Scary tool – dnscat

The idea of this tool is that you can run just about any program and/or copy files to/from the machine, say an ssh session, with all of the traffic carried inside DNS queries and responses. The client never needs a direct connection to the Internet: it only has to resolve names under a domain the attacker controls, and the company's own recursive resolver forwards those queries to the attacker's authoritative name server and hands the answers back. In other words, a workstation sitting on a network somewhere, behind the company's firewalls, IPS/IDS, AV, etc. could communicate with a system on the Internet using nothing but DNS, completely bypassing the security that the company has set up. Certainly not something that a company would want to happen. It is also hard to detect, since DNS queries are a common thing on a network, although a tunnel does leave traces: a large number of unique, long, high-entropy subdomains under a single zone, and record types (TXT, for instance) that a workstation rarely has a reason to ask for.

You should know that from an attack/defend perspective, I am currently much more of a defender than an attacker.  That is to say, when I learn about tools like this, my brain starts to think “okay, how do I defend against or stop this?”.

The answer in this case is that the clients (i.e. workstations and other internal devices) are not allowed to resolve any domain on the Internet.  In other words, any request from them for, say, www.google.com or www.cnn.com gets back a “does not exist” (NXDOMAIN) response from their DNS server(s), period, the end.  The company's internal DNS servers perform recursive lookups only for the internal zone(s) and never forward anything else outward.  Two things have to hold for this to work: the internal servers must not be configured with forwarders or root hints that let them recurse to the Internet, and the firewall's egress rules must block DNS (UDP and TCP port 53) from the client networks to anything but the internal servers, otherwise a tunnel client simply sends its queries straight to an outside resolver.

Then how do they reach the Internet for, say, www.cnn.com?  The clients must use proxies.  The proxy server(s) are allowed to talk with specific DNS servers inside the DMZ, which accept recursive queries only from the proxy servers, and that is what lets a proxy fetch the data from www.cnn.com on a client's behalf.
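The design above removes the covert channel outright, because a tunnel client's queries never leave the building.  Where a resolver still recurses to the Internet, the traces mentioned earlier are what NSM has to look for.  The following is an added example, not part of the original post and not dnscat's code: it reads BIND 9 style query-log lines (the line format, hosts, domains and sample traffic are all constructed, and the thresholds are illustrative), groups queries by client and zone, and flags groups with many unique, long, high-entropy subdomains.

```python
"""Heuristic detection of DNS tunnelling from a resolver's query log.

Added example, not part of the original post and not dnscat's code. The
log format is assumed to be BIND 9 style ("client IP#port: query: NAME IN
TYPE ..."); hosts, domains and sample lines are constructed, and the
thresholds are illustrative.
"""
import math
import re
from collections import defaultdict

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")

# Constructed sample. 10.1.5.23 does ordinary lookups (including one long
# CDN hostname); 10.1.5.77 is talking to a tunnel under attacker.example.
SAMPLE_LOG = """\
client 10.1.5.23#51234: query: www.cnn.com IN A + (10.1.1.2)
client 10.1.5.23#51235: query: mail.example.org IN MX + (10.1.1.2)
client 10.1.5.23#51236: query: www.example.org IN A + (10.1.1.2)
client 10.1.5.23#51237: query: imap.example.org IN A + (10.1.1.2)
client 10.1.5.23#51238: query: smtp.example.org IN A + (10.1.1.2)
client 10.1.5.23#51239: query: cdn.example.org IN A + (10.1.1.2)
client 10.1.5.23#51240: query: login.example.org IN A + (10.1.1.2)
client 10.1.5.23#51241: query: a1b2c3d4e5f6a7b8c9d0e1f2.cdn-provider.example IN A + (10.1.1.2)
client 10.1.5.77#49152: query: 0123456789abcdef.fedcba9876543210.attacker.example IN TXT + (10.1.1.2)
client 10.1.5.77#49153: query: 13579bdf02468ace.eca86420fdb97531.attacker.example IN TXT + (10.1.1.2)
client 10.1.5.77#49154: query: 02468ace13579bdf.fdb97531eca86420.attacker.example IN TXT + (10.1.1.2)
client 10.1.5.77#49155: query: 89abcdef01234567.76543210fedcba98.attacker.example IN TXT + (10.1.1.2)
client 10.1.5.77#49156: query: abcdef0123456789.9876543210fedcba.attacker.example IN CNAME + (10.1.1.2)
client 10.1.5.77#49157: query: 5a4b3c2d1e0f6978.8796f0e1d2c3b4a5.attacker.example IN CNAME + (10.1.1.2)
"""


def parse_line(line):
    """Return (client ip, query name, qtype) or None for non-query lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("name").rstrip(".").lower(), m.group("qtype")


def split_name(name):
    """(subdomain, zone), taking the zone as the last two labels. Good
    enough here; a real deployment should use the public suffix list so
    that names under e.g. co.uk are grouped correctly."""
    labels = name.split(".")
    if len(labels) <= 2:
        return "", name
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def entropy(text):
    """Shannon entropy in bits per character; encoded payload scores high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect(log_text=SAMPLE_LOG, min_unique=5, min_len=30, min_entropy=3.0):
    """Group queries by (client, zone) and flag groups with many unique,
    long, high-entropy subdomains. A CDN name is long but appears once;
    a busy internal zone has many names but they are short."""
    groups = defaultdict(lambda: {"subs": set(), "qtypes": defaultdict(int)})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, name, qtype = parsed
        sub, zone = split_name(name)
        groups[(ip, zone)]["subs"].add(sub)
        groups[(ip, zone)]["qtypes"][qtype] += 1
    findings = []
    for (ip, zone), g in groups.items():
        subs = [s for s in g["subs"] if s]
        if len(subs) < min_unique:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(entropy(s.replace(".", "")) for s in subs) / len(subs)
        if mean_len >= min_len and mean_ent >= min_entropy:
            findings.append({"client": ip, "zone": zone,
                             "unique_subdomains": len(subs),
                             "mean_length": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2),
                             "qtypes": dict(g["qtypes"])})
    return findings


if __name__ == "__main__":
    for finding in detect():
        print(finding)
```

On the constructed sample only the 10.1.5.77 / attacker.example group is reported; the long CDN name is a single query and the busy example.org zone has short names, which is why all three thresholds are applied together rather than any one alone.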

Compared to, say, an Internet cafe offering free WiFi service, such a corporate network would seem very restrictive and probably not be considered “friendly” to the employees.  On the other hand, if I were the owner of the company or the CSO I’d sleep better at night.   Defense in depth is something I learned early on in my days of information security and continue to refine.

Of course these same rules apply within the company as well.  If a particular area needs additional protection, then it should treat the rest of the company just like the Internet and barricade itself off.

What do you think?

A great example of why you need…

defense in depth (which includes egress filters) and Network Security Monitoring (NSM).  This diary post on isc.sans.org is a good example of why companies need to practice defense in depth.  I have spent many years involved with messaging; back in 1995 I didn’t know what SMTP meant, but thanks to a gentleman at what was then Xerox PARC, the nice folks at what was then Innosoft, Joel from Opus1, and the countless posts on info-PMDF, I learned a lot.

Many companies have problems with viruses, and for years I referred to Outlook as “the best virus distribution tool” around.  My point being that if the workstations are not allowed to connect to outside servers/services, that stops a lot of stuff in its tracks.  For example, if a workstation became infected and the malicious software tried to send out spam and the firewall let it out, then out goes the spam.  On the other hand, if the firewall rules prevented the workstation from directly talking with SMTP servers outside of the company, the malicious software would have to find a different way.  Maybe instead it would talk with the company's mail server and let that send the spam out.  As long as the mail server is set up correctly, i.e. with anti-spam/anti-virus scanning on outbound messages as well, then this problem would be stopped or at least slowed.  Another thing to do: force the use of secure (authenticated, encrypted) submission for all users, regardless of location, so that the server never relays an anonymous connection from inside the network and every outbound message is tied to an account.

Another trick: rate limiting.  TCP/IP connection rate limiting and message rate limiting should be put in place on the messaging server.  If an internal machine violates these limits, it can be put into a deny-all list and an administrator alerted.
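What that looks like in practice, as an added example that is not part of the original post and not the code of any particular mail server: a sliding-window limiter that counts connections and messages per client IP, moves a client to a deny list on its first violation and records an alert.  The log line format (“<ISO timestamp> connect|message from <IP>”), the sample traffic and the default limits are all constructed for the example.

```python
"""Connection and message rate limiting for a mail server, with a deny list
and an alert on violation.

Added example, not part of the original post and not any MTA's own code.
The log format ("<ISO timestamp> connect|message from <IP>") and the sample
traffic are constructed; the limits are illustrative defaults.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<event>connect|message) from (?P<ip>[\d.]+)")


class RateLimiter:
    """Sliding-window limiter: at most conn_limit connections per conn_window
    seconds and msg_limit messages per msg_window seconds, per client IP.
    The first violation puts the client on the deny list until an
    administrator removes it, and records an alert."""

    def __init__(self, conn_limit=10, conn_window=60, msg_limit=50, msg_window=600):
        self.limits = {"connect": (conn_limit, conn_window),
                       "message": (msg_limit, msg_window)}
        self.events = defaultdict(deque)   # (ip, event) -> timestamps in window
        self.denied = {}                   # ip -> reason it was denied
        self.alerts = []

    def observe(self, ts: datetime, event: str, ip: str) -> bool:
        """Record one event; return True if the server should accept it.
        Events are assumed to arrive in time order per client."""
        if ip in self.denied:
            return False
        limit, window = self.limits[event]
        recent = self.events[(ip, event)]
        recent.append(ts)
        while recent and (ts - recent[0]).total_seconds() > window:
            recent.popleft()
        if len(recent) > limit:
            reason = f"{len(recent)} {event} events in {window}s (limit {limit})"
            self.denied[ip] = reason
            self.alerts.append(f"ALERT {ts.isoformat()} deny-all {ip}: {reason}")
            return False
        return True


def sample_log():
    """Constructed traffic: 10.1.5.23 behaves normally, 10.1.5.77 bursts."""
    base = datetime(2010, 2, 5, 9, 0, 0)
    lines = []
    for i in range(3):                     # one message every five minutes
        t = (base + timedelta(minutes=5 * i)).isoformat()
        lines += [f"{t} connect from 10.1.5.23", f"{t} message from 10.1.5.23"]
    for i in range(15):                    # fifteen connections in fifteen seconds
        t = (base + timedelta(seconds=i)).isoformat()
        lines += [f"{t} connect from 10.1.5.77", f"{t} message from 10.1.5.77"]
    return lines


def run(lines, **limits):
    """Feed log lines through the limiter; return (limiter, accepted count)."""
    limiter = RateLimiter(**limits)
    accepted = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        if limiter.observe(ts, m.group("event"), m.group("ip")):
            accepted += 1
    return limiter, accepted


if __name__ == "__main__":
    limiter, accepted = run(sample_log())
    print("accepted:", accepted)
    for alert in limiter.alerts:
        print(alert)
```

With the defaults the bursting host is cut off at its eleventh connection inside the minute and everything after that from it is refused, while the normal host is never touched; raising the limits (the `run(..., conn_limit=..., msg_limit=...)` keywords) shows where the line sits for a given site.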

I find it surprising that a company, in this day and age, would not at least have egress filters on their firewall.  I can understand companies not having NSM in place, but I hope to change that as I build out our managed services offering to include NSM.

Google asking NSA for help

In this article Google is reportedly asking for assistance from the NSA. From my limited knowledge of the NSA, this sounds like the right thing to do. I have done plenty of work under non-disclosure agreements (NDAs). Given the people that work at the NSA, I don’t see a problem with Google working with them.  The people at the NSA are very bright (on par with the talent Google has in-house, perhaps even brighter).

Sources familiar with the new initiative said the focus is not figuring out who was behind the recent cyberattacks — doing so is a nearly impossible task after the fact — but building a better defense of Google’s networks, or what its technicians call “information assurance.”

I have two words for Google, “air gap”, at the most basic level.  If the packets can not enter or leave the computer/network, then at least the system is secure from over-the-wire attacks, ignoring physical attacks. After all, the DoD operates SIPRNet and, except for a few cases of people bringing a virus to SIPRNet, it is secure.  Of course that is just one small part of a complete “information assurance” program, but a good foundation is required.

Unlike SIPRNet, which could have multiple organizations connected and thus opens up potential security challenges, Google could have a less difficult time.  Google has one entity, itself.  If the reports about employees assisting the attackers are true, in a way the air gap is even more important.  On the other hand, if an employee (or employees) wanted to collaborate and get information from a secure network to the open Internet, it would not be impossible.  If this network is secured properly, then it would be extremely difficult to accomplish, if not impossible. With no CDs, no USB devices, physical inspections upon entering/leaving the rooms and armed guards, the ability to get information off the network either electronically or in hard copy would be difficult.

Forcing ssh login via s/key

In the back of my mind are the recent attacks against Google and others by the Chinese government.  I keep asking myself how I would set up and defend against such attacks, and more importantly mitigate them. The end goal of this exercise for me is to limit Internet access to devices that have authenticated to the gateway/proxy.  Thus when the user logs out of their workstation for the day and goes home, their computer is cut off from the Internet.

I’ve thought about using key based authentication.  Trick is, if the system has a keyboard logger installed, then both the keys and the passphrase protecting the keys can be stolen.  Harder than most, but not foolproof.

I’m thinking of a case where the user’s computer is compromised by someone external to the company.  At this point my intent is to limit the ability of the computer to access the Internet.  If the computer can not talk with the Internet then the person who compromised the system can not get data out of the company network.

At this point the solution in my head was to use authpf, ssh, and s/key.  I would prefer that users not have a local password.  Instead they can only use s/key to login.  I also would prefer that users don’t have to type user:skey@host and instead just user@host and have s/key forced upon them.  I created a new login class, a new user, and had s/key as the authentication method for the class.  I assigned the user to the class.  Then I ‘su – user’ and tried skeyinit, but the “user” then gets prompted for their password.  Because their login class requires s/key, the password being requested is an s/key password.  A catch-22.  :(
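For anyone unfamiliar with why s/key resists the keylogger case that defeats key-based authentication above, here is the one-time-password chain itself, written out with both sides of the login exchange.  This is an added example, not code from the original post and not OpenBSD's skey implementation: it uses the MD5 variant of RFC 2289 (the simplest fold), omits the six-word encoding (which needs the 2048-word dictionary) in favour of 16 hex digits, and the seed, passphrase and sequence count are illustrative values.  RFC 2289 publishes test vectors against which the hex output can be checked.

```python
"""S/KEY one-time-password chain (RFC 2289, MD5 variant) with both sides
of the login exchange.

Added example, not code from the original post or from OpenBSD's skey.
The MD5 variant is used because its fold is the simplest; the six-word
encoding is omitted (it needs the 2048-word dictionary), so passwords
are shown as 16 hex digits. Seed and passphrase values are illustrative.
"""
import hashlib


def fold(digest16: bytes) -> bytes:
    """Reduce a 16-byte MD5 digest to 8 bytes by XORing the two halves."""
    return bytes(a ^ b for a, b in zip(digest16[:8], digest16[8:]))


def step(state: bytes) -> bytes:
    """One step of the chain: hash the 8-byte state and fold it again."""
    return fold(hashlib.md5(state).digest())


def initial_key(seed: str, passphrase: str) -> bytes:
    """Seed (lower-cased) concatenated with the passphrase, hashed and folded."""
    return fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())


def otp(seed: str, passphrase: str, n: int) -> bytes:
    """Password for sequence number n: the chain step applied n times."""
    state = initial_key(seed, passphrase)
    for _ in range(n):
        state = step(state)
    return state


def to_hex(password: bytes) -> str:
    """Hex form of a password, as 'otp-md5' prompts print it."""
    return password.hex().upper()


class SkeyServer:
    """Server side. It stores the seed, the current sequence number and the
    last password it accepted. It never sees the passphrase: at init time
    the user hands over otp(seed, passphrase, count), which is what
    skeyinit computes."""

    def __init__(self, seed: str, count: int, top_password: bytes):
        self.seed = seed
        self.n = count
        self.last = top_password

    def challenge(self):
        """What the login prompt shows: sequence number n-1 and the seed."""
        return self.n - 1, self.seed

    def verify(self, candidate: bytes) -> bool:
        """Accept only if one more chain step turns the candidate into the
        password stored from the previous login. A replayed password fails
        because step(p) == p does not hold, and a sniffed or keylogged
        password gives no way to compute the next (lower-numbered) one."""
        if step(candidate) != self.last:
            return False
        self.n -= 1
        self.last = candidate
        return True


def demo():
    """Walk through init, one login, a replay attempt and the next login."""
    seed, passphrase = "TeSt", "This is a test."   # illustrative values
    server = SkeyServer(seed, 100, otp(seed, passphrase, 100))
    n, s = server.challenge()                        # (99, 'TeSt')
    first = otp(s, passphrase, n)                    # computed on the client
    ok_first = server.verify(first)
    replay = server.verify(first)                    # attacker replays it
    n, s = server.challenge()                        # (98, 'TeSt')
    ok_second = server.verify(otp(s, passphrase, n))
    return ok_first, replay, ok_second, server.n


if __name__ == "__main__":
    print(demo())                                    # (True, False, True, 98)
    print(to_hex(otp("TeSt", "This is a test.", 99)))
```

The server side stores nothing a keylogger can use: the passphrase lives only in the user's head (or calculator), and each accepted password becomes the check value for the next, lower-numbered one.  The catch-22 in the post sits entirely on the enrolment side, where the first `otp(seed, passphrase, count)` has to get onto the server before the login class starts demanding s/key responses.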

If you’re reading this and have a suggestion or idea on how I might work around this or otherwise accomplish my goal, please leave a comment.

iPhone – ip forwarding YES

As I tweeted earlier, I was poking around my jailbroken iPhone and discovered IP forwarding does work.  I’ve been searching for ways to tether my iPhone to various computers.  I was able to use OpenSSH and establish a SOCKS proxy yesterday.  That works nicely and, given the “Location” feature of OS X and the profile support of Firefox, that does provide a decent solution.

Problem is that Mail.app does not like to speak IMAPS over a port-forwarding SSH tunnel.  Actually it may have been SMTPS over an SSH tunnel that it dislikes completely, which I never did figure out or understand why. From a packet perspective they go into the tunnel and come out.

I’m looking to set up my iPhone as an IP router for my computers.  Now that I know the phone is capable of IP forwarding, it is just a matter of getting the rest of the stuff set up. Ideally I want to set up an SSH VPN between my portable computer and my server.  Then all of my traffic will be encrypted until it exits at my server, at which point I don’t care.

I’m going to continue exploring the possibilities of the iPhone as a router and also as a stealth attack device.  From Cydia, the usual network goodies of nmap, netcat, tcpdump and so on are now installed on my phone.

Yes I’ve changed the default root password from ‘alpine’ to something else.  I go a step further on any public facing SSH enabled devices, I only allow key based authentication.

If you have any tips or suggestions let me know.