How to Really Fix Your DNS

July 25, 2008

Obviously the first thing everyone should be doing is to apply the patches that the major vendors rolled out, and do it quickly.  It is no longer the time for debate in regard to whether or not you really do need to patch… the answer to that question is quite clear: yes.  Yes, you do. Stop reading this, go to your vendor right now, and get the patches. Then apply them.  This will still be here when you get back…

Unfortunately, the existing patch doesn’t really fix the problem; it just makes it much harder to attack, which is a good thing.  If you still aren’t patched, you obviously didn’t follow my instructions in the first paragraph, so I’ll reiterate: Stop reading this, go to your vendor right now, and get the patches. Then apply them.

The patches that most major vendors rolled out when this vulnerability was announced, albeit with no technical details, primarily revolve around randomizing the source port from which the nameserver makes its queries.  Without this randomization, the only other piece of random information in the DNS packet is the transaction ID, which DNS servers use to correlate queries and replies, and which also helps prevent reply-spoofing attacks by requiring the attacker to guess this value correctly.  Given the randomized-hostname exploitation technique used in this attack, the attacker can force the nameserver to make as many queries as they like, which sets up a birthday-attack scenario for guessing the transaction ID and successfully spoofing the reply.  The transaction ID is 16 bits, giving 65536 possible values (0-65535) within which the attacker has to guess correctly.  With as many attempts as the attacker likes, this can take anywhere from a few seconds to a couple of minutes.  Adding source port randomization to the picture contributes around another 16 bits to the equation (minus source ports already in use, the privileged source port range, etc.), making a correct guess take much longer, but still not impossible.
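As an added example (not from the original post), here is a defender-side check of the point above: given a sample of a resolver's outgoing queries, it measures how much entropy the source port actually adds to the 16-bit transaction ID, and it computes the guess space the text describes for a resolver whose ports are drawn from the unprivileged range. The (port, txid) samples are constructed in the script, and the 1024-65535 port range is an assumption.

```python
import math
import random
from collections import Counter

# Constructed samples of (source_port, txid) pairs as seen on the wire; not real capture data.
_rng = random.Random(2008)
FIXED_PORT_QUERIES = [(53, _rng.randrange(65536)) for _ in range(2000)]
RANDOM_PORT_QUERIES = [(_rng.randrange(1024, 65536), _rng.randrange(65536))
                       for _ in range(2000)]

def shannon_bits(values):
    """Empirical entropy in bits; with n samples it is capped at log2(n),
    so it understates a good generator. Compare to the cap, not to 16."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def search_space_bits(port_low=1024, port_high=65535, txid_bits=16):
    """Bits per spoofed reply the attacker must guess: 16-bit TXID plus
    log2 of the usable source-port range (privileged ports excluded)."""
    return txid_bits + math.log2(port_high - port_low + 1)

def assess_resolver(queries):
    """One source port means the TXID is the only defence; healthy
    randomization shows nearly as many distinct ports as queries."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    distinct = len(set(ports))
    if distinct == 1:
        verdict = "fixed source port: only the 16-bit TXID protects replies"
    elif distinct < 0.5 * len(queries):
        verdict = "weak source port randomization"
    else:
        verdict = "source port randomization looks healthy"
    return {"distinct_ports": distinct, "port_bits": shannon_bits(ports),
            "txid_bits": shannon_bits(txids),
            "sample_cap_bits": math.log2(len(queries)), "verdict": verdict}

if __name__ == "__main__":
    for name, q in (("unpatched", FIXED_PORT_QUERIES),
                    ("patched", RANDOM_PORT_QUERIES)):
        r = assess_resolver(q)
        print(f"{name}: {r['distinct_ports']} ports, "
              f"{r['port_bits']:.2f}/{r['sample_cap_bits']:.2f} bits, {r['verdict']}")
    print(f"guess space with ports 1024-65535: {search_space_bits():.2f} bits")
```

On a real resolver, feed the function (source port, transaction ID) pairs extracted from a packet capture of outbound queries; a fixed-port result means the patch is not in effect.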



The Internet is a Dirty, Dirty Mistress

June 27, 2008

It’s been quite a while since I wrote or updated DFW, the I)ruidic FireWall.  Included with that utility is a default iptables firewall policy which the user can use directly, tweak to their liking, or completely throw away and start over from scratch.  NetFilter (iptables) has come a long way since I was actively working in the firewall space and regularly maintaining the DFW utility, so I thought it high time that I update the firewall policies on my servers to take advantage of some of its newer features, and in doing so update DFW’s default policy with some extra bells and whistles.  The primary goal I wanted to accomplish was to significantly clean up my firewall logs, as the Internet is an extremely dirty and hostile place to connect a computer to.  Regularly my logs would be full of default drop log entries for entire port-scans, the same worm-infected hosts connecting to the same closed ports over and over and over again, and other general random connection attempts.


Padding the Numbers: Vulnerability Duplication

June 26, 2008

Recently the OSVDB Blog had an interesting article regarding vulnerability duplication via the “hazard of 0day”, wherein a vulnerability being exploited in the wild was mistaken for a new vulnerability when in fact it was not.  This caused many of the vulnerability database vendors to issue new IDs, send out threat warnings, bring in the livestock from the impending storm, and so forth.  The resulting fallout from the realization that it was in fact not a new vulnerability ranged from one vendor’s complete backtrack and removal of the vulnerability from their database to another vendor’s nearly ignoring the mistake altogether.

While this is definitely a serious problem, resulting in various degrees of erroneous or duplicated vulnerability information, it’s not nearly as bad as the real topic of this post, intentional vulnerability duplication.


MS08-033 AVI/MJPG Vulnerability

June 17, 2008

Since last Tuesday (Microsoft Patch Tuesday), I’ve taken a break from coding Application Protocol Simulators (the hot-button item at BreakingPoint right now) and worked on the Security side of the product. I’ve spent almost exactly one week working on a Strike-set for the MS08-033 AVI/MJPG vulnerability.  The Strike-set includes 8 Strikes, all of which generate dynamic, randomized, malicious AVI files to attack and trigger the vulnerability. If you’re into vulnerability exploitation technology, you should check out the details over at my employer’s blog.

CSI-SX 2008

April 30, 2008

CSI-SX is the new branding for the CSI NetSec conference, which is co-located with Interop Las Vegas, and is essentially the security-focused portion of the overall conference. As with the annual CSI conference, this conference targets a different demographic than I’m used to speaking for, as the attendance is usually comprised of very large enterprise and government employees, and I usually speak at conferences targeted at the research and hacker communities.

The night before the first day of conference sessions a speaker reception was held which I attended. I met a number of people from the conference staff whom I had not met before as well as a few of the other speakers. Surprisingly I was well-received by this crowd, even with my spiked green hair, which I’m sure they don’t see a lot of at this type of conference.

Below are my thoughts on the couple of talks I was able to attend.


ToorCon Seattle 2008

April 22, 2008

The ToorCon organization puts on some of the best conferences in my opinion, and this last weekend was version 1.0 of their Seattle conference (beta was last year, which I also attended). Friday night was entirely 5-minute lightning talks and then Saturday was entirely 20-minute turbo talks. Sunday was workshops, which unfortunately I could not attend since I had to fly back to Austin mid-day. Last year was invite only and if you were there last year you received a coupon code for a discounted rate this year ($300), otherwise it was a little expensive to attend ($1000). Overall there were a number of excellent speakers with excellent content.

Due to the sheer number of talks (and I did see all of them), I’ll only cover the ones I found most interesting below:


Context-keyed Payload Encoding Whitepaper

January 28, 2008

Today, my research paper entitled “Context-keyed Payload Encoding” was published in Uninformed Journal vol. 9. If you’re into cutting-edge exploitation technology, you should check it out. This is the research I presented at ToorCon 9 last October.

Metroid Security Mechanism

November 16, 2007

Having recently played most of the way through Metroid Prime 3: Corruption, I came across an interesting security mechanism in the game that I haven’t really seen paralleled in the real world…



November 13, 2007

My second Microsoft Patch Tuesday at the new employer was fairly uneventful. This Tuesday there was only one patch rated critical, MS07-061, and as it turns out it was the bug that I had already worked on last week. Essentially all I had to do was update my strikes from last week with the new reference and rename them, and our team was essentially done. You can read the details about the patched vulnerability over at the BreakingPoint blog.

CSI 2007

November 8, 2007

CSI 2007 was the first time I’ve ever attended a CSI conference. I was actually a CSI member way back in the day when I was running my own consulting firm and needed as many business development avenues to explore as possible, but after closing my consultancy and going back to work for The Man(tm) I didn’t keep up my membership as I really wasn’t getting much out of the organization at that point. For some reason I had never attended any of their conferences. The CSI Annual Conference is billed as “The leading management, strategy and policy event for today’s security professionals”, so it’s a very different conference from what I’m used to. While I generally attend the more technical events, this one was targeted at an entirely different demographic. There was a lot of large enterprise and government presence, and I got plenty of scowls as people noticed my green hair, but in the end I believe I won most of them over…

The evening of my talk there was also a Capture the Flag game. Unfortunately I wasn’t aware of this until I ran into Dave Aitel that evening and he told me about it, or I would have had my laptop with me and been prepared to compete. This game was essentially a race through various goals with clues and hints along the way. The guy that won achieved the final goal at just under 2 hours. One potential vulnerability that I pointed out to the event organizers was that most of the information was given away to the audience in the observation room near the start of the competition, and had the competition not been 3 floors underground where there was no cellular signal, I could have easily relayed the information to Dave’s mobile via SMS or AIM or something. Had we had some other form of local wireless communication, cheating would have been trivial. Perhaps next time they’ll not give away so much information at the beginning to the audience…

Below are my thoughts on the couple of talks I was able to attend. Unfortunately I was only there for the one day that I was speaking, and I was too busy preparing to speak and recording a shorter version of my talk to actually attend many of them.