Scary tool – dnscat

The idea of this tool is that you can run just about any program and/or copy files to/from the machine, say an ssh session, using DNS packets to/from the client.  In other words, a workstation sitting on a network somewhere, behind the company's firewalls, IPS/IDS, AV, etc., etc. could communicate with a system on the Internet using DNS packets, thus completely bypassing the security that the company has set up.  Certainly not something that a company would want to happen.  It is also hard to detect, since DNS queries are a common thing on a network.
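Because DNS tunnels hide among ordinary lookups, the practical tell is the shape of the queries rather than their presence: many unique names to one domain whose leftmost labels are long and random-looking (encoded data), often using TXT or NULL records. The following is an added example, not part of the original post or of dnscat itself; it runs a heuristic of that kind over constructed resolver log lines (the `client qtype qname` layout, the `tun.example` domain and the thresholds are all assumptions).

```python
import math
from collections import Counter, defaultdict

# Constructed resolver query-log lines ("client qtype qname"); not captured traffic.
SAMPLE_LOG = [
    "10.1.2.3 A www.cnn.com.",
    "10.1.2.3 A mail.corp.example.",
    "10.1.2.3 A mail.corp.example.",
    "10.1.2.3 A mail.corp.example.",
    "10.1.2.3 A mail.corp.example.",
    "10.1.2.3 A mail.corp.example.",
    "10.1.2.9 TXT 3f9a1c0e7b2d4e6f8a9b0c1d2e3f4a5b.c2.tun.example.",
    "10.1.2.9 TXT 9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4a.c2.tun.example.",
    "10.1.2.9 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.c2.tun.example.",
    "10.1.2.9 TXT ffeeddccbbaa99887766554433221100.c2.tun.example.",
    "10.1.2.9 TXT 0123456789abcdef0123456789abcdef.c2.tun.example.",
]

def shannon_entropy(s):
    """Bits per character; encoded (random-looking) labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parse_line(line):
    client, qtype, qname = line.split()
    return client, qtype.upper(), qname.rstrip(".").lower()

def base_domain(qname):
    """Last two labels; good enough for a heuristic, not a public-suffix lookup."""
    return ".".join(qname.split(".")[-2:])

def find_tunnel_suspects(lines, min_queries=5, min_label_len=20, min_entropy=3.5):
    """Group queries by (client, base domain). Flag a group when most leftmost
    labels are long and high-entropy and nearly every name is unique, i.e. the
    names carry data rather than naming hosts. Returns one dict per suspect."""
    groups = defaultdict(list)
    for line in lines:
        client, qtype, qname = parse_line(line)
        groups[(client, base_domain(qname))].append((qtype, qname))
    suspects = []
    for (client, base), queries in groups.items():
        if len(queries) < min_queries:
            continue
        labels = [q.split(".")[0] for _, q in queries]
        encoded = sum(1 for l in labels
                      if len(l) >= min_label_len and shannon_entropy(l) >= min_entropy)
        unique = len({q for _, q in queries})
        if encoded >= 0.8 * len(queries) and unique >= 0.9 * len(queries):
            rare = sum(1 for t, _ in queries if t in ("TXT", "NULL"))
            suspects.append({"client": client, "domain": base, "queries": len(queries),
                             "encoded_labels": encoded, "txt_or_null": rare})
    return suspects

if __name__ == "__main__":
    for s in find_tunnel_suspects(SAMPLE_LOG):
        print(s)
```

On the sample, the repeated `mail.corp.example` lookups from 10.1.2.3 are not flagged (short, repeated names), while the five unique hex-labelled TXT queries from 10.1.2.9 are; in a real deployment the thresholds need tuning against the site's own baseline, since CDNs and some anti-spam services also produce long, unique labels.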

You should know that from an attack/defend perspective, I am currently much more of a defender than an attacker.  That is to say, when I learn about tools like this, my brain starts to think “okay, how do I defend against or stop this?”.

The answer in this case is that the clients (i.e. workstations and other internal devices) are not allowed to get information about any domain on the Internet.  In other words, any request from them for, say, www.google.com or www.cnn.com would get back a response from their DNS server(s) of “does not exist”, period, the end.  The company's internal DNS servers would perform recursive DNS lookups, but only for the internal zone.

Then how do they reach the Internet for, say, www.cnn.com?  The clients must use proxies.  The proxy server(s) are allowed to talk with specific DNS servers inside the DMZ that accept recursive queries from only the proxy servers, and thus enable the proxy to fetch the data from www.cnn.com, for example.

Compared to, say, an Internet cafe offering free WiFi service, such a corporate network would seem very restrictive and probably not be considered “friendly” to the employees.  On the other hand, if I were the owner of the company or the CSO, I’d sleep better at night.  Defense in depth is something I learned early on in my days of information security and continue to refine.

Of course these same rules apply within the company as well.  If a particular area needs additional protection, then it should treat the rest of the company just like the Internet and barricade itself off.

What do you think?

FBI Supply chain compromised :)

http://blogs.csoonline.com/the_fbi_supply_chain_illustrated

Funny!

A great example of why you need…

defense in depth (which includes egress filters) and Network Security Monitoring (NSM).  This diary post on isc.sans.org is a good example of why companies need to practice defense in depth.  I have spent many years involved with messaging; back in 1995 I didn’t know what SMTP meant, but thanks to a gentleman at then Xerox PARC, the nice folks at what was then Innosoft, Joel from Opus1, and the countless posts on info-PMDF, I learned a lot.

Many companies have problems with viruses, and for years I referred to Outlook as “the best virus distribution tool” around.  My point being that if the workstations are not allowed to connect to outside servers/services, then that stops a lot of stuff in its tracks.  For example, if a workstation became infected and the malicious software was trying to send out spam and the firewall let it out, then out goes the spam.  On the other hand, if the firewall rules prevented the workstation from directly talking with SMTP servers outside of the company, then the malicious software would have to find a different way.  Maybe instead the malicious software would talk with the company's mail server and let it send the spam out.  As long as the mail server is set up correctly, i.e. with anti-spam/anti-virus for outbound messages as well, then this problem would be stopped or at least slowed.  Another thing to do: force the use of secure authentication for all users, regardless of location.

Another trick: rate limiting.  TCP/IP connection rate limiting and message rate limiting should be put in place on the messaging server.  If an internal machine violates these limits, then the machine could be put into a deny-all list and an administrator alerted.

I find it surprising that a company, in this day and age, would not at least have egress filters on their firewall.  I can understand companies not having NSM in place, but I hope to change that as I build out our managed services offering to include NSM.