Tag Archive | "network"

Top 10 network vulnerabilities inside the network

Today’s state-of-the-art network security appliances do a great job of keeping the cyber monsters from invading your business. But what do you do when the monster is actually inside the security perimeter? Unfortunately, all of the crosses, garlic, wooden stakes and silver bullets in the world have little effect on today’s most nefarious cyber creatures. Here are the top 10 ways your network can be attacked from inside and what you can do to ensure your business never has to perform an exorcism on your servers.

View full post on Network World on Security

Posted in Security | Comments Off

Cyber Security Awareness Month – Day 30 – Role of the network team, (Sat, Oct 30th)

Day 30 ends week four of the Cyber Security Awareness Month. First, a network team needs a leader who will serve as a point of contact and, in most cases, as a Subject Matter Expert in networking and a project manager.
The Network Team is usually responsible for the network infrastructure and may need to evaluate, recommend, maintain and deploy security products on the perimeter and corporate network.
Some of the requirements might include:

Implementing, supporting and maintaining security and network infrastructure
Solid understanding of enterprise architecture
Have a broad knowledge of networking technologies and a sound understanding of TCP/IP
Ensure a reliable service for all corporate users
Identify and develop scalable network designs, solutions and policy recommendations

If you are part of a network team and would like to share some of your other roles, you can share them via our contact form.
———–
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
FOR 558: Network Forensics coming to Toronto, ON in Nov 2010

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

View full post on SANS Internet Storm Center, InfoCON: green


Evil network: Alex Gorbunov / GORBY-VPN-NET AS51303 (195.226.197.0/24)

A small but nasty netblock hosting ZeuS C&C servers and Phoenix exploit kit attacks, GORBY-VPN-NET (registered to an Alex Gorbunov) seems to have no legitimate sites at all. There aren’t a lot of sites in this range (I see just 24) but there does seem to be quite a lot of malicious activity. I recommend that you block access to 195.226.197.0/24.

RIPE says:

inetnum: 195.226.197.0 –

View full post on Dynamoo’s Blog


Evil network: MD-ISP-MONITORING, AS25129 (89.187.32.0/19)

AS25129 (89.187.32.0/19) features a lot of refugees from another evil network, Najada. There’s nothing of value in this netblock; sites seem to feature illegal software, fake anti-virus, criminal support infrastructure, fake pharma sites and phishing.

The IP range is allocated to:

inetnum: 89.187.52.0 – 89.187.55.255
netname: MD-ISP-MONITORING
remarks: INFRA-AW
descr:

View full post on Dynamoo’s Blog


Google adds phishing URL alerts into network tool

Google has added notification for phishing URLs to its service that lets administrators know if their networks have been compromised.

View full post on Network World on Security


Evil network: Donstroy Ltd AS29557 (194.8.250.0/23)

Another network worth blocking, Donstroy Ltd appears to be a Latvian entity hosting in Moldova, closely affiliated with Sagade Ltd, who are one of the most scummy networks around at the moment.

The WHOIS details show a tell-tale link to Sagade in the email address:

inetnum:         194.8.250.0 – 194.8.251.255
netname:         Donstroy-1
descr:           Donstroy Ltd.
country:         LV
org:

View full post on Dynamoo’s Blog


Evil network: Specialist Ltd / Specialist-ISP-PI2 AS48691(194.28.112.0/22)

Specialist Ltd is a fairly large netblock containing a small number of very bad hosts and nothing else. Registered to a company in Moldova, Specialist looks like another part of the Latvian / Moldovan / Bosnian black hat network which supports all sorts of organised crime.

inetnum:         194.28.112.0 – 194.28.115.255
netname:         Specialist-ISP-PI2
descr:           Specialist, Ltd.
country:

View full post on Dynamoo’s Blog


Cyber Security Awareness Month – Day 2 – Securing the Family Network, (Sat, Oct 2nd)

Manufacturers really aren’t doing many of the home users any favours. Devices are sold with worse than lame default settings in the guise of usability. Personally I think that many manufacturers are underestimating the capacity of people to follow instructions, but then I guess Heinz Ketchup does have the instruction "put on food" on the bottle, so maybe I’m wrong.
Manufacturers could make things easier for us, and many of them kind of do. We now have external hard drives where the backup is a push of a button (even my mother knows how to drive that one) and many of the network devices come with one-button configuration settings to secure the network. Personally I’ve had limited success with this, but maybe I’m button-challenged.
I know that your home network is as secure as you can possibly make it, but alas your neighbours’, cousin’s, brother’s, parent’s, grandparent’s, etc., network is not up to the same specs. It has been or will be used in the future to spread evil such as Zeus, Stuxnet and even Kevin’s favourite, Slammer. Securing the PC helps, but you do need to secure the network as well.

So let’s get stuck into it.

Make sure that the device connecting to your service provider at least has some stateful filtering capabilities. They should only allow outbound traffic, but you may wish to check that.
Change the default passwords. Many devices come with default passwords, typically admin or blank. Many people still have their internet-facing devices with these default passwords.
Use long passwords. It will only be used infrequently, so it might as well be a long one. You’ll want to write it down and keep it safe; use paper and not a file on the computer. Providing you don’t staple it to your windows, keeping the passwords written down should be fine.
Control who connects. Whether you have a wired network or wireless, make sure you know what is connecting to your network: your laptop, fridge, media centre, etc. You might want to consider using MAC filtering. Not the best, but better than nothing.
If there are security settings available, use them. Keep in mind that the security of your network is often dependent on the least secure device. For example I have a couple of older devices that can only use 40-bit WEP keys. So if I want to use them I either reduce the security of the whole environment, or, as in my case, I have a second access point in a little DMZ off the main internet connection.
For wireless networks WPA-PSK is the minimum to use.
Harden devices. Just like corporations, any device you connect to the network should be hardened. Many of the network-connected printers have so many services open that will never be used, so shut them down.

Now unless you want to be the extended family’s internet helpdesk (might be the only way you get to see them) I suggest that you write down basic instructions for them, or set things up so they never have to touch it again.

I’ve made a start; feel free to add those things you do for your family to keep their network clean.

Mark H

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

View full post on SANS Internet Storm Center, InfoCON: green


MIT system helps companies recover from network intrusion

MIT Computer Science and Artificial Intelligence Laboratory researchers will next week detail a system they say will make it easier for companies to recover from security intrusions.

View full post on Network World on Security



US charges dozens in global cybercrime network (AFP)

A policeman carries a confiscated computer in 2005. More than 60 people in an eastern European-based cybercrime network were charged in the United States for using computer viruses to infiltrate US bank accounts, prosecutors said Thursday. (AFP/File/Miguel Riopa)

AFP – More than 60 people in an eastern European-based cybercrime network were charged in the United States for using computer viruses to infiltrate US bank accounts, prosecutors said Thursday.


View full post on Yahoo! News: Security News



US charges 60 in global cybercrime network (AFP)

A policeman carries a confiscated computer in 2005. US prosecutors on Thursday unveiled charges against more than 60 people in an eastern European-based cybercrime network using computer viruses to target US bank accounts. (AFP/File/Miguel Riopa)

AFP – US prosecutors on Thursday unveiled charges against more than 60 people in an eastern European-based cybercrime network using computer viruses to target US bank accounts.


View full post on Yahoo! News: Security News


NIST blesses network access, desktop security

The Trusted Computing Group and the National Institute of Standards and Technology Tuesday joined to give their blessing to the union of two technologies that each have championed: TCG with its network-access control standard called Trusted Network Connect, and NIST with its desktop-security configuration standard called the Security Control Automation Protocol.

View full post on Network World on Security


Social Network Flooded with Scam Messages

Facebook now has over 500 million registered users, which makes this social network (like many other social networks) a very attractive “fishing pool” for attackers. There are so many potential victims that could easily fall for any of the scattered bait. So, it does not come as a surprise that we see another scam campaign launched nearly every week.


View full post on

Posted in Antivirus | Comments Off

Cisco Security Advisory: Cisco IOS Software NAT (Network Address Translation) Vulnerabilities -http://www.cisco.com/warp/public/707/cisco-sa-20100922-nat.shtml, (Wed, Sep 22nd)

=============== Rob VandenBrink Metafore

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

View full post on SANS Internet Storm Center, InfoCON: green


Lawsuit: Ad Network Could Be Tracking You With HTML5

HTML5 is an exciting technology with lots of potential. But one potentially insidious use has surfaced, and one group of privacy experts isn’t taking it lightly.

View full post on Network World on Security


Evil network: VLine Ltd / VLINERU2-NET AS39150 (109.196.128.0/20)

A malware run in progress today using the arestyute.com domain made me look at VLine Ltd, a Moscow-based host well known for supporting criminal activities. The question is: does VLine actually host any legitimate sites? The answer: probably not.

An analysis of the netblock 109.196.128.0/20 (109.196.128.0 – 109.196.143.255) which forms AS39150 shows a collection of fake pharma sites, malware

View full post on Dynamoo’s Blog


Secure Your Wireless Network: Cast Out Wi-Fi Intruders

Are you the only one enjoying your home network? Here’s how to detect trespassers and block them from sucking up your bandwidth.

View full post on PCMag.com Security Coverage


SMB Security: Eight Tips to Protect Your Business Network

From screen scrapers to scareware, there’s no shortage of threats ready to compromise your business network, whether it’s wired or wireless. But if you follow my eight steps for SMB security, you’ll go a long way toward securing your business’ defenses against attack.

View full post on PCMag.com Security Coverage


Evil network: MAXHOSTING Services / GlobalNET Bosnia (AS42560 / 77.78.239.0/23)

Back in May they were called Maximus Hosting Services, but I guess it’s always embarrassing when you’re not number one in Google for your own name, so now this outfit from Russia appears to be calling itself MAXHOSTING SERVICES. Note that it looks like there are several Russian businesses of a very similar name, presumably most of which are legitimate.

inetnum:        77.78.239.0 – 77.78.240.255

View full post on Dynamoo’s Blog


Evil network: MAXHOSTING Services, kfppp.com and the BBC Radio 3 compromise

MAXHOSTING are a fairly prolific evil network that I profiled last month, so it isn’t a huge surprise to see that the evilness continues as normal.

But one thing that made MAXHOSTING stand out today was their involvement in an apparent compromise on the BBC’s website, as reported by The Register. Google have labelled the BBC’s Radio 3 subsite as being potentially dangerous:

Safe Browsing

View full post on Dynamoo’s Blog


Tainted network: InterWeb Media / Gogax.com AS21793 (76.76.96.0/19)

Trading under various names including Gogax, InterWeb Media and Exist Hosting, this Canadian company mixes some extremely dangerous sites with links to organised crime among legitimate businesses.

Gogax’s business model appears to be to delegate small chunks of its IP address range to third parties, while presumably hosting the servers for them. In the case of this $600,000 fraud the IP

View full post on Dynamoo’s Blog


Tainted network: Serverconnect.se / serverconnect-dedicateserver-net AS49770 (95.143.193.0/23)

Not a fully evil network, but AS49770 (owned by Serverconnect.se) has been abused by the bad guys for a long, long time. This particular /23 includes fake ad networks, counterfeit goods, torrents, pornography and a suspiciously large number of .ru domains for a Swedish web host.

Known bad domains currently hosted and in the past include:

Bellasinteractive.com [1]
Mazcostrol.com [2]

View full post on Dynamoo’s Blog


Spammers Take Over Apple’s New Ping Social Network (NewsFactor)

NewsFactor – Apple launched iTunes 10 with Ping, a new music-oriented social network, on Wednesday. Within hours, the site fell victim to spammers looking to make a quick buck from Apple’s unsuspecting 160 million music lovers exploring the new way to discover what music their friends are listening to.

View full post on Yahoo! News: Security News


Internet Security and VPN Network Design

Overview

This article discusses some essential technical concepts associated with a VPN. A Virtual Private Network (VPN) integrates remote employees, company offices, and business partners using the Internet and secures encrypted tunnels between locations. An Access VPN is used to connect remote users to the enterprise network. The remote workstation or laptop will use an access circuit such as Cable, DSL or Wireless to connect to a local Internet Service Provider (ISP). With a client-initiated model, software on the remote workstation builds an encrypted tunnel from the laptop to the ISP using IPSec, Layer 2 Tunneling Protocol (L2TP), or Point to Point Tunneling Protocol (PPTP). The user must authenticate as a permitted VPN user with the ISP. Once that is finished, the ISP builds an encrypted tunnel to the company VPN router or concentrator. TACACS, RADIUS or Windows servers will authenticate the remote user as an employee that is allowed access to the company network. With that finished, the remote user must then authenticate to the local Windows domain server, Unix server or Mainframe host, depending upon where their network account is located. The ISP-initiated model is less secure than the client-initiated model since the encrypted tunnel is built only from the ISP to the company VPN router or VPN concentrator; in that model the secure VPN tunnel is built with L2TP or L2F.

The Extranet VPN will connect business partners to a company network by building a secure VPN connection from the business partner router to the company VPN router or concentrator. The specific tunneling protocol utilized depends upon whether it is a router connection or a remote dialup connection. The options for a router-connected Extranet VPN are IPSec or Generic Routing Encapsulation (GRE). Dialup extranet connections will utilize L2TP or L2F. The Intranet VPN will connect company offices across a secure connection using the same process, with IPSec or GRE as the tunneling protocols. It is important to note that what makes VPNs very cost effective and efficient is that they leverage the existing Internet for transporting company traffic. That is why many companies are selecting IPSec as the security protocol of choice for guaranteeing that information is secure as it travels between routers or between laptop and router. IPSec consists of 3DES encryption, IKE key exchange authentication and MD5 route authentication, which together provide authentication, authorization and confidentiality.

Internet Protocol Security (IPSec)

IPSec operation is worth noting since it is such a prevalent security protocol in use today with Virtual Private Networking. IPSec is specified in RFC 2401 and was developed as an open standard for secure transport of IP across the public Internet. The packet structure is comprised of an IP header, an IPSec header and an Encapsulating Security Payload. IPSec provides encryption services with 3DES and authentication with MD5. In addition there are Internet Key Exchange (IKE) and ISAKMP, which automate the distribution of secret keys between IPSec peer devices (concentrators and routers). Those protocols are required for negotiating one-way or two-way security associations. IPSec security associations are comprised of an encryption algorithm (3DES), a hash algorithm (MD5) and an authentication method (MD5). Access VPN implementations utilize 3 security associations (SAs) per connection (transmit, receive and IKE). An enterprise network with many IPSec peer devices will utilize a Certificate Authority for scalability of the authentication process instead of IKE pre-shared keys.

Laptop – VPN Concentrator IPSec Peer Connection   

1. IKE Security Association Negotiation 

2. IPSec Tunnel Setup

3. XAUTH Request / Response – (RADIUS Server Authentication)

4. Mode Config Response / Acknowledge (DHCP and DNS)

5. IPSec Security Association
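The packet layout described above (IP header, then the IPSec header, then the Encapsulating Security Payload) is the part of IPSec a receiver sees before any decryption, and it is also where replay protection is enforced. The following is an added example, not code from the article: it parses the cleartext ESP header (SPI and sequence number) out of a constructed IPv4 packet and runs the sequence numbers through the sliding anti-replay window a receiver keeps per security association. It assumes the ESP format of RFC 4303 (IP protocol 50, a 32-bit SPI followed by a 32-bit sequence number); the addresses, SPI value and sequence numbers are constructed sample data, and the encrypted payload is a placeholder because nothing past the 8-byte header can be interpreted without the SA keys. Since it never touches the payload it is independent of the 3DES/MD5 algorithm choice the article names.

```python
"""Parse the cleartext ESP header of an IPv4 packet and apply a per-SA
anti-replay sliding window. Added example with constructed packets; not
code from the article or from any vendor's VPN product."""
import socket
import struct

ESP_PROTOCOL = 50               # IP protocol number for ESP (RFC 4303)
IPV4_HEADER_FMT = "!BBHHHBBH4s4s"
ESP_HEADER_FMT = "!II"          # SPI, sequence number (both sent in clear)


def parse_ipv4_esp(packet: bytes) -> dict:
    """Return outer IP addresses plus the SPI and sequence number of an ESP packet.
    The encrypted payload, ESP trailer and ICV stay opaque: without the SA's keys
    nothing past the 8-byte ESP header can be interpreted."""
    if len(packet) < 20:
        raise ValueError("packet too short for an IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HEADER_FMT, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != ESP_PROTOCOL:
        raise ValueError(f"IP protocol {proto} is not ESP")
    if len(packet) < ihl + 8 or total_len > len(packet):
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack(ESP_HEADER_FMT, packet[ihl:ihl + 8])
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "spi": spi,
        "seq": seq,
        "opaque_len": total_len - ihl - 8,   # ciphertext + trailer + ICV
    }


class ReplayWindow:
    """64-entry sliding window in the style of RFC 4303 Appendix A.
    Bit i of `bitmap` is set once sequence number (last - i) has been accepted."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.last = 0          # highest sequence number accepted so far
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                       # ESP sequence numbers start at 1
            return False
        if seq > self.last:                # new right edge: slide the window
            shift = seq - self.last
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1            # jumped past the whole window
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:              # older than the window: drop
            return False
        if self.bitmap & (1 << diff):      # already accepted: replay, drop
            return False
        self.bitmap |= 1 << diff
        return True


def build_esp_packet(src: str, dst: str, spi: int, seq: int, opaque: bytes) -> bytes:
    """Construct an IPv4+ESP packet for the demo. `opaque` stands in for the
    ciphertext, trailer and ICV; no real encryption is performed here."""
    total_len = 20 + 8 + len(opaque)
    ip = struct.pack(IPV4_HEADER_FMT, 0x45, 0, total_len, 0, 0, 64, ESP_PROTOCOL, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack(ESP_HEADER_FMT, spi, seq) + opaque


def filter_replays(packets):
    """Run each packet through the window for its (destination, SPI) SA and
    return (spi, seq, accepted) tuples; a receiver would drop the False ones."""
    windows = {}
    decisions = []
    for pkt in packets:
        hdr = parse_ipv4_esp(pkt)
        win = windows.setdefault((hdr["dst"], hdr["spi"]), ReplayWindow())
        decisions.append((hdr["spi"], hdr["seq"], win.check_and_update(hdr["seq"])))
    return decisions


# Constructed sample: one SA (SPI 0x1000) from laptop 203.0.113.10 to the
# concentrator 198.51.100.1. Sequence 2 is replayed, 3 arrives again long
# after the window has moved past it, 69 is late but still inside the window.
SAMPLE_PACKETS = [
    build_esp_packet("203.0.113.10", "198.51.100.1", 0x1000, seq, b"\x00" * 16)
    for seq in (1, 2, 4, 3, 2, 70, 3, 69)
]

if __name__ == "__main__":
    for spi, seq, ok in filter_replays(SAMPLE_PACKETS):
        print(f"SPI {spi:#x} seq {seq:3d}: {'accept' if ok else 'DROP (replay or stale)'}")
```

Reordering inside the window (seq 3 after 4, seq 69 after 70) is accepted because IP does not guarantee in-order delivery; a duplicate sequence number or one that has fallen off the left edge of the window is dropped. The window is keyed per SA because, as the article notes, each connection uses separate inbound and outbound SAs, each with its own counter.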

Access VPN Design

The Access VPN will leverage the availability and low cost of the Internet for connectivity to the company core office, with WiFi, DSL and Cable access circuits from local Internet Service Providers. The main issue is that company data must be protected as it travels across the Internet from the telecommuter laptop to the company core office. The client-initiated model will be utilized, which builds an IPSec tunnel from each client laptop that is terminated at a VPN concentrator. Each laptop will be configured with VPN client software, which will run with Windows. The telecommuter must first dial a local access number and authenticate with the ISP. The RADIUS server will authenticate each dial connection as an authorized telecommuter. Once that is finished, the remote user will authenticate and authorize with Windows, Solaris or a Mainframe server before starting any applications. There are dual VPN concentrators that will be configured for failover with Virtual Router Redundancy Protocol (VRRP) should one of them be unavailable.

Each concentrator is connected between the external router and the firewall. A new feature of the VPN concentrators prevents denial of service (DoS) attacks from outside hackers that could affect network availability. The firewalls are configured to permit source and destination IP addresses, which are assigned to each telecommuter from a pre-defined range. Any application and protocol ports that are required will also be permitted through the firewall.

Extranet VPN Design

The Extranet VPN is designed to allow secure connectivity from each business partner office to the company core office. Security is the primary focus since the Internet will be utilized for transporting all data traffic from each business partner. There will be a circuit connection from each business partner that will terminate at a VPN router at the company core office. Each business partner and its peer VPN router at the core office will utilize a router with a VPN module. That module provides IPSec and high-speed hardware encryption of packets before they are transported across the Internet. Peer VPN routers at the company core office are dual-homed to different multilayer switches for link diversity should one of the links be unavailable. It is important that traffic from one business partner doesn’t end up at another business partner office. The switches are located between external and internal firewalls and are utilized for connecting public servers and the external DNS server. That isn’t a security issue since the external firewall is filtering public Internet traffic.

In addition, filtering can be implemented at each network switch to prevent routes from being advertised, or vulnerabilities exploited, as a result of having business partner connections at the company core office multilayer switches. Separate VLANs will be assigned at each network switch for each business partner to improve security and segmenting of subnet traffic. The tier 2 external firewall will examine each packet and permit those with the business partner source and destination IP addresses, applications and protocol ports they require. Business partner sessions will have to authenticate with a RADIUS server. Once that is finished, they will authenticate at Windows, Solaris or Mainframe hosts before starting any applications.

Network Planning and Design Guide is available at Amazon.com and eBookmall.com

Shaun Hummel is an author of various technical books and has a web site focused on information technology job search solutions and certifications.

http://www.networkjobsolutions.com

Shaun Hummel, CCNP, is a Senior Network Engineer with 11 years experience in enterprise network planning, design, and implementation. He has worked for various private and public companies in Canada and the United States improving infrastructure, security, and management. He has written Network Planning and Design Guide, Cisco Wireless Network Design Guide and Network Assessment Guide. www.networkjobsolutions.com

