
SANS ISC InfoSec Handlers Diary Blog



Are All Networks Vulnerable?

Published: 2011-06-27
Last Updated: 2011-06-27 23:10:26 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

One of the assertions made in the wake of the recent run of high-profile attacks was that all networks are vulnerable, and that the groups behind these attacks either had, or could have had, access to many more systems if they wished.

Several articles expanded on this assertion and, using the recent compromises as evidence, treated this as a failure of information security. I would like to question the conclusion that recent attacks prove that all networks are vulnerable, or that these attacks prove a large-scale failure of information security.

First of all, let me state my philosophy of information security: I don't believe it is the goal of information security to prevent every single breach, just as little as it is the goal of a guard at a bank to prevent every single bank heist.

As an information security professional, it should be your goal to mitigate risks to a level that is small enough to be acceptable to the business. It is much more about risk management than about avoiding every single risk.

With that focus on risk management, information security itself becomes a solvable problem.

But back to Lulzsec. What did Lulzsec prove? Lulzsec proved that there are insecure networks. They did not prove that all networks are insecure. Lulzsec took very large targets ("the government", "banks", "on-line gaming") and rattled doors until they found an open one.

How do you protect yourself against that? First of all, you don't. Let's get back to the basics of risk: "the probable frequency and probable magnitude of future loss" [1]. We can address risk in two ways:

- Reduce the probable frequency of a loss

This comes down to reducing your attack surface and hardening the remaining castle. Most organizations suffer from the diffusion of confidential information. The better you are able to compartmentalize and limit access to confidential information, the less likely it is that some of this information will leak. The tricky part, in my opinion, is the labeling or classification of information. This can be difficult and labor intensive, and classifications may also change over time.

- Reduce the probable magnitude of a loss

Limit the information you store to the information the business needs. Consider information a liability, not just an asset. Storing credit card numbers will lead to more purchases, but will it be enough to justify the risk?

In the end, doing business on-line is to a large extent about trust. The difficult part is that trust is asymmetric: trust is much easier lost than gained. Last week, when someone announced that Lulzsec may have compromised UK census data, the overall sentiment was to assume the announcement was true, even though there was no evidence to prove it, and Lulzsec later stated that the claim was wrong.

In the end, it is not your job to prevent every single breach. It is your job to build trust in your systems so that suppliers and customers will use them. A well-written privacy policy, and being open and transparent, may be as important in achieving this trust as the firewall, the IDS and the DLP appliance used to enforce it.

[1] http://www.riskmanagementinsight.com/media/docs/FAIR_introduction.pdf


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute


DNS cache poisoning: still works and still makes lots of damage

Published: 2011-06-27
Last Updated: 2011-06-27 19:19:08 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
5 comment(s)

I was teaching this week at university. It was a pretty normal class until I heard the following from one of my students:

What happened to google?

A couple of seconds later, many people started to make the same complaint, and one minute later nobody had access to Google. I typed the Google URL from my computer and got the following screen:

[Screenshot: Strange google appearance]

The first thing I thought was that Google had suffered an attack. Looking further, I queried for the current Google IP and found the following:

[Screenshot: Changed google IP]

When I looked for the owner of that IP address, ARIN said it was not precisely Google. I performed an nslookup from another domain and got the correct IP address for Google:

[Screenshot: Correct IP address for google]

At this point I found out we were victims of a DNS cache poisoning attack. Since the network admin was not at his office because the class was at night, there was nothing I could do but wait for the DNS cache to expire.

How this attack works and how we can protect ourselves

The DNS process works as follows to resolve an IP address from a fully qualified domain name (FQDN):

  • The client sends a query to the internal DNS server looking for the IP address of a machine name.
  • If the answer is not already in its cache, the internal DNS server performs recursion and looks for the IP address on the internet, asking the authoritative nameserver of the domain.
  • The authoritative nameserver answers with the requested IP address.
  • The internal DNS server returns the IP address to the client (and caches it).

The attack works as follows:

  • The attacker queries the target DNS server for a FQDN not present in its cache.
  • The target DNS server performs recursion and looks for the IP address on the internet from the authoritative nameserver of the domain.
  • The attacker floods the target DNS server with fake responses for the query, trying to get one accepted before the real answer arrives.
  • The target DNS server updates its cache and begins serving the fake IP address every time the FQDN is requested, until the entry expires.

How do we protect ourselves from the attack?

  • Use the latest version of your DNS server (I really like BIND), as it randomizes the source port of your queries.
  • Do not allow recursion from outside of your network. Allow it only from your corporate network computers.
  • Use DNSSEC. The root servers have supported it since July 15, 2010, and the protocol allows valid records from a domain's zone to be authenticated.
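To make the attack steps above and the first protection measure concrete, here is a small simulation added to this diary (it is example code, not the handler's and not BIND's). It models the check a caching resolver performs before accepting an answer it is waiting on: the transaction ID must match, the answer must arrive on the port the query was sent from, and the question must echo the query. It then races a flood of forged answers against that check, once with the fixed source port that older resolvers used and once with a randomized port. The hostname, ports, address and trial counts are constructed for the simulation and carry no meaning beyond it.

```python
# Added example (not from the diary): a toy model of the response-matching
# check a caching resolver performs, used to show why flooding forged
# answers at a resolver works when only the 16-bit transaction ID is
# matched, and how the source-port randomization the diary recommends
# changes the odds. All names, ports and addresses here are constructed.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Outstanding:
    """A query the resolver has sent upstream and is waiting on."""
    txid: int
    src_port: int
    qname: str


@dataclass(frozen=True)
class Response:
    """The fields of an incoming UDP answer that the resolver can check."""
    txid: int
    dst_port: int
    qname: str
    rdata: str  # the A record the answer carries


def accept_response(q: Outstanding, r: Response) -> bool:
    """Only cache an answer that matches the query we actually sent.

    A forger who does not know the transaction ID or the destination port
    cannot produce a response that passes; a resolver that skips either
    check lets the attacker's flood of guesses win the race."""
    return (
        r.txid == q.txid
        and r.dst_port == q.src_port
        and r.qname.lower() == q.qname.lower()
    )


def forge_success_probability(guesses: int, entropy_bits: int) -> float:
    """Probability that at least one of `guesses` uniformly random forged
    responses matches the `entropy_bits` bits the forger must guess."""
    return 1.0 - (1.0 - 2.0 ** -entropy_bits) ** guesses


def simulate_race(randomize_port: bool, guesses: int, rng: random.Random) -> bool:
    """One poisoning attempt: the resolver sends a query and the attacker
    floods `guesses` forged answers before the real one arrives.
    Returns True if any forged answer is accepted."""
    txid = rng.randrange(1 << 16)
    # Old resolvers sent every query from one fixed port (53 here), which the
    # attacker can simply assume; a randomized port must be guessed as well.
    src_port = rng.randrange(1024, 1 << 16) if randomize_port else 53
    q = Outstanding(txid, src_port, "www.example.com")
    for _ in range(guesses):
        guessed_port = rng.randrange(1024, 1 << 16) if randomize_port else 53
        forged = Response(rng.randrange(1 << 16), guessed_port, q.qname, "192.0.2.66")
        if accept_response(q, forged):
            return True
    return False


def compare(trials: int = 30, guesses: int = 20000, seed: int = 1) -> dict:
    """Count how many of `trials` races end with a poisoned cache, with and
    without source-port randomization (seeded so the run is repeatable)."""
    rng = random.Random(seed)
    fixed = sum(simulate_race(False, guesses, rng) for _ in range(trials))
    randomized = sum(simulate_race(True, guesses, rng) for _ in range(trials))
    return {"fixed_port": fixed, "random_port": randomized}


if __name__ == "__main__":
    print("P(forge wins | 16-bit txid only, 65536 guesses):",
          round(forge_success_probability(65536, 16), 3))
    print("P(forge wins | txid + 16-bit port, 65536 guesses):",
          round(forge_success_probability(65536, 32), 6))
    print(compare())
```

With a fixed source port the forger only has to guess the 16-bit transaction ID, and 65536 guesses give roughly a 63% chance of success; with a randomized port the same flood has a chance on the order of one in a hundred thousand, which is the whole effect of the first measure above. The second and third measures are configuration rather than code: in BIND 9 (an assumption about the reader's server, not something the diary states) the corresponding options are `allow-recursion { localnets; localhost; };` to refuse recursion from outside, and `dnssec-validation auto;` to validate signed zones.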

Any other protection measure you want to share with us? Please use our contact form.

Manuel Humberto Santander Peláez | http://manuel.santander.name | http://twitter.com/manuelsantander


Phishy Spam

Published: 2011-06-27
Last Updated: 2011-06-27 04:19:02 UTC
by Kevin Shortt (Version: 1)
6 comment(s)

Lately there has been an increased surge in spam. This past week I've received four messages that impersonate a message from Facebook. The messages are actually a phishing attempt to sell you some drugs. They are very "facebook"-like, and to an unsuspecting email recipient they would likely capture a click-through. I followed the links to find dead pharmacy links. It appears there is a spam campaign to sell meds through phishing emails.

A snapshot of one of the emails is below, and all of the emails had a consistent link inside the email. The links were as follows. The ultimate destinations never loaded and appear to have been removed as of this writing. The pharm URLs were all on the same IP block, so someone has caught up to this batch. Be vigilant and on the lookout for more.

hxxp://hajayanee.com/directories.html             -> hxxp://controlpills.net
hxxp://carrosserieaerni.ch/ascension.html         -> hxxp://medicarerxdrugstore.com
hxxp://mallorcaso.com/postprocessor.html          -> hxxp://pillpillspharmacy.net
hxxp://firstclassmotorsports.com/screeching.html  -> <no response received>

[Screenshot: Phishy Spam email]

Feel free to tell us about any of your phishing spam email.

--
Kevin Shortt
ISC Handler on Duty

Keywords: facebook phish Spam