0blivion7 (0blivion7.txt): 17/09/2000

[ASCII-art logo: 0blivion Magazine]

-=[ Oblivion Magazine ]=-
-=[ http://www.0blivion.org ]=-

Feer Us, Because We Are Gaining R00t On You

-=[ Editor: Cyber0ptix ]=-          -=[ cyberoptix@0blivion.org ]=-
-=[ Assistant Editor: Slider ]=-    -=[ Slider_100@hotmail.com ]=-
-=[ Writer/Advice: LockDown ]=-     -=[ lock-down@hushmail.com ]=-

Ripping Up Sanity For The Masses

-=[ IRC: #OBLIVIONMAG on EFNet ]=-

<XianZomby> The net is in oblivion

-----------------------------
Designed On 800x600 Resolution

-=[ Issue 7 - 15/09/2000 ]=-
Seven Deadly Sins

-=[ Contents ]=-

---------------------------------------  -----------------
[ Articles ]                             [ Author ]
+-------------------------------------+  +---------------+
[ Contents ]                             [ 0blivion.org ]
[ Introduction To Issue 7 ]              [ Slider ]
[ Rant ]                                 [ Cyber0ptix ]
[ Voice over IP ]                        [ Omega ]
[ An Introduction to IPSec ]             [ Kermit23 ]
[ Virtual Router Redundancy Protocol ]   [ Slider ]
[ ADSL ]                                 [ Kermit23 ]
[ Firewall-1 + Firewalls Rant ]          [ L0ck-D0wn ]
[ News - http://net-security.org ]       [ 0blivion.org ]
[ End Credits ]                          [ 0blivion.org ]
---------------------------------------  -----------------

<XianZomby> It bothers me though. I wonder where all the intelligent talk went to, or if the Internet, which used to be a pretty cool place for university people and military people, is now just a big source of porn and sex for AOLers and newbies.

----------------------------------------------
**********************************************
Introduction - Slider
**********************************************

Re. We started Oblivion thinking it would be a one-issue spin-off that absolutely no-one would read. How wrong we were...
For over half a year we have been going, and even channels such as #japan (Big Shoutz) have heard of us. I can't join a channel now without being asked if I help write Oblivion.

Also, you may not have seen much of us this month; this is due to both of us starting new jobs and having other commitments. I have only spoken to Cyber once the whole month! And this was for 10 minutes when I was drunk and just going out clubbing...

Big shoutz to abattis and gossi, who are going to host 0blivion.org while caffeine is down. Big thanks to vortex, who has hosted us previously. Also, you may have noticed we have made it onto packetstorm.securify.com, big thanks to them... and to kermit, who uploaded it! Hello to lockdown, who has been eye-dal with his cyber cafe. Hopefully when he has it up and running we will advertise for him and him for us :]

Big up to atomix and spammy with their bots for the chan, but these have gone down and once again we are being taken over, but now we are just leaving detached IRC sessions in the chan. If anyone has a spare bot or a bot net that they wouldn't mind sticking in the channel to help us keep it, then we would be grateful.

As you can see, peeps are now sending in articles to us, and we are eternally thankful to them, because we need all the help we can get. This is because we can't do it all ourselves. Please will you continue sending them in; we appreciate points of view and of course your articles. This way you can get your work published to a wider audience. Also, if you are thinking of writing an article yourself then also contact us; we will help you as much as possible to write it. We are here to promote learning and sharing of information like the Internet community should be. All we ask is that you publish the document or text in Oblivion mag first, then distribute it to other mags if you wish. This gives us peace of mind knowing that we got something good out of it!
As always I rant on about people sending in points of view and such; this is because Oblivion is written for you. And without you we would not be here, funnily enough...! So come and visit us in #Oblivionmag on EFNet.

Many thanks to you all!

Slider.

<DarkStone> IRCing is not a crime, it's a way of life :)

----------------------------------------------
**********************************************
Cyber0ptix Rant - Cyber0ptix
**********************************************

Well, what a month it has been, working too hard and not had time to do much with 0blivion. Well, luckily slider came to the rescue and put the issue together, cheers mate ;o)

Well, as you may have noticed the site is currently down. Vortex, who hosted the site on caffeine.org.uk, has literally lost the box and doesn't know where it is ;o) Now that's some good admin skills for ya ;o) Oh well, we should be hosted on lab6.com in the very near future; we just need to get the hosting set up and upload the site again. Cheers to slider for rescuing the site from a cached version, gonna have to keep a backup this time ;o)

Well, news just in this second: just been in touch with Gossi and he has set up 0blivion.org on lab6, cheers mate ;o) The site will be uploaded and available as soon as possible.

Well, that's all I've got to say this month as this desperately needs uploading and distributing, then I've got the site to sort out ;o) and I'm at work!!! Anyways, thanks to everyone who has helped 0blivion grow over the last 7 months; I can't believe how big it has got from the time I first thought about releasing a zine. Cheers everyone, beers are on me ;o) Hopefully next month will see a lot more input from myself and we'll try to make the issue bigger and better.

Catch y'all later - Cyber0ptix

----------------------------------------------
**********************************************
Voice over IP - Omega
**********************************************

Today we already have Voice over IP technology.
As this technology matures we are almost certain to see a sharing of bandwidth between voice and data across the Internet. This raises some interesting questions for phone companies. The cost to a user of an Internet connection between New York and Japan is the same as a connection within New York; not so a phone connection. This, and the fact that the Internet is deregulated, will raise many interesting questions in the years to come.

The possibility of running voice over IP networks is extremely attractive because IP technology is very low in cost and because *bandwidth is free* on the Internet. This can dramatically reduce the cost of long distance phone calls. If the Internet can be used successfully for voice, then a range of interesting applications becomes possible.

The disadvantage of these applications is that they all use their own protocols and compression algorithms to transport voice over IP networks. Therefore, most of today's Internet telephone programs are incompatible with each other. Additionally, a PC or a workstation is required to run the voice software.

To provide Voice over IP, or better yet Voice over Internet, to a larger group of people, it is necessary to define a standard for the protocols and the voice compression algorithms. Furthermore, provisions are required so that a normal phone can be used for Voice over IP connections instead of a computer. A standard that realizes this feature is currently being developed by the Voice over IP Forum, which consists of members from different telecommunications companies. The VoIP Forum operates as a working group in the International Multimedia Teleconferencing Consortium. They have published the VoIP Forum Service Interoperability Implementation Agreement (the VoIP IA), which seeks to complete and extend existing standards into a specification providing a complete Internet telephony interoperability protocol.
The VoIP Forum came into being to define a framework within which existing standards could be used in a way that enabled equipment made by different manufacturers to interoperate. The VoIP IA includes specifications for Internet telephony client software and the gateways to the public telephone network.

The basic standard recommended by the VoIP Forum is the International Telecommunication Union (ITU) standard H.323. It is a standard for multimedia communication over packet networks that references many other standards, including definitions for the transport of voice, data and video as well as standards for audio and video compression and decompression.

The Forum Interoperability Implementation Agreement is:

1. A clarification (and interpretation) of the H.323 series of recommendations.
2. A specification as to how H.323 should be used.
3. An extension of H.323 to cover areas (such as Directory Services) that are absent from the standard.

The key elements of the VoIP IA are:

1. H.323 is used for call establishment and capability negotiation.
2. Call signaling between service elements is performed using ITU-T recommendation Q.931 (part of H.323). Each service element provides the necessary conversion from its local endpoint signaling to the H.323/Q.931 backbone protocol.
3. Other telephony-specific requirements, such as the transfer and reproduction of DTMF data, have been added to provide a high level of connectivity with the traditional telephone infrastructure.
4. Directory services are not covered in the base H.323 recommendation. The VoIP IA defines dynamic IP address resolution mechanisms via H.323 RAS.

The main goal of the VoIP IA is to help ensure interoperability between equipment from different vendors. In order to achieve this, the VoIP Forum has specified strict conformance requirements.
Currently, the VoIP IA includes support for two-party voice and similar audio communications over IP networks in a manner similar to, and compatible (via gateways) with, existing Public Switched Telephone Network (PSTN) telephone calls. However, it is expected that the IA will be extended to include multipoint communications in the future. Such multipoint function would be added in such a way that conforming networks remain backward-compatible with the existing VoIP IA. Compatibility with existing (non-IP) multipoint circuit mode conferencing standards is also considered highly desirable. Whenever possible the VoIP IA uses existing IETF and ITU-T protocols and services. Interworking between VoIP connections and the PSTN is provided through the use of H.323 gateways.

- ITU-T Recommendation H.323

H.323 is an ITU-T standard for multimedia videoconferencing on packet-switched networks. Its formal title is "Visual Telephone Systems and Equipment for Local Area Networks Which Provide a Non-Guaranteed Quality of Service". Since voice is one part of multimedia, the standard covers most of the things you have to do to handle voice in:

* LANs
* Corporate intranets
* The Internet

H.323 has been developed very rapidly, much more rapidly than has been customary in the past. Work commenced in the ITU-T in May 1995 and was completed by June 1996. In January 1998, Version 2 of H.323, with added function, will be under development.

The components of an H.323 network are:

* Terminals
* Gateways
* Gatekeepers
* Multipoint Control Units (MCUs). An MCU consists of a Multipoint Controller (MC) and a Multipoint Processor (MP).

The diagram below shows a possible VoIP configuration realized using the H.323 standard. The IP network is connected to public telephone networks through an H.323 to PSTN gateway. Therefore, users of the IP network that have an H.323 terminal (PC with LAN or modem access) can communicate with standard phones in a PSTN.
Also, two users of standard telephones can use the IP network for communications.

                          H.323 TERMINAL  H.323 TERMINAL
                                 |               |
                                 -----------------
                                         |
TELEPHONE --- PSTN --- H.323 TO --- IP NETWORK --- H.323 TO --- PSTN --- TELEPHONE
                      PSTN GATEWAY       |        PSTN GATEWAY
                                         |
                             -------------------------
                             |                       |
                     H.323 GATEKEEPER           DNS SERVER

This example configuration shows that it is not necessary to use H.323 native mode terminals to use H.323. It is perfectly possible to use regular telephones and similar devices connected through gateways.

The H.323 terminal specification is not a specification for a particular terminal type. Instead it specifies the protocols necessary to support multimedia terminal function. That is, it doesn't prescribe the design or functions of any particular device. It specifies the protocols needed to support certain kinds of functions and leaves the physical realization and structure of these to the equipment designer. There are two versions of the H.323 terminal specification, intended for use in two different environments:

* Corporate network terminal
  This is envisaged as a high-quality, high-function device which may perform multiway videoconferencing or just point-to-point voice connection.

* Internet terminal
  In this the specification is optimized to use the minimum bandwidth.

H.323 terminals have built-in multipoint capability for ad-hoc conferences and a multicast feature which allows 3-4 people in a call without centralized mixing or switching.

H.323 gateways provide interoperability between IP-connected H.323 terminals and other audio devices (such as regular telephones), either directly connected to the gateway or connected through a network that is not IP. These could be multimedia devices such as H.320 videoconference terminals or ordinary telephones connected through the public telephone network.
The functions performed by the gateway include the mapping of the call signaling protocols, the control protocols and media mapping (multiplexing, rate matching and audio transcoding).

The H.323 gatekeeper provides the functions of directory server and system supervisor. The network of H.323 terminals and gateways under the control of a particular gatekeeper forms an integrated sub-network within the wider TCP/IP network environment. The gatekeeper's detailed functions are as follows:

* Directory Server (Address Translation) Function
  This function translates an H.323 alias address to an IP (transport) address using information obtained at terminal registration. This allows the user to have meaningful, unchanging names with which to refer to other users in the system. These names are arbitrary. You can use addresses similar to those used in TCP/IP e-mail systems. Alternatively you can use *phone number like* names or another completely different system.

* Supervisory Functions (for example, Call Admission Control)
  The gatekeeper can grant or deny permission to make the call. In doing this it can apply bandwidth limits to manage the network traffic and so prevent congestion occurring. This function is particularly relevant in a LAN environment. The gatekeeper also manages gateways and provides the necessary address translation between external addresses and the IP addresses by which external resources are known within the H.323 network.

* Call Signaling
  The gatekeeper may route calls in order to provide supplementary services or to provide Multipoint Controller functionality for calls with a large number of parties.

* Call Management
  Because the gatekeeper controls network access it is also the logical place to perform call accounting and management.

The Multipoint Controller and Multipoint Processor form the Multipoint Control Unit (MCU). This H.323 component provides conference management, media processing and the multipoint conference model.
The MCU supports media distribution for unicast and multicast data.

- Voice Compression (G.723.1 and G.729)

The ITU recommendations G.723.1, G.729 and G.729A specify the operation of codecs in low-quality networking environments similar to that found in the current public Internet.

* G.723.1
  Offers a relatively high degree of compression with an output bit rate of either 5.3 or 6.4 kbps. Using a data length in the packet of 20 or 24 bytes, this means that each packet carries 30 ms of the real-time voice signal. The coder typically causes a one-way processing delay of 30 ms, a lookahead delay (to the next packet) of 7.5 ms and of course the packet assembly time of 30 ms (because 30 ms of voice is carried in a single packet). This imposes a one-way delay at each end of the connection of 67.5 ms, that is, 135 ms end-to-end one-way.

* G.729
  Comes in two flavors: G.729 and G.729A. The key difference is in the amount of processing required to implement the algorithm. In both cases the compressed bit rate is 8 kbps and the amount of real-time voice encoded per packet is 10 ms. This gives a data packet size of 10 bytes. The algorithm used is called Conjugate Structured Algebraic Code Excited Linear Predictive (CS-ACELP). As input, CS-ACELP takes 80 samples of standard or linear PCM (64 kbps Pulse Code Modulation). This algorithm was designed for implementation by advanced fixed point Digital Signal Processors (DSPs) and is noted for delivering an exceptionally high level of voice quality with minimal delay. In terms of delay both flavors are the same, requiring 10 ms for packet assembly, 10 ms for processing and 5 ms for lookahead. This means a 50 ms end-to-end delay due to the codecs.

* GSM
  The Group Special Mobile (GSM) audio compression is an algorithm originally defined for use with digital mobile telephones. It is a European standard, not one of the ITU set. GSM is an allowed alternative for VoIP.
  A frame of 160 samples (each sample a 16-bit signed word) is used, which is then compressed into a smaller frame of 260 bits. These 260 bits are made up of different variables, each variable requiring a different number of bits. The VoIP Forum selected the RTP basic packaging type, which enables the packaging of an even or odd number of GSM frames within a single RTP packet.

G.729 speech frames can be made into packets consuming approximately 9 kbps on a private leased line and 10.6 kbps on a frame relay link, including overhead. If silence suppression is used, the bandwidth required is reduced to an average of approximately 4 kbps.

It seems obvious that it is not very efficient to add a TCP/IP header to a packet that has a data payload of only 10 bytes. Thus G.723.1 is much more efficient in its use of bandwidth than G.729, but G.729 has significantly lower delay.

- The VoIP Protocol Stack

The VoIP IA consists of a number of protocols interworking with one another to perform the overall function. These protocols operate in a hierarchical fashion and may be represented as a stack in the same way as most other communications systems are described. Each protocol is defined according to what its purpose is and what relevant standard (or draft) defines it. The VoIP stack is very similar to the H.323 stack. However, there are several additional functions that are not present in H.323.

CALL ESTABLISHMENT AND CONTROL

The call establishment and control protocols determine the sequence and timing of:

1. Call establishment
2. Call disconnection
3. Control of the H.323 session after it is established

PRESENTATION

The presentation function interprets the syntax of all transferred audio and *in-band* control information such as dual tone multiple frequency (DTMF) dialing signals.
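Before moving on to addressing, the codec figures given in the Voice Compression section above (bit rate, frame length, processing and lookahead delay) can be turned into per-packet sizes, packet rates, bandwidth on the wire and end-to-end codec delay. The Python below is an added example, not code from the article or the VoIP Forum. It assumes uncompressed IPv4 + UDP + RTP headers of 40 bytes (so it reproduces the "10 bytes of payload under a big header" inefficiency the article points out, not the lower leased-line figure, which depends on link-layer header compression this example does not model), and it takes GSM full rate as 160 samples at 8 kHz, i.e. a 20 ms, 13 kbps frame; the 8 kHz rate is an assumption, the article gives only the sample count and the 260-bit frame.

```python
"""Per-packet size, packet rate, wire bandwidth and codec delay for G.723.1,
G.729 and GSM.  Added example, not from the article.  Assumptions (labelled):
uncompressed IPv4+UDP+RTP headers of 40 bytes; GSM full rate at 8 kHz, so a
160-sample frame is 20 ms (13 kbps); frame and delay figures as in the article."""
import math
from dataclasses import dataclass

HEADER_BYTES = 20 + 8 + 12   # IPv4 + UDP + RTP, no header compression (assumption)


@dataclass(frozen=True)
class Codec:
    name: str
    bitrate_bps: int      # compressed output rate
    frame_ms: float       # speech time carried per frame
    processing_ms: float  # one-way coder processing delay
    lookahead_ms: float   # delay waiting for look-ahead samples

    def frame_bytes(self) -> int:
        """Bits per frame rounded up to whole bytes: 5.3 kbps * 30 ms = 159 bits -> 20 bytes."""
        return math.ceil(self.bitrate_bps * self.frame_ms / 1000 / 8)

    def packets_per_second(self, frames_per_packet: int = 1) -> float:
        return 1000 / (self.frame_ms * frames_per_packet)

    def wire_kbps(self, frames_per_packet: int = 1, header_bytes: int = HEADER_BYTES) -> float:
        """Bandwidth on the wire once every packet carries full headers."""
        packet = header_bytes + self.frame_bytes() * frames_per_packet
        return packet * 8 * self.packets_per_second(frames_per_packet) / 1000

    def payload_efficiency(self, frames_per_packet: int = 1, header_bytes: int = HEADER_BYTES) -> float:
        """Fraction of each packet that is speech rather than header."""
        payload = self.frame_bytes() * frames_per_packet
        return payload / (payload + header_bytes)

    def end_to_end_codec_delay_ms(self, frames_per_packet: int = 1) -> float:
        """Assembly (wait for a full packet) + processing + look-ahead, paid at both ends."""
        per_end = self.frame_ms * frames_per_packet + self.processing_ms + self.lookahead_ms
        return 2 * per_end


# Figures from the article.  GSM's rate and frame length are the assumption noted
# above; its processing/look-ahead delay is not given, so only assembly delay counts.
CODECS = {
    "G.723.1/5.3": Codec("G.723.1 (5.3 kbps)", 5300, 30.0, 30.0, 7.5),
    "G.723.1/6.4": Codec("G.723.1 (6.4 kbps)", 6400, 30.0, 30.0, 7.5),
    "G.729":       Codec("G.729 / G.729A", 8000, 10.0, 10.0, 5.0),
    "GSM":         Codec("GSM full rate", 13000, 20.0, 0.0, 0.0),
}


def summarize(frames_per_packet: int = 1) -> list:
    """One row per codec: payload bytes, packets/s, kbps on the wire, efficiency, delay."""
    rows = []
    for codec in CODECS.values():
        rows.append({
            "codec": codec.name,
            "payload_bytes": codec.frame_bytes() * frames_per_packet,
            "pps": round(codec.packets_per_second(frames_per_packet), 2),
            "wire_kbps": round(codec.wire_kbps(frames_per_packet), 2),
            "efficiency": round(codec.payload_efficiency(frames_per_packet), 3),
            "delay_ms": codec.end_to_end_codec_delay_ms(frames_per_packet),
        })
    return rows


if __name__ == "__main__":
    for fpp in (1, 2):
        print(f"--- {fpp} frame(s) per packet ---")
        for r in summarize(fpp):
            print(f"{r['codec']:<20} {r['payload_bytes']:>4} B  {r['pps']:>6.2f} pps  "
                  f"{r['wire_kbps']:>6.2f} kbps  eff {r['efficiency']:.3f}  "
                  f"delay {r['delay_ms']} ms")
```

Running it with two frames per packet shows the trade the article describes in one table: packing more frames halves the header overhead but adds a full frame time of assembly delay at each end.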
ADDRESSING

Because IP networks are dynamic addressing environments, it can happen that the IP address that identified an H.323 terminal in a past telephone connection is different from the IP address in a later connection. Even if addresses were stable, it would be a big problem for every end user to know every IP address that was needed. Therefore, a very dynamic *telephone book* is needed to allow the end user to look up the IP address of an H.323 terminal dynamically. In fact there are two methods available for constructing such a *telephone book*. The first method is a protocol called RAS, which allows H.323 endpoints to locate other H.323 endpoints via an H.323 gatekeeper. Alternatively, an H.323 endpoint can be allowed to initially locate an H.323 gatekeeper via DNS.

RAS

Registration, Admission, Status (RAS) is a protocol that specifies how H.323 entities can access gatekeepers to realize address translation.

AUDIO CODEC

Audio Coders/Decoders (codecs) are used to convert analog audio to/from digital signals.

H.245

In general, H.245 defines a control protocol for multimedia communications. In the VoIP stack H.245 specifies how the channels inside telephone calls are established and controlled. It also includes methods for sending and receiving DTMF dial tones.

H.225.0

H.225.0 is entitled "Media Stream Packetisation and Synchronization on Non-Guaranteed Quality of Service LANs". It defines how audio packets, control packets and DTMF dial information are transmitted over IP networks.

Q.931

Q.931 is a signaling protocol that is used to set up, tear down, and control H.323 communication sessions. The protocol originated as the signaling specification for ISDN. The way in which it is used in VoIP is defined in H.225.0.

RTP/RTCP

RTP/RTCP and the G.723.1 RTP audio packetisation were originally standardized by the IETF. RTP is a real-time transport protocol used to carry the VoIP media; its control part, RTCP, monitors packet delivery.
The G.723.1 RTP audio packetisation defines how the G.723.1 audio frames are transmitted in the RTP payload.

On the transport layer, VoIP uses UDP for RAS, DNS and RTP/RTCP, and TCP for H.245, Q.931 and sometimes for DNS.

- References

The following RFCs contain more information on IP multicasting and RTP:

- RFC 1075 Distance Vector Multicast Routing Protocol
- RFC 1112 Host Extensions for IP Multicasting
- RFC 1584 Multicast Extensions to OSPF
- RFC 1700 Assigned Numbers
- RFC 1889 RTP: A Transport Protocol for Real-Time Applications
- RFC 1890 RTP Profile for Audio and Videoconferences with Minimal Control
- RFC 2190 RTP Payload Format for H.263 Video Streams
- RFC 2198 RTP Payload for Redundant Audio Data
- RFC 2362 Protocol-Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification

----------------------------------------------
**********************************************
An Introduction to IPSec - Kermit23
**********************************************

* Slider does not suggest taking women's medicine *

It has been said many times by many people (including the ever influential voice of some guests on the BBC2 program "Hack the Planet") that IP is an insecure protocol. To have secure communication a protocol must satisfy three basic requirements:

1. Authentication: You know that the person you believe you are communicating with really is that person.
2. Confidentiality: You know that no one is listening in on your communications.
3. Integrity: You know your communications have not been tampered with between leaving the sender and being received by you.

IP fails in several of these areas; not that this is a criticism of IP, it was never designed for security. For one, it is trivial to spoof an IP address, simply by changing the value of the "source IP address" header field. This allows for session hijacking if the return communications of the target host can be predicted. For a good example of this in action, see the hack that got Kevin Mitnick busted.
On Ethernet it is simple to breach the confidentiality of IP by sniffing the network through most Ethernet cards, and in a larger network it may be possible to intercept the data by having access to one of the points it must travel through between sender and recipient.

IPSec combats these problems with a three-part system.

Part 1: Authentication Header, or AH, "signs" the packet, in the same way you may sign a message with PGP.
Part 2: Encapsulation Payload, or ESP, encrypts the information in the packet, theoretically with any symmetric encryption method, but most commonly with 56-bit DES.
Part 3: Internet Key Exchange, or IKE, is a complex negotiation protocol for the safe exchange of keys across an insecure environment.

----- The ESP Packet

The IPsec ESP packet is encapsulated within an IP packet, which allows compatibility with most networks, and is tightly integrated with IPv6 (see Oblivion 4 for more information on IPv6).

       >>IP headers here<<
       ___________________
      |        SPI        |  1
      |-------------------|
      |     Sequence #    |  2
      |-------------------|
      |       Data        |  3
      |                   |
      |                   |
      |-------------------|
      |      padding      |  4
      |-------------------|
      | pad length | next |  5 & 6
      |-------------------|
      |  Authentication   |  7
      |       Data        |
      |___________________|

1 - SPI: Security Parameter Index. This is a 32-bit number which identifies the security parameters being used: which keys, algorithm, key expiry and so on.
2 - Sequence Number: An incrementing counter of the packet number.
3 - Data: This is the information for the higher level applications, and varies in length.
4 - Padding: From 0 to 255 bytes, to confuse sniffers planning to analyse data size to determine the algorithm used.
5 - Pad Length: How large the padding field is.
6 - Next: Same as in IP, identifies the type of data carried and what protocol it is for.
7 - Authentication Data: This is an optional field that contains an Integrity Check Value (ICV).
The ICV is computed by taking a hash of the encrypted packet and attached at the end, varying in length depending on the algorithm. The standard specifies that SHA-1 and MD5 are supported. Parts 1-6 are authenticated. Parts 3-6 are encrypted.

Multiple cipher algorithms can be used to encrypt the data carried by the packet, but the standard defines 56-bit DES to ensure there is a minimum level of interoperability between various implementations.

As you can see from this, it is possible to encapsulate IP in an ESP packet, and hence set up a VPN, tunnelling IP through IPSec.

----- The AH Packet

The Authentication Header is used to provide, fairly obviously, authentication, but does not provide any confidentiality (read: encryption), so sniffed data is usable by an attacker. However, it can be combined with ESP. If combined in this way, the AH goes before ESP (or TCP if used on its own), and after IP.

       >>>IP Headers Here<<<
       ___________________
      |Next|Leng|  Rsvd   |  1, 2 & 3
      |-------------------|
      |        SPI        |  4
      |-------------------|
      |     Sequence #    |  5
      |-------------------|
      |  Authentication   |  6
      |       Data        |
      |___________________|
       >>>ESP Header Here<<<

1 - Next: Indicates the type of the following protocol.
2 - Length: An 8-bit field which specifies the size of the AH in 32-bit words, minus 2.
3 - Reserved: Always 0.
4 - Security Parameter Index: As ESP.
5 - Sequence Number: Packet order tracking etc.
6 - Authentication Data: An ICV similar to that of the ESP, which may be padded to a multiple of 32 or 64 bits (for IPv4 or v6).

----- Key Points (I bet someone at a management course would find that funny).

It is safe to assume that no matter how strong the algorithm is, it's not a whole lot of use if the attacker has the key. To ensure this doesn't happen it's generally considered that exchanging keys personally is the only option.
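Before going on to key management, the two layouts drawn above (the ESP packet with its trailer and ICV, and the AH with its length-in-words field and ICV) can be made concrete as byte-level builders and parsers. The Python below is an added example, not code from the article or from any IPsec implementation. It assumes ESP with NULL encryption so that the trailer is readable without a cipher, an ICV of HMAC-SHA-1 truncated to 96 bits as RFC 2404 specifies, and an AH ICV that covers only the AH and the data after it (a real implementation also covers the immutable fields of the outer IP header); the key and packets are constructed test values.

```python
"""Builders and parsers for the ESP and AH layouts described in the article.
Added example, not from the article.  Assumptions (labelled): ESP uses NULL
encryption so the trailer can be read without a cipher; the ICV is HMAC-SHA-1
truncated to 96 bits (RFC 2404); the AH ICV here covers only the AH plus what
follows it; the key and packets are constructed test values."""
import hashlib
import hmac
import struct

ICV_LEN = 12                                      # HMAC-SHA-1-96 (RFC 2404)
AUTH_KEY = b"constructed-test-key-do-not-reuse"   # constructed, for the demo only
PROTO_TCP, PROTO_ESP = 6, 50                      # IANA protocol numbers


def icv(auth_key: bytes, authenticated: bytes) -> bytes:
    """Keyed hash over the authenticated region, truncated to 96 bits."""
    return hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]


def build_esp(spi: int, seq: int, data: bytes, next_header: int, auth_key: bytes) -> bytes:
    """Fields 1-7: SPI, sequence, data, padding, pad length, next, ICV.
    Padding brings data + the 2 trailer bytes to a 4-byte boundary."""
    pad_len = (-(len(data) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))         # 1, 2, 3 ... default pad pattern
    body = struct.pack("!II", spi, seq) + data + padding + bytes([pad_len, next_header])
    return body + icv(auth_key, body)              # fields 1-6 are what the ICV covers


def parse_esp(packet: bytes, auth_key: bytes) -> dict:
    """Verify the ICV first, then peel the trailer off the (null-encrypted) data."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("too short for ESP")
    authenticated, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(auth_key, authenticated)):
        raise ValueError("ESP ICV mismatch")       # tampered, or wrong SA key
    spi, seq = struct.unpack("!II", authenticated[:8])
    pad_len, next_header = authenticated[-2], authenticated[-1]
    data_end = len(authenticated) - 2 - pad_len
    if data_end < 8:
        raise ValueError("pad length larger than payload")
    return {"spi": spi, "seq": seq, "next": next_header,
            "pad_len": pad_len, "data": authenticated[8:data_end]}


def esp_is_authentic(packet: bytes, auth_key: bytes) -> bool:
    """True only if the packet parses and its ICV verifies under this key."""
    try:
        parse_esp(packet, auth_key)
        return True
    except ValueError:
        return False


def build_ah(next_header: int, spi: int, seq: int, auth_key: bytes, covered: bytes) -> bytes:
    """Fields 1-6: next, payload length, reserved, SPI, sequence, ICV.  Payload Len
    is the AH length in 32-bit words minus 2 (RFC 2402); the ICV is computed
    with its own field zeroed."""
    ah_len = 12 + ICV_LEN
    header = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    return header + icv(auth_key, header + bytes(ICV_LEN) + covered)


def parse_ah(packet: bytes, auth_key: bytes) -> dict:
    """Recover the AH fields, check the ICV and report where the next header starts."""
    next_header, payload_len, reserved, spi, seq = struct.unpack("!BBHII", packet[:12])
    ah_len = (payload_len + 2) * 4
    tag, covered = packet[12:ah_len], packet[ah_len:]
    expected = icv(auth_key, packet[:12] + bytes(len(tag)) + covered)
    return {"next": next_header, "ah_len": ah_len, "reserved": reserved, "spi": spi,
            "seq": seq, "icv_ok": hmac.compare_digest(tag, expected)}


if __name__ == "__main__":
    esp = build_esp(0x1000, 1, b"hello from the higher layers", PROTO_TCP, AUTH_KEY)
    print(parse_esp(esp, AUTH_KEY))
    ah = build_ah(PROTO_ESP, 0x2000, 7, AUTH_KEY, esp)   # AH in front of ESP, as above
    print(parse_ah(ah + esp, AUTH_KEY))
    damaged = bytearray(esp)
    damaged[12] ^= 0x01                                   # flip one bit of the data
    print("tampered packet accepted?", esp_is_authentic(bytes(damaged), AUTH_KEY))
```

The order of operations in parse_esp is the point worth copying: the ICV is checked over the whole authenticated region before a single trailer byte is trusted, so a forged pad length can never steer the parser, and the comparison is constant-time.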
However, if a network is to be built which incorporates a reasonable number of people, all of whom want to change their keys monthly, you would need an awful lot of one-to-one meetings. This is fairly impractical and highlights the need to find a good way to exchange keys without being physically together.

IPSec addresses the three major problems:

1: That you have to negotiate which protocols, algorithms and keys to use.
2: You have to exchange keys (potentially a lot).
3: You have to keep track of it all.

--

Keeping track of this information is done by a big bundle of chewy data called the Security Association, cunningly abbreviated to SA. An SA includes:

- The authentication algorithm being used for AH, and the keys for it.
- The encryption algorithm being used by ESP, and the keys.
- How communications are authenticated (protocol, algorithm, key).
- How communications are kept private (protocol, algorithm, key).
- When the keys expire.
- Lifetime of the SA.
- The SA source address.
- Sensitivity Level Descriptor - an indication of levels of security.

The SA itself is identified by the SPI field in the packets described earlier.

--

Key Exchange is dealt with by IKE, Industrial Strength Key Exchange. There is also provision to exchange keys via face-to-face meetings, if you feel the need.

IKE goes through two phases, and eventually returns a complete SA. Phase 1 establishes a secure connection between the two peers, which is used in Phase 2 to negotiate the SA. It can be used in three modes:

Main - Secures a channel for phase 1.
Aggressive - As main, but passes identity information before the secure link has been established, which is quicker but could allow an attacker to determine the members of the SA.
Quick - Used after main or aggressive, and assumes that the tunnel already established is secure.

To establish a temporary SA for the negotiation of the general SA (the temp.
one being known as an IKE SA), the first peer proposes:

- Encryption algorithms
- Hash algorithms
- Authentication method
- Information to base a Diffie-Hellman exchange on.
- The Pseudo Random Function to be used for certain hash operations (can use the hash established earlier instead, so this is optional).
- Type of protection, ESP or AH.

For those that haven't heard of it, Diffie-Hellman is a pretty cool bit of crypto that takes a public key from another source and your own public key and combines them (using your own private key) to make a symmetric (non public key style) encryption key that both parties can derive from only the public keys, while being incredibly difficult for an attacker with both public keys to duplicate.

Once the secure channel has been established, SAs are generated and SPI values are assigned, then communicated to the other party. From then on an SPI with IP address and protocol uniquely identifies a particular SA, and can be used for secure communication and tunnelling.

---- Who's who.

There still at this point needs to be an authentication that the person you are talking to is the person you think you are talking to. With what I have mentioned so far you can be sure that you will always be talking to the same person, and that your communications with them are secure, but not that they are who they say they are. This is covered by a common idea, and one used in IPsec, the Certification Authority, or CA. A CA is a third party trusted by the parties wishing to communicate, one who will vouch for the identity of the person who the communication is intended for or from. In general a CA will give you three things to validate someone:

- A unique identity.
- The person's public key (linking it to that identity).
- The CA's public key (used to verify these communications).

The key to this is that the CA has a very well known public key, so it is easily verified, and hard to spoof.
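The Diffie-Hellman step described above, in which each peer combines the other's public value with its own private exponent and both arrive at the same symmetric key, is short enough to run end to end. The Python below is an added example, not code from the article or from any IKE implementation. Its group (p = 2^127 - 1, g = 5) is a toy parameter chosen so the script runs instantly; real IKE uses the large groups of RFC 2409. The key-derivation step, which hashes the shared secret with both peers' nonces, is a simplified stand-in for the pseudo random function in the proposal list above, not the exact IKE formula.

```python
"""Diffie-Hellman exchange of the kind IKE phase 1 builds on, followed by
derivation of symmetric keying material from the shared secret.  Added example,
not from the article.  Assumptions (labelled): the group is a toy one, far too
small for real use; the derivation step is a simplified stand-in for IKE's prf."""
import hashlib
import secrets

P = (1 << 127) - 1   # Mersenne prime; constructed toy parameter, not a real IKE group
G = 5


def is_valid_public(value: int, p: int = P) -> bool:
    """Reject 0, 1 and p-1: those force the shared secret to a trivial value."""
    return 1 < value < p - 1


def dh_keypair(p: int = P, g: int = G):
    """Private exponent x and the public value g^x mod p that is sent to the peer."""
    priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)


def dh_shared(priv: int, peer_pub: int, p: int = P) -> int:
    """Combine the peer's public value with our private exponent: (g^y)^x mod p."""
    if not is_valid_public(peer_pub, p):
        raise ValueError("degenerate peer public value")
    return pow(peer_pub, priv, p)


def keying_material(shared: int, nonce_i: bytes, nonce_r: bytes, p: int = P) -> bytes:
    """Hash the shared secret with both nonces into 32 bytes of symmetric key
    (simplified; IKE's SKEYID uses the negotiated prf)."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big") + nonce_i + nonce_r).digest()


def run_exchange(p: int = P, g: int = G):
    """Initiator and responder keep their private exponents, swap only public
    values and nonces, and still arrive at identical keying material."""
    i_priv, i_pub = dh_keypair(p, g)
    r_priv, r_pub = dh_keypair(p, g)
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    k_i = keying_material(dh_shared(i_priv, r_pub, p), nonce_i, nonce_r, p)
    k_r = keying_material(dh_shared(r_priv, i_pub, p), nonce_i, nonce_r, p)
    return k_i == k_r, k_i


if __name__ == "__main__":
    agreed, key = run_exchange()
    print("peers agree:", agreed, "key:", key.hex())
```

Everything an eavesdropper sees (p, g, both public values, both nonces) is on the wire; the private exponents never leave their owners, which is the whole reason the derived key can be used for the IKE SA.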
IPsec uses X.509, like just about everyone else, where the web of trust style has proved extremely effective.

----- Who's got it?

IPsec is available in Windows 2000, Linux, most BSDs and probably the other major flavours of Unix and NT 4. Hopefully, as more and more vendors incorporate it into their OSes, it will become a universally *used* standard, providing low level security across the Internet. However, until then, try getting hold of an implementation and have a go.

Kermit23 -- kermit23@raegunne.com
http://www.raegunne.com

----------------------------------------------
**********************************************
Virtual Router Redundancy Protocol (VRRP) - Slider
**********************************************

This was written after BT failed last month setting up their SurfTime network, which was down for 17 hours when a fibre cable split. And to quote Cyber: "Oh well, it's a routing network, you would have thought, no need to worry. Well BT didn't think about building backup routes into the network and decided to leave it with a single point of failure, which resulted in no one being able to connect." So, Oblivion decided that BT needed to be sk00led in how to use Virtual Router Redundancy Protocol...

VRRP was issued to the IETF by IBM, Ascend Communications, Microsoft and Digital Equipment Corp. in April 1998 and is documented in RFC 2338.

- Introduction

The use of a statically configured default route is quite popular for host IP configurations. It minimizes configuration and processing overhead on the end host and is supported by virtually every IP implementation. This mode of operation is likely where dynamic host configuration protocols such as DHCP are deployed, which typically provide configuration for an end-host IP address and default gateway. However, this creates a single point of failure.
Loss of the default router results in a catastrophic event, isolating all end hosts that are unable to detect any alternate path that may be available.

VRRP is designed to eliminate the single point of failure inherent in the static default routed environment. VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN. The VRRP router controlling the IP address(es) associated with a virtual router is called the master, and forwards packets sent to these IP addresses. The election process provides dynamic fail-over in the forwarding responsibility should the master become unavailable. Any of the virtual router's IP addresses on a LAN can then be used as the default first hop router by end hosts. The advantage gained from using VRRP is a higher availability default path without requiring configuration of dynamic routing or router discovery protocols on every end host.

- VRRP Definitions

Before giving an overview of VRRP, some terms used in VRRP need to be defined.

* VRRP Router
  A router running the Virtual Router Redundancy Protocol. It may participate in one or more virtual routers.

* Virtual Router
  An abstract object managed by VRRP that acts as a default router for hosts on a shared LAN. It consists of a virtual router identifier and a set of associated IP address(es) across a common LAN. A VRRP router may back up one or more virtual routers.

* IP Address Owner
  The VRRP router that has the virtual router's IP address(es) as real interface address(es). This is the router that, when up, will respond to packets addressed to one of these IP addresses for ICMP pings, TCP connections, etc.

* Primary IP Address
  An IP address selected from the set of real interface addresses. One possible selection algorithm is to always select the first address. VRRP advertisements are always sent using the primary IP address as the source of the IP packet.
* Virtual Router Master
  The VRRP router that is assuming the responsibility of forwarding packets sent to the IP address(es) associated with the virtual router, and answering ARP requests for these IP addresses. Note that if the IP address owner is available, then it will always become the master.

* Virtual Router Backup
  The set of VRRP routers available to assume forwarding responsibility for a virtual router should the current master fail.

- VRRP Overview

VRRP specifies an election protocol to provide the virtual router function described earlier. All protocol messaging is performed using IP multicast datagrams, thus the protocol can operate over a variety of multiaccess LAN technologies supporting IP multicast. Each VRRP virtual router has a single well-known MAC address allocated to it. The virtual router MAC address is used as the source in all periodic VRRP messages sent by the master router, to enable bridge learning in an extended LAN.

A virtual router is defined by its virtual router identifier (VRID) and a set of IP addresses. A VRRP router can associate a virtual router with its real addresses on an interface, and can also be configured with additional virtual router mappings and priority for virtual routers it is willing to back up. The mapping between VRID and addresses must be coordinated among all VRRP routers on a LAN. However, there is no restriction against reusing a VRID with a different address mapping on different LANs. The scope of each virtual router is restricted to a single LAN.

To minimize network traffic, only the master for each virtual router sends periodic VRRP advertisement messages. A backup router will not attempt to pre-empt the master unless it has higher priority. This eliminates service disruption unless a more preferred path becomes available. It's also possible to administratively prohibit all pre-emption attempts.
The only exception is that a VRRP router will always become master of any virtual router associated with addresses it owns. If the master becomes unavailable then the highest priority backup will transition to master after a short delay, providing a controlled transition of the virtual router responsibility with minimal service interruption.

The VRRP protocol design provides rapid transition from master to backup to minimize service interruption, and incorporates optimizations that reduce protocol complexity while guaranteeing controlled master transition for typical operational scenarios. The optimizations result in an election protocol with minimal runtime state requirements, minimal active protocol states, and a single message type and sender. The typical operational scenarios are defined to be two redundant routers and/or distinct path preferences among each router. A side effect when these assumptions are violated (for example, more than two redundant paths all with equal preference) is that duplicate packets can be forwarded for a brief period during master election. However, the typical scenario assumptions are likely to cover the vast majority of deployments, loss of the master router is infrequent, and the expected duration of master election convergence is quite small (<< 1 second). Thus the VRRP optimizations represent significant simplifications in the protocol design while incurring an insignificant probability of brief network degradation.

- Sample Configuration

The following figure shows a simple example network with two VRRP routers implementing one virtual router.

            RTR-1                    RTR-2
       VRID=1 (master)               VRID=1
         9.180.20.3                9.180.20.4
             |                         |
             |                         |
             |                         |
   ---------------------------------------------------
       |          |          |          |
       |          |          |          |
       |          |          |          |
     HOST1      HOST2      HOST3      HOST4

The above configuration shows a very simple VRRP scenario. In this configuration, the end hosts install a default route to the IP address of virtual router #1 (IP address 9.180.20.3) and both routers run VRRP.
The router on the left becomes the master for virtual router #1 (VRID=1) and the router on the right is the backup for virtual router #1. If the router on the left should fail, the other router will take over virtual router #1 and its IP addresses, and provide uninterrupted service for the hosts.

Note that in this example, IP address 9.180.20.4 is not backed up by the router on the left. IP address 9.180.20.4 is only used by the router on the right as its interface address. In order to back up IP address 9.180.20.4, a second virtual router would have to be configured. This is shown in the following example.

            RTR-1                    RTR-2
       VRID=1 (master)               VRID=1
            VRID=2               VRID=2 (master)
         9.180.20.3                9.180.20.4
             |                         |
             |                         |
             |                         |
   ---------------------------------------------------
       |          |          |          |
       |          |          |          |
       |          |          |          |
     HOST1      HOST2      HOST3      HOST4

The figure above shows a configuration with two virtual routers, with the hosts splitting their traffic between them. This example is expected to be very common in actual practice. In this configuration, half of the hosts install a default route to virtual router #1's IP address (9.180.20.3), and the other half of the hosts install a default route to virtual router #2's IP address (9.180.20.4). This has the effect of load balancing the traffic from the hosts through the routers, while also providing full redundancy.

- VRRP Packet Format

The purpose of the VRRP packet is to communicate to all VRRP routers the priority and the state of the master router associated with the virtual router ID. VRRP packets are sent encapsulated in IP packets. They are sent to the IPv4 multicast address assigned to VRRP. The IP address assigned by the IANA for VRRP is 224.0.0.18. This is a link local scope multicast address. Routers must not forward a datagram with this destination address regardless of its TTL. The TTL must be set to 255. A VRRP router receiving a packet with the TTL not equal to 255 must discard the packet.
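An added example, not from the article, RFC 2338 or any router vendor, that serialises and checks the advertisement whose header fields are defined in the list that follows, and applies the election rules from the overview and sample configuration above: the owner's priority of 255, the default of 100, the priority-0 "I have stopped" advertisement, the TTL-255 receive check, the checksum, and the authentication-type check. Function names, the dictionary the parser returns, and the sample addresses (the article's 9.180.20.3 and .4) are my choices; the checksum is the standard Internet one's-complement sum, and the timers follow RFC 2338's Master_Down_Interval formula (3 * advertisement interval plus a skew of (256 - priority)/256 seconds), which the article does not quote. It goes slightly beyond the text by also handling the tie-break between two routers of equal priority (the higher primary IP address wins).

```python
"""VRRP (RFC 2338) advertisement encoding, receive-side checks and election.

Added illustrative example; not from the article, RFC 2338 or any router
vendor. The addresses are the article's sample network (9.180.20.3/.4).
"""
import ipaddress
import struct

VRRP_MCAST = "224.0.0.18"                 # IANA-assigned group quoted in the article
VRRP_VERSION, VRRP_TYPE_ADVERT = 2, 1
AUTH_NONE, AUTH_SIMPLE, AUTH_AH = 0, 1, 2
PRIO_OWNER, PRIO_DEFAULT, PRIO_RELEASE = 255, 100, 0
HDR = "!BBBBBBH"          # ver/type, vrid, prio, count, auth type, adver int, checksum


def internet_checksum(data):
    """One's-complement sum (RFC 1071) over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advert(vrid, priority, addrs, adver_int=1, auth_type=AUTH_NONE, auth_data=b""):
    """Serialise one advertisement: 8-byte header, N IPv4 addresses, 8 bytes auth data."""
    if not 0 <= priority <= 255 or not 1 <= len(addrs) <= 255:
        raise ValueError("priority or address count out of range")
    hdr = struct.pack(HDR, (VRRP_VERSION << 4) | VRRP_TYPE_ADVERT,
                      vrid, priority, len(addrs), auth_type, adver_int, 0)
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    msg = hdr + body + auth_data.ljust(8, b"\x00")[:8]
    return msg[:6] + struct.pack("!H", internet_checksum(msg)) + msg[8:]


def parse_advert(data, ip_ttl, local_auth_type=AUTH_NONE):
    """Apply the receive checks the article lists; raise ValueError on any failure."""
    if ip_ttl != 255:
        raise ValueError("TTL is not 255: packet has crossed a router")
    if len(data) < 20 or internet_checksum(data) != 0:
        raise ValueError("truncated or corrupt (checksum)")
    vt, vrid, prio, count, auth_type, adver_int, _ = struct.unpack(HDR, data[:8])
    if vt >> 4 != VRRP_VERSION or vt & 0x0F != VRRP_TYPE_ADVERT:
        raise ValueError("unknown version or packet type")
    if auth_type != local_auth_type:
        raise ValueError("authentication type does not match this interface")
    if len(data) != 8 + 4 * count + 8:
        raise ValueError("Count IP Addrs disagrees with packet length")
    addrs = [str(ipaddress.IPv4Address(data[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "adver_int": adver_int,
            "auth_type": auth_type, "addrs": addrs, "auth_data": data[-8:]}


def accept(data, ip_ttl, local_auth_type=AUTH_NONE):
    """True if a received advertisement passes every check above."""
    try:
        parse_advert(data, ip_ttl, local_auth_type)
        return True
    except ValueError:
        return False


def skew_time(priority):
    """Lower-priority backups wait slightly longer, so the best one wins cleanly."""
    return (256 - priority) / 256


def master_down_interval(priority, adver_int=1):
    """Silence from the master for this long makes a backup take over."""
    return 3 * adver_int + skew_time(priority)


def backup_wait_after(advert, local_priority):
    """Seconds a backup waits before becoming master after seeing this advert.

    A priority-0 advertisement means the master has resigned, so only the
    skew time is waited; otherwise the full master-down interval restarts.
    """
    if advert["priority"] == PRIO_RELEASE:
        return skew_time(local_priority)
    return master_down_interval(local_priority, advert["adver_int"])


def elect_master(routers):
    """routers: iterable of (primary_ip, priority). Highest priority wins, so the
    address owner (fixed at 255) always does; equal priorities go to the higher
    primary IP address, the tie-break RFC 2338 uses."""
    return max(routers, key=lambda r: (r[1], int(ipaddress.IPv4Address(r[0]))))[0]
```

Note that the authentication-type check only confirms both ends were configured the same way; with type 0 (no authentication) anything on the LAN that can send to 224.0.0.18 with TTL 255 can still produce a valid advertisement, which is why the article's "Auth Type" and "Authentication Data" fields exist.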
The fields of the VRRP header are defined as follows:

Version
  The version field specifies the VRRP protocol version of this packet. (In RFC 2338 the version is 2.)

Type
  The type field specifies the type of this VRRP packet. The only packet type defined in this version of the protocol is 1.

Virtual Router ID (VRID)
  The virtual router identifier (VRID) field identifies the virtual router this packet is reporting status for.

Priority
  The priority field specifies the sending VRRP router's priority for the virtual router. Higher values equal higher priority. The priority value for the VRRP router that owns the IP address(es) associated with the virtual router must be 255. VRRP routers backing up a virtual router must use priority values between 1 and 254. The default priority value for VRRP routers backing up a virtual router is 100. The priority value zero (0) has special meaning, indicating that the current master has stopped participating in VRRP. This is used to trigger backup routers to quickly transition to master without having to wait for the current master to time out.

Count IP Addrs
  The number of IP addresses contained in this VRRP advertisement.

Auth Type
  The authentication type field identifies the authentication method being utilised. Authentication type is unique on a per-interface basis. The authentication type field is an 8-bit unsigned integer. A packet with an unknown authentication type, or one that does not match the locally configured authentication method, must be discarded. The authentication methods currently defined are:

  * 0 - No Authentication
  * 1 - Simple text password
  * 2 - IP Authentication Header

Advertisement Interval (Adver Int)
  The default is 1 second. This field may be used for troubleshooting misconfigured routers.

Checksum
  Used to detect data corruption in the VRRP message.

IP Address(es)
  One or more IP addresses that are associated with the virtual router.
Authentication Data
  The authentication string is currently only utilised for simple text authentication.

Slider.

----------------------------------------------
**********************************************
ADSL - Kermit23
**********************************************

Several people reading this may at this very moment be waiting for ADSL to be installed for their personal use, or may be using ADSL right now. It is a significant jump for BT, and an improvement on the 56k that many people will have been using previously. However, there is often some confusion about how exactly ADSL works, which I will attempt to cover at least a little in this quick text.

I am assuming that you have at least basic knowledge of what ADSL is. Asymmetric, as in you can't send the same amount of data up and down it. Digital, as in 1's and 0's. Subscriber, as in you. Line, as in the twisted pair copper lines which you have been using for years. Unless your local telco has a lot of spare fibre, that is.

As you can see from this brief breakdown, or possibly from talking with your ADSL provider, there is no separate ADSL line in the same way there would be if you had a T1 installed. What turns the copper lines into ADSL is just a modem, albeit a slightly different one from the standard v.90 jobs. Normal modems use the same range of frequencies as voice is allocated on the telephone, from 600Hz to 4KHz. This is a fairly narrow band that has been pushed pretty hard to get you 56k of raw speed, not bad considering the bandpass is just 3.4KHz. Anything out of this range is considered "out of band" (such as signalling, which is one of the reasons why you can't blue box any more). ADSL sends information out in an analogue form in this out-of-band area, which gives it a much bigger bandpass to play with than conventional modems.
This 4KHz limit is mainly imposed by filters at the local exchange, but just from your house to the exchange there is a problem with loss of signal quality over fairly short distances. Though digital signal processing (DSP) is a fairly mature area, there is still a natural distance limit, as crosstalk between different wires and resistance degrade the signal to an unusable level. The crosstalk comes from the fact that while one wire goes out of your house, it will be bundled with the wires of the other houses around, and those with other houses and so on, so the telco does not have to dig up a huge amount of land to run direct wires to each house (in fact each pair of wires is twisted to reduce this, hence twisted pair).

As you may guess, the line could still be fairly noisy while being usable for ADSL, so ADSL modems incorporate CRC error checking, which is a common method for checking data integrity. They also ignore extremely noisy sections of the band until they become quieter, handy in the case of short-term interference.

A transmission from an ADSL modem goes thus. Digital data (from the computer) is encoded and sent on after being combined with any analogue data (from the phone line, via the POTS splitter). This is run through a D/A converter (digital to analogue) and mixed in with the native digital streams. The POTS splitter is just a filter, but one that can also add two streams together. However, no one wants to go around saying POTS splitter/combiner. Once it arrives at the ATM pipe, it is multiplexed (mixed) with a number of other ADSL streams, and sent on up the network. When the response arrives it is demultiplexed and sent to the appropriate line. The ADSL modem splits the native digital streams from the non-native ones. The native digital is sent to the computer, the analogue stuff to the phone line, via the D/A converter then POTS splitter. Easy.
As ATM over ADSL is the common method of data transfer over ADSL, the actual data the ADSL modem sends is, as could be expected, in frames. The modem syncs at the 4KHz frequency. It then sends a service information frame, explaining what is going to be travelling over this channel of frequency, then a lot of data frames containing what you actually want to send. This is known as a super frame. Finally it sends a sync frame. The super frame contains 68 data frames, an 8-bit CRC frame, and a 24-bit OAM frame, each data frame having a 250 microsecond period. The sync frame ensures both ends are ticking to the same beat, so that frames appear when expected and are processed properly.

Kermit23
--
kermit23@raegunne.com
http://www.raegunne.com

Glossary:

ADSL: Asymmetric Digital Subscriber Line.
ATM: Asynchronous Transfer Mode.
D/A: Digital to analogue.
OAM: Operations, Administration and Management.
POTS: Plain Old Telephone System.

----------------------------------------------
**********************************************
Firewall-1 'n General Firewall Rants... A two part series - Lock-down
**********************************************

Quick overview of this firewall, plus some general firewall rants about why allowing TCP sessions to untrusted hosts is a real bad idea. This is by no means a firewall cookbook, just some observations made over a couple of days... I'm sure slider will have plenty to say about this... (it runs on AIX too slider.. ;-) )

Okay, I've been playing with Firewall-1 this week. If you're new to firewalls this is probably not the txt for you. I'm not a security expert; I always look at designing a firewall in such a way that I would not be able to hack in myself. Read lots of hacker txts, become a hacker, that's the only way to know if you're secure.... tee hee

This txt was going to be purely about Firewall-1 but it's turning more into a firewall manual. I'll try not to get too distracted and rant on about general security too much ;-).
I've found out the following things about this product.

- What is it?

* A packet level filtering firewall.
* Has extra application proxies for web and SMTP.
* Has the ability to do CVP (Content Vectoring Protocol), so you can direct content to third party scanning tools, e.g. virus protection for downloaded files over HTTP or FTP.
* Compliant with OPSEC standards (a standard API for writing CVPs).

-- Down side

* It's let down by *extremely* poor documentation.
* It's let down by very poor 'commercial' books.
* It's not an application level firewall :-(
* It comes from a Unix background, so is more suited to Unix environments, but will handle trust and NetBIOS plus other NT/windoze traffic patterns.
* Rather confusing NAT/rule base system, probably because NAT was added in a later version rather than from the ground up.
* Does not handle DNS itself; either pass through DNS, or run a traditional DNS server on the internal/DMZ network.
* You have to manually fiddle with config files on the firewall for it to respond to more than one public IP address, for example if you're using your DMZ to host a web server.
* Cannot transparently redirect based on destination port :-(
* Has major exploits :-(

-- Up side

* It has Floodgate-1 built in, which is a rather snazzy bandwidth and QoS add-on!
* It's pretty easy to get up and running.
* It runs on Unix and NT.
* It even runs on LINUX (nice one Checkpoint!)
* It can manage security policy and configs on other devices, such as routers and switches!
* It can manage multiple firewalls, either on the same site or across the internet via a VPN.
* Extensive open VPN support; can even link to Cisco routers for VPN connections.
* Interesting reporting/log module, and is able to consolidate logs from multiple firewalls.
* Well tested, most 'easy' exploits have been... ahem, exploited.
* Very friendly mailing list, with 'real' experts who are willing to help (for a change!)
* SYN flood protection.
* IP spoofing protection.
* Can be fault tolerant; requires two machines (and licences) for fail-over. The new version can even fail over encrypted VPN tunnels, but I've not tested this, and I doubt this works ;-) .hehe.
* Using the secure remote client software, you can have your mobile users RAS in via the firewall over an encrypted tunnel. YUM! BARK!

------------------------

So I came to it with a fresh pair of eyes. I'm no stranger to firewalls, as Raptor is one of my favourites (application level firewall). Obviously I printed the Firewall-1 manual, many many reams of waste paper there. I've never read so much twaddle in my life; some chapters go on for pages where a few pages of concise information could have covered the whole concept. I did find some excellent FAQs on the web by hackers/users, you'll see them at the end in the resources section.

So I did what any self respecting 'security' guy would do, go and buy a book. The only book I could find was Check Point Firewall-1 Administration Guide (Marcus Goncalves and Steven Brown) and it's a bag of shit; if I had a quid for every time it said 'This is beyond the scope of this book' or 'please check out this, check out that', I'd have... err err, a lot of bloody money anyway ;-).

To NAT or not NAT, that is the question... (let's jump straight in)

Let's take an 'old' firewall design method (no NAT!).

Internal LAN 192.168.0.0 <----------> FW-1 <-------------------> Internet
                                       |
                                       |
                                       |
                              DMZ (Public Address Range)
                                       |
              MAIL      DNS      WEB/SOCKS      FTP       WEB
             SERVER                PROXY       SERVER    SERVER

So, here we have a three-pronged network: a private address range for the internal subnet, a DMZ with a public range, and an internet connection with a public range (of course!). Machines on the internal network can only access the DMZ; servers in the DMZ can access both the internal LAN and the internet. People from the internet can only access the DMZ.
The FW-1 is acting as a fancy router; by applying 'rules' to the FW-1 the DMZ can be protected in the following ways.

--------------------

Connections from the internet to the DMZ can be controlled, thus if the DMZ only has an SMTP server, the only traffic allowed into the DMZ is SMTP traffic. FW-1 can control how connections are made to the DMZ, thus preventing SYN flood or other IP DoS attacks. FW-1 has a hardened IP stack, and will also reject malformed packets that would normally arrive unchecked at a DMZ machine, and other weirdo traffic. If you have time to kill, attach a packet sniffer to your public interface; you'll be amazed at the shit flying around out there... makes space junk look like a walk in the park!

---------------------

The internal LAN is protected from the internet, as the firewall 'knows' what subnets are connected to which physical interfaces. If it sees, for example, a packet with destination 192.168.0.x or source 192.168.0.x come in on the internet interface, it will drop it, as there is no reason why a private internal address should be seen on this external interface. The same goes for the DMZ public address and the other interface; as long as you tell the firewall what subnets are connected to what interfaces, you will be spoof protected (nice!).

---------------------------

So, how the hell do internal machines communicate with the internet? Obviously there's no way the internal machines can send packets straight out to the internet; they would probably reach their destination, but when the replies came back (to 192.168.0.x) they would (hopefully) get dropped or misrouted by the internet and disappear for ever (Bermuda Triangle style). There are two ways to get around the problem: application level proxies, or Network Address Translation (NAT) (we'll talk about this later).
The above example uses application level proxies. Just think of a proxy as making connections on behalf of the internal machines; it's a bit like using a 'man in the middle', as if a third party finishes a drug deal for you: you yourself have no contact with the dealer, the man in the middle sorts everything out, and the dealer talks to the man in the middle. You, on the other hand, never see the dealer dude, so this offers more protection ;-). Is this method safe? Well, kind of, but we'll discuss that later (no firewall is safe!). Because application proxies stand in the middle of the TCP/UDP/ICMP/etc. connection, they break the end-to-end nature of the internet (unquote), so proxies can actually make applications incompatible (you have to use NAT then), and also add to the complexity of network troubleshooting. Proxies have improved to a high degree, and you'll find even the most simple proxies 'RFC' compliant these days.

We add rules to the firewall so that the internal LAN can make connections to the DMZ proxies, and the DMZ proxies can make connections to the internet. The DMZ proxies cannot make connections to the internal LAN, and the internet cannot make a connection to the DMZ. Connections from/to the internet from/to the internal LAN are impossible, as there is no way they can be routed (without some special hacker action!) from one to the other (this assumes no NAT is being used!).

Each machine on the DMZ should be locked down ( ;-) ) as much as possible, only offering basic services to the whole of the unauthenticated internet community. This minimises the risk of, for example, a hacker exploiting an RPC buffer overflow to install trojan code and thus initiating attacks from the DMZ (which is bad!). Remember, if this does happen, the firewall should be watching (logging) every connection attempt, so as long as you check your logs for suspicious traffic every now and then you'll be okay.
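The rule base just described (internal LAN to the DMZ proxies, proxies out to the internet, nothing from the DMZ back into the LAN, only the offered service in from outside) together with the interface-based anti-spoofing check from the previous section, as an added example in Python; this is not Firewall-1 code or its rule syntax, and it uses the tighter "DMZ cannot reach the internal LAN" statement. The zone names, the proxy port 8080, the 198.51.100.0/24 documentation range standing in for the internet, and 212.3.4.0/29 as the DMZ's public range (borrowed from the NAT figure later in this article) are all assumptions.

```python
"""Interface-aware, first-match packet filter for the three-legged design above.

Added example; not Firewall-1 code or its rule syntax. Zones, subnets and
rules are constructed from the article's design (private internal LAN,
public DMZ, internet): 212.3.4.0/29 is a placeholder for the DMZ's public
range borrowed from the article's later figure, 198.51.100.0/24 is a
documentation range standing in for "the internet", and the proxy port
8080 is assumed.
"""
import ipaddress
from typing import NamedTuple

INTERNAL = ipaddress.ip_network("192.168.0.0/24")
DMZ = ipaddress.ip_network("212.3.4.0/29")
# Which subnet is expected to appear on which interface: the "firewall knows
# what subnets are connected to which physical interfaces" table.
INTERFACES = {"int": INTERNAL, "dmz": DMZ}   # "ext" carries everything else


class Packet(NamedTuple):
    iface: str      # interface the packet arrived on: int, dmz or ext
    src: str
    dst: str
    proto: str      # tcp, udp or icmp
    dport: int = 0


class Rule(NamedTuple):
    src: str        # zone: internal, dmz, internet or any
    dst: str
    proto: str      # or any
    dport: int      # 0 = any port
    action: str     # accept or drop


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    if addr in INTERNAL:
        return "internal"
    if addr in DMZ:
        return "dmz"
    return "internet"


def spoofed(pkt):
    """Source must belong to the arrival interface; on the external leg no
    private or DMZ source, and no private destination, is ever legitimate."""
    if pkt.iface == "ext":
        return zone_of(pkt.src) != "internet" or zone_of(pkt.dst) == "internal"
    return ipaddress.ip_address(pkt.src) not in INTERFACES[pkt.iface]


def evaluate(pkt, rules):
    """Anti-spoofing first, then first matching rule; unmatched traffic is dropped."""
    if spoofed(pkt):
        return ("drop", "anti-spoofing")
    sz, dz = zone_of(pkt.src), zone_of(pkt.dst)
    for n, r in enumerate(rules, 1):
        if (r.src in (sz, "any") and r.dst in (dz, "any")
                and r.proto in (pkt.proto, "any") and r.dport in (pkt.dport, 0)):
            return (r.action, "rule %d" % n)
    return ("drop", "default deny")


# The article's policy: internal hosts reach only the DMZ proxies, the proxies
# reach the internet, only SMTP comes in from outside, and DMZ -> internal is
# refused. Explicit drop rules exist so the attempts show up in the log.
DMZ_RULES = [
    Rule("internal", "dmz", "tcp", 8080, "accept"),   # web/socks proxy (port assumed)
    Rule("internal", "dmz", "tcp", 25, "accept"),     # hand outbound mail to the relay
    Rule("dmz", "internet", "any", 0, "accept"),
    Rule("internet", "dmz", "tcp", 25, "accept"),     # the DMZ only offers SMTP
    Rule("dmz", "internal", "any", 0, "drop"),        # explicit so it is logged
    Rule("internal", "internet", "any", 0, "drop"),   # no direct path out
]

# Constructed sample traffic: (packet, expected decision).
SAMPLES = [
    (Packet("int", "192.168.0.10", "212.3.4.3", "tcp", 8080), "accept"),   # via proxy
    (Packet("int", "192.168.0.10", "198.51.100.7", "tcp", 80), "drop"),    # direct out
    (Packet("ext", "192.168.0.10", "212.3.4.3", "tcp", 25), "drop"),       # spoofed src
    (Packet("ext", "198.51.100.7", "212.3.4.3", "tcp", 25), "accept"),     # smtp in
    (Packet("ext", "198.51.100.7", "212.3.4.3", "tcp", 23), "drop"),       # telnet in
    (Packet("dmz", "212.3.4.3", "192.168.0.10", "tcp", 23), "drop"),       # dmz -> lan
]


def check_samples(rules=DMZ_RULES, samples=SAMPLES):
    """Decisions for the sample packets, for review against the expectations."""
    return [evaluate(p, rules)[0] for p, _ in samples]
```

The order matters: the anti-spoofing test runs before any rule, and a packet that matches nothing is dropped rather than passed, which is the property the article's "ask why every rule exists" advice is protecting.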
(Unless somebody compromises your firewall; if that's the case, you might as well shut up shop and go home ;-) ).

You must 'harden' the machines on the DMZ: minimal set of user accounts, minimal set of services, minimal O/S configuration, latest operating system + patches, latest application software + patches, and add extra security tools such as Tripwire to battle-harden hosts. You want to know if a pin drops in the DMZ (including if any services crash or core dump! very suspicious in a non-NT environment ;-) ). The rest of the internal LAN can carry on in organised chaos; the DMZ needs to be tightly controlled (please!).

If you really must have a publicly available resource such as an FTP site for customers, make sure they authenticate with the firewall first, then use authentication on the FTP servers. This is a layered security approach; at the moment you're using the first layer of authentication at the firewall, and a second level of authentication at the FTP application level ;-). yum yum.

If you want to run a public service such as a web server or public FTP, make sure you position it on the DMZ. Ask questions like: if my FTP server is compromised, what other machines are at risk from attack via the compromised machine? Take for example this DMZ:

Internlan ----------------> FW-1 ------------------> Internet
                              |
                              |
                     Shared 10mb HUB (Public)
                              |
   FTP SERVER --------------------------------- Unix Web Server

Okay, so the FTP server on the DMZ has been buffer overflowed, the firewall missed it (it was sleeping perhaps ;-) ), and the attackers now control the FTP server via a root/administrator shell. The FW-1 is configured not to accept connections from the DMZ FTP server to the internal LAN, but is configured to accept telnet from the DMZ web server to the internal LAN (this is silly, but I have seen this configuration in the 'field' ;-) ), and telnet from the internal LAN to the web server.
So, the attackers run a packet sniffer on the compromised FTP server, and they wait...... wait.. wait some more, until some bright spark logs on via telnet as root to the Unix web server.... bingo... we have now compromised the Unix web server. We're getting there. From the Unix web server, we examine the logs and find that a number of telnet sessions from the DMZ to the internal network occur. We install monitoring software onto the Unix web server, thus gaining passwords for internal machines. Bingo, we have now compromised the internal network; bad news for the admin of this firewall. The firewall sits there quite happily accepting connections and logging them, but how does it know who's doing what? It doesn't; firewalls are thick.... really they are. You probably need some IDS system, but more on that in our next installment (i.e. I can't be bothered to write about that now!).

How do we fix this particular situation?

* We could install a switched hub instead of a shared 10mb hub; this would prevent snooping of packets from the FTP server (beware, some elite skillz hackers can overload a switch causing it to flood frames to all ports.............. nasty).
* Use strong encryption/authentication to gain access to the Unix web server (perhaps SSH); this would increase DMZ security greatly (prevents snooping!).
* Avoid the practice of allowing telnet sessions to be initiated from the DMZ web server. (Best method: always ask why firewall rules are installed, ask ask ask, and demand to know; if no one can tell you why it exists, it should not be there.)

As you can see, every machine on the DMZ has a role to play in the security of the network, and a compromised DMZ machine can be very hazardous to network health.

Surely NAT can save us all??
----------------------------

Network address translation is being used heavily on security/firewall devices at the moment. What is NAT? NAT is a way of connecting private address (e.g. 192.168.0.x) subnets to the public internet. Look..
Internlan ----------------> FW-1 ------------------> Internet
192.168.0.x        <-NAT->   |   Public Address
                             |   212.3.4.2
                 fw-1 Public Interface 212.3.4.1

Any packet being sent from the internal LAN to the internet is translated. The translation takes place because you can't send 192.168.0.x addresses out onto the internet; they will get to their destination, but there is no way the internet can route, or is in fact designed to route, these private addresses. So NAT replaces the source address with the public interface address of the firewall. An internal connection table makes sure the machines on the internal network receive the right connection at the right time; funky stuff.

No proxies, no DMZ, no nothing, just raw NAT. Wow, we're secure now aren't we, because any incoming connection attempts are dropped....... nope.. we are not secure at all in fact.... Any incoming traffic to 212.3.4.1 from the internet that has not already been established is discarded (i.e. hackers can't create connections to internal machines, as they are 'hiding' behind the firewall's public address). (That's secure????)

So, I said we are not secure with NAT. Most NAT configurations I've seen have the following config:

Internal LAN ------------------------ fw-1 ------------------- Internet
                                     <NAT>

   Source          Destination     Action
   Internallan     Internet        Allow
   Internet        Internallan     Drop

OK, only outgoing TCP connections are allowed, cool! This method is extremely bad, as connections initiated from within the internal LAN can be as dangerous as allowing incoming connections to the LAN. TCP connections are full duplex, that is they are two-way pipes; there's nothing stopping somebody rewriting Back Orifice so that, instead of waiting for incoming connections (which NAT usually renders useless), the Back Orifice trojan 'dials' out of the network to a remote (usually another compromised system) trojan control program.
Compromised ----tcp connection>>>>-- firewall ---------- Internet ----------- Hacker's
Machine on                            NAT                                      Machine
Internal Lan                           |                                          |
backorifice  <<<-------TCP Reverse Control Channel Established------------ reversed
                                                                            server

So, as you can see, we're using the full duplex properties of a TCP connection to tunnel into the internal network, from a connection initiated by a compromised internal machine. Now if this doesn't scare you, then you're a braver man than me. Now where did I leave my assembler??? ;-). The NAT box will quite happily allow this to happen. Hmmm..... I could be wrong on this; any winsock programmers out there wanna contact me and help me write proof of concept code??? ;-).

Can Application Proxies stop this?
----------------------------------

Yes, and no. Proxies can give you another level of logging and authentication, and if the application proxy understands the protocol it is trying to proxy very well, then it may detect that the data flowing between client and server is not within limits (i.e. why is HTTP traffic encrypted, when it is not HTTPS, for example!), but none that I know of can prevent this kind of attack if the server/client is well written (looks like normal HTTP traffic, for example). The only way to prevent this is to secure the internal network from trojan attack; most firewall solutions can help with this, using email filtering, FTP/HTTP filtering etc. etc., which can cut down the risk of trojan programs entering the network via the internet. (Doesn't stop someone bringing it in on a floppy disk though ;-) ). Else you must only allow NAT/proxy firewalls to connect to untrusted sites!!! Hmmm, hope this one got you thinking. Anyway, enough ranting, back to Firewall-1.

So what is the best design? NAT, or fully routable DMZ with application proxies? That depends (ooh, I'm sitting on the fence with this). Most ISPs are really mean with their IP allocation; most ISPs will give you 6 or less IP addresses! Thus you have to use NAT to host servers and proxies, as you just don't get enough to play with; NAT can be useful here. NAT can also add to security, as when the packet gets translated the IP header is effectively rewritten; this can eliminate weird options in the header fields, for instance (this is true on Cisco routers that support NAT; Firewall-1 uses its own 'secret' INSPECT engine). A DMZ network will effectively slow down an attacker, perhaps enough to allow detection. A DMZ network also allows extra security and IDS tools to be deployed alongside the firewall; another layer of security can be added via this method. Again, this layered method is something I'm really into: you build up security not by adding an all singing, all dancing firewall, but by adding layers of security, like an onion.. wtf??? (wow, I gotta stay off the booze!) cool.

The design mentioned above, with full DMZ and application level proxies, requires extensive hardware and software (+ licences), so it's the more expensive route. Raptor firewall, for instance, actually contains all the proxies and DNS services itself, so although the product is slightly more expensive, you do get value for money ;-). (Raptor is also slower, but for the UK speed is academic, as not many sites can afford faster than an E-1 at the moment (that will change, just as soon as BT are crushed!)) heh heh.

Should I allow ICMP into my DMZ?
------------------------------------

Depends how paranoid you are, but most of the time you can safely drop this traffic at the firewall. There are lots of nasty tricks you can play with ICMP (especially ICMP redirect!), so best to block it. I don't know of any essential internet services (SMTP, FTP, HTTP) that require ICMP traffic to operate correctly. ICMP initiated from your network should also be dropped. Why?
we all know how easy it is to embedded 'real' data into icmp packets, icmp has already been used as a control channel for various trojans, if your *really* need icmp stuff, limit it to a number of secure internal hosts or setup a server in the DMZ, which users can use to ping other server's via a remote session, this should keep everyone happy. rememeber , inspect all the rules on a firewall, ask questions, cause trouble... that's the only way to verify it's rule base. If you firewall has more than twenty rules defined...worry...... How do I handle DNS?? ------------------------------------------- next....installment. Is there anything that can be done at the Internet router level to make my network more secure- ------------------------------------------------------------------------ check out phracks article on creating bastion router configurations @ http://www.attrition.org/~modify/texts/phrack/Phrack55/P55-10 nice stuff, I recommend you *READ* this. What should I do if my firewall is portscanned (bite back!). (phun!) ----------------------------------------------- That's easy, you need to hire 15 E-1 Links, connected to 15 different networks. If you recieve keep receive port scans from the same subnet, just hit a few c00l shell script's and fire up the 15 E-1 links to the source of the port scan. The script kiddie will suddnley have to deal with 30mb/s of internet traffic, and most probably if he's on an modem connection, his access device will die, or he will be rendered harmless a bandwidth ddos ;-). he he he. I don't recommomed this type action, but sometimes it's the only way, fight fire with fire! (why does napster come to mind). 
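The "yes and no" above is worth making concrete. Below is an added example in Python, not code from L0ck-D0wn's article and not a feature of Firewall-1, Raptor or any other product: the three sanity checks an application proxy or NAT box could run over a session summary. The session record layout, the field names and the thresholds (6.5 bits of entropy, 10 minutes, a 5:1 byte ratio) are my own assumptions, and every session below is a constructed sample.

```python
"""Proxy-style session inspection (added example; field names, thresholds and
sample sessions are assumptions, not the article's or any product's)."""
import math
import re

# Ports where an application proxy would expect readable plaintext.
PLAINTEXT_PORTS = {21, 25, 80}
# First line of an HTTP/1.x request: enough to tell HTTP from something else.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE) \S+ HTTP/1\.[01]\r\n")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext or compressed data, 4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_session(s: dict) -> list:
    """Return the findings for one session (empty list means it looks normal)."""
    findings = []
    first, port = s["client_first_bytes"], s["dst_port"]
    # 1. Protocol conformance: traffic to port 80 must at least start like HTTP.
    if port == 80 and not HTTP_REQUEST_LINE.match(first):
        findings.append("non-http-on-80")
    # 2. "Why is HTTP traffic encrypted when it is not HTTPS?": high entropy on a
    #    plaintext port.  Port 443 is expected to look random, so it is skipped.
    if port in PLAINTEXT_PORTS and shannon_entropy(first) > 6.5:
        findings.append(f"encrypted-looking-on-{port}")
    # 3. Flow shape of the reverse control channel: the inside host opened the
    #    connection, but the outside end sends far more than it receives and the
    #    session stays up for a long time.  A well-written trojan passes checks
    #    1 and 2, so only the shape of the flow gives it away.
    if s["duration_s"] > 600 and s["bytes_in"] > 5 * s["bytes_out"]:
        findings.append("possible-reverse-control-channel")
    return findings


def triage(sessions) -> dict:
    """Map session id to findings, keeping only sessions that have any."""
    result = {}
    for s in sessions:
        found = inspect_session(s)
        if found:
            result[s["id"]] = found
    return result


# Constructed sample sessions, as a proxy or NAT box might summarise them.
# bytes_out = inside client -> outside server, bytes_in = the other direction.
SAMPLE_SESSIONS = [
    {"id": "normal-web", "dst_port": 80, "duration_s": 3,
     "bytes_out": 420, "bytes_in": 15000,
     "client_first_bytes": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"id": "ssh-on-80", "dst_port": 80, "duration_s": 40,
     "bytes_out": 3000, "bytes_in": 4000,
     "client_first_bytes": b"SSH-2.0-OpenSSH_2.1\r\n"},
    {"id": "https-normal", "dst_port": 443, "duration_s": 12,
     "bytes_out": 2000, "bytes_in": 40000,
     "client_first_bytes": bytes(range(256))},      # stand-in for a TLS handshake
    {"id": "blob-on-80", "dst_port": 80, "duration_s": 5,
     "bytes_out": 900, "bytes_in": 900,
     "client_first_bytes": bytes(range(256)) * 2},  # stand-in for ciphertext
    {"id": "reverse-channel", "dst_port": 80, "duration_s": 7200,
     "bytes_out": 1200, "bytes_in": 98000,
     "client_first_bytes": b"GET / HTTP/1.0\r\n\r\n"},  # looks like HTTP, is not
]

if __name__ == "__main__":
    for sid, found in triage(SAMPLE_SESSIONS).items():
        print(f"{sid}: {', '.join(found)}")
```

The "reverse-channel" sample is the interesting one: its payload passes both content checks, exactly as the article says a well-written trojan would, and only the long-lived, inbound-heavy flow shape flags it. That shape is also what a long file download looks like, so check 3 is a prompt to look, not a verdict.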
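"Inspect all the rules on a firewall" can be partly automated. The following is an added example in Python, not the article's code and not Check Point's rule format: a small linter over a constructed, Firewall-1-style rule list that checks the points made above, namely ICMP accepted from anything wider than a single trusted host, any/any/any accept rules, rules shadowed by an earlier broader rule (and so never matched under first-match semantics), and a rule base of more than twenty rules. The Rule fields and the sample rule numbers are my own simplification.

```python
"""Rule-base linter (added example; the Rule model and sample rules are a
made-up simplification, not Check Point's format)."""
from dataclasses import dataclass
from ipaddress import ip_network

ANY_NET = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    num: int
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp", "icmp" or "any"
    port: object  # destination port (int) or "any"
    action: str   # "accept" or "drop"


def net(s: str):
    return ANY_NET if s == "any" else ip_network(s)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` also matches `outer`."""
    if not net(inner.src).subnet_of(net(outer.src)):
        return False
    if not net(inner.dst).subnet_of(net(outer.dst)):
        return False
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if outer.port != "any" and outer.port != inner.port:
        return False
    return True


def audit(rules) -> list:
    """Return human-readable findings, in rule order."""
    findings = []
    if len(rules) > 20:
        findings.append(f"rule base has {len(rules)} rules (more than twenty): worry")
    for i, r in enumerate(rules):
        if r.action == "accept" and (r.src, r.dst, r.proto) == ("any", "any", "any"):
            findings.append(f"rule {r.num}: any/any/any accept")
        # ICMP should be dropped at the firewall or limited to a single trusted host.
        if r.action == "accept" and r.proto == "icmp" and net(r.src).num_addresses > 1:
            findings.append(
                f"rule {r.num}: accepts ICMP from {r.src} (not limited to a single host)")
        # First-match semantics: a rule fully covered by an earlier one never fires.
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append(
                    f"rule {r.num} is shadowed by rule {earlier.num} and can never match")
                break
    return findings


# Constructed sample rule base (documentation address ranges, made-up layout).
SAMPLE_RULES = [
    Rule(1, "any", "192.0.2.10/32", "tcp", 25, "accept"),    # SMTP to DMZ mail relay
    Rule(2, "any", "192.0.2.20/32", "tcp", 80, "accept"),    # HTTP to DMZ web server
    Rule(3, "any", "any", "icmp", "any", "accept"),          # ping from anywhere: bad
    Rule(4, "10.1.1.5/32", "any", "icmp", "any", "accept"),  # one admin host may ping out
    Rule(5, "10.0.0.0/8", "any", "tcp", 80, "accept"),       # internal web browsing
    Rule(6, "10.1.0.0/16", "any", "tcp", 80, "accept"),      # already covered by rule 5
    Rule(7, "any", "any", "any", "any", "drop"),             # clean-up rule
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RULES):
        print(line)
```

Note how rule 3 does double damage in the sample: it lets ICMP in from anywhere, and because it sits above rule 4 it also makes the deliberately narrow "one admin host" rule dead weight, which is exactly the kind of thing that only turns up when someone reads the rule base top to bottom.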
Portscans are a fact of life, you're going to get them. I get about 6 or 7 a day, which is incredible. You can ignore them in most instances; you should know what ports you have open, and closed. So what if a remote attacker guesses you're running Firewall-1, you've got all the latest patches installed, haven't you..... you haven't? Disconnect from the Internet until you do.

Honeypots - who called Winnie the Pooh? The fly to the spider...
-----------------------------------------------

If you're really paranoid, why not set a trap for intruders? Yep, set up a default installation of NT/unix, whatever, make it as insecure as possible (that's right, just use the out-of-the-box config ;-). Install either logging tools on the host, or make the firewall alert if a connection is made to this machine. No hacker can resist compromising this system first, and once the alarm bells start ringing you can watch them, and see where they're from, what they are up to, and what they are trying to achieve. It's a good way of picking up tools/techniques too ;-), and it's a whole lot of phun too. ;-). But remember, if you play with fire.....

Resources for Firewall-1 that are worth checking.
-----------------------------------

Checkpoint Firewall-1 list, via www.checkpoint.com
http://www.phoneboy.com/ - Firewall-1 FAQ
http://www.deathstar.ch/security/fw1/ - obiwan's Death Star site, this guy is quite mad, but cool ;-) S T A R W A R S..... safe.

If you feel I've missed anything, feedback and I'll make the next one better.. yeah sure! I'll be covering the things I missed next issue (if I don't get drunk and forget!). I wish I'd had more time to get this finished, I must sign back on the dole soon and get more time to myself ;-). I'll try and cover some FloodGate-1, and how to protect video streams against, say, FTP traffic. Juicy stuff.
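Both of the points above, "know what portscans you get" and "make the firewall alert if a connection is made to the honeypot", come down to reading the firewall log. Here is an added example in Python, not the article's code and not Firewall-1's log format: a triage script over constructed log lines that counts the distinct destination ports each source touches inside a sliding one-minute window (a scan) and lists every connection to the honeypot address. The log layout, the window, the threshold and the addresses are my own assumptions.

```python
"""Firewall log triage (added example; log format, thresholds, addresses and
the sample lines are constructed, not Firewall-1's)."""
from collections import defaultdict
from datetime import datetime

HONEYPOT = "192.0.2.99"  # assumed address of the deliberately weak trap host

# Constructed sample log: date time action src dst proto dport
SAMPLE_LOG = """\
# normal user, a handful of services
2000-09-15 10:00:01 accept 198.51.100.4 192.0.2.20 tcp 80
2000-09-15 10:00:05 accept 198.51.100.4 192.0.2.20 tcp 443
2000-09-15 10:00:09 accept 198.51.100.4 192.0.2.10 tcp 25
# fast scan of the web server, one port a second (256 is the classic FW-1 port)
2000-09-15 10:02:00 drop 203.0.113.7 192.0.2.20 tcp 21
2000-09-15 10:02:01 drop 203.0.113.7 192.0.2.20 tcp 22
2000-09-15 10:02:02 drop 203.0.113.7 192.0.2.20 tcp 23
2000-09-15 10:02:03 accept 203.0.113.7 192.0.2.20 tcp 25
2000-09-15 10:02:04 drop 203.0.113.7 192.0.2.20 tcp 53
2000-09-15 10:02:05 accept 203.0.113.7 192.0.2.20 tcp 80
2000-09-15 10:02:06 drop 203.0.113.7 192.0.2.20 tcp 110
2000-09-15 10:02:07 drop 203.0.113.7 192.0.2.20 tcp 111
2000-09-15 10:02:08 drop 203.0.113.7 192.0.2.20 tcp 139
2000-09-15 10:02:09 drop 203.0.113.7 192.0.2.20 tcp 143
2000-09-15 10:02:10 drop 203.0.113.7 192.0.2.20 tcp 256
2000-09-15 10:02:11 drop 203.0.113.7 192.0.2.20 tcp 264
# the same source then goes for the honeypot
2000-09-15 10:03:30 accept 203.0.113.7 192.0.2.99 tcp 23
# slow probing, one port an hour: below the window threshold
2000-09-15 11:00:00 drop 203.0.113.9 192.0.2.20 tcp 21
2000-09-15 12:00:00 drop 203.0.113.9 192.0.2.20 tcp 22
2000-09-15 13:00:00 drop 203.0.113.9 192.0.2.20 tcp 23
"""


def parse_log(text: str) -> list:
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, clock, action, src, dst, proto, dport = line.split()
        events.append({
            "ts": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "action": action, "src": src, "dst": dst,
            "proto": proto, "dport": int(dport)})
    return events


def find_portscans(events, threshold: int = 10, window_s: int = 60) -> dict:
    """Map source -> most distinct destination ports it hit inside any window,
    for sources that reach the threshold (drops and accepts both count)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = defaultdict(int)  # port -> events inside the window
        left, best = 0, 0
        for e in evs:
            in_window[e["dport"]] += 1
            # slide the left edge forward until the window is at most window_s wide
            while (e["ts"] - evs[left]["ts"]).total_seconds() > window_s:
                old = evs[left]["dport"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            hits[src] = best
    return hits


def honeypot_touches(events, honeypot_ip: str) -> list:
    """Every connection to the honeypot is an alert: (time, source, port)."""
    return [(e["ts"].strftime("%H:%M:%S"), e["src"], e["dport"])
            for e in events if e["dst"] == honeypot_ip]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, n in find_portscans(evs).items():
        print(f"portscan: {src} touched {n} distinct ports inside 60s")
    for when, src, port in honeypot_touches(evs, HONEYPOT):
        print(f"honeypot touched at {when} by {src} on port {port}")
```

The slow source (203.0.113.9) never trips the window, which is the limit of this kind of check: a patient scan spread over hours shows up only if you also look at per-source port totals over the day, not just the last minute.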
L0ck-d0wn@hushmail.com

----------------------------------------------
**********************************************
News - 0blivion.org + Net-security.org
**********************************************

Net-Sec newsletter Issue 26 - 21.08.2000
http://net-security.org

Net-Sec is a newsletter delivered to you by Help Net Security. It covers weekly roundups of security events that were in the news the past week. Visit Help Net Security for the latest security news - http://www.net-security.org. Subscribe to this weekly digest on: http://www.net-security.org/text/newsletter

General security news
---------------------
----------------------------------------------------------------------------

ANTI-VIRUS SOFTWARE FOR FUTURE PHONES RELEASED
Anti-virus company F-Secure revealed software designed to protect Symbian's EPOC operating system. The EPOC operating system is licensed by major mobile phone companies including Ericsson, Nokia, Motorola, Panasonic and Sony and is expected to power future mobile Internet devices from these companies.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.zdnet.co.uk/news/2000/32/ns-17258.html

EPA'S WEB SECURITY STILL VULNERABLE TO ATTACKERS
A report released today by the General Accounting Office, the investigative arm of Congress, found that the agency's system continues to be "riddled with security weaknesses" that could allow attackers to tamper with data, view sensitive information or attack other agencies using the EPA system.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://news.cnet.com/news/0-1005-200-2497497.html

CREDIT CARD INFORMATION EXPOSED ON WOOLWORTHS SITE
The personal information of two Woolworths customers, including their credit card numbers, was inadvertently published on one of the company's Web pages, according to a spokesman. The spokesman says that the information was up for a few minutes and to Woolworths' knowledge no one has made fraudulent use of the customer's credit card details.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.zdnet.co.uk/news/2000/31/ns-17267.html

ANOTHER MASSIVE NET ATTACK LOOMING?
Six months after devastating attacks took down the Web's biggest sites, MSNBC has learned of new evidence that indicates it could easily happen again: A security researcher has found 125,000 networks with the same flaw that allowed the attacks.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.msnbc.com/news/444815.asp

SAFEWAY SHOPPERS HIT BY E-MAIL HOAX
Safeway has become the latest company to suffer an Internet security breach when customers were sent an e-mail appearing to come from the supermarket chain advising them to shop elsewhere. Up to 1,000 customers telephoned to complain Saturday after a hacker appeared to have accessed a Safeway database containing details on 25,000 shoppers, The Sunday Times reported. The hoax e-mail - signed "from the Safeway team" and headed with the company's e-mail address - announced a 25 percent price increase and told customers that if they were unhappy they should shop at rivals Tesco or Sainsbury, the newspaper said.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.mercurycenter.com/svtech/news/breaking/internet/docs/302771l.htm

VERIZON SITE EXPOSED CUSTOMER DATA
Verizon Communications had to pull down a new customer service Web site over the weekend when a private researcher discovered a security hole. According to a report by SecurityFocus.com, users could gain access to personal data simply by entering a customer's phone number. A Verizon spokesman said few, if any, records were compromised and that the actual exposed information was minimal.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.msnbc.com/news/445991.asp

EDMONTON-BASED SERVICE PROVIDER ATTACKED (DoS)
RCMP are working with the FBI to track down computer hackers who overloaded an Edmonton-based Internet service provider yesterday, denying access to some customers. Edmonton RCMP found the "denial of service" attack on OA Group Inc.'s server that barred subscribers from logging on to their Internet accounts originated in Chicago and they were working with the FBI to zero in on the culprit, said RCMP Cpl. Gibson Glavin.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.canoe.ca/TechNews0008/15_hackers.html

NEW 'LOVE BUG' TARGETS SWISS BANK
The virus, known as "VBS/Loveletter.bd," is a variant of the original Love Letter virus that circulated in May, and many versions have been created using the original as a template. Computer virus variant steals bank passwords also.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.msnbc.com/news/447320.asp

HACKER DEFACES SITES IN NAPSTER'S NAME
Pro-Napster hacker "Pimpshiz" said Wednesday he has exploited a bug in Windows NT to deface five dozen Web sites in the past two weeks, including NASA and the French national library.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.zdnet.com/zdnn/stories/news/0,4586,2616266,00.html

SSH-AGENT - A TUTORIAL
"Security is best when it is handy. ssh-agent is pretty darn handy. Ssh-agent can authenticate you to a remote machine via keypairs, rather than the traditional hand-typed username/password combination, with no loss of security."
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.deadman.org/ssh-tut.html

CONFIGURE LINUX TO PRESENT PRE-LOGIN SECURITY WARNINGS
User ignorance continues to be a thorn in the side of Linux system administrators trying to maintain a secure network. In this article, learn how to configure three distributions, with or without KDE and GNOME, to display pre-login messages via virtual consoles and over the network.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.linuxworld.com/linuxworld/lw-2000-08/lw-08-login.html

CONTEST
Attackers may be able to change the NetworkDoc Inc.
site, but the only way they'll get their hands on the cash prize is if they can defeat the company's "anti-hacking" software and keep any changes made on the page until the end of a 36-hour period. It's offering to pay them 1 million yen in cash if they can do it. Contributed by Apocalyse Dow.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.mainichi.co..jp/english/news/archive/200008/19/news08.html

UPDATE ON BOHTTPD
Alexey Yarovinsky posted a patch for the Netscape Communicator Java Security bug (known through the BOHTTPD issue). Also, Deepquest posted that Brown Orifice is patched by Netscape 4.75, which is available on the Netscape web site.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.netscape.com/computing/download/index.html

CHARGES DROPPED AGAINST LOVE LETTER CREATOR
Prosecutors dismissed all charges filed against a former computer college student accused of having released the "I Love You" computer virus that crippled email systems worldwide.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://news.cnet.com/news/0-1005-200-2574585.html?tag=st.ne.1430735..ni

---------------------------------------------------------------------

Net-Sec newsletter Issue 27 - 28.08.2000
http://net-security.org

General security news
---------------------
----------------------------------------------------------------------------

TROJAN USERS CAUGHT IN CHINA
Three local high school students were arrested on Monday for allegedly running Trojan programs to steal dial-up account passwords from compromised computer systems. Reporter speaks about SunSeven trojan program, but it is obvious that SubSeven was used...
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.chinatimes.com.tw//english/esociety/89082202.htm

ATTACKING WEB SITES TO GET THE MESSAGE OUT
Several sites around the world were reportedly broken into and changed last week by one or more people claiming to be calling attention to the fight between the music industry and the digital music-swapping Web site Napster. A manifesto of sorts was posted in support of Napster's fight against music industry labels, titled "The Save Napster Hack Attack."
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.cnn.com/2000/TECH/computing/08/21/napster.hacks.idg/index.html

HIRING HACKERS - RANT
"Palante", who works in an unnamed Fortune 500 company's infosec consulting division, posted his opinion on all those struggles that some companies started with, saying that people shouldn't hire hackers.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.globetechnology.com/archive/gam/News/20000822/ROUTS.html

PRETENDER
Someone tried to dupe several Malaysian Internet users into giving away their private financial information by posing as an online executive at the Maybank company. The article has a standard mistake - trojans are connected with the word hacker.
Link: http://thestar.com.my/tech/story.asp/2000/8/22/technology/22hack&sec=technology

TREND MICRO ITALIA SITE DEFACED
The Italian branch of anti-virus company Trend Micro (www.trendmicro.it) got its site defaced yesterday, two times. A note was left for the admins - "secure yourself man, *hint - securityfocus.com".
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.attrition.org/mirror/attrition/2000/08/21/www.trendmicro.it/

WRISTWATCHES COULD PROVIDE THE KEY TO BETTER IT SECURITY
A US company has devised a plan to make IT security as simple as telling the time - by incorporating an automated PC locking device into wristwatches. Michigan-based Ensure Technologies argue that despite the furore about attackers, most breaches of security occur in-house - namely in users' complacency in leaving PCs switched on or divulging their passwords to others.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.ananova.com/news/story/technology_us-gadgets-privacy_942524.html

SECURE MESSAGING OFFERED
VeriSign and Slam Dunk Networks are teaming up to offer a message delivery infrastructure that will guarantee business-to-business transaction participants that their messages will be protected, delivered, and properly accepted at their rightful destinations.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.infoworld.com/articles/hn/xml/00/08/22/000822hnverslam.xml

AUSTRALIA FEARS HACKERS MAY TARGET GAMES
Computer experts will work around the clock during the Sydney Olympics to keep out cyber hackers who might try to vandalize Games Web sites.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.mercurycenter.com/svtech/news/breaking/internet/docs/334890l.htm

THE WORLD'S MOST SECURE OPERATING SYSTEM
"OpenBSD is probably one of the most secure operating systems out there," says Chris Brenton, author of Mastering Network Security. "The crew does a fantastic job of locking down and being responsive when vulnerabilities are found." Such a good job that the U.S. Department of Justice uses 260 copies of OpenBSD to store and transmit its most sensitive data...
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.thestandard.com/article/article_print/1,1153,17541,00.html

BT WEB SITE SECURITY BLUNDER
The Insight Interactive portion of the BT.com Web site has a gaping hole in its security. Any registered user's details can be accessed by entering their user name and password. The trouble is, the same password works whichever username you use.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.theregister.co.uk/content/6/12794.html

WILL 3G DEVICES BE SECURE?
While anticipating the delights of 3G, be aware of the inherent dangers. According to computer security experts, all this connectivity and functionality will inevitably mean an increased risk of attack by mobile viruses and worms as well as malicious attackers. Evidence of the potential for new threats can already be seen. Earlier this month Japan's highly successful mobile broadband standard i-mode ran into its first major security issue, highlighting the dangers ahead.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.zdnet.co.uk/news/2000/33/ns-17466.html

YET ANOTHER CONTEST
Noted Chinese consumer electronics production company Hisense has challenged everybody to penetrate a server equipped with its newly developed firewall products before September 1 to win 500,000 yuan.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://english.peopledaily.com.cn/200008/23/eng20000823_48861.html

PIMPSHIZ INTERVIEWED BY HWA
HWA Security has an interview with 16 year old 'pimpshiz' who reportedly defaced over 60 sites in a pro-Napster social disobedience action.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.hwa-security.net/pimpshiz.txt

BIG BROTHER DATABASE APPARENTLY COMPROMISED
An unknown attacker has apparently gained unauthorized access to the main database of contestants for Spain's version of Big Brother, called Gran Hermano in Spain. According to reports, the database contains details including credit history, IQs, and mental health on over 1,700 would-be contestants.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.geek.com/news/geeknews/q22000/gee2000824002209.htm

NASTY PGP BUG
Ralf Senderek has found a nasty bug in PGP versions 5 and 6. It's of scientific interest because it spectacularly confirms a prediction made by a number of researchers in the paper on `The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption' that key escrow would make it much more difficult than people thought to build secure systems.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://cryptome.org/pgp-badbug.htm

PIKACHU WORM SPREADING
A computer worm featuring the cuddly Japanese cartoon character Pikachu has been found in computers in the United States, leaving some operating systems devastated, an anti-virus software firm said on Thursday. The worm was found by Trend Micro nearly two months ago.
Link: http://net-security.org/text/viruses/962474496,16084,.shtml

HOW TO SPY ON YOUR EMPLOYEES
Companies that want to spy on employees' Internet usage already have an array of tools. Research firm IDC predicts that in four years, the industry will generate $562 million in revenue. But employers fixated on monitoring employees may be wasting time and killing morale. Moreover, they may be setting themselves up to be sued.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.msnbc.com/news/449233.asp?cp1=1

YAHOO TO OFFER ENCRYPTED EMAIL OPTION
Yahoo plans to let its email account holders use data scrambling to protect the privacy of their messages, marking a potentially significant advance for the mainstream use of encryption.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://news.cnet.com/news/0-1005-200-2605437.html

TRUSTE PRIVACY SITUATION
Interhack Corporation has issued a report stating that visitors to the TRUSTe website have themselves unknowingly been tracked and were having pseudonymous information about them being directed to a third party, TheCounter.com.
Link: http://www.securitywatch.com/scripts/news/list.asp?AID=3697

RSA UPGRADING SECURITY SOFTWARE
RSA Security next week will unveil an upgraded version of its PKI software, adding support for digital certificates from multiple vendors and making it easier for security administrators to register users to receive certificates through an automated download process.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.infoworld.com/articles/hn/xml/00/08/25/000825hnrsa.xml

HOAX HITS EMULEX
Shares of Emulex tumbled to $43 from their previous close of $113.063 after false news circulated that the California-based company was restating its earnings, that its CEO had quit, and that it was under investigation by the Securities and Exchange Commission.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.techserver.com/noframes/story/0,2294,500243647-500360148-502111278-0,00.html

NEW PGP RELEASE
The MIT Distribution Center for PGP software has the new version of the program posted on-line. This release corrects a security-related bug with Additional Decryption Keys (ADKs) that may allow sophisticated attackers to add unauthorized ADK key IDs to the unhashed areas of PGP public keys.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://web.mit.edu/network/pgp.html

KOREAN MINISTRY WEBSITE HIT BY DOS
The Ministry of Information and Communication fell prey to attackers who managed to bring the Web site to a standstill for 10 hours Saturday. The Web site was downed at 12 but all services were restored by 10 p.m.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://koreaherald.co.kr/news/2000/08/__10/20000828_1038.htm

MAC OS X SERVER - SECURITY GUIDELINES
This document outlines some security measures for the Mac OS X Server 1.0 - 1.2 platform. While Mac OS X Server (OSXS) is a fairly secure environment out of the box, these basic measures help create a more secure computing environment.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.securemac.com/osxsecurity.cfm

ARACHNE BROWSER ARCHITECT DISMISSES VIRUS CHARGE
Michael Polak, a Czech scientist whose browser has been causing so many problems for its users that he was accused of disseminating a virus, issued an explanation on his Web site this week. Polak, who offers Arachne free of charge for non-commercial use, had received numerous complaints from people who had their files wiped out after they installed the browser.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.computeruser.com/news/00/08/28/news1.html

BUG HUNTERS
Associated Press has an article entitled "Bug hunters consider whether to reveal software flaws" which speaks of bug reporting to software vendors. The interesting part is that they have quotes from bug hunters and several companies about reacting to security issues.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.techserver.com/noframes/story/0,2294,500244316-500361480-502123615-0,00.html

---------------------------------------------------------------------

Net-Sec newsletter Issue 28 - 06.08.2000
http://net-security.org

General security news
---------------------
----------------------------------------------------------------------------

INFO.SEC.RADIO
IFR broadcast featuring the 2nd installment in a new four part series on Hacking Through the Ages, including part II of an interview with Kevin Mitnick. David Ahmed also takes a look at the previous week's top vulnerabilities. Part two of the Hot Topic series on Hacking Through the Ages looks at the following issues: The hacking renaissance, The Legion of Doom and Masters of Deception.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.securityfocus.com/media/58

NORTON ANTIVIRUS FREEZES SOME PCS
Users of Norton AntiVirus 4.0 and later versions have reported a slew of problems with the product, including annoying computer freeze-ups. With these system hangs, pressing Ctrl-Alt-Delete produces the error message "Msgsrv32.exe (Not responding)." ScanDisk may then create numerous temporary subdirectories (named DIR00000, DIR00001, and so on) that you can't easily remove.
Link: http://www.pcworld.com/heres_how/article/0,1400,17680+1+0,00.html

RABOBANK DENIES RUMORED ATM BREACH
A rumor on the Dutch e-security site Security.nl suggested that between 10.30 and 11.00 p.m. on June 2, it was possible, due to a system error in Rabobank's credit system, to empty ATMs across the Netherlands by simply entering a valid account password.
Link: http://www.securitywatch.com/scripts/news/list.asp?AID=3796

ANCIENT VIRUS CATCHES OUT US GOVERNMENT
The US government has been accused of scaremongering after issuing a security alert about a Trojan horse called DonaldD.trojan which was discovered more than a year ago.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.vnunet.com/News/1110145

PALM TROJAN UPDATE
Relating to all the hype about last week's situation with the Palm trojan, read a brief update. As posted on PalmStation.com by J.Brown - "I have learned from two separate sources today that both Aaron Ardiri and Gambit Studios - creators of the Liberty Gameboy emulator for Palm - will be sued for damages by an individual who had their Palm data destroyed by Ardiri's fake Liberty crack last week."
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.palmstation.com/

SECURE REMOTE BACKUPS
What do you do when your site is attacked or your system fails? Backup, Avi Rubin argues, is the most reliable way to ensure that what you've lost can be recovered. Here he takes a look at protecting your backup and recommends some products that can help.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.sunworld.com/sunworldonline/swol-08-2000/swol-0811-remote.html

NEW PHILIPPINES VIRUS A LOW RISK
The U.S. National Infrastructure Protection Center has issued a warning about a new computer virus originating from the Philippines which bears a resemblance to the 'Love' bug. The virus was first detected on Friday, and has been infecting some computer users this Labor Day weekend. But anti-virus experts told MSNBC that there have not been any reports of widespread infections.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.zdnet.com/zdnn/stories/news/0,4586,2623456,00.html

SITUATION IN AUSTRALIA
"There are at least 20 readily identifiable unauthorised attempts to access defence systems through defence's firewalls each day," a Department of Defence report said.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://news.com.au/common/story_page/0,4057,1157013%255E421,00.html

HFCHECK (UN)AVAILABLE
Microsoft released a new tool that is designed to help administrators ensure that their servers are up to date on all IIS 5.0 security patches. The link on their tools section is broken, and in a real quick reply on my mail, they said: "We apologize for the error. We are looking into the situation and will correct it as soon as we can - it may be Tuesday until it is available - Monday is a holiday, and our team has no access to the download center pages."
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.microsoft.com/technet/security

A POCKET GUIDE TO NSA SABOTAGE
"The NSA engages in sabotage, much of it against American companies and products. One campaign apparently occurred at about the time when PGP's most serious vulnerability was added."
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://cryptome.org/nsa-sabotage.htm

ICMP USAGE IN SCANNING VERSION 2.0
The Internet Control Message Protocol is one of the most debated protocols in the TCP/IP protocol suite regarding its security hazards.
There is no consensus among the experts in charge of securing Internet networks (Firewall Administrators, Network Administrators, System Administrators, Security Officers, etc.) regarding the actions that should be taken to secure their network infrastructure in order to prevent those risks. In this paper Ofir Arkin has tried to outline what can be done with the ICMP protocol regarding scanning.
Link: http://www.net-security.org/various/bookstore/ICMP_Scanning_v2.0.pdf

FREE 30 DAY TRIAL COPY OF SCANMAIL
Trend Micro is offering a 30-day free trial copy of ScanMail for Exchange. Try it out if you need that kind of protection.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.antivirus.com/products/smex

TOP TEN VIRUSES
Sophos published the latest in a series of monthly charts counting down the ten most frequently occurring viruses, compiled in one place. Kakworm leads the top ten with almost 19%.
Link: http://www.net-security.org/text/press/967860803,96551,.shtml

PRIVACY ADD-ON FROM MICROSOFT
Microsoft released a browser add-on Friday intended to provide users with greater control over the browser-tracking cookies handed out by websites.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.wired.com/news/technology/0,1282,38578,00.html

ANOTHER "HACKING" CHALLENGE
Beginning today, you are invited to take a shot at penetrating the security of the Balistraria Technologies Inc. netMIND Internet firewall appliance. The prize is $1000. Although all contests are media stunts, why not try to snatch their $1K :) More information can be found at the URL below.
Link: http://www.net-security.org/text/press/967859104,50716,.shtml

TROUBLE WITH SMS MESSAGES FOR NOKIA PHONES
Security Watch reports that "Web2Wap has discovered that a Nokia 7110 mobile phone can be jammed if it receives a malformed SMS message. The company says the only way to restore service is to unplug and replug the phone's batteries." Also one of our readers, Tom, replied to the article we ran entitled "Kaspersky Lab Demystifies the Discovery of the First True Wireless Virus", saying: "It obviously isn't a virus. I'd more consider it a denial of service attack. Anyway I presume you know how it's done, but if you don't here is the info - just send a Nokia 5110 160 full stops in an SMS message. It will only work on older software versions though. I'm not sure what software versions exactly but this has been known for quite some time now." I just tested this with my Nokia 3210 (running older software), and nothing happened.
Link: http://www.net-security.org/phorum/list.php?f=2

@STAKE JILTS PHIBER OPTIK
When Mark Abene aka Phiber Optik found himself being wooed last month by security services firm @stake, he didn't expect his hacker past to come back to haunt him - in the final phases of hiring they withdrew their offer saying: "We ran a background check". BTW if you have any comments, the HNS forum is alive you know :)
Link: http://www.securityfocus.com/news/79

CYBERCRIME LOSSES
The figures in an annual computer crime and security survey presented to Congress by the Federal Bureau of Investigation and the Computer Security Institute polled 643 companies and government agencies, which reported total financial losses of $265m last year, compared with $120m the previous year.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.bday.co.za/bday/content/direct/0,3523,688861-6129-0,00.html

ANTIFRAUD MEASURES
The Halifax bank has responded to growing concerns over online security Monday by offering antifraud measures and antivirus services to its customers.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.zdnet.co.uk/news/2000/34/ns-17551.html

INEXPENSIVE MEASURES TO SOLVE SECURITY PROBLEMS
Computer security is difficult to achieve. It requires constant vigilance, and it involves inconvenience. Sometimes, expensive products are offered that are claimed to solve your security problems with no problems, and they do not deliver. However, there are a number of inexpensive measures that would seem to solve a lot of security problems that aren't being used.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.securityportal.com/topnews/magic20000901.html

WATERMARKING TO PREVENT HOAXES
Blue Spike, a company that already produces digital watermarking technologies for video and audio files, started to develop technology that would make it possible for Internet Wire and others to verify the electronic text documents they receive.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.techweb.com/wire/story/TWB20000831S0009

DOS ON ST GEORGE BANK SERVERS
After thousands of St George Bank customers were denied access to its online banking service, police started investigating this Denial of Service attack.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://news.com.au/common/story_page/0,4057,1150199%255E421,00.html

ARRESTED IN EMULEX HOAX STORY
A 23-year-old college student was arrested Thursday and charged with staging one of the biggest financial hoaxes ever on the Internet. Of course we are talking about the Emulex hoax.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://news.excite.com/news/r/000831/17/tech-emulex-arrest-dc

15 YEAR OLD FINED FOR THE ATTACK
An Indonesian teenager who penetrated a Singapore site was slapped with a hefty fine, and his parents told to reimburse the National University of Singapore, it was reported yesterday.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.it.fairfax.com.au/breaking/20000901/A40585-2000Sep1.html

SECURITY MARKET
Lisa Meyer from RedHerring.com did an overview of the security market. According to the article, Baltimore Technologies was quick to deny rumors that U.S. computer giant Microsoft was considering a takeover bid.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://cgi.cnnfn.com/output/pfv/2000/08/31/technology/herring_security/

---------------------------------------------------------------------
Net-Sec newsletter
Issue 29 - 11.09.2000
http://net-security.org

General security news
---------------------
----------------------------------------------------------------------------

ANCIENT VIRUS CATCHES OUT US GOVERNMENT
The US government has been accused of scaremongering after issuing a security alert about a Trojan horse called DonaldD.trojan which was discovered more than a year ago.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.vnunet.com/News/1110145

INTERVIEW WITH BRIAN KERNIGHAN
Mihai Budiu interviewed Brian Kernighan, one of the High Creators of C, for the Romanian computer magazine PC Report Romania, for which Mihai is the assistant editor. Nevertheless, the interview is in English.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.cs.cmu.edu/~mihaib/kernighan-interview/index.html

RABOBANK DENIES RUMORED ATM BREACH
A rumor on the Dutch e-security site Security.nl suggested that between 10.30 and 11.00 p.m. on June 2 it was possible, due to a system error in Rabobank's credit system, to empty ATMs across the Netherlands by simply entering a valid account password.
Link: http://www.securitywatch.com/scripts/news/list.asp?AID=3796

ALLEGED SECURITY BREACHES
The 17-year-old who penetrated Eircom's system two weeks ago claims he has infiltrated RTE, the state broadcaster, and NTL, an American phone and cable company, but they deny the alleged security breaches.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.sunday-times.co.uk/news/pages/sti/2000/09/03/stiireire01013.html

BACK THE ACT
The UK Data Protection Commissioner could come under scrutiny from the Trade & Industry Select Committee next month over its ability to safeguard consumers' online personal details. Responding to silicon.com's 'Back the Act' campaign, Select Committee chairman Martin O'Neill MP yesterday said he will talk to the DPC, the British Bankers Association and the e-envoy's office about the recent incidents at Powergen and Barclays.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.silicon.com/a39450

FALLING APART AT THE SEAMS
Last month's Brown Orifice program opened a backdoor to an insecure future. Because the new inter-component security flaws differ so substantially from more traditional holes, a different sort of programmer is likely to find them. Open source allows the widest variety of coders to search the source for the flaws that they know best. This can only improve security.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.securityfocus.com/commentary/80

NEW DoS TOOL - TRINITY V3
A new Distributed Denial of Service tool, "Trinity v3", has been discovered in the wild. There have been reports of up to 400 hosts running the Trinity agent. In one IRC channel on the Undernet network there are 50 compromised hosts with Trinity running, with new hosts appearing every day. It is not known how many different versions of Trinity are in the wild.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://xforce.iss.net/alerts/advise59.php

SECURITY RELATED INTERVIEW BY NIKKEI
Harumi Yasui, Deputy Editor of Nikkei Communications, interviewed Akiyoshi Imaizumi, who works as a consultant to the Security Systems Division of Kyocera Communication Systems and is a member of the ISS X-Force team, and Hideharu Ishikawa, chairman of Artemis Inc. Follow the link to the Nikkei web site for the interview, but if you have problems viewing it follow the link to our forum where there's a copy of the interview.
Link: http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/fw/111147
Forum: http://www.net-security.org/phorum/read.php?f=2&i=95&t=95

ZIMMERMANN RESPONDS
Phil Zimmermann, the creator of PGP, responds to the recent flaw discovered in Network Associates' implementation of the Additional Decryption Key feature. He gave his explanation of the problem and a rebuttal to the conspiracy argument to a Senior Editor of Network World.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.nwfusion.com/archive/2000/106300_09-04-2000.html

REASONS FOR GUATEMALA SAT DEFACEMENT
After defacing the web site of the Superintendent of Tax Administration (SAT) in Guatemala, an attacker called "Hack" sent an e-mail message to major newspapers in which he claims to have been offended by a recent story in the daily Prensa Latina asserting that Guatemala had no computer hackers.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.ananova.com/news/story/sm_54131.html

FIREWALLS - COMMON CONFIGURATION PROBLEMS
There are many common configuration problems with firewalls, ranging in severity and scope. By far the most common problems relate to what should be blocked or allowed. This is often problematic because needs change; you may need to allow video streaming, for example, and unless done properly, the addition of new firewall rules can seriously undermine the security provided by a firewall.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://securityportal.com/topnews/fw20000905.html

COMPUTER CRIME INSURANCE BECOMES A PRIORITY
Insurance firms are hoping for a boom in business as companies scramble to protect themselves against the rise in computer crime. Internet fraud, email abuse, hacking and viruses are among the crimes set to rise over the next 20 years, according to research commissioned by the Association of British Insurers.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.vnunet.com/News/1110206

COPROCESSORS MOVE SECURITY ONTO PC MOTHERBOARDS
Responding to industry demand for better built-in security, vendors of PC chips and smart-card ICs are racing to develop security coprocessors that mount on a PC motherboard. Architectural approaches vary, but suppliers agree that this new design socket will start showing up in motherboards as early as the middle of next year.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.techweb.com/wire/story/TWB20000905S0019

USING POSTFIX
The MTA uses multiple layers of defense to protect the local system against intruders, and it can also run in a chroot jail. Installing on most operating systems is a trivial procedure, although on FreeBSD installation should be done differently to avoid the binaries being overwritten when a make world is done.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.bsdtoday.com/2000/September/Features274.html

BOOTING WITHOUT ALL THE EXTRAS
"Not all of the above programs are security risks; some are just unnecessary. A complete explanation of all these services is beyond the scope of this article, but if you check your man, info, and HOWTO pages, you should be able to determine which services you need. A decent rule of thumb: if you don't know how to use it, turn it off."
Part 1: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.linuxworld.com/lw-2000-08/lw-08-geek_2.html
Part 2: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.linuxworld.com/lw-2000-08/lw-08-geek_3.html

PSION WAPS SECURE REVO
Psion has launched the Revo Plus, a new version of its Revo handheld with secure access facilities provided by its bundled Opera browser. Opera's Secure Web Browser provides 128-bit SSL encryption, the highest level of commercial encryption available. It is only available to Psion EPOC platform users, says the company, although it should be extended to other Psion devices in the future.
Link: http://www.netimperative.com/technology/newsarticle.asp?ArticleID=4945

IKEA EXPOSES CUSTOMER INFORMATION ON CATALOG SITE
Home furnishings retailer IKEA closed its online catalog order site last night after a privacy breach made the personal information of tens of thousands of its customers available online. The information had been exposed since at least Monday morning, when an IKEA customer uncovered an unprotected database file containing customer records. The file, which was accessible until yesterday evening, contained the names, addresses, phone numbers and email addresses of customers who ordered IKEA catalogs.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://news.cnet.com/news/0-1007-200-2709867.html

THE NEW ISRAELI STANDARD FOR INFORMATION SECURITY
The Standards Institute of Israel will base its new information security standard upon the British Standard BS 7799, the most widely recognized standard for information security management today. To implement this standard, the SII will draw on Israeli and international standards as well as accepted implementation methodologies for information security, including the e-Sure security standard for e-commerce certification.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.globes.co.il/cgi-bin/Serve_Arena/pages/English/1.3.1.9

ABN AMRO E-BANKING SERVICE ATTACKED
An investigative programme for Dutch TV has exposed security flaws in national bank ABN Amro's e-banking service Home Net. Attackers managed to breach defences and divert payments into their own accounts.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.theregister..co.uk/content/1/13033.html

FBI DEFENDS CARNIVORE BEFORE CONGRESS
The FBI vigorously defended its controversial Carnivore email spy tool during Congressional hearings probing the balance between law enforcement needs and privacy rights. Senator Orrin Hatch, chairman of the Senate Judiciary Committee, told the assembled senators and witnesses that the hearings were held to examine the Constitutional and policy implications of new surveillance technologies in general, and the Carnivore system in particular.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.zdtv.com/zdtv/zdtvnews/politicsandlaw/story/0,3685,10194,00.html

REFERENCE GUIDE TO CREATING A REMOTE LOG SERVER
In this, the first of a series of security HOWTO-type papers, Eric explains how to create a secure remote log server on a Unix platform. Reliable logging is a must for a properly secured network, and this paper provides a much-needed step-by-step tutorial on how to achieve this.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.securityfocus.com/announcements/184

IMPROVING SECURITY IN AUSTRALIA
Australian Minister of Defence, John Moore, said that he would be insisting on improvements to the security of Defence Department computer equipment, following the theft of desktop and notebook PCs.
Link: http://www.minister.defence.gov.au/mintpl.cfm?CurrentId=144&_ref=233393570

SILLY MISTAKES
Technological holes account for a great number of the successful break-ins, but people do their share as well. The SANS Institute has a list of silly things people do that enable attackers to succeed.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.sans.org/mistakes.htm

WEAK SECURITY FOUND IN MANY WEB SERVERS
One in three supposedly secure e-business servers is using software with known security weaknesses, and European sites are the worst offenders, according to a survey.
Eric Murray, a consulting security architect based in the US, found that in a random sample of more than 8000 web servers running the SSL protocol, 32 per cent were "dangerously weak".
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.vnunet.com/News/1110445

SPAM SPREADS TO PAPER
If "traditional" electronic spam isn't enough for you, there's a new service from Zairmail that lets you spread your electronic word even to those unfortunates not connected to the Internet. Zairmail Express Direct provides postal mail-on-demand services.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.pcworld.com/shared/printable_articles/0,1440,18370,00.html

NEW SECURITY CHALLENGES - WIRELESS TECHNOLOGY
On July 27, Jeff Schmidt tried out a brand-new wireless LAN card on his laptop at work. He didn't expect anything to happen, because his organization's wireless LAN wasn't up and running yet. But to his surprise, he was able to connect without any trouble to the network of an office down the street.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.cnn.com/2000/TECH/computing/09/07/wireless.risks.idg/index.html

BORDERHACK EVENT
Borderhack, a three-day event that took place over Labor Day weekend, promoted hacktivism as a means of protest about the inequalities and dangerous conditions that would-be Mexican immigrants face.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.zdtv.com/zdtv/cybercrime/hackingandsecurity/story/0,9955,10407,00.html

DECSS T-SHIRTS ILLEGAL?
DVD CCA contends that Copyleft misappropriated trade secrets by printing the code on the T-shirt. Designed by Dominic Dellizzi, a programmer at Copyleft, the back of the shirt bears the source code to DeCSS, a program that decrypts DVDs.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.cnn.com/2000/TECH/computing/09/08/decss.shirt.idg/index.html

WHY BAYTSP WON'T COMPROMISE PRIVACY
ZDNet News recently ran an article about BayTSP's efforts to work with law enforcement to track child pornography and copyright infringements on the Internet and report them to the proper authorities. Based on the enormous response in the TalkBack section of that article, it is apparent that there is confusion regarding law enforcement's application of our technology.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.zdnet.com/zdnn/stories/comment/0,5859,2625627,00.html

SECURE TUNNELING BETWEEN INTRANETS WITH VTUN
"VTun was written by Maxim Krasnyansky and is a fast and flexible package that allows you to create encrypted tunnels between hosts. It supports a number of tunnel types, compression, and traffic shaping. According to the site, it can run on Linux, Solaris, FreeBSD, and other BSD clones. I will be using Solaris 2.7 for the examples in this article."
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.unixreview.com/administration/articles/000815sec.shtml

INVESTIGATORS WITH PHONY E-MAIL IDS
False identities may be a time-honored tradition on the Web, but as the case of the e-mail messages about DFL U.S. Senate candidate Mike Ciresi illustrates, fake isn't the same as anonymous. Most Internet users probably don't realize how easy it is to trace the origin of an e-mail, and how willingly their Internet service provider or e-mail provider will aid in the search.
Link: http://www.startribune.com/viewers/qview/cgi/qview.cgi?template=biz_a_cache&slug=isp09

PGP DESKTOP SECURITY 7.0
PGP Desktop Security 7.0 is the first and only security product to combine personal firewall, intrusion detection, VPN client, and encryption technologies into a single solution that fully protects computers against intruders and the theft and loss of data. Whether employees work at home or in the office, PGP Desktop Security provides seamless protection from cyber-hijackers, easy-to-use e-mail and disk encryption, protects the integrity of the company's information, controls access to files, and offers a host of other important security features. Developed by PGP Security, a Network Associates business, PGP Desktop Security 7.0 empowers overburdened network administrators who must balance the roles of protecting digital assets, embracing e-business, and managing network shifts toward telecommuting.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.pgp.com/products/dtop-security/default-encryption.asp

KASPERSKY OPENS SHOP IN CALIFORNIA
Our partners at Kaspersky Labs, creators of AVP, are setting up shop in California, moving their war against computer viruses - and the debate surrounding their motives - further into the mainstream.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.zdnet.com/zdnn/stories/news/0,4586,2626141,00.html

SITUATION IN INDIA
"Company in India received an e-mail demanding a huge sum to retrieve the domain and was given an address in Mumbai, where the firm has its head office, for the payment to be made." Standard cybersquatting. The article starts with this and finishes by saying that 52 strategically vital Indian sites were defaced in the month of August. Two different topics...
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.timesofindia.com/080900/08mahm2.htm

SPAM PERMITTED FOR BIG COMPANIES !?
Microsoft announced Friday that it would permit Harris Interactive, an online polling concern, to spam its 70 million Hotmail email accounts with Web surveys. Harris had sued Microsoft, America Online, Qwest, and others for blocking its email surveys, and had already cleared AOL's blockage when Microsoft caved.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.upside.com/Executive_Briefing/39b9782a0.html

WESTERN UNION SITE COMPROMISED
Western Union has warned thousands of online customers that someone has broken into the US money transferring company's website. It is unclear whether the attackers obtained any personal account information from the company. The web site now contains the text "Our Web site is temporarily out of service. We apologize for any inconvenience."
Link: http://www.ananova.com/alerts/details.html?ealertid=1752&lp=50315

----------------------------------------------------------------------------
Questions, contributions, comments or ideas go to:
Help Net Security staff
staff@net-security.org
http://net-security.org

For layout, please email Slider_100@hotmail.com

----------------------------------------------

0wning The World Is A Slow Process, So Give Up And Let Us Gain R00t On You

#OblivionMag EFNet
Copyright 0blivion.org 2000
B0w Down And Feer The Revolution Of Oblivion

Sponsors:
http://www.slidersecurity.co.uk
http://net-security.org
http://www.hackernews.com
http://www.caffeine.org.uk
http://www.lab6.com
http://packetstorm.securify.com

Music: Smash Mouth - All Star
Drink: Tequila

Thanks:
Vortex, for hosting 0blivion.org
Abattis and Gossi, for re-hosting 0blivion.org
Lockdown, kermit and Omega, for their work
Atomix, for his bots on #oblivionmag
Spammy, for his bots on #oblivionmag
UK Uncovered, for filming me for the new show
Creation in Bristol, for a top nite
Aleph1, R.F.P and all the h0es that make our lives worth living online
And Akt0r, DC_`, d0tslash, Cl0wn, TNC, redmang, Slinkie and a few others
#darkcyde, #bellcrew, #2600-uk, #bifemunix, #hax0r, #b10z, #beyond, #japan

Woman: Denise Van Outen - Big Breakfast styleey!