Tag Archives: Alureon

DNS Threats and Security Solutions

DNS security is of great importance to the internet as a whole. DNS, or Domain Name System, is a naming standard in which names are resolved to IP addresses. When you surf the internet your ISP’s name servers are queried and the appropriate IP address is found, you’re then forwarded to the correct location of your choice.

IPv4 and IPv6 protocols may make IP addresses appear different, but DNS is used regardless of the IP protocol used. While DNS is more of a phone book or database than the method used for communicating data (the IP protocols themselves), attackers can use DNS changing techniques to their benefit. (Actually there are a lot more differences than appearances when dealing with the new IPv6, but that’s beyond the scope of this article.)

Threats from DNS exploitation include the DNS Changer/Alureon virus and social engineering/harvester attacks used in phishing. Have you ever spent any time in Backtrack Linux? You can easily create faked login pages for use during certain types of man-in-the-middle (MITM) attacks. Such pages can be concealed to appear real but, in actuality, forward your valuable information to an attacker. Some, like the aforementioned harvester attack, will forward you to the correct page afterwards… you’ll never know you were taken advantage of!

Note: Backtrack is a legitimate security auditing Linux distribution. Don’t use it against others (after all, this blog is for folks really interested in security not as a “hacking guide”).

Credential Harvester

One of the most effective attacks is the replication of a false login page. As seen by using the Metasploit Framework. Absolutely any type of false login can be created using the Social Engineering Toolkit (SET). When combined with a successful MITM attack or by including such a payload in malware, an attacker can gain sensitive information about you.

Alternative name server solutions sometimes offer greater security over your standard ISP’s DNS servers. Such tools can often be used to detect false sites as they resolve.

Further Reading on SET’s Credential Harvester

Metasploit Unleashed – Credential Harvester Attack:
http://www.offensive-security.com/metasploit-unleashed/SET_Credential_Harvester_Attack

Note: If you’re interested in seriously studying computer security you owe it to yourself to check out the Metasploit Framework.

History Repeating: The DNSChanger Scare

Almost everyone remembers the scare we had recently with the DNS Changer incident. Uncured computers infected with DNSChanger/Alureon that faced a big problem: with the arrest of botnet masters across the globe, the FBI feared that maliciously redirected DNS entries would – instead of resolving to unintended sites for phishing and advertising – instead, simply fail.

The DNS Changer Working Group (DCWG) has a nifty website that checks for whether or not your DNS resolution was hijacked. The incident turned out to be a major disaster for the FBI and few others. Internet

Service Providers compensated for this and allowed their own name servers to re-redirect the faulty computers. In the news the FBI seemed to blame everyone but themselves. In actuality they overestimated the risk. They even failed to notify people that DNSChanger was actually the very old and well known Alureon to begin with.

Also, the DCWG website would have apparently given nearly everyone in the United States a false sense of security. With ISPs compensating for DNSChanger months in advance (in some cases nearly since Alureon has been around), the page would have infected machines to be uninfected simply by virtue of your ISP correcting the problem (the number one complaint made by the FBI against ISPs).

Guess the internet didn’t shut off! Okay, disperse people. We can all go back to work safely.

Yet on an individual level DNS changing malware is still a very real security problem and, if launched successfully, can mean you handing over sensitive information to the attacker.

As I’m writing this I’ve noticed the DCWG page is back online. While the “global meltdown” is no longer a real threat, the page still can be used to attempt to detect DNSChanger on individual computers. Note that I’m not saying it isn’t a real concern, it is a concern merely not a global threat as the FBI suggested. Prior to the DCWG page going back online, a notice was post explaining how ISPs compensated for DNSChanger and therefore would have rendered their site useless against actually detecting DNSChanger.

So a joke? No. OpenDNS.com reported in blog posts that over hundreds of thousands were infected but simply didn’t know it. While there wasn’t a global meltdown of epic proportions, users should still take note that the threat is real and do everything they can to ensure their own safety. Use DCWG but simply keep in mind  that many ISPs have independently addressed this issue: if you are still infected you should get it cleaned up. Also be sure to run regularly updated malware protection.

DNS Changer Detection (DCWG): http://www.dcwg.org/detect/
Malware Bytes: http://www.malwarebytes.org/

Further Reading on DNSChanger

Blog Post on DNSChanger on Geek Street:
http://mountainloopexpress.com/index.php?fn_mode=fullnews&fn_id=694

Tech Republic Post by Alfonso Barreiro Prior to Incident:
http://www.techrepublic.com/blog/security/preparing-for-the-dnschanger-internet-outage/7863?tag=nl.e036

DNA India on DNS Changer Prior to Incident:
http://www.dnaindia.com/pune/report_dns-syndrome-not-a-major-threat-experts_1712350

Peckham, Matt. “DNSChanger: No, the Internet Isn’t Shutting Down on Monday.” Time Magazine. July 6, 2012. Note: Prior to incident, warnings that a global meltdown scenario is not accurate but threat is still real.

Chabrow, Eric. “Malware Monday: Much Ado About Nothing.” Bank Info Sec. July 5, 2012.

DNS Cache Poisoning/Spoofing Attacks

The types of attacks above are DNS Cache Poisoning attacks and rely on an attacker changing your DNS table to facilitate faulty look-ups (ones that can appear real but be used to steal your information).

More info on DNS poisoning generally can be found on these sites:
http://searchsecurity.techtarget.com/definition/cache-poisoning
http://cr.yp.to/djbdns/notes.html#poison

Alternative DNS Solutions

There are quite a number of different ways to protect against phishing online from nifty router firewall software that monitors the sites you visit to anti-virus software. In the end, used intelligently, a combination of all these methods can be utilized to safeguard your presence online. One small solution (the focus of this article) is to use an alternative name server with security tools built-in to protect you from visiting faulty or purposely misleading websites.

OpenDNS is a terrific solution which provides fast and stable name servers with anti-phishing protection. Combined with DNSCrypt, your DNS look-ups will also be encrypted so that if you have a virus, it’ll be more difficult to change your DNS look-up behavior. Plus OpenDNS enables the use of parental controls for parents to block access to certain types of sites. There’s a paid version and an ad-supported free version which, upon entering an unresolvable IP, you’ll get an error page, like normal, but with an ad.

This solution does not replace the need for a VPN, does not offer the extendability and protection of a good proxy, does not anonymize you in any way, shape, or form, and does not encrypt data passing through your network (for a free solution that encompasses all of those forms of protection, please look into running an OpenVPN+Squid Virtual Private Network as I describe as being effective in this article). This solution is for those wishing to either secure their DNS querying, protecting their system from the above risks and/or accessing sites their ISP would otherwise prohibit them from seeing (such as regional restrictions).

For more information on OpenDNS with DNSCrypt, see ghacks.net’s article entitled, “OpenDNS DNSCrypt, Increase Security By Encrypting DNS Traffic.”

DNSCrypt relies on elliptic-curve cryptography, Curve25519, as outlined here: http://dnscurve.org/crypto.html — keep in mind that the DNS server must actually use DNSCurve in order for you to gain its benefits. If in doubt, call your ISP to see if you can make use of it by itself or use DNSCrypt with the the OpenDNS Service. To setup DNSCurve without relying on OpenDNS, click here for instructions.

DNSSEC Protection: Why It Isn’t Enough

DNS Security Extensions is a way of authenticating DNS entries and ensuring that the response from a queryed server is coming from the intended server. In and of itself it offers no crypto-level protection but it does add a small layer of protection. When considering DNS service providers you should choose ones that use DNSSEC in combination with an encryption tool depending on your needs.

DNS Server Logging and Record Keeping
(Should You Use an Alternative DNS Server?)

Theoretically OpenDNS can compile a list of every site you access (name and IP address). But they do not have access to your data. Once a name server resolves a name to an IP address, a link is created and the DNS server’s role is at an end (simplistically speaking). That means that your ISP actually has even more information about you than any sole DNS server could ever have.

Not only does your ISP have access to the sites you visit through their name server logs, they could potentially see your web traffic so long as it’s unencrypted (not using SSL) since it is running through their network.

It all comes down to personal choice and who you’re willing to trust more (or more completely). Your ISP or your ISP and a third party DNS service. Everyone’s goals and desires are different, the purpose of this post is to inform you of the technology, the threat and possible solutions.

Keep in mind that despite your best efforts to be safe online, your unencrypted information is out there. Plenty of third party sites know what you do. Even by using proxy chains (and I’ve used some pretty extensive proxy chains), most of your activities can eventually be tracked back to you. Generally speaking, your ISP will always have extensive records chronicling your internet adventures.

In an insecure world, what measures do you think are acceptable and worth going through in order to safeguard your privacy?

As a great American Hero once said, “Only You Can Prevent Forest Fires.”

Related post: “Public Wi-fi? Be Mindful of Session Hijacking.”

Recap Notes on Infosec VC 2012

Recap: the Pros & Cons

Back in June we had an awesome segment of Infosec VC 2012 entitled, “Hacktivism: What, Why, and How to Protect Against It,” lead by Gregory Nowak, Head Researcher at ISF (Information Security Forum) and ISACA Security Advisory Group and Peter Wood , CEO of First Base Technology and also of ISACA. So I thought I’d attend the bulk of the Infosec VC 2012 conferences now in August. What follows is my notes on some of the presentations for those that are interested…

The Disconnect Between Managers and Technicians

Product managers and corporate executives all seem to view security in a macro sense and often don’t fully grasp or care about the minute details of data security, such was illustrated at the 2012 Infosecurity Virtual Conference. These big shot corporate types and project managers are great for selling security solutions developed by a company’s IT department to the company’s administrators. But their lack of “street level” knowledge leave a lot to be desired.

Take the keynote presentation, Data Security and Compliance in an Evolving Data Center, by Derek Tumulak (VP of Vormetric). He was extremely intelligent and understood a lot of core concepts. A few positives of his presentation included: overview of virtualization and how it’s used in data centers (globally speaking), cloud computing and associated models, the importance of mobile security and how one breach could potentially mean disaster for an insecure organization, encryption management (how and when to use encryption as a last resort) and so on.

But Mr. Tumulak failed to identify actual instances of said compromises or how an organization should safeguard their systems on a technical level.

Instead he said, hackers, by and large, have been “[s]tealing information to sell it on the black market,” which isn’t necessarily true. Corporate espionage is big but it isn’t everything. Given the rise of Hacktivism I believe a strong number of attacks are conducted by those with specific ideological views they wish to convey (Anonymous attacks against Sony to protest the prosecution of a PS3 modder and other similar attacks). Also many wish to highlight security flaws to that company and, some, see what they can get by exploiting such systems (sheer curiosity).

While I can’t claim to know every technology out there, I understand this to be a very large weakness in the corporate environment: the disconnect between the inner workings of data security and the project managers that organize teams to implement the solution. Is the solution to make all corporate executives network technicians? Obviously not but a middle ground must be met in order to appropriately data. Big pictures are wonderful but if you aren’t going to get your hands dirty or at least explain past instances of exploitation and what steps can be made to protect against such problems, you’re just ranting. Good for sales, bad for business.

Unlike conventions such as HOPE, Defcon and Black Hat Briefings (which does have a fair amount of “big picture” talks, as corporations only seem to understand that method), a lot of corporate events are presented in this kind of “dry” way at other sessions. The Infosecurity Magazine US Summer Virtual Conference 2012 was full of this. Some, but not all, of the presentations were like this.

You’d think a lot of these executives were more interested in PowerPoint or Keynote than coding.

“Providing Smart Security for Smart Devices,” by Mike Sapien and Marc Vael) was very dry and the solutions discussed were obvious ones. Anyone with smartphone knowledge would have been eons ahead of these guys. The Program Director of ISACA was a little more informative here as far as how corporate employees need to safeguard their mobile data.

Unfortunately almost 99% of the conference was targeted at CTOs, VPs, and other corporate audiences. A number of presenters stated that things that were “highly technical ” wouldn’t be useful; most people gloss over it. As such the tone of the conference was “business minded” and technology was discussed in general terms. As such it didn’t really serve to impress the tech savvy.

I really liked Theresa Payton’s address. As the Fmr. Whitehouse CIO and head of her own security company she has a warning to companies: focus on the new emerging digital landscape. She spoke about the important role social media plays in computing today.

Companies today must adopt social media, in her opinion, but they must also adopt a strong sense of security if they want to address its inherent security concerns.

So in conclusion of the cons, it wasn’t a conference detailing the finer points of information security such as firewall and network group policies, AD flaws and loopholes, social engineering techniques, encryption standards in depth, code exploits & tightening, wireless security (ARP table monitoring for MITM protection), and a myriad of other technical details. It was mostly by corporate-types for corporate-types.

A forum friend of mine actually did tell me “it’s like this. We just go to these things to get our credits for our CISSP,” after I said I wasn’t really interested in the bulk of the conferences. So I guess I’m over-analyzing the conference.

Onto the pros…

Best Presentation: “How to Protect Your Organization from a DDoS Attack”

Panelists

Michael Singer, VP of Security for AT&T
Prof. David Stupples, CCySS, University of London

At Glance

Prof. David Stupples of the Centre for Cyber Security Sciences (CCySS), City University of London was one of the greatest speakers for me. He discusses malware, DDoS attacks in-depth using past examples of such attacks are conducted. Botnets that harvest data and move through proxy servers to mask the identities of attackers are of significant concern to CCySS.

The professor explained how Botnets work and how they are analyzed before being sent to anti-virus/malware companies for safeguarding their client’s systems. He explained how analysis is conducted using mathematics when analyzing botnets in CCySS-made honeypots and how CCySS has a track record of doing just that.

Prof. David Stupples also discussed the limits of Botnets and possible preventative methods such as:

* Providing security/OS upgrades can mitigate against such malicious code exploitation.
* Vendors using honeypots to analyze known botnets/malware can help.
* IP/DNS filtering is effective to some degree against Botnets (and the Botnets ability to connect “home” to its masters).  Note that I attribute this to the way Alureon/DNSChanger was thwarted by ISPs despite the FBI’s warnings to the general public. ISPs were able to compensate for this at their level and ensure DNS didn’t resolve where they weren’t supposed to.
* Malware companies examing Botnet/malicious code fingerprints for quick identification
* Reverse engineering search engine spiders to identify threats immediately

That panel included other security professionals and their insights into the matter of software attacks, viruses, malware and DDoS attacks. They stress the importance of different countries working together to analyze, spot and thwart such attacks. Prof. David Stupples said that such international efforts have helped catch a number of attackers in the UK. He stressed the need for more international law enforcement support.

Michael Singer, Executive Director of Security for AT&T, was also among my top favorite speakers. He discussed how the safeguarding of the internet is essential but not at the expense of individual freedoms, which many people enjoy. He stressed the importance of the need for a global security organization, like Prof. Stupples, but also warns that such an organization must make sure not to curb individual freedoms.

Interestingly Mr. Singer also discussed mobile security and how Android, in particular, can be used for for such exploitation as it’s an amazing platform with the power of a small computer.

To see the presentation, click here to register and go to the conference page.

Glitches

Poor Audio – There are a lot of problems with audio. The audio was pretty bad. But all of these conferences generally have low quality audio.

Slide/video track bar – When watching older/archived sessions, moving this bar to skip or go back usually requires a refresh of the entire presentation page. Which generally stinks.