
locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Fri, 30 May 2008 00:00:00 00, 692
Comcast.net hijacking - was it phished?

Comcast had its .NET domain name hijacked on Wednesday, May 28th. Attackers got their hands on the credentials for Comcast's domain name management account at Network Solutions and altered DNS entries so that Comcast users landed on a defacement page when they attempted to use web mail and other Comcast services. According to a Network World News report, Network Solutions restored name service around 12:30 a.m., after roughly 90-120 minutes of service interruption for Comcast customers.

This incident is remarkably coincident with ICANN SSAC's publication of a security advisory describing Registrar Impersonation in Phishing Attacks, causing some reporters and readers to immediately link the event with a phishing attack. Network Solutions and Comcast haven't completed their forensic analyses and haven't disclosed how the attackers obtained Comcast's account credentials. Initially, some news reports speculated that the attackers used a brute-force password-guessing attack, while others suggested social engineering (which does include phishing). Two attackers now claim to have used a combination of social engineering and an exploit of Network Solutions' domain registration portal to take control of 200+ domain names in Comcast's portfolio, and the pair claim to have warned Comcast of their intent.

Only one security expert I know has called attention to the "data breach" potential of this attack. For example, had the attackers altered or added Mail eXchange (MX) records, they could have redirected Comcast subscribers' inbound email to servers they controlled and captured it, with no defacement page to tip anyone off. This particular incident appears to have been a malicious and retaliatory prank, but if it had been perpetrated by a more motivated attacker, it could have been far worse. What will it take to convince companies that domain names are assets and that lax management of these assets is a very large security risk?

Rather than speculate further, I would encourage any individual or organization that has registered one or more domain names to contact the company you use to register and manage your domain name portfolio. Learn from Comcast's incident. Ask tough questions regarding authentication and registration information security. I'd ask:

  • Do you monitor and record failed login attempts, and throttle or lock accounts, to defeat brute-force attacks against domain name accounts?
  • Do you take measures to assure that your customers use passwords that are difficult to guess?
  • Do you enforce {minimum length, complexity criteria, maximum lifetime, re-use,...} policies on passwords customers create?
  • What is your incident response procedure in the event that an account is compromised?
  • Do you offer a (premium) service that monitors registration information changes and actively monitors DNS changes?

Hmmm... that list suggests a rather interesting study to conduct.
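The last question above, monitoring DNS changes, is something a registrant can also do for itself. The following is an added example, not code from the original post nor from Network Solutions or Comcast: it compares a trusted baseline of a zone's NS, MX and A records with a newly observed snapshot and raises alerts for exactly the record types a registrar-account hijacker would rewrite. The zone (example.net), the attacker names (attacker.example) and both snapshots are constructed sample data; fetching the live snapshot from a resolver is left outside the example so it runs offline.

```python
"""Detect unauthorized changes to a domain's delegation and mail routing.

Compares a trusted baseline of DNS records against a freshly observed
snapshot and raises alerts for the record types an attacker holding the
registrar account would change: NS (re-delegating the zone), MX (capturing
inbound mail) and A/AAAA (redirecting web traffic). Both snapshots below are
constructed sample data; in production the observed snapshot would come from
a resolver query, which is deliberately left outside this offline example.
"""
from dataclasses import dataclass

# Severity of a change per record type. NS and MX changes silently hand the
# attacker the whole zone or its inbound mail, so they rank highest.
SEVERITY = {"NS": "critical", "MX": "critical", "A": "high", "AAAA": "high", "TXT": "medium"}
ORDER = ["low", "medium", "high", "critical"]


@dataclass(frozen=True)
class Alert:
    name: str
    rtype: str
    severity: str
    added: frozenset
    removed: frozenset


def normalize(rdata):
    """Owner names and targets are case-insensitive; compare them canonically."""
    return frozenset(r.lower().rstrip(".") for r in rdata)


def diff_snapshots(baseline, observed):
    """Return one Alert per (name, rtype) whose record set differs.

    Both arguments map (name, rtype) -> iterable of rdata strings. A record set
    that vanishes is reported too: deleting MX records is enough to cause a
    mail outage, and deleting NS records takes the zone off the air.
    """
    alerts = []
    for key in sorted(set(baseline) | set(observed)):
        base = normalize(baseline.get(key, ()))
        now = normalize(observed.get(key, ()))
        if base == now:
            continue
        name, rtype = key
        alerts.append(Alert(name, rtype, SEVERITY.get(rtype, "low"), now - base, base - now))
    return alerts


def worst_severity(alerts):
    """Highest severity among the alerts, or None when nothing changed."""
    return max((a.severity for a in alerts), key=ORDER.index, default=None)


# Constructed baseline: what the registrant expects its zone to look like.
BASELINE = {
    ("example.net", "NS"): ["ns1.example.net.", "ns2.example.net."],
    ("example.net", "MX"): ["10 mx1.example.net.", "20 mx2.example.net."],
    ("mail.example.net", "A"): ["192.0.2.10"],
}

# Constructed snapshot resembling a registrar-account hijack: the zone is
# re-delegated to attacker-controlled name servers and inbound mail rerouted.
HIJACKED = {
    ("example.net", "NS"): ["ns1.attacker.example.", "ns2.attacker.example."],
    ("example.net", "MX"): ["10 mail.attacker.example."],
    ("mail.example.net", "A"): ["203.0.113.5"],
}

if __name__ == "__main__":
    for a in diff_snapshots(BASELINE, HIJACKED):
        print(f"[{a.severity}] {a.name} {a.rtype}: added {sorted(a.added)} removed {sorted(a.removed)}")
```

Run it from cron against snapshots taken from a resolver outside your own network (what the world sees is what matters), and treat any NS or MX alert as an incident rather than a change request: in the Comcast case the defacement page made the hijack obvious within minutes, but an MX-only change would have produced no visible symptom at all.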

Archived at http://www.securityskeptic.com/arc20080501.htm#BlogID692 by Dave Piscitello  


Thu, 29 May 2008 00:00:00 00, 690
Tribute to Matt Spaulding

PFC and Army Medic Matt Spaulding of Bluffton, SC was awarded a Bronze Star with Valor for his bravery in combat in Afghanistan on June 9th, 2007. Wounded himself when his unit's patrol vehicle was struck by an improvised explosive device, Matt aided a severely injured comrade, reviving him using CPR and stabilizing serious leg wounds until help arrived. A recent article in the Island Packet provides a detailed account.

Matt was a Bluffton wrestling teammate of my own son, Matt. They wrestled at adjacent weight classes, and I watched both boys wrestle and mature for many years at dozens of matches and tournaments in High School gymnasiums across South Carolina and Georgia. Matt Spaulding never shied away from a challenge. As quarterback of a first-year HS team, Matt took everything more experienced defenses could dole out. As a wrestler, he took his lumps as an underclassman but endured to become a state qualifier in his senior year. His actions come as no surprise to those who knew and watched him as a HS athlete. We are proud of you, Matt, grateful that you are still with us, and pray you will remain so for many years to come.

Archived at http://www.securityskeptic.com/arc20080501.htm#BlogID690 by Dave Piscitello  


Wed, 28 May 2008 00:00:00 00, 691
SSAC Advisory: Registrar Impersonation in Phishing Attacks

In an earlier blog post, I described a form of phishing where the attacker impersonates a registrar, with the goal of gaining access to a domain name management account.

On behalf of ICANN's SSAC and with the assistance of colleagues at the APWG, I've written an Advisory on Registrar Impersonation Phishing Attacks.

Registrar impersonation targets domain name registrants. The phisher impersonates a domain name registrar and sends a registrar's customer the kind of correspondence that customer expects to receive about a domain name related matter. Like many e-businesses, domain registrars use email to remind customers when it's time to renew a registration, to ask them to verify the accuracy of their registration (WHOIS) information, and so on. The email lures the recipient to an impersonated registrar web site, and in particular to a look-alike of the login page for the registrar's customers. The customer logs in and unwittingly discloses his account credentials. The phisher then uses the domain names in this customer's portfolio for other attacks.

In this Advisory, SSAC describes generic forms of this type of attack. We consider the types and formats of information included in legitimate email messages that various registrars use when corresponding with customers. We discuss some of the currently recommended practices for minimizing or preventing phishing attacks that common phishing targets such as financial institutions and large corporations employ. Most importantly, we recommend measures that registrars can take to make their correspondence with registrants less "phishable" and identify ways for registrants to detect and avoid falling victim to this form of phishing.
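One of the simplest checks a registrant can make on a "renew now" or "verify your WHOIS data" message is to look at where its links actually go. The code below is an added example, not part of the SSAC Advisory or of this post: it extracts every link from an HTML email and flags two lure patterns, a link whose host is not under the registrar's own domain, and visible link text that names one host while the href points at another. The registrar domain (registrar.example) and the sample message are constructed placeholders.

```python
"""Flag lure links in a registrar-branded email.

Two checks a registrant can apply before clicking: every link should lead to
a host under the registrar's own domain, and the text shown for a link should
not name a different host than the href behind it. The registrar domain and
the sample message are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that itself looks like a URL or hostname (the classic lure:
# the reader sees the registrar's name, the browser goes somewhere else).
_LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL, or of bare text like 'www.registrar.example/login'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def belongs_to(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, registrar_domain):
    """Return (href, text, reason) for every link that should stop the reader."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        if not belongs_to(href_host, registrar_domain):
            findings.append((href, text, f"link goes to {href_host!r}, not {registrar_domain}"))
        if _LOOKS_LIKE_URL.fullmatch(text):
            text_host = host_of(text)
            if text_host != href_host:
                findings.append((href, text, f"text shows {text_host!r} but href is {href_host!r}"))
    return findings


# Constructed sample: a renewal notice with one legitimate link and two lures.
# The second lure puts the registrar's name in a subdomain of an attacker host.
SAMPLE_EMAIL = """
<p>Your domain example.net expires in 7 days.</p>
<p><a href="https://www.registrar.example/renew?d=example.net">Renew now</a></p>
<p>Or verify your contact data at
<a href="http://registrar.example.account-verify.example/login">www.registrar.example/account</a></p>
<p><a href="http://203.0.113.7/r.php">Manage your portfolio</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL, "registrar.example"):
        print(f"{reason}\n    text: {text!r}\n    href: {href}")
```

The subdomain lure is the one worth internalizing: `registrar.example.account-verify.example` begins with the registrar's name but is controlled by whoever owns `account-verify.example`, which is why the check compares the whole host against the registrar's domain rather than searching for the registrar's name inside it.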

Archived at http://www.securityskeptic.com/arc20080501.htm#BlogID691 by Dave Piscitello  


Mon, 19 May 2008 00:00:00 00, 688
What's a domain registration worth?

While reading a report on phishing, I came across the statement, "On March 2007, the .CN (China) registry operator, CNNIC, significantly reduced the annual cost of .CN domain name registrations to one yuan ($0.13 US). This price helped the .CN grow explosively, from 1.87 million domains in February 2007 to 9 million in December 2007."

The cost to register a domain is commonly quite different from the asset or speculative value of that registration. Visit certain registrars and you will find not only domains that can be registered for under $10 US but also *opportunities* to have already-registered domain names transferred to you for a fee. What kind of fees?

  • You can pay $15-20 for a common mistype or variant of the name you submitted in an availability check.
  • You can enter into an auction or search names-for-sale databases for names that contain a keyword you desire. For example, enter the word "scam" at DomainTools. You'll get a list of domain names containing that word, and you can acquire these for as little as $5 US (westnilevirus.com), for $1,750 US (scamfreeinternet.com), or even $10,000 US (emailscammers.com).
  • So-called premium names are also available "for distribution using non-traditional allocation models" (search for this phrase and be amused, be very amused).

I find it fascinating that something that is not legally "property", that could cost as little as $.13, and that hasn't been buried for a thousand years could be so classified, don't you?

Asking how much a domain registration is worth is a lot like asking how much the human body is worth. Based on chemical and mineral composition, the average adult body is worth around $4.50 US[1]. However, put a living body in the hands of a speculative market in a futuristic society gone wild, and you could sell DNA from that one body for $9.7M US, bone marrow at $23,000 US per gram, or two lungs at $116,400 US per[2].

Free market economies. Love 'em and fear 'em.

Archived at http://www.securityskeptic.com/arc20080501.htm#BlogID688 by Dave Piscitello  


Wed, 14 May 2008 00:00:00 00, 689
IronKey: an affordable, secure portable drive

I met a field officer from the US Customs Department while speaking in Washington, DC. He showed me an IronKey, a hardened and secure USB drive. Some of the IronKey features that impress me include:

  • Tamper-resistant and waterproof casing. The device is "potted", i.e., the crypto chip and memory are encased in material that protects the electronics from water damage. At the encouragement of the USCD officer, I put mine in my jeans pocket and tossed it in the washer :-) and it works fine.
  • Always-on AES encryption. The encryption keys are generated by the embedded crypto chip using a FIPS 140-2 compliant true random number generator.
  • Password protection, online password recovery and escrow. You can escrow your device password at a secure site. Access to the secure site requires you to answer multiple authentication challenges. Authentication is multi-factor as well: you cannot complete authentication if your IronKey is not connected to the PC when you attempt to log in.
  • Anti-tampering measures. After 10 incorrect password attempts, or if someone attempts to remove the crypto or memory chip from the casing, the data on the device are erased.
  • On-board password manager: you can encrypt and store all your passwords on the device.
  • Secure applications. You can surf from a hardened Firefox browser that can be launched from the device, or you can use IronKey's encrypted and anonymous proxy service.
  • Secure (encrypted) backup from the device to an encrypted file on a PC.

IronKey comes in personal and enterprise flavors and in several sizes. The devices generally cost about 2-3 times as much as an unsecured USB drive of the same storage capacity. This is a small price to pay for a more secure portable media solution.

The configuration software is currently for Windows PCs only, but once configured, the device can be used on Mac OS X and Linux systems. I've asked about Mac OS support for the configuration application, and the company has plans to deliver it in 4Q08.

Visit www.ironkey.com, watch the demo, read more about the device, and consider test driving one for yourself or your organization.

Archived at http://www.securityskeptic.com/arc20080501.htm#BlogID689 by Dave Piscitello  


Wed, 07 May 2008 00:00:00 00, 687
The cell service drought is over

I live on a part of Hilton Head Island that is cell service-challenged. We are several miles from the nearest tower, surrounded by towering pines. The architectural review board of my owners' association insists that antennae and towers of any kind detract from the island's beauty.

For years our cell reception has been in the half-bar range, enough to receive BlackBerry email and the ringtone of an incoming call. If my family and neighbors actually want to accept an incoming call, we sprint out the door and down the driveway towards an opening in the pine tree canopy.

I am now the happy user of a BlackBerry Curve with a WiFi implementation that works with my IEEE 802.11b/g access point and supports WPA2/AES with pre-shared keys. You can hear me now - and I don't need a horde of Ver1zon technicians trailing me and my cellie.

If you get a Curve, bear in mind that the WiFi implementation tunnels voice service over an IPsec connection. IPsec (and IKE) may be blocked at firewalls as part of an egress traffic policy. This may affect you in the following scenarios:

  1. You are in a hotel where you can't get good cell coverage BUT the hotel offers WiFi. You may have to choose the option "give me a public IP address" to get IPsec to work (I won't bore you with the details; simply know that network address translation and IPsec don't always play well together, and that IPv6 should fix this :-)

  2. You are visiting a company that offers you WiFi guest connectivity but blocks all but a limited set of ports. Some companies don't permit visitors to use IPsec from their networks (it's an opaque tunnel and represents an information disclosure risk), so they may block your phone.

  3. Like me, you run a very secure firewall in your home office. I only open TCP/UDP ports outbound for applications that fall within my household acceptable use policy and block all the rest. So, like me, you will need to create a policy at your firewall that allows the following outbound from your wireless LAN to the Internet: UDP port 500 (IKE), UDP port 4500 (IPsec NAT-Traversal, which carries ESP encapsulated in UDP precisely because of the NAT problem above), and, if your firewall filters raw IP protocols as well as ports, ESP (IP protocol 50) and AH (IP protocol 51). (Go ahead, be like Dave, experience what a firewall admin really deals with.)

Assuming you've configured your WLAN connection properly, you should be able to surf the net from your Curve without IPsec. Thus, if you have a WiFi signal and are able to browse, a "Call failed" popup on your phone is a solid indicator that your tunnel is being blocked.
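To make the diagnosis in the previous paragraph concrete, here is an added example (not code from the original post or from RIM) that models a default-deny outbound firewall as an ordered rule list and evaluates the flows the handset produces when it browses and when it places a call. The wireless subnet, the handset address and the two rule sets are constructed; the protocol numbers (UDP 17, ESP 50, AH 51) and ports (IKE UDP/500, IPsec NAT-Traversal UDP/4500) are the standard ones.

```python
"""Egress policy check for the IPsec tunnel a WiFi handset needs.

Models a default-deny outbound firewall as an ordered rule list and evaluates
the flows a phone generates, so you can see which rule a "Call failed" trips
on. Addresses and rule sets are constructed; protocol numbers and ports are
the standard IANA assignments.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TCP, UDP, ESP, AH = 6, 17, 50, 51


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # source CIDR the rule applies to
    proto: Optional[int] = None  # None = any IP protocol
    dport: Optional[int] = None  # None = any port (ESP/AH have no ports)


@dataclass(frozen=True)
class Flow:
    src: str
    proto: int
    dport: Optional[int] = None


def first_match(rules, flow):
    """First rule matching the flow, or None, which the caller treats as deny."""
    for r in rules:
        if ip_address(flow.src) not in ip_network(r.src):
            continue
        if r.proto is not None and r.proto != flow.proto:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r
    return None


def decide(rules, flow):
    """Policy verdict for one flow under a default-deny ruleset."""
    r = first_match(rules, flow)
    return r.action if r else "deny"


def blocked(rules, flows):
    """Flows the policy denies; an empty list means the service works."""
    return [f for f in flows if decide(rules, f) == "deny"]


WLAN = "192.168.2.0/24"        # constructed: the home wireless segment
PHONE = "192.168.2.23"         # constructed: the handset's address

# Household policy before the phone arrived: DNS and web only, default deny.
WEB_ONLY = [
    Rule("allow", WLAN, UDP, 53),
    Rule("allow", WLAN, TCP, 80),
    Rule("allow", WLAN, TCP, 443),
]

# The same policy plus what IKE/IPsec needs. ESP and AH are IP protocols,
# not ports, so those rules carry no dport; NAT-T wraps ESP in UDP/4500.
WITH_IPSEC = WEB_ONLY + [
    Rule("allow", WLAN, UDP, 500),    # IKE
    Rule("allow", WLAN, UDP, 4500),   # IPsec NAT-Traversal
    Rule("allow", WLAN, ESP),         # raw ESP, when no NAT is in the path
    Rule("allow", WLAN, AH),
]

# What the handset sends when it browses and when it sets up a call.
BROWSE = [Flow(PHONE, UDP, 53), Flow(PHONE, TCP, 443)]
CALL = [Flow(PHONE, UDP, 500), Flow(PHONE, UDP, 4500)]

if __name__ == "__main__":
    for name, rules in (("web-only", WEB_ONLY), ("with-ipsec", WITH_IPSEC)):
        print(f"{name}: browse blocked={blocked(rules, BROWSE)} call blocked={blocked(rules, CALL)}")
```

On a Linux firewall the `WITH_IPSEC` additions correspond to four outbound rules from the wireless interface: `-p udp --dport 500 -j ACCEPT`, `-p udp --dport 4500 -j ACCEPT`, `-p esp -j ACCEPT` and `-p ah -j ACCEPT`. The web-only ruleset reproduces the symptom described above exactly: DNS and HTTPS pass, so the browser works, while the IKE and NAT-T flows fall through to the default deny and the call fails.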

A word about the service. The call quality over a 3 Mbps DSL connection is about the same as you'd get from Vonage VoIP: a bit tinny but tolerable. If you use the browser on your BlackBerry, you'll notice much improved download times. I quickly glanced at the traffic the BlackBerry generates while it is connected using WiFi. I noticed that my proxy firewall was stripping third-party cookies for hitbox.com. Grats to my firewall and bite me, Hitbox. The BlackBerry appears to work fine without them, so if you have HTTP proxy capabilities, a cookie blocker, or are willing to flog at your browser preferences, you might think about thwarting Hitbox, too.

Archived at http://www.securityskeptic.com/arc20080501.htm#BlogID687 by Dave Piscitello