Archive for September 2008

Qualys false vulnerabilities.

A client of mine contacted me about a recent Qualys vulnerability scan in which they listed a “UDP constant IP ID field fingerprint” vulnerability.

The report gives the following explanation.

“Normally, the IP Identification field is intended to be a reasonably unique value, and is used to reconstruct fragmented packets. It has been reported that in some versions of the Linux kernel IP stack implementation as well as other operating systems, UDP packets are transmitted with a constant IP Identification field of 0.
IMPACT:
By exploiting this vulnerability, a malicious user can discover the operating system and approximate kernel version of the host. This information can then be used in further attacks against the host.”

Hmm.. how is this a vulnerability? The same scan shows that OS fingerprint identification was successful for other TCP services. Nmap reveals that these TCP ports also return all zeros in the IP ID field. The OS is identified as Linux in the TCP scans, yet Qualys doesn’t classify that as a vulnerability.

Is it a vulnerability that an attacker may know you’re running Linux? This is information. I would define an actual vulnerability as something that can be exploited, e.g. a buffer overflow, a race condition, a man-in-the-middle, or SQL injection.

This is information, something that you can use to find vulnerabilities. In fact, if the IP ID field of all non-fragmented UDP packets is always 0, then this is also information that can be used to secure the system. An IDS signature could be written that alerts me when there are non-zero values in this field. That could be a sign that someone is using the IP ID field to tunnel information, i.e. a covert channel. Now the “vulnerability” is a security feature.
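As an added illustration of the detection idea in the paragraph above (this is not code from the post, from Qualys, or from any IDS), the following Python script implements that signature over raw IPv4 packets: for a monitored host whose baseline is a constant IP ID of 0 on unfragmented UDP, it flags any unfragmented UDP datagram carrying a non-zero ID. The host address, the packet builder and the sample capture are all constructed here for the example; the check only means something on a host whose baseline really is a constant zero, so confirm that (with a scan or a capture, as the post did) before deploying it.

```python
import socket
import struct
from dataclasses import dataclass

UDP_PROTO = 17
TCP_PROTO = 6

# Hypothetical monitored host: a Linux box whose unfragmented UDP datagrams
# are known from the scan to always carry IP ID 0.
MONITORED_HOST = "10.0.0.5"


@dataclass
class Finding:
    index: int      # position of the packet in the capture
    src: str
    dst: str
    ip_id: int


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones' complement sum."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, ip_id: int, flags_frag: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (no options) so the example runs without a pcap."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, flags_frag,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(pkt: bytes):
    """Return (proto, ip_id, more_fragments, frag_offset, src, dst) from a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total_len, ip_id, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = flags_frag & 0x1FFF
    return proto, ip_id, more_fragments, frag_offset, socket.inet_ntoa(src), socket.inet_ntoa(dst)


def find_nonzero_ip_id_udp(packets, monitored_src: str):
    """Flag unfragmented UDP datagrams from the monitored host whose IP ID is not 0.

    Fragments (MF set or a non-zero offset) legitimately need a real ID so the
    receiver can reassemble them, so they are skipped rather than flagged.
    """
    findings = []
    for idx, pkt in enumerate(packets):
        proto, ip_id, more_fragments, frag_offset, src, dst = parse_ipv4(pkt)
        if src != monitored_src or proto != UDP_PROTO:
            continue
        if more_fragments or frag_offset:
            continue
        if ip_id != 0:
            findings.append(Finding(idx, src, dst, ip_id))
    return findings


# Constructed sample capture, not real traffic. Flag bits: DF = 0x4000, MF = 0x2000.
SAMPLE_PACKETS = [
    build_ipv4(MONITORED_HOST, "10.0.0.53", UDP_PROTO, 0, 0x4000, b"dns query"),     # baseline: ID 0
    build_ipv4(MONITORED_HOST, "10.0.0.53", UDP_PROTO, 0, 0x0000, b"dns query"),     # baseline: ID 0
    build_ipv4(MONITORED_HOST, "10.0.0.9", TCP_PROTO, 0, 0x4000, b"syn"),            # TCP: out of scope
    build_ipv4(MONITORED_HOST, "198.51.100.7", UDP_PROTO, 0x1234, 0x0000, b"x"),     # anomaly
    build_ipv4(MONITORED_HOST, "10.0.0.53", UDP_PROTO, 0x0042, 0x2000, b"frag0"),    # fragment, MF set
    build_ipv4(MONITORED_HOST, "10.0.0.53", UDP_PROTO, 0x0042, 0x0001, b"frag1"),    # fragment, offset 1
    build_ipv4("10.0.0.77", "10.0.0.53", UDP_PROTO, 0x0099, 0x0000, b"other host"),  # not monitored
    build_ipv4(MONITORED_HOST, "198.51.100.7", UDP_PROTO, 0x1235, 0x0000, b"y"),     # anomaly
]

if __name__ == "__main__":
    for f in find_nonzero_ip_id_udp(SAMPLE_PACKETS, MONITORED_HOST):
        print(f"packet {f.index}: {f.src} -> {f.dst} UDP with IP ID 0x{f.ip_id:04x}")
```

The fragment exclusion is the part worth keeping when turning this into a real signature: a rule that simply matches “UDP and IP ID != 0” will fire on every legitimate fragmented datagram the host sends.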

Qualys, fix your scan report: reclassify this as information, just like the OS identification TCP fingerprinting portion of your report, because that’s all this is, information that an attacker already knows.

The dangers of allowing SSH.

SSH is an evil of network security. I’m currently onsite at a customer that allows SSH outbound. Why? I’m not sure. But this is not the first customer I’ve been to that does. Like many others, they have sophisticated anti-spam, DLP, content filtering, proxies, firewalls, and IPS in place. And then they screw the whole thing up with SSH.

Never allow this.

I’m currently circumventing their anti-spam, DLP, content filtering, proxies, firewalls, and IPS by forwarding my traffic through an SSH tunnel I created to my home network. I’m using portable apps to do it, so there should be nothing left behind after I leave. And although my intent is not malicious, it shouldn’t be possible. I’ve even got X Windows running from my Ubuntu box, so the tunnel runs bi-directionally. I could make it permanent. Earlier I was running Metasploit through it. This is ridiculous.

Allowing SSH is too trusting. They should just eliminate the anti-spam, DLP, content filtering, proxies, firewalls, and IPS and save their money.
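From the defender’s side of the post above, here is an added example (not from the post or the customer) of how a network security team could surface the outbound SSH sessions it describes from a firewall connection log. The key=value log format, the RFC 1918 definition of “internal”, and the one-hour threshold for a tunnel-like session are all assumptions made for this example, and the log lines are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical policy parameters (not from the post).
SSH_PORT = 22
LONG_SESSION_SECONDS = 3600   # an hour-long SSH session looks like a tunnel, not an interactive login
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed connection-log lines in a simple key=value format (not real logs).
SAMPLE_LOG = """\
2008-09-15T09:01:12 src=10.20.30.41 dst=10.20.30.5 proto=tcp dport=22 bytes=18212 duration=95
2008-09-15T09:03:40 src=10.20.30.41 dst=203.0.113.17 proto=tcp dport=443 bytes=40211 duration=12
2008-09-15T09:05:02 src=10.20.30.41 dst=203.0.113.99 proto=tcp dport=22 bytes=9812345 duration=14520
2008-09-15T09:07:55 src=10.20.30.88 dst=198.51.100.8 proto=tcp dport=22 bytes=4120 duration=40
2008-09-15T09:09:10 src=10.20.30.88 dst=203.0.113.17 proto=udp dport=53 bytes=210 duration=0
"""


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    nbytes: int
    duration: int


@dataclass
class Finding:
    flow: Flow
    reasons: list = field(default_factory=list)


def parse_flow(line: str) -> Flow:
    """Parse one 'timestamp key=value ...' log line into a Flow."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return Flow(ts, ipaddress.ip_address(fields["src"]), ipaddress.ip_address(fields["dst"]),
                fields["proto"], int(fields["dport"]), int(fields["bytes"]), int(fields["duration"]))


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def find_outbound_ssh(log_text: str):
    """Return a Finding for every TCP/22 flow that leaves the internal address space.

    Internal-to-internal SSH (normal server administration) is deliberately not
    reported; the post's concern is SSH crossing the perimeter outbound.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow.proto != "tcp" or flow.dport != SSH_PORT:
            continue
        if not is_internal(flow.src) or is_internal(flow.dst):
            continue
        reasons = ["outbound SSH to external host"]
        if flow.duration >= LONG_SESSION_SECONDS:
            reasons.append("long-lived session, consistent with a forwarding tunnel")
        findings.append(Finding(flow, reasons))
    return findings


if __name__ == "__main__":
    for f in find_outbound_ssh(SAMPLE_LOG):
        print(f"{f.flow.ts} {f.flow.src} -> {f.flow.dst}: {'; '.join(f.reasons)}")
```

Matching on destination port 22 is only a baseline for spotting what is already slipping out; the control the post actually argues for is denying outbound SSH at the egress point in the first place, so that the report above stays empty.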

Is physical security overlooked in lieu of network security?

I would have to say yes. I think this is partly a technology issue. As information security managers, we think we can design a system that can be managed by technology. We sit in front of consoles and we feel secure. Physical security requires work that involves people, and not just machines and technology. This process involves education, awareness, and training of actual people. This is something most people in information security don’t like to do. With so much emphasis given to DLP these days, I suspect that physical security will have to be stepped up as well. Most companies I consult with have separate physical and network security departments. The physical security aspects are never thought about by most network security architects, and in the cases where they are, it’s an afterthought: something else that can be fixed with technology, e.g. video cameras and biometrics.

Election 2008 and the Mainstream Media

What the hell is wrong with the mainstream media? Does anyone believe Barack Obama? Barack Obama has voted with a majority of his Democratic colleagues 96.0% of the time. They make a big deal about McCain voting with his party 88.3% of the time. Obama is not for the change I believe in; he is for more of the same liberal spending and increased government and socialism. If elected, there would be change. A change for the worse . . . A change toward socialism. The media doesn’t care; they don’t expose his relationship with the Democratic Socialists of America (DSA). They don’t expose his record on abortion; Obama has not seen an abortion he didn’t like. He is ultra-liberal. He is pro-gay rights, weak on immigration, pro affirmative action; basically he’s for everything I’m against. Why do we need gay-rights laws? The laws of the land are for people. Sexual orientation should be irrelevant. When you give a section or subset extra rights, you make them special in the eyes of the law and in the opinion of the public. Take for example “hate crimes”: we already have criminal charges that protect people from “hate crimes”; they have names like assault, battery, manslaughter, homicide. Why is it worse to assault someone who is “gay” or “black” than it is to assault someone who is “white” or “straight”?

I’m appalled at the treatment they are giving Sarah Palin; they never ask if Obama will be able to take care of the Presidency because he has two children. They are attacking her character? Obama has endorsed an admitted racist preacher as his “spiritual leader.” People stay in churches for 20 years because they agree with the philosophy that is being preached. There are hundreds of churches in Chicago. Obama is a liar, a fraud, and as immoral as they come. The mainstream media love him, and will not point this out.

The iPhone 3G rocks

I’ve been an iPod fan for years. I got my first one, a 4 GB mini, at the Check Point experience a few years ago. I “won” it by giving a creative answer to the 10-to-1 question. That is, I’d try to recommend 10 Crossbeam appliances for every 1 Nokia. That piece of fiction got me a free iPod. We sell more than 10 Nokia appliances for each Crossbeam, for sure. After a while, I gave the 4 GB to my wife and got a 60 GB iPod video. It was nice; now my son has it. Now I have the iPhone. It is like a Game Boy, iPod, GPS, web browser, and phone in one device. It does all of these things pretty well. It does have a few drawbacks.
1) No voice dialing? C’mon, phones have had this for years. It’s not very hands-free without it. My Motorola Q had this; I used this feature a lot. It was frustrating sometimes when it was noisy, but I still used it.
2) No Flash? This needs to be fixed, soon. What good is fast internet if you don’t have Flash?
3) None of my old iPod devices work with it. I have to go buy a new clock radio, a new car charger, a new car dock. One of the reasons I bought real iPods and not Chinese fake iPods was compatibility. What gives? Couldn’t Apple write some backwards compatibility into the iPhone?

Anyway, the good news is that I can read a book or play a game while listening to music. That just rocks.

The iPhone has made flying and airport waits bearable again.
