Information Security all in one place!

Network Security News

Continue to Network! Always…


Exciting information to share!! KrowTen Security is proud to announce its affiliation with WildPort Security. WildPort is an Information Security firm that delivers top-notch support and services to match. They specialize in network assessments and measuring security performance. Check them out http://wildportsecurity.com

Big things coming from these two companies. Stay tuned…..

Advertisements

Back in Action


KrowTen has been off for awhile. Getting established and learning new things. Stay tuned! Lots of info on the way.


Kaspersky Labs: New Generation of Ultimate PC Protection; for Home


Kaspersky Lab, a leading developer of secure content and threat management solutions today announced a new version of its flagship product for at-home PC protection — Kaspersky PURE 2.0 Total Security. Using Kaspersky Lab’s award-winning anti-malware protection and an array of additional security tools, Kaspersky PURE 2.0 Total Security is the easiest way to keep multiple PCs secure, irreplaceable digital assets protected, and children safe and responsible online.

Central Home PC Management

Ideal for households with multiple computers, including families with children, Kaspersky PURE uses Home Network Management to easily protect, manage and monitor every PC in the household from a single machine.

From one PC, you can:

— Run all scans, updates, and backup tasks on every PC in the house automatically or on-demand

— Fix security issues without getting up from your desk

— Manage parental controls from anywhere in the house, so your kids are protected even when they’re out of view

— Conveniently update the Kaspersky PURE licenses throughout your home

Total Package of Security Tools

Kaspersky PURE also includes everything you need to secure your online identity and protect your irreplaceable digital property. When you install Kaspersky PURE, our extra layers of security mean you can say good-bye to overpriced and inefficient niche products.

This is great work. I am demoing the product now and will post my review shortly. Very excited about how this will shape the home and small business central management landscape. Will vendors pile on?

 

More on this breaking news can be found here: http://www.marketwatch.com/story/kaspersky-lab-announces-new-generation-of-ultimate-pc-protection-for-your-home-2012-03-26


NSA: Ultimate Internet Spy Center


The NSA‘s new spy center will see everything

Imagine a massive supercomputer in the desert, watched around the clock by armed guards, capable of intercepting and decrypting virtually every piece of information in the world. Sounds like science fiction doesn’t it? Well, according to Wired, the NSA is in the process of building just such a place, and they’ve madeleaps and bounds of progress at breaking the standard AES encryption algorithm that keeps your emails and other private information secure.

This new surveillance center is being constructed in the Utah desert, near a town called Bluffdale. When it’s finished, you’ll be able to fit five US Capitols inside, and most of that space will be occupied by supercomputers capable of storing more data than you can even imagine (you can imagine a lot, can’t you?). Your private emails, Google searches, receipts, travel information – pretty much ever scrap of data generated – will be stored here, while sophisticated software sifts through it in search of anything remotely suspicious.

More on this interesting story here: http://www.neowin.net/news/the-nsas-new-spy-center-will-see-everything


Network Scanning: Concerns and Countermeasures


 

Network Scanning Concerns and Countermeasures

Daniel Saucier (Student of the InfoSec Industry, March 2012) – Network vulnerability scanning can not be more important than it is, right now in this day and age of internet computing. As technology grows the architectures are not catching up quite as fast as most would like. This article written below assumes you have basic networking knowledge, and assumes no responsibility for actions taken from this article. It’s sole purpose is to educate the savvy portion of the internet community with different protection types and threat preventive measures for today’s networking environments.

Different IP network scanning methods allow you to test and effectively identify vulnerable network components. Here is a list of effective scanning techniques and there applications: These options can be found in most advanced configuration options on most downloadable network scanners.

ICMP scanning and Probing:

>| By launching an ICMP ping sweep, you can effectively identified poorly protected hosts ( as security conscious administrator such as myself, filter inbound ICMP messages) and perform a degree of OS fingerprinting and reconnaissance by analyzing responses to the ICMP probe.

Half-open SYN flag TCP port scanning:

>| A SYN port scan is often the most effective type of port scan to launch directly against a target IP network space. SYN scanning is very fast, which allows large networks to be scanned rather quickly.

Inverse TCP port scanning:

>| Inverse scanning types (particularly FIN, XMAS, and NULL) take advantage of idiosyncrasies in certain TCP/IP stack implementations. This scanning type is not useful for large networks. Use this scan type for testing individual host or small network segments‘ security. Make sure your code is as up to date as possible and apply any manual workarounds to protect gear from this type of scan. Some if not all of these type of scans identify weak components because of the cost of business.

Third-party TCP port scanning:

>| Using a combination of vulnerable network components and TCP spoofing, third-party TCP port scans can be effectively launched. Scanning in this fashion has two benenfits: hiding the true source of the TCP scan and assessing the filters and levels of trust between hosts. Although time-consuming to undertake, this can be proved to be very effective when applied correctly.

UDP port scanning:

>| Identifying accessible UDP services can be undertaken easily, only if ICMP type 3 Code 3 (“Destination port unreachable”) messages are allowed back through filtering mechanisms that protect target systems. UDP services can sometimes be used to gather useful data or directly compromise hosts (the DNS, SNMP, TFTP, and BOOTP services in particular). Make sure you are locking these down!!

IDS evasion and filter circumvention:

>| Intrusion detection systems and other security mechanisms can be rendered ineffective by using multiple spoofed decoy hosts when scanning or by fragmenting probe packets using Nmap or fragroute. Filters such as firewalls, routers, and even software (IPsec) can sometimes be bypassed using specific source TCP or UDP port, source routing, or stateful attacks.

Using the different scanning methods mentioned above you can harden you network pretty well, however. Change is always a factor, what if you need to undertake a major network overhaul and start exposing different types of protocols to the network. The following list will help you when considering modifications to your components and minimize risk of re-exposing vulnerable services.

>| This list could be used as a baseline, guideline in some cases on any network configuration.

  1. Filter inbound ICMP message types at the border, or perimeter if you DMZ any servers on any routers and firewalls. This will force an attackers to use full-blown out TCP scans against all of your IP addresses to map effectively.
  2. Filter all outbound ICMP type 3 “unreachable” messages at the edge routers and firewalls to prevent UDP port scanning and firewalking from being effective. Firewalking – process of identifying firewalls in the scanning enumerations
  3. Consider configuring Internet firewalls so they can identify ports scans and throttle the connections accordingly. You can configure such as Check Point, NetScreen, and Watchguard appliances to name a few to prevent fast port scans and SYN floods from being launched against your network. However, this can back fire if the attacker is using a spoofed source address, resulting in DoS. PortSentry as an Open Source option is pretty effective as well in identifying scanns against your network.
  4. Asses the way that your network firewall or IDS devices handle fragmented IP packets by using tools such as fragtest and fragroute. Such devices can be taken down by being flooded with high volumes of fragments being processed. Bring your findings to the vendors attention……
  5. Ensure that your routing and filtering appliances (both routers and firewalls) can’t be bypassed using specific source ports or source routing techniques.
  6. If you run FTP services; ensure that your firewalls aren’t vulnerable to stateful circumvention attacks relating to malformed PORT and PASV commands
  7. If a commercial firewall is being used, ensure the following:
  • Latest code is installed, consider replacement is you can not comply
  • Antispoofing rules have been correctly defined so that the device doesn’t accept packets with private spoofed source addresses on its external interfaces

8.  Investigate the use of reverse proxy services if high security is a must. Fragments and malforms are not getting  by these guys, thus mitigating low level recon.

Wrapping up this article I would like to mention; be aware of your own network configurations and its publicly accessible ports by launching TCP and UDP port scans along with ICMP probes against your own IP address space. It really is surprising how many companies large and small still do not undertake proper scanning exercises.

Happy Hardening!

-DS


Adobe: Out of Band Flash Player Fixes


From SophosLabs: on March 6, 2012 

Adobe has released a critical update for Flash Player versions 11.1.102.62 and earlier for Windows, OS X, Linux and Solaris and versions 11.1.115.6/11.1.111.6 and earlier for Android.

The patch addresses two CVEs in Flash Player, CVE-2012-0768 and CVE-2012-0769, both reported to Adobe by Google researchers.

Chrome users should restart their browser as soon as possible as Google has automatically provided the fix in the latest Chrome update.

Non-Chrome browser users can get the latest version (11.1.102.63) by surfing to http://get.adobe.com/flash and running the installer for your platform.

Android users should visit the Android Marketplace and search for Adobe Flash Player. iOS users don’t need to worry as Apple devices don’t work with Flash :)

CVE-2012-0768 is a memory corruption vulnerability that could lead to remote code execution by exploiting a flaw in Matrix3D.

CVE-2012-0769 is an information disclosure vulnerability as a result of integer errors in Flash Player.

As always we recommend deploying these updates as soon as possible. While we do not have any evidence of these flaws being exploited in the wild, past patterns indicate it won’t be long.

More Here: http://nakedsecurity.sophos.com/2012/03/06/adobe-ships-critical-out-of-band-flash-player-update/


Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers


Cisco WLCs and Cisco WiSMs are responsible for system-wide wireless
LAN functions, such as security policies, intrusion prevention, RF
management, quality of service (QoS), and mobility.

These devices communicate with controller-based access points over any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight Access Point Protocol (LWAPP) and the Control and Provisioning of Wireless Access Points (CAPWAP) protocol.

The Cisco Wireless LAN Controller (WLC) product family is affected by
the following vulnerabilities:

* Cisco Wireless LAN Controllers HTTP Denial of Service Vulnerability
* Cisco Wireless LAN Controllers IPv6 Denial of Service Vulnerability
* Cisco Wireless LAN Controllers WebAuth Denial of Service Vulnerability
* Cisco Wireless LAN Controllers Unauthorized Access Vulnerability

Cisco has released free software updates that address these vulnerabilities. Workarounds are available that mitigate some of these vulnerabilities.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-wlc

Affected Products

The Cisco WLC product family is affected by multiple vulnerabilities. Affected versions of Cisco ASA Software vary depending on the specific vulnerability.

Vulnerable Products

Each of the following products is affected by at least one of the vulnerabilities covered in this Security Advisory:

* Cisco 2000 Series WLC
* Cisco 2100 Series WLC
* Cisco 2500 Series WLC
* Cisco 4100 Series WLC
* Cisco 4400 Series WLC
* Cisco 5500 Series WLC
* Cisco 500 Series Wireless Express Mobility Controllers
* Cisco Wireless Services Modules (WiSM)
* Cisco Wireless Services Modules version 2 (WiSM version 2)
* Cisco NME-AIR-WLC Modules for Integrated Services Routers (ISRs)
* Cisco NM-AIR-WLC Modules for Integrated Services Routers (ISRs)
* Cisco Catalyst 3750G Integrated WLCs
* Cisco Flex 7500 Series Cloud Controllers

Measures to mitigate these risks can be found here: http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120229-wlc