
Archive of the 'Security' category

Evaluation of Rootkit Detectors

m.schmidt 18. January, 2007

It is inherent to rootkits that they are difficult to reveal. Nevertheless, many security suites out there claim to be able to detect and remove them. Information Week has now evaluated some specialized rootkit detectors, definitely worth a look.
But one should not forget that no program in the world can guarantee that malicious software found on your computer has been removed completely, so you should always consider a reinstallation of your system.

Once in a while administrators ask themselves why the use of p2p applications like Skype is possible in their networks although a firewall blocks all incoming traffic.
I'll try to explain this in a simple way. The mentioned applications are no 'real' p2p apps, because they use a server to establish the connection.
So what happens when Alice (IP 10.0.0.1) wants to call Bob (IP 11.0.0.1)? She sends a request to the server, which contacts Bob and informs him about Alice (her IP and the port she wants to use, let's say 2020). As a result, Bob sends a UDP message to Alice on that port. While Alice's firewall drops this, Bob's firewall is now in a state where it accepts replies from Alice on this port. Alice does the same now, and we have two firewalls, both accepting communication over this "connection", thinking they are accepting answers to former requests.
This uses the feature of many firewalls to treat UDP as "stateful", assuming that packets with corresponding ports and addresses belong to the same connection, which can be a mistake. This is different from TCP, where a real, reliable connection setup exists.
So one should think twice before allowing all outgoing traffic, because this can have strange side effects.
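The exchange described above, replayed against a toy model of a firewall that treats UDP as "stateful". This is an added example and not code from the original post; the rendezvous server address (192.0.2.10), its port (3478) and Bob's source port (4040) are constructed, while Alice's and Bob's addresses and Alice's port 2020 are taken from the text. The second scenario shows the mitigation the post hints at: if Alice's firewall does not permit arbitrary outbound UDP, no state is ever created and the "connection" never opens.

```python
# Toy model of a firewall that treats UDP as "stateful": an outbound datagram
# creates a state entry, and an inbound datagram is accepted only when it
# looks like a reply to an existing entry. Added example, not from the post.

ALICE = "10.0.0.1"      # from the post
BOB = "11.0.0.1"        # from the post
ALICE_PORT = 2020       # from the post
SERVER = "192.0.2.10"   # constructed rendezvous server
SERVER_PORT = 3478      # constructed
BOB_PORT = 4040         # constructed


class StatefulUdpFirewall:
    def __init__(self, allow_outbound_udp=True):
        self.allow_outbound_udp = allow_outbound_udp
        # one entry per (inside_port, remote_ip, remote_port) seen outbound
        self.state = set()

    def outbound(self, src_port, dst_ip, dst_port):
        """Inside -> outside. Creates state if outbound UDP is permitted."""
        if not self.allow_outbound_udp:
            return "DROP"
        self.state.add((src_port, dst_ip, dst_port))
        return "ACCEPT"

    def inbound(self, src_ip, src_port, dst_port):
        """Outside -> inside. Only datagrams matching existing state pass."""
        if (dst_port, src_ip, src_port) in self.state:
            return "ACCEPT"
        return "DROP"


def hole_punch(alice_allows_outbound_udp=True):
    """Replay the exchange from the post; return the verdict of each step."""
    alice_fw = StatefulUdpFirewall(alice_allows_outbound_udp)
    bob_fw = StatefulUdpFirewall()
    v = {}
    # 1. Both register with the server; the outbound datagrams create state.
    v["alice_to_server"] = alice_fw.outbound(ALICE_PORT, SERVER, SERVER_PORT)
    v["bob_to_server"] = bob_fw.outbound(BOB_PORT, SERVER, SERVER_PORT)
    # 2. The server tells Bob about Alice's endpoint (arrives as a "reply").
    v["server_to_bob"] = bob_fw.inbound(SERVER, SERVER_PORT, BOB_PORT)
    # 3. Bob sends to Alice:2020. Alice's firewall has no matching state and
    #    drops it, but Bob's firewall now expects a reply from Alice.
    bob_fw.outbound(BOB_PORT, ALICE, ALICE_PORT)
    v["bob_first_to_alice"] = alice_fw.inbound(BOB, BOB_PORT, ALICE_PORT)
    # 4. Alice sends to Bob:4040. Bob's firewall sees a "reply" and accepts;
    #    Alice's firewall now holds state for Bob as well.
    if alice_fw.outbound(ALICE_PORT, BOB, BOB_PORT) == "ACCEPT":
        v["alice_to_bob"] = bob_fw.inbound(ALICE, ALICE_PORT, BOB_PORT)
    else:
        v["alice_to_bob"] = "DROP"
    # 5. Bob's next datagram matches Alice's state and passes.
    bob_fw.outbound(BOB_PORT, ALICE, ALICE_PORT)
    v["bob_second_to_alice"] = alice_fw.inbound(BOB, BOB_PORT, ALICE_PORT)
    return v


if __name__ == "__main__":
    for name, verdict in hole_punch().items():
        print(f"{name:22s} {verdict}")
    print("with outbound UDP blocked on Alice's side:",
          hole_punch(alice_allows_outbound_udp=False)["bob_second_to_alice"])
```

Note that neither firewall ever accepts an unsolicited inbound datagram; each one only "replies" to what it believes its own host started, which is exactly why the clean-up rule on incoming traffic does not help here.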

6th door – securing RedHat

m.schmidt 6. December, 2006

Today it's again about server hardening, or better to say RedHat hardening. Because I'll have to deal with that system from time to time, this paper by Werner Puschitz is quite helpful, providing some very useful tricks and hints, for example how to enable scp without providing login prompts.

Update for md5

m.schmidt 5. December, 2006

A little update to yesterday's article.

After computing for about 11 hours (at only 900 MHz), my own crafted binaries are ready. Same size, same md5 checksum, different behaviour. While the good one reveals an English verse, the evil one talks to you in the Black Speech of Mordor.

4th door – security of md5

m.schmidt 4. December, 2006

At the weekend I found the time to have a closer look at md5 and the attacks published for this algorithm. One of these attacks, published by Xiaoyun Wang, deals with the problem of finding collisions. It produces two so-called initial vectors having the same md5 hash. Afterwards it is possible to append arbitrary data to these vectors without changing the fact that the md5 hashes remain identical. (This is an inherent property of block-based (hash) algorithms: if one has two blocks with the same hash, they still have the same hash after appending the same arbitrary data to both.) In short:
if md5(x)==md5(y) then md5(x+z)==md5(y+z)
The initial vectors in Wang's example differ only by 6 bits, but appending more of these blocks leaves some bytes free for adding payload. A closer mathematical view would exceed the scope of this article, therefore I'd like to refer (besides the initial paper mentioned at the beginning) to the text by Peter Selinger, which deals with the problem in more detail. Here, a small example shows what can be done with two initial vectors, named vec1 and vec2. Both have an identical md5 hash but are different, as shown by the sha1 hash.

ftp:/md5coll# md5sum vec*; sha1sum vec*
da5c61e1edc0f18337e46418e48c1290 vec1
da5c61e1edc0f18337e46418e48c1290 vec2
8f42c29f6ac45423d2a7dd614d666a26e39f29ee vec1
dfce366c23c88044ad57a5eaa7d5420024a7fd14 vec2

Now let's append some data and observe that the md5 hashes stay identical.

ftp:/md5coll# dd if=/dev/urandom of=foo bs=32460 count=1
1+0 Datensätze ein
1+0 Datensätze aus
32460 Bytes (32 kB) kopiert, 0,044771 Sekunden, 725 kB/s
ftp:/md5coll# cat foo >> vec1
ftp:/md5coll# cat foo >> vec2
ftp:/md5coll# md5sum vec*; sha1sum vec*
64dbc8e1f2cc1855f09f37528181484b vec1
64dbc8e1f2cc1855f09f37528181484b vec2
b73dde6a98b46c53fd32fb709330dad835a9d116 vec1
e60795346ab6041ff1a315e8ca745c854ffe6ae2 vec2
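Why appending the same data keeps the hashes identical, shown on the algorithm itself. This is an added example, not code from the post or from Wang's or Selinger's work: a minimal MD5 with its chaining state exposed. It does not contain a real collision pair (none is reproduced on this page); instead it shows the property the post relies on. Everything after a block boundary depends only on the chaining state, the number of bytes consumed so far, and the appended data, so two same-length, block-aligned prefixes that reach the same state (which is what the collision blocks provide) stay equal under any common suffix. The caveat a practitioner should keep in mind: the rule only holds when x and y have the same length, which is the case for the vec1/vec2 pair above. The constants and the `hashlib` cross-check are standard; the helper names are this example's own.

```python
import hashlib
import math
import struct

# Added example, not from the original post: a minimal MD5 whose internal
# state can be read out and resumed, to show why md5(x+z) == md5(y+z)
# follows from md5(x) == md5(y) for equal-length, block-aligned x and y.

S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
MASK = 0xFFFFFFFF


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & MASK


def md5_compress(state, block):
    """One Merkle-Damgard step: chain 'state' through a single 64-byte block."""
    a0, b0, c0, d0 = state
    M = struct.unpack("<16I", block)
    A, B, C, D = a0, b0, c0, d0
    for i in range(64):
        if i < 16:
            F, g = (B & C) | (~B & D), i
        elif i < 32:
            F, g = (D & B) | (~D & C), (5 * i + 1) % 16
        elif i < 48:
            F, g = B ^ C ^ D, (3 * i + 5) % 16
        else:
            F, g = C ^ (B | ~D), (7 * i) % 16
        F = (F + A + K[i] + M[g]) & MASK
        A, D, C, B = D, C, B, (B + _rotl(F, S[i])) & MASK
    return ((a0 + A) & MASK, (b0 + B) & MASK, (c0 + C) & MASK, (d0 + D) & MASK)


def md5_state_after(data, state=INIT):
    """Absorb whole blocks only; len(data) must be a multiple of 64."""
    assert len(data) % 64 == 0, "only complete 64-byte blocks carry state"
    for off in range(0, len(data), 64):
        state = md5_compress(state, data[off:off + 64])
    return state


def _padding(total_len):
    # 0x80, zero fill up to 56 mod 64, then the bit length as 64-bit little-endian
    zeros = b"\x00" * ((55 - total_len) % 64)
    return b"\x80" + zeros + struct.pack("<Q", (total_len * 8) & 0xFFFFFFFFFFFFFFFF)


def md5_from_state(state, prefix_len, suffix):
    """Finish MD5 given the chaining state reached after prefix_len bytes."""
    final = md5_state_after(suffix + _padding(prefix_len + len(suffix)), state)
    return struct.pack("<4I", *final).hex()


def md5_hex(data):
    return md5_from_state(INIT, 0, data)


def appended_digest_matches(prefix, suffix):
    """md5(prefix + suffix) computed two ways: directly via hashlib, and by
    resuming from the chaining state after 'prefix'. Two colliding prefixes
    share that state, so their resumed digests (and hence md5 of prefix+z)
    are identical for every z."""
    resumed = md5_from_state(md5_state_after(prefix), len(prefix), suffix)
    return resumed == hashlib.md5(prefix + suffix).hexdigest()


if __name__ == "__main__":
    # constructed stand-in for a two-block vector like vec1; not a real collision
    x = b"A" * 128
    z = b"appended payload"
    print("state after x :", [hex(w) for w in md5_state_after(x)])
    print("md5(x+z)      :", md5_hex(x + z))
    print("resumed == hashlib:", appended_digest_matches(x, z))
```

Two consequences for the defender follow directly from the structure: a single md5 over a file cannot tell a substituted colliding block apart from the original, and the common fix at the time (the post suggests sha1) works only because the second hash does not share the same chaining state; checking two unrelated hashes, not a longer md5, is what closes this particular gap.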

While the attack is not published completely yet (there are only initial vectors, while it should be possible to have these 'doppelgangers' at any point in the data), there are some nice things one can do with this.

For example a binary that records its way through p2p file sharing networks like Kazaa, collecting information about the users sharing this binary. Kazaa does not hash the whole file, but does this in 32KB blocks. So you can use one bit of every block for your own purposes. Talking about a binary of 60MB, this makes 1920 bits of payload without changing the hash of the file (changing the hash would result in multiple appearances of the file in the p2p network, which would surely be noticed). Now it's not necessary for the binary to phone home; it's enough to download it from time to time via the p2p network and see what it has collected (for example MAC addresses, email data or host names).

Security tools that check the md5s of a system's files also have no chance to detect a replacement.

Peter Selinger has published a nice tool that is able to create a pair of executables with identical hash but distinct behaviour. While my computer is still computing my own example, I'll use Peter's example files here.

mschmidt@ftp:~$ md5sum erase; md5sum hello; sha1sum erase; sha1sum hello
da5c61e1edc0f18337e46418e48c1290 erase
da5c61e1edc0f18337e46418e48c1290 hello
dfce366c23c88044ad57a5eaa7d5420024a7fd14 erase
8f42c29f6ac45423d2a7dd614d666a26e39f29ee hello
mschmidt@ftp:~$ ./erase
This program is evil!!!
Erasing hard drive…1Gb…2Gb… just kidding! Nothing was erased.
(press enter to quit)
mschmidt@ftp:~$ ./hello
Hello, world! (press enter to quit)

It scares me a bit that
if md5(binA)==md5(binB) then behaviour(binA)==behaviour(binB)
is no longer supposed to be true. So is this the end of md5? Well, I don't think so, because the usage of the published attack is rather limited. But it should be clear that the end of md5 has begun, and moving to an alternative (sha1) should happen as fast as possible.

Whoever is interested in more details should have a look at this book; especially chapters 3 and 11 show what's possible with md5 collisions.


2nd door – securing Apache

m.schmidt 2. December, 2006

Today it's about the security of the most popular web server around, Apache. The main things to secure a (not only web) server are not new and always the same: disable unused modules/services, care about access privileges, use the latest patches and so on…
Pete Freitag has collected some important facts for Apache in a kind of checklist, which has helped me quite a few times, especially when in a hurry or when checking a foreign configuration.
Whoever likes to have a closer look at the topic should think about consuming this book, published by O'Reilly.

Security 2.0

m.schmidt 28. November, 2006

After Web 2.0, there's now Security 2.0, according to Symantec. Some say Symantec is going to publish all their work as a sort of "anti-pattern", calling this Security 2.0 ;)
Well, Symantec itself claims Security 2.0 to be a shiny new bunch of software for the automation of security tasks, especially when it comes to dealing with all the new laws awaiting us.
By now, Google has more than half a million results for Security 2.0, but most of these articles are screaming for BullshitBingo 2.0; the rest is Bashing 2.0.

It seems that marketing comes before know-how, while Security 1.0 still has beta status. :) Or should we all migrate to 3.0?

There is a wide variety of pros and cons regarding desktop firewalls. The main problem is that a normal user has no idea which tools should get access to the internet and which should not.
Checkpoint offers a quite mighty piece of software to solve this problem, named 'Integrity', originating from the ZoneAlarm desktop firewall that Checkpoint bought some time ago.
Along with that client comes the Integrity server, and within it lies the biggest part of the system's power.
This server is responsible for the management, creation and deployment of the policies enforced on the desktop clients. These policies can enforce restrictions on OSI layer 4, based on IP addresses and ports, nothing new. But in addition, there's the chance to restrict the software on the clients on an application basis.
Based on a checksum, a file name or whatever, only 'good' programs are allowed to access the internet, or even allowed to run at all. For example, if there's a file sharing client active, the Integrity client can close it, prevent its access to the internet, or isolate the whole client from the company's network. It can also keep an eye on the Windows hotfixes, or make decisions based on the kind and freshness of the anti-virus solution.
But all this is a lot for an administrator to handle, and therefore Integrity provides solutions to help him with the software management. At first, every client reports the programs trying to connect somewhere to the server, so the administrator can see what kind of software is hanging around in his network and decide what to restrict. A second nice feature is the chance to set up reference clients. All the software on these clients is regarded as 'good' and can be used on other systems with the same restrictions as on that reference machine. So the administrator only has to keep one machine up to date.
In times where notebooks and PDAs are getting more and more common, and employees often work with their machines in different, sometimes untrusted networks, this is a good way to not only keep an eye on the interface to the outside world, but also to deal with the traffic inside a network.

There are a lot more interesting features in the Integrity bundle, so if you're interested you're welcome to leave a short comment; maybe I'll do a part 2, or even a more thorough how-to.

Google is searching for Malware

m.schmidt 14. November, 2006

H.D. Moore, head of the Metasploit Framework, announced a new, interesting project. With the help of Google, he published a search engine for finding malicious software.

This works quite simply. Based on known fingerprints, it searches for them via Google. The trigger for this project came from the Websense guys, who had the intention to build a similar engine, but based upon SOAP and the Google API. But that stuff turned out to be non-free, and far less powerful than initially announced.

So why search for malware? For research, for example, or for simply testing one's own security policy. But be aware: malware found by Google can be considered rather aged, and is not a suitable metric for the quality of a defending software framework.

Two essential rules for a firewall

m.schmidt 11. November, 2006

It's a firewall's job to protect the network behind it, based on the policy implemented by the administrator. Therefore, a firewall can only be as good as the guy behind it. There are mostly two rules considered substantial, and for the "clean-up" rule I think this is true. That rule is the last one in the policy, and drops (or rejects) all connections that have not been allowed so far. The second one is the "stealth rule", blocking any kind of communication with the firewall itself. Of course, the administrator has to take care not to lock himself out. In common systems, this happens by implied rules, allowing communication with the firewall's management initiated by certain computers.

Well, I'm not a total friend of this rule. Of course one should avoid unnecessary risk and block for example ssh from the outside world as long as one is not using it, 'cause why should an attacker get the chance of guessing this password? It's also a fact that there should be no other daemon running on the firewall. But what about ICMP? Is this one necessary? It's quite easy to gain a lot of information based on ICMP with common tools (ping, nmap). There are also known attacks from the past; the "ping of death" is widely known. So why take the risk of an attack, and give information about the system to the world? But there are voices claiming that ICMP is absolutely important and needs to be untouched. Well, indeed, troubleshooting without ICMP is not that easy.
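The two rules and their ordering, as an added example that is not part of the original post and not tied to any particular firewall product: a first-match policy evaluator with a management rule, the stealth rule and the clean-up rule, run over a few constructed packets. The firewall address (192.0.2.1), the protected network (10.0.0.0/8), the management network (10.0.0.0/24) and all packet addresses are constructed. The second policy has the stealth rule moved in front of the management rule, which is the lock-out the post warns about: the rule that should let the administrator in is never reached.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example, not from the original post. A first-match policy evaluator
# showing where the management rule, the stealth rule and the clean-up rule
# sit relative to each other. All addresses and networks are constructed.

FIREWALL_IP = "192.0.2.1"      # the firewall's own address
INTERNAL = "10.0.0.0/8"        # protected network
MANAGEMENT = "10.0.0.0/24"     # admin stations allowed to reach the firewall


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR or "any"
    dst: str              # CIDR, "any" or "firewall"
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # None matches every port
    action: str           # "accept", "drop" or "reject"


def _addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "firewall":
        return addr == FIREWALL_IP
    return ip_address(addr) in ip_network(spec)


def rule_matches(rule, pkt):
    return (_addr_matches(rule.src, pkt["src"])
            and _addr_matches(rule.dst, pkt["dst"])
            and rule.proto in ("any", pkt["proto"])
            and (rule.dport is None or rule.dport == pkt.get("dport")))


def evaluate(policy, pkt):
    """Return (rule name, action) of the first matching rule. With an
    explicit clean-up rule at the end this never falls through."""
    for rule in policy:
        if rule_matches(rule, pkt):
            return rule.name, rule.action
    raise ValueError("policy has no clean-up rule")


# Order matters: management access to the firewall must be allowed BEFORE
# the stealth rule, otherwise the administrator locks himself out.
POLICY = [
    Rule("management", MANAGEMENT, "firewall", "tcp", 22, "accept"),
    Rule("stealth", "any", "firewall", "any", None, "drop"),
    Rule("web-out", INTERNAL, "any", "tcp", 80, "accept"),
    Rule("cleanup", "any", "any", "any", None, "drop"),
]

# Same rules with the stealth rule first: the management rule is now dead.
LOCKED_OUT_POLICY = [POLICY[1], POLICY[0], POLICY[2], POLICY[3]]


def verdicts(policy):
    """Run a handful of constructed packets through a policy."""
    pkts = {
        "admin_ssh_to_fw": {"src": "10.0.0.5", "dst": FIREWALL_IP, "proto": "tcp", "dport": 22},
        "outside_ssh_to_fw": {"src": "203.0.113.7", "dst": FIREWALL_IP, "proto": "tcp", "dport": 22},
        "outside_ping_to_fw": {"src": "203.0.113.7", "dst": FIREWALL_IP, "proto": "icmp"},
        "inside_http_out": {"src": "10.1.2.3", "dst": "198.51.100.9", "proto": "tcp", "dport": 80},
        "outside_smb_in": {"src": "203.0.113.7", "dst": "10.1.2.3", "proto": "tcp", "dport": 445},
    }
    return {name: evaluate(policy, pkt) for name, pkt in pkts.items()}


if __name__ == "__main__":
    for name, (rule, action) in verdicts(POLICY).items():
        print(f"{name:20s} -> {action:6s} ({rule})")
    print("misordered policy, admin ssh ->", verdicts(LOCKED_OUT_POLICY)["admin_ssh_to_fw"])
```

The ICMP question from the post maps onto the same structure: whether echo requests to the firewall are answered is decided by whether an accept rule for `proto == "icmp"` sits above the stealth rule, and restricting such a rule to the management network keeps troubleshooting possible from inside without answering the outside world.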

I'd like to discuss the advantages and disadvantages of the stealth rule. I hope that you have a minute to share your opinion.