Hackin9

Business Technology

Keil Hubert: There's Always Something Worth Stealing
The InfoSec crew was responsible for (and limited to!) maintaining network firewalls, content filters, and maybe some intrusion detection/prevention gear; they didn't have the critical cross-functional perspective that an effective security team needs ...

 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

This diary follows from Part 1, published on Sunday August 17, 2014.  

How is it possible that, with no port forwarding enabled through the firewall, Internet-originated NTP requests were getting past the firewall to the misconfigured NTP server?

These packets pass the firewall because the manufacturer of the gateway router, in this case Pace, implemented full-cone NAT as an alternative to UPnP.

What is full-cone NAT?

The secret is in these settings in the gateway router:

If Strict UDP Session Control were enabled, the firewall would treat outbound UDP transactions as I described earlier. When a device on your network initiates an outbound connection to a server, responses from that server are permitted back into your network. Since UDP is stateless, most firewalls simulate state with a timeout. In other words, if no traffic is seen between the device and the server for 600 seconds, then no response from the server is permitted until there is new outbound traffic. But any time related traffic is seen on the correct port, the timer is reset to 600 seconds, making it possible for this communication to continue virtually forever as long as one or both devices continue to communicate. Visually that looks like:

However, if UDP Session Control is disabled, as it is on this device, the device implements full-cone NAT (RFC 3489). Full-cone NAT allows any external host to use the inbound window opened by the outbound traffic until the timer expires.

Remember anytime traffic is seen on the correct port the timer is reset to 600 seconds, thus making it possible for this communication to be able to continue virtually forever as long as one or both devices continue to communicate.

The really quick among you will have realized that this is not normally a big problem, since the only port exposed is the original ephemeral source port and it is waiting for an NTP reply. It is not likely to be used as an NTP reflector. But the design of the NTP protocol can contribute to this problem.

Symmetric Mode NTP

There is a mode of NTP called symmetric NTP in which, instead of the originating device picking an ephemeral port for the outbound connection, both the source and the destination ports use 123. The traffic flow would look like:

Symmetric NTP opens up the misconfigured server to be an NTP reflector. Assuming there is an NTP server running on the originating machine on UDP port 123, if an attacker can find this open NTP port before the timeout window closes, they can send in NTP queries which will pass the firewall and be answered by the NTP server. If the source IP address is spoofed, the replies will not go back to the attacker but to a victim instead.

Of course UDP is stateless, so the source IP can be spoofed, and there is no way for the receiver of the NTP request to validate the source IP or source port, permitting the attacker to direct the attack against any IP and port on the Internet. It is exceedingly difficult to trace these attacks back to the source, so the misconfigured server behind the full-cone NAT will get the blame. As long as the attacker sends at least one packet every 600 seconds he can hold the session open virtually forever and use this device to wreak havoc on unsuspecting victims. We have seen indications of the attackers holding these communications open for months.
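To make the timer behaviour concrete, here is a small model (added here, not part of the ISC diary) of the two firewall behaviours described above: a binding created by outbound UDP traffic, a 600-second idle timer refreshed by any forwarded packet, and the full-cone versus strict UDP session control rule for who may use the binding. The addresses and the 500-second probe interval are constructed for the illustration.

```python
from dataclasses import dataclass, field

TIMEOUT = 600  # idle timeout in seconds, the value the diary describes


@dataclass
class Binding:
    peer: tuple       # (ip, port) the inside host sent to
    expires_at: int   # absolute time at which an idle binding closes


@dataclass
class UdpNat:
    strict: bool                               # True: strict UDP session control; False: full-cone
    table: dict = field(default_factory=dict)  # public port -> Binding

    def outbound(self, now, src_port, dst):
        """Inside host sends a UDP datagram from src_port to dst=(ip, port)."""
        # Assumption: the public port equals the inside source port (no port translation).
        self.table[src_port] = Binding(peer=dst, expires_at=now + TIMEOUT)

    def inbound(self, now, src, dst_port):
        """External host src=(ip, port) sends to our public dst_port; True if forwarded."""
        b = self.table.get(dst_port)
        if b is None or now >= b.expires_at:
            self.table.pop(dst_port, None)     # no binding, or idle too long: drop
            return False
        if self.strict and src != b.peer:
            return False                       # strict mode: only the contacted peer may answer
        b.expires_at = now + TIMEOUT           # any forwarded packet refreshes the idle timer
        return True


def simulate(strict):
    """Replay the diary's scenario; returns (server_reply, attacker_first, attacker_kept_open, after_silence)."""
    nat = UdpNat(strict=strict)
    ntp_server = ("203.0.113.10", 123)   # constructed upstream NTP peer (TEST-NET-3)
    attacker = ("198.51.100.7", 40000)   # constructed scanning host (TEST-NET-2)
    nat.outbound(0, 123, ntp_server)                    # symmetric-mode NTP: source port is 123
    server_reply = nat.inbound(10, ntp_server, 123)     # legitimate reply: passes in both modes
    first = nat.inbound(300, attacker, 123)             # attacker probes port 123 inside the window
    # attacker keeps sending one packet every 500 s (under the 600 s timeout) for a day
    kept = all(nat.inbound(t, attacker, 123) for t in range(800, 86400, 500))
    after_silence = nat.inbound(90000, attacker, 123)   # hours of silence: the window has closed
    return server_reply, first, kept, after_silence


if __name__ == "__main__":
    print("full-cone:", simulate(strict=False))   # (True, True, True, False)
    print("strict   :", simulate(strict=True))    # (True, False, False, False)
```

Under full-cone NAT the attacker's probes are forwarded and each one extends the window, so the reflector stays reachable for as long as the probes continue; under strict session control only the contacted NTP peer gets through and the binding dies after 600 idle seconds.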

What are the lessons to be learned here?

  • If all ISPs fully implemented anti-spoofing filters, then the likelihood of this sort of attack is lowered substantially. In a nutshell, anti-spoofing says that if the traffic is headed into my network and the source IP address is from my network, then the source IP must be spoofed, so drop the packet. It also works in the converse: if a packet is leaving my network and the source IP address is not an IP address from my network, then the source IP address must be spoofed, so drop the packet.
  • It can't hurt to check your network for NTP servers. A single nmap command will quickly confirm if any are open on your network: nmap -sU -A -n -PN -pU:123 --script=ntp-monlist . If you find one or more, perhaps you can contact the vendor for possible resolution.
  • If you own a gateway router that implements full-cone NAT, you may want to see if your gateway router implements the equivalent of the Pace “Strict UDP Session Control”. This will prevent an attacker from accessing misconfigured UDP servers on your network.

-- Rick Wanner - rwanner at isc dot sans dot edu- http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

 
Symantec will consolidate its cluttered Norton line of security software, folding nine products into one online service that can be used across desktop computers and mobile devices.
 
As promised by its new CEO, Sprint announced late Monday it will lower its shared data plans to prices below those offered by other national carriers starting on Friday.
 
The theft of personal data on 4.5 million patients of Community Health Systems by hackers in China highlights the increasing degree to which hospitals are becoming lucrative targets for information theft.
 
The U.S. government wants to force cars to talk to each other over wireless networks, saying that could save more than 1,000 lives every year.
 
Microsoft's Azure cloud computing platform, wobbly for more than a week, is again experiencing outages and interruptions that are impacting multiple products in the U.S. and abroad.
 
In New York City, venerable companies give luxurious corporate cars to power brokers dressed in Armani suits driving down Wall Street. But across the country in San Francisco, you're more likely to see blue jeans-clad execs driving shared Zipcars to their wacky digs in SoMa, or south of Market.
 
 
HTTP Shaming's ethos is even on a fridge.

The amount of personal data traveling to and from the Internet has exploded, yet many applications and services continue to put user information at risk by not encrypting data sent over wireless networks. Software engineer Tony Webster has a classic solution—shame. 

Webster decided to see if a little public humiliation could convince companies to better secure their customers' information. On Saturday, the consultant created a website, HTTP Shaming, and began posting cases of insecure communications, calling out businesses that send their customers' personal information to the Internet without encrypting it first.

One high-profile example includes well-liked travel-information firm TripIt. TripIt allows users to bring together information on their tickets, flight times, and itinerary and then sync it with other devices and share the information with friends and co-workers. Information shared with calendar applications, however, is not encrypted, Webster says, leaving it open to eavesdropping on public networks. Among the details that could be plucked from the air by anyone on the same wireless network: a user's full name, phone number, e-mail address, the last four digits of a credit card number, and emergency contact information. An attacker could even change or cancel the victim's flight, he says.


 
Apache Cordova For Android CVE-2014-3500 Security Bypass Vulnerability
 
Apache Cordova For Android CVE-2014-3501 Security Bypass Vulnerability
 
Microsoft is encouraging more hardware hackers to develop Windows-based smart devices and appliances with expanded availability of a preview OS to all owners of Intel's Galileo board.
 
IT shops that want professional support for MongoDB without paying for the enterprise edition of the company's increasingly popular NoSQL database now have an option from MongoDB itself.
 
Apple's iPhone 5C, the lower-priced model introduced last year -- by many accounts to boost sales in countries like China -- has done poorly in the People's Republic.
 
About 4.5 million people in 28 states face the risk of identity theft due to a massive data breach at Community Health Systems (CHS) a Franklin, Tenn., based health network.
 
Google is drawing from the work of the open-source community to offer its cloud customers a service to better manage their clusters of virtual servers.
 
Apple released the sixth developer preview of OS X Yosemite today.
 
Once IBM completes its x86 server line sale to Lenovo, the latter will immediately take a solid third place ranking in worldwide revenues in the market.
 
A senior U.S. senator is asking airlines about their data privacy practices, saying he's concerned about what information the companies are collecting and sharing with third parties.
 
Oracle has made it possible to run a much older but still widely used version of its database software on Exadata, in a move that could make heretofore reluctant buyers pull the trigger on a purchase of the data-processing appliance.
 
Two Russian cosmonauts are in the middle of a spacewalk outside of the International Space Station, in part to release a nanosatellite that will take images of Earth.
 
In what could be a decisive blow to the Bring Your Own Device (BYOD) mega trend, the California Court of Appeal ruled late last week that companies must reimburse employees for work-related use of personal cellphones, as described in the National Law Review.
 
[SECURITY] [DSA 3006-1] xen security update
 
LinuxSecurity.com: Updated nss, nss-util, and nss-softokn packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. [More...]
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
ownCloud CVE-2014-4929 Local File Include Vulnerability
 
Anything "software-defined"--networks, storage, data centers--is grabbing a lot of attention these days. Security is no exception. Software-defined security (SDS) is an emerging model in which information security is deployed, controlled and managed by software.
 
Comparing commercial Hadoop big data-styled analysis systems might get a little easier, thanks to a new benchmark from the Transaction Processing Performance Council (TPC).
 
Mozilla Firefox CVE-2014-1561 Event Spoofing Vulnerability
 
LG Electronics is planning to show three monitors at IFA in Berlin, including a curved ultrawide model and a new 4K display.
 
RETIRED: LibreSSL PRNG Entropy Weakness
 
Python Bottle JSON 'content-type' Parsing Security Bypass Vulnerability
 

Amazon Fire Phone security features and pitfalls
TechTarget
In this tip, we'll review the Amazon Fire Phone's security features and implications in order to help enterprise infosec ...
 
Google has acquired Jetpac, known for image recognition and processing.
 
Although Microsoft has pulled a patch from Windows Update that crippled some computers, it is still pushing a truncated version of the security update that contained the flawed fix.
 
So you've said yes to the use of personal tech. How do you make it work for and in your business?
 
Drupal Fasttoggle Module Access Bypass Vulnerability
 
Outlook.com for Android SSL Certificate Validation Security Bypass Vulnerability
 
Outlook.com for Android fails to validate server certificates
 
Beginners error: Windows Live Mail 2011 runs rogue C:\Program.exe when opening associated URLs
 
Plack::App::File Information Disclosure Vulnerability
 
libgcrypt Elgamal Encryption Subkeys Information Disclosure Vulnerability
 
CVE-2014-5289 - Kolibri WebServer 2.0 Vulnerable to RCE via Overly Long POST Request
 
Beginners error: Apple's iCloudServices for Windows run rogue program C:\Program.exe (and some more)
 
Linux Kernel CVE-2014-5206 Local Security Bypass Vulnerability
 
Linux Kernel CVE-2014-5207 Local Security Bypass Vulnerability
 
Apache Subversion CVE-2014-3522 SSL Certificate Validation Information Disclosure Vulnerability
 
Beginners error: Apple's Software Update runs rogue program C:\Program.exe (and some more)
 
For all the talk by its CEO about a new and different Microsoft, the company's money-making software groups remain lashed to hardware-intensive divisions that increasingly drag down the firm's overall margin.
 
Its fast and robust data processing and storage power make Hadoop both wildly popular and wildly complex. Here's how four IT leaders have managed to bring Hadoop systems from the sandbox into production.
 
A Chinese man has been indicted for allegedly directing two China-based hackers to infiltrate Boeing and other defense contractors to steal gigabytes of documents describing U.S. military aircraft.
 