Ping? Why do I need to block ping?
On one of the security lists I follow, a firewall admin (who I assume is new at his job) asked the following question:
All this while I’m not allowing any public ping to the website I’m maintaining, but it’s making it tougher for me to troubleshoot should any user from around the globe have trouble accessing our website, as I can’t make them send a proper traceroute report.
website? Is this security practice still relevant with today’s exploit technology?
And if you think it’s still necessary, how do I make sure my users’ traceroutes still work when all ICMP is dropped from the public?
Hmmm. Interesting question. Then, a flurry of replies which included the following gem.
Why are you not allowing ICMP? Is the server itself exposed or behind a netscaler or some routing device? Even if it’s not covered behind, you can allow ping. The only exploit with ping is the ping of death, which is obsolete now. Use a software IDS/IPS?
My observations:
1. The original poster is pretty new. If he wants to know whether to allow ping or not, explaining the different types of ICMP will probably go “whoosh” over his head. It’s entirely possible it might go “whoosh” over the head of his firewall management software, too!
2. While it’s true that most routing systems have fixed ping-of-death, this is not the only ICMP-based attack. Suggesting to allow it and put in a “software IDS/IPS” is not terribly bright, and gives you some idea why you’ll (probably) get hacked if you outsource your systems to that person’s employer.
What I would suggest as a maxim for firewall engineering is this:
1. Understand the traffic through your firewall(s), including application and protocol specifics. This can win you bonus points in future careers, for example when you spot a bug in the way a firewall handles TCP reassembly, and earn much geek cred thereby.
2. Allow only the traffic you absolutely need.
3. In case of doubt, go to step 1.
4. Drop all else.
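Applied to the original poster’s question, as an added example that is not from the post: an nftables ruleset for a public web server written to the four maxims, accepting only the ICMP types the host actually needs while still letting a user’s traceroute reach the final hop. The Linux/nftables host, the service ports and the rate limits are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: an nftables ruleset for a public web
# server written to the four maxims above. Only the ICMP the service needs is
# accepted, a user's traceroute still reaches the last hop, and everything else
# is dropped and logged. Ports and rate limits are assumptions; tune to taste.

# Print the ruleset rather than applying it, so it can be reviewed or diffed first.
web_ruleset() {
  cat <<'EOF'
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif "lo" accept
    # Maxim 2: the ICMP this host needs, by type, never a blanket "icmp accept".
    # echo-request lets ping and Windows tracert reach us (rate limited).
    icmp type echo-request limit rate 10/second accept
    # Errors we must hear: fragmentation-needed (PMTUD) is a destination-unreachable code.
    icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
    # ICMPv6 is not optional: without neighbour discovery and packet-too-big, v6 breaks.
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    # Unix traceroute probes UDP 33434-33534. Reject rather than drop, so the
    # last hop answers with port-unreachable instead of showing "* * *".
    udp dport 33434-33534 reject with icmpx type port-unreachable
    # The service itself.
    tcp dport { 80, 443 } accept
    # Maxim 4 is the chain policy; log what it eats so maxim 1 stays possible.
    limit rate 5/second log prefix "input-drop: "
  }
}
EOF
}

# Load atomically (needs root). "nft -c -f -" only checks syntax; run that first.
apply_web_ruleset() {
  web_ruleset | nft -f -
}

# Review checks that need no root: default-deny is set, and no rule accepts
# every ICMP type wholesale.
ruleset_is_default_deny() {
  web_ruleset | grep -q 'policy drop;'
}
accepts_all_icmp() {
  web_ruleset | grep -Eq 'l4proto +(icmp|ipv6-icmp) +accept|ip protocol +icmp +accept'
}
```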
Blocking twitter to stop a riot?
In an effort to control the communications used by rioters, the UK government are seeking ways to limit access to social media during a riot.
There’s an old saying amongst techie types – “The Internet interprets censorship as damage and routes around it”. And another one is similar – “It is a mistake to try and solve social problems with technological solutions.” Both of these maxims have been tried, tested, and validated again and again by people who tend to make the mistake of thinking that in order to control action, it is necessary to control communication.
I see various talking heads suggesting that the recent unrest is the fault of (pick your own particular target group). It appears from looking at who has gone through the courts that there is a wide spectrum of people, most of whom have some technological literacy.
Limiting access to “social media” is unlikely to prevent future riot occurrences, for the following reasons.
1. Blocking access by IP address, even if you could put every ISP under riot control, would not work. VPNs and tunnelling are consumerised products and are easy to use to evade bans (as seen in recent court rulings to block access to Newzbin).
2. Putting every ISP under riot control would be an interesting message regarding free speech, and would be liable to a) go wrong and b) create more unrest.
3. Turning off the UK’s internet access in its entirety could have unforeseen consequences. It is probable that critical national infrastructure would fail (for example, grocery/fuel logistics, electronic payment systems, and some telecommunications trunking over VoIP).
There is a real failure in intelligence to determine that these channels are being used to foment unrest. However, selective blocking is technically hard-to-impossible, and blanket blocking of all IP traffic in the UK is likely to increase panic rather than reduce it.
Making the frank admission that the policies of the last 30 years have been exposed as deeply flawed will require great intellectual honesty and moral courage. It’s a lot easier to create a technical bogeyman and declare that as the problem.
Still, at least no one is offering to “hug a hoodie” any more.
I know what you did this summer
Seriously? deathrun? Anyway, yes I have noticed you. Well done.
Best thing about active defense? Drops people onto the naughty step, saves the logging data, reports it to the SOC.
Correlation Alert (6 alerts): Multiple failed login against a single account Brute Force attack 184-22-244-202.static.hostnoc.net:tcp UserId name: deathrun UserId name: deathrun UserId name: deathrun UserId name: deathrun UserId name: deathrun UserId name: deathrun
13:24:00 (sent at 13:26:05) Correlation Alert (7 alerts): Multiple failed login Brute Force attack 184-22-244-202.static.hostnoc.net:tcp UserId name: tomcat UserId name: deathrun UserId name: deathrun UserId name: deathrun UserId name: deathrun UserId name: deathrun UserId name: deathrun
Broken Windows and Information Security
I first came across the broken window theory reading a novel. It basically says that there are two approaches to fighting urban crime. In the first, you set up a big program, trumpet that you are “tough on crime, tough on the causes of crime” and other big sayings. You commission studies, management consultants and engage social workers in outreach programs to reach the urban criminals “in their bedrooms”, and bang the hearts and minds drum until money runs out, or an election comes. Some legislators hate you, others love you. The press talk about you a lot.
In the second option, you fix the broken windows. You pick up the litter. Vandals are less likely to pick on well maintained buildings, crack dens don’t form, and the “good residents” stay in a neighbourhood.
I think we need a broken window theory for information security. I’ve seen a lot of incredibly ambitious information security programmes, touting “step changes for information security” with business analysts busy drawing use cases, project managers drawing up transformational change implementation phases (or whatever they do), and everyone getting very excited about the fact that they get to do some work which is a) indoors, b) well paid, and c) doesn’t involve much heavy lifting.
So what broken windows can we fix in information security? (Avoiding the obvious pun).
- Patch your systems. It’s really not cool when someone says “Hey, we can’t patch this stuff because we don’t know what will break” – this is a sign that your engineers have lost control of the systems they are managing. If you can’t patch it, you can’t change it. If you can’t change it, it’s not yours any more.
- Talk with your colleagues. It’s a rule of thumb that if people understand why they shouldn’t engage in a behaviour, they are less likely to resort to that behaviour in order to reach a goal. Humans are rationalising animals after all. If your colleagues (and you) understand why sending out confidential information without authorisation is a bad idea, then they are less susceptible to social engineering and data loss attacks such as the “lost laptop”. While there are a lot of fluffy governance folks who lack the technical credibility to back up their posture, a set of standards that simply explains why you care about the information entrusted to you, and what this means to your business, can do a lot of good.
- Default passwords. Using default passwords on any system is like leaving the keys to your house in the front door. Even if you think there’s nothing worth stealing, the chances of vandals coming in and causing grief are increased. (Of course, we could also talk about how we don’t really like the idea of passwords anyway, but that’s another day – let’s fix the windows first).
- Understand what’s going on in your network. Artfully simple, but being able to work out what applications are running on your infrastructure is important. Is there a reason why your backend database is getting repeated failed login attempts? (It isn’t? How do you know?) What does that connection to your router from somewhere out in the internet indicate? Is there a really good reason why you’ve left the web interface to your HVAC system open to everyone on the internet (“But who’d want to change it?”)
We’ve seen a storm of attacks over the last few weeks, hence my thoughts on “This is when the cyber war started”. How many of those could have been fixed with some simple, cost-effective controls in place?
More than we’d care to admit.
At some point, people will point to the last month and say
“This is when the cyberwar started”.
We are seeing an explosion of internet attacks on organisations of all sectors – tech, non-tech, commercial, non-profit or whatever.
If you are on the internet, you are being attacked. If you can’t prove that they are not successful, chances are they might be. Checking your logs and IDS will show you that probes are hitting your perimeter all the time. This is not news, and has been going on a while. The difference now is a) the frequency of the attacks and b) the persistence and quality of the attacker. To coin a phrase, this ain’t your Mom’s Nmap scan.
It appears that the MoD are waking up to this as well, and are busily recruiting.
“The law of armed conflict, we believe, does apply to cyber-space,” Foreign and Commonwealth Office cyber-policy director Tim Dowse told the EastWest Institute Cyber Security Summit in London on Wednesday.
You need to rethink. Quickly. There are a lot of consultants out there that will promise you that a good information security management system (ISMS) is all you need. Ask them the following polite questions:
- If an ISMS guarantees security, why is it that companies who have implemented one are getting breached?
- Just supposing that my central mail server is breached right now, how will the ISMS detect it? How will it help in
Governance is important, and ISO27000, if implemented properly across the enterprise, will assist you in finding the things you need to fix. But it’s not the whole picture.
And in other news, I can make a shrewd guess (from looking at our SIEM dashboard) what the next big company to get publicly pwned will be.
Business Intelligence : What’s going on inside your network?
SIEM (otherwise known as good old fashioned Log management) is the forgotten child of information security, and is applied business intelligence at its finest. Information Security is now a recognised business function, and business intelligence for this area is found in the logs generated by the systems and applications we govern.
Business intelligence is the hottest of hot topics. Sharp young things in great suits arrive and promise to transform that dark repository of old data into a dynamic tool that provides unique insight into customer behaviours, allowing a paradigm shift …
With that blizzard of buzzwords behind us, we can look at what this thing is, what it achieves, and how we get the best out of it.
The technique is simple: get hold of all of the event messages that matter in an organisation (and first, decide what “matter” actually means), then funnel those into a smart device which will correlate them against each other and provide you with an insight into what is happening in your network. Is that server rejecting its patches? Is the firewall seeing unusual probes? Strange traffic coming from a box that is due to be decommissioned (or a user about to leave the business)? Your trusty log management system will shout out for attention, you’ll confirm the issue, roll it into the break-fix schedule, and move on.
It should be easy, but there are several gotchas. First of all, the systems you care about don’t all generate logs in the same way. Although there are several de-facto standards like the venerable Unix syslog format (and its Windows cousin, the Event Log), you can’t guarantee that everything will work the same way. Indeed, even these formats have a wide range of possible permutations, meaning that your web server may not deliver the data in the format you’re expecting, leading to a situation where your supposedly lynx-eyed SIEM system will bat its eyelids as key data sails serenely past.
It’s for this reason (and ok yes, perhaps some bad engineering) that CIOs are disillusioned with this space. Many CIOs (and yes, CSOs too) look at any problem as essentially a procurement exercise – someone, somewhere will produce a box with blinking lights that will take the problem away. More savvy CxOs already know that even if you find a vendor product that works, you then have to find skilled resources to monitor the SIEM, tune it, integrate new applications into it, and then wonder why it quietly fails when you add those new systems to it!
The solution that we’ve come up with draws from our experience of seeing lots of these abandoned log systems at our clients. It provides a cost-effective way to perform that vital detection and customer awareness, and then links our expertise as required to the people who administer our clients’ systems on a day-to-day basis, providing rapid problem remediation.
And best of all, it works. KBO.
SCADA vulnerability alert
A story has come to light which I think is worth replaying. If you don’t see the value of a threat intelligence service and you are running a utility, then you are missing out. This one came to us via the quite excellent Dragon News Bytes. Remote execution of malicious code is as bad as it gets – previous exploits have focused on crashing programmable logic controllers (PLCs), so for example the controller which should start the pumps to drain fluid simply sits there as the floor becomes less than habitable! With this kind of exploit we could see additional control rules added to systems, leading to all sorts of undesirable behaviour.
A group collaborating with the US Computer Emergency Readiness Team is warning oil refineries, power plants, and other industrial facilities of a bug in a popular piece of software that could allow attackers to take control of their computer systems.
The vulnerability in the Genesis32 and BizViz products made by Massachusetts-based Iconics could allow attackers to remotely execute malicious code on machines that run these SCADA, or supervisory control and data acquisition, programs, the Industrial Control Systems CERT warned (PDF) on Wednesday. The programs are used to control equipment used in factories, water, wastewater and electric utilities, and oil and gas refineries.
The vulnerability stems from a stack-overflow bug found in an ActiveX control used by the SCADA programs and can be exploited to gain command-execution capability, researchers from Australasia-based Security-Assessment.com warned (PDF).
KBO.
New vulnerability scan service launched
So we’re pleased to announce that we’ve got our scanning towers launched. We’re able to offer you internet and (if you are an MSSP customer) LAN-based scans which will feed into your portal account.
We’re happy to provide one-off scans of your infrastructure or web applications, or, if you’re security minded, we’ll provide a monthly “all you can eat” subscription service, which means you can check after every update to your website that no security holes have inadvertently been introduced.
KBO.
Watching a breach in progress
Before I start, I have to tell you that I have deliberately obscured the names of this company to protect the sources. However, this is a live story, and absolutely true.
Let’s call the company Eckgle Ltd. Eckgle make their living in call centres and other low-level outsourcing type work, and for some of their customers they process card payments in person, over the phone, and through a portal. As a part of their work they get a very full profile of the card holder, including name, address, and everything else that is needed to verify (or fake) an identity.
Eckgle engaged a Qualified Security Assessor (QSA) some years ago, and this QSA did a fine job, and validated that the environment they have is compliant with PCI DSS. This makes Eckgle a PCI DSS compliant service provider, which they can proudly proclaim in their marketing, and they are also listed on VISA’s website.
Eckgle have a problem. They are in a competitive market with low margins, and their managers (under a great deal of pressure themselves) are playing fast and loose with security and information management procedures. Staff are continually going sick with stress, and others are leaving. Another stress factor is that Eckgle have recently removed their internal HR team, offshoring the basic clerical work, which has left staff grievances largely ignored.
One of the challenges staff are facing is being ordered to share passwords with each other and management on systems that process card payments – this is a big no-no, and I doubt that the QSA was aware of this when he validated their compliance. Now cash is going missing (which Eckgle are reluctant to disclose to their outsourced clients) and it seems probable that card data is going missing as well, together with the full set of identity data, which is quite valuable on the black market.
All these factors, coupled with a couple of managers who use the “the beating will stop when morale improves” approach to leadership, have created what can truly be called “Insider Threats”. I’ve previously called Insider Threats a class of “Advanced Persistent Threat” – I still believe this to be true, as insiders can cause more damage when they go rogue than any external attacker. When morale is low, and security is deliberately lax, it’s only a matter of time before the results are very publicly reaped.
When the external fraud investigators come a-knocking, admitting that you share passwords between staff will get you that exasperated look. Worse than that, your chances of finding out who was responsible for that breach will be slim to none, and the guilty party (if challenged) will have an excellent defence that it wasn’t them. If you’re the QSA company that gave them the positive assessment, you may well find some unwelcome attention from the PCI Security Standards Council, and quite rightly so. (They don’t call it a “critical violation” for nothing).
And why did I call them Eckgle? Well, that’s the noise I made in the back of my throat when I heard about this, and I expect that you just did too.
It’s not your phone, it’s the wifi (and you)
I see that the Guardian have managed to re-publicise a well known flaw in WiFi. SSIDs (the name of the network you’re connecting to) are just a string of characters. Couple this with a WiFi device’s propensity to reconnect to “known” SSIDs and you have the Evil Twin attack. If I want to get you, I’ll set up a fake (or real) wifi hotspot called “BT FON”, “BT OpenZone”, “Tmobile”, or if I’m really targeting, I will research your corporate environment and use that. (Mind you, if you find a WiFi network for “CORPNAME” at your local railway station and connect to it, you really do need to start staying awake in all those security awareness sessions).
There’s a technical element to this, in that it would be nice if WiFi identifiers were more robust than just a tag. But I’m quite glad that none of the esteemed pundits in that article called for mandatory registration of SSIDs (and if you don’t think that there’s an army of people hungry for more bureaucracy, then you don’t know Government).
However, there will never be enough red tape to effectively protect against lack of awareness and lack of caution. Consider a possible real-world analogy: if you saw a sign saying “Free Cash here”, would you stick your credit card in it?
Bad Example. And shame on you for thinking “Yea!”
The truth is we are drawn to the idea of “free” – free banking, free internet, free coffee. Getting something for nothing always has a price tag attached. And if you have responsibility for sensitive information, that could well be the price you pay for free surfing in Paddington.