM provides partitioned management, so different groups, say security and network ops in SOCs and NOCs, can use it without deploying multiple instances of the same system.


Jul 29 2008   10:58AM GMT

Symantec upgrades NAC with better guest user integration



Posted by: Neil Roiter
Security Vendor News, Network Security

The latest upgrade to Symantec Network Access Control (SNAC) significantly improves management of guest users, a prime driver in the NAC market and not a strong suit for Symantec Corp. until now.

“Network-based vendors tend to focus on guest users and unmanaged devices, because that’s where their strength is on the network,” said Patrick Wheeler, Symantec’s senior product manager for endpoint security.

Wheeler said Symantec has always been strong in the managed user area. He said the upgrade gives managed and unmanaged users a single product.

The upgrade allows Symantec NAC customers to centralize policy for both managed and unmanaged users and devices in one place, through Symantec Endpoint Protection Manager. Further, temporary guest client software — dissolvable Java agents — can be issued directly by the Network Access Control Enforcer appliance in gateway or DHCP mode.

Up until now, these guest features were only available in a separate product, Symantec On-Demand Protection for Web Applications. Wheeler said this is serviceable, but requires some integration and two management points.

Symantec customers can have a Web login and RADIUS or Active Directory authentication for guests, as well as a single point of policy control for both managed and unmanaged users.

In addition to guest users, Symantec NAC now supports MAC-based 802.1X authentication for unmanaged devices, such as printers and UPS devices.


Jun 3 2008   8:53AM GMT

Users may be the weakest link, but it’s not their fault



Posted by: Dennis Fisher
Network Security

Security experts and vendor execs are fond of saying that users are always the weak point in any security system. They open malicious emails, visit sketchy Web sites and write down their passwords on sticky notes. And, if you listen to the analysts speaking at the Gartner Security Summit this week in Washington, there’s little chance that set of circumstances is going to get better in the next few years. In fact, it may get worse, as attackers become more adept at finding the gullible souls willing to click on a link promising them pictures of Angelina Jolie.

“Attacks are searching out stupid users, not unpatched machines. Antivirus isn’t helping, because these are targeted attacks and IPS isn’t helping because there’s no signature for it,” said Gartner analyst John Pescatore. “Think about how little progress we’ve made on the arbitrary malware problem in the last 15 years. We’ve made almost no progress. If you don’t have a signature, it gets through to the user. And the user is going to open it.”

That’s all true, of course. Users make bad choices and they’ll continue to do so. But to me, that’s not a technology problem, it’s a people problem. It’s a matter of giving users better information, helping them understand the consequences of their actions and explaining how to avoid malicious content. In today’s environment, there’s no excuse for not having at least a basic security awareness course for every user in your organization who touches a PC. It should be table stakes, but for whatever reason, it’s not. Whether it’s laziness or ignorance or just apathy, many enterprises still don’t give their employees any kind of information on security. If the parade of stolen laptops and lost data tapes doesn’t drive home the importance of this issue, it’s hard to say what will. But right now, the attackers are thanking you for every extra day they get to target untrained employees.