Information Security News
Dark Reading: 7 Signs of Infosec's Groundhog's Day Syndrome. Sometimes working in information security can make people feel a little bit like Sisyphus. Or, at least like Bill Murray in the movie Groundhog Day. You wake up and the same types of weaknesses in your people and technology are being attacked by the ...
An open source network utility used by administrators and security professionals contains a cryptographic weakness so severe that it may have been intentionally created to give attackers a surreptitious way to eavesdrop on protected communications, its developer warned Monday.
Socat is a more feature-rich successor to the widely used Netcat utility, used for debugging network applications and for finding and exploiting security vulnerabilities. One of its features allows data to be transmitted through an encrypted channel to prevent it from being intercepted by people monitoring the traffic. Amazingly, when using the Diffie-Hellman method to establish a cryptographic key, Socat used a non-prime modulus to negotiate the key, an error that violates one of the most basic cryptographic principles.
The Diffie-Hellman key exchange requires that the modulus be a prime number, meaning it is divisible only by itself and one. The security of the exchange rests on the difficulty of computing discrete logarithms in the group defined by that modulus; with a composite modulus, the discrete logarithm can be solved separately modulo each factor and the results recombined, so anyone who knows the factorization (for example, whoever generated the parameter) can recover the secret key used to encrypt and decrypt the protected communications. What's more, the non-prime value was only 1,024 bits long, a length that researchers (the 2015 Logjam work) recently showed is susceptible to cracking by state-sponsored attackers even when genuine primes are used.
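As an added example (not Socat's code and not part of the Ars Technica article), the following Python performs the checks a Diffie-Hellman implementation should run on its modulus, then shows on a constructed toy modulus (1009 × 1013, chosen here purely for illustration) how a composite modulus with known small factors lets anyone recover the secret exponent: solve the discrete log modulo each factor by brute force and recombine with the Chinese remainder theorem (the Pohlig-Hellman idea applied to a composite modulus). Function names, the toy modulus and the 2048-bit minimum are assumptions of this example.

```python
"""DH parameter checks plus a demonstration of why a composite modulus is fatal.
Added example; not Socat's code. The toy modulus N = 1009 * 1013 is constructed."""
import random
from math import gcd


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probabilistic primality test (error probability < 4**-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:              # write n-1 = 2**r * d with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False           # a is a witness that n is composite
    return True


def check_dh_modulus(p: int, min_bits: int = 2048) -> list:
    """Return a list of problems with a DH modulus p; an empty list means OK."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"modulus is only {p.bit_length()} bits (want >= {min_bits})")
    if not is_probable_prime(p):
        problems.append("modulus is not prime")
    elif not is_probable_prime((p - 1) // 2):
        problems.append("modulus is prime but not a safe prime; (p-1)/2 is composite")
    return problems


def crt(congruences):
    """Combine x = a_i (mod m_i); the moduli need not be pairwise coprime."""
    x, m = 0, 1
    for a, n in congruences:
        d = gcd(m, n)
        if (a - x) % d:
            raise ValueError("inconsistent congruences")
        # solve x + m*k = a (mod n)  ->  (m/d)*k = (a-x)/d (mod n/d)
        k = ((a - x) // d * pow(m // d, -1, n // d)) % (n // d)
        m = m * n // d
        x = (x + (m // (n // d)) * k) % m if False else (x + (m * d // n) * k) % m
    return x


def recover_exponent(g: int, pub: int, factors) -> int:
    """Recover x with pub = g**x mod n, where n is the product of the small known
    primes in `factors`: brute-force the log modulo each factor, then combine."""
    congruences = []
    for q in factors:
        gq, pq = g % q, pub % q
        if gq == 0:
            raise ValueError("generator shares a factor with the modulus")
        order, t = 1, gq
        while t != 1:                      # multiplicative order of g mod q
            t = t * gq % q
            order += 1
        e = next(e for e in range(order) if pow(gq, e, q) == pq)
        congruences.append((e, order))     # x = e (mod order)
    return crt(congruences)


N_FACTORS = (1009, 1013)          # constructed: two small primes
N = N_FACTORS[0] * N_FACTORS[1]   # a composite "modulus" like the Socat one, only tiny
G = 2


def demo_composite_break(secret: int = 424242) -> bool:
    """True if the exponent recovered from the public value reproduces it."""
    pub = pow(G, secret, N)
    recovered = recover_exponent(G, pub, N_FACTORS)
    return pow(G, recovered, N) == pub


if __name__ == "__main__":
    print("problems with N:", check_dh_modulus(N, min_bits=1))
    print("secret recovered from composite modulus:", demo_composite_break())
```

The `crt` helper keeps the running modulus `m` as the lcm of the moduli seen so far, which is what a Pohlig-Hellman recombination needs when the factor orders share a common divisor. The recovered exponent is congruent to the real one modulo the order of `G` in the composite group, so it reproduces the public value and, in a real exchange, the shared secret.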
IT World Canada: NASA breach shows again that brute force password attacks work. It isn't uncommon for hackers to boast about their exploits; it adds a bit of credibility to their work. So infosec teams should pay attention to claims from a group called AnonSec, which says it brute-force cracked the password of an administrator at ...
Dark Reading: As Good As They're Getting, Analytics Don't Inherently Protect Data. Prudent infosec professionals think about security in the context of reducing attack surface and minimizing damage in the event of an exploit. The joke used to be that the only secure system is the one that isn't connected to the Internet. But ...
IPv6 poses a problem for systems like Shodan, which try to enumerate vulnerabilities Internet-wide. Tools like zmap can scan the entire IPv4 address space in minutes (or at most hours), but the same brute-force approach fails for IPv6. The standard end-user subnet is a /64, or about 18.4 quintillion (2^64) addresses. Assuming 5 minutes to cover the 32 bits of IPv4, a tool like zmap would need roughly 40,000 years to scan a single /64, the subnet that may be assigned to one home user.
There are a couple of methods to make IPv6 scanning somewhat feasible:
It looks like Shodan started to use the last option recently. Systems using the pool.ntp.org NTP servers have been observed being scanned by Shodan shortly after querying them. It appears that the Shodan project added one or more NTP servers to the public NTP pool; any client that queries them reveals its IPv6 address, which then becomes a target for Shodan's unauthorized scans [2]. Other scanner projects may do the same. DNS servers could of course be used in the same way, but there are no open DNS server pools like this that I am aware of (OpenDNS or Google could run similar tests, but I am not aware of them allowing third parties into their pools).
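A check a defender can run against this technique, as an added example that is not from the ISC diary or from Shodan: correlate outbound NTP queries sent by internal IPv6 hosts with inbound connections that arrive shortly afterwards from an external address other than the NTP server itself. The log format, the internal prefix 2001:db8:1::/48, the 30-minute window and the log lines themselves are all constructed for this example; a real deployment would feed it firewall or flow logs.

```python
"""Flag external hosts that begin connecting to an internal IPv6 address shortly
after that address queried an external NTP server. Added example; the log
format and the SAMPLE_LOG lines are constructed, not real traffic."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL = ipaddress.ip_network("2001:db8:1::/48")   # assumed internal prefix
WINDOW = timedelta(minutes=30)                        # assumed follow-up window

# Constructed sample: one host queries a pool server, then gets probed by a
# third party minutes later; the NTP reply itself and an unrelated host are not hits.
SAMPLE_LOG = """\
2016-02-02T10:00:01Z OUT src=2001:db8:1::10 dst=2001:db8:ffff::123 proto=UDP dport=123
2016-02-02T10:00:05Z OUT src=2001:db8:1::10 dst=2001:db8:ffff::443 proto=TCP dport=443
2016-02-02T10:00:02Z IN src=2001:db8:ffff::123 dst=2001:db8:1::10 proto=UDP dport=123
2016-02-02T10:03:12Z IN src=2001:db8:beef::5 dst=2001:db8:1::10 proto=TCP dport=80
2016-02-02T10:03:13Z IN src=2001:db8:beef::5 dst=2001:db8:1::10 proto=TCP dport=443
2016-02-02T14:00:00Z IN src=2001:db8:beef::5 dst=2001:db8:1::20 proto=TCP dport=22
"""


def parse(line: str) -> dict:
    """Parse one '<ts> <IN|OUT> key=value ...' line of the constructed format."""
    ts, direction, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "dir": direction,
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "proto": fields["proto"],
        "dport": int(fields["dport"]),
    }


def find_ntp_followup_scans(log_text: str, window: timedelta = WINDOW) -> dict:
    """Return {scanner: {internal host, ...}} for inbound connections that arrive
    within `window` after the internal host sent an NTP query to an external
    server, and that come from somewhere other than that server."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    ntp_queries = defaultdict(list)          # internal host -> [(ts, server)]
    for ev in events:
        if (ev["dir"] == "OUT" and ev["proto"] == "UDP" and ev["dport"] == 123
                and ev["src"] in INTERNAL and ev["dst"] not in INTERNAL):
            ntp_queries[ev["src"]].append((ev["ts"], ev["dst"]))
    hits = defaultdict(set)
    for ev in events:
        if ev["dir"] != "IN" or ev["dst"] not in INTERNAL or ev["src"] in INTERNAL:
            continue
        for ts, server in ntp_queries.get(ev["dst"], []):
            if ts <= ev["ts"] <= ts + window and ev["src"] != server:
                hits[ev["src"]].add(ev["dst"])
    return {str(k): {str(h) for h in v} for k, v in hits.items()}


if __name__ == "__main__":
    for scanner, targets in find_ntp_followup_scans(SAMPLE_LOG).items():
        print(f"{scanner} probed {sorted(targets)} shortly after an NTP query")
```

Hosts that were never seen querying external NTP (2001:db8:1::20 in the sample) are not flagged, because the heuristic only says something about addresses that were leaked through NTP; that same host appearing as a target is the signal to look for a different leak.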
So what to do about it?
Depending on how you feel about being scanned by Shodan, you may not care. But with IPv6 in particular, databases like Shodan (and of course Google and other web search engines) will play a larger role in finding targets than they already do. As a first step, you should fix your NTP infrastructure. Systems in your network should only synchronize with internal NTP servers, and only these authorized NTP servers should communicate with the outside (or better, with an internal reference clock such as GPS or GSM). If you have a GPS signal in your environment, you may be able to set up a Raspberry Pi based master clock [3]. In an enterprise network, buy a professional NTP appliance that includes a GSM or GPS module (GSM usually works better in data centers, as it does not require an external rooftop antenna).
Also consider using a secure NTP configuration template [4] to avoid other issues, like the well-known monlist amplification problem. NTP is a bit of a forgotten protocol in that it just works without anyone touching it in most cases. But if you didn't configure it, it probably isn't configured right for you.
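The two configurations the paragraphs above contrast, as an added example for classic ntpd rather than the Team Cymru template or any real host's file: the weak default that lets every machine talk to the public pool and answer anyone, beside a hardened client that only talks to the site's own servers, and the border server that is the only one allowed out. The 192.0.2.x addresses (documentation range) stand in for the internal servers and the reference clock and are placeholders.

```conf
# ---- Weak: typical unmanaged host (example, not a real host's file) ----
# Every machine queries the public pool directly (leaking its address to
# whoever runs those pool servers) and answers status queries from anyone.
server 0.pool.ntp.org
server 1.pool.ntp.org
restrict default nomodify          # still answers queries, incl. monlist on old ntpd

# ---- Hardened internal client: sync only with the site's own servers ----
server 192.0.2.10 iburst           # assumed internal NTP server 1
server 192.0.2.11 iburst           # assumed internal NTP server 2
restrict default ignore            # serve nobody, answer nobody
restrict -6 default ignore
restrict 127.0.0.1
restrict -6 ::1
# replies from our own servers are accepted, nothing else
restrict 192.0.2.10 nomodify notrap nopeer noquery
restrict 192.0.2.11 nomodify notrap nopeer noquery
disable monitor                    # removes monlist on ntpd < 4.2.7p26

# ---- Border / master server: the only host allowed to talk outside ----
server 127.127.20.0 mode 16 prefer # assumed GPS (NMEA) reference clock driver
restrict default kod nomodify notrap nopeer noquery   # time service only, no status
restrict -6 default kod nomodify notrap nopeer noquery
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer   # internal clients
restrict 127.0.0.1
restrict -6 ::1
disable monitor
```

With the client configuration in place, outbound UDP/123 from anything other than the border servers should be blocked at the firewall as well, so a stray host that still ships with the pool defaults cannot leak its IPv6 address.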
FWIW: our threat feeds include lists of Internet-wide research scanners (IPv4 only at this point). You can get a machine-parsable version from our API (https://isc.sans.edu/api/threatcategory/research/), or a more visually appealing version from our threat feed map.
[1] http://arstechnica.com/security/2016/02/using-ipv6-with-linux-youve-likely-been-visited-by-shodan-and-other-scanners/
[2] http://netpatterns.blogspot.de/2016/01/the-rising-sophistication-of-network.html
[3] https://xmission.com/blog/2014/05/28/building-a-stratum-1-ntp-server-with-a-raspberry-pi
[4] http://www.team-cymru.org/secure-ntp-template.html
---
Johannes B. Ullrich, Ph.D.
CSO Online: Does attribution matter to security leaders? Levi's career as an information security professional includes unique operational and leadership experience in government (U.S. Secret Service), threat intelligence providers (Team Cymru and Recorded Future), and multi-vertical Fortune 500 enterprises ...
Infosecurity Magazine (blog): Accepting the Unknown Risk. Well, some may say that their brand of "Infosec-Rap" is disrespectful of their trade, while others watch over and over again. Host Unknown 'sole founder' Agnês explained the long gap between songs: "When you smash it out of the park like I did with C I ...
Blogger News Network (blog): 2016 Information Security Predictions. No bones about it, 2016 is sure to see some spectacular, news-chomping data breaches, predict many in infosec. If you thought 2015 was interesting, get your seatbelt and helmet on and prepare for lift off... 4W Wearable Devices. Cyber crooks don't care ...