Monthly Archives: November 2012

Overlapping IPv6 Fragments

Antonios Atlasis is an independent IT security analyst who recently joined the Centre for Strategic Cyberspace + Security Science, a non-profit organization. This year he released a paper called “Attacking IPv6 Implementation Using Fragmentation”. If you are interested in the security issues that arise from IP packet fragmentation, you should read it. It describes how fragmentation can be used by attackers to elude intrusion detection systems, and it includes proof-of-concept code written with the Scapy packet-crafting tool. One of the results of this research is the fresh CVE-2012-4444, which covers the Linux kernel's IPv6 reassembly code accepting overlapping fragments.

Worth noting is that the IETF published RFC 5722, “Handling of Overlapping IPv6 Fragments”, on this topic back in December 2009. In it, Suresh Krishnan of the 6man (IPv6 Maintenance) working group states that IPv6 nodes must not create overlapping fragments, and that a receiver which detects an overlap while reassembling must silently discard the entire datagram, including fragments not yet received, rather than just the offending fragment. We should see wider adoption of this RFC by the security industry in the future.

Attacks via IP packet fragmentation are not new; they were very well documented in January 1998 by Thomas Ptacek and Timothy Newsham in the landmark paper on this topic, “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”. Based on this paper, Dug Song released a tool called fragrouter, and later fragroute, which implemented the techniques described there. But that is a different story, and it is my intention to write more about this topic in the near future because it is still being discussed today.
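To make the point of RFC 5722 and of the Ptacek/Newsham evasion concrete, here is an added example (not code from the Atlasis paper, from Scapy or from this blog) that models IPv6 fragments as offset/payload/M-flag records and reassembles them under three policies: a stack where the first-arriving bytes win, a stack where the last-arriving bytes win, and the RFC 5722 behaviour that discards the whole datagram on any overlap. The three sample fragments are constructed for this example; a monitoring device that reassembles with the wrong policy sees a different request than the end host does.

```python
"""Overlapping-fragment handling: RFC 5722 discard vs. the evasion-prone policies.

Added example (not from the Atlasis paper, Scapy or the blog). Fragments are
modelled as (offset, payload, M-flag) records; nothing is sent on the wire.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

FRAG_UNIT = 8  # the IPv6 Fragment Offset field counts 8-octet units


@dataclass(frozen=True)
class Fragment:
    """One fragment as described by an IPv6 Fragment header."""
    offset: int      # Fragment Offset field, in 8-octet units
    payload: bytes   # part of the fragmentable payload carried by this fragment
    more: bool       # M flag: True when further fragments follow

    @property
    def start(self) -> int:
        return self.offset * FRAG_UNIT

    @property
    def end(self) -> int:
        return self.start + len(self.payload)


def find_overlap(frags: Iterable[Fragment]) -> Optional[Tuple[Fragment, Fragment]]:
    """Return the first pair of fragments whose byte ranges intersect, or None."""
    ordered = sorted(frags, key=lambda f: (f.start, f.end))
    for a, b in zip(ordered, ordered[1:]):
        if b.start < a.end:      # b begins before a has ended: they share bytes
            return a, b
    return None


def reassemble(frags: Iterable[Fragment], policy: str = "rfc5722") -> Optional[bytes]:
    """Reassemble a datagram under one of three overlap policies.

    "rfc5722": any overlap discards the whole datagram (returns None).
    "first":   bytes from the earlier-arriving fragment win (one classic stack behaviour).
    "last":    bytes from the later-arriving fragment win (the other classic behaviour).
    None is also returned for a missing fragment, a malformed final fragment or an
    empty list. Arrival order is the order of `frags`.
    """
    if policy not in ("rfc5722", "first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    frags = list(frags)
    if not frags:
        return None
    if policy == "rfc5722" and find_overlap(frags) is not None:
        return None                      # RFC 5722 section 4: drop everything
    finals = [f for f in frags if not f.more]
    if len(finals) != 1:                 # exactly one fragment may carry M=0
        return None
    total = finals[0].end
    buf, seen = bytearray(total), bytearray(total)
    for f in frags:
        if f.end > total:                # data beyond the final fragment: malformed
            return None
        for i, byte in enumerate(f.payload):
            pos = f.start + i
            if policy == "first" and seen[pos]:
                continue                 # keep the byte that arrived first
            buf[pos] = byte
            seen[pos] = 1
    if not all(seen):                    # a hole means a fragment never arrived
        return None
    return bytes(buf)


# Constructed sample: a request split into two 8-byte fragments, plus a decoy
# fragment that covers the same bytes as the second one. Which request the
# receiver "sees" depends on its policy; that ambiguity is what IDS evasion exploits.
EVASION_FRAGS: List[Fragment] = [
    Fragment(offset=0, payload=b"GET /bad", more=True),
    Fragment(offset=1, payload=b"good.htm", more=True),   # decoy, arrives first
    Fragment(offset=1, payload=b"file.htm", more=False),  # overlaps the decoy
]
CLEAN_FRAGS: List[Fragment] = [EVASION_FRAGS[0], EVASION_FRAGS[2]]

if __name__ == "__main__":
    for policy in ("first", "last", "rfc5722"):
        print(f"{policy:8s} -> {reassemble(EVASION_FRAGS, policy)!r}")
    print(f"clean    -> {reassemble(CLEAN_FRAGS)!r}")
```

Run stand-alone, the script shows the same three fragments reassembling to `GET /badgood.htm` on a first-wins stack, to `GET /badfile.htm` on a last-wins stack, and to nothing at all under RFC 5722; only the clean pair reassembles everywhere. The check a sensor needs is `find_overlap`: if it fires, the safe action is to drop the datagram rather than guess which policy the protected host uses.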


Start with 334

Effective and reliable security monitoring that produces actionable information is one of the tools that can help us adjust to today's complex threat landscape. One of the mechanisms available under security monitoring is the use of real-time blacklists (RBLs). These blacklists keep track of IP addresses that are considered malicious or offensive, and they help people and organizations keep an eye on the IP addresses they own. For example, you can monitor and potentially detect whether your public IP address space is being blacklisted, or whether one of your systems has been compromised and is communicating with a blacklisted IP (e.g. sending intellectual property overseas or receiving instructions from a command and control server).

The information available is mainly public and is a contribution to the security community by well-known individuals, like Roman Hüssy from abuse.ch or Steven Adair from the Shadowserver Foundation. I have reason to believe that when we combine information from reliable and trustworthy blacklist data sources with the defense mechanisms already in place (traditionally blacklists are applied at the perimeter, because of the volume of data) we have a straightforward method that accurately identifies signs of danger, reduces our exposure to today's threats and provides actionable intelligence.

Of the available blacklist data sources, three are worth highlighting (descriptions taken from their respective websites). abuse.ch is one of the best public resources you can use to track botnet command and control domains and IP addresses. At the moment it hosts three trackers:

  1. ZeuS Tracker is a list of all ZeuS C&Cs as well as fake URLs which are currently known to the ZeuS Tracker. You can browse the ZeuS Tracker to get a list of ZeuS C&Cs and fake URLs in a specified country or AS number. Additionally, the ZeuS Tracker provides a feature which allows you to filter the ZeuS C&Cs by specified nameservers, level, status and many more.
  2. SpyEye Tracker is another project by abuse.ch. It is similar to the ZeuS Tracker, with the slight difference that SpyEye Tracker tracks and monitors malicious SpyEye command and control servers (and not ZeuS C&Cs). SpyEye Tracker provides blocklists in different formats (e.g. for the Squid web proxy or iptables) to prevent infected clients from accessing the C&C servers. Additionally, SpyEye Tracker should help ISPs, CERTs and law enforcement to track malicious SpyEye C&C servers which are their responsibility.
  3. Palevo tracker is a list of Palevo infections. Palevo is a worm that spreads using instant messaging, P2P networks and removable drives (like USB sticks). It is being sold in underground forums like ZeuS. The worm (also known as Rimecud, Butterfly bot and Pilleuz) made big press in 2010 (see Trend Micro: “Clipping Mariposa’s Wings” / Symantec: “Symantec: The Mariposa Butterfly“).

Shadowserver Foundation is an all-volunteer watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud. It is the mission of the Shadowserver Foundation to improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers, and the spread of malware. You might have heard about them through their collaboration with Microsoft on taking down the Waledac botnet.

Emerging Threats is an open source community for collecting Suricata and Snort rules, firewall rules, and other IDS rulesets. The open source community still plays an active role in Internet security, with more than 200,000 active users downloading the ruleset daily.

Other than those three, the following picture illustrates a compilation of data sources of blacklisted IPs, with the number of addresses each provides and the respective site from which to download the blacklist. Most of them are free for private use.

Block Lists

Together, these lists contain 16,749 entries of type address, of which 95.4% are unique. The count for Shadowserver is not given because their monitoring service works on the ASN or CIDR ranges that you report to them as yours.

Besides that, you can search through these block lists to get valuable information, though doing so by hand can be time consuming. Online services like the Anti-Abuse Project automatically check IP addresses and domains against 60 real-time blacklists and give you actionable information. For example, if an IP address is listed on more than 10 block lists, you can treat it as malicious with high confidence.

Well, after all this text, the name of this blog entry is 334 because, at the time of writing, that is the number of IP addresses you should certainly monitor. These 334 IP addresses are the sum of the addresses on the lists provided by the ZeuS, SpyEye and Palevo trackers from the abuse.ch repository plus the RBN (Russian Business Network) Frequent Malware Advertisers list from the Emerging Threats repository.
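The steps described above (merge several feeds, count how many entries are unique, and check traffic against the result, scoring an address by how many lists carry it) are shown in the following added example. It is not code from this blog, from abuse.ch or from Emerging Threats; the four feeds, their names and the firewall log lines are constructed samples using documentation address ranges, and the `src=... dst=...` log layout is an assumption of the example. Real feeds would be fetched on a schedule and cached locally before being loaded.

```python
"""Merge IP blocklist feeds and check firewall traffic against them.

Added example, not code from the blog, abuse.ch or Emerging Threats. Feeds and
log lines are constructed samples in the common one-entry-per-line feed format.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample feeds (names chosen for this example; documentation ranges only).
FEEDS: Dict[str, str] = {
    "zeus_tracker": "# ZeuS C&C IPs (constructed)\n198.51.100.10\n198.51.100.11\n203.0.113.5\n",
    "spyeye_tracker": "203.0.113.5\n198.51.100.12\n",
    "palevo_tracker": "192.0.2.77\n",
    "et_rbn_malvertisers": "# ET RBN malvertisers (constructed)\n203.0.113.5\n192.0.2.0/24\n",
}

# Constructed firewall log lines; the key=value layout is an assumption of this example.
SAMPLE_LOG = """\
2012-11-20T10:01:02 fw action=allow src=10.0.0.15 dst=203.0.113.5 dport=443
2012-11-20T10:01:05 fw action=allow src=10.0.0.15 dst=8.8.8.8 dport=53
2012-11-20T10:02:11 fw action=allow src=10.0.0.22 dst=192.0.2.77 dport=80
2012-11-20T10:02:40 fw action=allow src=10.0.0.22 dst=192.0.2.200 dport=8080
"""


def parse_feed(text: str) -> set:
    """Parse one feed: drop comments and blank lines, accept both hosts and CIDR ranges."""
    nets = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.add(ipaddress.ip_network(entry, strict=False))  # "1.2.3.4" -> 1.2.3.4/32
        except ValueError:
            continue  # tolerate a malformed line rather than dropping the whole feed
    return nets


def merge_feeds(feeds: Dict[str, str]) -> Tuple[Dict, int]:
    """Return {network: {feed names}} and the total number of entries before dedup."""
    listed: Dict = defaultdict(set)
    total = 0
    for name, text in feeds.items():
        nets = parse_feed(text)
        total += len(nets)
        for net in nets:
            listed[net].add(name)
    return dict(listed), total


def unique_ratio(listed: Dict, total: int) -> float:
    """Fraction of entries that are unique across all feeds (the 95.4 % figure above)."""
    return len(listed) / total if total else 0.0


def lookup(listed: Dict, ip: str) -> Set[str]:
    """Feeds that list `ip`: exact host entries plus any CIDR range containing it."""
    addr = ipaddress.ip_address(ip)
    hits: Set[str] = set()
    for net, names in listed.items():
        if addr in net:          # False for mismatched IP versions, so mixed feeds are safe
            hits |= names
    return hits


LOG_RE = re.compile(r"\bdst=(?P<dst>[0-9A-Fa-f:.]+)")


def scan_log(lines: Iterable[str], listed: Dict, min_feeds: int = 1) -> List[Tuple[str, List[str]]]:
    """Destinations in the log that appear on at least `min_feeds` feeds, in log order."""
    hits: List[Tuple[str, List[str]]] = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            feeds = lookup(listed, m.group("dst"))
        except ValueError:       # dst was not a literal address (e.g. a hostname)
            continue
        if len(feeds) >= min_feeds:
            hits.append((m.group("dst"), sorted(feeds)))
    return hits


LISTED, TOTAL = merge_feeds(FEEDS)

if __name__ == "__main__":
    print(f"{TOTAL} entries, {len(LISTED)} unique ({unique_ratio(LISTED, TOTAL):.1%})")
    for dst, feeds in scan_log(SAMPLE_LOG.splitlines(), LISTED, min_feeds=2):
        print(f"ALERT dst={dst} listed on {len(feeds)} feeds: {', '.join(feeds)}")
```

The `min_feeds` threshold is the "listed on more than N lists" rule from the text; with the constructed data, `203.0.113.5` scores three feeds and `192.0.2.77` scores two (one host entry plus the `/24` it falls inside), while the internal DNS resolver scores none. `lookup` walks every network on each call, which is fine for the tens of thousands of entries the lists above add up to; for much larger feeds, keep the `/32` hosts in a set for O(1) hits and walk only the CIDR ranges.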

If you use any of these blacklists, you should update them at reasonable intervals. They will definitely help you create a list of prohibited events and build procedures for remediating them. Use them as you see fit.


Tavis Ormandy strikes again!

For those of you who might not know who Tavis Ormandy is, you may have heard his name back in June 2010. At that time he published his research and proof-of-concept code for a vulnerability in the Microsoft Help and Support Center application (the hcp:// protocol handler) that could be exploited on Windows XP SP3 with Internet Explorer 6, 7 or 8 (CVE-2010-1885). After the disclosure the vulnerability was rapidly added to the Metasploit framework, and some controversy arose around his disclosure approach. Microsoft released a patch for this vulnerability on 13th July 2010. Additional research built on this vulnerability found ways to bypass AV products, because the vendors' products allowed the code to execute before the malware was detected. This resulted in CVE-2010-3496, CVE-2010-3497, CVE-2010-3498 and CVE-2010-3499, affecting McAfee, Symantec, AVG and F-Secure respectively. Beyond that, Tavis Ormandy disclosed more than 120 vulnerabilities between 2004 and 2010.

Anyway, what I wanted to mention here is that he just recently published the second part of a great piece of research on the Sophos antivirus. The first paper on this topic, “Sophail: A Critical Analysis of Sophos Antivirus”, can be found here. In this second part, “Sophail: Applied Attacks Against Sophos Antivirus”, you will find a very technical and detailed analysis of how typical Sophos antivirus deployments are exposed to several attacks, including integer overflows, local privilege escalation, XSS and others. A summary of the vulnerabilities can be found on the Sophos website. The vulnerabilities affect the latest version of Sophos at the time the paper was published; if you are using Sophos you should consider patching it.

One thing to note, other than the research itself, is the good cooperation between Tavis and Sophos in releasing this information responsibly. Further details and a timeline of events can be found in section six of the document. According to Sophos, the majority of the vulnerabilities have been addressed; for the ones not yet fixed, a patch is expected to be released on 28th November.


Common Criteria Information Technology Security Evaluation

The ISC handlers from the SANS Internet Storm Center ran a series of diaries called Cyber Security Awareness Month throughout October. The goal was to promote standards and security. Once again they produced very good diaries, and you can see the list of published diaries here.

With that in mind, I decided to write a small article on this matter too. The idea is to promote knowledge of the Common Criteria standard, an international standard that specifies security requirements and defines evaluation criteria for measuring the security of an IT product (hardware and software). I also give a brief background on what existed before this standard.

Among its goals, Common Criteria aims to be the world standard for security specifications and evaluations. To accomplish this, the national organizations that make up the Common Criteria consortium worked with the International Organization for Standardization (ISO) to have the standard accepted by them. This was a step in the right direction, and Common Criteria version 2.1 is formally recognized as ISO/IEC 15408.

But let's go back 30 years to the National Computer Security Center (NCSC), at that time a branch of the National Security Agency (NSA). The center was responsible for the United States government's trusted computer evaluation program and its criteria, known as TCSEC (Trusted Computer System Evaluation Criteria). The center was also responsible for evaluating commercial security products, publishing and sponsoring research, and promoting technical guidelines. In 1985 the NCSC published the famous “Orange Book”. Its goal was to define security requirements, giving the security industry an instrument to measure the security of their systems. This is the book that specifies the well-known C2 class rating. It can be downloaded here.

The Orange Book got its name from its orange cover. It was part of the Rainbow Series, a set of security requirement and guideline documents named after their colorful covers. All of the books were produced by the NSA, and all products were evaluated by them. Over time the security industry lost interest in TCSEC evaluation: there was little return on investment, it only covered the US market, and the process was so time consuming that products often received their assurance rating when they were already end of life.

The next step by government institutions was the evaluation criteria known as ITSEC, created in the early 1990s by France, Germany, the Netherlands and the United Kingdom. These criteria addressed some of the limitations of the TCSEC: beyond confidentiality they also covered integrity and availability, and they separated the evaluation of security functionality from the evaluation of assurance. The process did not last long, though.

After that, discussions started on developing a common set of standards that could be agreed upon by a group of countries. A program that would evaluate and quantify the assurance level of a security product, and whose results would be recognized across different countries, was needed, and Common Criteria was born. The goal of the program was to establish a high degree of assurance that products would consistently perform their security functions safely and securely when handling data, and that failures would not result in the compromise of sensitive information. The program also provided a broader market for products completing the evaluation process, by allowing international sales to the nations participating in it. Some participating nations mandate the use of evaluated products in their information systems, and this mandate translates into requirements for the systems under development.

So this is where we are today in terms of security evaluation criteria for IT systems. The CC philosophy is to provide assurance based on an evaluation (active investigation) of the IT product that is to be trusted. Evaluation is the traditional means of providing assurance and was the basis for the earlier evaluation criteria documents. The CC rely on expert evaluators to measure the validity of the documentation and of the resulting IT product, with increasing emphasis on scope, depth and rigor [Common Criteria part 3, 2006]. Scope, depth and rigor increase along with the levels of assurance, known as EALs (Evaluation Assurance Levels). The CC define seven hierarchically ordered evaluation assurance levels for rating a TOE (Target of Evaluation), which could be a software application, an operating system, a software application in combination with an operating system, a smart card integrated circuit, a database application, etc.

The list of EALs is as follows:

Evaluation assurance level 1 (EAL1) – functionally tested
Evaluation assurance level 2 (EAL2) – structurally tested
Evaluation assurance level 3 (EAL3) – methodically tested and checked
Evaluation assurance level 4 (EAL4) – methodically designed, tested and reviewed
Evaluation assurance level 5 (EAL5) – semiformally designed and tested
Evaluation assurance level 6 (EAL6) – semiformally verified design and tested
Evaluation assurance level 7 (EAL7) – formally verified design and tested

The intent of the higher levels is to provide higher confidence that the system's principal security features are reliably implemented. The EAL does not measure the security of the system itself; it states how rigorously the product was evaluated against the claims made in its Security Target (or in the Protection Profile it conforms to). That is the practical caveat: two EAL4 products may have been evaluated against very different sets of security functions and in very different configurations, so read the Security Target and the evaluated configuration, not just the number. Achieving a higher EAL generally costs more money and takes more time than achieving a lower one, and the EAL assigned to a certified product indicates that it completed all requirements for that level.

Products enter the CC process by being evaluated in an accredited laboratory. In the United States these commercial laboratories, the Common Criteria Testing Laboratories (CCTLs), are approved by the National Information Assurance Partnership (NIAP). The National Voluntary Laboratory Accreditation Program (NVLAP) provides third-party accreditation of testing and calibration laboratories, and NVLAP accreditation is the primary requirement for becoming a CCTL.

Guidance on how to configure your IT systems in their CC evaluated configuration is provided by the vendors; for example, Microsoft operating systems, Red Hat operating systems and Check Point firewalls, among several others, hold EAL4 certifications. The CC program gives you a wealth of information that can help you achieve higher security when implementing and deploying evaluated products:

Windows Server 2003 Common Criteria Configuration Guide.
Windows Server 2003 Common Criteria Administrator’s Guide.
Checkpoint R7x Installation Guide for Common Criteria Evaluated Configuration.
Checkpoint R7x Administrator Guide for Common Criteria Evaluated Configuration.
Cisco ASA 7.0.6 Installation and Configuration Guide for Common Criteria Evaluated Configuration.

The list of certified products can be accessed on the Common Criteria Portal.

References:

Official (ISC)2 Guide to ISSAP CBK
Common Criteria for Information Technology Security Evaluation Part 1 : Introduction and General Model, version 3.1 Revision 4
Common Criteria for Information Technology Security Evaluation Part 3 : Security Assurance Requirements, version 2.3


Day one for Count upon Security

I am very excited about this new project. It will allow me to contribute to the IT security community with material about multiple security disciplines. My goal is to share comprehensive information, increase awareness and provide illustrations about security matters. Optimistically it will allow you to learn new skills, reinforce current ones or just read for fun and pleasure. At the moment I have lots of ideas in my mind about topics that I would like to share and discuss with you, and I just need to start putting them on paper.

One of the main reasons I'm starting this blog is that I work in the security field and, based on my experience, I have reason to believe that the information security industry will continue to grow in size, density and specialization. Therefore the demand for qualified security professionals who possess knowledge and skills will increase substantially. One of my aims is to help you grow your security expertise and awareness; that doesn't mean you will find a job here, but an IT security career is a very interesting one to take.

Just recently, this article illustrated this job demand. As you can read, the Department of Homeland Security in the United States created a new fellowship program designed to attract recent college graduates into cyber security careers. They also said that their cyber workforce increased by 600 percent over the last few years. Furthermore, the last search I made with the keyword security on JobServe for the IT & Telecommunications industry in the UK showed 1429 jobs. On the Swiss job portal, the last query I made with the same keyword gave 448 results, quite amazing considering the size of the country.
