Malware Can Spread Through Software Updates

We have seen exploits in plug ins & apps are helping hackers to find vulnerabilities & intrude inside a secured system or a network, I came across the news from cnet.com which says that two researchers from Israeli security firm Radware have found out a way which gives access to a computer by updating any software mostly affects the Skype &  other applications.

This is terrible, It raises a question that we should download an update or not ? according to these two geeks named Itzik Kotler and Tomer Bitton more than hundred applications can be targeted from cnet.com downloads, which is one of the most trusted downloading site for all  Internet users.

The tool is named as ippon (Means ‘Game Over’ in the game of Judo), It gives 3d View pf user who is trying to connect to the update server.

It scans the local Wi-Fi Network & checks whether any victim is trying to check updates through HTTP requests, it detects the victim & try to reply before the update server & gains command over the updates.

According to the makers the Microsoft browser is not vulnerable to this Malware attack as it uses digital signature to check for update. And they are yet to test Firefox & other major browsers which could possibly go under this Malware threat. What is more important that they have shown a security companies another hole to secure for.

Software basically sends message that ‘Updates are available’, when user accepts request they send infected piece of code to that Vitim, which gives them command over  any PC.

So folks, think twice before using a public wi-fi (specially the unsecured one)

The Importance Of Using A Vulnerability Scanner For Security


One aspect of network security that is often overlooked is checking a network for issues using a vulnerability scanner. Vulnerabilities are issues, weaknesses or misconfiguration in software that an attacker can exploit to gain unauthorized access to his victim’s system. Through the use of a vulnerability scanner, these issues are pinpointed and reported to the administrator.

Perhaps the primary reason why vulnerability scanning is taken for granted is because vulnerabilities are considered to be issues which are fixed through patch management. It is a common misconception that with a patch management strategy, the vulnerabilities found on the network are also being taken care of. This is partially true when considering how a chunk of vulnerabilities are in fact software issues that are fixed by patching, however it is not always the case. Vulnerabilities can be caused by mis-configurations, software that is inherently problematic or even software issues for which the vendor has not yet released a patch.

What can we do about vulnerabilities?

The first step is to see if your system does in fact have any vulnerability. For this you need to use a vulnerability scanner or, although not recommended if your budget is limited, you can run a vulnerability scan manually.

Running a vulnerability scan manually:

It is possible to do a vulnerability assessment without the use of any software, although this will have an intrinsic amount of inaccuracy and will be very time consuming. In order to determine if there are vulnerabilities on your network through a manual vulnerability scan, you should first get a list of applications / services installed on your network. Once the list is available, check each software’s official site to see if there are any issues / insecurities reported by the vendor. Some vendors will also offer guides on how their application should be configured securely. Generally, such guides will also contain information on what configuration options to avoid. This information is very useful and it is definitely a good idea to read them. The next step is to check vulnerability database sites for the latest lists. Sites like the National Vulnerability Database and Bugtraq are a central location for known vulnerabilities – checking these sites regularly in relation to what software is running on your network is highly important.

Running a vulnerability scan using a vulnerability scanner:

A more effective way to do vulnerability scanning is through the use of a vulnerability scanner. These scanners will have a database of vulnerabilities that is automatically updated by the vulnerability scanner vendor whenever a new vulnerability is discovered. An administrator can set up the scanner to automatically scan the network periodically and issue reports when a new vulnerability is detected. It might also offer remediation options or a detailed description of what is causing the vulnerability and what should be done to fix that vulnerability.

Regardless of whether you run a vulnerability scan manually or using a vulnerability scanner, your network should be monitored for vulnerabilities.  Most vulnerabilities will lead to a system compromise of some degree which in turn can result in serious consequences for the business.  Vulnerability scanning is a preventive measure that can potentially save your business’s reputation and assets.

 

This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information: GFI vulnerability scanner

*All product and company names herein may be trademarks of their respective owners.

 

 

Unobtrusive Mapping of Network

Networks are generally mapped with almost no knowledge, from far much away from the actual network we gather information and interpret the network topology is known as Black Box. In this case, cracker initiate with IP address of server or URL of the website of victim organization.

Ethical hacker must aware of Zone Transfer detailing, mail headers reading and some Denial of Service Attacks.  From the passive information that is gathered about network is well formatted and records of zone transfers, Route Tracing by breaking mail headers and reverse lookups one can map the topology of network.

Following information gets exposed through such enumerating:
IP addresses of Web servers
IP addresses of Mail servers
IP addresses of DNS servers

Many secure networks create sub-nets their information which is also called as masking IP addresses, which reduces direct exposure of these IP addresses.

Any simple secure gateway of network can be made of following

Secure gateways.
Web services.
FTP services.
Mail services.
Secondary security systems, such as IDS.
And Backup servers.

By simply examining the host and network, there are many design characteristics associated with different types of technology which makes it easier for attackers and also ethical hackers to create a perfect network map. Unobtrusive Mapping of Network gives out much information about servers and IP addresses.

Hope you have liked this article, to know more about Zone transfers, mail headers & reverse lookups ask your questions here in comments.

Purpose of Scanning the Network: Stealth Attacks

Examine the purpose of network scanning is to gather the information about the victim’s network. Various network mapping tools and techniques are there which an ethical hacker has to go through for performing network scanning.

Every cracker (Criminal Hacker) first surely wanted scan any network, and every intelligent one first think about ‘How his attack will go unnoticed by the Network security administrator’ He wanted to hide himself. (of course if he is committing a crime he don’t wish to go to jail)

Reducing suspicion on Network   – If because of attacker any kind of alert has been announced each and every network activity will be traced more strictly, which makes it harder for attacker to intrude further. (But Not Impossible)

Remaining unnoticed through out the attack – Cracker’s attack can be done successfully and easily only if his every activity is remained unnoticed. Any intelligent cracker will therefore certainly use the stealthiest tools and techniques
available to minimize the likelihood of discovery.

To increase the stealth he can use wide range of attack techniques which are as follows:
Log files can be inspected manually.
Scanning and enumerating over a long period of time. (Means should not be frequent)
Avoiding programmed thresholds in security tools.
Advanced operating mode of tools provides different level of stealth.

A very visible intrusion technique is considered as High Risk technique, where as a technique subjected to discovery by a skilled administrator or well configured security device is considered as Medium Risk Level. Attack which can not at all be detected is termed as Low Level attack.

So, this is how stealth attacks are done by crackers. Knowledge of such techniques can surely help any Network Security Administrator and Ethical hacker to protect network by scanning.

Packet Sniffing Attack & Vulnerable Ethernet Communications – II

Continues From Last Post  . . .

So each machine has unique identification to send and receive data and avoid the confusion. This doesn’t happen with dial-up modems; because it is assumed that any data you send to the modem is destined for the other side of the phone line. But when you send data out onto an Ethernet wire, you have to be clear which machine you intend to send the data to.

In many cases we can analyze today that mostly to machines make communication to each other and few scenarios are like a conference But Ethernet is designed to share plenty of machines to covers together. This is accomplished by putting a unique 12-digit hex number in every piece of Ethernet hardware.sniffer

This is so important from the aspect of data and information security. Ethernet was designed to carry other traffic than just TCP/IP, and TCP/IP was designed to run over other wires (such as dial-up lines, which use no Ethernet).

NETBEUI is something that many home users use to share files or data. This does not use TCP/IP protocols to transfer the data. It makes harder for intruders to hack the data.  Raw transmission and reception on Ethernet is governed by the Ethernet equipment. You just can’t send data raw over the wire; you must first do something to it that Ethernet understands. In much the same way, you can’t stick a letter in a mailbox, you must first wrap it in an envelope with an address and stamp. This is what used in traditional TCP/IP Architecture.

So this is how sniffing attacks get vulnerable to Ethernet.  There are many techniques which gives internet and networks a flexibility through Ethernet is exploited by the use of packet sniffing.

This is not just a dark side, all packet sniffers can be detected even if they have stealth inside them. Also Non promiscus mode conversion can be a great way to stop all types of  packet sniffing attacks.

Packet Sniffing Attack & Vulnerable Ethernet Communications – I

A wire-tap device that plugs into computer networks and eavesdrops on the network traffic is known as the Packet Sniffer or protocol analyzer. Same as we tap any phone call this sniffing allows us to listen to communication between two or more computers.

Computer conversations consist of apparently random binary data. Therefore, network wiretap programs also come with a feature known as “protocol analysis”, which allow them to “decode” the computer traffic and make sense of it. We don’t directly need to break in to actual communication, we can install device on network and tap other network’s conversation which is the other advantage of packet Sniffer.

This shared technology is known as promiscus mode in sniffing, but bad news for black hats is this shared technology is getting transferred to Non-promiscus mode which is making it harder for intruder to install the sniffing programs.Internet is place where no place is available to see the all communication. Means we need to concentrate on single communication at a time. This architecture of internet prevents any single point of packet sniffing.

Packet Sniffing
Packet Sniffing

If we have two machines in our own office talking to each other, and both are on the Internet. They take a direct route of communication, and the traffic never goes across the outside public portion of the Internet. Any communication anywhere in the net follows a similar “least-cost-path” principle.  Ethernet was built around a “shared” principle: all machines on a local network share the same wire.

This scenario implies that all the machines are able to “see” all the traffic on the same wire. Therefore, the next Ethernet hardware is built with a “filter” that ignores all traffic that doesn’t belong to it. It does this by ignoring all frames whose MAC address doesn’t match their own. A wiretap program effectively turns off this filter, putting the Ethernet hardware into “promiscuous mode”. MAC works on non promiscus mode and so only that traffic can be heard who is on same Ethernet wire. Like victim and intruder should share same Ethernet wire to make any attack possible.

To be Continued in Next Post . . .

Detection of Network Responses Through Various Symptoms

We may receive following four types of states which can allow us to read response of the network connection, that whether it was accepted or why and where it was rejected, dropped or lost.

No Response – If no packet is received, then there is a chance that original packet have not reached its predefined destination IP address. Other chance is any security devices planted in between my have securely dropped the packet.

RST/ACK – If a RST/ACK packet is received, the packet was either rejected by the IP stack installed on the host, or by an security device (e.g. a Checkpoint reject) installed on host.

SYN/ACK – If a SYN/ACK is received, then the port from which the response was received may be open for connection.

ICMP type 13 – If an ICMP type 13 packet is received, then administrator on host has prohibited this type of connection. (High Level of Security) often a router will use this response to implement it’s ACL security policy.

  
So when we hping some FTP or TCP on any host we should receive ICMP or RST/ACK response. But if we are getting flagged RA response over hping, then it must be noted that any kind of security device is installed on in-between the port and intruder.

Such responses are very cleverly analyzed by ethical hackers to perform further scan and secure their systems with a black box.

IP Spoofing Attack

Internet Protocol i.e IP addresses are unique and used for digital data communication for internet. Any mailing system or website technology works on the same principle of digital communication.

IP Spoofing
IP Spoofing

Every computer connected to Network have its unique IP address.

When Person A sends an email  to person B, The mail is assigned with the header which contains the IP’s of sender and Reciver so that mail can go to the same person B and not to some one else.

Now in a private network for security reasons limited mails are accpeted from reserved IP’s.

In Simple word only internal communication can be worked. Person from outside can’t send mail in that network.

So if attacker wants send the mail inside, He will spoof the IP.

He first will sniffs the data packets in the internal communication adn steal some internal email.

Then he will perform changing in header of the mail. he will change content of the mail and send this mail to network again.

System cant provide security against this because it have internal fake IP.

This is how fake IP  is created and attack of spoofing is done.

Thank You all For Reading.

Security with Data Encryption

You might have heard this term many times before but what it is actually? I am trying to explain it here in a small funny scenario.

 

Person A has to send message to B. and some person wanted that message too we name it Mr. X.

 

A wrote the letter and send it B by mail. Now Mr. X get this message by any ways. He reads message and secret in it is revealed.

 

Next time A writes massage in secret words (Encryption) and if now Mr. X gat that message he can not understand what is written. Or get fooled by wrong message and the secret is saved.

 

Ok. Let me explain now data encryption with above scene.

I have a message, I encode it with some key which is known to A and B both.

 

How key works?

Well these are the normal words we use.

ABCDEFG

I encrypt it with Key 2. Now the words become. CDEFGHI

A-> C , B ->D and so on…

 

By this way data get encrypted and third person can’t read if he don’t know the key.

 

By same encryption method, on the networks data get transferred with secured communication. Even if data loss takes place, the data is of no use without decryption.

 

In figure, you can see data first get encrypted with key. The encrypted data is known as Cipher Text. Then with same key, receiver decrypts data and secure transfer takes place.

 

This encryption and decryption is done with the help of programs or clipper chips generally. And they have to be installed on both senders

And receiver end.

 

Hiding Your Computer on the Internet

When you use internet, you are connected to millions of PC’s out there. And each PC have its own unique address known as Static IP Address. This gives your identification by locality.

Without a firewall, on a typical computer, even if well maintained, a remote person will still be able to know that the communication effort has reached some computer, and perhaps some information about the operating system on that computer. If that computer is handled well, the remote user will not be able to get much more information from your computer, but might still be able to identify also who your ISP is, and might decide to invest further time in cracking into your computer.
With a firewall, you can set the firewall so that any communication effort from remote users (in the better firewalls you may define an exception list) will not be responded at all. This way the remote user will not be able to even know that it reached a live computer. This might discourage the remote attacker from investing further time in effort to crack into your computer.

Again there is one more security confirmation you can do is running is  operating behind proxies. It is the safest method but sometimes all web pages can not be surfed So selecting a firewall can be a good idea.

Amol Wagh