Tuesday, May 5, 2009

Three Dimensions to Protect your Computer

First - Strengthen the defense of your computer

- Install Firewalls
A firewall is an isolation technology that separates an internal network from the Internet. It filters the traffic exchanged between the two networks: it lets in the data and people you "agree" to admit and blocks the data and people you "do not agree" to admit, so outsiders cannot change, copy or destroy your material. To keep the firewall effective, you must keep it updated.

- Install Anti-virus software
The key to computer viruses is not "kill" but "prevent". Install anti-virus software, enable its real-time monitoring, and keep both the software and the virus definition file updated. To guard against the newest viruses, set the update process to run daily. Also run a complete scan of the computer every week.

- Guard against Spyware
Spyware is a program installed without the user's authorization. It collects information and sends it to a third party. Spyware can be bundled with software or executable images and so get into the user's computer. It is used to track computer usage, record keystrokes, or take screen captures. To keep spyware out, you can:
- raise the security level of your browser
- install software that guards against spyware
- verify the software you plan to install with its official website

Second - Defend against attacks

- Refuse unknown software, emails and attachments
Don't download unknown software. Save all downloaded software into one directory and scan it before installing. Don't open unknown emails or their attachments; many viruses spread through email. Be especially wary of unknown emails with intriguing subject lines.

- Don't visit hacker and pornographic websites
Many viruses and spyware come from these websites. If you browse them and your computer is not secure enough, you can imagine what will happen next.

- Avoid shared folders
A shared folder is risky: outsiders can browse it freely. When you must share a folder, remember to set a password on it, and remove the share as soon as it is no longer needed. Sharing a whole drive is extremely dangerous: if someone removes a system file, your machine may go down and fail to start again.

Last - Keep checking and updating

- Set different and complicated passwords
On the Internet there are thousands of places that need a password: e-banking, login accounts, email. Use a different password for each, so that if one password is broken the loss is limited. Avoid meaningful passwords such as birthdays or telephone numbers; use passwords made of letters and numbers. One more thing: do not choose the "Save Password" option.

- Beware of fraud
The number of Internet fraud cases keeps increasing: a fake bank website is set up and an email is sent out asking for your password. Before taking any action, verify whether the request is genuine. You can phone the bank hotline to ask, or go to the bank and contact them directly.

- Backup
Backup is the last line of defence against attacks. If your computer is hacked, the operating system and software can be reinstalled, but data can only be restored if you make backups frequently.

Sunday, April 12, 2009

Seven Common DoS Attack Methods

Attackers have an armoury of methods for launching Denial of Service (DoS) attacks. The following seven sections show the extent of the problem faced by organizations trying to counter the DoS threat. TippingPoint provides solutions to battle these common DDoS attack methods:

- Vulnerabilities
- Zombie Recruitment
- Attack Tools
- Bandwidth Attacks
- SYN Floods
- Established Connection Floods
- Connections-Per-Second Floods

Method 1 - Vulnerabilities

Attackers can attempt to crash a service or the underlying operating system directly across a network. These attacks disable services by exploiting buffer overflows and other implementation flaws present in vulnerable servers. Vulnerability attacks do not require extensive resources or bandwidth to carry out; an attacker only needs to know that a vulnerability exists in order to exploit it and cause widespread damage. Once an attacker controls a vulnerable service, application or operating system, they abuse that foothold to disable systems and ultimately bring down an entire network from within.

Method 2 - Zombie Recruitment

The same vulnerabilities used to crash a server let attackers turn vulnerable PCs into Distributed Denial of Service zombies. Once the attacker exploits the vulnerability to gain control of the system, they plant a backdoor for later use in DDoS attacks. The Trojan or similar infection provides a path into the system; with that path, the attacker remotely controls the machine, making it a "zombie" that waits for the attack command. Using these zombies, attackers can launch a huge number of DoS and DDoS attacks anonymously. Viruses can also be used for zombie recruitment. For instance, the MyDoom worm was designed to turn PCs into zombies that attacked SCO and Microsoft at a prearranged time programmed into the virus. Other viruses install backdoors that let attackers launch coordinated attacks, spreading the attacks across networks around the globe. The following figures detail how attackers build and launch these attacks against a network.

Method 3 - Attack Tools
After recruiting zombies, attackers use covert communication channels to contact and manage their zombie armies. They can choose from hundreds of off-the-shelf backdoor programs and custom tools available on websites. These tools and programs launch the attacks that penetrate and take over networks as zombie armies, from which further attacks are launched. Once they have the zombie systems, they can use other tools to send a single command to all zombies simultaneously. In some cases the commands are carried in ICMP or UDP packets that can bypass firewalls. In other cases the zombie "phones home" by making a TCP connection to the master. Once the connection is established, the master can control the zombie.

The tools used to attack and control systems include:

- Tribe Flood Network (TFN) - Focuses on Smurf, UDP, SYN and ICMP echo request floods.
- Tribe Flood Network 2000 (TFN2K) - The updated version of TFN.
- Trinoo - Focuses on UDP floods. Sends UDP packets to random destination ports; the packet size is configurable.
- Stacheldraht - Software tool that focuses on TCP, ACK, TCP NULL, HAVOC, DNS floods, and TCP packet floods with random headers.

These DDoS tools are evolving both in their covert-channel implementation and in their flooding methods. Newer tools use random port numbers or operate over IRC. Further, smarter tools disguise flooding packets as legitimate service requests and/or introduce a high degree of randomness. These improvements make it increasingly hard for a port-filtering device to separate attack packets from legitimate traffic.

Method 4 - Bandwidth Attacks
When a DDoS attack is launched, it can often be detected as a significant change in the statistical composition of the network traffic. For example, a typical network might consist of 80 percent TCP and a 20 percent mix of UDP and ICMP. A change in that statistical mix can signal a new attack. For example, the Slammer worm produced a surge of UDP packets, whereas the Welchia worm produced a flood of ICMP packets. Such surges can be DDoS attacks or so-called zero-day attacks, attacks that exploit previously unknown vulnerabilities.

Method 5 - SYN Flood
One of the most common types of DoS attack is the SYN Flood. It can be launched from one or more attacking machines to disable access to a target server. The attack abuses the mechanism used to establish a TCP connection. Every TCP connection requires the completion of a three-way handshake before it can carry data:

- Connection Request - First packet (SYN) sent from the requester to the server, starting the three-way handshake
- Request Acknowledgement - Second packet (SYN+ACK) sent from the server to the requester
- Connection Complete - Third packet (ACK) sent from the requester back to the server, completing the three-way handshake

The attack consists of a flood of invalid SYN packets with spoofed source IP addresses. The spoofed source address causes the target server to respond to the SYN with a SYN-ACK to an unsuspecting or non-existent source machine. The target then waits for an ACK from that source to complete the connection. The ACK never arrives, and the connection table is tied up with a pending connection request that never completes. The table quickly fills and consumes all available resources with invalid requests. While the number of connection entries varies from one server to another, tables may fill with only hundreds or thousands of requests. The result is a denial of service, since once the table is full the target server is unable to serve legitimate requests. The difficulty with SYN attacks is that each request in isolation looks benign; an invalid request is very hard to distinguish from a legitimate one.


Method 6 - Established Connection Flood

An Established Connection Flood is an evolution of the SYN Flood that uses an array of zombies to mount a DDoS attack on a target. The zombies establish apparently legitimate connections to the target server. By using a large number of zombies, each opening a large number of connections to the target, an attacker can create so many connections that the target can no longer accept legitimate connection requests. For example, if a thousand zombies each make a thousand connections to a target server, the server must hold a million open connections. The result is similar to a SYN Flood in that it consumes server resources, but it is even harder to detect.

Method 7 - Connections Per Second Floods
Connections Per Second (CPS) Flood attacks flood servers with a high rate of connections from apparently valid sources. In these attacks, an attacker or army of zombies attempts to drain server resources by rapidly setting up and tearing down TCP connections, perhaps issuing a request on each connection. For example, an attacker might use a zombie army to repeatedly fetch the home page of a target web server. The resulting load makes the server extremely sluggish.
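The three traffic signatures described under Methods 4, 5 and 7 (a shift in the protocol mix, SYN requests that never complete the handshake, and bursts of connections per second from one source) can each be checked from a packet capture. The following detector is an added example, not code from the original article or from TippingPoint; the baseline mix, the thresholds, the packet record format and the sample traffic are all constructed here.

```python
"""Detection logic for protocol-mix surges, half-open SYN build-up and per-source
connection-rate bursts over a constructed packet log. Added example."""
from collections import Counter, defaultdict

# Assumed normal mix, following the article's "80 percent TCP, 20 percent UDP and ICMP".
BASELINE = {"tcp": 0.80, "udp": 0.15, "icmp": 0.05}

# A packet record is (timestamp_seconds, proto, src_ip, dst_port, tcp_flags) as seen
# at the server; tcp_flags is "S" for a client SYN, "A" for the client's handshake ACK.


def protocol_mix(packets):
    """Share of each baseline protocol in the captured packets."""
    counts = Counter(p[1] for p in packets)
    total = sum(counts[proto] for proto in BASELINE) or 1
    return {proto: counts[proto] / total for proto in BASELINE}


def surging_protocols(packets, baseline=BASELINE, threshold=0.25):
    """Protocols whose share rose more than `threshold` above the baseline (Method 4)."""
    mix = protocol_mix(packets)
    return sorted(p for p in mix if mix[p] - baseline[p] > threshold)


def half_open_ratio(packets):
    """Fraction of client SYNs not followed by a handshake ACK from the same source.
    Spoofed SYNs never produce that ACK, so a SYN flood drives this towards 1.0 (Method 5)."""
    syns, acks = defaultdict(int), defaultdict(int)
    for _ts, proto, src, _dport, flags in packets:
        if proto != "tcp":
            continue
        if flags == "S":
            syns[src] += 1
        elif flags == "A":
            acks[src] += 1
    total_syn = sum(syns.values())
    if total_syn == 0:
        return 0.0
    completed = sum(min(n, acks[src]) for src, n in syns.items())
    return 1.0 - completed / total_syn


def cps_offenders(packets, max_per_second=50):
    """Sources that opened more than `max_per_second` TCP connections in one second (Method 7)."""
    per_src_second = Counter()
    for ts, proto, src, _dport, flags in packets:
        if proto == "tcp" and flags == "S":
            per_src_second[(src, int(ts))] += 1
    return sorted({src for (src, _sec), n in per_src_second.items() if n > max_per_second})


def analyze(packets):
    return {
        "surging_protocols": surging_protocols(packets),
        "half_open_ratio": round(half_open_ratio(packets), 3),
        "cps_offenders": cps_offenders(packets),
    }


# --- constructed sample traffic (documentation address ranges, no real hosts) ---

def normal_traffic():
    """40 completed handshakes from four internal clients plus a little UDP and ICMP,
    matching the assumed 80/15/5 mix exactly."""
    pk = []
    for i in range(40):
        src = f"10.0.0.{i % 4 + 1}"
        pk.append((i * 0.1, "tcp", src, 80, "S"))
        pk.append((i * 0.1 + 0.01, "tcp", src, 80, "A"))
    pk += [(i * 0.2, "udp", "10.0.0.9", 53, "") for i in range(15)]
    pk += [(i * 0.5, "icmp", "10.0.0.9", 0, "") for i in range(5)]
    return pk


def syn_flood():
    """300 SYNs from 200 spoofed addresses; no ACK ever follows."""
    return [(5 + i * 0.005, "tcp", f"198.51.100.{i % 200 + 1}", 80, "S") for i in range(300)]


def udp_surge():
    """400 UDP packets in under a second, a Slammer-style protocol-mix shift."""
    return [(5 + i * 0.002, "udp", "192.0.2.5", 1434, "") for i in range(400)]


def cps_flood():
    """One source completing 120 handshakes inside a single second."""
    pk = []
    for i in range(120):
        pk.append((5 + i * 0.008, "tcp", "203.0.113.7", 80, "S"))
        pk.append((5 + i * 0.008 + 0.001, "tcp", "203.0.113.7", 80, "A"))
    return pk


if __name__ == "__main__":
    base = normal_traffic()
    for name, extra in [("normal", []), ("syn flood", syn_flood()),
                        ("udp surge", udp_surge()), ("cps flood", cps_flood())]:
        print(name, analyze(base + extra))
```

Each check isolates one of the article's signatures: the SYN flood is invisible to the protocol-mix check (it is still TCP) but shows up as a half-open ratio near 1, while the CPS flood completes every handshake and is only caught by the per-source rate. In practice the thresholds should be derived from the network's own baseline rather than the constants assumed here.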

Monday, February 2, 2009

MikroTik RouterOS SNMP Security Bypass Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

http://felinemenace.org/~andrewg/MikroTik_Router_Security_Analysis_Part2/

The MikroTik Wireless Router is a Linux-based embedded wireless router, focusing on functionality such as bandwidth management, firewalling, VPN server/client, and various other things. As with all embedded Linux-based software, it is interesting to pull it apart :)

It has been around for a while now… a couple of years ago when I analysed the software and pulled it apart, it had drivers/firmware to turn standard Orinoco wireless cards into an Access Point (which as far as I know isn't possible otherwise, at least not when I was looking at it).

For the purposes of this article, I am looking at mikrotik-2.9.46.iso (MD5sum: 65aa908dd748ccf72ad9f588613dfe31, SHA1sum: 5e5ed13498db8d9745a701f75e58da3ef6701e58). For the most part, I have used QEMU to emulate the hardware/software environment to install it on. This has several advantages, such as being able to edit the "disk" it's using easily, amongst other things.
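Before pulling an image apart it is worth confirming that the file on disk is the one the article describes. The checker below is an added example, not part of the original article; the expected sums are the MD5 and SHA-1 values quoted above for mikrotik-2.9.46.iso, and the default file path is an assumption.

```python
"""Check a downloaded image against the MD5 and SHA-1 sums quoted in the article,
so the analysis is known to run on the same file. Added example."""
import hashlib
import sys

# Sums quoted in the article for mikrotik-2.9.46.iso.
EXPECTED_MIKROTIK = {
    "md5": "65aa908dd748ccf72ad9f588613dfe31",
    "sha1": "5e5ed13498db8d9745a701f75e58da3ef6701e58",
}


def file_digests(path, chunk_size=1 << 20):
    """MD5 and SHA-1 of a file, read in chunks so a large ISO never sits in memory at once."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(path, expected=EXPECTED_MIKROTIK):
    """Return the digests that differ as {name: (expected, actual)}; an empty dict is a match.
    Both algorithms are checked: agreement on one of them alone is not enough."""
    actual = file_digests(path)
    return {name: (want.lower(), actual[name])
            for name, want in expected.items() if actual[name] != want.lower()}


if __name__ == "__main__":
    image = sys.argv[1] if len(sys.argv) > 1 else "mikrotik-2.9.46.iso"  # assumed location
    mismatches = verify_image(image)
    for name, (want, got) in mismatches.items():
        print(f"{name}: expected {want}, got {got}")
    if mismatches:
        sys.exit(1)
    print("image matches the published sums")
```

Run it as `python verify_image.py /path/to/mikrotik-2.9.46.iso`; a non-zero exit means at least one sum differs and the image should not be trusted for the analysis that follows.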
Performing active analysis of MikroTik router components

As with any analysis of potentially hostile software, you should be careful to take adequate security precautions when running untrusted software.

To perform more active analysis of the MikroTik components, we could copy the applicable binaries and associated libraries to another linux platform. This would allow us to strace the binary, debug it (which is incredibly useful for exploit development), and monitor the activities it performs in general. Furthermore, we can copy the kernel and applicable modules to perform further analysis on them, and to allow the environment to be replicated a lot better.

The analysis environment / setup

For this article, I have done a basic network install of Debian 4rc1. After performing the installation and installing a bunch of generic tools (strace/gdb/gcc/ltrace/openssh-server/nasm/etc), I then extracted the Mikrotik kernel and modules, and put the applicable files into their place.

Sunday, August 31, 2008

Security issues and solutions in multicast content distribution: a survey

Abstract
Multicast enables efficient large-scale content distribution by providing an efficient transport mechanism for one-to-many and many-to-many communication. The very properties that make multicast attractive, however, also make it a challenging environment in which to provide content security. We show how the fundamental properties of the multicast paradigm cause security issues and vulnerabilities. We focus on four areas of research in security for multicast content distribution: receiver access control, group key management, multicast source authentication, and multicast fingerprinting. For each we explain the vulnerabilities, discuss the objectives of solutions, and survey work in the area. Also, we briefly highlight other security issues in multicast content distribution including source access control, secure multicast routing, and group policy specification. We then outline several future research directions.

Tuesday, August 26, 2008

Network Security

Comparison with computer security

Securing network infrastructure is like securing the possible entry points of attacks on a country by deploying appropriate defences. Computer security is more like providing the means to protect a single PC against outside intrusion. The former is more practical for protecting the civilians from exposure to attacks. Preventive measures attempt to secure access to the individual computers, that is, the network itself, thereby protecting the computers and other shared resources, such as printers and network-attached storage, connected by the network. Attacks can be stopped at their entry points before they spread. In computer security, by contrast, the measures taken focus on securing individual computer hosts. A computer host whose security is compromised is likely to infect other hosts connected to a potentially unsecured network. A computer host's security is also exposed to users with higher access privileges on that host.

Attributes of a secure network

Network security starts with authenticating every user, most commonly with a username and a password. Once a user is authenticated, a stateful firewall enforces access policies such as which services the network users are allowed to access.[1] Though effective at preventing unauthorized access, this component fails to check potentially harmful content such as computer worms being transmitted over the network. An intrusion prevention system (IPS)[2] helps detect and prevent such malware. An IPS also monitors network traffic for suspicious content, volume and anomalies to protect the network from attacks such as denial of service. Communication between two hosts on the network can be encrypted to maintain privacy. Individual events occurring on the network can be tracked for audit purposes and for later high-level analysis.
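The distinction the paragraph draws between a stateful firewall and a plain packet filter is easiest to see in code: the filter below keeps a table of approved sessions, so replies to connections opened from the inside are admitted without a rule of their own, while unsolicited inbound packets are accepted only for published services and only when they actually start a session. This is an added example, not code from the page; the internal address prefix, the allowed services and the sample packets are assumptions.

```python
"""A minimal stateful packet filter: a policy of services the outside may reach plus a
connection-state table for return traffic. Added example, not from the page."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags, "S" for a bare SYN, "SA" for SYN+ACK, "A" for ACK


INTERNAL_PREFIX = "10.0.0."                    # assumed internal address space
ALLOWED_INBOUND = {("tcp", 443), ("tcp", 22)}  # assumed policy: HTTPS and SSH are published


class StatefulFirewall:
    def __init__(self, allowed_inbound=ALLOWED_INBOUND):
        self.allowed_inbound = set(allowed_inbound)
        self.sessions = set()  # (proto, client, cport, server, sport) tuples already approved

    @staticmethod
    def is_internal(ip):
        return ip.startswith(INTERNAL_PREFIX)

    def filter(self, pkt):
        """Return "ACCEPT" or "DROP" for one packet, updating the state table as a side effect."""
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packet belongs to a session already approved, in either direction.
        if forward in self.sessions or reverse in self.sessions:
            return "ACCEPT"
        # Outbound: an internal host opens a session; remember it so the replies get back in.
        if self.is_internal(pkt.src) and not self.is_internal(pkt.dst):
            if pkt.proto != "tcp" or pkt.flags == "S":
                self.sessions.add(forward)
                return "ACCEPT"
            return "DROP"
        # Inbound: only published services, and a TCP session may only start with a SYN,
        # so a stray ACK aimed at a published port does not create state.
        if not self.is_internal(pkt.src) and self.is_internal(pkt.dst):
            if (pkt.proto, pkt.dport) in self.allowed_inbound and (pkt.proto != "tcp" or pkt.flags == "S"):
                self.sessions.add(forward)
                return "ACCEPT"
        return "DROP"


def run_sample():
    """Constructed packet sequence; returns the verdict for each packet in order."""
    fw = StatefulFirewall()
    sample = [
        Packet("tcp", "203.0.113.9", 40001, "10.0.0.5", 443, "S"),   # outside -> published HTTPS
        Packet("tcp", "203.0.113.9", 40002, "10.0.0.5", 443, "A"),   # stray ACK with no SYN first
        Packet("tcp", "203.0.113.9", 40003, "10.0.0.5", 3389, "S"),  # unpublished service
        Packet("tcp", "10.0.0.7", 50000, "203.0.113.20", 80, "S"),   # inside opens a web session
        Packet("tcp", "203.0.113.20", 80, "10.0.0.7", 50000, "SA"),  # the reply to it
        Packet("tcp", "203.0.113.20", 80, "10.0.0.7", 50001, "SA"),  # same host, no matching session
        Packet("udp", "10.0.0.7", 50100, "203.0.113.53", 53, ""),    # DNS query out
        Packet("udp", "203.0.113.53", 53, "10.0.0.7", 50100, ""),    # DNS answer back
    ]
    return [fw.filter(p) for p in sample]


if __name__ == "__main__":
    print(run_sample())
```

A stateless filter would have to either open port 80 and 53 replies from every outside host permanently or block them; the state table is what lets the policy stay narrow while legitimate sessions still work. As the paragraph notes, none of this inspects the payload, which is why an IPS is layered on top.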

Honeypots, essentially decoy network-accessible resources, could be deployed in a network as surveillance and early-warning tools. Techniques used by the attackers that attempt to compromise these decoy resources are studied during and after an attack to keep an eye on new exploitation techniques. Such analysis could be used to further tighten security of the actual network being protected by the honeypot.[3]


Security management

Security management for networks differs from one situation to another. A small home or office requires only basic security, while large businesses require high-maintenance, advanced software and hardware to prevent malicious attacks such as hacking and spamming.

Small homes

* A basic firewall.
* For Windows users, basic antivirus software such as McAfee, Norton AntiVirus, AVG Antivirus or Windows Defender; other products may suffice if they contain a virus scanner that checks for malicious software.
* When using a wireless connection, use a robust password.

Medium businesses

* A fairly strong firewall
* A strong Antivirus software and Internet Security Software.
* For authentication, use strong passwords and change them on a bi-weekly/monthly basis.
* When using a wireless connection, use a robust password.
* Raise awareness about physical security to employees.
* Use an optional network analyzer or network monitor.

Large businesses

* A strong firewall and proxy to keep unwanted people out.
* A strong Antivirus software and Internet Security Software.
* For authentication, use strong passwords and change them on a weekly/bi-weekly basis.
* When using a wireless connection, use a robust password.
* Exercise physical security precautions to employees.
* Prepare a network analyzer or network monitor and use it when needed.
* Implement physical security management like closed circuit television for entry areas and restricted zones.
* Security fencing to mark the company's perimeter.
* Fire extinguishers for fire-sensitive areas like server rooms and security rooms.
* Security guards can help to maximize security.

School

* An adjustable firewall and proxy to allow authorized users access from the outside and inside.
* A strong Antivirus software and Internet Security Software.
* Wireless connections that lead to firewalls.
* CIPA compliance.
* Supervision of network to guarantee updates and changes based on popular site usage.
* Constant supervision by teachers, librarians, and administrators to guarantee protection against attacks by both internet and sneakernet sources.

Large Government

* A strong firewall and proxy to keep unwanted people out.
* A strong Antivirus software and Internet Security Software.
* Strong encryption, usually with a 256 bit key.
* Whitelist authorized wireless connection, block all else.
* All network hardware is in secure zones.
* All hosts should be on a private network that is invisible from the outside.
* Put all servers in a DMZ, or behind a firewall from both the outside and the inside.
* Security fencing to mark the perimeter, with the wireless range limited to it.

Antivirus software

Antivirus software consists of computer programs that attempt to identify, neutralize or eliminate malicious software. The term "antivirus" is used because the earliest examples were designed exclusively to combat computer viruses; however, most modern antivirus software is designed to combat a wide range of threats, including worms, phishing attacks, rootkits, trojan horses and other malware. Antivirus software typically uses two different approaches to accomplish this:

* examining (scanning) files to look for known viruses matching definitions in a virus dictionary, and
* identifying suspicious behavior from any computer program which might indicate infection.

The second approach is called heuristic analysis. Such analysis may include data captures, port monitoring and other methods.

Most commercial antivirus software uses both of these approaches, with an emphasis on the virus dictionary approach. Although some people consider network firewalls to be a type of antivirus software, this categorization is not correct.
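The two approaches just described behave differently on the same input, and the contrast is worth seeing side by side: a dictionary scan matches a file against known-bad digests and misses anything not already in the dictionary, while a heuristic scores observed behaviour and can flag an unknown program at the cost of possible false positives. The scanner below is an added example, not code from the page or from any antivirus product; the "signature" is the digest of a constructed byte string, not real malware, and the behaviour events and weights are invented for illustration.

```python
"""Dictionary (signature) scanning beside heuristic behaviour scoring, the two antivirus
approaches named on the page. Added example with constructed data."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed dictionary: the digest of a harmless sample string stands in for a known-bad file.
SAMPLE_MALICIOUS = b"CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE"
SIGNATURES = {sha256(SAMPLE_MALICIOUS): "Constructed.Sample.A"}


def dictionary_scan(data: bytes, signatures=SIGNATURES):
    """Return the signature name if the file's digest is in the dictionary, else None.
    Any change to the file, even one byte, produces a different digest and a miss."""
    return signatures.get(sha256(data))


# Heuristic side: weights for behaviours observed at runtime (the page mentions data
# captures and port monitoring as inputs). Assumed values, not from any product.
HEURISTIC_WEIGHTS = {
    "read_keystrokes": 4,
    "write_autorun": 3,
    "outbound_connect_many_hosts": 3,
    "listen_port": 2,
    "modify_hosts_file": 2,
    "write_user_file": 0,
}


def heuristic_score(events, weights=HEURISTIC_WEIGHTS):
    """Sum the weights of the suspicious behaviours a program exhibited."""
    return sum(weights.get(e, 0) for e in events)


def heuristic_scan(events, threshold=5):
    """Return (score, flagged): flagged when the score reaches the threshold."""
    score = heuristic_score(events)
    return score, score >= threshold


def scan(data: bytes, events, threshold=5):
    """Dictionary check first, heuristic second, mirroring the emphasis the page describes."""
    name = dictionary_scan(data)
    if name:
        return ("known", name)
    score, flagged = heuristic_scan(events, threshold)
    return ("suspicious", score) if flagged else ("clean", score)


if __name__ == "__main__":
    variant = SAMPLE_MALICIOUS + b"\x00"  # same behaviour, different bytes
    print(scan(SAMPLE_MALICIOUS, []))
    print(scan(variant, ["read_keystrokes", "outbound_connect_many_hosts"]))
    print(scan(b"text editor", ["write_user_file"]))
```

The variant case is the point: the dictionary misses it because its digest changed, and only the behaviour score catches it. Conversely, a legitimate server that listens on a port and talks to many hosts scores 5 under these assumed weights and would be flagged, which is the false-positive cost that makes products lean on the dictionary first.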