locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Wed, 29 Nov 2006 (BlogID 572)
New VoIP Security Resources (Is anyone reading them?)

I've added a dozen or so articles to my VoIP Security Resources and have included a short list of books on this subject (including my own, with Alan Johnston). I am a little surprised that relatively few new articles have been published over the past six months, and that many of the recently published articles merely regurgitate what has been exposed for several years. Recent articles, however, appear in trendier online pubs and news portals. This suggests that the press has begun to campaign that VoIP Security is *the* most worrisome issue on every CSO's list. By February, Internet toll fraud and eavesdropping attacks will replace rootkits and key loggers as the most popular parlor talk among the (not so) techno-craties.

Apparently, Christmas has arrived early for VoIP security vendors and the 4th estate. In an industry measured by FUD-ometers, these folks couldn't ask for better "proof" that Internet telephony is at the edge of the security abyss than finding VoIP server and phone security on the SANS Top 20 Internet Security Target List for November 2006.

Time to sing "The more things change, the more they remain the same" to the tune of a Christmas Carol. I think this works with Jingle Bells: "The more things change, the more things change, the more they remain the same...we innovate with plain text apps although we know they're lame."

Archived at http://www.securityskeptic.com/arc20061101.htm#BlogID572 by Dave Piscitello  

Tue, 28 Nov 2006 (BlogID 571)
Anatomy of a DNS DDoS Amplification Attack

Early in 2006, a series of Distributed Denial of Service (DDoS) attacks victimized DNS root and Top Level Domain (TLD) name server operators. These attacks merit careful analysis because they combine several attack tools and methods to increase their effectiveness. The attacks also call attention to an operational problem that was solved long ago, yet most IT administrators and service providers have not implemented the most effective and appropriate response.

In my article, Anatomy of a DNS DDoS Amplification Attack, I describe the tools attackers use in DNS DDoS amplification attacks, the attack itself, and countermeasures that are generally considered best practices.

Variants of the attack I describe here continue to harass enterprises and service providers. Shortly after my article was published by Watchguard Technologies, I received the following comment from a subscriber:

I was targeted by this particular attack, captured screen shots and the works, and my ISP was worthless in their response - because they didn't see an unusual amount of traffic on THEIR side, but I was completely shut down at my firewall. Thanks for confirming my assumptions about the attack - very validating!

While it's nice to help folks validate assumptions about attacks, it would be so much more rewarding if service providers would voluntarily adopt countermeasures such as source IP address validation so we can reduce the frequency and amplitude of not only DNS but many forms of DDoS attacks.
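Two defender-side checks that follow from the post, written here as an added example (not code from the article or from Watchguard): a provider-edge source address validation decision, and a victim-edge firewall check that tells reflected DNS responses from answers to queries this host actually sent. The prefixes and packet records are constructed sample data.

```python
"""Source address validation at the provider edge, and detection of
unsolicited (reflected) DNS responses at the victim's firewall."""
from ipaddress import ip_address, ip_network

# Hypothetical prefixes assigned to one customer port at the provider edge.
CUSTOMER_PREFIXES = [ip_network("198.51.100.0/24"), ip_network("2001:db8:10::/48")]


def source_address_valid(src_ip, prefixes=CUSTOMER_PREFIXES):
    """Ingress filter decision: True to forward, False to drop as spoofed.
    A packet whose source is not in the customer's own prefixes is forged,
    so it never reaches a name server that would reflect it at the victim."""
    addr = ip_address(src_ip)
    return any(addr in net for net in prefixes)


def find_unsolicited_dns_responses(packets):
    """Match inbound UDP/53 responses to earlier outbound queries by
    (peer address, DNS transaction id). Returns the unmatched responses and
    their total size in bytes; a sustained stream of these is what the
    target of an amplification attack sees arriving at its firewall."""
    outstanding = set()
    unsolicited, total_bytes = [], 0
    for pkt in packets:
        key = (pkt["peer"], pkt["txid"])
        if pkt["dir"] == "out" and pkt["peer_port"] == 53:
            outstanding.add(key)              # remember the query we sent
        elif pkt["dir"] == "in" and pkt["peer_port"] == 53:
            if key in outstanding:
                outstanding.discard(key)      # genuine answer to our query
            else:
                unsolicited.append(pkt)       # reflected: nobody here asked
                total_bytes += pkt["len"]
    return unsolicited, total_bytes


# Constructed sample: one legitimate query/answer pair, then two large
# responses from name servers this host never queried.
SAMPLE_PACKETS = [
    {"dir": "out", "peer": "192.0.2.53", "peer_port": 53, "txid": 0x1A2B, "len": 40},
    {"dir": "in", "peer": "192.0.2.53", "peer_port": 53, "txid": 0x1A2B, "len": 120},
    {"dir": "in", "peer": "203.0.113.7", "peer_port": 53, "txid": 0x4444, "len": 3000},
    {"dir": "in", "peer": "203.0.113.8", "peer_port": 53, "txid": 0x4445, "len": 2900},
]

if __name__ == "__main__":
    print(source_address_valid("198.51.100.17"), source_address_valid("203.0.113.9"))
    hits, size = find_unsolicited_dns_responses(SAMPLE_PACKETS)
    print(len(hits), "unsolicited DNS responses,", size, "bytes")
```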

Archived at http://www.securityskeptic.com/arc20061101.htm#BlogID571 by Dave Piscitello  

Sun, 19 Nov 2006 (BlogID 570)
Chapter Excerpt: EAP Authentication Protocols for WLANs

Eric Garulay sent me a review copy of a chapter from Cisco Wireless LAN Security by Krishna Sankar, Sri Sundaralingam, Darrin Miller, and Andrew Balinsky, published by Cisco Press. The chapter covers all the important aspects of WLAN access control and authentication. I've asked Eric for a copy of the book, and Cisco Press has granted permission for me to offer you an HTML preview of Chapter 7 on my web site.

Let me know if you like what you read.

Archived at http://www.securityskeptic.com/arc20061101.htm#BlogID570 by Dave Piscitello  

Thu, 16 Nov 2006 (BlogID 569)
What Will Future Anthropologists Deduce from Firewall Logs?

Imagine that several centuries hence, anthropologists uncover a hoard of archived tapes containing terabytes of firewall log files recording events from the last decade of the 20th century and into our present day (2006). Now imagine that they discover how to read the media and open the log files.

Initially, excited anthropologists might rush to conclude that "gee, these early Internet folks were really committed to understanding how the primitive networks they used worked. Look at all the copiously maintained information!"

Much later, after considerable analysis and perhaps after correlating logged events with unearthed copies of newspapers containing articles about DoS attacks, Internet worms, spam and more, a young turk of an anthropologist will refute earlier conclusions in his master's thesis by suggesting an alternate theory.

"It really doesn't appear that early Internet people were able to derive much of value from all this 'log' information. At the very least, if they derived anything, they did not appear to apply it."

Archived at http://www.securityskeptic.com/arc20061101.htm#BlogID569 by Dave Piscitello  

Mon, 13 Nov 2006 (BlogID 568)
Why Top Level Domains Should Not Use Wildcard Resource Records

On behalf of ICANN's Security and Stability Advisory Committee, and with the help of my colleague Suzanne Woolf, I prepared a short publication explaining the problems users and applications may experience when Top Level Domain registries make use of synthesized responses for domain names that are non-existent, not registered, or in DNS-speak "uninstantiated".

A name server that receives a query for a non-existent or unregistered name from a client should return a "name error." This error tells the requesting application that the name is not instantiated. When a domain authority uses a single A resource record in its zone for all unregistered or non-existent names in its domain, and then returns a *positive* response (yes, the name exists, and you can reach the host at this IP address) rather than an error (no, the name doesn't exist), the domain authority is said to have implemented a synthesized response-based or "wildcard" service.

Wildcard services can cause applications to behave in undesirable ways, and create security problems for email and other applications that need to know when a name can't be resolved. In the paper, SSAC explains several of these problems and reiterates the reasons why TLDs should not use wildcard resource records.
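A check for the behaviour described above, added here as an example (not from the SSAC paper): probe a zone with several random labels that are almost certainly unregistered, and if every probe returns the same A record instead of a name error, the zone is synthesizing responses. The resolver is injected so the example runs offline against constructed zone data; `example` stands in for a hypothetical TLD.

```python
"""Detecting a wildcard (synthesized-response) zone, and showing why an
application that relies on a name error misbehaves against one."""
import secrets
import string

# Constructed zone data standing in for real DNS answers.
ZONE = {"www.example": {"192.0.2.10"}}
WILDCARD_ADDRESS = {"203.0.113.99"}   # what a wildcarded TLD hands out


def make_resolver(zone, wildcard=None):
    """Return a lookup function: name -> set of A records, or None for a
    name error. If wildcard is given, every unknown name gets that answer
    instead of an error, which is the behaviour SSAC warns against."""
    def resolve(name):
        return zone.get(name, wildcard)
    return resolve


def random_label(length=12):
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def detect_wildcard(resolve, zone_suffix, probes=3):
    """Return the synthesized address set if the zone wildcards, else None.
    Several random labels are probed so that one accidentally registered
    name is not mistaken for a wildcard; any genuine name error clears it."""
    answers = [resolve(f"{random_label()}.{zone_suffix}") for _ in range(probes)]
    if any(a is None for a in answers):
        return None
    if all(a == answers[0] for a in answers):
        return answers[0]
    return None


def domain_looks_deliverable(resolve, domain):
    """Naive mailer check: a domain that resolves is treated as deliverable.
    Against a wildcard zone a typo such as 'exmaple' passes this check."""
    return resolve(domain) is not None


if __name__ == "__main__":
    honest = make_resolver(ZONE)
    wild = make_resolver(ZONE, WILDCARD_ADDRESS)
    print("honest zone wildcard:", detect_wildcard(honest, "example"))
    print("wildcard zone wildcard:", detect_wildcard(wild, "example"))
    print("typo deliverable (wildcard):", domain_looks_deliverable(wild, "exmaple.example"))
```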

Archived at http://www.securityskeptic.com/arc20061101.htm#BlogID568 by Dave Piscitello  

Fri, 10 Nov 2006 (BlogID 567)
Taking "Explosives in sneakers" to the extreme

Anyone who's gone through TSA security at an airport recently knows that you are required to remove your footwear for X-Ray screening. We owe this inconvenience to a man who attempted to conceal two functional improvised explosive devices in his sneakers (why can't these folks just say "bomb"?).

While waiting on line to pass through security at San Diego airport, I began wondering, "At what point does searching for IEDs cross the lines of reason and propriety?" So I began considering what other apparel might be used to conceal IEDs of approximately the size one could conceal in the heel of a sneaker.

A padded bra! Apparently, certain bra manufacturers conveniently provide pockets so that women can add padding according to need. I'm not an IED expert, but it seems that it would be far simpler to pad a bra with explosives than a sneaker heel.

So the question that begs an answer is, "If Richard C. Reid had been Roberta C. Reid, and Roberta had concealed an IED in her bra, would TSA insist that all bras pass through X-Ray?" [For the record: I would not be comforted by a response claiming that the X-Ray machine I walk through is sensitive enough to detect an IED in a bra but not in a sneaker heel.]

Thanks to spam, I am now painfully aware that certain undergarments accommodate tush pads as well. Um... let's not go there.

Archived at http://www.securityskeptic.com/arc20061101.htm#BlogID567 by Dave Piscitello  

Mon, 06 Nov 2006 (BlogID 566)
Definition of Data Breach

I received an email from a visitor to my blog asking about data breaches. Robert writes:

Since the Veterans Administration (VA) laptop incident, there have been numerous other data breaches. However, I cannot seem to construct a singular definition of what a data breach encompasses. In addition, I am in the process of writing a policy on the protection of Personally Identifiable Information (PII) and would like to include a clear definition of data breach.

Thanks for any assistance or pointers you may be able to provide.

I decided to post my email reply in my blog.

There are many ways to define "data breach". I hesitate to claim my own interpretation is *definitive* but I consider any act (malicious or unintentional) that discloses information to an unauthorized party a data breach.

I think we begin to complicate the basic definition when we try to sort out "sensitive" from "private" from "whatever". So you tell me which of these you consider a data breach:

  • User behavior returned in an ad serving cookie
  • A document delivered to the wrong email recipient because the sender used autocompletion but paid no attention to the pulldown
  • User account and password transmitted by a keylogger to an attacker
  • Medical records, identity information, financial information obtained by an attacker following a successful buffer overflow attack in a web server script
  • Instant messages and IP telephony traffic captured off an open WLAN AP

I say "all of 'em". Which disclose sensitive information? Private information? What's the difference?

Perhaps if you have a working definition of PII in mind, you could extrapolate from my definition of data breach. Of course there are perhaps more definitions of PII than of data breach.

Archived at http://www.securityskeptic.com/arc20061101.htm#BlogID566 by Dave Piscitello  

Fri, 03 Nov 2006 (BlogID 565)
Data breaches: E-data isn't always breached using E-means

I came across an interesting page at the Privacy Rights Clearing House entitled A Chronology of Data Breaches. The page lists major data breaches from 20 April 2005 to present, identifying date, victimized organization, type of breach, and an approximate number of "private" records compromised. What I found most sobering about this list is the frequency with which the theft of electronic data was accomplished by physical rather than electronic means.

The incidents of course include web application attacks, social engineering, impersonation, and exploits of vulnerable software, but these are not as common as stolen laptops, recycled equipment, removable media, archive (backup) tapes, and printed material. This suggests that so much of our security mind share is diverted to "keeping hackers at bay" that we forget that data theft is ultimately *theft* and that many thieves are content to do business the old-fashioned way.

What should we learn from this list? If you manage sensitive data,

  • Protect equipment that holds sensitive data from physical theft.
  • Restrict and catalog copying of sensitive data to mobile devices and removable storage.
  • Apply the principle of least privilege and only allow users access to data their role requires.
  • Define a secure disposal policy and implement it for electronic as well as physical copies of sensitive data.
  • Define a secure archival policy and implement it.
  • Consider an encryption strategy for data at rest in all forms.

Archived at http://www.securityskeptic.com/arc20061101.htm#BlogID565 by Dave Piscitello  

Wed, 01 Nov 2006 (BlogID 564)
Pearls from Vint Cerf's Opening Remarks at Internet Governance Forum

A transcript of Vint Cerf's Opening Remarks at the IGF is available at ICANN. While reading this speech, I took special note of several comments Vint made:

  • "Its [The Internet's] ability to absorb new technologies and to support an increasing variety of applications are indicators of the power of its simple, clear and well-defined technical specifications and openly accessible capabilities at all layers of its architecture."

  • "There are only an estimated one billion users on the Internet today. That number might actually be larger if one considers that some of the 2.5 billion mobiles in use are also Internet-enabled... We still have to provide several billion more users with access"

  • "[After only 33 years] the Internet is already the largest, distributed collection of historical and current information ever in existence."

  • "Steps are needed to assure that the information we accumulate today will be usable not merely decades but centuries and even millennia into the future."

Vint packed more insightful remarks in a 5 minute speech than most politicians manage in an hour. Sometimes I think Socrates was correct in claiming that the world would be best managed by philosopher kings.

Archived at http://www.securityskeptic.com/arc20061101.htm#BlogID564 by Dave Piscitello