Monday, May 23, 2005

Distributed identity system

OpenID (http://www.danga.com/openid/), developed by the creators of LiveJournal, is another attempt at a single sign-on system. The system is similar to TypeKey and Passport, but is focused more on blogs and promises to actually be "distributed".

"An OpenID-enabled site/blog lets you authenticate using your existing login from your homesite (whether that's on your own server or a hosted service) without giving away your password to the 3rd-party site you're visiting, or making a new account there, or giving away your email address. And it's secure, and can run entirely in the browser without extensions, without moving between pages."

The overview mentions the possible use of SAML, which might be of interest to the conversation about placing XML services in the Ajax thread.

There is also a demo available using Ajax: http://www.danga.com/openid/demo/demo.html

and detailed system specifications: http://www.danga.com/openid/specs.bml

Tuesday, May 17, 2005

Critical flaws in IPsec protocols

Flawed cryptography is leaving people using IPsec security protocols vulnerable to hacking, according to the UK's National Infrastructure Security Coordination Centre (NISCC). The organisation has released an advisory about the discovery of three key flaws in the Encapsulating Security Payload (ESP) that provides base-level encryption of data, typically travelling through virtual private networks.

"An attacker could modify sections of the IPsec packet, causing either the cleartext inner packet to be redirected or a network host to generate an error message," warned NISCC.

"In the latter case, these errors are relayed via the Internet Control Message Protocol. Because of the Protocol's design, these messages directly reveal segments of the header and payload of the inner datagram in cleartext.

"The attacks have been implemented and demonstrated to work under realistic conditions."

The organisation rates the flaws as 'highly critical' and added that the Authentication Header protocols that guarantee the authenticity of data packets are also vulnerable. The advisory provides three ways to work around the problem, including reconfiguring the ESP system and using Authentication Header and ESP simultaneously to defeat eavesdroppers.

IP Security (IPsec) is a set of protocols developed by the Internet Engineering Task Force (IETF) to support secure exchange of packets at the IP layer; IPsec has been deployed widely to implement Virtual Private Networks (VPNs).

Three attacks that apply to certain configurations of IPsec have been identified. These configurations use Encapsulating Security Payload (ESP) in tunnel mode with confidentiality only, or with integrity protection being provided by a higher layer protocol. Some configurations using AH to provide integrity protection are also vulnerable. In these configurations, an attacker can modify sections of the IPsec packet, causing either the cleartext inner packet to be redirected or a network host to generate an error message. In the latter case, these errors are relayed via the Internet Control Message Protocol (ICMP); because of the design of ICMP, these messages directly reveal segments of the header and payload of the inner datagram in cleartext. An attacker who can intercept the ICMP messages can then retrieve plaintext data. The attacks have been implemented and demonstrated to work under realistic conditions.

http://www.vnunet.com/news/1163022
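To make the advisory's point concrete, here is an added Python model of ESP receive processing with and without an integrity check value (ICV); it is my own illustration, not code from NISCC or from any IPsec implementation. The block cipher is a toy Feistel stand-in for AES-CBC, the inner "header" is a constructed sample, and the keys, SPI and offsets are assumptions; the behaviour shown is that a confidentiality-only ESP receiver accepts a modified packet and hands up altered plaintext, while a receiver that verifies an ICV drops it before decryption.

```python
import hashlib, hmac, os, struct

BLOCK = 16  # toy 16-byte Feistel cipher over SHA-256 stands in for AES; not real IPsec code
xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

def _block(key, blk, rounds):  # rounds=range(8) encrypts, reversed(range(8)) decrypts
    l, r = blk[:8], blk[8:]
    for i in rounds:
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return r + l

def cbc_encrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = _block(key, xor(data[i:i + BLOCK], prev), range(8))
        out += prev
    return out

def cbc_decrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        out += xor(_block(key, data[i:i + BLOCK], reversed(range(8))), prev)
        prev = data[i:i + BLOCK]
    return out

def esp_encapsulate(spi, seq, inner, enc_key, auth_key=None):
    """SPI | seq | IV | ciphertext [| ICV]; auth_key=None is the confidentiality-only setup."""
    padded = inner + bytes((-len(inner)) % BLOCK)
    iv = os.urandom(BLOCK)
    pkt = struct.pack("!II", spi, seq) + iv + cbc_encrypt(enc_key, iv, padded)
    if auth_key is not None:  # 96-bit HMAC-SHA1 ICV over SPI, seq, IV and ciphertext
        pkt += hmac.new(auth_key, pkt, hashlib.sha1).digest()[:12]
    return pkt

def esp_decapsulate(pkt, enc_key, auth_key=None):
    """Receiver: verify the ICV before decrypting when one is configured; None means drop."""
    if auth_key is not None:
        body, icv = pkt[:-12], pkt[-12:]
        if not hmac.compare_digest(hmac.new(auth_key, body, hashlib.sha1).digest()[:12], icv):
            return None  # silently discarded: no ICMP error, no plaintext leak
        pkt = body
    return cbc_decrypt(enc_key, pkt[8:8 + BLOCK], pkt[8 + BLOCK:])

INNER, ENC_KEY, AUTH_KEY = bytes(range(0x45, 0x45 + 20)), b"k" * 16, b"a" * 20  # constructed sample header + keys

def receive_after_tamper(with_icv):
    key = AUTH_KEY if with_icv else None
    pkt = esp_encapsulate(0x1000, 1, INNER, ENC_KEY, key)
    tampered = pkt[:8] + bytes([pkt[8] ^ 0x01]) + pkt[9:]  # one bit of the IV changed in transit
    return esp_decapsulate(tampered, ENC_KEY, key)
```

Without the ICV the receiver returns plaintext whose first byte is silently altered (the rest of the inner header is intact, which is what makes the advisory's redirection and ICMP-error cases possible); with the ICV the same packet is rejected.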

Sunday, May 08, 2005

Virus versus backdoors in popularity

A reader pointed out that "backdoor.hackdefender" was rather popular at VirusTotal. Looking at the top 10, most of the entries are backdoors.

Perhaps it is time to make a mental note that although backdoors typically don't spread fast, they do seem to be widely present in the wild.

Add to that that cleaning up after a backdoor is tricky business: what else was installed, changed, or ... while the backdoor was in place? Typical viruses are much more predictable and therefore easier to clean up.

As such it might be a good moment to check the risk levels of backdoors in your organization and perhaps take some more measures.

Let me know what you think about it. If you do have extra measures in addition to the typical anti-virus measures to counter the threat of backdoors, let me know which.

Thursday, May 05, 2005

Cheers M$

Is it the Win 95 on C64..?? hah..sure to get lost..!!

Wednesday, May 04, 2005

Botnets and phishing

A recent post to the Dailydave mailing list, titled Distributed Phishing, described an incident similar to the report we received yesterday. The report outlined a large organization's battle against a botnet that implemented a phishing attack against the organization's customers. The trend to use bots for hosting phishing websites on compromised systems is not new, and was documented in the Register article titled Phishers Tapping Botnets to Automate Attacks. Using bots in this manner makes it difficult to shut down the malicious site, because the attacker can quickly modify the domain record to point to another compromised system. One way to defend against such attacks is to work with the company hosting the DNS server that resolves the malicious domain name to remove or modify the offending records.

Attacks that we're observing now are becoming more elaborate. In the most recent report, the attacker was using a botnet to host not only the malicious websites, but also the DNS servers that provided domain resolution services for the targeted domain name. This setup allowed the attacker to move to a new DNS server when one of the malicious servers got shut down. An organization battling this threat typically has to deal with the registrar of the malicious domain, instead of attempting to shut down the individual DNS server. Unfortunately, many domain registrars don't have formal procedures for dealing with such requests, which makes it difficult for organizations to defend against such attacks.

Some ISPs can help their customers combat such attacks by implementing a type of domain hijacking, intercepting and redirecting malicious DNS traffic that traverses their network. While this approach does not entirely mitigate the issue, it does mitigate it within the ISP's network; it is particularly effective if implemented by a large ISP. Considering the limitations of this mechanism, having domain registrars develop processes for addressing this attack scenario would be very helpful.

Still changing the thoughts...

Several companies which fear hackers will think after reading this: "f*ck, we have to tighten the 'new employee' process". But I will tell you something: too late ... we are already everywhere. In all major consulting, audit and software development companies, banks and IT security companies there are former hackers. And guess what? The world is not crumbling down in despair. Most hackers have ethics. You might not like their ethical code, but most of them have a code of honour, and would never hack the company they are working for. You might say "but the others, not all are good" - yes, that's true, but so is the rest of the world; the same is true about people who are not hackers. If you fight us you will lose valuable team members, with strong skills and experience. Think about it. And to the hacker scene: having a cool security job and still doing greyhat stuff - this is the best thing which can happen to us. Having fun, and getting paid for it.

Changing the thoughts...

Young hackers usually dream about becoming a well-known security expert, whose job is about executing high profile penetration tests on Fortune 100 companies. Why? Cool and interesting projects, bleeding edge hardware and software to work with, new areas to learn and gain knowledge in, earning money, creating (another) high profile, this time with the real name. Most hackers dream of that; few actually achieve it. This text is mostly about the pitfalls a hacker has to overcome, especially when a company doesn't like "evil" hackers for the job. Therefore a sound and seemingly logical explanation of where he got this security knowledge is very important. Some people might say "hey, nice article, but it is not really about hacking" - well, I say it is. It is about hacking corporate minds. You want to achieve your goal, working for that Fortune 10 bank as an IT security expert, but f*ck, they don't like hackers. Hackers are evil, criminals, they say. So you have to hack their brains to get what you want! First, it should be clear what a "security job" is about, or being a whitehat. The world, the work and the views are different. The section "Hacker World vs. Security World" describes this. Then you might need additional knowledge to impress your hopefully new employer; the ways to get that are also pretty clear, and you can find some hints in "Getting a Background". After you know what will await you, you actually have to apply for a job. There are some do's and some don'ts you should keep in mind when writing your application documents and when you've got your job interview. The sections "Truthful or not", "How to find a job", "Getting your CV right" and "The Job Interview" will keep you on the right track. And finally: "Things you should not do after getting the job". This might be more important than you think.
Last thing you should keep in mind when reading this text: it is especially meant for people who have a hard time getting employed because the company they are interested in has a "no-hacker" policy, or the country they are living in does not see hackers as an enrichment to the security business. If you are trying to get into a company which welcomes hackers with open arms, which is rarely the case, this text can still be important to you. Enjoy. (Will come up with more in the next part.. :))