NetSec corner




Netsec, comsec, infosec and IA news, research and trends

 

4.24.2004

 
Advisory: Symantec Multiple Firewall TCP Options Denial of Service

 
Recommended Reading: UNITED STATES CODE: TITLE 18. CRIMES AND CRIMINAL PROCEDURE: PART I--CRIMES, CHAPTER 119--WIRE AND ELECTRONIC COMMUNICATIONS INTERCEPTION AND INTERCEPTION OF ORAL COMMUNICATIONS

"It shall not be unlawful under this chapter or chapter 121 of this title for any person to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public."

A good deal of Internet communication is occurring through "an electronic communication system that is configured so that such electronic communication is readily accessible to the general public." Does this mean it is or is not legal to intercept Internet traffic? How about your neighbor's unswitched cable modem traffic? One thing this certainly does mean is that it is legal to intercept most unencrypted wireless communications.

 
One way to keep the recent THCIISSLAME exploit from working is to disable PCT 1.0 on IIS (applying MS04-011 is the real fix; disabling the protocol is a stopgap). PCT is switched off through the Enabled value under the SCHANNEL\Protocols\PCT 1.0\Server key in the registry, the procedure Microsoft documents in KB 187498. Almost nothing speaks PCT any more, so turning it off costs little.
Here is the Private Communication Technology standard.



4.22.2004

 
Found on PacketStorm: pam_usb is a PAM module that authenticates users with a key stored on a USB storage device.

The latest revision is version 0.2.2, and it appears to be functional and well documented. Expect this style of token-based authentication to become much more widespread.



4.21.2004

 
Here's a compiled version of the IIS Exploit Patched by MS04-011

 
K-otik brings you a new exploit for the Linux 2.4 and 2.6 kernels up to 2.6.3 (!). Check out the setsockopt MCAST_MSFILTER denial-of-service proof of concept. This is a local bug in the kernel's handling of the MCAST_MSFILTER socket option: a caller-supplied source count is used to size a kernel buffer, and the size arithmetic can wrap.

From the code:

    printf ("Calling setsockopt(), this should crash the box...\n");

    sockprot = setsockopt (mysocket, SOL_IP, MCAST_MSFILTER, &mygroup, optlen);
This code also seems to have commented hooks for exploiting this vulnerability to gain root access. Ouch!
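To show the class of bug the PoC triggers, here is an added example that is neither the PoC's code nor the kernel's source: a model of the length check a setsockopt(MCAST_MSFILTER) handler has to make on a caller-supplied source count, with the vulnerable 32-bit computation next to a hardened version. The 16-byte header length, the 64-source cap, and the function names are assumptions made for illustration; sizeof(struct sockaddr_storage) is 128 on Linux.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustrative model, NOT the kernel's code and NOT the K-otik PoC.
 * A struct group_filter carries a numsrc field saying how many
 * sockaddr_storage entries follow its header, so the handler must compute
 *     header + numsrc * sizeof(struct sockaddr_storage)
 * and compare it with optlen before copying or walking that many entries.
 * Assumed constants: 16-byte header, cap of 64 sources, 32-bit size math
 * as on an i386 kernel.
 */
#define SS_SIZE        128u   /* sizeof(struct sockaddr_storage) on Linux */
#define GF_HEADER       16u   /* assumed header length before the array  */
#define GF_MAX_SOURCES  64u   /* assumed upper bound on numsrc            */

/* Size as 32-bit kernel arithmetic computes it: the product wraps mod 2^32. */
static uint32_t filter_size32(uint32_t numsrc)
{
    return GF_HEADER + numsrc * SS_SIZE;
}

/* Vulnerable pattern: trusts the possibly-wrapped size.
 * Returns 1 when the handler would go on to process numsrc entries. */
int vulnerable_accepts(uint32_t numsrc, uint32_t optlen)
{
    if (optlen < filter_size32(numsrc))
        return 0;                  /* -EINVAL */
    return 1;                      /* proceeds to copy/walk numsrc * 128 bytes */
}

/* Hardened pattern: bound numsrc BEFORE multiplying, then compute the
 * required size in a width that cannot wrap for the bounded range. */
int hardened_accepts(uint32_t numsrc, uint32_t optlen)
{
    if (numsrc > GF_MAX_SOURCES)
        return 0;                  /* reject absurd counts up front */
    uint64_t need = (uint64_t)GF_HEADER + (uint64_t)numsrc * SS_SIZE;
    if (need > optlen)
        return 0;
    return 1;
}

/* The smallest numsrc whose 32-bit size wraps back to exactly GF_HEADER:
 * 2^32 / 128 = 2^25 = 33554432 entries, a 4 GiB array that the vulnerable
 * check believes fits in a 16-byte option buffer. */
uint32_t wrapping_numsrc(void)
{
    return (uint32_t)(0x100000000ull / SS_SIZE);
}

int main(void)
{
    uint32_t evil = wrapping_numsrc();
    printf("numsrc=%" PRIu32 "  size32=%" PRIu32 "  vulnerable=%d  hardened=%d\n",
           evil, filter_size32(evil),
           vulnerable_accepts(evil, GF_HEADER),
           hardened_accepts(evil, GF_HEADER));
    printf("numsrc=2  size32=%" PRIu32 "  vulnerable=%d  hardened=%d\n",
           filter_size32(2u),
           vulnerable_accepts(2u, filter_size32(2u)),
           hardened_accepts(2u, filter_size32(2u)));
    return 0;
}
```

The point to take from it: the check compares optlen against a value derived from attacker-controlled input, so the input must be bounded before it enters the multiplication, not after. A wrapped size passes the comparison and the handler then trusts a count that is millions of entries larger than the buffer behind it.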

 
DoD Wireless Security Policy Published: STD 8100.2

 
Cisco advisory on the TCP spoofed-RST window DoS issue reported earlier by Brenda R. This actually looks like it affects most TCP implementations, so keep your eyes out for other vendor announcements.

More info: generally speaking, this allows for targeting of individual endpoints, not for "shutting down the Internet" as some press seem to be reporting. This is the same mechanism that lets many so-called Intrusion Prevention Systems (IPS) work (injecting RSTs into connections they can see) and, as such, isn't much of a "discovery". However, I was unaware that any RST with a sequence number anywhere within the current TCP receive window would be accepted. This makes blind attacks easy: the attacker only has to step the guessed sequence number by one window size per packet instead of trying all 2^32 values.

This issue will be covered in more depth by Paul Watson in his CanSecWest presentation tomorrow. Once the Slashdot effect subsides, you may find his network security weblog here.

 
MS04-011 IIS SSL proof-of-concept code from Johnny Cyberpunk of THC. The MS04-011 SSL issue was supposed to be only a DoS condition. What happened? This looks more like remote root. Ouch. Thanks to Tim for the link.



4.20.2004

 
Vulnerabilities in TCP and routers supporting Border Gateway Protocol (BGP)

A vulnerability exists in BGP's reliance on TCP to maintain persistent sessions. An attacker guesses a suitable range of sequence numbers and sends spoofed packets with sequence numbers one TCP window size apart until one of them lands inside the receive window and is accepted. BGP sessions are long-lived, and the peer addresses and port 179 are predictable, so the attack could lead to a DoS affecting a large segment of the Internet community.

More details here. NISCC Vulnerability Advisory 236929

I didn't mention Cisco routers, did I? No, not me.
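The window check behind both the Cisco/Watson item above and this NISCC advisory, as an added example that is not taken from either advisory or from Paul Watson's paper: the RFC 793 acceptance test that makes a spoofed RST "in window", the packet count a blind attacker needs to sweep the sequence space one window at a time, and, as the caveat a practitioner would want, the stricter RST handling that was later standardized in RFC 5961 (well after this 2004 page). The window sizes and the hidden RCV.NXT used in main are constructed inputs.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example of the TCP sequence-window check and the blind RST sweep.
 * Not code from the Cisco or NISCC advisories; inputs are constructed.
 */

/* RFC 793: a segment is acceptable when
 *     RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND   (mod 2^32)
 * Subtracting in uint32_t makes the wraparound case fall out naturally. */
int rst_in_window(uint32_t rcv_nxt, uint32_t rcv_wnd, uint32_t seg_seq)
{
    return (uint32_t)(seg_seq - rcv_nxt) < rcv_wnd;
}

/* Stricter RST handling, later standardized in RFC 5961: only an exact
 * RCV.NXT match resets; an in-window but inexact RST draws a challenge
 * ACK (which a blind, off-path attacker never sees); anything else is
 * dropped. The blind sweep then needs 2^32 guesses, not 2^32 / window. */
enum rst_action { RST_DROP = 0, RST_CHALLENGE_ACK = 1, RST_RESET = 2 };

enum rst_action rst_strict(uint32_t rcv_nxt, uint32_t rcv_wnd, uint32_t seg_seq)
{
    if (seg_seq == rcv_nxt)
        return RST_RESET;
    if (rst_in_window(rcv_nxt, rcv_wnd, seg_seq))
        return RST_CHALLENGE_ACK;
    return RST_DROP;
}

/* ceil(2^32 / rcv_wnd): RSTs needed to guarantee one hit when the guess is
 * stepped by one window per packet. Multiply by the number of source-port
 * candidates to get the real budget; for BGP the destination port is 179. */
uint64_t blind_rsts_needed(uint32_t rcv_wnd)
{
    if (rcv_wnd == 0)
        return UINT64_MAX;         /* zero window: no RST is in-window */
    return (0x100000000ull + rcv_wnd - 1) / rcv_wnd;
}

/* Simulate the sweep against a victim whose RCV.NXT the attacker cannot
 * see. Returns the number of RSTs sent up to and including the first one
 * accepted under the RFC 793 rule, or 0 if none could be. */
uint64_t simulate_sweep(uint32_t rcv_nxt, uint32_t rcv_wnd, uint32_t start)
{
    uint64_t limit = blind_rsts_needed(rcv_wnd);
    uint32_t seq = start;
    if (rcv_wnd == 0)
        return 0;
    for (uint64_t sent = 1; sent <= limit; sent++) {
        if (rst_in_window(rcv_nxt, rcv_wnd, seq))
            return sent;
        seq += rcv_wnd;            /* wraps mod 2^32, as sequence numbers do */
    }
    return 0;
}

int main(void)
{
    /* constructed window sizes: default-ish, 16K, max unscaled, 1 MiB scaled */
    const uint32_t windows[] = { 8760u, 16384u, 65535u, 1u << 20 };
    for (size_t i = 0; i < sizeof windows / sizeof windows[0]; i++)
        printf("window %7" PRIu32 " -> %" PRIu64 " blind RSTs per port guess\n",
               windows[i], blind_rsts_needed(windows[i]));
    printf("sweep vs hidden RCV.NXT=0x80000000, wnd=65535: accepted after %"
           PRIu64 " packets\n", simulate_sweep(0x80000000u, 65535u, 0u));
    return 0;
}
```

Two things fall out of the numbers. First, window scaling works against the victim here: a 1 MiB window cuts the sweep to 4096 packets per port guess, which is seconds on a fast link. Second, the exact-match rule changes the blind attacker's cost from 2^32 / window back to the full 2^32, and the challenge ACK gives the victim a signal that a sweep is under way, which is worth alerting on.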

 
Here is a homegrown WIDS for the home user, built on OpenBSD with the arpwatch, fping, xprobe, nmap and NBTScan utilities. The script at the center of the deployment has three purposes: 1) identify new hosts appearing on the wireless network, 2) collect information useful in identifying those hosts, and 3) notify the home admin.

 
Fighting Spammers With Honeypots: Part 1 and Part II - Laurent Oudot
Honeyd Research: Honeypots Against Spam
A Virtual Honeypot Framework - Niels Provos
-from Andy

 
Keep Your Eyes on the CanSecWest Files Area for the 2004 Presentations. Anybody want to fund a netsec "field trip" to Vancouver on Wed/Thur? This is the pre-eminent netsec research conference. How about this: "Laurent Oudot - Towards Evil Honeypots ?! When they bite back." Neat stuff. I heard a rumor that they are having "second breakfast" catered every day. So they have a sense of humor too?

 
Programmable Hardware Filtering of Viruses and Malware Developed at Washington University, from Andy



4.19.2004

 
Here are some good Wireless Intrusion Detection (WIDS) References:

Detecting Wireless LAN MAC Address spoofing

Layer 2 Analysis of WLAN Discovery Applications for Intrusion Detection. This paper has some good information you can use to write rules to detect Netstumbler, Wellenreiter and Dstumbler...

Wireless Intrusion Detection and Response. These guys modified an AP and set up a prototype WIDS with various modules meant to detect specific kinds of attacks. It generally provides a wish list of what a WIDS should be capable of.

Wireless Intrusion Detection in Ad-hoc Networks

 
The latest LSA vuln will likely be exploited widely soon (if it isn't already): PoC, anyone? This looks very easy to exploit, and it took M$ SEVEN MONTHS to patch this issue. M$ is a threat to our national security interests... when will we stop the insanity?

 
Federal Regs: FISMA Compliance Site at NIST

 
Telconi Terminal is a GUI Cisco configuration utility that supports Windows, Mac OS X and Unix/Linux systems. Link from Bryan.




