« June 2010 | Main | August 2010 »

July 2010

07/28/2010

Mobile computing vulnerabilites, DNS cache poisoning, SSL vulnerabilities

Black Hat 2010 started today and there is no shortage of vulnerabilities to be revealed. Black Hat and it's lower end companion conference, Defcon, are where security researchers disclose vulnerabilities in IT infrastructure upon which our civilization depends.

I'm a little late getting this post out but here are some things to expect, courtesy of PC World: What to Watch at Black Hat and Defcon. I am glad DNS is getting some focus as is mobile computing.

2) DNS

Two years ago, Dan Kaminsky made headlines worldwide by uncovering a flaw in the DNS (Domain Name System) used to look up the addresses of computers on the Internet. This year, Kaminsky is speaking againat Black Hat -- this time on Web security tools. But he's also been tapped to participate in a press conference where he and representatives from ICANN (Internet Corporation For Assigned Names and Numbers) and VeriSign will discuss Domain Name System Security Extensions (DNSSEC) -- a new way of doing DNS that provides a level of confidence that computers connected to the Internet are what they actually claim to be.

About two weeks ago, ICANN presided over the first cryptographic signingof a root server with a DNSSEC key. DNSSEC isn't yet widely supported, but ICANN hopes that by signing a root zone, it will spur others to support the protocol in their server and client software.

Researchers like Kaminsky say that widespread adoption of DNSSEC could curb a whole bunch of online attacks. "We've been looking at how DNSSEC is going to address not only DNS vulnerabilities, but some of the core vulnerabilities we have in security," Kaminsky said in an interview. "We're not going to solve all of those problems with DNSSEC... but there's an entire class of authentication vulnerabilities that DNSSEC does address."

Search Security also had a nice primer yesterday: Mobile threats, SSL weaknesses, Web application bugs at Black Hat 2010.  

Dasient, a Web-based antimalware company, will present its research at Black Hat on the three most critical structural vulnerabilities in websites. Daswani will talk about the vulnerabilities and problems his company's scanning technology has seen in Javascript widgets, third-party advertising services and third-party applications.

Often, Daswani said, the issue comes down to trust. The widget provider, for example, could be an attacker masquerading as a provider; the widget could be compromised; or it could be using DNS cache poisoning to redirect site visitors to an attack site. The research also points out similar issues with third-party advertising that could be serving malware or redirecting users to attack sites. The main problem is that advertising providers always have multiple partners, and chances are one or all of those partners don't vet the security of ad content. Third-party applications also exploit the trust between site visitors and the site. Apps could be vulnerable to Web-based attacks such as SQL injection or cross-site scripting; host sites need to ensure providers are vetting code for security vulnerabilities.

Stay tuned as more news comes out of the these conferences.

Posted at 04:17 PM | | Comments (1) | TrackBack (0)

Technorati Tags: , , ,

07/19/2010

New espionage malware focused on SCADA systems

Brian Krebs reported last week on recently discovered malware that attempts to compromise Siemens SCADA (supervisory control and data acquisition) systems - the systems that run industrial processes and utilities like pipelines, refineries, chemical plants, and electrical systems.

The malware utilizes USB drives and takes advantage of previously unknown flaws in Windows operating systems. See Experts Warn of New Windows Shortcut Flaw. Network World has a follow up article: New virus targets industrial secrets that provides a good explanation of how the virus spreads.

SCADA systems run critical infrastructure and Siemens is a key manufacturer. This type of malware can't be dismissed lightly. We do not know how long the virus has been in the wild, where it has spread and what systems may be affected. If a virus has infiltrated control systems for the power grid or pipelines there is no telling how much damage could be caused.

Many in the security community have been concerned about this type of malware but it doesn't get much publicity (however, see this video: Sabotaging the System: 60 Minutes reports on our dismal Internet security, a report by 60 Minutes from last November).

I zeroed in on one paragraph from KrebsonSecurity:

Ulasen said the malware installs two drivers: “mrxnet.sys” and “mrxcls.sys.” These so-called “rootkit” files are used to  hide the malware itself so that it remains invisible on the USB storage device. Interestingly, Ulasen notes that both driver files are signed with the digital signature of Realtek Semiconductor Corp., a legitimate hi-tech company.

Protecting digital signatures is critical for internet security. It's the "secret password" that makes cryptography work. Yet the hardware and general purpose operating systems that run Internet, consumer, and business software (and therefore all of their applications) are incapable of fully protecting critical cyptograghic signatures. They can only do a marginal job through obfuscation. We live with this compromise every day. DNSSEC will help with authentication, but without immunity to malware and rootkits we can never be secure.

I hope Siemens' customers are working overtime to determine that they have not been compromised.

Posted at 04:53 PM in Cloud Services | | Comments (2) | TrackBack (0)

Technorati Tags: , , , ,

07/15/2010

Root zone signed with DNSSEC

A giant step for Internet security.

From the DNSSEC deployment site:

 

Culminating years of effort on the part of many public and private organizations and individuals, ICANN has now confirmed the root zone is signed and available, and has published the root zone trust anchor so that root operators can begin to serve the signed root zone with actual keys. Initiative partner and Shinkuro CEO Steve Crocker said:

This is a very special day.  Very, very many people, working for many years all over the world made this day possible.  Like the golden spike that completed the first transcontinental railroad in the United States, the signing of the root completes the basic platform for building new levels of trust on the Internet.

Posted by Graveline in Uncategorized on July 15, 2010

DNSSEC Decoded,” a half-day seminar sponsored by Secure64, will take place July 27 from 8:30 a.m. to 11:30 a.m. in Washington, DC, at the International Spy Museum’s Zola Restaurant.

Speakers include Initiative partner and NIST computer scientist Scott Rose and Microsoft Federal Group Chief Security Officer Bill Billings.  Breakfast is included in the event, and the speakers will discuss why U.S. federal agencies’ internal networks are targets for theft of confidential information; how DNSSEC protects internal and external domains from hijacking; DNSSEC deployment requirements and FISMA requirements that pertain to DNSSEC; and case studies from other federal agencies.  Seating is limited; you also may listen to a recording of the event with the chance to ask questions of the speakers.

U.S. Commerce Secretary cites DNSSEC on eve of root signing

Posted by Graveline in Uncategorized on July 15, 2010

U.S. Commerce Secretary Gary Locke yesterday addressed a meeting of the federal agencies participating in a government-wide cybersecurity policy review, citing DNSSEC as a significant accomplishment in securing the Internet, on the eve of the signing of the root zone.  His remarks included these words:

One of the Commerce Department’s most important accomplishments will go into effect tomorrow when DNSSEC is deployed at the root of the Domain Name System.

This action will essentially give a “tamper proof seal” to the address book of the Internet – a seal that gives Internet users confidence in their online experience.

And I’d like to thank the Department’s partners in this effort — the Internet Corporation for Assigned Names and Numbers, and VeriSign.  This effort is an excellent example of public – private cooperation, which included extensive domestic and international community consultation. 

For more see Network World: Internet takes DNSSEC on board

Posted at 10:23 PM | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

07/14/2010

Cyberwar vs safe information highways; DNSSEC almost here

The July 1 issue of The Economist has a headline "Cyberwar" with the scary picture below.

201027ldp001

Bruce Schneier has a thoughtful response on CNN.com: Threat of 'cyberwar' has been hugely hyped.

I don't want to enter the debate on cyberwar, but we (including the US Government) are certainly  not doing everything we could today to improve cyber security. A more secure Internet will save money for everyone and improve our economy.

Calling the Internet the Information Superhighway is a good way to illustrate the benefits of security. If you had to pay a security toll every 10 miles (buying anti-virus/anti-spy-ware/firewall,etc. with an annual renewal) and the toll failed to prevent 10% of traffic from being hijacked, you probably would not drive on that highway, and if you did you would not carry any valuables. That is exactly what we have today with the Internet. This isn't cyberwar - it's crime. Let's address crime first by doing what we can to make the internet more secure.

Don't spend too much on Cyberwar until we do some basic security block and tackling, like deploying DNSSEC.

And speaking of DNSSEC, tomorrow is the day the DNSSEC signed root zone enters production.

Posted at 05:56 PM | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

Enter your email address:

Delivered by FeedBurner

About Steve Goodbarn

Categories

Steve's Blogroll

Archives

Disclaimer

  • All views and opinions expressed on this blog belong to me, the author, and are not those of any current or past employers, investors, or anyone else.
Blog powered by TypePad