Serious DNS Vulnerability

July 15, 2008

Older versions of almost every popular implementation of DNS (e.g. BIND, Windows, Cisco, Solaris, Juniper) have a vulnerability which would allow an attacker to “cache-poison” the server. This means that a poisoned resolver, possibly your ISP’s, could direct you to fraudulent websites.

For example, if you typed the PayPal address into your browser, a cache-poisoned DNS server could direct you to an IP address that is not operated by PayPal, while the address bar would still show the address you typed. This attack cannot spoof PayPal’s SSL certificate, but a certificate with a similar name could be presented, making this an extremely dangerous phishing technique.

One would hope all the major ISPs and public name servers would have patched this vulnerability, but it’s likely that smaller servers, such as those at businesses, universities or individuals, may not have.

Test your DNS server here; many large ISPs have been very slow to patch:

If this test shows your DNS to be vulnerable, change your DNS settings to the ones specified at OpenDNS.
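The reason the fix is a resolver-side patch rather than a browser-side one deserves a worked illustration. The following is an added example, not code from the original post or from any of the vendors named above: it takes constructed (port, transaction ID) observations for three hypothetical resolvers, classifies whether the resolver randomizes its UDP source port, quantifies how much a fixed port helps a forger (a spoofed reply only needs to guess the 16-bit transaction ID instead of a 32-bit port/ID pair), and shows the bailiwick check a resolver applies before caching a record from a response. The sample data and the 0.9 entropy threshold are assumptions for this example.

```python
import math
import random
from collections import Counter

# Constructed sample observations: (UDP source port, DNS transaction ID) seen
# on successive outbound queries from three hypothetical resolvers. A patched
# resolver randomizes both; an unpatched one typically uses a fixed or
# incrementing port, leaving only the 16-bit transaction ID to guess.
_rng = random.Random(2008)
FIXED_PORT_RESOLVER = [(53, _rng.randrange(65536)) for _ in range(32)]
SEQUENTIAL_PORT_RESOLVER = [(32768 + i, _rng.randrange(65536)) for i in range(32)]
RANDOM_PORT_RESOLVER = [(_rng.randrange(1024, 65536), _rng.randrange(65536))
                        for _ in range(32)]


def entropy_bits(values):
    """Shannon entropy, in bits, of a list of observed values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def assess_resolver(observations):
    """Classify source-port behaviour from (port, txid) pairs.

    The entropy figures are capped at log2(sample size), so they should be
    read against 'max_bits' rather than against 16 bits.
    """
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    max_bits = math.log2(len(observations))
    port_bits = entropy_bits(ports)
    txid_bits = entropy_bits(txids)
    if len(set(ports)) == 1:
        verdict = "fixed source port"
    elif all(b - a == 1 for a, b in zip(ports, ports[1:])):
        verdict = "sequential source ports"
    elif port_bits >= 0.9 * max_bits:   # threshold is an assumption
        verdict = "randomized"
    else:
        verdict = "low port entropy"
    return {"port_bits": port_bits, "txid_bits": txid_bits,
            "max_bits": max_bits, "verdict": verdict}


def forgery_success_probability(port_space, txid_space, forged_replies):
    """Chance that at least one of `forged_replies` spoofed answers, each
    carrying a random (port, txid) guess, matches the outstanding query.
    A fixed port means port_space == 1, so only the 16-bit txid protects it.
    """
    p_single = 1.0 / (port_space * txid_space)
    return 1.0 - (1.0 - p_single) ** forged_replies


def in_bailiwick(record_name, queried_zone):
    """Bailiwick rule: only cache a record from a response if the record's
    name is at or below the zone the answering server is authoritative for.
    This stops an answer for one domain from planting records for another.
    """
    record = record_name.rstrip(".").lower()
    zone = queried_zone.rstrip(".").lower()
    return record == zone or record.endswith("." + zone)


if __name__ == "__main__":
    for name, obs in [("fixed", FIXED_PORT_RESOLVER),
                      ("sequential", SEQUENTIAL_PORT_RESOLVER),
                      ("random", RANDOM_PORT_RESOLVER)]:
        print(name, assess_resolver(obs)["verdict"])
    print("fixed port, 1000 forged replies:",
          forgery_success_probability(1, 65536, 1000))
    print("random port, 1000 forged replies:",
          forgery_success_probability(64512, 65536, 1000))
    print(in_bailiwick("ns1.example.com", "example.com"),
          in_bailiwick("www.paypal.com", "example.com"))
```

The two probabilities are the whole point of the patch: with a fixed port a burst of a thousand forged replies has roughly a 1.5% chance per race, which an attacker can simply repeat; with a randomized port the same burst is around 2 in 10 million. The bailiwick check is the older defence that stops a poisoned reply for one name from also overwriting unrelated cached records.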

Vulnerability specifications:

OpenVPN Guide

June 27, 2008

I’ve finally finished my OpenVPN guide. It’s based on the guide I used from It’s a Tech World, but I’ve beefed up the security and added explanations and detail to some of the more complicated steps.

Here is the URL (it’s linked from the homepage as well):

As I mentioned in a previous post, using this configuration of OpenVPN, you’ll be able to securely connect to your host network from anywhere, access files, services and the host internet connection, but your host network will remain completely invisible to port scans.

This product is amazingly effective, simple to use (once set up) and, with the right configuration, secure. I think my guide is fairly comprehensive, but if you have any suggestions, feel free to comment.

Big thanks to Riley at It’s a Tech World for writing such a great guide.

gpcode.ak: New-gen Ransomware

June 10, 2008

This isn’t new, but worrying. A ransomware virus from over a year ago, called ‘gpcode’, has resurfaced. The new version is called ‘gpcode.ak’.

What’s interesting about this virus is that, when infection occurs, it encrypts a victim’s documents (.doc, .pdf, etc.) and leaves a ransom note on the computer demanding money in return for the decryption key. The original version of this particular virus used a 660-bit asymmetric key which was eventually cracked, but this new version uses 1024 bits. The internet security company Kaspersky has stated:

“Along with antivirus companies around the world, we’re faced with the task of cracking the RSA 1024-bit key. This is a huge cryptographic challenge. We estimate it would take around 15 million modern computers, running for about a year, to crack such a key.”

Obviously this is very bad news for anyone infected by gpcode.ak, but it does provide some evidence as to the strength of good cryptography. For example, in the OpenVPN guide I’m putting together, I recommend using a 2048-bit key for certificate generation. That’s 2^1024 times harder to crack than a 1024-bit key and, going on Kaspersky’s calculation, it would take 15 million modern computers 2^1024 years to crack. While computers are always becoming more powerful, this sort of key strength will surely remain safe for some time to come.

There’s a good page explaining all the details of gpcode.ak here.

New to NAC

May 6, 2008

Reading through the news coming out of the Interop conference in Las Vegas, I’ve learnt about a relatively new class of security product called NAC or Network Access Control.

NAC involves verifying the integrity of a system before granting it access to a network. This might involve checking that anti-malware is up-to-date, the OS is patched and that group policies have been applied. The aim of this is to stop attacks on new systems as they join a network and to protect a network from compromised systems.

NAC is generally enforced by client software, which is now included in XP and Vista with the latest round of service packs (though Microsoft calls it Network Access Protection). Security vendors such as Symantec, McAfee and Sophos have also released packages to market.

This approach to network security seems much more comprehensive and seamless than using combinations of software, group policy, scripting and user privilege control, but increased security always comes at a price.

One of the greatest difficulties with implementing NAC is the challenge of authenticating and monitoring non-PC devices such as VoIP phones, network printers and IP security cameras. While exceptions could be made based on IP or MAC address for such devices, if a rogue system spoofs these addresses, NAC could be bypassed. Developing secure ways to authenticate and verify the integrity of such devices will not be a trivial task.
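To make the posture-check idea and the exemption problem concrete, here is an added example, not code from any NAC product or from the original post: a small policy evaluator that applies the checks named above (anti-malware signature age, OS patch level, group policy applied) to a constructed device report, and keeps a MAC-address exemption list for agentless devices such as phones and printers. The field names, thresholds and the final sanity check (an exempt “printer” that reports a PC operating system is refused) are assumptions for this example, not a NAC standard.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PostureReport:
    """What a NAC agent might submit when a device joins (constructed schema)."""
    mac: str
    os_name: str
    av_signature_age_days: Optional[int]   # None: no anti-malware agent reported
    os_patch_level: int                    # e.g. service pack number
    group_policy_applied: bool


@dataclass
class Policy:
    max_signature_age_days: int = 3
    min_patch_level: int = 3
    # MAC -> device class for agentless devices (phones, printers, cameras)
    exemptions: dict = field(default_factory=dict)


PC_OS_NAMES = {"windows", "macos", "linux"}


def evaluate(report, policy):
    """Return (decision, reasons); decision is 'allow', 'quarantine' or 'deny'."""
    device_class = policy.exemptions.get(report.mac.lower())
    if device_class:
        # Exempt devices skip posture checks entirely. That is the weakness
        # described above: whoever presents this MAC inherits the exemption.
        # Added heuristic (an assumption): an exempt appliance reporting a PC
        # operating system does not match its claimed device class.
        if report.os_name.lower() in PC_OS_NAMES:
            return "deny", [f"exempt {device_class} MAC reports PC OS {report.os_name}"]
        return "allow", [f"exempt device class: {device_class}"]

    reasons = []
    if report.av_signature_age_days is None:
        reasons.append("no anti-malware agent")
    elif report.av_signature_age_days > policy.max_signature_age_days:
        reasons.append(f"signatures {report.av_signature_age_days} days old")
    if report.os_patch_level < policy.min_patch_level:
        reasons.append(f"patch level {report.os_patch_level} below {policy.min_patch_level}")
    if not report.group_policy_applied:
        reasons.append("group policy not applied")
    if reasons:
        return "quarantine", reasons
    return "allow", ["posture checks passed"]


# Constructed sample data.
POLICY = Policy(exemptions={"00:11:22:33:44:55": "printer"})
HEALTHY_PC = PostureReport("aa:bb:cc:dd:ee:01", "Windows", 1, 3, True)
STALE_PC = PostureReport("aa:bb:cc:dd:ee:02", "Windows", 14, 2, False)
PRINTER = PostureReport("00:11:22:33:44:55", "PrinterFirmware", None, 0, False)
SPOOFED_PRINTER = PostureReport("00:11:22:33:44:55", "Windows", None, 0, False)

if __name__ == "__main__":
    for name, report in [("healthy pc", HEALTHY_PC), ("stale pc", STALE_PC),
                         ("printer", PRINTER), ("spoofed printer", SPOOFED_PRINTER)]:
        decision, reasons = evaluate(report, POLICY)
        print(f"{name}: {decision} ({'; '.join(reasons)})")
```

The printer case shows the trade-off directly: the exemption is what lets the device on at all, and it is also what a machine presenting the same MAC address inherits. The OS-name check only catches careless spoofing; a device that also mimics the appliance's reported attributes passes, which is why the post calls proper authentication of such devices a non-trivial problem.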

Challenges aside, this is a promising technology for enhancing the security of any network.

Read more about NAC here.

Aussie Govt wants Companies to Spy on Workers

April 14, 2008

Bosses will be able to spy on workers’ emails without consent under new anti-terror laws being considered in Australia, Deputy Prime Minister Julia Gillard said Monday.

Anti-terror? Really?

While it’s unclear as to what the extent (“internet communication” is the specified term) of the proposed legislation is, the Australian government has suggested that offering these new powers to employers will aid the prevention of denial of service attacks on the country’s digital infrastructure.

This can be ridiculous in one of (at least) two ways. The first is that, hopefully, this was drafted by government advisors who actually do have an understanding of technology, but Ms. Gillard either does not or has dumbed down her announcement for the mass media. The second, and more concerning, is that the government actually believes that the minimal amount of national security information which could be obtained from employee emails justifies this sanctioned invasion of privacy by corporations.

One of the examples the government has mentioned is that of a distributed denial of service (DDoS) attack. If such a threat were to propagate through email, surely email virus filtering would be a better thing to mandate than this proposed law. What about simply providing organisations with solid advice on network security policy? Prevention is better than a cure.

The other implication with the “anti-terror” label is that “terrorists” might be sending each other notes at work. While no-one can say for sure, practically speaking, who would use a work email to swap bomb recipes? There are more subtle ways to send sensitive information.

It’s one thing for a government to have the power to intercept personal emails (which many, including the Australian government, do), but giving those rights to private citizens (e.g. network admins) crosses the line.

If a company really wants this power, they can stipulate it in their employee contracts. While not great, at least the employees are informed. On the other hand, this sort of legislation will serve only to unnecessarily increase government powers and the powers of employers, without our consent.

Who’s winning here?

AFP Article