Monday, February 12, 2007

Securing the Corporate Network When There is No Perimeter

Do not try and bend the spoon. That’s impossible. Instead, only try to realize the truth … There is no spoon – Spoon Boy, The Matrix

Early computer security thinking taught that computer security followed the patterns of physical security. The object was to create a secure perimeter and then strictly control ingress/egress through a few gateways. Early pen-testing often included attempts to gain physical access to a facility or specific system because everyone “knew” that physical access always trumped computer or network security.

Following those principles, every reasonable security architect specified firewalls, locked doors and CCTV to safeguard their systems. These elements became part of the “building code” for any secure facility.

Dear Readers, it’s time we updated our building code. We’ve had our digital Earthquakes and Hurricanes. This architecture of hardened perimeter and gateway firewall is obsolete. Today’s mobile devices carry threats and bad behavior directly onto your core network. Wireless and p2p are everywhere and the botnets, malware and Trojans ride in on port 80 and masquerade as harmless web surfing.

Today’s security architect must design and implement processes across their network comprehensively and with proper attention to every server, desktop, laptop, dormant virtual machine and wireless enabled device. Use automation to protect against flash-threats and Warhol worms. Use malware and behavioral analysis to detect Spear Phishing, targeted Trojans and command-and-control networks.

The new building code for networks requires endpoint security. The building specification for endpoint security includes but is not limited to:

  • Continuous vulnerability and patch management
  • Malware protection and host integrity
  • Policy enforcement and compliance validation
  • Policy and behavior based Pre and Post network admission control
  • Continuous performance and security monitoring

There are many products in this space. I recommend being wary of complexity and forklift upgrades. Look for products that simplify operations and solve real IT problems along with improving security.

Friday, February 9, 2007

Microsoft Security Response Center Blog

I did want to note that this month, the Thursday before the Second Tuesday is actually the second Thursday of the month. That will be the case for March as well.

We sometimes get people who associate the Advance Notification with the first Thursday of the month, so I wanted to remind folks that it’s actually tied to the second Tuesday, the release day. So, if you have any reminders for today’s notification for March tied to the first Thursday of March, you’ll want to update them to March 8 2007: which is when we’ll make the next Advance Notification.

If that isn’t perfectly clear to you, I recommend further reading.

One item is clear: this will be an important patch event for most Microsoft users. There are a fair number of Critical and Important patches for core operating system and application elements. It would be nice to know which CVEs are being addressed.

Turning Your Typo into Profit

Have you noticed what happens when you mistype the name of your favorite web site? As reported by Daniel Wesemann at the Internet Storm Center, this is not an accident; this is a profit center.

A few sites like www.gogle.com go where intended – www.google.com. Type in www.googe.com and you end up at Go Daddy. Just a little while ago, my browser would have shown me, “Cannot find server or DNS error.” Now on my Dell system, most of my mistakes take me to a customized Dell/Google results page. Being redirected to a search engine might seem innocuous, but this is actually a real bad thing™.

These are all a form of hijacking. How bad is this? Just last year a phisher was targeting Wells Fargo customers with a “welsfargo” URL. Wells Fargo has registered the domain “welsfargo.com” but has not redirected the domain as Google did with gogle.com. The folks at Wells Fargo need to correct this.

If you have an e-commerce or popular web site then you need to protect yourself and protect your customers:

  1. Register the confusingly similar domain names and configure their DNS records to point to the correct site
  2. Monitor all of your domain records and DNS servers for failure or compromise
  3. Deter the pharmers with protection against defacement, cross-site scripting and man-in-the-middle attacks
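An added example for steps 1 and 2 (my code, not from the post or from the ISC write-up): generate the single-keystroke misspellings of a brand domain, then compare what each one resolves to against your own addresses. The resolver answers and IP addresses below are constructed; `resolve_live` is the real lookup you would substitute in production.

```python
import socket


def typo_variants(domain):
    """Single-edit misspellings of the domain's name label: a dropped
    character (gogle), a doubled one (gooogle), two swapped (googel)."""
    name, _, tld = domain.rpartition(".")
    variants = set()
    for i in range(len(name)):
        variants.add(name[:i] + name[i + 1:])               # omission
        variants.add(name[:i] + name[i] + name[i:])         # repetition
        if i + 1 < len(name):                               # transposition
            variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    variants.discard(name)                                  # swapping "oo" gives the original back
    return {v + "." + tld for v in variants if v}


def resolve_live(domain):
    """Real A-record lookup for use outside this demo (needs network)."""
    try:
        return set(socket.gethostbyname_ex(domain)[2])
    except socket.gaierror:
        return set()


def classify(candidates, resolved, our_addresses):
    """resolved maps candidate -> set of A records (empty set = no answer).
    'unregistered': register it and point it at the real site.
    'ok': already resolves only to our addresses.
    'alert': someone else answers for it; investigate."""
    status = {}
    for domain in sorted(candidates):
        answers = resolved.get(domain, set())
        if not answers:
            status[domain] = "unregistered"
        elif answers <= our_addresses:
            status[domain] = "ok"
        else:
            status[domain] = "alert"
    return status


# Constructed resolver answers using documentation address ranges.
OUR_ADDRESSES = {"203.0.113.10"}
SAMPLE_RESOLVED = {
    "gogle.com": {"203.0.113.10"},   # correctly redirected to us
    "googe.com": {"198.51.100.7"},   # parked by a third party
}

if __name__ == "__main__":
    for d, s in classify(typo_variants("google.com"), SAMPLE_RESOLVED, OUR_ADDRESSES).items():
        if s != "unregistered":
            print(d, s)
```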

Wednesday, February 7, 2007

Another Attack on DNS Root Server Infrastructure

For those of you who need more information, Wikipedia has a good article on why DNS root servers are important to everybody.

Every time you type a URL, or click on a link in your web browser, a DNS server directs your computer’s browser to the right server on the Internet. For performance reasons, you usually use the DNS server on your local network or one provided by your ISP. Your local DNS server relies, in turn, on other DNS servers in a tree-like hierarchy. Ultimately, all DNS servers rely on the smooth functioning of the thirteen DNS root servers.

An attack on the root servers is an attack on the fundamental structure of the Internet. It’s the DDoS equivalent of a doomsday device. This is the sort of thing a villain like Ernst Blofeld would attempt; it could be the action of a sociopath, the prelude to a grand attempt at extortion, the test of an info-weapon or an act of war.

Fortunately, as noted by John Crain, this type of attack has become much harder to pull off. However, Harder ≠ Impossible. The current infrastructure can handle an enormous load, but there are limits. The picture below shows the situation at 11:00 AM PST:

Picture 1: dnsmon.ripe.net (2/6 17:00 UTC - 19:00 UTC)

As you can see in this reporting period, two of the thirteen servers are still experiencing significant load. The following picture shows the effect of the attack from its beginning:

Picture 2: dnsmon.ripe.net (2/6 08:00 UTC - 2/7 08:00 UTC)

As you can see, the attack hit servers ‘G’ and ‘L’ the hardest. The red spikes indicate an average probe failure rate exceeding 90%.

Most likely, this attack will not affect you directly. It is a lot like a solar flare’s effect on radio communications – there’s a lot more noise in the system today and don’t be surprised if you notice a slightly different “feel” to the Internet today.

The lesson here?

Performance monitoring is often a leading indicator to an attack on your computer infrastructure. It is important to understand your baseline performance and monitor the systems you rely on for any significant deviation from baseline.
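An added example of the baseline idea, applied to the kind of data dnsmon reports (this is my code, not RIPE’s, and the per-server probe failure rates below are constructed, not the real 2/6 measurements): a baseline is taken from quiet intervals, and a server is flagged as soon as it leaves that baseline, well before it reaches the 90% failure mark the red spikes show.

```python
from statistics import mean, pstdev

# Constructed sample: probe failure rate (%) per root server, one value per
# reporting interval. The first `window` intervals are the quiet baseline.
SAMPLE = {
    "A": [1, 2, 1, 2, 1, 3, 2, 2, 1, 2],
    "G": [1, 2, 1, 2, 1, 55, 93, 95, 60, 40],
    "L": [2, 1, 2, 1, 2, 70, 96, 91, 70, 45],
}


def baseline(series, window):
    """Mean and population std-dev of the first `window` intervals."""
    quiet = series[:window]
    return mean(quiet), pstdev(quiet)


def deviations(series, window, sigmas=3.0, hard_limit=90.0):
    """(index, value, crossed_hard_limit) for every interval after the
    baseline whose failure rate exceeds mean + sigmas * std-dev."""
    mu, sd = baseline(series, window)
    threshold = mu + sigmas * max(sd, 1.0)   # floor sd so a flat baseline still alarms
    return [(i, v, v > hard_limit)
            for i, v in enumerate(series[window:], start=window)
            if v > threshold]


def report(samples, window):
    """Per server: did it deviate, did it ever cross the hard limit, when did
    the deviation start, and is it still elevated at the latest interval."""
    out = {}
    for name, series in samples.items():
        flags = deviations(series, window)
        mu, sd = baseline(series, window)
        out[name] = {
            "deviating": bool(flags),
            "severe": any(sev for _, _, sev in flags),
            "first_at": flags[0][0] if flags else None,
            "still_elevated": series[-1] > mu + 3.0 * max(sd, 1.0),
        }
    return out


if __name__ == "__main__":
    for name, r in report(SAMPLE, 5).items():
        print(name, r)
```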

For the Internet, we can thank the very good folks at RIPE.

Monday, February 5, 2007

Web Site Security Affects You

1987 - Mitnick invades system at Santa Cruz Operation. Santa Cruz police travel to Los Angeles to search apartment where call coming into SCO originates. ( …) Mitnick's representation bargains felony charge down to misdemeanor. Sentence: three years probation.

At SCO, Mitnick found his way in via “war-dialing” onto a UNIX system. Did he crack root? No, root on this system had no password at all… Kevin wasn’t after SCO, he wanted UNIX source so he could get even deeper into Ma Bell’s computers.

20 years later, another hacker discovers a system he can access, only this guy isn’t after big business, he’s after YOU.

Last week, Websense discovered that several Super Bowl related web sites had been hacked. According to news reports, these systems were compromised on or before January 26, but engineers at the affected sites were not alerted until February 2nd. For a period of a week, a malware package installed on the victim web server attacked every visitor to the site.

You might not discover “Hackistan” but Hackistan wants to discover you. I intend no offense to my friends from South East Asia, but I like this idea of Hackistan (more on this later).

The crooks are making the Internet their own. Gone are the days when kids broke into systems to prove their l33t skill; the game is all about money now. And the money is getting very, very big.

We can only guess how many systems this attack affected. Enough however, that it appears that the malware server in China was failing under load. Get the irony? The bad guy’s computer was crashing because he had too many victims phoning home.

This hacker was not after fame. No vandalism or political messages, the web sites continued to operate as normal. By the way, I don’t consider people like this to be hackers… this person is a crook, a perpetrator after your login, passwords, credit card info – anything and everything he could get, so he could sell your identity or rip you off directly.

Solution? Simple:

  1. If you have a computer, keep it patched and use a personal firewall.
  2. If you have a web site, monitor the hell out of it. Find someone who will watch your web site and the entire infrastructure it relies on. Don’t settle for a once-a-quarter or once-a-month scan. Find someone who looks at your web site the way the hackers do. Pay them to check it now and check it every day, 365 days a year. This is not a choice any more.
Michael
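An added example of the second point (my code, not from the post or from Websense): a daily check that compares a freshly fetched page against a known-good copy and flags any script, iframe, object or embed that now loads from a host that is not yours, which is how a compromised web server turns its own visitors into victims. The two HTML documents and the host names are constructed; in practice the current page comes from a fetch of your live site.

```python
import hashlib
import re

# Constructed sample pages (not any real site's content).
BASELINE_HTML = """<html><head><title>Stadium News</title>
<script src="/js/site.js"></script></head>
<body><h1>Game day</h1><p>Kickoff at 6pm.</p></body></html>"""

TAMPERED_HTML = """<html><head><title>Stadium News</title>
<script src="/js/site.js"></script></head>
<body><h1>Game day</h1><p>Kickoff at 6pm.</p>
<iframe src="http://malware.example/load.php" width="0" height="0"></iframe>
</body></html>"""

# Tags that pull executable or embedded content from a src attribute.
TAG_RE = re.compile(r'<(script|iframe|object|embed)\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
HOST_RE = re.compile(r'(?:https?:)?//([^/:]+)', re.I)


def external_resources(html, own_hosts):
    """(tag, host) pairs for src attributes pointing at hosts not in own_hosts.
    Relative paths have no host and are treated as ours."""
    found = set()
    for tag, src in TAG_RE.findall(html):
        m = HOST_RE.match(src)
        if m and m.group(1).lower() not in own_hosts:
            found.add((tag.lower(), m.group(1).lower()))
    return found


def page_fingerprint(html):
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def check_page(current_html, baseline_html, own_hosts):
    """Findings for a freshly fetched page versus the known-good copy:
    any byte-level change, plus each newly introduced external resource."""
    findings = []
    if page_fingerprint(current_html) != page_fingerprint(baseline_html):
        findings.append("content changed since baseline")
    new_external = (external_resources(current_html, own_hosts)
                    - external_resources(baseline_html, own_hosts))
    for tag, host in sorted(new_external):
        findings.append(f"new external {tag} from {host}")
    return findings


if __name__ == "__main__":
    for f in check_page(TAMPERED_HTML, BASELINE_HTML, {"stadium.example"}):
        print(f)
```

A changed fingerprint alone is normal for a site that publishes daily; the finding that should page someone is the new external resource, especially a zero-size iframe.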