Eating Ubuntu


That's right, there is now a restaurant called Ubuntu in Napa region of CA. Competitor Knoppix seen pulling up with a food-mobile to serve your immediate nourishment needs, but never actually constructing a building. (OK that's a horrible joke)
Posted on 6:24 PM by Tim Cronin and filed under | 0 Comments »

Mobile Devices on the LAN

iPhone Hype, get your iPhone hype here!

Those handsome, intelligent and engaging folks over at Astaro Internet Security have just introduced a very easy IPSec client auto-setup for an iPhone to connect to a protected LAN. This got me thinking. There is a lot of information available on securing your iPhone and other mobile devices from intrusion, but there isn't a lot of information available about securing your LAN from intrusion from your mobile users.

The idea of using a full IPSec tunnel for all network traffic is great for iPhone security. You are no longer sending data in the clear whether it's to your corporate mail server or gmail. This should cut back on some threats at the iPhone level. Because you are also giving access to your LAN, it can also create an all new set of issues on your LAN.

A lot of security types are used to thinking about mobile devices similar to laptops. After all, they are similar: they're mobile, they can hop on and off your local (trusted) wireless link, they have remote access capabilities, etc... I posit that they are, in fact, different in a few key ways. For instance most people turn their laptops off (or at least have them sleep) when they are actively traveling. This is not the case for mobile devices. The chances of a mobile device attaching to a rogue, unsecured or malevolent access point is far greater. Therefore the exposure to all sorts of nastiness is greater. How can you trust something like that on your LAN?

I would like to suggest some ideas (In bullet point goodness):
  • Expect the Worst
    • Always assume that a mobile device is owned and treat it as such, because it will be easier to deal with when it happens
  • Segment Mobile Devices:
    • Whenever possible, limit access to the LAN. Only give access to business critical infrastructure that is in a secure place, preferably segmented from any LAN.
    • Set up different SSIDs, WLANS and access points specifically for mobile users when in the office.
    • Do not allow mobiles to communicate with laptops and other wireless devices.
  • Use Device Level Security
    • Find reputable applications that protect the mobile device from intrusion
    • Use VPNs when possible to ensure no data is sent in the clear. This can often have an effect on your LAN.
  • Make Concise and Enforceable Usage Policies
    • Make sure that anybody that can gain access to your network with a mobile device is subject to a strict usage policy. This can at least allow you to take action when/if an incident occurs. This policy should be different from any other current remote access policy as the concepts are different
    • Training is considered somewhat "controversial" as you can't ensure that people will learn from it and listen. However, it is a good start and most people will be receptive (or face your wrath).
As always I would love to hear some feedback. Let me know if anything I've said has worked successfully. Report bugs in this theory to bugtaq... (or in the comments section)

Posted on 1:05 PM by Tim Cronin and filed under , , | 155 Comments »

Adobe Reader Exploit in the Wild

Hi All,

Just passing this info on. I just read on The Register that fully updated and patched Adobe Reader applications running on fully patched Windows systems are vulnerable to a new exploit. The original info from the Reg. article is at Shadow Server but Adobe fully recognizes the Vulnerability here. More info from US-CERT here.

Apparently, this exploit leverages a known vulnerability in the way MS Windows XP/2003 handles URIs. Using that vulnerability, it is possible to open a trojaned pdf file and have your PC injected with arbitrary commands.

The "Fix" stated in that article is to disable Acrobat Javascript (We all have Javascript off already right???). I can assume (but have not tested) that the Firefox NoScript add-on can save you from this. Adobe, on the other hand, "strongly recommends" updating to 8.1.1 of the Adobe Acrobat (Reader) application.

Here is a quote from pdp of GNUCitizen (credited with the find)

I am closing the season with the following HIGH Risk vulnerability:
Adobe Acrobat/Reader PDF documents can be used to compromise your
Windows box. Completely!!! Invisibly and unwillingly!!! All it takes
is to open a PDF document or stumble across a page which embeds one.

The issue is quite critical given the fact that PDF documents are in
the core of today's modern business. This and the fact that it may
take a while for Adobe to fix their closed source product, are the
reasons why I am not going to publish any POCs. You have to take my
word for it. The POCs will be released when an update is available.

Adobe's representatives can contact me from the usual place. My advise
for you is not to open any PDF files (locally or remotely). Other PDF
viewers might be vulnerable too. The issues was verified on Windows XP
SP2 with the latest Adobe Reader 8.1, although previous versions and
other setups are also affected.

A formal summary and conclusion of the GNUCITIZEN bug hunt to be expected soon.


pdp (architect) | petko d. petkov

Posted on 12:22 AM by Tim Cronin and filed under , , | 5 Comments »

SPF - Not Just for Your Skin

SPF - I need 200, how 'bout you?

Anecdotally, I have seen more reports of targeted "spoofed domain" spam. This is a troubling scenario if your domain really is targeted rather than just picked up by a bot. I'll outline a rather nasty one, no names given of course.

The Idea is that you receive an email from yourself or another user on your domain. A common one is that everyone on your domain gets an email from someone claiming to be a domain admin. You may think that you need to have a pwn'd machine on your network for this to happen, but that is not the case. As long as someone knows your email domain, this attack vector is easy to produce manually as well as automatically.

The incident that was reported to me is interesting. There was a learning institution that had a user's mail account compromised. This quickly meant that the IP address and domain name were blacklisted. The admin is now stressed to begin with and is not necessarily thinking straight.

Next, the compromised account was flushed out and the un-blacklisting process started when everyone got an email from a "domain admin." The email address looked authentic to the unsuspecting users because it cam from the correct domain. This new admin asked everyone on the domain to click a link and enter their usernames and passwords or their email account would be deleted. (uh-oh) Well, another email went out from the real admin telling them not to reply no matter what. And most listened...

(we all know what the ... means)

long story short, an SPF (Sender Policy Framework) record could have saved this "spear phishing" attack from happening. SPF is basically a DNS record for your domain. It specifies the IP addresses (or hostnames) for hosts that are allowed to send for your domain. Normally, after specifying the allowed servers, it has a '-all'. the - means "not allowed", all means - well, all. This is very important.

He had a security appliance that was checking for SPF from all domains. This would also check for *his own* domain. It diligently checked SPF and allowed the message anyways. Why? If he had an SPF record, it would say that the server that sent the message was not allowed to send the message. As it turns out, his domain has an SPF record, but it didn't tell the appliance to drop the message. Instead it had '~all', which means "this is bad, but let it go anyways".

I guess auditing may have been a good thing here. It's strange how a single character can ruin an entire day or more.

Posted on 9:58 PM by Tim Cronin and filed under , , | 0 Comments »

Art Imitating Life

(or life imitating art?)

Above is a comic from one of my favorite geeky websites, I like the site because there are 3 comics a week that are funny because they usually hit close to home. Just by looking at the image above, you know that the people that we are trying to keep away from our networks are in the right panel.

To be serious, miscreants don't use bleeding edge technology to target your facebook page (unless they're really bored), people with nefarious purpose will break in using the computational equivalent of a $5 dolar wrench. I like this comic because it puts so much into perspective. We need to be secure from the ubergeeks on the left, but we need to be watchful for the thugs on the right. Besides, the thugs on the right are more likely to post embarrassing things about you or your company online.

Let's take the scenario in the comic as real life. I just left my company laptop on the seat in the airport while I went to the bathroom. The two guys grabbed my laptop and noticed that a sticker on it says "property of [fortune 500 company]" -- SCORE!!! They boot it up and notice that it's encrypted. They aren't going to take it and work on the encryption at home, they're going to wait for me to leave the bathroom and coerce me to give them any password necessary.

Here's what can stop this:
  • Educate users that their laptop is, in essence, their livelihood. They wouldn't leave their wallet on the seat, why should they leave their laptop?
  • Try not to advertise the added value of a laptop. Stealing my mom's photos is less valuable than stealing my company's financial and customer data. It's one thing to say "if found return to [a discrete address(make sure when people here aren't vulnerable to social engineering] another to tell everyone that there is important data in here.
  • Encryption is still a good idea. It's better to know that anyone can't just get into the laptop's data if this situation arises.
Granted, this article lacks some real substance, but at least you got a chuckle from the comic ;)

Posted on 7:20 PM by Tim Cronin and filed under | 0 Comments »

More Bad News

Oh The Humanity!!

Nobody seems to be untouched by the Hindenburg economy. Right now there is so much hatch battening happening that nobody can afford to move forward. What does this mean to security practitioners (other than having to do more with even less)? It means that as attacks and attackers become more sophisticated, we as an industry, are not able to move into a good position to fight back.

Anecdotally, there are an astounding number of SMEs that have old systems and systems administrators/security folk have to put band-aids on everything from printers that are only a little broken to network security appliances that only have a small amount of vulnerability. Essentially, there are a lot of companies that offer services that are customizable by subscriptions. If you have cutbacks and now can not afford that IPS subscription, well, that's too bad - it still has to work, somehow.

This is not so much of an informational post as a post to express solidarity among the admins of the world that have to make things run extremely smoothly with nothing more than two paper clips and rubber bands. Keep it going and keep smiling.
Posted on 1:18 PM by Tim Cronin and filed under | 0 Comments »