Additional Comodo Breach

March 30, 2011

In the wake of last week’s compromise at Comodo, which was used to issue fraudulent certificates, two more breaches have been announced.

Certification Authorities, or CAs, sit at the top of the trust hierarchy for SSL connections. They are the entities that vouch that a certificate claiming to be from Google actually belongs to Google. If a large CA is compromised and certificates can be forged, the entire trust system built into SSL implementations begins to crumble. This is, to put it lightly, a Bad Thing. Revocation alone is a weak remedy, since most clients fail open when a CRL or OCSP responder cannot be reached, which is why the browser vendors shipped updates that explicitly blacklisted the fraudulent certificates rather than relying on revocation checks.

Individual Security

March 29, 2011

Are the days of individual computer security behind us? The president of the Australian Internet Industry Association seems to think so.

While security was once implemented on a per-machine basis, new threats require countermeasures at the network and protocol levels. Nowhere is this more obvious than in hosted applications and other SaaS implementations. Man-in-the-middle attacks, session hijacks, even attacks against “cloud” providers are all beyond the capabilities of an individual user to handle.

Brave new world.


Definition Monday: Network Access Control

March 28, 2011

Welcome to Definition Monday, where we define and explain a common technology or security concept for the benefit of our less experienced readers. This week: Network Access Control.

In an extraordinarily high security environment, it’s possible that only devices personally vetted by the IT team could be connected to a network. Using strict procedures as well as technologies like 802.1X, multifactor authentication, and MAC address port locking, it would be possible to ensure that only a specific set of network devices would be able to pass data.


However, very, very few networks are run with that sort of tight security. In a typical enterprise environment, previously unknown and unvetted clients need to connect all the time. Salesmen or consultants visiting the office will need network resources to work. Student interns might bring their own laptops or palmtops, since few companies will actually issue computers to the unpaid. Employees might want to use an iPad or some other personally owned device in addition to their corporate computer.

So the question becomes this: how do we ensure the security of the network as a whole, including all of the information assets on it, while still being flexible enough to accommodate any random piece of hardware that someone brings in that happens to speak TCP/IP?

Network Access Control.

As the name implies, a Network Access Control (or NAC) system acts as a gatekeeper, controlling client access to network resources. Whether you’re looking at an open source system like PacketFence or a commercial product like Cisco Clean Access or Bradford Campus Manager, the methodology is more or less the same.

When a device is connected to the network, a message is sent to a central database server with the hardware address of the device; this is to determine whether it is something that has been used on the network in the past or an entirely new visitor. Keep in mind that a hardware address is an identifier, not a credential: it is trivial to spoof, so this lookup can decide whether to skip the login prompt for a device the company already owns, but it can never stand in for authentication. If it is a new device, the system will generally ask for user credentials to ensure that the person plugging it in is an authorized user of the network. This is especially important in wireless environments, where clients cannot be assumed to be in a particular geographic area but may be out in a parking lot or on another floor of a shared building.

Once the credentials are authenticated, generally against a central directory via RADIUS or LDAP, the NAC system will evaluate the security posture of the device. This is usually done via a piece of software called an “agent”, which is downloaded to the client machine and executed to gather data. The agent retrieves information like the patch level of the operating system, the presence or absence of items like antivirus software, the networking settings, and so on. That information is relayed back to the NAC, which uses it to define network connection parameters for the new client. Bear in mind that everything the agent reports is self-reported by the very machine being checked; a compromised host can claim to be healthy, so posture checking is a hygiene gate rather than a hard security boundary.

For example, imagine a student intern brings in his home netbook to use on the company network. When he connects, he is prompted for his username and password; this establishes that the item is owned by an intern, not a full time employee, so he may be placed on a VLAN for end users who don’t need access to database servers and other critical infrastructure. The agent then relays that the netbook has antivirus software installed, but the definition file is out of date; this information could be used to put the netbook into a “guest” VLAN with only Internet access, sealed off from company resources. It could even be used to put the device into a “remediation” VLAN that only has access to Windows Update, Symantec, and other web sites that would be useful for getting the machine up to snuff. Once it has been brought up to date, the agent will run again, realize that it is fixed, and reallocate network resources accordingly.

Obviously, the initial deployment of a NAC requires a lot of thought and planning. But with more and more employees wanting to just use their own equipment in the office, a Network Access Control system can save tremendous amounts of time for your IT staff by relieving them of the need to personally evaluate and update each new machine that someone wants to use at work.
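To make the sequence above concrete, here is a toy NAC decision engine written for this post. It is not code from PacketFence, Clean Access, Campus Manager or any other product; the device inventory, VLAN numbers, posture thresholds and the intern’s netbook are all constructed for illustration. The RADIUS attribute names at the end are the standard tunnel attributes a switch expects for dynamic VLAN assignment (RFC 3580), shown in FreeRADIUS-style spelling.

```python
"""Toy NAC decision engine (written for this post, not a product's code):
known-device lookup, credential gate, posture check, and the RADIUS
attributes that push the chosen VLAN to the switch. All data is constructed."""
from dataclasses import dataclass
import re

# Constructed inventory of hardware addresses seen before. A MAC is an
# identifier, not a credential (trivially spoofed), so a hit here only
# decides whether to skip the login prompt, never the posture check.
KNOWN_DEVICES = {"00:1a:2b:3c:4d:5e": "corp-laptop-0042"}

# Constructed VLAN plan matching the post: corporate, end-user, guest, remediation.
VLANS = {"corporate": 10, "end-user": 20, "guest": 30, "remediation": 99}

MAX_DEF_AGE_DAYS = 7     # antivirus definitions older than this fail posture
MAX_PATCH_AGE_DAYS = 30  # OS patch level older than this fails posture


@dataclass
class Posture:
    """What the agent reports. Self-reported: a compromised host can lie,
    so treat this as a hygiene gate, not a security boundary."""
    os_patch_age_days: int
    av_installed: bool
    av_defs_age_days: int
    host_firewall_enabled: bool


def normalize_mac(raw: str) -> str:
    """Switches and agents format MACs differently (00-1A-..., 001a.2b3c.4d5e,
    00:1a:...); canonicalize before the database lookup."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def requires_credentials(raw_mac: str) -> bool:
    """Step 1: hardware we have never seen must present user credentials."""
    return normalize_mac(raw_mac) not in KNOWN_DEVICES


def posture_failures(p: Posture) -> list:
    """Step 3: turn the agent's report into a list of things to fix."""
    failures = []
    if not p.av_installed:
        failures.append("no antivirus installed")
    elif p.av_defs_age_days > MAX_DEF_AGE_DAYS:
        failures.append(f"antivirus definitions {p.av_defs_age_days} days old "
                        f"(max {MAX_DEF_AGE_DAYS})")
    if p.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append(f"OS patches {p.os_patch_age_days} days old "
                        f"(max {MAX_PATCH_AGE_DAYS})")
    if not p.host_firewall_enabled:
        failures.append("host firewall disabled")
    return failures


def decide_vlan(role, posture):
    """Step 4: role (from RADIUS/LDAP) plus posture -> (VLAN name, to-do list).
    role is None when authentication failed or was never attempted."""
    if role is None:
        return "guest", []               # Internet only; no agent, no company resources
    failures = posture_failures(posture)
    if failures:
        return "remediation", failures   # update servers only, then the agent re-checks
    if role == "employee":
        return "corporate", []
    return "end-user", []                # interns and other limited roles


def radius_vlan_attributes(vlan_name: str) -> dict:
    """Dynamic VLAN assignment as the switch expects it in the Access-Accept
    (RFC 3580 tunnel attributes, FreeRADIUS-style names)."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(VLANS[vlan_name]),
    }


if __name__ == "__main__":
    # The intern's netbook from the post: unknown MAC, AV installed but stale.
    mac = "001A.2B3C.4D5F"
    print("prompt for login:", requires_credentials(mac))
    netbook = Posture(os_patch_age_days=3, av_installed=True,
                      av_defs_age_days=21, host_firewall_enabled=True)
    vlan, todo = decide_vlan("intern", netbook)
    print(vlan, todo, radius_vlan_attributes(vlan))
    netbook.av_defs_age_days = 0        # after remediation the agent runs again
    print(decide_vlan("intern", netbook))
```

The policy here sends every failing posture to the remediation VLAN; a real deployment might send guests with failing posture straight to the guest VLAN instead, as the post describes. The point that carries over is the order of the gates: identify, authenticate, assess, then assign.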

Nortel Sells IPv4 Space

March 25, 2011

Nortel, the bankrupt Canadian networking giant, sold off its IPv4 address space this week to raise money to pay its creditors. The addresses sold to Microsoft for $7.5 million, an average of roughly eleven and a half dollars per IP.

As the article says, prices are only likely to go up as the reality of a dual-stack or v6 implementation becomes more apparent.

Lost Business

March 24, 2011

A new study from the Ponemon Institute indicates that nearly half the cost of a data breach is due to lost business, both from current customers and increased cost to acquire new customers. A failure to protect customer data is seen as a major breach of trust from which many companies have trouble recovering.

Rustock Takedown

March 23, 2011

Brian Krebs has done his usual excellent job outlining Microsoft’s takedown of the Rustock botnet. Because of the resiliency of the architecture, a combination of technical and legal maneuvers was employed to seize the botnet’s control structure and render the compromised clients ineffective.

VoIP Encryption Vulnerability

March 22, 2011

It’s a well-known fact that conversations using Voice-over-IP (VoIP) technologies need to be encrypted to ensure privacy; after all, tools like Wireshark offer special modes for reconstructing a phone conversation from a packet capture. But according to this paper (warning: PDF file), encryption might not be enough.

From the paper abstract:

Despite the rapid adoption of Voice over IP (VoIP), its security implications are not yet fully understood. Since VoIP calls may traverse untrusted networks, packets should be encrypted to ensure confidentiality. However, we show that when the audio is encoded using variable bit rate codecs, the lengths of encrypted VoIP packets can be used to identify the phrases spoken within a call. Our results indicate that a passive observer can identify phrases from a standard speech corpus within encrypted calls with an average accuracy of 50%, and with accuracy greater than 90% for some phrases. Clearly, such an attack calls into question the efficacy of current VoIP encryption standards. In addition, we examine the impact of various features of the underlying audio on our performance and discuss methods for mitigation.
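The mechanism in the abstract is easy to see in a few lines, so here is a toy model written for this post; it is not the authors’ code or data. The frame sizes, the three phrase profiles and the captured call are constructed rather than measured from any real codec or speech corpus, and nearest-neighbour dynamic time warping stands in for the profile hidden Markov models the paper actually uses. What it shows is the core point: encryption adds a constant overhead and leaves lengths intact, so a length sequence fingerprints a phrase, and padding every frame to a fixed size collapses those fingerprints.

```python
"""Toy traffic-analysis model of encrypted VBR VoIP (written for this post):
encryption hides the audio but not the size of each packet, and the size
sequence identifies the phrase. Codec sizes and phrases are constructed."""

SRTP_OVERHEAD = 12 + 10   # RTP header + auth tag: constant, so it leaks nothing new
FRAME_MAX = 50            # largest payload the (constructed) codec ever emits

# Constructed VBR "codec output" for three phrases: small frames for silence
# and unvoiced sounds, the maximum for loud voiced sounds. One value per frame.
PHRASE_PROFILES = {
    "transfer the money": [10, 35, 50, 50, 20, 10, 35, 35, 50, 20, 10],
    "call me tomorrow": [50, 50, 20, 10, 10, 35, 50, 35, 20, 20, 10],
    "the meeting is cancelled": [20, 35, 35, 10, 50, 50, 50, 35, 20, 35, 35, 10],
}


def encrypt_lengths(payload_sizes):
    """What the wire shows after SRTP-style encryption: ciphertext is the same
    length as the plaintext frame, plus a constant header and tag."""
    return [s + SRTP_OVERHEAD for s in payload_sizes]


# Constructed capture: "transfer the money" spoken slightly slower than the
# profile (a few frames repeated) with a byte or two of jitter, then encrypted.
OBSERVED_CALL = encrypt_lengths([11, 10, 34, 50, 51, 50, 20, 9, 35, 36, 35, 50, 21, 10])


def dtw_distance(a, b):
    """Dynamic time warping distance between two length sequences; tolerates a
    speaker talking a little faster or slower than the training sample."""
    n, m = len(a), len(b)
    inf = float("inf")
    cost = [[inf] * (m + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            step = abs(a[i - 1] - b[j - 1])
            cost[i][j] = step + min(cost[i - 1][j], cost[i][j - 1], cost[i - 1][j - 1])
    return cost[n][m]


def identify_phrase(observed_lengths, profiles):
    """Passive observer: compare captured (encrypted) packet lengths with each
    known phrase; return (best phrase, its distance, runner-up distance).
    A runner-up distance equal to the best means the observer is guessing."""
    scored = sorted(
        (dtw_distance(observed_lengths, encrypt_lengths(frames)), phrase)
        for phrase, frames in profiles.items()
    )
    best_distance, best_phrase = scored[0]
    runner_up_distance = scored[1][0]
    return best_phrase, best_distance, runner_up_distance


def pad_frames(payload_sizes, size=FRAME_MAX):
    """Mitigation: pad every frame to a fixed size before encrypting, i.e. give
    up VBR's bandwidth saving. Packet count (call duration) still leaks, and so
    does silence suppression if the sender stops transmitting during pauses."""
    return [size] * len(payload_sizes)


if __name__ == "__main__":
    print("VBR:   ", identify_phrase(OBSERVED_CALL, PHRASE_PROFILES))
    padded_profiles = {p: pad_frames(f) for p, f in PHRASE_PROFILES.items()}
    padded_call = encrypt_lengths(pad_frames(OBSERVED_CALL))
    print("padded:", identify_phrase(padded_call, padded_profiles))
```

Run as-is, the unpadded capture lands on the right phrase with a clear margin over the runner-up; after padding, every candidate scores identically and the classifier is reduced to a coin flip among the profiles.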

Definition Monday: Defense In Depth

March 21, 2011

Welcome to Definition Monday, where we define and explain a common technology or security concept for the benefit of our less experienced readers. This week: Defense In Depth.

There was a time, when the Internet was young and optimistic and not nearly so hostile as it is now, when the main defense of an Internet connected site was a single simple firewall at the network border.

Of course, this was also a time when the majority of users had a dumb terminal, if anything, that remained on their desk and the data that they worked with was on a DEC VAX or some other minicomputer maintained by the high priests of the IT department.

Those days are long, long gone.

Defense In Depth refers to an information security strategy in which multiple, partially redundant layers of defense are used to protect information assets. The strategy mitigates technology failures, vendor-specific exploits, and multiple attack vectors that a single layer of defense simply could not handle on its own.

For example, consider a Windows workstation in the controller’s office of your business. The network as a whole is probably protected by at least one firewall. There is likely a router in between this workstation and the Internet as well, which has its own abilities to accept or deny traffic. An Intrusion Detection System may be monitoring the traffic between the Internet and the computers in the controller’s department, watching for signs of attack or compromise. Finally, the machine itself is probably running a host-based firewall (either the Microsoft-supplied one that comes with Windows or a third-party installation), virus scanner, adware scanner, and so on. The thought is that if a threat manages to get past the border firewall, it still needs to get past the other measures in place before data can be compromised.

Another example – most companies run different virus detection packages on their mail server and their workstations, despite the fact that the licensing is often more expensive than just running one in both places. Why do this? Because if a virus can elude one of those packages but not the other, it will still be stopped. But an antivirus monoculture has no such built-in safeguards.

Two things to keep in mind when deploying a Defense In Depth strategy:

  • Consider mixing vendors, or at least mixing up product lines and operating systems within a single vendor’s offerings. Imagine that your office is an all-Cisco shop, from the firewall to the core routing to the wireless network. Now imagine that a new vulnerability is discovered, specific to Cisco embedded operating systems, that allows for traffic to be exfiltrated without tripping any sensors. You’re going to be a lot more vulnerable than someone who sprinkled in some Snort boxes, Vyatta routers, or some other non-Cisco equipment when designing the network.
  • Employing proper Defense In Depth can be expensive, especially if you go with a multi-vendor approach. It means buying multiple products with overlapping functionality. It means juggling more physical hardware. It means justifying purchasing new equipment rather than repurposing old stuff to cover a functional hole. It’s an expense that can be difficult to justify because the return on investment is not clear to the layman – but it is vitally important to make the case.

In the modern information environment, where network borders are fuzzy, where corporate data is showing up on personally owned laptops and smartphones, where people might be using their work laptop to help with their kids’ homework, the old “hard outside and a chewy center” model of a single network firewall at the office just doesn’t cut it any more. Defense In Depth is an important concept to remember when implementing your policies and technologies.


Flash Vulnerability

March 18, 2011

Sometimes I feel like there should be a category on here specific to Adobe Flash vulnerabilities. It seems to leak like a sieve.

Well, here’s another one. The Flash plugin can be exploited by an attacker to run arbitrary code or cause a DoS condition. A fix is expected next week; disabling Flash in your browser this week might be a smart move.

RSA Hacked

March 18, 2011

It appears that RSA – yes, that RSA, the demigods of security – has been hacked.

An APT attack was used to exfiltrate information related to their SecurID multifactor authentication products. RSA’s position is that the stolen information does not enable a direct attack on SecurID on its own, but it could make a broader attack simpler. Details will be forthcoming to SecurID customers.