September 8, 2008 by dbarker.
A client of mine contacted me about a recent Qualys vulnerability scan that listed a "UDP constant IP ID field fingerprint" vulnerability.
The report gives the following explanation.
“Normally, the IP Identification field is intended to be a reasonably unique value, and is used to reconstruct fragmented packets. It has been reported that in some versions of the Linux kernel IP stack implementation as well as other operating systems, UDP packets are transmitted with a constant IP Identification field of 0.
IMPACT:
By exploiting this vulnerability, a malicious user can discover the operating system and approximate kernel version of the host. This information can then be used in further attacks against the host.”
Hmm... how is this a vulnerability? The same scan shows that OS fingerprinting succeeded against the TCP services. Nmap reveals that these TCP ports also return all zeros in the IP ID field. The OS is identified as Linux in the TCP scans, yet Qualys doesn't classify that as a vulnerability.
Is it a vulnerability that an attacker may know you're running Linux? This is information. I would define an actual vulnerability as something that can be exploited, e.g. a buffer overflow, a race condition, a man-in-the-middle, SQL injection.
This is information: something you can use to find vulnerabilities. In fact, if the IP ID field of all non-fragmented UDP packets is always 0, that is also information that can be used to secure the system. An IDS signature could be written that alerts me whenever there is a non-zero value in this field, since that could be a sign that someone is using the IP ID field to tunnel information, i.e. a covert channel. Now the "vulnerability" is a security feature.
Qualys, fix your scan report: reclassify this as information, just like the TCP OS fingerprinting portion of your report, because that's all this is, information that an attacker already knows.
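To show what the IDS check described above would look like, here is an added example (mine, not code from the post or from Qualys). It parses the IPv4 header from raw packet bytes and alerts only on non-fragmented UDP datagrams with a non-zero Identification field; fragments are skipped because they legitimately need a unique ID. The sample packets are constructed, and the rule assumes the monitored host really does send UDP with a constant IP ID of 0.

```python
import ipaddress
import struct

PROTO_UDP = 17

def parse_ipv4(packet):
    """Parse the fixed 20-byte IPv4 header from raw bytes."""
    if len(packet) < 20:
        raise ValueError("short packet")
    ver_ihl, _tos, _tlen, ip_id, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return {"id": ip_id, "proto": proto,
            "mf": bool(flags_frag & 0x2000),       # More Fragments flag
            "frag_offset": flags_frag & 0x1FFF,    # 13-bit fragment offset
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst))}

def udp_ip_id_alert(packet):
    """Return an alert string for a non-fragmented UDP datagram whose IP ID
    is non-zero (deviates from the host's constant-zero baseline), else None."""
    h = parse_ipv4(packet)
    if h["proto"] != PROTO_UDP:
        return None                     # rule is scoped to UDP only
    if h["mf"] or h["frag_offset"]:
        return None                     # fragments legitimately need an ID
    if h["id"] == 0:
        return None                     # matches the baseline the scanner flagged
    return f"non-zero IP ID 0x{h['id']:04x} in UDP {h['src']} -> {h['dst']}"

def build_packet(ip_id, proto=PROTO_UDP, mf=False, offset=0,
                 src="10.0.0.5", dst="10.0.0.9"):
    """Constructed sample (not captured traffic): IPv4 header + UDP header + 4 bytes."""
    flags_frag = (0x2000 if mf else 0) | (offset & 0x1FFF)
    l4 = struct.pack("!HHHH", 40000, 53, 12, 0) + b"ping"
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), ip_id, flags_frag,
                       64, proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)
    return ipv4 + l4

if __name__ == "__main__":
    for pkt in (build_packet(0), build_packet(0x1337), build_packet(0x1337, mf=True)):
        print(udp_ip_id_alert(pkt) or "ok: baseline")
```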
Posted in Security
September 5, 2008 by dbarker.
SSH is an evil of network security. I'm currently onsite at a customer that allows SSH outbound. Why? I'm not sure. But this is not the first customer I've been to that did. Like many others, they have sophisticated anti-spam, DLP, content filtering, proxies, firewalls, and IPS in place. And then they screw the whole thing up with SSH.
Never allow this.
I'm currently circumventing their anti-spam, DLP, content filtering, proxies, firewalls, and IPS by forwarding my traffic through an SSH tunnel I created to my home network. I'm using portable apps to do it, so there should be nothing left behind after I leave. And although my intent is not malicious, it shouldn't be possible. I've even got X Windows running from my Ubuntu box. So the tunnel runs bidirectionally. I could make it permanent. Earlier I was running Metasploit through it. This is ridiculous.
Allowing SSH is too trusting. They should just eliminate the anti-spam, DLP, content filtering, proxies, firewalls, and IPS and save their money.
Posted in Security
September 5, 2008 by dbarker.
I would have to say yes. I think this is partly a technology issue. As information security managers, we think we can design a system that can be managed by technology. We sit in front of consoles and we feel secure. Physical security requires work that involves people, and not just machines and technology. This process involves education, awareness, and training of actual people. This is something most people in information security don't like to do. With so much emphasis given to DLP these days, I suspect that physical security will have to be stepped up as well. Most companies I consult with have separate physical and network security departments. The physical security aspects are never thought about by most network security architects, and in the cases where they are, it's an afterthought: something else that can be fixed with technology, e.g. video cameras and biometrics.
Posted in Uncategorized
September 5, 2008 by dbarker.
What the hell is wrong with the mainstream media? Does anyone believe Barack Obama? Barack Obama has voted with a majority of his Democratic colleagues 96.0% of the time. They make a big deal about McCain voting with his party 88.3% of the time. Obama is not for the change I believe in; he is for more of the same liberal spending and increased government and socialism. If elected, there would be change. A change for the worse . . . a change toward socialism. The media doesn't care; they don't expose his relationship with the Democratic Socialists of America (DSA). They don't expose his record on abortion; Obama has not seen an abortion he didn't like. He is ultra-liberal. He is pro-gay rights, weak on immigration, pro-affirmative action; basically he's for everything I'm against. Why do we need gay-rights laws? The laws of the land are for people. Sexual orientation should be irrelevant. When you give a section or subset extra rights, you make them special in the eyes of the law and in the opinion of the public. Take, for example, "hate crimes": we already have criminal charges that protect people from "hate crimes"; they have names like assault, battery, manslaughter, homicide. Why is it worse to assault someone who is "gay" or "black" than it is to assault someone who is "white" or "straight"?
I'm appalled at the treatment they are giving to Sarah Palin; they never ask if Obama will be able to take care of the Presidency because he has two children. They are attacking her character? Obama has endorsed an admitted racist preacher as his "spiritual leader." People stay in churches for 20 years because they agree with the philosophy that is being preached. There are hundreds of churches in Chicago. Obama is a liar, a fraud, and as immoral as they come. The mainstream media love him, and will not point this out.
Posted in Uncategorized
September 4, 2008 by dbarker.
I've been an iPod fan for years. I got my first one, a 4 gig mini, at the Check Point experience a few years ago. I "won" it by giving a creative answer for the 10 to 1 question. That is, I'd try to recommend 10 Crossbeam appliances for every 1 Nokia. That piece of fiction got me a free iPod. We sell more than 10 Nokia appliances for each Crossbeam, for sure. After a while, I gave the 4 gig to my wife and got a 60 gig iPod video. It was nice; now my son has it. Now I have the iPhone. It is like a Game Boy, iPod, GPS, web browser, and phone in one device. It does all of these things pretty well. It does have a few drawbacks.
1) No voice dialing? C'mon, phones have had this for years. It's not very hands-free without it. My Motorola Q had this; I used this feature a lot. It was frustrating sometimes when noisy, but I still used it.
2) No Flash? This needs to be fixed, soon. What good is fast internet if you don't have Flash?
3) None of my old iPod accessories work with it. I have to go buy a new clock radio, a new car charger, a new car dock. One of the reasons I bought real iPods and not Chinese fake iPods was compatibility. What gives? Couldn't Apple write some backwards compatibility into the iPhone?
Anyway, the good news is that I can read a book or play a game while listening to music. That just rocks.
The iPhone has made flying and airport waits bearable again.
Posted in Uncategorized
August 4, 2008 by dbarker.
From time to time I’m asked to perform social engineering attacks as part of a vulnerability assessment or penetration test. So, I’ve been thinking about the types of social engineering attacks that could succeed on modern well protected networks. Have products evolved so much that these types of attacks can no longer work?
Posted in Uncategorized
January 21, 2008 by dbarker.
PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.
This is an interesting tidbit. Most banks and financial institutions don't realize that they fall under PCI DSS requirements. I was doing an audit for a credit union and this came up in a discussion. They issue credit cards and take credit card payments, but these transactions are handled by a third party, passing the PCI DSS requirements on to the third party. However, the ATMs they have take credit cards and debit cards, and the Primary Account Number (PAN) (the credit card number) is transmitted and stored on their computers. Now they fall under PCI DSS requirements, and subsequently PCI audits will be necessary.
Posted in Security
January 21, 2008 by dbarker.
Well, I’ve been working from home for the last two weeks. It’s been pretty rough. Not that my job is that physical, but you try sitting up all day with back muscles that have been traumatized by spinal surgery. It’s not easy.
It will be five weeks since the surgery tomorrow, and I told work that I’d be out for at least six. Customers are looking to get me back onsite. I’m not sure I’m ready as I can’t lift anything, and I tire out about 4 o’clock and I haven’t been starting until 9am.
Posted in dbarker's life
January 4, 2008 by dbarker.
I got the staples and stitches out today; it was a little late because the skin had started to grow over the stitches and staples. There is a small hole about the size of a dime where the skin hasn't grown together. I have to watch this for a while until it scars over.
Posted in dbarker's life
January 1, 2008 by dbarker.
Although I had previously said that I didn't ever want to have back surgery again, I had a rather extensive one on my back on the 18th of December 2007.
There were two procedures involved. The first was called a posterior lumbar interbody fusion with instrumentation. They fused L5-S1 and L4-L5 together, and fixed the spine in place with screws and titanium rods and plates. They cut the back part of my spine away in a procedure called a laminectomy. The laminectomy is basically where they cut the back part of your spine out, exposing the spinal nerves underneath. They removed all the disc material from my degenerated spinal discs and replaced it with the bone from the laminectomy as the fusion material; in addition, they used OP-1 Putty from Stryker. OP-1 Putty is recombinant human bone morphogenetic protein-7 (rhBMP-7), formulated with a purified Type I collagen carrier. Once implanted in the body, OP-1 stimulates natural bone healing by actively recruiting stem cells from the surrounding tissue and blood supply, initiating the bone formation cascade. The combination of the interbody fusion cage and fusion material should promote a successful fusion.
In addition, they performed a sacral laminectomy. From that opening they removed the tumor that had grown in that space. According to the surgeon, he was able to remove all the tumor that he could see. Hopefully they got enough of it so that I will never have to worry about it again.
Posted in dbarker's life