The Lazy Genius

Security News and Brain Dumps from an IBM Tivoli Security Consultant

Archive for the ‘Uncategorized’ Category

Why The TCP Attack Is Likely Bad, But Not That Bad

Posted by Xavier Ashe on October 3, 2008

There’s been a bunch of new information released over the past few days about the potential big TCP denial of service flaw. The three most informative posts I’ve read are:

  1. Fyodor’s discussion of either the same, or a similar issue.
  2. Richard Bejtlich’s overview.
  3. Rob Graham’s take on the potential attack.

Here’s what I think you need to know:

  1. It is almost certainly real.
  2. Using this technique, an attacker with very few resources can lock up the TCP stack of the target system, potentially draining other resources, and maybe even forcing a reboot (Could this trash a host OS? We don’t know yet.).
  3. Anything that accepts TCP connections is vulnerable. I believe that means passive sniffing/routing is safe.
  4. The attack is obvious and traceable. Since we are using TCP and creating open connections (not UDP) it means spoofing/anonymous attacks don’t seem possible.
  5. Thus, I’d be more worried about a botnet that floods your upstream provider than this targeted attack.
  6. This is the kind of thing we should be able to filter, once our defenses are updated.

From Securosis.com.
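Point 4 above is the defender's handle on this: because the attack works through completed TCP handshakes rather than spoofed packets, the attacker's real address ends up in the target's own connection table. As an added illustration (not code from Securosis or from this blog), here is a small Python script that reads `netstat -ant`-style output and counts open connections per remote address, flagging any source above a threshold. The netstat lines, the addresses and the threshold of 5 are all constructed for the example; the state list and threshold are assumptions you would tune for your own hosts.

```python
import re
from collections import Counter

# Constructed sample in the shape of `netstat -ant` output (documentation
# addresses from RFC 5737, made up for this example; not data from the post).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51002      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51003      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51004      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51005      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51006      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:40001       ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.9:40002       TIME_WAIT
tcp        0      0 192.0.2.10:22           203.0.113.44:33100      ESTABLISHED
"""

# One netstat row: proto, recv-q, send-q, local, foreign, state.
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)$")

# States that hold kernel resources on the accepting side; chosen as an
# assumption for this example, not taken from the post.
OPEN_STATES = ("ESTABLISHED", "SYN_RECV", "CLOSE_WAIT")


def parse_netstat(text):
    """Yield (local_endpoint, remote_ip, state) for each TCP row.

    The header line and anything that does not match the row shape is skipped.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        local, foreign, state = m.groups()
        # Strip the ephemeral port so all connections from one peer aggregate.
        remote_ip = foreign.rsplit(":", 1)[0]
        yield local, remote_ip, state


def open_connections_per_source(text, states=OPEN_STATES):
    """Count connections in resource-holding states, keyed by remote address."""
    counts = Counter()
    for _local, remote_ip, state in parse_netstat(text):
        if state in states:
            counts[remote_ip] += 1
    return counts


def flag_sources(text, threshold=5):
    """Return [(remote_ip, count), ...] for peers at or above the threshold.

    Sorted by descending count, then by address, so the heaviest peer is first.
    """
    counts = open_connections_per_source(text)
    flagged = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for ip, n in flag_sources(SAMPLE_NETSTAT):
        print(f"{ip} holds {n} open connections")
```

On a live host you would feed it the real output (`netstat -ant` or `ss -tan`) instead of the constructed sample. The threshold is the judgement call: a NAT gateway or a busy proxy legitimately opens many connections from one address, so the number that means "attack" depends on what normally talks to the box, and the flagged addresses are a starting point for the filtering the post anticipates, not a verdict on their own.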

Posted in Uncategorized

PCI DSS version 1.2 differences and updates

Posted by Xavier Ashe on October 3, 2008

On October 1, 2008 the PCI SSC released version 1.2 of the PCI DSS requirements. There are a number of changes as outlined previously in the update document. The PCI SSC has established a life cycle process that will ensure the PCI DSS standard is revised and updated on a two year cycle. What follows is a detailed outline of the differences between version 1.1 and 1.2 (some that have not been discussed previously) and the implications of those changes. (Unless otherwise noted, those items in quotations are taken directly from the PCI DSS or the update document linked above.)

Good dissection of the new reg from the PCI Blog.

Posted in Uncategorized

Security metrics: more is not better

Posted by Xavier Ashe on October 3, 2008

The shiny new version of SP800-55, renamed “Performance Measurement Guide for Information Security”, takes a rather different tack but is still quite long (80 pages in total, half of which are appendices). I suspect the primary reason for its existence is to support FISMA (the US Federal Information Security Management Act, essentially a set of information security policies mandated in law for US Government agencies) by imposing a standardized set of metrics that can be used to benchmark agencies and force the laggards to pull their socks up. It remains a highly bureaucratic and costly response to a genuine management problem.

Another draft NIST standard, SP800-80 “Guide for Developing Performance Metrics for Information Security”, emphasises the process of developing and implementing security metrics. It includes a shorter list of STTCBM (‘candidate metrics’), but again takes a database approach with forms in the appendices characterising the metrics by ‘metric type’, ‘frequency of collection’ etc., details which, by the way, are organization and implementation-specific and really not that hard for grown-up security managers to figure out for themselves.

Read the full article on the (ISC)2 Blog.

Posted in Uncategorized

TSOM 4.1.1 Available

Posted by Xavier Ashe on August 27, 2008

Tivoli Security Operations Manager V4.1.1 is now available. To download this updated release, support-entitled customers should access the Passport Advantage Customer download site.

Tivoli Security Operations Manager V4.1.1 has been updated to include the following:

Additional Platform Support

* Added Windows 2003 SP2 64
* Added Red Hat Linux 5.x

Integration

* Tivoli Change and Configuration Management Database integration via Tivoli Application Dependency Database Manager
* IBM Tivoli License Manager Support
* IBM Support Assistant Support

New Capabilities / Enhancements

* IPv6 Tolerance
* LDAP Authentication
* Compliance Reports for PCI

Posted in Uncategorized

Performance Measurement Guide for Information Security

Posted by Xavier Ashe on July 30, 2008

NIST is pleased to announce the release of NIST Special Publication 800-55, Revision 1, Performance Measurement Guide for Information Security. This publication provides assistance in developing, selecting, and implementing security performance measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting information security programs.

Click here to download the PDF.

Posted in Uncategorized

The Internet is Broke – Check your DNS server to see if you’re vulnerable

Posted by Xavier Ashe on July 9, 2008

Wow. It’s out. It’s finally, finally out.

Sweet!

So there’s a bug in DNS, the name-to-address mapping system at the core of most Internet services. DNS goes bad, every website goes bad, and every email goes…somewhere. Not where it was supposed to. You may have heard about this — the Wall Street Journal, the BBC, and some particularly important people are reporting on what’s been going on. Specifically:

  1. It’s a bug in many platforms
  2. It’s the exact same bug in many platforms (design bugs, they are a pain)
  3. After an enormous and secret effort, we’ve got fixes for all major platforms, all out on the same day.
  4. This has not happened before. Everything is genuinely under control.

I’m pretty proud of what we accomplished here. We got Windows. We got Cisco IOS. We got Nominum. We got BIND 9, and when we couldn’t get BIND 8, we got Yahoo, the biggest BIND 8 deployment we knew of, to publicly commit to abandoning it entirely.

It was a good day.

CERT has details up, and there’s a full-on interview between myself and Rich Mogull up on Securosis. For the non-geeks in the audience, you might want to tune out here, but this is my personal blog and I do have some stuff to mention to the crew.

Read more from the man of the hour, Dan Kaminsky. You can check to see if your nameserver is vulnerable at DoxPara. Word is he will release details of this vulnerability at BlackHat in a few weeks.

Posted in Uncategorized

Pass-the-Hash still works on XP SP3

Posted by Xavier Ashe on June 30, 2008

Ok, so Windows XP SP3 is out.

With this new version:

whosthere-alt.exe still works without requiring any modifications.
whosthere.exe does not work because this is the more ‘gentle’ and ‘stealth’ :) version of the tool and requires precise memory addresses.

But that’s why I released the passthehash.idc IDA script; so you can easily get these addresses yourself.

And that’s also the reason why the new version of whosthere.exe has a new -a switch that allows you to specify these addresses without having to recompile the tool.

This new version is going to be released soon, but if you want it right now, email me (please, try to email me if you REALLY need it :) ).

I haven’t tested iam/iam-alt but the same thing observed with whosthere/whosthere-alt should apply to these tools.

In case you were wondering, the new addresses you need for Windows XP SP3 English are:

whosthere -a 75753BA0:7573FDEC:757D0C98:757D0CA0:757CFC60:757CFE54

From Hexale’s Blog. Download the Pass-the-Hash Toolkit.

Posted in Uncategorized

Videos of Hacker Cons

Posted by Xavier Ashe on June 27, 2008

Almost every security conference we’ve attended in the last year has uploaded videos from their speaker tracks. Explore the archives below, and you’re bound to find an interesting talk.

Found on Hack-a-day.

Posted in Uncategorized

IBM releases FISMA add-on for Tivoli Compliance Insight Manager (TCIM)

Posted by Xavier Ashe on June 9, 2008

IBM has released a module for its IBM Tivoli Compliance Insight Manager that watches traffic for compliance with the Federal Information Security Management Act. The FISMA Compliance Management Module includes automated log collection, a compliance dashboard, regulatory compliance reports and report distribution. Agencies can generate FISMA-specific reports using the module’s policy and report definition engines. It can be used as a part of an agency-wide program to ensure FISMA compliance, according to the company.

Government Computer News picked this one up.

Posted in Uncategorized

'Unbreakable' BD+ Blu-ray protection cracked

Posted by Xavier Ashe on November 9, 2007

A software firm reckons it has definitely cracked the forthcoming BD+ copy protection on Blu-ray discs even though Sony says it has beefed up the protocols involved.

Confident developer SlySoft says it has the ability to get round the Blu-ray camp's latest security protocol – despite its latest AnyDVD software only cracking Blu-ray's older security system, AACS (Advanced Access Content System). Currently, Blu-ray disks are digitally encrypted using that system, also used by the HD DVD camp. But BD+ is a new layer of security that is exclusive to Blu-ray.

Blu-ray: not so tough

“We already found a way to crack BD+ and we have just turned to fine-tuning,” said James Wong, SlySoft's head of development in a statement. “I should really think about hiring a bodyguard now, since this product won't please everybody.”

Read the full article on Tech.co.uk.

Posted in Uncategorized