Broadband Developments

January 5, 2009

Security Updates from Andreas Antonopoulos RE: Web 2.0 and Unified Communications

Filed under: Podcasts, Security, UC, Web 2.0 — John Furrier @ 10:06 am

I found this great podcast on the Network World site today from Andreas Antonopoulos. Things like Web 2.0 and unified communication applications as well as virtualization all make securing an enterprise network more difficult. Nemertes’ Andreas Antonopoulos explains how security policies and systems need to become more flexible to fit the new ways we work.

Click here for the podcast.

November 10, 2008

Worldwide Survey: Most DNS Servers And Systems Vulnerable to Attacks

Filed under: BroadDev, Security, virtualization — John Furrier @ 7:29 am

One in Four Servers Still Unpatched for the Kaminsky Vulnerability and Many More Open to Recursion

The Measurement Factory, experts in performance testing and protocol compliance, today announced results from the fourth-annual survey of domain name servers on the public Internet.

Top-line results indicate that despite the fact that most organizations are running recent versions of BIND and no longer using Microsoft DNS Servers for their external DNS servers, many organizations have not taken the necessary precautions to limit access to recursion or secure zone transfers. In addition, many still have not upgraded to the latest DNS software to protect against the recently discovered Kaminsky vulnerability and associated risk of DNS cache poisoning.

“Given the heightened awareness of DNS server vulnerabilities due to the recent Kaminsky discovery, it is surprising to see how many organizations are still leaving their DNS systems as potential victims of attack,” commented Cricket Liu, Vice President of Architecture at Infoblox and author of O’Reilly & Associates’ DNS and BIND, DNS & BIND Cookbook, and DNS on Windows Server 2003. “Even if an enterprise has gone to the trouble of patching against the Kaminsky vulnerability, there are many other aspects of configuration, like recursion and open zone transfers, that should also be secured. If not, organizations are essentially locking their door to their house, but leaving the windows wide open. Organizations clearly need to pay more attention to configurations and deployment architectures that are leaving their DNS infrastructures vulnerable to attacks and outages.”

DNS servers are essential network infrastructure that map domain names (e.g., yahoo.com) to IP addresses (e.g., 66.94.234.13), directing Internet inquiries to the appropriate location. Domain name resolution conducted by these servers is required to perform any Internet-related request, whether for Web browsing, email, ecommerce, or cloud computing. Should an enterprise or organization’s DNS systems become compromised by attacks, the results can be devastating, ranging from loss of a company’s Web presence, inability of employees to access any outside Web services, and perhaps most damaging, redirection of Web and email traffic to bogus sites, resulting in data loss, identity theft, ecommerce fraud and more.

Following are the key 2008 DNS survey results, which are based on a sample that included 5 percent of the IPv4 address space, nearly 80 million addresses.

GOOD NEWS

--  90% of name servers that run BIND run one of the most recent versions
    of BIND 9; a small but significant number of administrators continue to run
    older versions of BIND on Internet-facing name servers, putting their
    organizations at risk.

--  Only .17% still rely on Microsoft DNS Server, down from 2.7% (2007);
    usage of unsecure Microsoft DNS Servers connected to the Internet is
    vanishing.

--  Support for Sender Protection Framework (SPF) within DNS for spam
    reduction increased from 12.6% of zones sampled to 16.7%; despite the
    complexity of SPF configuration, validating email senders is increasing in
    importance and organizations are taking email fraud seriously.

BAD NEWS

--  One in four DNS servers does not perform source port randomization --
    the "patch" for "the Kaminsky vulnerability"; the effort by vendors and the
    Internet's DNS community to encourage administrators to upgrade their name
    servers after the announcement of the Kaminsky vulnerability paid off;
    however, a surprising number have not been upgraded and are very vulnerable
    to cache poisoning.

--  More than 40% of Internet name servers allow recursive queries; there
    are still millions of open recursors on the Internet, a danger both to
    themselves and others -- they are vulnerable to cache poisoning and
    Distributed Denial of Service attacks.

--  30% of DNS servers surveyed allow zone transfers to arbitrary
    requestors; this leaves servers as easy targets for denial-of-service
    attacks.

--  Only .002% of DNS zones tested support DNSSEC; administrators have not
    been convinced of its importance -- perhaps intimidated by its complexity
    -- but new mandates could mean a significant change in the near future.

MISC.

--  Usage of IPv6 name servers continues to increase from .27% to .44%;
    while enterprises are investigating IPv6 and concerned about increasingly
    scarce IPv4 address space, adoption of IPv6 is still low -- address
    scarcity isn't yet considered a serious concern and they feel no urgency to
    adopt IPv6.

Call to Action

Based on these statistics, there are some clear calls to action for organizations with external DNS servers. Instead of waiting until they are attacked, all organizations should assess their DNS infrastructure and immediately take the necessary steps to make them more reliable and secure. Infoblox provides a number of free, automated tools that enable organizations to test their DNS infrastructure and identify weaknesses and vulnerabilities.
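As an added illustration (not part of the survey, and not one of Infoblox’s tools), here is a BIND 9 named.conf fragment for an Internet-facing authoritative server that closes the three gaps the BAD NEWS list names: it does not pin the query source port, so the Kaminsky source-port-randomization fix stays effective; it refuses recursion to outside clients; and it restricts zone transfers to named secondaries that sign with a TSIG key. The addresses, zone name and key secret are constructed placeholders.

```conf
// Added example, not from the survey: hardened named.conf for an
// Internet-facing BIND 9 authoritative server. Addresses, zone and key
// secret are constructed placeholders.

// TSIG key shared with the secondaries. The all-zero secret below is a
// placeholder; generate a real one (dnssec-keygen -a HMAC-SHA256 -b 256).
key "xfer-key" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";   // placeholder
};

acl "secondaries" { 192.0.2.10; 192.0.2.11; };   // documentation addresses
acl "internal"    { 10.0.0.0/8; localhost; };

options {
    directory "/var/named";

    // WEAK: pinning the source port undoes the Kaminsky patch and leaves
    // only the 16-bit transaction ID for a forger to guess. Do not set:
    // query-source address * port 53;
    // HARDENED: leave query-source unset; patched BIND (9.4.2-P1 /
    // 9.5.0-P1 and later) then picks a random source port per query.

    // WEAK: recursion yes; allow-recursion { any; };   (open recursor)
    // HARDENED: this server is authoritative only; no recursion at all.
    // (A separate resolver for your own users would instead use
    //  recursion yes; allow-recursion { internal; };)
    recursion no;

    // WEAK: allow-transfer { any; };   (anyone can pull the whole zone)
    // HARDENED: refuse transfers globally; enable per zone below.
    allow-transfer { none; };
    allow-query { any; };            // authoritative data is public
    version "not disclosed";         // do not advertise the BIND version
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Only requesters that sign with the TSIG key may transfer the zone.
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.10; 192.0.2.11; };
    notify explicit;
};
```

Each secondary needs the same key statement plus a `server <master-ip> { keys { "xfer-key"; }; };` block so its AXFR/IXFR requests are signed; verify the result with `named-checkconf` and a transfer attempt from an unlisted host, which should be refused.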

October 28, 2008

University of Minnesota Deploys Infoblox Appliances - Student Authentication and IP Address Assignment Dramatically Streamlined

Filed under: BroadDev, Networking, Security — John Furrier @ 7:55 am

Infoblox Inc. today announced that the University of Minnesota has deployed Infoblox appliances for delivery of core network services, including internal and external domain name resolution (DNS) and IP address assignment and management (DHCP/IPAM) – essential to daily operation of its extensive network and applications, enabling access to resources such as student registration, assignments and health records. In addition to bolstering reliability, manageability and security of its core network services infrastructure, ensuring nonstop delivery of DNS and DHCP services, the University has implemented a unique authentication portal enabled by Infoblox appliances that allows more than 6,500 residential hall students easy, secure and authorized network access.

The previous solution for network address management services did not meet the University’s requirements. The University requirements expanded in scope, scale and functionality, focusing on self-service and security.

Mike LeVoir, network design engineer at the University of Minnesota, commented: “The Infoblox solution met the University’s requirements of built-in reliability and features that allow delegated management with data-entry templates for the various departments.”

“Infoblox made the process of implementing our student authentication portal seamless. Students used to have to locate their MAC address — not necessarily intuitive for some — and then register their device with the IT department by physically visiting one of our centers. With Infoblox, the students don’t need to know their own MAC address, nor do they have to leave their dorm rooms. What used to take 30 minutes now takes seconds, and we moved the process from something cumbersome to something much simpler both for students and the IT department.”

On campus, there are 6 Infoblox appliances running the Infoblox DNSone package that includes Infoblox’s unique grid technology. The grid technology links the Infoblox appliances together so they can operate as a unified system for resiliency and management advantages. An HA pair is acting as grid masters, two are delivering DHCP services, and the remaining two are performing DNS services as authoritative masters. Additionally, there is one at the Univ. of Washington, which via grid technology is fully integrated with a remote authoritative master and the local six appliances.

The University is currently using the authenticated DHCP function in campus residence halls with plans to roll it out to the entire University. When logging on to the University network, students are automatically redirected to a captive portal where they are shown a registration page and acceptable use policy. Once authorized, students are then assigned a University-issued IP address. Previously, students had to go to a physical lab on campus and register their device(s). It was a cumbersome and time consuming process. Now using the portal, students simply plug in their device in their dorm room, log on and they are on the network after a seamless host registration process.

August 12, 2008

VMWare Crashed - Major Bug Found

Filed under: Security — John Furrier @ 12:46 pm

VMWare is posting about a major issue with VMWare. I’m calling around to find out what the heck is going on.

Here is information from Mattjk on the VMWare community forum (I think it’s a blog):

serious bug with our ESX cluster - serious enough that I thought I should post about it here as a prior warning for others running ESX 3.5 Update 2.

The VMWare tech support person we spoke to wouldn’t 100% confirm whether this was / would be affecting all ESX3.5u2 installs, but he strongly alluded that it was widespread. For others sake I hope I’m wrong and it’s limited.

The bug:

Starting this morning, we could not power on nor VMotion any of our Virtual Machines. The VI Client threw the error “A general system error occurred: Internal Error”.

Further digging led us to messages like this one in /var/log/vmware/hostd.log, and the log file for any virtual machine we tried to power on or VMotion:

Aug 12 10:40:10.792: vmx| http://msg.License.product.expired This product has expired.
Aug 12 10:40:10.792: vmx| Be sure that your host machine’s date and time are set correctly.
Aug 12 10:40:10.792: vmx| There is a more recent version available at the VMware Web site: “http://www.vmware.com/info?id=4″.

A call to tech support confirmed this as a known problem with a temporary workaround.

The work-around: turn off NTP (if you’re using it), and then manually set the date of all ESX 3.5u2 hosts back to 10th of August. This can be done either through the VI Client (Host -> Configuration -> Time Configuration) or by typing date -s "08/10/2008" at the Service Console command line on the ESX hosts.

As soon as the date was reset to the 10th - problem solved.

Note that running VMs were operating fine, this only seems to affect initial VM power-on (including from suspended state) and VMotion.

So, it sounds like a serious licensing bug has crept into 3.5u2. Further testing shows that the problem begins as soon as the date hits 12th August - 10th is fine, 11th is fine, 12th and the problem appears.

There wasn’t any real reference to similar problems in the forums as far as I could see, but it’s quite possible we’re seeing this before most of the rest of the world as we’re in Australia, and therefore the date here ticked over to the 12th “before” those in Europe, America, etc.

Hope this helps others… took us a couple of hours to get this far - at least we can power on VMs again though!

Microsoft Vulnerability - Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution

Filed under: Security — John Furrier @ 12:44 pm

Microsoft is blogging about a vulnerability in ActiveX.

This security update resolves a privately reported vulnerability in the ActiveX control for the Snapshot Viewer for Microsoft Access. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

Office 2000, Office 2003, and XP Service Pack 3 - Remote Code Execution possible.

August 7, 2008

Worms Now Want To Be Your Friend On Facebook

Filed under: BroadDev, Security — John Furrier @ 3:38 pm

Mike Arrington is reporting worms now friending you on Facebook.

The worm spreads when a compromised user’s account is used to send messages to others with a title such as “LOL. You’ve been catched on hidden cam, yo:” and a link to a random URL. The linked website is a YouTube-like page that shows a video player along with what looks like a standard browser message to update your Flash installation. Clicking on the button begins a malware installation of a file called “codecsetup.exe.”

I blogged about this earlier in the week but in the case of Twitter.

Look for 2009 to be the year security hacks go social; forget Social Media, maybe it’s called Social Exploits.

August 5, 2008

Black Hat 2008 - Look for Social Nets and DNS to Be Hot Topics

Filed under: Security — John Furrier @ 9:21 am

Robert Vamosi of Cnet has a good round-up of the upcoming Black Hat 2008.

Look for social networking and multivendor DNS problems to be a big part of the conversation. Just this month we’ve seen the DNS monster rise up. Also, what isn’t as visible are the little exploits in the social media or social network fabric: things like Twitter spoofing, Twitter attacks, and an entirely new definition of “Fake Friends”.

This week it’s Twitter’s turn to host an attack - one that is targeting both Twitter users and the Internet community at large. In this case it’s a malicious Twitter profile twitter.com/[skip]/ with a name that is Portuguese for ‘pretty rabbit’ which has a photo advertising a video with girls posted.

This profile has obviously been created especially for infecting users, as there is no other data except the photo, which contains the link to the video.

If you click on the link, you get a window that shows the progress of an automatic download of a so-called new version of Adobe Flash which is supposedly required to watch the video. You end up with a file labeled Adobe Flash (it’s a fake) on your machine; a technique that is currently very popular.

In reality, this is a Trojan downloader that proceeds to download 10 banker Trojans onto the infected machine, all of which are disguised as MP3 files. We first detected the downloader proactively as Heur.Downloader and then added a signature to detect it also as Trojan-Downloader.Win32.Banload.sco.

In other related blogging, Adobe is seeing bad activity around its platform. From the Adobe web site: “We have seen coverage from the security community of a worm on popular social networking sites that is using social engineering lures to get users to install a piece of malware. According to the reports, the worm posts comments on these sites that include links to a fake site. If the link is followed, users are told they need to update their Flash Player. The installer, posted on a malicious site, of course installs malware instead of Flash Player.”

Old infrastructure standards like DNS and new emerging environments like Web 2.0 provide a breeding ground for new security problems or black hat techniques.

Looking for a job? Go into security. This will be a big growing area.

July 31, 2008

Symantec Reports Strong Earnings

Filed under: BroadDev — John Furrier @ 6:10 am

Symantec reports strong earnings amid the backdrop of a growing web of worms and other vulnerabilities.

Symantec Corp today reported the results of its first quarter of fiscal year 2009, ended July 4, 2008. GAAP revenue for the quarter was $1.650 billion and non-GAAP revenue was $1.655 billion, up 16 percent over the comparable period a year ago.

“The quarter’s strong growth was driven by our team’s ability to cross-sell and up-sell the breadth of our product portfolio which is reflected in the number of large transactions that include multiple products,” said John W. Thompson, chairman and chief executive officer, Symantec. “The fiscal year is off to a terrific start with solid execution and performance across all segments and geographies.”

What this means is that Symantec is taking advantage of the growing consolidation in the enterprise security space. Recently Symantec has been buying up firms to offer CIOs and enterprises a wide variety of security products. In addition, Symantec has been tinkering with its sales mix between direct and indirect.

Overall, customers (enterprises, SMBs, and consumers) will always need security products. Consolidation allows Symantec to take advantage of the economies of scale of multiple products while maintaining high prices.

July 30, 2008

News: FBI Puts Out Virus Post - Warning a Storm Worm Virus

Filed under: Security — John Furrier @ 1:23 pm

It’s a great week for security blogging. May have to get some dedicated bloggers on this sector. Very active. Anyway, today the FBI put out a warning that there is a big-time virus out there. Specifically, they warn of the Storm Worm virus.

The FBI and its partner, the Internet Crime Complaint Center (IC3), have received reports of recent spam e-mails spreading the Storm Worm malicious software, known as malware. These e-mails, which contain the phrase “F.B.I. vs. facebook,” direct e-mail recipients to click on a link to view an article about the FBI and Facebook, a popular social networking website. The Storm Worm virus has also been spread in the past in e-mails advertising a holiday e-card link. Clicking on the link downloads malware onto the Internet connected device, causing it to become infected with the virus and part of the Storm Worm botnet.

A botnet is a collection of compromised computers under the remote command and control of a criminal “botherder.” Most owners of the compromised computers are unsuspecting victims. They have unintentionally allowed unauthorized access and use of their computers as a vehicle to facilitate other crimes, such as identity theft, denial of service attacks, phishing, click fraud, and the mass distribution of spam and spyware. Because of their widely distributed capabilities, botnets are a growing threat to national security, the national information infrastructure, and the economy.

“The spammers spreading this virus are preying on Internet users and making their computers an unwitting part of criminal botnet activity. We urge citizens to help prevent the spread of botnets by becoming web-savvy. Following some simple computer security practices will reduce the risk that their computers will be compromised,” said Special Agent Richard Kolko, Chief, FBI National Press Office.

Everyone should consider the following:

  • Do not respond to unsolicited (spam) e-mail.
  • Be skeptical of individuals representing themselves as officials soliciting personal information via e-mail.
  • Do not click on links contained within an unsolicited e-mail.
  • Be cautious of e-mail claiming to contain pictures in attached files, as the files may contain viruses. Only open attachments from known senders.
  • Validate the legitimacy of the organization by directly accessing the organization’s website rather than following an alleged link to the site.
  • Do not provide personal or financial information to anyone who solicits information.

July 29, 2008

DNS Exploit Again - It Keeps Going and Going - Feels like the Energizer Bunny of Exploits

Filed under: Security — John Furrier @ 11:06 am

The exploit is still out there. Apple still has not patched the DNS vulnerability. This vulnerability has been running for weeks in the security circles. It feels like the Energizer Bunny of vulnerabilities. People, just get the damn patch done, will you! Enough already. Ok, my rant is done.

On Slashdot Steve Shockley notes an article up at TidBITS on Apple’s unexplained failure to patch the DNS vulnerability that we have been discussing for a few weeks now. “Apple uses the popular Internet Systems Consortium BIND DNS server, which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date.”

More good stuff on Slashdot below:

Related posts from Slashdot

Kaminsky’s DNS Attack Disclosed, Then Pulled

“Reverse engineering expert Halvar Flake has recently mused on Dan Kaminsky’s DNS vulnerability. Apparently his musings were close enough to the mark to cause one of the Matasano team, who apparently already knew of the attack, to publish the details on the Matasano blog in a post entitled ‘Reliable DNS Forgery in 2008.’ The blog post has since been pulled, but evidence of it exists on Google and elsewhere. It appears only a matter of time now before the full details leak.” Reader Time out contributes a link to coverage on ZDNet as well.

“That didn’t take long. ZDNet is reporting that HD Moore has released exploit code for Dan Kaminsky’s DNS cache poisoning vulnerability into the point-and-click Metasploit attack tool. From the article: ‘This exploit caches a single malicious host entry into the target nameserver. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing the target nameserver to insert the additional record into the cache.’ Here’s our previous Slashdot coverage.”

“Austrian CERT used data from one of their authoritative DNS servers to measure the rate at which the latest DNS patch (source port randomization) is being rolled out to larger recursive name servers. While about half the traffic (PDF) they receive is now using source port randomization, their data suggest that this is due to ISPs who roll out such fixes immediately. The rate of patching has fallen to disappointingly low levels since. If your ISP isn’t patched, perhaps it is time to switch.” After details of the DNS vulnerability leaked, researchers |)ruid and HD Moore released attack code; ZDNet’s security blog has an analysis.