During the presentation I mentioned in some depth how to perform fuzz testing, and what parts of an application should be fuzz testing targets. I also introduced an idea (that's not new) to help people who have never performed fuzz testing begin fuzz testing with very little cost and friction. The idea is to add a small layer of code to an application to automatically mutate untrusted data as it comes into an application; I called that code layer "a layer of hurt."

Before I continue, I want to point out that fuzzing is an SDL requirement, but the idea in this blog post is not an SDL requirement, it's just another way to help meet SDL fuzzing requirements.

Adding a layer of hurt, as shown in the picture below, is pretty simple as it involves adding code to an application to tweak data as it comes into an application. You can work out where to place the fuzzing code by looking at your threat models to see where data crosses trust boundaries. You could also simply grep the code looking for APIs that read data, for example:

• Read from files: fread, ReadFile
• Reading from sockets: recv, recvfrom
• For .NET code, any stream.Read

You get the picture.

The fuzzing code should appear right after the API that reads that data.

For example, C or C++ code that reads from a UDP socket and then fuzzes the data before it's consumed by the rest of the application might look like this:

Or, in C#, code that reads from an untrusted file:

In both code examples, Fuzz() mutates the incoming data. In the C++ case, the fuzzing code looks like this:

The sample C# and C++ fuzzing code is available as a ZIP file at the end of this post.

This code is an example of dumb-fuzzing, which is fuzzing with little or no regard for the data structure being manipulated. If you've never performed any kind of fuzz testing in the past, then you will probably find bugs with this simple fuzzing technique. Once you have weeded out the low-hanging bugs, you may need to turn your attention to smarter fuzzers. For example, in theory, this code would find few if any bugs in a PNG parser, because PNG files have a built in check-sum, so if you fuzz a PNG file, you'd have to recalculate the checksum to get decent code coverage.

When I showed this code during my presentation, I urged people to add it to their applications today if they currently don't do fuzz testing, and simply run their applications through their normal testing processes. Within three days of my presentation I received emails from people saying they had found bugs. I have no doubt others did too.

One of the comments I made during the session was,"If you can't spend the time on great fuzzing, fuzz anyway" and adding a "layer of hurt" is a reasonable start.

Please feel free to sound off if you have ideas to help improve the code and let us know what you think, either through email or comments to this post.

The good news is that due to the nature of this problem, it is extremely difficult to determine the vulnerability merely by analyzing the patches; a common technique malicious individuals use to figure out security weaknesses.

The typical response I heard was “what do you mean, it can’t be reverse engineered? I’ll just look at the diffs!”

In hindsight, after examining the BIND diffs (yes, I did it too) and discussing with colleagues, all most people saw was UDP source port randomization and a better PRNG for generating the transaction ID, the latter of which would appear to be related to Amit Klein’s cache poisoning attack from about a year ago.

What Rich was really saying is that you can reverse engineer the patch until you’re blue in the face, but that won’t reveal the specifics of the vulnerability.

Dan’s blog post this morning appeared to confirm that interpretation:

DJB was right. All those years ago, Dan J. Bernstein was right: Source Port Randomization should be standard on every name server in production use.

There is a fantastic quote that guides a lot of the work I do: Luck is the residue of design. Dan Bernstein is a notably lucky programmer, and that’s no accident. The professor lives and breathes systems engineering in a way that my hackish code aspires to one day experience. DJB got “lucky” here — he ended up defending himself against an attack he almost certainly never encountered.

Such is the mark of excellent design. Excellent design protects you against things you don’t have any information about. And so we are deploying this excellent design to provide no information.

To translate the fix strategy into a more familiar domain, imagine large chunks of Windows RPC went from Anonymous to Authenticated User only, or even all the way to Admin Only. Or wait, just remember Windows XPSP2 :) This is a sledgehammer, by design. It cuts off attack surface, without necessarily saying why. Astonishingly subtle bugs can be easily hidden, or even rendered irrelevant, by a suitably blunt fix.

Nate McFeters appears to think that Tom Ptacek has figured it out. I’m going to go out on a limb and say that Tom didn’t figure anything out yet but still wanted to write a pithy blog post. I think that if Tom had figured it out, he would have written it down privately and posted the SHA-1 hash, as is the trendy thing to do these days.

Speculation aside, the title of Tom’s blog entry, Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!, does make an important point — Dan didn’t sell the details to ZDI, he used his influence and reputation to coordinate a massive vendor patch effort. That’s an admirable move.

At TechEd this year, I gave a presentation called "21st century networking: time to throw away your medieval gateways." (Actually, I've given this same talk before, at events in Amsterdam, Brussels, Oslo, and numerous on-campus customer meetings. It's time to bring the knowledge to the masses.)

I described an idea of using IPv6, IPsec, NAP, and group policy to build a pretty slick replacement for clunky VPN gateways. Turns out we've been piloting this very idea on our internal corpnet. Like a good little bunny I got myself enrolled in the thing and -- pardon the unattractive gushing -- this thing rawks! Here's a brief rundown of the parts you'd configure on managed clients:

• Windows Vista Business (with Software Assurance), Enterprise, or Ultimate editions
• That are domain-joined
• Users run as non-admin
• Group policy applies numerous settings
• UAC is enabled
• BitLocker is configured to protect confidential information stored offline
• The Windows Firewall is enabled
• NAP is used for checking health
• Forefront Client Security for keeping malware off the box
• Smart cards for strong authentication of users
• IPsec is required for connection authentication and traffic encryption
• IPv6 is required for worldwide Internet connectivity
• A DNS suffix search list represents the data center name space
• Static IPv6 DNS servers provide name resolution for hosts in the data center

What does this give you? True anywhere access, anywhere in the world, directly to corpnet resources from managed and secure client PCs. The Internet has replaced private WAN links for good reason: enormous cost benefits. The only thing holding us back from fully utilizing this development has been a lack of way to enforce and monitor the security of clients not physically located within the corpnet. Well, those days are over. Now you can build PCs that are trusted just as if they were on the corpnet, without knowing or caring anything about the underlying network connections. And let me tell you, it's as addictive as a few other substances I could mention, but will refrain, since this is (I hope) a family blog :)

Maybe you've heard of the notion of "deperimeterization." Taken to its extreme, I think it's a bit silly. To put a SQL Server directly on the Internet is just plain stupid -- not because I don't think I could keep it protected, but simply because that's unnecessary risk. Only my web server -- and no one else -- should be talking to my SQL Server. But that web server will be in the same subnet as the SQL Server, and IPsec policies used also here will govern who can connect to the SQL Server. Warning to any and all network DMZs: your days are numbered!

Shrink your perimeter to that which really matters -- your data center. All your clients live (as we would say in the olden days) "on the outside of the firewall." Now then, there are two kinds of clients. Managed clients, as I described above, establish IPsec-authenticated/encrypted, group-policy-configured, NAP-enforced IPv6 connections directly to corpnet resources without going through any kind of access gateway. The router connecting you to your ISP is fully sufficient for blocking denial of service attempts. Be sure to follow my advice in "Configure your router to block DOS attempts," and then add two more rules to permit incoming port udp/500 and IP protocol 50 over IPv6. That's it. No NATing or other unnatural network acts are required (finally, you can stop lying to your significant other about why you squirrel yourself away in the computer room all those weekend nights).

Unmanaged clients will continue to use IPv4 to access published Web and Win32 applications through a gateway like IAG. Since you can't trust these clients nor can you trust the data they're throwing at you, you have to inspect and validate at the perimeter. You can take advantage of IAG's application-modifying capabilities to "wrap" security around poorly-written web apps; you can even download an ActiveX control to unmanaged clients to perform some basic health checking, policy enforcement, and cache clearing. None of these eliminates the final requirement to continue inspecting and removing malware from servers where users store data: Exchange, SharePoint, Office Communications Server, and file servers.

Machines are mobile, data is mobile. The mainframes and large desktop PCs of the past posses an effective security attribute: the heaviness of the machines. You couldn't easily saunter out the front door with a PC-AT in your pocket! These days, we all line our pockets with tiny little mobile phones stuffed with 16GB of storage. It's now a fact: data moves. And like water, data moves wherever it can, as rapidly as it can, often beyond your control if you don't prepare for that. With properly-configured and managed clients we can enjoy a single access and authentication experience no matter where the computer is physically located. For example: I can sit in my house and enter '"http://internal-web-site-name" in my browser. The DNS suffix search list adds the appropriate suffix, my browser's resolver performs an IPv6 name lookup, and my computer makes an authenticated and encrypted connection, after it meets the NAP policy, directly to that internal server. Very nice. As far as I'm concerned, there's no difference between the Internet and my corpnet. It's all just there.

For a while now many of you know I've been speaking and writing, mostly at the conceptual level, about the day when such a way of remote computing will arise. Well, my friends, that day is now. You can indeed build it now, with the products you have. I won't admit it's all peaches and cream: there's a fair number of moving parts here, it's true. But most of these moving parts are parts you're already familiar with: I'm simply encouraging you to move them in a specific way. You'll need to do some custom scripting for client-side connection diagnostics, but that's about it.

My next step is to create a more detailed guide, which I plan to publish through TechNet Magazine. I'm targeting (but not promising) the October issue. The article will include greater details about configuring your infrastructure to support the managed clients I describe.

I've lost track of the swelling number of individual conference attendees and the plethora of email writers who've expressed a desire to build this in their own environments. The one common thread from everyone is "I want to do it now!" Folks, it's really pretty exciting for me to see so many of you ready to cross the chasm from the perdition of paleo-networking (layer upon endless, complex layer of DMZs) into the paradise of flat, simple, cheap, and secure access to information. If you haven't yet, please take the time to read through some of our information (especially Scott Charney's paper) on end-to-end trust. Friends, the idea I describe above is the plumbing for realizing the end-to-end trust vision.

Enjoy.]]> Mon, 19 May 2008 02:36:31 +0000 nemesis nemesis-ip nemesis-rip nemesis-igmp nemesis-icmp nemesis-arp nemesis-tcp ettercap plugins ettercap BackTrack Beta 3 Man Pages http://securityratty.com/article/40186d92f5cac8291c8e4722ba6916a4 http://securityratty.com/article/40186d92f5cac8291c8e4722ba6916a4 aircrack-ng, airdecap-ng, airdriver-ng, aireplay-ng, airmon-ng, airodump-ng, airolib-ng, airpwn, airsev-ng, airsnort, airtun-ng, amap, ascii-xfr, atftp, bison, bsqldb, buddy-ng, cabextract, catdoc, catppt, datacopy, dcfldd, decrypt, defncopy, dhcpdump, dmitry, dos2unix, dupemap, easside-ng, etherape, flex, foremost, freebcp, gencases, getattach.pl, hexedit, httpcapture, ike-scan, ivstools, kstats, mac2unix, macchanger, magicrescue, magicsort, makeivs-ng, mboxgrep, minicom, nemesis-arp, nemesis-dns, nemesis-ethernet, nemesis-icmp, nemesis-igmp, nemesis-ip, nemesis-ospf, nemesis-rip, nemesis-tcp, nemesis-udp, nemesis, netcat, nmap, nmapfe, obexftp, obexftpd, p0f, packetforge-ng, psk-crack, rain, runscript, scrollkeeper-config, scrollkeeper-gen-seriesid, sipsak, socat, tcptraceroute, truecrypt, tsql, unicornscan, vomit, wesside-ng, wordview, xls2csv, xminicom, xnmap, gdbm, etter.conf, scrollkeeper.conf, sudoers, scrollkeeper,  80211debug, 80211stats, arpspoof, atftpd, athchans, athctrl, athdebug, athkey, athstats, ath_info, dnsspoof, dnstracer, dsniff, ettercap, ettercap_curses, ettercap_plugins, etterfilter, etterlog, filesnarf, fping, fragroute, fragtest, hping2, hping3, in.tftpd, macof, mailsnarf, msgsnarf, netdiscover, packit, scrollkeeper-preinstall, scrollkeeper-rebuilddb, scrollkeeper-update, sing, sshmitm, sshow, sudo, sudoedit, tcpick, tcpick_italian, tcpkill, tcpnice, tinyproxy, urlsnarf, visudo, webmitm, webspy, wlanconfig

Enjoy.

Enjoy.]]> Mon, 19 May 2008 02:36:31 +0000 nemesis nemesis-ip nemesis-rip nemesis-igmp nemesis-icmp nemesis-arp nemesis-tcp ettercap plugins ettercap BackTrack Beta 3 Man Pages http://securityratty.com/article/8b711d3fa65f74b0a58a1038401d1787 http://securityratty.com/article/8b711d3fa65f74b0a58a1038401d1787 Directory climbing it all of its simplicity, and OSINT quality, just like it's happened before.

The process of developing malware bots that would either succeed based on the diversification of the spreading and infection vectors used, or end up as a backdoor-ed commodity for experienced botnet masters to sent to novice ones, is entirely up to the coder, or perhaps module copy and paster. Some are going as far as implementing quality assurance approaches to ensure their malware has the lowest possible detection rate, before spreading it, on the anti malware and firewall level, while others are benchmarking and setting strategic objectives to achieve before starting the process itself.

However, there are also wannabe botnet masters whose lack of understanding of the different between project management and "to-do list organization", and of course, setting their directory permissions right, leads us to a a first-hand malware bot's to-do list courtesy of the coder itself. Here's the to-do list itself, with all the static and variable features :

Spreading the malware
- NetAPI spreading
- VNC spreading
- MSN spreading
- ICQ spreading
- Email spreading
- Seeding via torrent (warez)
- Downloading (ftp & http)

DDoS features
- general ddos attacks (udp&tcp)
- tsunami ddos (push +ack flood)

Scanning features
- latest vulnerabilities scan
- exploits scann for homepages (php/perl/cgi scripts (not a priority)

Sniffers and interceptors
- bank sniffer & readers
- paypal
- boa
- egold
- nationwide
- usw.
- game reader
- steam

Misc features
- encrypted config
- better clonning function (with timer based join (no massjoin)) + fixed channel messages
- noise at network sniffer (e.g.: honeypot (tool either shutdown and/or blocked))
- invisible to task manager
- more configuration settings
- melt exe on startup (true/false)
- startup (error) message editable (e.g.: (you need windows vista to run this programm) or (successfully installed))
- undetected source code

And while this wannabe botnet master is trying to achieve self-sufficiency, thereby slowing down the development process, others are not so close minded and are actively building communities around their malware botnets by releasing the source code for free, enjoying the innovation added by third party coders wanting to contribute to the community, where the bottom line is the inevitable localization of the bot to other languages once enough features have been developed to distinguish it among the rest of the commodity malware bots.

From a wannabe botnet master's perspective, the more propagation vectors added, the higher the probability for infection, however, the probability for infection is also proportional with the probability for detection on behalf of researcher's and vendors honeyfarms. And therefore, would less noise would mean slow infection rate, but higher lifecycle due to the less noise generated? The Stormy Wormy people for instance entirely relied on perhaps the most noise generation method - email distribution with malware hosted on IPs, however, their persistence and strategy to put more efforts into ensuring that no matter samples get obtained in the first couple of minutes a campaign is launched, the botnet itself should be harder to shut down.

Q1: For those companies that have successfully implemented enterprise-wide logging, what were the big nasty surprises that they encountered?

A1: Here are a few:

• political boundaries within the organization: "these are our logs, and you are not getting them"
• privacy laws: some logs cannot be collected in some countries; some cannot cross the border, some cannot be seen by some people, etc. This is true mostly in EU, less in US.
• legal blocks: work with legal before deploying any org-wide log management; legal might try to prevent certain data from ever being created (for fear of being legally discovered later)
• log volume: underestimating log volume is common and pretty nasty
• related to the last one: vendors being "optimistic" about their tool scalability
• time synchronization (of course!), specifically, lack thereof.

Q2: For those companies that have successfully implemented enterprise-wide logging, what was their implementation approach?

A2: Typically, 2-3 vendor PoC or pilot first. Then with the chosen vendor: phased approach based on location + type of log source (e.g. firewalls, then routers, then OS, then proxies, etc) + network topology (e.g. DMZ, then internal) + log source criticality (e.g. critical servers first; the rest next). This might be handy to look at.

Q3: What kind of storage requirements have been experienced by those organizations who have successfully implemented enterprise-wide logging?

A3: Massive? :-)

Here is a simple example: PCI DSS is a bit more aggressive than NERC since it mandates 1 year of log retention vs NERC 90 days, so: 1 year worth of logs is = 365 days x 24 hours x 3600 seconds x 1 (one!!!) busy firewall with 100 log messages each second x 200 bytes per message average (e.g. valid for PIX and ASA devices) = 588 gigabytes / year of raw log data uncompressed (assuming 10x compression you'd get about 60GB of compressed log data per year)

Store it in RDBMS? Multiple it by 2-3. Have an index? Add about 30%.

The bottom line is: terabyte is the unit to measure logs.

Q4: At the organizations that have successfully implemented enterprise-wide logging, how logging impacted network and system performance?

A4: Too broad a question, so here are a few pointers:

• logging affects performance much more on some types of systems compared to other types: most painful examples are databases where some people (can't find a link...sorry) report performance loss of up to 40% if logging all SELECT statements and other data retrieval commands (you need to log selectively on these); in other cases (e.g. web servers) there is no performance loss and logging is "always on"
• log collection: agents impact system performance (long post on this subjects): a little when they run (everybody knows this) and A LOT when they crash (few people think about it - agent software memory leaks are not uncommon); unlike agents, remote agentless log collection barely affects system performance (unless you have one of the few esoteric cases)
• log transfer and network performance: look for compressed (logs compress really well), TCP-based transfers; syslogging over UDP uncompressed has a chance of doing a pipe saturation DoS on your network. Yes, people say "use a dedicated LAN," but this is definitely wishful thinking for many. Also, raw UDP syslog in large quantities over WAN = insanity :-)

Q5: What were some successful strategies for obtaining buy-in from system owners and operators in regards to turning logging on?

A5: OK, also too broad a question, but here are some pointers:

• provide them a useful service based on their logs (e.g. performance measurement, availability monitoring, compromise detection :-), or other security metrics, etc)
• help them with their compliance mandates (e.g. create reports that they can show to the auditors that "bug" them)
• give them tools to better solve their problems (e.g. allow access to a log management tool so that can investigate issues better, search the logs, check on their users, etc)

Q6: How the organizations that have successfully implemented enterprise-wide logging dealt with unusual devices (=log sources) that have no log management vendor support?

A6: They were in massive pain - if they choose a log management vendor wrong. You need to look for vendors that have "universal log source support" with NO requirement for a custom rules or custom collector/connector/agent development. Some vendors have generic text log collectors that can grab and analyze unknown logs. Typically this is done via some form of text indexing that works across all logs, including those from unknown, vertical, esoteric or custom-developed log sources

Hope it was useful!

Montego Networks has been flying under radar for the past year and this week increased its elevation just enough to be seen on the virtualization industries radar detector. Montego Network’s announcement of securing virtual network communications between VM’s has everyone buzzing but what has caught most people’s attention is Montego Network’s technology that enables 3^rd party security vendors to do the same thing (VM to VM). Now, I’m the CTO of Montego Networks, so my comments here are a bit biased but also first hand. So, when I tell you that it’s been a great announcement, I truelly feel it has. Everyone I have spoken with in the analyst and press community thus far has embraced the idea of security vendors working together to provide a solid solution vs. every vendor trying to be all things to everybody.

So, what does this really mean and how does it work?

Let’s say you have VM1 (Virtual Machine) and VM2 (Virtual Machine) and they need to be able to transfer data between each other but only once or twice a week. This means you can’t have them 100% isolated. Because you have a communication need between them, it probably makes sense to only open up the channels (TCP/UDP Ports) that they need to communicate on vs. opening up all channels. This helps mitigate exposure. So, let’s say you open up port 6667 and only port 6667 for them to communicate with each other. Well, this is now a bit more secure than the other option of leaving all ports open but let’s say this is a very very critical server and you want deep packet inspection done on all of its traffic. The reason you want to do this is because there is the potential that worms and BOTnet communication could occur over this port 6667 but the only way to determine that is to do deep packet inspection.  I am using port 6667 as the example because I spoke with someone that had a real live case where one of their Linux VM's got infected with this BOTnet:  http://www.energymech.net/ on port 6667

Now, I could put some sort of virtual IPS product inline and look at Physical to Virtual communication for all of the VM’s (VM1, VM2, VM3, VM4, etc.) but I don’t care to take that kind of performance hit and I also already have a physical IPS handling Physical to Virtual. What I really needs is IPS between the VM’s which I haven’t been able to find from any vendor yet and even if I did find such a solution on the market I don’t care to take the performance hit of doing IPS between ALL VM’s.

So, now that you understand the challenge, how can Montego help and what’s this HyperVSecurity thing they talked about in their press release that allows other vendors to interoperate with them. Well, with Montego’s Policy Based Switching technology you, the administrator can control what types of VM to VM traffic you would like to have inspected by a 3^rd party security solution. I would simply set up a policy that says VM1 to VM2 on port 6667 will have its traffic sent to a StillSecure virtual IPS product and once a week when that traffic starts to flow it will be sent over to the IPS product for further inspection. Or if traffic starts to flow outside that once a week norm, it will still be sent for inspection. This way if some attacker tries to get in on that port he will have to make sure he can get past the IPS that now is able to VM to VM IPS.

Pretty cool huh? I think so.

 Now, back to Montego coming out of stealth mode…

You’ll start to hear and see a lot more innovation coming out of Montego Networks now that we’ve popped slightly above radar and the industry knows we are here but is scrambling trying to figure out what exactly we do, how sustainable will this new startup be and if we really have what we say we have. I’m certain competing companies will throw FUD and make all sorts of comments about what we do, how it performs, etc. etc. and all I can say is to just keep an eye on the after burners because we are starting to get lift off.

-JP