Posts Tagged ‘Articles’

Odd bugs and the case of an aging database

Sunday, August 29th, 2010

I was doing some troubleshooting recently trying to fix some issues reported in the Captcha of a registration system. The Captcha wasn’t always properly displaying and wouldn’t recognize valid code entries intermittently. After tracing some of the PHP to find just how the Captcha’s were being generated and managed, I found my way to the MySQL database and the table storing the values.

It took only a glance at the last and only row  to determine what the problem was – The primary key for the Captcha table was defined as an INT and had reached the value 65535. With the key unable to increment, any non-valid attempt (be it a bot or someone who couldn’t read the Captcha properly), would cause the system to lock up until the 1 in 100,000 chance that the same value was re-generated and someone correctly matched the code.  The failure resulting from this oversight was essentially a Denial of Service on the registration system.  To temporarily solve the issue, I did a simple reset of the primary key[1], which should buy a few years of development time to resolve the core issue.

This situation possesses an interesting design consideration when building long-running applications, even when you aren’t planning on storing a large amount of data for a long time. Tables that are frequently populated with new data should have measures in place to either handle recycling over-used values or should be built in a way that avoids these sort of conditions.  In the case of the Captcha above, the primary key was hardly used and could have been factored out entirely without the application running differently.

Looks like it’s time to get this database a subscription to AARP and some Depends….

References:

[1] Resetting a Primary Key

Tags: , , , , , , ,
Posted in Articles | No Comments »

Thoughts on IPv6 Firewalling

Monday, August 9th, 2010

It is the on-coming storm. We’ve all heard about it; it’s big, scary, and new. Public IP addresses for all and tearing down those NAT-PT barriers excites and worries many. IPv6 is coming but it’s not as frightening as it’s made out to be; most concepts from IPv4 can be applied directly to it’s younger brother. One of the ideals that IPv6 was designed around is the restoration of end-to-end connectivity of all nodes on the Internet; this introduces a certain uncertainty to how we design our firewalls under v6. We have options now, from the completely open networks geeks would love, to NATesque heavily stateful firewalls, and everything in between.

With our current version of the Internet Protocol we use private addresses heavily on internal networks protected automatically by the one way nature of NAT-PT; it has given many of us the expectation that connections cannot venture into our networks without our explicit permission. These networks are often described as castles or walled gardens, analogies referring to the strong perimeters and minmally secured interiors. We feel comfortable and secure in our walled gardens and IPv6 seems like it may rip some of that security away but this need not be the case. Regardless, the IPv4 internet is running out of addresses and IPv6 is coming; as the boyscout motto goes, ‘Be prepared’.

The paradigm of NAT is no longer the default in IPv6, the default has become every node exposed to the entirety of the internet. One extreme of the new freedom in IPv6 would be to drop all perimeter firewalling and firewall at each node. This strategy is likely a bad one but not entirely without merit. The slightly less extreme strategy of doing minimal filtering at the perimeter, purely packets that simply should not be heading into or out of any network. Things such as neighbour discovery, multicast listener discovery, Windows netbios protocols, and others. With the detailed firewalling moved to the node much of the firewalling work is widely distributed (assuming an attack didn’t focus on a single host, in that case, throttling could be done at the perimeter). One of the problems with this approach is the host firewall which would be easily torn down if the machine was compromised, inbound and outbound would be at the mercy of whoever is in control of that node. In my opinion this strategy should be at least experimented with and is probably suited to networks populated by geeks and datacenters.

On the other extreme is the heavily fortified perimeter, a well known paradigm to anyone who’s been involved in network security to any degree in the past decade. We block and/or control everything at the perimeter. SIP gateways, web proxies, stateful NAT firewalls. All this can still be accomplished under the new protocol short of hiding internal network addresses, however this would break many innovations that depend on peer to peer access. On a well configured enterprise network internet scope multicast streams may make it through but on smaller less throughly configured networks under this paradigm it may not, at present I don’t know enough about multicast routing and firewalling to say anything even remotely conclusive. The slightly less extreme version of this setup would be the good old stateful outbound only behaviour that exists in so many consumer NAT gateways.

There exist in between these two extreme ends of the firewalling world a range of happy mediums. One strategy would be to allow a certain range of ports though the perimeter for peer to peer applications such as the shared white-board application in Windows Vista. IPSec also requires end to end connectivity in a certain way and provides a secure and authenticated way to allow connections into the perimeter as IPsec can authenticate traffic and provide privacy as well. Microsoft has integrated IPSec into a remote access technology that works in a similar way to a VPN and yet subtly different, built entirely on IPv6 and IPSec technologies Microsoft’s Direct Access is an excellent example of a happy medium in the permissiveness of a perimeter.

At the end of the day it all depends on what you want from your network. A business will probably a strong perimeter, security oriented geeks could probably benefit from a node oriented firewalling strategy to make their projects and servers more flexible, and everyone will want IPsec authenticated/encrypted traffic.

Update: The Internet Architecture Board is considering IPv6 NAT in RFC 5902 in July 2010 and is discussed in a blogpost by Jeremy Stretch

Files: I’m releasing a script I wrote to generate ip6tables rules as part of this blogpost. It’s only v0.1 but I hope it will prove usable and useful to others. Suggestions and patches welcome. carbfw6-0.1.tar

Tags: , , , , , ,
Posted in Articles | No Comments »

Defcon 18 – photos and followup

Monday, August 2nd, 2010

Another year, another Defcon has passed. This year I went with CarbonLifeForm (who helped out with this post) and we attended talks, mingled with fellow enthusiasts, spread the psych0tik word, and enjoyed general debauchery. I was asked to take some photos for some friends who couldn’t attend this year, so I’ve pulled those together with some comments and added them to this post.

This year was quite busy, with far more people than have attended Defcon before. Unfortunately, that meant needing to wait in lines during other talks, so I’ll be looking forward to getting the video and being able to watch some of the ones I missed. A large number of attendees also made for a shortage of badges. This shortage resulted in a the “Lamer skybox party” Friday night for all those who didn’t get a proper badge. For a last minute party, the guys who put it together did a great job. I’ll be looking forward to hitting it up again next year.

Of the talks I saw, I particularly enjoyed the nmap scripting engine talk by Fyodor and the Razorback[2] debut by the Sourcefire guys. As always, Fyodor has been scanning the internet and this time he aimed nmap and a few nmap smb scripts at Microsoft’s net-blocks and showed us the results.

Razorback is Sourcefire’s new open source project, that’s built to correlate and process security events. It allows ambiguous data types and provides a framework for events to be dissected and analyzed by modules. Each piece of data is passed around to the various “Nuggets” for processing. It’s a neat system and I’ll be looking at writing some Nuggets to add to the farm.

In support of Gregory Evans and Ligatt, I wore a HackerGearOnline shirt on Friday. I was happy to see the con shirts labeled “Worlds #1 Hacker (conference)”, also paying due tribute to Mr. Evans. I didn’t manage to pick up one of the shirts, so I don’t have a picture of it.

Outside of being a bit over-populated, this year’s con was great. We enjoyed a number of interesting and entertaining talks and of course participated in the Defcon/Vegas shenanigans. Our flights were early and we missed closing ceremonies, but the announcement was made that Defcon would be moving from the Riviera to the Rio for Defcon 19[3].

MEDIA

This year’s badge was much more interactive than in years past. Including a mini-USB port and multiple challenges[1]

The following are a few shots of vintage hardware. This room (and a good bit of the hallway outside the room) had that “data center” smell. Directly below is a picture of the PDP-11[4].

A shot of the wall-o-sheep, as always, lots of great pwnage.

Hackbus – enough said.

Here’s a picture from Fyodor’s talk. If you can’t tell, this is nmap output for a Microsoft IP address.

Rocking my HackerGearOnline (order #19!) t-shirt. Thanks Greg!

As much as I try to keep this blog away from advertising, I’ve got to give it to IOActive for throwing a great party Saturday night.

A (now) empty bottle that ended up covered in Defcon18 stickers. The official booze of Defcon?

This one turned out to be off topic. I found this sticker on the dresser in my hotel room. I figured it was something con-related, but getting home and looking it up, it turns out to be a punk rock band. A bit of promotion for them too I suppose

REFERENCES

[1]Defcon 18 Badge – Ninja access bruteforcer

[2]Sourcefire VRT Labs – Razorback project

[3]Wikipedia – List of Defcon Venues

[4]Wikipedia – PDP-11

Tags: , , , , , , , , , , , , , ,
Posted in Articles | 1 Comment »

CSI releases first in a new series of whitepapers

Wednesday, February 3rd, 2010

The Cyber Secure Institute (CSI), a group looking to raise awareness about cyber security, has released it’s first whitepaper in a new series about cyberwar. This whitepaper, written by retired USAF General Eugene Habiger, addresses the need for a new approach towards viewing cyberwar. Gen. Habiger goes on to validate his claims with real-world examples, showing that our “rotary-phone-era stratgies are not well suited for today’s digital world.”

One of the main focuses of this whitepaper is showing that our tried-and-true methodologies of preemption and deterrence aren’t well suited to digital warfare. While both shouldn’t be left out of the cyberwarfare playbook, General Habiger builds the case for needing an alternative that is more suited for the digital battle ground.

Preemption relies on being able to detect an attack before it happens and respond in a way that prevents the attack. In the physical world preemption is a game of “I spy” watching troop movements and gathering intelligence; then responding with force directed at the aggressor. When we look at a similar strategy in the digital world, it becomes much more difficult. Detection before-the-fact because a bit more of a guessing game. It’s very possible to create or recruit a botnet, discover an 0-day, or gather intelligence on a target without any visible or detectable signs. Beyond simply finding a cyberattack in order to preempt it, there also are issues inherent in the response. In many cases attackers may be distributed across various nations (including the one being attacked) making it very hard to deliver a decisive blow and stopping the attack all together.

Deterrence, on the other hand, has a lot to do with stopping an attacker in the planning stages of an attack. The idea is when an attacker looks to make a move, they have to take into account the repercussions of their decision. To take a page from the history books, the cold war is a perfect example of deterrence. Any nation foolish enough to launch an offensive nuclear weapon would be met in kind. When we try and map this concept to the cyberwar, we reach an interesting conclusion: we’ve got a lot more to lose than they do and as with preemption, we have to be able to know who did it.

General Habiger concludes the paper with a call to arms for inherent security – security that is built in, not an after thought. He goes on to suggest that security be made so inherent that the basics would be taught in school or shown as public service announcements. This “paradigm shift” to inherent security creates an environment where security is within every layer of the internet, from the end-user to the hardware an application runs on. While such a methodology provides no obvious offensive strategies, it does harden the infrastructure and provide a much more appropriate defense.

References:

Cyber Secure Institute home page

Cyberwarfare and Cyberterrorism: The need for a new U.S. strategic approach – Gen. Habiger

Summary of Gen. Habiger’s 10 main points

Tags: , , , ,
Posted in Reviews | 1 Comment »