IP Address Spoofing
December 14, 2009 by Marcos Christodonte II
In everyday conversation, we tend to use language that is foreign to others around us. While people sometimes give us a head nod, or say “uh huh,” they don’t always know what we’re talking about. Frankly, their body language tells the true story, especially when they display the “thousand mile stare” or a confused facial expression. I was recently talking about IP address spoofing when I saw someone giving me that look. I gave them a quick summary of IP address spoofing at the time, and a more elaborate version of that conversation follows below.
Spoofing is simply the act of pretending to be someone you’re not. With IP address spoofing, an attacker forges the source address in the IP header of the packets they send, so the traffic appears to come from some other host on the network or Internet. One might ask, “Why would someone want to spoof their IP address?” Well, if an attacker were remotely accessing an unauthorized network or system, they wouldn’t want that activity traced back to them. Instead, they spoof the source address so that the traffic shows up in logs and on the wire as coming from somewhere else.
For instance, if a system granted access, or authentication, based merely upon the source IP address (a firewall rule or an application ACL that trusts a particular host, for example), an attacker could simply forge the address of that privileged system and effectively gain unauthorized access.
So what if an attacker performed the above scenario and gained unauthorized access to a system? They would probably want to execute a few commands and, depending on their intent, have some information sent back to them. Nevertheless, there’s a catch with basic IP address spoofing, and it is TCP’s three-way handshake. When the target receives the forged SYN, it sends its SYN-ACK to the source address in that packet, which is the real system whose address is being spoofed, not the attacker. That system never initiated a connection, so it will not complete the handshake; instead it answers with a reset (RST). The attacker never sees the SYN-ACK, or the sequence number in it that is needed to finish the handshake, so nothing comes back to them unless the packets carry their own IP address, which defeats the purpose.
So if I were an attacker, what would be my workaround? One way around the three-way-handshake roadblock is IP source routing. The source-route option in the IP header lets the sender specify the path a packet will take to its destination, hop by hop, and a host that honours the option sends its reply back along that recorded route in reverse. Since the attacker chooses the path, they can place themselves, or a router they control, as one of the hops and intercept the reply on its way back to the spoofed address.
So for all my network security engineers out there: don’t allow IP source routing through your firewalls and routers (on Cisco IOS that is the “no ip source-route” command; on Linux, set net.ipv4.conf.all.accept_source_route to 0), and while you are at it, drop outbound packets whose source address doesn’t belong to your network, so forged packets can’t leave it in the first place (ingress filtering, BCP 38).
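As an added illustration, not part of the original post, here is a small Python model of the exchange described above: a SYN with a forged source, the SYN-ACK going to the real owner of that address, the RST that follows, and what changes when the target honours a loose source route or, as recommended, drops source-routed packets. The hosts, the addresses (taken from the RFC 5737 documentation ranges) and the packet format are constructed for the model; it does not put anything on a wire.

```python
from dataclasses import dataclass

# Constructed addresses from the RFC 5737 documentation ranges.
ATTACKER = "198.51.100.7"   # the host forging packets
TRUSTED = "192.0.2.10"      # the host whose address is forged
SERVER = "192.0.2.20"       # the target that trusts TRUSTED by source IP alone


@dataclass
class Packet:
    src: str
    dst: str
    flags: str         # "SYN", "SYN-ACK" or "RST"
    route: tuple = ()  # loose-source-route option: hops the packet passes through


class Host:
    def __init__(self, ip, accept_source_route=False):
        self.ip = ip
        self.accept_source_route = accept_source_route
        self.seen = []  # every packet delivered to us or routed through us

    def handle(self, pkt):
        """Process a packet addressed to us; return the reply packet or None."""
        self.seen.append(pkt)
        if pkt.route and not self.accept_source_route:
            return None  # hardened stack: source-routed packets are dropped
        # A reply to a source-routed packet follows the recorded route in
        # reverse, which is exactly what an attacker listed as a hop wants.
        back = tuple(reversed(pkt.route))
        if pkt.flags == "SYN" and self.ip == SERVER:
            # The SYN-ACK goes to the *claimed* source, not to whoever sent it.
            return Packet(self.ip, pkt.src, "SYN-ACK", back)
        if pkt.flags == "SYN-ACK":
            # No connection was opened here, so TCP answers with a reset.
            return Packet(self.ip, pkt.src, "RST", back)
        return None


class Network:
    def __init__(self, hosts):
        self.hosts = {h.ip: h for h in hosts}
        self.log = []

    def send(self, pkt):
        via = f" via {list(pkt.route)}" if pkt.route else ""
        self.log.append(f"{pkt.src} -> {pkt.dst} {pkt.flags}{via}")
        for hop in pkt.route:  # intermediate hops see the packet in transit
            if hop != pkt.dst:
                self.hosts[hop].seen.append(pkt)
        reply = self.hosts[pkt.dst].handle(pkt)
        if reply is not None:
            self.send(reply)


def run(accept_source_route, use_source_route):
    """Forge a SYN from TRUSTED to SERVER; return (attacker_saw_synack, log)."""
    attacker = Host(ATTACKER, accept_source_route)
    trusted = Host(TRUSTED, accept_source_route)
    server = Host(SERVER, accept_source_route)
    net = Network([attacker, trusted, server])
    route = (ATTACKER,) if use_source_route else ()
    net.send(Packet(TRUSTED, SERVER, "SYN", route))  # source address is forged
    saw_synack = any(p.flags == "SYN-ACK" for p in attacker.seen)
    return saw_synack, net.log


if __name__ == "__main__":
    for accept, use in [(True, False), (True, True), (False, True)]:
        saw, log = run(accept, use)
        print(f"source routing accepted={accept}, attacker uses it={use}:")
        for line in log:
            print("   ", line)
        print("    attacker saw SYN-ACK:", saw)
```

Run without source routing, the SYN-ACK and the RST travel only between the server and the spoofed host and the attacker sees nothing. With a loose source route that names the attacker as a hop, and hosts that honour it, every reply is routed back through the attacker. With source routing rejected, the forged SYN is dropped at the first hardened host and the conversation never starts, which is the point of the advice above.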
Best practices for (small) botnets
December 3, 2009 by Marcos Christodonte II
Check out my new article at SearchSecurity.com where I outline Best practices for (small) botnets.
Short excerpt:
Recent large-scale botnet events, such as those used to disrupt Twitter and Facebook, have been highly publicized in the news. While these high-profile security events have been hard to miss, it’s the smaller, stealthier botnet attacks that may prove to be a greater threat to enterprises.
To take on evolving enterprise defense mechanisms, attackers look for weak spots, and have begun using smaller, less noticeable botnets to evade enterprise safeguards. In this tip, we’ll discuss why these so-called micro-botnets are proving successful, and how to identify and prevent them from doing damage.
CISCO to launch iPhone App
November 22, 2009 by Marcos Christodonte II
Cisco is preparing to launch a new security iPhone app. According to their website, it is the “Cisco® SIO To Go, an Apple iPhone application that puts the power of the Cisco Security Intelligence Operations (SIO) in users’ hands, giving them real-time access to a wealth of actionable global security information no matter where they are. The Cisco SIO iPhone application enables users to personalize alerts to show only those security threats that could impact their network and provides added assurance that they are being protected by their Cisco security solution.”
Some of their planned alerts include:
- Cisco Product Security Incident Response Team (PSIRT) Alerts
- Cisco Intrusion Prevention Systems (IPS) Signatures
- Cisco Applied Mitigation Bulletins
- Cisco Threat Outbreak Alerts
- And many others
Sounds like an interesting App…
Update: App is available now…
Printer Diving
November 21, 2009 by Marcos Christodonte II
I had an interesting conversation this week. A gentleman told me that he frequently sees things on printers that are of interest to him. It’s understandable that people often print new diagrams, org charts, or special project material that others may find interesting. Nothing out of the ordinary there… However, he went further and said that many times he has no idea where the items come from or who they belong to, but if they sit on the printer too long he feels that the documents belong to him.
I found this statement quite humorous at first. Actually, I laughed for a few seconds because I thought he was kidding. As it turns out, he was very serious. I thought about it for a while and realized that this is likely going on all the time in large enterprise environments. A user could print out a sensitive document to a print station, someone grabs it by accident, and then the document owner shows up to nothing at the printer. Thinking that the printer may have malfunctioned, the document owner may re-print it and think nothing else about it. The other person that grabbed it by accident may eventually decide to return the document to the printer. At that point, the document just sits on the printer to be glanced over by anyone using that printer. Someone could then decide to go “Printer Diving” and pick up the sensitive document without a valid need-to-know.
While this may seem a bit trivial since only authorized employees should have access to print stations, let’s not forget about non-cleared visitors, disgruntled employees, competitors, or simply authorized users without a need to know. In that regard, printer diving can be compared to dumpster diving.
Gone Facebook Phishing?
November 4, 2009 by Marcos Christodonte II
The folks at Appriver recently reported that attackers have started a serious campaign against Facebook users. According to their reports, the botnet is sending over 500 phishing messages per second. And get this, along with stealing your Facebook credentials, the botnet prompts unsuspecting users to download what appears to be an “update.” What the user really gets is malware crafted to target bank account and other financial information.
For more information on this attack, visit the Appriver blog.