December 2004
December 21, 2004
Internet Explorer Cross-Site Scripting Flaw

Platform: Internet Explorer 6.0
Microsoft Severity: no comment yet
Actual Severity: CRITICAL
Danish security firm Secunia reported last Friday an IE vulnerability that lets phishers trick users into thinking they are securely connected to their financial institution or other commerce site, when in fact they're being spoofed by the phisher to capture the victim's user ID and password.
Secunia says the problem occurs even on systems running SP2 and the latest Microsoft security patches. It results from an error in the "DHTML Edit" ActiveX control when invoked by the execScript() function.
The end user must first visit a malicious site, which invokes the bug and then waits for the user to visit a targeted commerce site, at which point the user is surreptitiously redirected to a forged replica site. To the user, the URL in the navigation bar looks correct and the SSL lock icon may even appear. When the user logs into the forged site, the forger captures the victim's user ID and password.
Secunia's site includes an online demonstration of the flaw to let you test your browser.
Microsoft says it is looking into the problem and will publish a fix if warranted. In lieu of a fix, you should disable ActiveX controls in IE, or set the browser security level to "high" for the Internet zone. When visiting any commerce site, Dr. I. Doctor recommends that you always hand-type the URL in a fresh browser window, and ideally never use Internet Explorer!
Secunia's advisory bulletin, SA13482, is online at:
http://secunia.com/advisories/13482/
Secunia's demonstration of the flaw is at:
http://secunia.com/internet_explorer_cross-site_scripting_vulnerability_test/
Posted by Mel Beckman on December 21, 2004 at 11:22 AM
Service Pack 2 Firewall Flaw

Platform: Windows XP with Service Pack 2 running Microsoft's integrated firewall
Microsoft Severity: CRITICAL
Actual Severity: CRITICAL
Service Pack 2 has a critical vulnerability which can give the entire Internet access to file and print services that Microsoft's integrated firewall is supposed to protect.
According to a knowledgebase article Microsoft released last week (#886185), a flaw in the way the firewall interprets network scopes results in the Internet being considered a local network (The "My network" subnet). This happens when the Windows dial-up adapter is used to make the Internet connection, which can be the case with both modem and broadband Internet services. In particular, PPP-over-Ethernet connections, favored by some cable and DSL providers, often use this approach.
Microsoft has a fix available.
If an XP user opens printer and/or file sharing to his local network (not uncommon), the same services then become accessible via the Internet. Microsoft says this is not a bug, but rather "a configuration setting that shipped with Windows XP that was not optimal, but that is not classified as a security vulnerability," (Gary Schare, Windows director of product management, in a copyrighted Network World story). You can hear the weasels being tortured in every word.
Dr. I. Doctor always recommends a hardware firewall, even at home, as the primary security for a network. Software firewalls built on general purpose operating systems like Windows are just too unreliable to count on as your first line of defense. A hardware firewall, consisting of purpose-built software running on a dedicated network appliance, has a much lower probability of catastrophic bugs like this one. And you can buy very good name-brand firewalls for as little as $50, so cost is no excuse.
Microsoft's KB bulletin on the problem:
http://support.microsoft.com/kb/886185
The downloadable hot fix:
Posted by Mel Beckman on December 21, 2004 at 10:57 AM
December 15, 2004
WINS Compromised in Windows Server

Platform: All versions of Windows Server
Microsoft Severity: Important
Actual Severity: CRITICAL
Microsoft released a service bulletin yesterday announcing a vulnerability in WINS (UDP port 42) and already network security watchers are seeing apparent attempts to exploit the bug.
The flaw affects all versions of Windows Server, from NT through 2003 64-bit. Fortunately, Microsoft has a fix, and you'd better install it fast. According to SANS' Internet Storm Center, Internet watchers are reporting spikes in port 22 traffic -- a pretty clear indication of attempts to subvert WINS, which is normally a LAN-only protocol.
A hacker exploits the flaw by sending a specially-crafted malicious packet to a WINS server. Although WINS servers are typically not Internet-accessible, they are still vulnerable to inside attacks launched by viruses. And some people have unwittingly exposed their WINS servers to the Internet, which is why hackers are diligently scanning the Internet right now looking for them. Once the hacker finds a vulnerable server, she can take it over completely.
Even if you're currently on Active Directory, you should install this fix, to forestall problems should somebody inadvertently enable WINS on one of your servers. Indeed, many shops are running WINS without knowing it; it's installed and enabled by default on Windows 2000 Server and Windows Server 2003.
Windows Server 2003 is slightly less vulnerable to takeover than 2000, but only because it usually crashes when attacked by this exploit. If it crashes three times in a row, it shuts down permanently until you manually restart it. So this exploit doubles as a Denial of Service attack.
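The SP2 firewall bug above and this WINS advisory come down to the same exposure: a service that belongs on the LAN only, reachable from the Internet. The Python script below is an example added here, not code from this post, from Microsoft or from SANS. It audits a Windows Firewall log for that condition: allowed inbound connections from outside RFC 1918 space to WINS (UDP/42) or to the NetBIOS and SMB ports that carry file and print sharing, plus a count of dropped probes of the same ports, which is what a scan for exposed WINS servers looks like from the defender's side. The record layout is my reading of the SP2 firewall's pfirewall.log (column names as in its #Fields header; treat that layout as an assumption), and the log lines are constructed, with outside addresses drawn from the RFC 5737 documentation ranges.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Optional

# Services that belong on the LAN only. WINS is UDP/42 (as in the bulletin);
# NetBIOS name/datagram/session and SMB carry Windows file and print sharing.
LAN_ONLY_PORTS = {42: "WINS", 137: "NetBIOS-NS", 138: "NetBIOS-DGM",
                  139: "NetBIOS-SSN", 445: "SMB"}

# Address ranges treated as "local": RFC 1918 space plus loopback. Listed
# explicitly rather than via ipaddress's is_private, which also classifies
# the RFC 5737 documentation ranges used in the sample below as private.
LOCAL_SCOPE = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Column layout assumed from the pfirewall.log "#Fields:" header.
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Constructed sample log: one allowed WINS hit and one allowed NetBIOS session
# from outside, a legitimate internal SMB connection, a dropped WINS probe,
# an outbound web request and a dropped ping.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-12-15 13:41:02 OPEN UDP 203.0.113.7 192.168.1.10 1034 42 - - - - - - - - RECEIVE
2004-12-15 13:41:05 OPEN TCP 192.168.1.22 192.168.1.10 3271 445 - - - - - - - - RECEIVE
2004-12-15 13:41:09 OPEN TCP 198.51.100.9 192.168.1.10 2044 139 - - - - - - - - RECEIVE
2004-12-15 13:41:11 DROP UDP 203.0.113.7 192.168.1.10 1035 42 - - - - - - - - RECEIVE
2004-12-15 13:41:15 OPEN TCP 192.168.1.10 203.0.113.50 1100 80 - - - - - - - - SEND
2004-12-15 13:41:20 DROP ICMP 198.51.100.9 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one log record into a dict keyed by column name.
    Header, blank and malformed lines yield None rather than a guess."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_local(ip: str) -> bool:
    """True when the address falls inside one of the LOCAL_SCOPE networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_SCOPE)


def audit(log_text: str) -> Dict[str, object]:
    """Report (1) allowed inbound connections from outside the local scope to a
    LAN-only service, which is what the scope bug lets through, and (2) dropped
    probes of those services from outside, a sign that someone is scanning."""
    exposed: List[str] = []
    probes: Counter = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        # Only inbound records with a numeric destination port matter here.
        if rec is None or rec["path"] != "RECEIVE" or rec["dst-port"] == "-":
            continue
        port = int(rec["dst-port"])
        if port not in LAN_ONLY_PORTS or is_local(rec["src-ip"]):
            continue
        svc = LAN_ONLY_PORTS[port]
        if rec["action"] == "OPEN":
            exposed.append(f'{rec["date"]} {rec["time"]} {svc} ({rec["protocol"]}/{port}) '
                           f'reached from Internet host {rec["src-ip"]}')
        elif rec["action"] == "DROP":
            probes[svc] += 1
    return {"exposed": exposed, "probes": dict(probes)}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for finding in result["exposed"]:
        print("ALERT:", finding)
    print("blocked probes by service:", result["probes"])
```

Run as-is it audits the embedded sample; on a real system replace SAMPLE_LOG with the log file's contents and add your own subnets to LOCAL_SCOPE. Any line in the "exposed" list means the firewall let an outside host onto a LAN-only service, which is the failure the SP2 scope bug produces, and a rising probe count against WINS is the scanning the Storm Center describes.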
One can only wonder that Microsoft rates this merely an "Important", rather than "Critical", alert.
Microsoft's security bulletin MS04-045 is at:
http://www.microsoft.com/technet/security/bulletin/MS04-045.mspx
The SANS Internet Storm Center is at:
http://isc.sans.org/
Posted by Mel Beckman on December 15, 2004 at 2:00 PM
Book Review - Wi-Foo: The Secrets of Wireless Hacking
Wi-Foo: The Secrets of Wireless Hacking
(Vladimirov, Andrew, et al.; Addison Wesley, June 2004; ISBN 0-321-20217-1, 592 pages)
There are a lot of WiFi security books out there, but most of them are shallow rehashes of basic security issues without a lot of hands-on depth.
One test I use to test the mettle of a WiFi security tome is to see what it says about VPN encryption. If you don't already know, VPN encryption is the only way to reliably protect WiFi network traffic; WEP, WPA, and 802.11i all have serious flaws that make them vulnerable to attack.
Most WiFi guides make only a passing reference to VPN encryption. Wi-Foo passes my test by incorporating an entire chapter on VPNs, with detailed instructions on setting up VPN protection using open source components. This definitely piqued my interest in the rest of the book, and I wasn't disappointed with what I found.
Wi-Foo is an insider's guide to securing wireless networks, taking the point of view of an attacker. The book teaches you about 802.11 network hardware and software, and then graphically illustrates WiFi vulnerabilities by giving you detailed instructions on exploiting them. Some might worry that this amounts to a hacker's instruction manual, but trust me -- the real hackers have had this information for a long time.
Wi-Foo gives you a clear description of hacker processes without forcing you to go through the trouble of digging up the information online -- something most hackers are willing to spend hours doing, but which most network security administrators can't afford. The book describes Wardriving -- the act of traveling around a city looking for victim networks -- and how to attack prospective victims once you've found them. It then explains how to effectively thwart such attacks, how to select appropriate encryption algorithms for a given application, and how to monitor your now-secure network for intrusion attempts and potential break-ins.
A series of appendices provide handy reference material on WiFi equipment and utilities, and an extremely useful penetration test plan that you can employ immediately to test your own WiFi security.
I've looked at every WiFi security book currently in U.S. publication, and this one is by far the best of the breed. It's essential reading for every network security guru. If you aren't a guru and don't think you need all the information in this huge volume, it's worth adding to your O'Reilly Safari bookshelf for a month of online reading.
The publisher's site:
http://www.aw-bc.com/catalog/academic/product/0,1144,0321202171,00.html
Read the book online at O'Reilly's Safari library:
http://safari.oreilly.com/JVXSL.asp?xmlid=0321202171
Posted by Mel Beckman on December 15, 2004 at 1:17 PM | Comments (1)
HA7NET: Remote Environmental Monitoring on the Cheap
Environmental monitoring is an important aspect of network administration, but it's always been kind of pricey to do remotely. Most environmental monitoring platforms cost several hundred to several thousand dollars, support only a few expensive, proprietary sensors, and aren't readily automated through web interactions. As a result, we network administrators tend to monitor one or two environmental variables -- temperature, and perhaps humidity -- per data center or rack, even though we'd like to measure many more things.
The HA7Net from Embedded Data Systems is a palm-sized Ethernet-equipped Web-enabled environmental monitoring platform that costs only $150.
It supports a huge array of standard off-the-shelf sensors based on the famous Maxim (formerly Dallas Semiconductor) OneWire interface. If you're not familiar with it, the OneWire interface is a simple single-wire daisy-chain network for slow speed communication with tiny, cheap remote sensing and control devices. These devices include temperature, humidity, and contact closure sensors, remote relays, analog-to-digital and digital-to-analog converters, digital displays, digital key readers, and audible alarms. The operative word here is "cheap." Unlike competing sensors costing $100 each or more, these typically cost under $20 in single quantities, and you can buy the OneWire components themselves for two or three dollars each and make your own sensors.
Every OneWire device has a unique 64-bit serial number programmed into it, and you can individually address, read, and write to as many as 100 devices on the OneWire network through the HA7Net. In OneWire lingo, the HA7Net is a "Bus Master". But because it's both Ethernet and Web enabled, it's an eminently programmable Bus Master that you can easily integrate into your existing network management system.
You interact with the HA7Net using a web browser, over either http or https (SSL) connections. The box has a reasonably friendly Web GUI, but actually manipulating OneWire devices requires a bit of study to understand how the OneWire protocol works. In a nutshell, every OneWire interaction consists of two steps: selecting a device, and then communicating with it. You perform these steps using two HTML transactions, which you can enter manually by hand using any Web browser or automate using a Web scripting engine such as Wget or Lynx.
One of the HA7Net�s HTML commands returns an inventory of all the devices connected to the OneWire network, which lets you quickly verify in a single operation that all your sensors and controls are online and available. You can then communicate with devices individually using additional HTML commands.
Internally the HA7Net sports a multi-user Web server, a battery-backed, SNTP-capable real time clock, a DHCP client, and a three-port OneWire hub that lets you quickly connect off-the-shelf sensors using ordinary modular phone cable. The HA7Net is purely a Web device -- it does not support FTP or SNMP -- but it does include telnet terminal access for debugging purposes.
The basic package doesn't include any sensors, but you can buy plug-and-play units from Embedded Data Systems for $15 or so each, or go right to the source at Maxim and buy raw devices for $2 or $3 each and wire them up yourself. The HA7Net includes a thorough manual that teaches you everything you need to know about OneWire programming, and a number of ready-to-run examples.
In just a few minutes I was able to hook the HA7Net into my Intermapper network management system using a custom script.
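The inventory command described above is the natural hook for a monitoring script like the one used with Intermapper. What follows is an added Python example of my own, not the author's script and not code from Embedded Data Systems or Maxim: it takes the HTML an inventory command returns, validates each 64-bit ROM id against the CRC byte every OneWire device carries, decodes the family code, and compares the result with the sensors you expect on the bus, so that a sensor which has dropped off, a garbled id, or a device nobody registered each gets reported. The markup it parses (one INPUT named Address_n per device, with the id printed CRC-first and family code last) is my assumption about the HA7Net's response and may need adjusting to the real page; the sample listing is constructed. The CRC routine is the standard Dallas/Maxim 1-Wire CRC-8.

```python
import re
from typing import Dict, List, Tuple

# Family codes (the low byte of the 64-bit ROM id) for some common 1-Wire parts.
FAMILY_CODES = {
    0x01: "DS2401 silicon serial number",
    0x02: "DS1991 MultiKey iButton",
    0x10: "DS18S20 temperature",
    0x12: "DS2406 addressable switch",
    0x1D: "DS2423 counter",
    0x26: "DS2438 battery monitor (used in humidity sensors)",
    0x28: "DS18B20 temperature",
}


def crc8_maxim(data: bytes) -> int:
    """Dallas/Maxim 1-Wire CRC-8, polynomial x^8 + x^5 + x^4 + 1, bit-reflected
    (0x8C). Known vector from Maxim's 1-Wire CRC application note:
    family 02, serial 1C B8 01 00 00 00 (wire order) -> CRC A2."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8C if crc & 1 else crc >> 1
    return crc


def make_rom(family: int, serial: int) -> str:
    """Build a 16-hex-digit ROM id: CRC, six serial bytes, family code, printed
    most-significant byte first (the order assumed for the HA7Net's listing)."""
    payload = bytes([family]) + serial.to_bytes(6, "little")   # wire order
    return (bytes([crc8_maxim(payload)]) + payload[::-1]).hex().upper()


def rom_is_valid(rom_hex: str) -> bool:
    """Check the CRC byte against the serial and family code of a printed ROM id."""
    if not re.fullmatch(r"[0-9A-Fa-f]{16}", rom_hex):
        return False
    rom = bytes.fromhex(rom_hex)
    return crc8_maxim(rom[1:][::-1]) == rom[0]


def family_of(rom_hex: str) -> str:
    code = int(rom_hex[-2:], 16)
    return FAMILY_CODES.get(code, f"unknown family 0x{code:02X}")


# Assumed response shape: one INPUT per device, NAME="Address_<n>", VALUE=<ROM id>.
ADDRESS_RE = re.compile(r'NAME="Address_(\d+)"[^>]*VALUE="([0-9A-Fa-f]{16})"')


def parse_inventory(html: str) -> List[str]:
    return [m.group(2).upper() for m in ADDRESS_RE.finditer(html)]


def check_inventory(html: str, expected: Dict[str, str]) -> Tuple[str, List[str]]:
    """Compare the bus master's inventory with what should be on the bus.
    DOWN if an expected sensor is gone; WARN for a corrupt id or an unregistered
    device; OK otherwise. The problem list is suitable for an alert body."""
    seen = parse_inventory(html)
    problems = [f"corrupt id {r} (CRC mismatch)" for r in seen if not rom_is_valid(r)]
    present = {r for r in seen if rom_is_valid(r)}
    for rom, label in expected.items():
        if rom not in present:
            problems.append(f"missing {label} ({rom}, {family_of(rom)})")
    for rom in sorted(present - set(expected)):
        problems.append(f"unexpected device {rom} ({family_of(rom)})")
    if any(p.startswith("missing") for p in problems):
        return "DOWN", problems
    return ("WARN" if problems else "OK"), problems


# Constructed sample: three registered sensors, of which the door contact's id
# arrives corrupted, the humidity sensor is off the bus, and an unregistered
# DS2401 has appeared.
RACK_TEMP = make_rom(0x28, 1)
DOOR_CONTACT = make_rom(0x12, 2)
HUMIDITY = make_rom(0x26, 3)
STRAY_TAG = make_rom(0x01, 9)
EXPECTED = {RACK_TEMP: "rack temperature", DOOR_CONTACT: "cabinet door contact",
            HUMIDITY: "room humidity"}
CORRUPT = DOOR_CONTACT[:10] + ("0" if DOOR_CONTACT[10] != "0" else "1") + DOOR_CONTACT[11:]
SAMPLE_HTML = "\n".join(
    f'<INPUT CLASS="HA7Value" NAME="Address_{i}" ID="Address_{i}" TYPE="TEXT" VALUE="{rom}">'
    for i, rom in enumerate((RACK_TEMP, CORRUPT, STRAY_TAG)))

if __name__ == "__main__":
    status, problems = check_inventory(SAMPLE_HTML, EXPECTED)
    print(status)
    for p in problems:
        print(" -", p)
```

To use it against a live HA7Net, fetch the inventory page (with Wget, or urllib) and pass its body in place of SAMPLE_HTML, with EXPECTED filled from the ids the box shows in its Web GUI. The "unexpected device" branch is the one worth keeping an eye on: a OneWire bus runs over cheap phone cable through a data center, and a device that was never registered showing up on it deserves the same attention as a new host appearing on the network.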
Find out more about the HA7Net online at:
http://embeddeddatasystems.com/page/EDS/PROD/HA/HA7Net
You can purchase OneWire devices directly from Maxim at:
http://www.maxim-ic.com/1-Wire.cfm
To find out more about Intermapper, Dr. I. Doctor's network monitoring tool of choice, visit:
http://www.intermapper.com
Posted by Mel Beckman on December 15, 2004 at 10:46 AM | Comments (3)