Mar 4 2010

Security Assessment of the Internet Protocol version 4

Abstract

This document contains a security assessment of the IETF
specifications of the Internet Protocol version 4, and of a number of
mechanisms and policies in use by popular IPv4 implementations. It
is based on the results of a project carried out by the UK’s Centre
for the Protection of National Infrastructure (CPNI).

Status of this Memo

This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as “work in progress.”

The list of current Internet-Drafts can be accessed at

http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at

http://www.ietf.org/shadow.html.

This Internet-Draft will expire on August 24, 2010.

Source


Mar 3 2010

DoD Requires Hacker Certification

Official government cyber defenders are now required to have the skills of a hacker according to a mandatory certification approved this week by the Department of Defense.

The DoD now requires its computer network defenders (CNDs) to pass the Certified Ethical Hacker certification program from the International Council of E-Commerce Consultants (EC-Council) to fulfill baseline skills.

The Certified Ethical Hacker qualification tests someone’s knowledge in the mindset, tools, and techniques of a hacker.

CNDs — who are part of the DoD’s information assurance workforce — protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks.

Assistant Secretary of Defense John Grimes officially instated the Certified Ethical Hacker requirement in late February under DoD Directive 8570, which provides guidance for how DoD information workers should be trained and managed.

The move is significant because it solidifies the practice of ethical hacking — also known as penetration testing — in mainstream IT practices, said Jay Bavisi, co-founder and president of EC-Council. The council is a vendor-neutral organization that certifies IT professionals in security-related skills.

“Now hacking is no longer a bad word in mainstream IT community,” he said, adding that ethical hacking is not exactly what people think of when they hear that word anyway.

“What we are doing is not hacking — we are seeking permission from the owners of the network to beat the hackers at their own game,” Bavisi said. In fact, the tag line for the EC-Council’s Certified Ethical Hacker educational program is: “To beat a hacker, you must think like one.”

IBM coined the term “ethical hacking” in the 1960s to define a way for IT security researchers to emulate the work of hackers so they can better defend networks, Bavisi said.

Ironically, though ethical hacking was first adopted in covert practices by the U.S. military, in the last decade or so it has become a common practice among Fortune 500 companies to employ ethical hackers to defend networks, he added.

The practice seems to have come full circle with the DoD directive, which Bavisi said the department took three years to approve.

“We were put through a lot of hoops before the DoD accepted us,” he said. “It was a very well-thought, very well-planned, researched movement.”

Source


Feb 26 2010

2600 Verizon Outage Finally Over After Four Days

2600 has become the victim of what is either an example of epic incompetence or sheer malice on the part of Verizon. Whichever it is, we have suffered devastating losses as a result of their inability to restore connectivity to us since severing our Internet connection on Monday. As our website is run at a different facility, we’re able to get this information out to the world in this manner. However, all of our email as well as access to vital files necessary for the completion of our Spring issue has been cut off since Monday. In addition, orders on our store and ticket sales to The Next HOPE have been seriously disrupted.

The irony of this is that we’re not even a Verizon customer. Or perhaps, that’s the reason this is happening in the first place. In the past, we’ve had DSL circuits with other companies, only to have Verizon come along and “accidentally” cut the wires. We would then have to wait for them to fix the connection. On at least one occasion, a Verizon repairman told us that this wouldn’t happen if we “had only used Verizon in the first place.” Such mob-like tactics have been reported by multiple individuals and one has only to chat with owners of any competitor of Verizon to hear many such horror stories. It’s all made possible by the fact that Verizon (in our area, at least) continues to own the actual copper that many of these circuits make use of.

In this particular case, an outage of unknown origin occurred on Monday. It was initially blamed on Time Warner Cable, which now appears to be inaccurate. Verizon apparently isn’t able to tell when their own circuits go down so they had to be notified by our DSL provider. However, even when it’s obvious that something is wrong, Verizon won’t even open a ticket until someone physically turns the modem on and off. On this occasion, we had nobody on site to do this and we basically had to wait an entire day for someone to get to the location so they could perform this useless action so that Verizon could finally start their job. Which they then said they’d get around to on Wednesday. All day Wednesday, our DSL provider was on the phone with them (on hold, mostly) and all they were told was that a technician “had been dispatched.” We had people walk around the area looking for such a technician and we were even able to find one who was out on another call. That Verizon employee told us that this was the only call he was aware of in that vicinity. Even when presented with this evidence, we were told Verizon claimed to be on the job and had a “commit time” of 5 pm. Shortly after 5 pm, Verizon said they would dispatch someone first thing Thursday morning, since union regulations prohibited them from dispatching someone after 5 pm. Which basically means they were lying the entire time they said a technician had been dispatched, since they apparently weren’t even going to start the job until Thursday!

To be fair, outages are frequent in New York City and they’re not always Verizon’s fault. Cables get cut by construction workers, there are power failures and water main breaks, and transformers and manhole covers explode on a regular basis. It’s par for the course. What’s exceptional here is that a company with a near monopoly in the business isn’t on top of the situation when it happens, and has to basically be guided through the entire process by the end user. Verizon’s lines failed on Monday, yet they wouldn’t even acknowledge this fact until Tuesday and didn’t do a thing about it until Thursday (supposedly). As of this writing on Thursday afternoon, we continue to be completely cut off with no explanation. We’re still waiting for answers but, since we didn’t choose to use Verizon in the first place, we’re not even able to talk to them directly.

The unfortunate reality here is that this is forcing us to sever our connection with Hurricane Electric, a dependable and friendly DSL provider that we’ve been with for many years. However, we just can’t continue to operate under these conditions so we will be moving these servers to our existing colocation facility in the very near future. We’re sad to have to do this and we wonder how many other competitors to Verizon have lost customers due to similar circumstances. And we wonder when Verizon will suggest that we subscribe to their FIOS service to avoid such unfortunate circumstances in the future.

As to the effect this has had on 2600, much mail is being bounced as we technically don’t exist on the Internet. If you’ve sent us something on Monday or later, you’ll probably have to send it again when this nightmare finally ends. Preregistration tickets for The Next HOPE conference have been unable to be sent out since we have no email service to communicate with attendees. This is also true for any order placed via our Internet store. Orders can be placed but fulfillment is stalled so if we need to verify information or answer any questions, the order is on hold. It will take some time to get through the backlog once this is all over. Speaker submissions for The Next HOPE have also been interrupted. If you’ve emailed us any speaker or panel suggestion anytime this week, you will likely have to resend it when we’re back up. (Look at the end of this piece to see if/when our service was restored.) And, of course, as this is deadline week for the Spring issue of 2600 where numerous emails are sent back and forth between lots of people, this disruption has been especially disastrous for us. In the event that this causes us to miss our deadline with the printer, we will lose our place in their queue and either be forced to come out late, missing valuable weeks on the newsstands, or have to pay thousands of dollars more to jump the line, expedite the printing, and stay on schedule. We have a similar problem with the new 2600 book, due out by the HOPE conference in July but which needs to have key decisions made now, all of which is in jeopardy due to these communication issues. We’re doing everything we can obviously to communicate via other means (telephone, personal visits, even Facebook), but it’s impossible for us to know who’s trying to send us an urgent message via email when we can’t see the email.

Clearly there are a number of things we could have done differently to limit the damage Verizon’s actions (or inactions to be more accurate in this case) could cause us. Redundant systems, communicating through Google or some other corporation instead of running our own mail server, or simply not keeping our machines in our own possession. All of these options require investments of time and/or money or the act of compromising something we strongly believe in, namely the ability of the end user (us) to run things themselves in their own facilities. By moving our machines to someone else’s facility as we’re now forced to do, we no longer have complete control over them. If an injunction is filed against us, action could be taken against our servers before we even know what’s happening, whereas before we’d at least get a knock on the door. We honestly don’t expect this to be an issue but it’s a step we were hoping never to have to take.

We apologize for all of the disruption this has caused, not only to all of our users and the many coordinating mailing lists that we operate on our site, but to our readers and customers who have been cut off as well. It should be noted that Verizon offers no compensation for such outages, despite what many of us believe. We can only imagine how many other people have to live with Verizon’s horrible business ethics, people who don’t have the means to communicate through alternate means to such a large and technically adept audience. If there’s any good to come out of this, perhaps other victims can feel empowered to also speak out and gain a forum where their stories might be heard and action taken to prevent this sort of thing from recurring.

Please guide people to this story and/or repost it in other places if you feel compelled to do so. Also, please keep checking back here to find out when our service was finally restored. In fact, we will post that info right here.

Verizon service outage on February 22, 2010, finally restored on February 25th at 6:00 PM EST.

Source


Feb 25 2010

Cryptome.org shut down for exposing MS surveillance guide

Cryptome, the whistleblower site that serves as a repository for “documents for publication that are prohibited by governments worldwide, in particular material on freedom of expression, privacy, cryptology, dual-use technologies, national security, intelligence, and secret governance”, was taken down on Wednesday afternoon by its hosting provider, Network Solutions, which also had the domain “legally locked”.

What this means is that the domain information can’t be modified and the domain name can’t be transferred – only the registration can be renewed. This action from Network Solutions was motivated by a Digital Millennium Copyright Act (DMCA) complaint filed by Microsoft against Cryptome and its owners, regarding the publication of their Global Criminal Compliance Handbook, a document that reveals to users things that Microsoft would not like to become common knowledge.

In it you can find information about what records are retained and for how long, and what information can and will be given to law enforcement and intelligence agencies if requested by subpoena. Microsoft is not the only company whose “spy guide” has been published by Cryptome, but it’s apparently the one with the most clout.

ReadWriteWeb reports that once the complaint was filed and they requested of Paul Young, one of the owners of Cryptome, to take the document off the website, he refused. So the ISP intervened with a warning that said that if the document wasn’t removed by Thursday, they would disable the site. And so they did – one day before the imposed deadline.

In the complaint, Microsoft states as the reason for their request an infringement of copyright laws. The Electronic Frontier Foundation (EFF), the well-known international digital rights watchdog group, spoke up: “We find it troubling that copyright law is being invoked here. Microsoft doesn’t sell this manual. There’s no market for this work. It’s not a copyright issue. John’s copying of it is fair use. We don’t do this anywhere else in speech law.”

Cryptome has been active since 1996, and this is the first time that someone has succeeded in their mission to shut it down. Young has filed a counter-notification, and we probably won’t have to wait long for the next installment of this story. If Microsoft doesn’t forward a notice of litigation, Network Solutions will reactivate the Website and unlock the domain in no more than 14 business days. In the meantime, the website is temporarily available here.

If you want to read Microsoft’s “spy guide”, you can download it at Wikileaks, which has also offered to host Cryptome on its multi-jurisdictional network outside the US.

Source


Feb 25 2010

Temporary cryptome.org site online after Network Solutions “Legal Lock”

The web site cryptome.org is currently online at http://cryptomeorg.siteprotect.net/ until the domain can be transferred away from Network Solutions. The following is from the temporary site:

This is the temporary Cryptome address until the Cryptome.org domain is transferred. Network Solutions shut Cryptome.org and has placed a “legal lock” on the domain name, preventing its transfer, until the “dispute” is settled. Some recent files are available now and the full collection is being transferred.


Feb 24 2010

Leading on Cybersecurity: The Administration Speaks

The Obama administration gets a chance to demonstrate its cybersecurity leadership as three top guns from the executive branch – Homeland Security Secretary Janet Napolitano, White House Cybersecurity Coordinator Howard Schmidt and FBI Director Robert Mueller – address the RSA conference in San Francisco next week. It’s sorely needed.

What Napolitano and Schmidt – late additions to the roster of keynote speakers at the IT security conference – as well as Mueller say could signal the direction the White House will take to lead the nation in securing federal digital assets and America’s critical IT infrastructure. Though the White House is working hard to fine-tune its cybersecurity agenda, it’s been doing so in relative silence.

What these leaders need to demonstrate in their speeches are precise actions the administration will take in the coming weeks and months to protect America’s key IT systems. Visible leadership is required at a time when most news about protecting government and key private IT systems is terrible:

* Former Director of National Intelligence Michael McConnell, at a Senate hearing Tuesday, said the United States would lose a cyber war if one were held now.
* The Bipartisan Policy Center held a simulated cyber attack that disrupted smart phone service to 20 million customers, shut down an electronic energy trading platform and crippled the power grid along the Eastern seaboard.
* The month-old discussions about attacks from China on Google and other companies have not abated.
* Security firm Symantec issued a survey of IT managers that identified cyber attacks as the most significant risk they face: 42 percent vs. 17 percent for traditional criminal activity and brand-related events, 14 percent for natural disasters and 10 percent for terrorism.

Meanwhile, the odds of significant cybersecurity legislation reaching President Obama’s desk this year are seen as, at best, 50-50. Word circulating on Capitol Hill is that cybersecurity legislation has stalled in the Senate partly because the White House has remained mute – at least in public – on these measures.

In Schmidt, the administration has one of the most respected cybersecurity experts whose excellent communications skills should be exploited to help drive its IT security agenda. It would be interesting to hear from him at RSA what the administration would like to see in legislation emanating from Congress.

As for Napolitano, she often spoke of cybersecurity challenges in the past year, but a press release from her office suggests her remarks will not be specific but will address the “broad mission to protect the nation’s cyber infrastructure, systems and networks, and the responsibility of all Americans in maintaining cybersecurity and resiliency.”

Let’s hope Napolitano, Schmidt and Mueller provide in their RSA speeches specific administration actions that will demonstrate a government leading on this all important matter.

Source


Feb 19 2010

Cloud Security Alliance and IEEE join forces

The Cloud Security Alliance (CSA) and IEEE are joining forces to ensure that best practices and standards are developed and available to provide security assurance for cloud computing. As a result of this collaboration, CSA and IEEE have been conducting a survey to identify and define the most critical security concerns surrounding enterprise cloud computing.

The survey was completed by hundreds of IT professionals who are actively involved in implementing cloud-related projects. CSA and IEEE will announce their findings at the RSA Conference.

“Since founding the Cloud Security Alliance, our members have been committed to defining a set of best practices that will enable their organizations to embrace their cloud initiatives without compromising their security posture,” said Jim Reavis, founder of the Cloud Security Alliance. “As one of the world’s oldest and most respected computing organizations, the IEEE and their global membership will help us gain valuable insight into which cloud security concerns are most pressing. Once we fully understand these priorities, we will be able to better define new standards that will improve all aspects of cloud security.”

“The true promise of cloud computing will only be realized if all aspects of security are addressed and communicated in a truly open and collaborative manner,” said Judy Gorman, Managing Director, IEEE-SA. “Both CSA and the IEEE bring a unique and informed perspective to the table and this survey will help set the agenda for developing a comprehensive set of cloud security standards.”

Source


Feb 19 2010

10 strategic security initiatives for every organization

Where computer security is involved, it’s always good to understand the kinds of breaches that companies have suffered and what the actual or suspected vulnerabilities were that allowed the breaches to occur. It is in this spirit that the members of SpiderLabs, the advanced security team within Trustwave, have published their Global Security Report of 2010. The report is based on more than 200 forensic studies and almost 1,900 penetration tests conducted by SpiderLabs in 2009.

For the most part, SpiderLabs’ report is fairly consistent with security breach reports published by other security consultants and investigative agencies. By this I mean that thieves tend to target high-value information such as credit card data, Social Security numbers and other information that can easily be sold in the underground economy. In SpiderLabs’ investigations, point-of-sale software systems were the most frequently breached systems.

Another consistency with other security reports is the fact that many breaches can be traced to known vulnerabilities that had been left unpatched. This further emphasizes the importance of a consistent patch strategy within your organization.

I recently talked with Nicholas Percoco, senior vice president of SpiderLabs, to get his recommendations of strategic initiatives for every organization. If you follow Percoco’s top 10 recommendations, you should vastly reduce your company’s risk of a security breach.

1. Perform and maintain a complete asset inventory, and decommission old systems. Knowing precisely what you have is the first step to securing it. Percoco says his team’s investigations frequently find devices that the customer organization doesn’t even know about. In addition, the investigations often turn up old systems that have a planned decommission date. The customers often aren’t concerned about keeping such systems up to date with patches because they are due to be taken off-line soon. Percoco says that in 75% of the cases, those systems slated for decommissioning are still in use a year later – unpatched and more vulnerable than ever.

2. Monitor your third-party relationships. In 81% of the cases the SpiderLabs team investigated, third-party vendors and their products were responsible for introducing vulnerabilities, mostly stemming from insecure remote access implementations and default, vendor-supplied credentials. Percoco advises that you discuss your security policies with your vendors and ensure they adhere to them.

3. Segment your network into as many zones as feasibly possible. If you’ve got a completely flat network, and one device on that network can see or talk to any other device, you’ve got a problem. A hacker gaining entry to this network has easy access to everything. Percoco tells a story about using a network connection in a hotel conference room. From there he was able to see the hotel’s reservations system. Uh oh.

4. Rethink your wireless implementation. Wireless security is a fast-moving target that companies often struggle to keep up with. Percoco recommends you never place wireless access points within your corporate core network; rather, place them outside your network and treat them like any other remote access medium. Your perimeter security should help keep unwanted visitors out.

5. Encrypt your sensitive data. In their investigations, the SpiderLabs team has found clear-text sensitive data quite easily. Best practices dictate that you should understand where data is located, purge what isn’t needed and encrypt the rest, including data in transit.

6. Investigate anomalies — they could be warning signs. Excessive login attempts, server crashes, “noise” from a device: All of these could be signs that someone is doing something unusual and unwanted on your network. At the very least, investigate the anomaly with a suspicious eye as soon as you detect it. Doing so might prevent or limit the damage from a breach.

7. Lock down user access. Most employees do not need the high level of access that they are given. Having too many privileges allows them to do harmful things, either inadvertently or intentionally. Perform an analysis of role and access privileges and lock down as much as you can.

8. Use multifactor authentication everywhere possible. Percoco says we’re too dependent on simply using passwords for authentication. This isn’t good enough anymore. He recommends you deploy multifactor authentication where possible. There are lots of new techniques and technologies to choose from.

9. Implement and follow a formal Software Development Life Cycle (SDLC). SpiderLabs’ experience with penetration testing has shown that many organizations don’t provide enough checks and balances in their software development process. A comprehensive SDLC process is vitally important in the development of secure applications.

10. Don’t forget to educate everyone. IT security is everyone’s responsibility. Percoco says organizations need to implement a mandatory security awareness training program that every employee must attend annually.
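Item 6 above (excessive login attempts as a warning sign) is the one that most lends itself to a concrete check. The following is an added example, not code from the article or from SpiderLabs: it parses a few constructed sshd-style log lines, counts failed logins per source address inside a one-minute window, and flags any source that crossed the threshold, noting whether a successful login followed the burst (the case that deserves escalation first). The threshold, window length and log format are assumptions chosen for the example.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts result user ip")

# Constructed sample sshd log lines (not taken from the SpiderLabs report):
# one source hammers several accounts within seconds and then gets in; the
# other is a user mistyping a password twice over the course of an hour.
SAMPLE_LOG = """\
Feb 19 10:00:01 host1 sshd[100]: Failed password for invalid user admin from 203.0.113.7 port 4242 ssh2
Feb 19 10:00:02 host1 sshd[101]: Failed password for root from 203.0.113.7 port 4243 ssh2
Feb 19 10:00:03 host1 sshd[102]: Failed password for root from 203.0.113.7 port 4244 ssh2
Feb 19 10:00:04 host1 sshd[103]: Failed password for invalid user test from 203.0.113.7 port 4245 ssh2
Feb 19 10:00:05 host1 sshd[104]: Failed password for root from 203.0.113.7 port 4246 ssh2
Feb 19 10:00:06 host1 sshd[105]: Accepted password for root from 203.0.113.7 port 4247 ssh2
Feb 19 10:03:00 host1 sshd[106]: Failed password for alice from 192.0.2.10 port 5000 ssh2
Feb 19 10:45:00 host1 sshd[107]: Failed password for alice from 192.0.2.10 port 5001 ssh2
Feb 19 10:45:30 host1 sshd[108]: Accepted password for alice from 192.0.2.10 port 5002 ssh2
"""

# Matches the common OpenSSH "Failed/Accepted password" line shape (an assumption:
# adjust the pattern for other daemons or log formats).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)


def parse(text, year=2010):
    """Turn raw log lines into Event tuples; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m["result"], m["user"], m["ip"]))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: details} for sources with >= threshold failures inside any
    span of length `window`. A success after the burst is the worst case: the
    guessing may have worked, so that flag is the one to escalate first."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        failures = [e for e in evs if e.result == "Failed"]
        for i in range(len(failures)):
            # grow the window from failure i until the next failure falls outside it
            j = i
            while j < len(failures) and failures[j].ts - failures[i].ts <= window:
                j += 1
            if j - i >= threshold:
                burst_end = failures[j - 1].ts
                alerts[ip] = {
                    "failures": j - i,
                    "users": sorted({e.user for e in failures[i:j]}),
                    "success_after_burst": any(
                        e.result == "Accepted" and e.ts >= burst_end for e in evs),
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

Run as-is it reports only 203.0.113.7 (five failures across three accounts, followed by a success); alice’s two mistakes an hour apart stay below the threshold, which is the point of using a time window rather than a raw count.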

Source


Feb 16 2010

How to Make Things Worse With IT Security Technology

It’s an observation a lot of IT security practitioners are making of late: That companies are so obsessed about compliance and getting through a list of checkboxes that security technology is being haphazardly implemented — in ways that actually increase a company’s risk.

At the recent ShmooCon security conference in Washington D.C., CSO Senior Editor Bill Brenner asked Ontario-based CISO and security consultant James Arlen for examples of the problem. Here is what he has seen, and what — if anything — we can do about it.

There are a lot of tech-heavy talks going on at ShmooCon this year. As a CISO, what are your biggest technological concerns?
James Arlen: We need to be focusing more on the quality of security technology implementation. It’s no longer enough just to buy the thing; to have that technological doo-dad. When you get through all your PCI security checkmarks and get through your SAS70 requirements that’s great, but are you really getting the value that you’re supposed to be getting?

And you don’t see that happening?
Arlen: In a lot of cases there really is no way to get that value because of the implementation. You buy it, you turn it on, the red light is blinking and it’s making the peeping sound. But it’s not doing anything for you. You’re not getting any risk reduction. You’re not increasing your situational awareness. We need to find a way to get better at that stuff faster.

Give an example of where, in your business travels, you see this sort of problem unfolding.
Arlen: In my long, sordid history as a security consultant I see it all the time. You’d see these firewalls implemented with hugely long rule sets and all kinds of effort put into them. But then you go down to the bottom of those rule sets and discover that somebody slipped in an “any-any” rule because it would make testing easier or allow them to get something into production faster. So it’s an example of taking all this hard work you’ve done and undoing it in the name of expediency.

The flip side of that is that, in being a security operational person, you go out and get the tool, and you train one or more people to use it, and because the security industry is as fast paced as it is — fast paced being another way of saying “high turnover” — you end up in a situation where three to six months down the line you’re in a position where you don’t have that practitioner excellence and you have a tool that has essentially been shelved because there’s no one who knows how to pick it up and use it.
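The “any-any” rule Arlen describes is easy to catch mechanically, and the reason it is so damaging is first-match evaluation: once a permit-everything rule is reached, nothing below it is ever consulted. As an added example (not code from the interview or from any firewall vendor), the following audits a constructed rule set written in a simplified five-field syntax that is an assumption of the example, flags every permit any-any rule, and lists the rules it shadows.

```python
import ipaddress
from typing import List, NamedTuple


class Rule(NamedTuple):
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp", "icmp" or "any"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    dport: str    # destination port or "any"


# Constructed rule set in a simplified first-match syntax: action proto src dst dport.
# This is not any vendor's format; the "temporary" rule is the kind Arlen describes.
SAMPLE_RULESET = """\
permit tcp any           10.0.0.0/8   443   # public web tier
permit tcp 10.0.0.0/8    10.1.0.0/16  22    # admin ssh from the corporate range
deny   tcp any           10.1.0.0/16  3389  # no RDP into the server zone
permit any any           any          any   # "just for testing", never removed
deny   any any           10.2.0.0/16  any   # card-data zone: meant to be unreachable
"""


def _matches_everything(addr: str) -> bool:
    """True for 'any' or for a /0 prefix written out explicitly (0.0.0.0/0)."""
    return addr == "any" or ipaddress.ip_network(addr, strict=False).prefixlen == 0


def is_any_any(rule: Rule) -> bool:
    """A permit rule that matches every protocol, source, destination and port."""
    return (rule.action == "permit" and rule.proto == "any"
            and _matches_everything(rule.src) and _matches_everything(rule.dst)
            and rule.dport == "any")


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(Rule(*fields))
    return rules


def audit(rules: List[Rule]) -> dict:
    """Report permit any-any rules (1-based positions) and every rule after the
    first one, which under first-match evaluation can never be reached."""
    any_any = [i for i, r in enumerate(rules, 1) if is_any_any(r)]
    shadowed = list(range(any_any[0] + 1, len(rules) + 1)) if any_any else []
    return {
        "any_any": any_any,
        "shadowed": shadowed,
        # with no catch-all permit, the implicit (or explicit) deny at the end applies
        "effective_default": "allow-all" if any_any else "deny-by-default",
    }


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULESET)
    report = audit(rules)
    for pos in report["any_any"]:
        print(f"rule {pos}: permit any-any -> policy is effectively allow-all")
    for pos in report["shadowed"]:
        print(f"rule {pos}: unreachable, shadowed by the any-any rule above it")
```

On the sample set the report names rule 4 as the catch-all and rule 5 as dead: the deny protecting the card-data zone is never evaluated, which is exactly the “undoing all the hard work” case from the interview. Running a check like this against exported rule sets before each change window is the kind of implementation-quality control Arlen is asking for, as opposed to buying another box.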

Source


Feb 16 2010

CORE SECURITY INTEGRATES CORE IMPACT PRO WITH METASPLOIT PROJECT

BOSTON, MA – Feb. 16, 2010 – Core Security Technologies, provider of CORE IMPACT Pro, the most comprehensive product for proactive enterprise security testing, today announced that it has created a fully supported technical integration between its flagship software solution and the Metasploit open-source exploit framework.

With today’s organizations using penetration testing to strategically test their vulnerabilities and IT defenses, Core Security now offers both professional penetration testers and operational security staffers who use IMPACT Pro the ability to tap directly into the open-source functionality of Metasploit to carry out vulnerability analysis.

By providing the opportunity to use Metasploit in concert with IMPACT Pro, penetration testers will now be able to appreciate all the benefits of Core’s commercial-grade, automated solution – with its massive library of professionally developed exploits, efficient and easy-to-use interface and in-depth reporting capabilities – alongside the well known open source project.

Through the integration, testers will now be able to:

* Bring a system compromised during testing with Metasploit into the IMPACT environment and deploy an IMPACT Pro Agent. The Agent is a patented, syscall proxy payload that allows users to:

1. Launch IMPACT Pro’s full range of automated penetration testing capabilities from the compromised system.
2. Leverage IMPACT’s broad selection of commercial-grade exploits, plus multiple pre- and post-exploitation capabilities for in-depth, comprehensive attack replication.
3. Pivot penetration tests to other systems, mimicking an attacker’s attempts at identifying and exploiting paths of weakness to backend systems and data.

* Use IMPACT Pro’s automated Rapid Penetration Test (RPT) to exploit vulnerabilities, then launch Metasploit’s db-autopwn feature and subsequently upload the results back into IMPACT Pro. This allows users with less training and expertise to view Metasploit testing information within the IMPACT environment.

“We’ve long respected the work of H.D. Moore, his team and the community of Metasploit contributors in creating a rich exploit framework that offers experienced testers a range of capabilities, and we wanted to make it easier for those who want to use Metasploit alongside CORE IMPACT Pro to do so,” said Fred Pinkett, vice president of product management at Core Security. “By offering professional testers and security staff greater ability to centralize their assessments and incorporate their Metasploit efforts into their IMPACT Pro deployments, we feel that we’re providing the market with an expanded opportunity to carry out even more inclusive and valuable penetration tests.”

The IMPACT Pro-Metasploit integration will officially arrive in the next version of CORE IMPACT Pro, due to ship from Core Security in April 2010.

“As someone who utilizes both CORE IMPACT Pro and Metasploit, it’s invaluable to see Core moving towards integrating in this way,” said Steve Shead, Director of IT & Information Security Officer at CafePress.com. “It will give testers more scope for comprehensive testing and assessment, and another avenue of cross checking by importing Metasploit test results back into IMPACT Pro. It’s gratifying to see Core targeting their development efforts into providing automated penetration testing capabilities that are as flexible and dynamic as humanly possible; ultimately this means they listen to the needs of their customers and, more importantly, take action.”

“The integration of the Metasploit framework with IMPACT Pro will define a new era for vulnerability confirmation,” said Chris Nickerson, CEO of Lares Consulting. “Professional penetration testers and enterprises alike will now benefit from the exploits of Metasploit while being able to leverage the powerful technology and reporting of IMPACT Pro. The most reliable commercial tool blended with the bleeding edge research of the open source community will surely be a hit for all.”

Source