InfoSec News

Those who attended Oracle CEO Larry Ellison's keynote address at the OpenWorld conference on Wednesday hoping to learn a wealth of new detail about the vendor's long delayed Fusion Applications likely left disappointed, but plenty of vital information was available throughout the week for those interested enough to pursue it.
 
If Mark Zuckerberg had a dollar for every user on Facebook ... oh wait, he does. He has lots of dollars for every user on Facebook.
 
Apple on Wednesday released updates to its three iWork apps for the iPad. Version 1.2 of Numbers, Keynote, and Pages feature improvements to file-format support and file transferring.
 
Users may be having trouble accessing Facebook on Wednesday due to a problem the site is having with a network provider, the company said.
 
Canada's privacy commissioner has ended an investigation into Facebook's privacy practices by saying the social-networking site has resolved issues raised in a May 2008 complaint.
 
Dell said on Wednesday it is developing a 7-inch tablet as it experiments with handheld devices with different screen sizes.
 
The U.S. Federal Trade Commission has reached a settlement with online data broker US Search on complaints that the company failed to deliver on promises that it would not share the records of customers who paid a fee.
 
I liked a lot of what I saw in the Internet Explorer 9 beta, to the point where I suspect I'll end up using it more often than I did Internet Explorer 8.
 
U.S. Sen. Harry Reid has proposed legislation that would provide tax breaks to companies that replace offshore employees with U.S. workers.
 
The OAuth 2.0 API security protocol, used by Facebook and Salesforce.com, may be too easy to crack, critics contend.
 
Attacks against the browser and its components would be isolated from the desktop and the network in a virtual environment.


 
Maine's Supreme Court has ruled that consumers affected by the data breach at supermarket chain Hannaford Bros. in 2008 cannot claim damages unless they suffered uncompensated financial losses or some other tangible injury.
 
This week's hack of Twitter probably won't prompt large companies to quickly abandon the microblogging site, but analysts said that further attacks could lead IT executives to start looking at alternative social networks.
 
Keith Shaw reviews the Rover Puck, a mobile hot spot device from Clearwire, and the Flip UltraHD video camera, by Cisco.
 
=============== Rob VandenBrink Metafore (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 


 
A 24-year-old law setting the rules on how law enforcement agencies can obtain electronic records is out of step with modern technology and privacy expectations and needs to be updated, U.S. Sen. Patrick Leahy said.
 
Sprint Nextel might increase the $10 monthly surplus it charges for 4G smartphones if their average data usage gets too high, CEO Dan Hesse said.
 
Corporations are jumping on the Google smartphone bandwagon, with Android device growth outpacing Apple's iPhone 20-fold in the last three months, a market researcher said today.
 
The security pitfalls of cloud computing can be neutralized with proper planning.
 
Cisco has released its twice-yearly set of security updates for its switches and routers.
 
Qualcomm is developing a short-range radio technology called Peanut that would require less battery power than Zigbee, Bluetooth and Ultra Wideband.
 
SAP is unleashing a set of 'Rapid Deployment' software applications that can be rolled out in as little as 12 weeks, the company announced Wednesday.
 
Contrary to reports, a bug that Microsoft patched last week had been publicly discussed a year and a half ago, security researchers said this week.
 
Marc Maiffret of eEye Digital Security talks about his hacking career and the revival of his company's zero-day tracking service. Also, Jeremiah Grossman of WhiteHat Security on the latest Twitter vulnerability.


 
Microsoft's Cashback service didn't work out, but the company is still experimenting with the concept of repaying users, this time with a program that rewards people for searching on Bing.
 
India officials hope to negotiate a "totalization agreement" with the U.S. that would let Indian H-1B workers pay into Indian retirement and medical programs rather than pay U.S. Social Security and Medicare taxes.
 
If your Android phone has a limited pay-per-megabyte data plan, or if you often find yourself trying to get online in areas with a weak cellular signal, Opera Mini is a solid choice for Web browsing. However, if you want to watch Web videos in your browser, you can skip the rest of this review--Opera Mini doesn't handle that. (You can still download videos and view them in a separate media player app.)
 
Reader A. Hart is heartbroken that his or her MacBook refuses to obey commands issued across the room. A. writes:
 
3D laptop shipments have been slow this year, hindered by high prices and lack of consumer interest, according to research firm DisplaySearch.
 
Mobile and wireless applications are already profoundly affecting underdeveloped areas of the world, according to a "Future of Mobile" panel at the [email protected] 2010 conference today.
 
Google is at its wit's end dealing with illegal sellers of prescription drugs that market medicines on its ad network, so it has decided to take some of these allegedly rogue advertisers to court.
 
If you think it's getting harder to keep up with new developments in your company or your project, you're right.
 
It may be difficult for enterprises to figure out how much they should spend on IT security, but research firm Gartner has statistics on how much their peers are spending.
 

Handling mergers and acquisitions: Career success tips for infosec pros
SearchSecurity.com
An infosec pro's ability to manage his or her career through this change can be critical to one's professional future. What follows are some career success ...

 
The use of third-party code in applications represents a big security risk for companies, according to a study from security vendor Veracode.
 
As a self-confessed and self-described Network Person, I design and build redundant systems every day. The kind of systems where you can lose entire racks and still be up, where you can do upgrades and reboots without downtime. Two things struck me recently:
A big part of this job lately seems to be in education - going over redundancy and recovery mechanisms and options with clients in advance of doing a design, and certainly well before a build. While many of these mechanisms have been with us for years, in many large companies decision makers don't seem to be aware of what is available to them, native on the box and for free.
The other thing that struck me is that even when I'm preaching to the choir - when the folks I'm working with know what their gear can do, and in many cases have already built their infrastructure the right way - people aren't aware of the security implications of the tools we use to make our infrastructure reliable and/or redundant. Each thing we do to make things better gives an attacker another method to attack or compromise things.
I recently heard this described as Thinking Backwards, and can't think of a better way to describe this aspect of things. (from the SANS SEC542 audio, Kevin Johnson and an unnamed student)



While I seem to be drawing the same Enterprise 101 diagram a few times per week, lately it's been a coin toss whether it's been for an Enterprise 101 discussion, or an Enterprise Attack / Defense 101 whiteboard talk. This entire ball of worms seems like a good discussion for an ISC Diary. I'll start the conversation with an Enterprise 101 review, outlining each of the mechanisms we'll discuss. In upcoming diaries, we'll tackle each of the reliability methods, and discuss how they're sometimes not as reliable as you think they are, what security pieces they are missing, why defaults are BAD, and how to secure them (if possible).



I'm hoping that our readers will help out. If I've missed a topic you'd like to see, please let us know in the comment form. If I've overlooked a topic, or if I haven't explained things completely (or just plain errored out or otherwise missed the boat), please use our comment form and fill us all in.



Enterprise 101 - The Good
I'll start off this week with the textbook descriptions. What the more common reliability methods are, what they do, why you might implement them. This discussion will be a tad non-technical, but don't worry, when we start breaking stuff in later diaries, we'll get to see some configuration examples, real tools and in some cases packets. Even this high level conversation I think has a lot of value - lots of folks aren't aware of basic mechanisms for ensuring network availability. With information security often defined in the context of the CIA triad (Confidentiality, Integrity and Availability), I find that we often neglect the Availability aspect - we tend to consider it as more of an operational thing than a security thing. We'll base our discussion on the diagram below. Again, if you'd like to see something added, please use our comment form - I'll update this diary based on comments.



At the heart of many of these protocols and methods is either a primary/backup concept, or an active/active pairing. You'll see this as a pretty consistent pattern as we go through them.







Layer 3: HSRP / VRRP
What these protocols give you is layer 3 redundancy. If the default gateway on a subnet should go offline, then no-one on that subnet can access resources off of that network. If things like DNS servers are affected in such an outage, it's likely that even resources on that same subnet won't be accessible. HSRP and VRRP are two protocols that allow you to set up another router (or layer 3 switch) as a backup to the primary. If the primary fails, the backup takes over the gateway IP, and the clients on that subnet are none the wiser. On most days what this means to the network maintainer is that hardware or software upgrades can be done with minimal interruption, often during business hours (we all get enough late nights in this biz).



HSRP (Hot Standby Router Protocol) has been around forever, it's the Cisco answer to this problem. VRRP (Virtual Router Redundancy Protocol) is the open standards answer to this - the current version is defined in RFC5798 (previously in RFC3768 and before that in RFC2338).



Layer 2: Spanning Tree (and TRILL)
What spanning tree does is prevent loops in the network. If a layer 2 frame is sent out on the wire, and the switch does not have the destination MAC address in its local table, it sends the frame out all of its ports in hopes that somebody will claim it and reply. In a single switch environment, that's the end of it. In a multiple switch environment, this broadcast is potentially repeated on every switch in the environment. The problem is that if you form a loop - in the simplest case, having two wires connecting a pair of switches - this process can easily repeat infinitely. The frame will come in one port from switch A to B, then get forwarded back to switch A on the other link, then back to B and so on. In short order the network melts and becomes unusable, as these frames never go away. In a complex network loops may not be so simple or obvious, but the bigger the network the bigger the impact. What spanning tree does is simplify this - it defines a root bridge, and creates a single, least cost path with no loops between all the switches. Path costs are determined by an algorithm based mostly on hop count and port speed, but can be overridden by configuration on the boxes. With a single path (the designated path) to every bridge on the network, frames to unknown destinations transit each switch once, then eventually die if the destination host is not on the network.



In the case of a link failure on a designated path, the switches detect that the failure occurred, and one of the backup links takes over (this gets a lot more complicated, stay tuned).
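The root election, least-cost path selection and link-failure reconvergence described above, worked through in Python on a small constructed four-switch topology. This is an added example, not part of the diary: the switch names, bridge IDs and link speeds are made up, and the equal-cost tie-break is a simplification of the 802.1D rules.

```python
import heapq

# IEEE 802.1D-1998 default port path costs, keyed by link speed in Mbps.
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}

# Constructed topology. Bridge ID = (priority, MAC); the lowest ID is root.
SWITCHES = {
    "core1":   (4096,  "00:11:22:00:00:01"),
    "core2":   (8192,  "00:11:22:00:00:02"),
    "access1": (32768, "00:11:22:00:00:03"),
    "access2": (32768, "00:11:22:00:00:04"),
}

# Constructed links (switch, switch, Mbps): each access switch uplinks to both
# cores and the cores interconnect, so the wiring has loops. One link per pair.
LINKS = [
    ("core1", "core2",   10000),
    ("core1", "access1", 1000),
    ("core2", "access1", 1000),
    ("core1", "access2", 100),    # slow direct uplink
    ("core2", "access2", 1000),
]


def elect_root(switches):
    """Root bridge election: the lowest (priority, MAC) tuple wins."""
    return min(switches, key=lambda name: switches[name])


def root_path_costs(root, switches, links):
    """Dijkstra from the root. A switch's root path cost is the sum of port
    costs along the way, so link speed and hop count both count. Among
    equal-cost switches the lower bridge ID is expanded first, which
    approximates the 802.1D tie-break."""
    adj = {}
    for a, b, speed in links:
        adj.setdefault(a, []).append((b, PORT_COST[speed]))
        adj.setdefault(b, []).append((a, PORT_COST[speed]))
    cost, parent = {root: 0}, {root: None}   # parent = root-facing neighbour
    heap = [(0, switches[root], root)]
    while heap:
        c, _, node = heapq.heappop(heap)
        if c > cost[node]:
            continue                          # stale heap entry
        for nxt, link_cost in adj.get(node, []):
            if c + link_cost < cost.get(nxt, float("inf")):
                cost[nxt] = c + link_cost
                parent[nxt] = node
                heapq.heappush(heap, (cost[nxt], switches[nxt], nxt))
    return cost, parent


def spanning_tree(switches, links):
    """Return (root, root path costs, forwarding links, blocked links)."""
    root = elect_root(switches)
    cost, parent = root_path_costs(root, switches, links)
    forwarding, blocked = [], []
    for a, b, _ in links:
        # A link forwards only if it is some switch's chosen path to the root;
        # every other redundant link is blocked and held in reserve.
        if parent.get(a) == b or parent.get(b) == a:
            forwarding.append((a, b))
        else:
            blocked.append((a, b))
    return root, cost, forwarding, blocked


def after_link_failure(switches, links, failed):
    """Reconverge after a designated link fails: drop it and recompute, so a
    previously blocked link takes over."""
    a, b = failed
    return spanning_tree(switches, [l for l in links if {l[0], l[1]} != {a, b}])
```

Note that the direct 100Mbps access2 uplink loses to the two-hop 10G+1G path (cost 19 versus 6), which is the "mostly hop count and port speed" rule in action.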



The obvious downside to this is that we tend to connect switches together using our fastest, most expensive links. A pair of 10GB links can really add up, cost wise, and even 1GB links can be expensive if it's over single mode fiber or long reach Ethernet. Plus it seems a real shame to leave all that bandwidth idle just in case. The answer to this is a new standard called TRILL (Transparent Interconnection of Lots of Links). In a TRILL config, all of these links are live, and in its simplest explanation the switches discover and maintain an SPF (Shortest Path First) table of MAC addresses, which defines the best path in a multihop environment from any source to any destination MAC address. TRILL is bright-shiny-new, and is not yet widely deployed. Some vendors have TRILL compliance in their highest-end products; look for TRILL to show up in smaller switches over the next few years.



Layer 2: Etherchannel / LACP (802.3ad) / PAgP
Etherchannel is a common method of taking a few network links and ganging them up to make a faster link. For instance, four 100Mbps links can be combined to make a faster channel. The common misconception is that combining these links simply adds them up - in our example, you'd think that 4x100 = 400Mbps, but that's not the case. What happens is that for every source and destination, a path is chosen. So all the traffic from host A to host B will take one link, and all the traffic from host A to C might take another. This means that, in our example of 4 links, each conversation has 100 Mbps available to it, but 4 conversations can happen at once.
The source and destination can be defined in several ways, commonly by IP address or MAC address. So if you have one large file copy or backup job, it'll likely only use one link. Using source/destination MAC address for balancing etherchannel links is generally easier on the hardware, but keep in mind that the default gateway on any subnet has a single MAC, so if you're communicating off your subnet, source/destination IP address might make better use of your multiple paths.



Spanning tree is disabled on Etherchannel links. PAgP (Port Aggregation Protocol) is the Cisco implementation of etherchannel. LACP is the standards based protocol (802.3ad).
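The per-conversation link selection described above, simulated in Python for a four-member bundle. This is an added example, not the diary's: the XOR-of-low-bits hash is an illustrative stand-in rather than any vendor's actual algorithm, and the MAC addresses, IPs and flows are constructed.

```python
from collections import Counter
from ipaddress import IPv4Address


def member_link(addr_a: bytes, addr_b: bytes, n_links: int) -> int:
    """Illustrative member-link selection: XOR the last byte of the two
    addresses and keep the low-order bits needed to index the bundle
    (2 links -> 1 bit, 4 -> 2 bits, 8 -> 3 bits). Real switch ASICs hash
    more bits and differ by vendor; the point is that the same pair of
    addresses always maps to the same member link."""
    return (addr_a[-1] ^ addr_b[-1]) % n_links


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def choose_link(flow: dict, mode: str, n_links: int) -> int:
    """Pin one conversation to one member link under the given balancing mode.
    Every frame of that conversation, in that direction, uses this link."""
    if mode == "src-dst-mac":
        return member_link(mac_bytes(flow["smac"]), mac_bytes(flow["dmac"]), n_links)
    if mode == "src-dst-ip":
        return member_link(IPv4Address(flow["sip"]).packed,
                           IPv4Address(flow["dip"]).packed, n_links)
    raise ValueError(f"unknown balancing mode {mode!r}")


def distribution(flows, mode: str, n_links: int = 4) -> Counter:
    """How many conversations land on each member link."""
    return Counter(choose_link(f, mode, n_links) for f in flows)


def bandwidth_in_use(flows, mode: str, n_links: int = 4, link_mbps: int = 100):
    """(cap per conversation, aggregate actually usable). One conversation
    never exceeds a single member link; the bundle only reaches n x speed
    when conversations spread over every member."""
    links_used = len(distribution(flows, mode, n_links))
    return link_mbps, links_used * link_mbps


# Constructed sample: the subnet's default gateway has one MAC, and a server
# on 10.1.1.0/24 talks to eight hosts on 10.2.2.0/24 through it, so every
# frame carries the same destination MAC no matter which remote host it is for.
GATEWAY_MAC = "00:00:0c:07:ac:01"
SERVER_MAC = "00:50:56:aa:bb:0a"
SERVER_IP = "10.1.1.10"
OFF_SUBNET_FLOWS = [
    {"smac": SERVER_MAC, "dmac": GATEWAY_MAC, "sip": SERVER_IP, "dip": f"10.2.2.{n}"}
    for n in range(20, 28)
]

if __name__ == "__main__":
    for mode in ("src-dst-mac", "src-dst-ip"):
        print(mode, dict(distribution(OFF_SUBNET_FLOWS, mode)),
              "Mbps usable:", bandwidth_in_use(OFF_SUBNET_FLOWS, mode)[1])
```

With 4x100Mbps members, all eight off-subnet conversations land on one member under MAC balancing (100Mbps usable in total) but spread across all four under IP balancing (400Mbps), while each single conversation is still capped at 100Mbps either way.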



Layer 1/2 Redundancy on Servers - NIC Teaming
NIC teaming is redundancy at the hardware level for servers. This is usually implemented by installing additional drivers, creating a virtual NIC, then adding the physical NICs to that to create a team. In most cases the team operates as an active/passive pair, where the passive NIC only kicks in if link fails (i.e. the cable is pulled) on the active. However, there are usually more advanced options, up to and including support for 802.3ad (see etherchannel above).



Layer 3 Redundancy - Routing Protocol


Routing protocols offer LOTS of avenues for redundant paths and path selection based on various metrics. They give us lots of ways of defining best paths between networks, combining links for performance and detecting and routing around failed links.
They also are, almost without exception, based on the "I trust you" model. If you speak their language, you can reroute or hijack any traffic you want. From an attacker's perspective, the trick is to then send the traffic back on its way, so that you can capture a useful datastream - simply being a black hole for packets doesn't accomplish anything, unless you are trying to DoS someone.



There have been some noteworthy illustrations of intentional and accidental Denial of Service based on routing protocols - last month's BGP experiment-gone-wrong launched by RIPE NCC and Duke, for instance, or any number of BGP mistakes made by one ISP or another over the years (Pakistan's PieNet DoS of YouTube in 2008 comes to mind).



What's next?
Look for ISC diaries coming up that discuss each of these topics in a lot more depth, from the perspective of defense against an attacker. We'll try to break each one of them, and discuss how best to protect them from compromise.






(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Cisco Systems is updating parts of its product line for small businesses, a world where IT needs have grown up over the past few years.
 
Paul McCartney plans to digitize his collection of artwork, videos and master recordings with the goal of making most of it accessible to the public.
 
Ohio Gov. Ted Strickland defended his order to ban offshoring of state government work, describing it as "common sense".
 
Research in Motion may introduce a tablet computer next week, according to the Wall Street Journal.
 
Social-networking style services like Facebook and Twitter have a natural defense against hardcore hackers, a security researcher said.
 
Eclipse, IntelliJ IDEA, NetBeans, and Oracle JDeveloper continue Java's tradition of rich and diverse development tools
 
InfoSec News: Was Stuxnet built to attack Iran's nuclear program?: http://www.csoonline.com/article/616846/was-stuxnet-built-to-attack-iran-s-nuclear-program-
By Robert McMillan IDG News Service September 21, 2010
A highly sophisticated computer worm that has spread through Iran, Indonesia and India was built to destroy operations at one target: [...]
 
InfoSec News: Twitter internet worm attack affects thousands of users: http://www.guardian.co.uk/technology/2010/sep/21/twitter-internet-worm-hacking-attack
By Charles Arthur guardian.co.uk 21 September 2010
Sarah Brown and Lord Sugar were among thousands of Twitter users who yesterday found themselves directing people to third-party sites, [...]
 
InfoSec News: Larry Ellison Hammers Salesforce.com On Security: http://www.informationweek.com/blog/main/archives/2010/09/larry_ellison_h.html
By Bob Evans Global CIO Blog InformationWeek Sept 21, 2010
Introducing Oracle's new Exalogic Elastic Cloud machine, Larry Ellison opened his remarks by saying that cloud computing has many definitions, [...]
 
InfoSec News: Former NSC Official Criticizes Cyber Security Policies: http://blogs.wsj.com/washwire/2010/09/21/former-nsc-official-criticizes-cyber-security-policies/
By Siobhan Gorman Washington Wire The Wall Street Journal September 21, 2010
The Obama administration's cyber security policies came under fire today [...]
 
InfoSec News: [Dataloss Weekly Summary] Week of Sunday, September 12, 2010: ========================================================================
Open Security Foundation - DataLossDB Weekly Summary Week of Sunday, September 12, 2010
5 Incidents Added.
======================================================================== [...]
 
InfoSec News: Hacking, Not Partying, At The Frats: 1 In 5 College Students Have Hacked: http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleID=227500353
By Kelly Jackson Higgins DarkReading Sept 21, 2010
New research shows parents have more to worry about than their college students' underage drinking: Twenty-three percent of college kids say [...]
 
InfoSec News: Microsoft warns of in-the-wild attacks on web app flaw: http://www.theregister.co.uk/2010/09/21/asp_dot_net_padding_oracle_fix/
By Dan Goodin in San Francisco The Register 21st September 2010
Attackers have begun exploiting a recently disclosed vulnerability in Microsoft web-development applications that opens password files and [...]
 

Posted by InfoSec News on Sep 22

http://www.informationweek.com/blog/main/archives/2010/09/larry_ellison_h.html

By Bob Evans
Global CIO Blog
InformationWeek
Sept 21, 2010

Introducing Oracle's new Exalogic Elastic Cloud machine, Larry Ellison
opened his remarks by saying that cloud computing has many definitions,
and he cited Amazon.com and Salesforce.com as examples of profoundly
different cloud approaches. And then he unloaded on Salesforce.com for...
 

Posted by InfoSec News on Sep 22

http://blogs.wsj.com/washwire/2010/09/21/former-nsc-official-criticizes-cyber-security-policies/

By Siobhan Gorman
Washington Wire
The Wall Street Journal
September 21, 2010

The Obama administration's cyber security policies came under fire today
from unexpected quarters -- former National Security Council official
Richard Clarke, who advised the administration’s transition team.

"The Obama administration so far has failed to do the...
 

Posted by InfoSec News on Sep 22

========================================================================

Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, September 12, 2010

5 Incidents Added.

========================================================================

DataLossDB is a research project aimed at documenting known and reported
data loss incidents world-wide. The Open Security Foundation asks for
contributions of new incidents and new data for...
 

Posted by InfoSec News on Sep 22

http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleID=227500353

By Kelly Jackson Higgins
DarkReading
Sept 21, 2010

New research shows parents have more to worry about than their college
students' underage drinking: Twenty-three percent of college kids say
they have hacked for fun or profit, although most of them believe doing
so is wrong.

The report, commissioned by Tufin Technologies and the Association of...
 

Posted by InfoSec News on Sep 22

http://www.theregister.co.uk/2010/09/21/asp_dot_net_padding_oracle_fix/

By Dan Goodin in San Francisco
The Register
21st September 2010

Attackers have begun exploiting a recently disclosed vulnerability in
Microsoft web-development applications that opens password files and
other sensitive data to interception and tampering.

The vulnerability in the way ASP.Net apps encrypt data was disclosed
last week at the Ekoparty Conference in...
 

Posted by InfoSec News on Sep 22

http://www.csoonline.com/article/616846/was-stuxnet-built-to-attack-iran-s-nuclear-program-

By Robert McMillan
IDG News Service
September 21, 2010

A highly sophisticated computer worm that has spread through Iran,
Indonesia and India was built to destroy operations at one target:
possibly Iran's Bushehr nuclear reactor.

That's the emerging consensus of security experts who have examined the
Stuxnet worm. In recent weeks, they've broken the...
 

Posted by InfoSec News on Sep 22

http://www.guardian.co.uk/technology/2010/sep/21/twitter-internet-worm-hacking-attack

By Charles Arthur
guardian.co.uk
21 September 2010

Sarah Brown and Lord Sugar were among thousands of Twitter users who
yesterday found themselves directing people to third-party sites,
including hardcore pornography, as the messaging website fell prey to an
"embarrassing" hacking attack discovered by a Japanese programmer and
then exploited by a...
 
