http://securitythreat.info bringing you the latest internet security and computer security threat headlines and resources Fri, 18 May 2012 01:56:17 +0000 http://backend.userland.com/rss092 en http://securitythreat.info/online-security/feds-considering-allowing-dvd-encryption-cracking/ http://securitythreat.info/online-security/justice-dept-defends-public%e2%80%99s-constitutional-%e2%80%98right-to-record%e2%80%99-cops/ http://securitythreat.info/online-security/justice-dept-defends-public%e2%80%99s-constitutional-%e2%80%98right-to-record%e2%80%99-cops/
Anyone else see this kind of behavior?




Over the past week another couple of readers have written in reporting issues accessing the ISC web page. The SANS NOC reports that RFC-1323 timestamps were getting scrubbed by our firewall to prevent information disclosure, but the checksum wasn't being updated. The packet wassubsequently dropped by the end device.

This appears to be impacting users using Bluecoat web proxies. We will have more to post on this topic throughout the day.




RFC1323 describes TCP extensions used to improve performance over high delay networks and high speed networks

These include Scaled Window Options, Round Trip Time Measurement (RTTM), and protection against Wrapped Sequence Numbers (PAWS)

Scaled window options are implemented by bit shifting the 16bit window field into a 32 bit field by adding an option indicating how many placeholders to shift (or multiply by) to get the real window size. Recall the window size is how many bytes a node can buffer before it needs the transmitter to slow down.

TCPDump displays this option as WS=6 for a factor of 6 in the TCP options

Wireshark displays this option as for example: Window Scale: 7 (Multiply by 128)

Round Trip Time Measurement (RTTM), or TCP option 8 contains a Timestamp value or TSval set by the sender with its sending time, a 32 bit value, and Timestamp Echo Reply (TSecr) which is only valid if the accompanying ACK TCP flag is set. This 32 bit value echos a time stamp value set by the other or remote host in a TCP session. These values are tracked over time to estimate and adapt to changing traffic conditions.
PAWS provide a simple mechanism to reject old duplicate segments that might corrupt an open TCP connection. It uses the same timestamps in RTTM, The basic idea is that a segment can be discarded as an old duplicate if it is received with a timestamp less than some timestamp recently received on this connection.
Here is what Bluecoat has to say on the topic: https://kb.bluecoat.com/index?page=contentid=FAQ1006

PAWS is looking for the timestamp to be advancing and is used to keep as much data in transit as possible between communicating hosts.



The risk to data transport in this case is if two hosts or their intermediaries cant negotiate a common method of communicating with or without these options. This can happen with firewalls, as in our case, or incompatible endpoints. It is interesting to note that Windows implemented these options in Windows 2000, but did not enable them by default until Windows 2008.
Dan

SANS Internet Storm Center Handler
Update:

----------------------------------------------------------

Some References I used to look into this today:

The RFC: http://www.ietf.org/rfc/rfc1323.txt

http://www.networksorcery.com/enp/protocol/tcp/option008.htm

http://packetlife.net/blog/2010/aug/4/tcp-windows-and-window-scaling/

http://www.ecr6.ohio-state.edu/window-scaling.html

technet.microsoft.com/en-us/library/bb726965.aspx

technet.microsoft.com/en-us/library/bb878127.aspx

This is by no means an exhaustive article on this topic, it is just a beginning, I will look to other handlers to fill in the gaps as well as look into it more as time goes on.




(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.]]> http://securitythreat.info/sans-internet-storm-center/odd-dns-replies-from-10-nets-and-rfc1323-impacting-firewalls-tue-may-15th/
Anyone else see this kind of behavior?




Over the past week another couple of readers have written in reporting issues accessing the ISC web page. The SANS NOC reports that RFC-1323 timestamps were getting scrubbed by our firewall to prevent information disclosure, but the checksum wasn't being updated. The packet wassubsequently dropped by the end device.

This appears to be impacting users using Bluecoat web proxies. We will have more to post on this topic throughout the day.




RFC1323 describes TCP extensions used to improve performance over high delay networks and high speed networks

These include Scaled Window Options, Round Trip Time Measurement (RTTM), and protection against Wrapped Sequence Numbers (PAWS)

Scaled window options are implemented by bit shifting the 16bit window field into a 32 bit field by adding an option indicating how many placeholders to shift (or multiply by) to get the real window size. Recall the window size is how many bytes a node can buffer before it needs the transmitter to slow down.

TCPDump displays this option as WS=6 for a factor of 6 in the TCP options

Wireshark displays this option as for example: Window Scale: 7 (Multiply by 128)

Round Trip Time Measurement (RTTM), or TCP option 8 contains a Timestamp value or TSval set by the sender with its sending time, a 32 bit value, and Timestamp Echo Reply (TSecr) which is only valid if the accompanying ACK TCP flag is set. This 32 bit value echos a time stamp value set by the other or remote host in a TCP session. These values are tracked over time to estimate and adapt to changing traffic conditions.
PAWS provide a simple mechanism to reject old duplicate segments that might corrupt an open TCP connection. It uses the same timestamps in RTTM, The basic idea is that a segment can be discarded as an old duplicate if it is received with a timestamp less than some timestamp recently received on this connection.
Here is what Bluecoat has to say on the topic: https://kb.bluecoat.com/index?page=contentid=FAQ1006

PAWS is looking for the timestamp to be advancing and is used to keep as much data in transit as possible between communicating hosts.



The risk to data transport in this case is if two hosts or their intermediaries cant negotiate a common method of communicating with or without these options. This can happen with firewalls, as in our case, or incompatible endpoints. It is interesting to note that Windows implemented these options in Windows 2000, but did not enable them by default until Windows 2008.
Dan

SANS Internet Storm Center Handler
Update:

----------------------------------------------------------

Some References I used to look into this today:

The RFC: http://www.ietf.org/rfc/rfc1323.txt

http://www.networksorcery.com/enp/protocol/tcp/option008.htm

http://packetlife.net/blog/2010/aug/4/tcp-windows-and-window-scaling/

http://www.ecr6.ohio-state.edu/window-scaling.html

technet.microsoft.com/en-us/library/bb726965.aspx

technet.microsoft.com/en-us/library/bb878127.aspx

This is by no means an exhaustive article on this topic, it is just a beginning, I will look to other handlers to fill in the gaps as well as look into it more as time goes on.




(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.]]> http://securitythreat.info/sans-internet-storm-center/odd-dns-replies-from-10-nets-and-rfc1323-impacting-firewalls-tue-may-15th/ http://securitythreat.info/sans-internet-storm-center/isc-stormcast-for-tuesday-may-15th-2012-httpisc-sans-edupodcastdetail-htmlid2533-tue-may-15th/ http://securitythreat.info/sans-internet-storm-center/isc-stormcast-for-monday-may-14th-2012-httpisc-sans-edupodcastdetail-htmlid2530-mon-may-14th/ One of the areas that I've been looking at and following even more intently recently have been all the Exploit Kits. I refer to things like Incognito, Blackhole, Crimepack, and many more.
Let me give you a couple external references to go read in case you have no idea what I am talking about:
Brian Krebs has some blog posts here and hereabout some updates to it. But for a basic explanation of how the blackhole kit exploits you, the end user, I suggest this pdf here.
The Blackhole exploit kit in particular is very actively developed and changes rapidly to things that block its exploit methods. Trust me. As a person who follows all the particular versions of these exploit kits, they change just about weekly.
You can be exploited by various kit by simply going to a website where some injected code rests on the page (you'll never see it - this is what we call a drive by), receiving some spam (Linkedin, USPS, UPS, I've even seen fake Pizza Delivery emails delivering things like the Pheonix Exploit kit) that redirects you to a landing page, receiving spam with an html/htm email attachment.. The possibilities are essentially endless on how you can wind up on an exploit kit landing page.
Once on the landing page, there are lots of different ways that the exploit kit figures out how to take over your computer, but the basic point of the landing page is which piece of software didn't this user patch?. Vulnerabilities in browsers, java, even the delivery of a pdf to exploit a vulnerable version of Adobe Reader.
These kits are all over the place, and most likely, you are going to run into one of these (if you haven't already).
I basically have three pieces of advice for you.
1) Don't open spam, or click on links inside of spam, or generally just be careful of the sites you go to. If you are reading this webpage, you know there is a 'wild west' to the Internet. Be careful.
2) Patch. Everything. Java, browsers, OS, Adobe Reader, etc. Everything. I literally cannot stress the importance of this enough.
3) Run AV and if you are on a corporate network, run an IPS.
This is an evolving threat. Nothing is going to 100% protect you all the time, however, the more layers you have, hopefully the more insulated you are against the threat, and you can protect yourself and your users.
Good Luck!
-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.]]> http://securitythreat.info/sans-internet-storm-center/exploit-kits-are-a-mess-sun-may-13th/

]]> http://securitythreat.info/h-online-security/adobe-backs-down-will-release-patches-for-critical-holes/

]]> http://securitythreat.info/h-online-security/adobe-backs-down-will-release-patches-for-critical-holes/