Last week in Infosec - 2008-10-06
A snapshot of topics of personal interest that have been talked about in the IT Security realm over the past week.
NOTE: I have changed the name of this weekly post from “this week in infosec” to “last week in infosec” to capture the obscenely obvious.
NOTE 2: Last two weeks have been crushingly busy. Will try to catch up this coming week, but have doubts about my capability :)
Threats/Countermeasures
New core networking vulnerability in TCP on the horizon
Thought things were over when Kaminsky’s bug got fixed? Guess again.
From Rich Mogul’s Securosis blog: Massive TCP Flaw Looming (selected quotes)
Basically, it’s a massive unpatched denial of service attack that can take down nearly anything that uses TCP, in some cases forcing remote systems to reboot or potentially causing local damage. Codified in a tool called “Sockstress”, Robert E. Lee and Jack C. Louis seem to be having trouble getting the infrastructure vendors to pay attention.
From what Robert told me, supported by the articles, this tool allows an attacker to basically take down anything they want from nearly anywhere (like a home connection).
Rich points to other material:
Dark Reading Room: New DOS Attack Is a Killer
SearchSecurity: New attacks reveal fundamental problems with TCP
Rich followed up with a post on October 3: Why The TCP Attack Is Likely Bad, But Not That Bad - again, quoting selectively:
Here’s what I think you need to know:
1. It is almost certainly real.
2. Using this technique, an attacker with very few resources can lock up the TCP stack of the target system, potentially draining other resources, and maybe even forcing a reboot (Could this trash a host OS? We don’t know yet.).
3. Anything that accepts TCP connections is vulnerable. I believe that means passive sniffing/routing is safe.
4. The attack is obvious and traceable. Since we are using TCP and creating open connections (not UDP) it means spoofing/anonymous attacks don’t seem possible.
5. Thus, I’d be more worried about a botnet that floods your upstream provider than this targeted attack.
6. This is the kind of thing we should be able to filter, once our defenses are updated.
Countermeasures -
None at the moment - prayer might be a good start. From the SearchSecurity article:
“The best advice I have right now is don’t allow anonymous connections. Make whitelist so only certain IP addresses can come in,” Lee said, acknowledging the impracticality of that for a Web server or mail server or virtually any other TCP-enabled device. “There’s no real workaround right now.”
Verizon - Security FAIL
From BugTraq:
Verizon FIOS (and DSL?) wireless access point insecure default WEP key
By default, the 40-bit WEP key for the wireless router provided by
Verizon to FiOS (fiber optic) and possibly DSL customers is set to the
last 40 bits of the router’s 48-bit MAC address. This is significant
because the router’s MAC address (the MAC address of it’s WAN-side
ethernet port) is easily discoverable using kismet without even
needing to know the WEP key.
When I got my FIOS, I was excited to see that they at least had WEB enabled by default.
Because I don’t trust any wireless connection, I didn’t even bother looking too closely at the default WEP key. The built-in firewall is enabled, and it seemed much better of a default configuration than I expected.
But using the MAC as the WEP key… Uh… FAIL
Countermeasure - Change your WEP key. Do it… 5 minutes…
Yes, you can crack WEP easily, but why make it obscenely obvious. Changing the default at least makes the attacker have to work more than 30 seconds.
Attack Vectors/Trends
Exploiting web trends to serve malware
From ZDNet’s ZeroDay blog post: Cybercriminals syndicating Google Trends keywords to serve malware
In an underground ecosystem that is anything but old fashioned when it comes to abusing legitimate web services, cybecriminals have started exploiting the traffic momentum, and by monitoring the peak traffic for popular search queries using Google’s Trends, are syndicating the keywords in order to acquire the traffic and direct it to malware serving blogs primarily hosted at Windows Live’s Spaces.
One method for distributing malware is getting people to visit your malicious website and then using browser hacks or other tactics to get the user to download and install your app.
This technique takes advantage of popular search terms to seed their malware pages, increasing their relevancy in searches.
Cute.