Thursday, 31 July 2008

Hackers attack DNS exploit, ISPs failing to update servers



theregister.co.uk is reporting that many ISPs have still not acted on the now infamous DNS security flaw, and miscreants are actively exploiting the gaping hole in the internet's address lookup system, which can cause millions of web surfers to receive counterfeit pages when they try to access online banking services and other types of websites.

Many laggard internet service providers are reported to be dragging their feet in applying patches that fix the devastating DNS flaw. Dan Kaminsky says more ISPs appear to be getting the message: last week, about 51 per cent of unique name servers tested on his site (see the "check my DNS" button to the right) showed up as vulnerable; now, he says, it's closer to 35 per cent.


Test your own ISP here.

If it still fails then you can always update your settings to use OpenDNS.
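The fix that ISPs are being asked to apply randomizes each query's UDP source port as well as the 16-bit transaction ID, which is what Kaminsky's checker looks at: a resolver whose outbound queries all leave from one fixed port, or from a port number that simply counts up, is still exposed. The following is an added illustration of that assessment, not code from The Register's report or from Kaminsky's test page; the sample (port, transaction ID) pairs are constructed, and the function names are my own.

```python
"""Added example, not code from The Register's report or Kaminsky's test page.

The patch for the flaw randomizes each query's UDP source port in addition to
the 16-bit transaction ID. A resolver can therefore be judged from a handful of
its outbound queries, captured at an authoritative server the tester runs:
a fixed or counting source port means the resolver is still exposed.
Both sample sets below are constructed for illustration.
"""
import math
from collections import Counter

# Constructed samples: (udp_source_port, dns_txid) for eight consecutive queries.
UNPATCHED_SAMPLES = [(32769, 0x1a2b), (32769, 0x1a2c), (32769, 0x1a2d), (32769, 0x1a2e),
                     (32769, 0x1a2f), (32769, 0x1a30), (32769, 0x1a31), (32769, 0x1a32)]
PATCHED_SAMPLES = [(51234, 0x8f31), (11987, 0x02c4), (60011, 0xd7a9), (23456, 0x5b10),
                   (41210, 0xee02), (33301, 0x1f77), (57892, 0xa4c3), (19876, 0x6d18)]


def entropy_bits(values):
    """Shannon entropy of the observed values in bits; at most log2(len(values))."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def is_counting(values):
    """True when every value is exactly one more than the previous (a simple counter)."""
    return all(b - a == 1 for a, b in zip(values, values[1:]))


def assess_resolver(samples):
    """Return a verdict dict for one resolver from its (port, txid) samples."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    findings = []
    if len(set(ports)) == 1:
        findings.append("fixed source port")
    elif is_counting(ports):
        findings.append("sequential source ports")
    if is_counting(txids):
        findings.append("sequential transaction IDs")
    # With n samples the most entropy we can observe is log2(n); well below that
    # means values are being reused, which is exactly what the patch removes.
    if entropy_bits(ports) < math.log2(len(samples)) - 1:
        findings.append("low source-port entropy")
    return {"vulnerable": bool(findings), "findings": findings,
            "port_entropy_bits": round(entropy_bits(ports), 2)}


if __name__ == "__main__":
    for name, samples in (("unpatched", UNPATCHED_SAMPLES), ("patched", PATCHED_SAMPLES)):
        print(name, assess_resolver(samples))
```

Eight samples is enough to catch a fixed or counting port, which is the common failure; a resolver behind a NAT device that rewrites source ports can look unpatched even when the resolver itself is fine, so a failing result is a reason to check the whole path, not only the software version.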


Friday, 16 May 2008

Debian/Ubuntu: Serious OpenSSL/SSH vulnerability

Debian - you can never be sure

Debian - guaranteed entropy

Back in September 2006 a line of code was removed from the Debian-distributed OpenSSL package. The reason? That one line of code was responsible for causing an uninitialized data warning in Valgrind, the Linux-based programming tool used for memory debugging, memory leak detection and profiling; by removing it, the warning went away!

Unfortunately that one line of code also seeded the random number generator used by OpenSSL, so as a result the keyspace used by affected systems went from 2^1024 to about 2^15.

Secure Sockets Layer (SSL), and the newer Transport Layer Security (TLS) are the cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, instant messaging and other data transfers. There are slight differences between SSL and TLS, but they are essentially the same.

The problem is that when creating an encryption key with the affected version of OpenSSH, there are only 32,767 possible outcomes for a given architecture, key size and key type (as opposed to the intended 1.79769 × 10^308), leaving it wide open to attack.

A large majority of Debian and Ubuntu systems are affected. To correct the problem, users need to not only update OpenSSL, but also revoke and replace any cryptographic keys and certificates that were generated on the affected systems. From the Debian security advisory:
Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though.
For most people this affects the SSH server's host key and any public key pairs used for remote SSH authentication. However, it is more of a headache for people with web servers, as any keys or certificates generated on the affected machines for SSL/HTTPS use also need to be revoked and regenerated.
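To make the size of the problem concrete, here is an added toy model, not code from the Debian advisory or from OpenSSL: a generator whose only varying input is the process ID, and a blacklist built by enumerating every fingerprint it can produce, which is how the openssh-blacklist package detected affected keys. The key derivation is a hypothetical stand-in (real keys are not SHA-256 digests of a seed), and the PID range is an assumption matching the 32,767 outcomes quoted above.

```python
"""Added example, not code from the Debian advisory or from OpenSSL.

A toy model of the bug's consequence: when the only entropy the generator sees
is the process ID, every key the system can produce can be enumerated, and a
blacklist of their fingerprints (the approach the Debian openssh-blacklist
package took) detects a weak key instantly. The key derivation is a
hypothetical stand-in: real keys are not SHA-256 digests of a seed.
"""
import hashlib
import os

MAX_PID = 32768  # assumption: PIDs 1..32767, the 32,767 outcomes the post cites


def toy_keygen(pid: int, key_bits: int = 1024) -> bytes:
    """Stand-in for a generator whose state depends only on the PID (assumption).
    Two processes that happen to get the same PID produce the same key."""
    return hashlib.sha256(f"pid={pid};bits={key_bits}".encode()).digest()


def fingerprint(key: bytes) -> str:
    """Short fingerprint, as a blacklist stores those rather than whole keys."""
    return hashlib.sha256(key).hexdigest()[:16]


def build_blacklist(key_bits: int = 1024) -> set:
    """Enumerate every key the broken generator can emit for one key size."""
    return {fingerprint(toy_keygen(pid, key_bits)) for pid in range(1, MAX_PID)}


def is_weak(key: bytes, blacklist: set) -> bool:
    """A key whose fingerprint is in the enumerated set was made by the broken generator."""
    return fingerprint(key) in blacklist


def properly_seeded_keygen() -> bytes:
    """What the fix restores: key material drawn from the OS entropy pool."""
    return os.urandom(32)


if __name__ == "__main__":
    bl = build_blacklist()
    print(f"{len(bl)} possible 1024-bit keys from the broken generator")
    print("weak key detected:", is_weak(toy_keygen(4242), bl))
    print("fresh key flagged:", is_weak(properly_seeded_keygen(), bl))
```

Building the complete blacklist for one key size takes a fraction of a second here, which is the whole point: a keyspace that can be enumerated on a laptop offers no security, and the only remedy is the one the advisory gives, regenerating and reissuing every affected key and certificate rather than just upgrading the package.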

There is a lot to think about here. I have worked with many software developers and have noticed that many have a natural tendency to want to fix and re-engineer things that aren't even broken. (I am guilty of it myself.)

This stems from an engineer's weird desire to make sense of things: taking something apart and putting it back together is a common way to increase familiarity with and understanding of the machine, engine or indeed the code they are working on. But it is hard to restrain the tendency to try and make 'improvements'.

More discussion of the problem here:
Debian OpenSSL Predictable PRNG Toys


Tuesday, 13 May 2008

Security flaw turns Gmail into spam open-relay server

Spam Tin

A recently discovered flaw in Google's very popular email service is capable of turning Gmail into an effective spam machine. According to the Information Security Research Team (INSERT), the flaw allows a spammer to send thousands of bulk e-mails through Google's servers without fear of detection. This attack bypasses both Google's identity fraud protection mechanisms and the current 500-address limit on bulk e-mail.

The worry is not just that the flaw allows spammers to send a potentially unlimited number of messages; it is also that the trust other e-mail providers place in Gmail could exacerbate any potential spam attack.

Spam currently accounts for 95 percent of all e-mail traffic and many e-mail providers have adopted whitelists and blacklists as a first line of defence against the flood. An e-mail from a known spamming domain (or the corresponding IP address block) may be automatically blocked by any given e-mail service, while an e-mail from a trusted, authenticated source such as Gmail is automatically allowed through the gateway.

Most e-mail providers use multi-level filtering services, which might detect that the forged Gmail message is spam, but the message will have cleared a substantial hurdle that would otherwise have stopped it. Messages originating from Google, it seems, are well-regarded by both Yahoo and Hotmail. The INSERT team tested the degree of trust between the three major e-mail providers by sending spam messages to Yahoo and Hotmail from two sources. In the first test, messages were sent from personal systems whose IP addresses had been blacklisted by Yahoo and Hotmail. The second test consisted of sending the exact same message via the Gmail flaw that INSERT discovered.

The difference was significant. E-mail sent to Yahoo and Hotmail from a blacklisted IP didn't even necessarily reach the account's spam box, while forged e-mail sent via Gmail always arrived. That is not to say that trusted-source filtering is bad, but it demonstrates how a security flaw in a single product or service can ripple through an ecosystem.

It is being reported that the flaw is still present at the time of this post.

(credit to the Arstechnica report)


Thursday, 1 May 2008

Secunia PSI - Personal Security Inspector

PSI screen shot

Secunia is a respected Danish computer security service provider; one of their primary missions is to track vulnerabilities in software and provide security tools, primarily for the corporate IT market.

In addition they also provide a free tool (for personal non-corporate use) called PSI - Personal Security Inspector.

PSI addresses a dangerous problem: vulnerabilities in auxiliary and add-on software. Vulnerabilities in the Microsoft Windows operating system and Microsoft Office are tackled by the much improved Microsoft Update system. However, what about all the other installed software which is prone to vulnerabilities? Software like Adobe Acrobat Reader, Flash, the Java VM, media players, compression utilities and third-party browsers, to name but a few.

Most vulnerabilities are triggered by malformed data files distributed across the internet and, unless addressed, can prove a real danger to the regular user. The problem is that despite a lot of these programs having update systems built in, it is easy to miss important updates, and critical patches can be forgotten, leaving your system exposed.

PSI uses a huge database from Secunia to verify your installed software and will indicate if it is insecure and has updates available.

I like to think I keep my software updated, but after running the tool for the first time I was told I was only 92% secure: there were around 15 programs that were running old, insecure versions. A few updates later and I am up to 96%; there are still some programs with known vulnerabilities for which updates are not available, and some whose update process is so confusing and convoluted that updating is next to impossible (not helped by hideously unnavigable support websites. Yes, Adobe/Macromedia, I am looking at you!)

In my scan there were some expected culprits for being out of date, Adobe Flash, Acrobat Reader, QuickTime and RealPlayer, and others I was not aware of, such as VLC, 7-Zip and WinZip. It is easy to have vulnerable software running on your computer. If you are not using anything to keep track of software updates, try PSI; you may be surprised. PSI does a good job of detecting software that needs to be updated, so I heartily recommend it.

There is an on-line version available but the installable client is much more capable. The scanning process is a bit resource intensive, so I would suggest you run it periodically (say once a week) rather than letting it run permanently, which is its default setting.


OpenDNS


Use OpenDNS


My current ISP is VirginMedia, née NTL, née Diamond Cable, and has generally been pretty reliable; what issues I have had with connectivity and browsing have often been DNS related.

Most people have experienced this problem at some time: you type in the website address and hit enter, then there is a long delay before the website appears, or it doesn't appear and instead you get an error message. This is quite often the result of Domain Name System (DNS) problems. DNS is the system where the website's alphanumeric name (e.g. www.virginmedia.com) is converted into the IP address (212.250.162.12); effectively it's an internet phone book.

If that system is slow or fails, either due to server load or connectivity problems, it creates a delay or failure when using the internet. Also, like much of the original infrastructure of the internet, DNS was not originally designed with security in mind, and thus a number of security issues have occurred, such as DNS cache poisoning, which has led to phishing attacks. Because DNS works in the background, the idea behind these attacks is to feed the browser an alternative IP address which redirects it to a spoofed, fake website, either in an attempt to introduce malware or to harvest personal information for ID fraud from the unsuspecting user.

In an attempt to offer a solution to these growing problems of reliability, speed and security, David Ulevitch created OpenDNS in July 2006.

OpenDNS offers DNS resolution for consumers and businesses as an alternative to using their internet service provider's DNS servers. The system comprises servers in strategic locations employing a large cache of domain names; the result is that DNS queries are usually processed much more quickly, increasing page retrieval speed.

Other features of OpenDNS include a phishing filter and typo error correction (for example, typing wikipedia.og instead of wikipedia.org). By collecting a list of malicious sites, OpenDNS blocks access to these sites when a user tries to access them through their service. OpenDNS has also launched Phishtank, where computer users around the world can submit and review suspected phishing sites. OpenDNS can also be configured to limit access to adult related sites. Details of all the features on offer can be found here.

I have switched my network to OpenDNS; full instructions and HowTos are available on the site. It was painless and simple. Browsing does seem quicker, but I haven't used it long enough to really comment on the speed improvements; the ability to view statistics and lots of graphs is enough to convince me, though!


Saturday, 26 April 2008

Doing my duty - Malicious activity detection

Linksys WRT54G
For several years I have been using a Linksys WRT54G V1.1 wireless router with the official firmware, attached to my cable modem. It has a built-in firewall but lacked any proper network intrusion detection system; it did have a rudimentary log which could be accessed via the web-page interface, but that was pretty much useless when trying to look for malicious activity such as denial of service attacks, port scans and attempts to crack into the network via vulnerabilities.

It always worried me as to what attempts were being made to get past the firewall onto my network. Some of my network PCs have software firewalls as a backup and alerts have been almost non-existent, but it still nagged away. Last year I toyed with taking an old PC and creating a Smoothwall firewall, because of the logging and the ability to install Snort, but I really couldn't justify the space and expense of having another PC on 24/7.

As I posted yesterday, I finally got the nerve up to install one of the numerous third-party replacement firmwares for the router, plumping for the Tomato variety!

One of the first things I noticed was the improved logging, which can be sent to an external PC running a monitoring/analysis program. The wikibooks page mentioned the WallWatcher software for Windows, so I downloaded and installed it, configured the router, and lo and behold I was getting information about all those Chinese TCP/IP packets bombarding my router!

I have now signed up and have installed the necessary client software to upload the logs to the SANS Institute Internet Storm Centre's DShield system and to myNetWatchman. These organisations use volunteers who submit their data to help detect problems and analyse threats, creating technical information and alerts for the general public.

The system works by having a network of hundreds or thousands of people from all over the world submitting information from their firewalls and intrusion detection systems about unwanted traffic arriving from the Internet. This data feeds the appropriate database, where analysis looks for abnormal trends and behaviour. In the case of DShield, the resulting analysis is posted to the ISC's main web page, where it can be automatically retrieved by simple scripts or viewed in near real time by any Internet user.

I really feel like I am doing something good, and of course it is fairly geeky! These are the 'attacked' ports from today!

My pie chart
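The per-port summary in the chart above is the kind of thing a short script can pull out of the router's syslog output before the lines go anywhere near WallWatcher or DShield. The following is an added example, not code from Tomato, WallWatcher or DShield: it parses constructed lines in the netfilter/iptables log format that a Linux-based firmware writes to syslog (the DROP/ACCEPT prefix and the vlan1 WAN interface name are assumptions), tallies blocked destination ports, and flags any single source that touched several different ports, which is the port-scan pattern the stock firmware's log could never show.

```python
"""Added example, not code from Tomato, WallWatcher or DShield.

Parses netfilter-style firewall log lines as a Linux router firmware sends them
to syslog, summarises which ports inbound traffic was dropped on, and flags
sources that probed several distinct ports. The log lines are constructed for
illustration; addresses come from the RFC 5737 documentation ranges, and the
"DROP"/"ACCEPT" prefixes and the "vlan1" WAN interface name are assumptions.
"""
import re
from collections import Counter, defaultdict

WAN_INTERFACE = "vlan1"  # assumption: the interface facing the cable modem

# Constructed sample: eight inbound drops plus one outbound accept.
SAMPLE_LOG = """\
Apr 26 09:01:12 tomato kernel: DROP IN=vlan1 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3341 DPT=445 SYN
Apr 26 09:01:13 tomato kernel: DROP IN=vlan1 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3342 DPT=139 SYN
Apr 26 09:02:40 tomato kernel: DROP IN=vlan1 OUT= SRC=198.51.100.22 DST=192.0.2.10 PROTO=TCP SPT=51102 DPT=22 SYN
Apr 26 09:05:03 tomato kernel: DROP IN=vlan1 OUT= SRC=198.51.100.22 DST=192.0.2.10 PROTO=TCP SPT=51103 DPT=22 SYN
Apr 26 09:07:55 tomato kernel: DROP IN=vlan1 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=UDP SPT=1029 DPT=1434
Apr 26 09:10:00 tomato kernel: DROP IN=vlan1 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3343 DPT=135 SYN
Apr 26 09:10:01 tomato kernel: DROP IN=vlan1 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3344 DPT=1433 SYN
Apr 26 09:10:02 tomato kernel: DROP IN=vlan1 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3345 DPT=3389 SYN
Apr 26 09:12:30 tomato kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.5 DST=198.51.100.9 PROTO=TCP SPT=40000 DPT=80 SYN
"""

ACTION_RE = re.compile(r"kernel: (\w+) IN=")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE pairs; flags like SYN have no '='


def parse_line(line):
    """Return a dict for one netfilter log line, or None if it is not one."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    return {"action": m.group(1), "src": fields.get("SRC"), "proto": fields.get("PROTO"),
            "in": fields.get("IN"), "dpt": int(fields["DPT"]) if "DPT" in fields else None}


def inbound_drops(text):
    """Only packets blocked on the WAN side are interesting for this purpose."""
    recs = (parse_line(l) for l in text.splitlines())
    return [r for r in recs if r and r["action"] == "DROP" and r["in"] == WAN_INTERFACE]


def top_ports(records):
    """Counter keyed by (protocol, destination port): the data behind the pie chart."""
    return Counter((r["proto"], r["dpt"]) for r in records if r["dpt"] is not None)


def find_scanners(records, min_ports=4):
    """Sources that hit at least min_ports distinct destination ports."""
    ports_by_src = defaultdict(set)
    for r in records:
        if r["dpt"] is not None:
            ports_by_src[r["src"]].add(r["dpt"])
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


if __name__ == "__main__":
    drops = inbound_drops(SAMPLE_LOG)
    for (proto, port), n in top_ports(drops).most_common():
        print(f"{proto}/{port}: {n}")
    print("probable scanners:", find_scanners(drops))
```

The threshold of four distinct ports is arbitrary; on a home connection a single source hitting 135, 139, 445 and 1433 within seconds is the classic worm-scan signature, whereas repeated hits on 22 from one address are more likely a brute-force attempt, and the two deserve different treatment when reading the reports.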
