
Archive for the ‘Security Blog Beat’ Category

Maintaining Security in the Network Control Plane

Monday, December 21st, 2009

Over at TechTarget, Joel Snyder writes about configuring access control lists on your routers to maintain security in the network control plane.

Do you have SNMP enabled on edge devices? Fine… so long as you also have an access list saying that those SNMP packets can only come from your management station. Is the management interface, whether HTTP, HTTPS, SSH or (heaven forbid) Telnet running?

Fine … so long as no one outside our network can ever get there.

We call this the “control plane” or “management plane.” Think of it as a different network that runs in parallel to your data network, and is used to control, monitor and manage the data network. In huge networks, there is a true network control plane that is completely separate from the data that the device sees. But in many smaller networks, control plane, management plane, and data plane run on the same wire.

You can, and should, secure your network control plane in many ways, but they mostly come down to two techniques: access control lists and self-protection.

ACCESS CONTROL LISTS MANAGE TRAFFIC TO EDGE DEVICES
Access control list protections usually occur when you put a block of some sort in non-firewall devices at the edge and core of your network. A good example is SNMP. Let’s say you have an SNMP management station at 10.20.30.161. That represents the one valid flow to and from that management station to network and security devices. Now, any other SNMP traffic floating around on your network, or coming in from the edge, should be blocked. If you have intermediate routers in your network, and certainly if you have firewalls, you should use them to block SNMP traffic — and any other management traffic — to your security and network devices, except from authorized sources.

Good advice, and an excellent example of best practices for securing your network infrastructure.  To ensure that your network infrastructure remains secure, you will want to configure and enforce access control restrictions like these on all of your non-firewall devices.  Furthermore, you will want to routinely audit the network devices to ensure that they continue to follow these best practices.  When changes are made to a device’s access control lists, you will want to be notified when changes cause the device to fail to meet these practices.

Of course, auditing all of the devices in your network infrastructure can be a huge job.  The attention to detail required to make sure you get it right and don’t miss something takes a lot of time.  It’s difficult to perform the audits frequently enough to be effective without tools and automation to facilitate the process.  Fortunately, the security checks in Athena FirePAC provide a perfect vehicle for implementing these kinds of network best practices.

For example, FirePAC provides a standard security check for SNMP that can be customized to ensure that the device policy allows SNMP messages only from the management station, and to flag the check if the policy allows any other source.  FirePAC provides other standard checks for various management protocols that can be similarly customized to verify that access is restricted to the management station.  These kinds of customizations to the standard security checks in FirePAC help you tailor the Security Audit report to your organization’s network policy and simplify the task of ensuring the security of your network.

Iraqi Militants Hack Predator Drone Video Feeds

Thursday, December 17th, 2009

The Wall Street Journal is reporting today that Shiite fighters in Iraq were able to capture video feeds from U.S. Predator drones using commercially available software.

Senior defense and intelligence officials said Iranian-backed insurgents intercepted the video feeds by taking advantage of an unprotected communications link in some of the remotely flown planes’ systems. Shiite fighters in Iraq used software programs such as SkyGrabber — available for as little as $25.95 on the Internet — to regularly capture drone video feeds, according to a person familiar with reports on the matter.

[...]

The stolen video feeds also indicate that U.S. adversaries continue to find simple ways of counteracting sophisticated American military technologies.

[...]

Some of the most detailed evidence of intercepted feeds has been discovered in Iraq, but adversaries have also intercepted drone video feeds in Afghanistan, according to people briefed on the matter. These intercept techniques could be employed in other locations where the U.S. is using pilotless planes, such as Pakistan, Yemen and Somalia, they said.

[...]

The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn’t know how to exploit it, the officials said.

Most interesting was this comment about the difficulty in upgrading the drones to encrypt the video downlink.

Officials stepped up efforts to prevent insurgents from intercepting video feeds after the July incident. The difficulty, officials said, is that adding encryption to a network that is more than a decade old involves more than placing a new piece of equipment on individual drones. Instead, many components of the network linking the drones to their operators in the U.S., Afghanistan or Pakistan have to be upgraded to handle the changes.

Security has to be built in from the start, not added in as an afterthought.  Of course, you should never underestimate your adversaries either!

Verizon Business Report Looks At 15 Most Common Attacks

Wednesday, December 9th, 2009

A new report released today from Verizon Business, “2009 Supplemental Data Breach Investigations Report: An Anatomy of a Data Breach,” takes a look at the 15 most common types of security attacks. The report is drawn from data published in the “2009 Verizon Business Data Breach Investigations Report,” issued in April. That study reviewed the cybercrime cases worked by Verizon’s Investigative Response team and analyzed more than 90 forensic investigations involving some 285 million compromised records.

The report identifies and profiles the most common attacks. For each type of attack, the report provides case examples, frequency of occurrence, threat sources, warning signs, controls that can deter or prevent threats, and commonly affected industries.

The report identifies and ranks by frequency the following top 15 types of attacks:

  1. Keyloggers and spyware.
  2. Backdoor or Command/Control.
  3. SQL injection.
  4. Abuse of system access/privileges.
  5. Unauthorized access via default credentials.
  6. Violation of Acceptable Use and other policies.
  7. Unauthorized access via weak or misconfigured ACLs.
  8. Packet sniffer.
  9. Unauthorized access via stolen credentials.
  10. Pretexting (social engineering).
  11. Authentication bypass.
  12. Physical theft of asset.
  13. Brute-force attack.
  14. RAM scraper.
  15. Phishing (and variants).

It’s interesting to observe that 6 of the 15 list proper egress filtering as one method of mitigating the attack. That’s more than a third of the most common attacks that can be stopped by proper firewall configurations. Read the whole thing.

Researchers Release Tools Automating Attacks on Carrier Backbone Networks

Tuesday, April 7th, 2009

Kelly Jackson Higgins at DarkReading writes that a pair of German researchers have developed a set of tools that automate attacks on the Multiprotocol Label Switching (MPLS) and Ethernet networking technologies used in some enterprise network service offerings.

The tools exploit similar inherent security weaknesses in the two networking technologies — namely in how they forward traffic.

[...]

To execute an MPLS or Ethernet carrier network hack, the attacker first must get into the network, either by hacking a router or a management tool. Then Rey and Mende’s MPLS hacking tool could be used: It modifies the labels that are added to packets in an MPLS network and determine how those packets get forwarded. This lets an attacker silently redirect traffic to other sites, such as a malicious DNS server or a phony authentication server, Rey says. “The victim doesn’t notice anything and the attacker has both directions of traffic” in his control, he says. “The whole VPN model of trust is violated,” he says.

The attack doesn’t target a specific vulnerability — just the way MPLS operates. The story is much the same for Ethernet. VLAN-tagging, for instance, helps carriers separate different customers’ traffic across their backbones. “But there’s no encryption and no additional security” with Ethernet, Rey says. “It’s just traffic separated by adding some more bits to the traffic, which brings us back to being able to modify those bits” with our hacking tool, he says.

The researchers plan to release the tools at Black Hat Europe next week.

Vast Electronic Spying Operation Discovered

Saturday, March 28th, 2009

The NYTimes is reporting that a “vast electronic spying operation” was discovered by researchers in Toronto.  They concluded that thousands of computers in government and private offices around the world were compromised.

The researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved.

The researchers, who are based at the Munk Center for International Studies at the University of Toronto, had been asked by the office of the Dalai Lama, the exiled Tibetan leader whom China regularly denounces, to examine its computers for signs of malicious software, or malware.

Their sleuthing opened a window into a broader operation that, in less than two years, has infiltrated at least 1,295 computers in 103 countries, including many belonging to embassies, foreign ministries and other government offices, as well as the Dalai Lama’s Tibetan exile centers in India, Brussels, London and New York.

The researchers, who have a record of detecting computer espionage, said they believed that in addition to the spying on the Dalai Lama, the system, which they called GhostNet, was focused on the governments of South Asian and Southeast Asian countries.

[...]

The malware is remarkable both for its sweep — in computer jargon, it has not been merely “phishing” for random consumers’ information, but “whaling” for particular important targets — and for its Big Brother-style capacities. It can, for example, turn on the camera and audio-recording functions of an infected computer, enabling monitors to see and hear what goes on in a room. The investigators say they do not know if this facet has been employed.

The researchers were able to monitor the commands given to infected computers and to see the names of documents retrieved by the spies, but in most cases the contents of the stolen files have not been determined. Working with the Tibetans, however, the researchers found that specific correspondence had been stolen and that the intruders had gained control of the electronic mail server computers of the Dalai Lama’s organization.

The electronic spy game has had at least some real-world impact, they said. For example, they said, after an e-mail invitation was sent by the Dalai Lama’s office to a foreign diplomat, the Chinese government made a call to the diplomat discouraging a visit. And a woman working for a group making Internet contacts between Tibetan exiles and Chinese citizens was stopped by Chinese intelligence officers on her way back to Tibet, shown transcripts of her online conversations and warned to stop her political activities.

A separate group of researchers in the UK issued their own report, focusing on the technical nature of the operation and possible countermeasures.

This event is significant for several reasons.  The scope of the operation is impressive.  It was a targeted surveillance attack for apparent political purposes, intended to collect actionable intelligence for a repressive police state.  The capability of the malware to record sound and video from compromised computers poses a very real threat of illicit or covert electronic surveillance from any connected computer with a microphone and webcam.  The techniques of the attack, using socially targeted malware, were highly effective.  Typical countermeasures for this type of attack involve mandatory access controls and intrusive operational security procedures, which are unlikely to be deployed outside of secure government or military organizations. Such threats are bound to proliferate into online criminal activities. The recent data breach at Heartland Payment Systems involving targeted malware may indicate that this is already starting to happen.

Network Solutions under DDOS attack

Saturday, January 24th, 2009

Circle ID reports that major domain registrar Network Solutions has been experiencing a massive DDOS UDP/53 attack on their domain servers for the past 48 hours.  The Network Solutions blog confirms this: “There is a spike in DNS query volumes that is causing latency for the delay in web sites resolving. This is a result of a DDOS attack.  We are taking measures to mitigate the attack and speed up queries.”

A post on NANOG provides some additional detail:

A DOS where lots of people's dns servers around the world are being queried with bogus sourced dns requests not from port 53 for 'NS? .'.  This then bounces back to their authoritative nameservers which are getting traffic overload.

...

These are the result of a spoofed dns recursion attack against our servers. The actual packets in question (the ones reaching your servers) do NOT originate from our network as such there is no way for us to filter things from our end.

If you are receiving queries from 76.9.31.42/76.9.16.171 neither of these machines make legitimate outbound dns requests so an inbound filter of packets to udp/53 from either of these two sources is perfect.

If you are receiving queries from 66.230.128.15/66.230.160.1 these servers are authoritative nameservers. Please do not blackhole either of these IPs as they host many domains. However, these IPs do not make outbound DNS requests so filtering requests to your IPs from these ips with a destination port of 53 should block any illegitimate requests.

An ACL similar to:

access-list 110 deny udp host 66.230.160.1 neq 53 any eq 53
access-list 110 deny udp host 66.230.128.15 neq 53 any eq 53

Is what you want.
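Both the control-plane post above (restricting SNMP to the single management station at 10.20.30.161) and the NANOG ACL just quoted come down to the same thing: an ordered, first-match access list with an implicit deny at the end, and the question of which flows it actually admits. The following Python is an added example, not code from Athena FirePAC, the NANOG poster or any of the articles cited; it parses the small subset of Cisco extended-ACL syntax used on this page, evaluates a flow against it, and runs the kind of customized SNMP audit described above (flag any permit entry that could admit SNMP from a source other than the management host). The ACL texts, the source addresses 10.99.1.5 and 192.0.2.10, the 10.20.0.0/16 subnet entry and the trailing `permit ip any any` on the NANOG list are constructed for the example.

```python
"""Toy Cisco-style extended ACL evaluator and SNMP-source audit.

Added example (not FirePAC or NANOG code).  Supported syntax subset:
  access-list N permit|deny PROTO SRC [eq|neq PORT] DST [eq|neq PORT]
where SRC/DST is 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A few IOS port keywords; numeric ports are accepted as well.
PORT_NAMES = {"snmp": 161, "domain": 53, "ssh": 22, "telnet": 23, "www": 80}


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "udp", "tcp" or "ip" (ip matches any)
    src: ipaddress.IPv4Network
    sport: Optional[Tuple[str, int]]  # ("eq"|"neq", port) or None
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[str, int]]


def _parse_addr(t: List[str], i: int):
    """Consume an address spec at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # address followed by a wildcard (host) mask, e.g. 10.20.0.0 0.0.255.255
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _parse_port(t: List[str], i: int):
    """Consume an optional 'eq N' / 'neq N' qualifier at t[i]."""
    if i < len(t) and t[i] in ("eq", "neq"):
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        return (t[i], port), i + 2
    return None, i


def parse_acl(text: str) -> List[Entry]:
    """Parse access-list lines in order; raise on syntax outside the subset."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError("unsupported line: " + line)
        action, proto, i = t[2], t[3], 4
        src, i = _parse_addr(t, i)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        if i != len(t):
            raise ValueError("unsupported qualifier in: " + line)
        entries.append(Entry(action, proto, src, sport, dst, dport))
    return entries


def _port_ok(spec, port: int) -> bool:
    if spec is None:            # no qualifier: every port matches
        return True
    op, p = spec
    return port == p if op == "eq" else port != p


def evaluate(acl: List[Entry], proto: str, src: str, sport: int,
             dst: str, dport: int) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for e in acl:
        if ((e.proto == "ip" or e.proto == proto)
                and ipaddress.ip_address(src) in e.src
                and ipaddress.ip_address(dst) in e.dst
                and _port_ok(e.sport, sport) and _port_ok(e.dport, dport)):
            return e.action
    return "deny"


def audit_snmp_sources(acl: List[Entry], mgmt_station: str,
                       snmp_port: int = 161) -> List[Entry]:
    """Return permit entries whose source is wider than the management host
    and which could admit SNMP (udp/161).  This is a static, conservative
    check: it also reports entries shadowed by an earlier deny."""
    mgmt = ipaddress.ip_network(mgmt_station + "/32")
    return [e for e in acl
            if e.action == "permit" and e.proto in ("udp", "ip")
            and _port_ok(e.dport, snmp_port) and e.src != mgmt]


# Constructed edge-device ACL: the /16 entry is the mistake the audit finds.
EDGE_ACL = """
access-list 120 permit udp host 10.20.30.161 any eq snmp
access-list 120 permit udp 10.20.0.0 0.0.255.255 any eq snmp
access-list 120 permit tcp host 10.20.30.161 any eq 22
access-list 120 deny ip any any
"""

# The NANOG entries, plus a constructed trailing permit so the list does not
# fall through to the implicit deny for all other traffic.
NANOG_ACL = """
access-list 110 deny udp host 66.230.160.1 neq 53 any eq 53
access-list 110 deny udp host 66.230.128.15 neq 53 any eq 53
access-list 110 permit ip any any
"""

if __name__ == "__main__":
    edge = parse_acl(EDGE_ACL)
    for e in audit_snmp_sources(edge, "10.20.30.161"):
        print("SNMP permitted from non-management source:", e.src)
    nanog = parse_acl(NANOG_ACL)
    # spoofed reflection query (high source port) vs. a real answer (sport 53)
    print(evaluate(nanog, "udp", "66.230.160.1", 5555, "192.0.2.53", 53))
    print(evaluate(nanog, "udp", "66.230.160.1", 53, "192.0.2.53", 40000))
```

The `neq 53` source-port qualifier is what makes the NANOG entries safe for an authoritative server: the spoofed queries arrive with a non-53 source port and are dropped, while genuine answers from that server (source port 53) still pass. The audit function deliberately reports on permit entries rather than on sampled flows, which is the conservative choice for a configuration check.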

This attack could potentially affect more than 7.6 million domain names.  Given the recent rapid spread of threats like the Downadup worm, I’m sure we’re going to be seeing more attacks like this in the not-too-distant future.

UPDATE: Network Solutions says DNS queries for web sites should be responding normally now.

Massive data breach at Heartland Payment Systems

Wednesday, January 21st, 2009

News of the massive data breach at Heartland Payment Systems that may have compromised tens of millions of credit and debit transactions was all over the Internets today. It appears to have been a targeted attack involving malicious software installed on the company’s payment processing network, designed to track and report the magnetic-stripe information stored on the back of a credit card as it was being sent for processing to Heartland by thousands of the company’s retail clients. Rich Mogull over at Securosis observes that “the biggest breaches now involve attacks installing malicious software to sniff data — including TJX, Hannaford, Cardsystems, and now Heartland Payment Systems.”

It’s worth noting that as a level 1 payment processor, Heartland is required to be PCI compliant. PCI requires that you segment your transaction data from other networks, that you have a firewall that restricts connections between public servers and cardholder data, and that you document and justify the services and ports necessary for business. The new PCI DSS Compliance report available in the recent release of Athena FirePAC automates the process of assessing firewalls for compliance.

All of which is well and good and will certainly provide reasonable protection from random hacking attempts. The trouble is that even though PCI is among the most advanced security compliance standards out there, passing a compliance audit won’t really protect you from targeted attacks such as this. You have to know what’s going on in your network and how your defenses really behave. A simple inspection of your firewall rules won’t identify the true exposures in your network or identify the data assets at risk. You need to know exactly which services and ports are allowed to connect to all of your IT and network assets. This comes from understanding how the ACLs, address translations, and the routing table all work together to control the traffic flowing through your firewall. Although difficult to get right, Athena FirePAC excels at this kind of policy analysis. It can identify exactly which assets are exposed to risky services and which rules cause the most problems. It can tell you what the impact of changes to the firewall configuration will be before deploying them to the device. This kind of information is invaluable when trying to track down and repair exposures in your network before the data thieves find their way in.

An emerging measure of global power

Sunday, January 4th, 2009

This is a little old, but I just came across a reference to it on the Security Metrics mailing list. Robert X. Cringely writes about a metric to predict emerging global leaders in technology (and presumably economic development and power) that is based on the number of Cisco Certified Internetwork Experts (CCIEs), broken down by country. Cringely writes:

Where I took a step further was to divide the number of CCIEs into each country’s population, then do the same for each country’s Gross Domestic Product and correct for widely varying populations and states of economic development. For a baseline, then, the U.S. has at present 5,863 CCIEs, which is 1.947 CCIEs per 100,000 population and $2.2 billion of GDP per CCIE.

The results for Europe and North America are not surprising, with Canada, the UK, and Ireland being relatively close to the US. What is more interesting are the numbers for Asia.

India has 0.036 CCIEs per 100K to China’s 0.22 per 100K — a 7X differential — while India has $10 billion in GDP per CCIE to China’s $3.3 billion. There is no doubt that there is plenty of network expertise in India, but these numbers show that expertise isn’t making it out of the technology centers to the rest of the country. China, on the other hand, is developing its IT infrastructure much more broadly. This also doesn’t take into account the simply huge numbers coming out of Hong Kong, where there are 3.3 CCIEs per 100K and $1.13 billion in GDP per CCIE — numbers that might properly be added to the rest of China in some accounts.

Japan has 1.23 CCIEs per 100K to South Korea’s 1.9, but the significant difference between these two countries is the $4 billion per CCIE in GDP for Japan compared to $1.28 billion in South Korea, which is clearly investing massively in network infrastructure.

Looking 30 years into the future I think it is clear that the regional leaders will be China and Korea, NOT India and Japan.

thwack_ mentions Athena FirePAC

Wednesday, December 10th, 2008

Thanks to Josh Stephens, Head Geek at SolarWinds, for mentioning Athena FirePAC on his blog.

“FirePAC is cool because it evaluates the ACLs on your Cisco PIX and ASA, Juniper NetScreen, and Checkpoint firewalls and tells you where you’ve left holes or where you’ve duplicated functionality…. Definitely something you should check out.”

SolarWinds offers highly affordable network management products that can be downloaded over the web and installed and running in minutes. Their Orion NCM tool is a great complement to Athena FirePAC, simplifying the process of acquiring firewall configurations for analysis.

Cracking CAPTCHAs

Wednesday, December 10th, 2008

I found it interesting that after building software to break CAPTCHAs, the software found application in scanning books. It’s obvious in hindsight (just like many other applications, such as the gramophone for music) but nevertheless interesting. Read more here.

Copyright © 2006-2009 Athena Security, Inc. All Rights Reserved. AthenaVerifyTM and Athena FirePACTM are trademarks of Athena Security, Inc.