Network Security
ISSN 1353-4858 August 2008
www.networksecuritynewsletter.com
Featured this month:
Fuzzing for the masses
Traditionally, security testing involved using a predefined set of test data to see if any flaws could be found in a system. But no matter how much a tester thinks that data through, there will always be something missing that could turn up in the real world and cause a system failure. Fuzzing is a security testing technique in which testers throw random data at a system until the system reacts in an unpredictable way.
Ari Takanen, co-founder and CTO of Codenomicon, recently finished co-authoring a book on fuzzing. In this article, he describes some of the basic techniques involved, and highlights some of the different types of fuzzer that can be used to try to evaluate system security. Go to Page 4...
Seven steps to a secure virtual environment
The need for increased agility and the increasing cost and complexity of IT have driven the rapid adoption of virtualisation technologies. While some virtualisation experts claim that virtualised computing environments are fundamentally no less secure than physical computing environments, others claim that virtualisation can enable better security.
Both claims can be correct, but only where the management of the physical machine is secure and the configuration of each virtual machine is secured in a standardised fashion.
However, the reality is that when information security controls are improperly implemented or neglected in virtualised environments, real security risks and exposures are created faster than ever. This is the potential dark side of virtualisation, where the information security controls that adequately controlled risks before virtualisation may no longer suffice. The good news is that it doesn’t have to be this way. Gene Kim of Tripwire explains why. Go to Page 14...
DNS flaw rocks web
A fundamental design flaw in the DNS standard left ISPs and vendors scrambling to fix their servers and avoid a major attack. A team led by Dan Kaminsky discovered the flaw, which applies to all implementations of DNS and could lead to people being directed to malicious sites instead of legitimate ones.
The flaw centres on ‘in-bailiwick’ name referrals, in which a DNS request is made to a subdomain (for example 1.domain.com, rather than simply domain.com). Many in-bailiwick requests can be made at the same time, which enables attackers to guess the transaction ID normally used in a DNS request.
Contents
NEWS
DNS flaw rocks web 1
City worker holds San Francisco to ransom 2
Online crime networks mimic mafia 2
FEATURES
Fuzzing for the masses 4
One of the most important testing mechanisms when it comes to evaluating system security is to throw significant amounts of data at it and see if it falls over. Ari Takanen describes the basic techniques behind fuzzing, and shows how to use them to render systems more secure.
Cybercrime is in a state of flux 6
Fast flux is one of the latest developments in the shady world of the botnet. Fortinet’s Guillaume Lovet explains how fast flux botnets work.
Privacy features of European eID specifications 9
Ingo Naumann and Giles Hogben of ENISA explore the technical architecture of European electronic ID cards and evaluate their privacy implications.
Seven steps to a secure virtual environment 14
Increasing agility, and addressing the increasing complexity of IT, is pushing IT’s rapid adoption of virtualisation. Yet virtualisation can result in the proliferation of insecure IT infrastructure. Gene Kim, CTO of Tripwire, provides seven steps to securing virtual infrastructure.
2008: Six months of information security 18
Data theft, password management and internal governance have all hit the headlines in recent months. Dario Forte looks at how the information security landscape has changed throughout the first half of the year.
REGULARS
News in brief 3
Events 20
Continued on Page 2...
ISSN 1353-4858/08 © 2008 Elsevier Ltd. All rights reserved.
This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:

Photocopying
Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.

Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, United Kingdom
Programme Editor: Steve Barrett. Tel: +44 (0)1865 843239; Fax: +44 (0)1865 843933; Email: [email protected]
Web: www.networksecuritynewsletter.com
Editor: Danny Bradbury. Email: [email protected]
Senior Editor: Sarah Gordon
International Editorial Advisory Board: Dario Forte; Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, Hightower; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact
Production Editor: Lin Lucas

Subscription Information
An annual subscription to Network Security includes 12 printed issues and online access for up to 5 users. Prices: 992 for all European countries & Iran; US$1110 for all countries except Europe and Japan; ¥131 700 for Japan (prices valid until 31 December 2008). To subscribe send payment to the address above. Tel: +44 (0)1865 843687; Fax: +44 (0)1865 834971; Email: [email protected], or via www.networksecuritynewsletter.com. Subscriptions run for 12 months, from the date payment is received. Periodicals postage is paid at Rahway, NJ 07065, USA. Postmaster: send all USA address corrections to Network Security, 365 Blair Road, Avenel, NJ 07001, USA.

Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333, e-mail: [email protected]. You may also contact Global Rights directly through Elsevier’s home page (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; tel: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments.

Derivative Works
Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations.

Electronic Storage or Usage
Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and e-mail addresses noted above.

Notice
No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.

Printed by Mayfield Press (Oxford) Limited

NEWS
Continued from front page...
Kaminsky and a variety of vendors and ISPs worked on the problem and were able to get a two-week head start before the details of the vulnerability were leaked. Exploit code is now in the wild, and the race has been on to get patches to all DNS servers out in time to minimise the damage.
Patching such a huge code base is understandably difficult, and reports have surfaced of performance issues with anti-DNS poisoning patches. Representatives from the Internet Systems Consortium posted on a mailing list that the patches could impact performance for high-volume recursive DNS servers running BIND, the popular DNS server software. US-CERT also noted that some nameservers behind network address translation and port address translation devices may not be helped by the patch, which uses source port randomisation to minimise the risk. Apple took time to patch its servers, but eventually complied, although at the time of writing reports suggested that the company had still to patch Mac clients.
H.D. Moore, author of the Metasploit toolkit, quickly put the DNS flaw into his software. The renowned hacker then experienced a DNS attack that he said happened at his local ISP’s server, which altered the destination page for web queries.
The discovery of the flaw led to renewed calls for the implementation of DNSSEC, which bolsters the security of DNS requests. The .ORG public internet registry had already announced plans in June to become the first domain to recommend the adoption of DNSSEC across the board.
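The US-CERT caveat above is worth turning into a check: a patched resolver that sits behind a NAT or PAT device which rewrites its source ports sequentially is no better off than an unpatched one, because the spoofed reply then only has to match the 16-bit transaction ID again. The following Python script is an added example, not code from the newsletter or from any of the vendors mentioned. It takes a sample of the UDP source ports a resolver used on its outgoing queries (which a defender would capture on the resolver's upstream side; the three samples below are constructed for illustration) and reports whether the ports look randomised or predictable.

```python
"""Check whether a resolver's outgoing DNS queries really use randomised
source ports, or whether a NAT/PAT device has made them predictable again.
All port samples below are constructed for illustration."""
import math
from collections import Counter

# Constructed sample: UDP source ports of 20 consecutive outgoing queries
# from a patched recursive resolver (hypothetical data).
RANDOMISED_PORTS = [53231, 1845, 60017, 29998, 44120, 7310, 51664, 12987,
                    38451, 62002, 20556, 3391, 47705, 58214, 16663, 33872,
                    9051, 41289, 55580, 25134]
# Constructed sample: the same resolver seen from outside a NAT/PAT device
# that allocates translated ports in order, undoing the randomisation.
NAT_SEQUENTIAL_PORTS = list(range(1024, 1044))
# Constructed sample: an unpatched resolver sending every query from port 53.
FIXED_PORT = [53] * 20


def port_entropy_bits(ports):
    """Shannon entropy of the observed port values, in bits.
    It is bounded above by log2(len(ports)), so treat it as a relative
    measure of spread across the sample, not as the resolver's true entropy."""
    n = len(ports)
    return -sum((c / n) * math.log2(c / n) for c in Counter(ports).values())


def longest_sequential_run(ports):
    """Length of the longest run in which each port is the previous one + 1,
    the signature of a NAT allocating translated ports sequentially."""
    best = run = 1
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def assess_port_randomisation(ports, min_distinct_fraction=0.9, max_run=3):
    """Summarise a port sample and give a verdict a defender can act on.
    A sample passes only if nearly every port is distinct and no long
    sequential run is present (thresholds are assumptions, tune as needed)."""
    distinct = len(set(ports))
    run = longest_sequential_run(ports)
    entropy = port_entropy_bits(ports)
    ok = distinct >= min_distinct_fraction * len(ports) and run <= max_run
    return {
        "samples": len(ports),
        "distinct": distinct,
        "longest_sequential_run": run,
        "entropy_bits": round(entropy, 2),
        "verdict": "randomised" if ok else "predictable",
    }


if __name__ == "__main__":
    for name, sample in [("patched resolver", RANDOMISED_PORTS),
                         ("behind sequential NAT", NAT_SEQUENTIAL_PORTS),
                         ("fixed source port", FIXED_PORT)]:
        print(f"{name:22s} {assess_port_randomisation(sample)}")
```

Run against a real capture, a "predictable" verdict on a resolver you believe to be patched points at the device in front of it rather than at the resolver software, which is exactly the case US-CERT flagged; the fix is then to make the NAT/PAT preserve or randomise source ports, or to move the resolver outside it.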
City worker holds San Francisco to ransom
It’s normally the mayor who awards notable public figures the key to the city. In Gavin Newsom’s case, he was lucky to get them back from a disgruntled programmer who had been refusing to hand them over.
The mayor of San Francisco finally got the electronic codes from a disgruntled technical worker who effectively held the city to ransom after creating a back door to take control of city computer systems. Terry Childs, a technical worker for the City of San Francisco, reportedly created passwords granting him exclusive access to the FiberWAN wide area network, which contained files crucial to administrative operations. Local paper SFGate said that officials’ emails, payroll files and law enforcement documents were on the system. Newsom got the keys after Childs experienced a change of heart in his jail cell, where he is being detained.
Online crime networks mimic mafia
A report from Finjan has confirmed that criminals focusing on internet crime have formed highly structured networks, similar in organisation to the mafia ‘family’ model.
A top boss controls the syndicate without committing any of the crime himself. An underboss deals directly with the rest of the syndicate, providing Trojans and controlling the command and control structures. Campaign managers akin to the mafia’s ‘capos’ carry out their own malware campaigns with the help of affiliation networks. Affiliates in the network hack legitimate sites and insert references to attack code to earn rewards from the campaign managers. The attack code is then installed on victims’ machines to harvest data, and resellers sell it on.
[Figure: Global spam by category, August 2008. Source: Symantec monthly spam report.]