I-BLOG

Oh well, if you’re more used to IPTables than any normal firewall software, then of course you’re gonna need that for your Windows machine as well. Nothing wrong about that, the interesting stuff here is about the technology, really and not who made it – if it works well.

Windows IP Firewall (WIPFW) is an open source project that gives you exactly that;

Checkout their page here

WHAT IS WIPFW?

WIPFW is a MS Windows operable version of IPFW for FreeBSD OS. You can use the same functionality and configure it as only you work with IPFW.

IPFW is a packet filtering and accounting system which resides in the kernelmode, and has a user-land control utility, ipfw. Together, they allow you to define and query the rules used by the kernel in its routing decisions.

There are two related parts to ipfw. The firewall section performs packet filtering. There is also an IP accounting section which tracks usage of the router, based on rules similar to those used in the firewall section. This allows the administrator to monitor how much traffic the router is getting from a certain machine, or how much WWW traffic it is forwarding, for example.

As a result of the way that ipfw is designed, you can use ipfw on non-router machines to perform packet filtering on incoming and outgoing connections. This is a special case of the more general use of ipfw, and the same commands and techniques should be used in this situation.

And one more important piece of info would be;

Q: Whats the difference between WIPFW and IPFW?

A: Now WIPFW is unable to change packets content, so it is impossible to redirect packets. Also WIPFW has no traffic shaper. In the future WIPFW will be using ndis driver which will allow all abilities.

As I mentioned before, my site was tagged for malware’s by Google and I had to put quite some effort to get it cleaned. I got a JavaScript injection attacks named ‘Yahoo! Counter Starts”, this seems relatively new and not much of authentic information is available at this moment. But there are a lot of forums/blogs that got affected by it and tagged by Google as well.

Seems that this thing basically has a redirection to an ip address residing somewhere in Russia and eventually takes the username/password details from the site/visitors etc. Pretty Scary if we look for the real meaning of this. Couple of sites helped me in cleaning it up and am consolidating here for the sake of others.

The script looks something like this;

<script language=javascript><!-- Yahoo! Counter starts
if(typeof(yahoo_counter)!=typeof(1))eval(unescape('|/#/@.~.!.................[keeps going]
<!-- counter end --></script>

Checkout this thread [ Click Here ] Also it may be possible that your actual php/html files are neat, since this kinda stuff can go into the base DB as well. It is a nasty one to fix. Check all your permissions on the files, is the best thing to do.

1. Google.com (Google webmaster tools)
   1. If you own a site, you can add your site address and a full sitemap here and Google will analyze the site for anything that is found wrong. [Click Here to Go] More information can be found [Here]
2. BadwareBusters.org
   1. These guys have a facility where you can provide your web address, they’ll scan and let you know the issues found. There is also an option for looking deep and to have a complete scan report (comes quite fast, 24 hours maximum)
3. BlacklistDoctor.com
   1. Again these guys have the facility to scan your website by giving the URL will let you know of any found scripts
4. UnmaskParasites.com
   1. It was in beta stage and when I tried wasn’t working. Lately it is seen to be working fine. Does scanning of your sites and also gives you an impression on whether it is black marked or not.
5. MalwareBytes
1. They have a utility to check your computer to see if there are any remnants of trojan files or affected file streams in your local system. This is very important since you cleaning up the site is ok on one hand but what if you reinfect it by yourselves again?
6. WP Security Scan
1. If you own a wordpress web site like me, this plugin is a good one to use. It does check this following.
1. -passwords
   
   -file permissions

   -database security

   -version hiding

   -WordPress admin protection/security

   -removes WP Generator META tag from core code

7. Also Read this [ Click Here ]

Once you do the cleaning, go back to Google Web Masters and/or other sites mentioned above for a reevaluation and they’d take off the malware warning tag from your blog once they verify the contents again.

Now this is something not new and in today’s world, if it takes you to block a country itself to avoid issues in your network then you’d have to go down that path. I read an article lately on SecurityFocus on blocking based on Countries. The author basically blocked the whole of China and his spam hits came down to 80% it seems.

For sure if the business I’m running has nothing to do with a country then I think it is not a bad idea considering the fact that you can’t let bad guys come in and do the damage, then you take an action on it. While this has mixed reviews I believe it is justified for the sole reason that it is my network and I choose what to come in here.

One of the commenter posted this site, http://www.countryipblocks.net/index.php

Beauty is that you can choose the entire ip data pertaining to a country. For example;

This is the list of IP range of IRAN. Just select and country and click to get the list of that country.

However, it still remains a challenge for your router/firewall to take a list of all rogue ip addresses and start blocking it for the mere horsepower that is required to process through it. Attributed to this if people start doing away by only allowing the country they are in (nowadays you can see every business have an internet connection, and the business is only to that country), then internet would be not be the internet we perceived in the first place!

Say an interior decorator working in a small state, doesn’t have to allow everybody in the world to see his site/resources, does he?

So in the coming weeks, we can see WPA a joke too (just like its predecessor WEP)!

To do this, Tews and his co-researcher Martin Beck found a way to break the Temporal Key Integrity Protocol (TKIP) key, used by WPA, in a relatively short amount of time: 12 to 15 minutes, according to Dragos Ruiu, the PacSec conference’s organizer.

This is in a way good to know in this way rather than the algorithm broken by the ‘bad guys’. So I welcome it

[Read the Full Story]

I’m sure a lot of enterprise is now looking or in the process of moving to WPA from WEP, this is going to stall some of ‘em.

Does DHCP provide any kind of security? NOPE! It is an admin’s job to use supplemental devices/software’s to prevent it.

2 attacks to look at;

1. DHCP Flooding :- Think about if someone keeps flooding the DHCP requests and the server keeps assigning until the pool is exhausted (Now, how difficult is that?) A tool which can generate random mac addresses in the requests, then it is done!

2. DHCP Serving :- Think of a rogue server giving away IP addresses causing service disruption. Better still, I can have the hosts send packets to choice of his/her Default Gateway and sniff the contents Or hand out incorrect DNS server IP, so that the connections can be redirected to incorrect/forged web sites? Simple enough (a Google search would give out the tools).

So how does one prevent these attacks from happening;

1. Situation 1 (DHCP Flooding) – Modern switches come up with DHCP snooping capabilities where one can restrict the number of mac addresses that can come into a specific ingress port of the switch. Also there are processes to watch over the spurious DHCP requests that seems unusual. The best part is, if you restrict to ONE mac address per port on port security, it can still be circumvented. An attacker can use a tool to use the same mac address, but in the DHCP request packet there is a field to mention the mac address and which is what the DHCP server assigns the IP for (not the original frame mac). So keep changing it and Voila, you’re done!

2. Situation 2 (DHCP Serving) – This is fairly simple to stop, configure switches to make sure “DHCP OFFER” message types do not come out of normal host access ports (Only allow the “DHCP OFFER” to come out from the DHCP server port, normal hosts have no business sending a “DHCP OFFER” message, isn’t it?).

Port Security has more value to it, since if compromised at layer 2, everything up is at stake!

When we speak about MAC flooding, almost everyone with Information Security insight knows about what it is. What do one achieve with MAC flooding? There are various ways of looking at it.

Take an enterprise class switch, and see the spec’s as to how many mac addresses can the switch store in its cache. It is very interesting to understand the already known fact (but less thought about), that a switch cannot learn mac address indefinitely, the simple reason is that it is impossible! A Cisco Catalyst 6500 switch can store ~130,000 mac cache entries. What would happen if all of them are filled up? The switch cannot store any more of newly learned MAC address thus stops to add it to the cache, which in turn floods traffic across all the ports if a traffic meant for that mac address comes in!

Such a massive switch, everyone obviously does VLAN on it. So in theory, a traffic in one VLAN is not seen by the other VLAN. However if we were to think about the lines above, if a MAC flooding happens in VLAN 1, hosts in VLAN 2 would be able to see all traffic in that VLAN 2 (in spite of having a 5 digit/6 digit valued switch). Reason ? Simple;

MAC Cache values defined in Switches are not VLAN specific, that is for the entire Switch Fabric. So if the MAC Cache Value is 10 entries, after 10 entries, broadcast flooding would happen in all other VLANs too for the newly learned MAC address.

Example;

Take a switch which can hold 10 MAC Cache Entries; There are 3 VLANS having 4 ports each in each VLAN, we call it VLAN1 VLAN2 VLAN3.

So from VLAN1, port 1, if we were to flood and fill all the 10 entries, Then the traffic flooding happens not only in VLAN1. Reason, if a new host comes on port 1 of VLAN 2, the switch cannot store the MAC address since the cache is full and is going to broadcast it, when a traffic for that MAC comes around.

Bottom line, if the mac cache is filled, everyone connected to the switch suffers and VLAN’s do not HELP! At that point; $50,000 SWITCH = $10 HUB

Of course the VLAN 2 doesn’t see anything from VLAN 1 however, every port in VLAN 2 sees everything that is happening in VLAN 2 (communication happening for all the 3 other ports).

That calls in for Layer-2 Security, for one aspect.

Well, Google for it and you can get N number of tools to do it, so I’m not going to write it down here.

How do you prevent it? MAC Security. Simple fact is to bind just 1 mac address per port. Well, it is easier said than done. In earlier switches, you have to manually do it. Now consider doing it for 348 ports? How much ever you pay, the guy ain’t gonna do it unless it is his head at stake

Good news is that, newer switches can dynamically learn one MAC address and then lock it down. Now if that happens, only the problems that arise due to change in port needs to be addressed. However with technology changes (think of IP Phone + Desktop plugged in 1 port), it kinda gets a bit ugly though! Some switches do offer to learn a limit of MAC addresses instead of just 1. All this comes with some cost obviously, the CPU load!

Google’s passive web security assessment tool is made available – open source.

A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.

Detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more.

Ratproxy is currently believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.

Download Page…

The new law enforcement and national security concerns were prompted by Operation Cisco Raider, which has led to 15 criminal cases involving counterfeit products bought in part by military agencies, military contractors and electric power companies in the United States. Over the two-year operation, 36 search warrants have been executed, resulting in the discovery of 3,500 counterfeit Cisco network components with an estimated retail value of more than $3.5 million, the F.B.I. said in a statement.

Not that this is news, we’ve always had this planted in the head about James Bond and his gizmo-gadgets and then the story about Government placing some backdoor’s in network security gears for them to get access whenever needed – Yeah, I dunno – its a nice story to keep floating…

But look what is this man? US Military having Counterfeit gears?

Read Full Story { Redirect }

The other day I was talking to my colleague about how fast the wireless technologies have grown for data communications and almost every IT professional (at least) is having the power of WiFi at their homes, since it doesn’t cost more than 50 dollars to buy a cheap wireless router. Along with that we were also discussing about how easy now-a-days it is to get connected to somebody else’s wireless connections While it is a good growth in technology terms, users aren’t careful enough to protect their bandwidth – they just leave their AP open to others.

So was just Googling around and found this free product – Easy Wifi Radar

The tool basically does an analysis of the spectrum to see if there is an AP available and if there is a hole, it just connects to it providing instant *free* Internet access! Now people don’t even have to know how to search, just click to go on the tool and it will connect.

However, we’re looking at serious legal issues, if one were to use this tool to steal bandwidth.

Disclaimer : I do not hold any responsibility for issues that one might encounter if he/she were to misuse this tool. It is only for technical knowledge sharing.

Well I do have corporate solution for AntiVirus on my work laptop, however I got hit by a worm (regsvr.exe – typical Google lookup) while my AntiVirus software sat happily there! Eventually I got it on my cell phone as well

Removing that was no-brainer anyway’s; but my time! Not gonna spend time explaining how to remove this (just Google for regsvr.exe and you have ton’s of solutions).

Second; a guy approaches while I was happily watching TV, telling me that he can get me GAS (took a name of a well known GAS agency) with out having Ration Card (something that Indian’s would understand   ). I went to that store to see there is no guy by that name in the shop! Luckily I didn’t give any money to him as booking charges or so.

Then I receive this hoax letter – International  property disposition offering me a 2008 Land Rover or equivalent cash (about 1.8 Million Rupees) and all I have to send is 1000 Rupees in cash – couldn’t stop laughing. Then I thought may be there are guys who’re hit with this and so I did a Google search on ‘International Property Disposition + hoax’, Voila! First post, there are guys who had actually send that money twice and still waiting for the gift???? Whatz wrong with these people man? I do not understand, you just get 1.8 Million for just 1000 Rupees – then you can as well start printing money on your own…

That reminds me of an incident, one of my friend sold his DVD player – the buyer came while he wasn’t there and gave money, got change only to find later in the evening that the money given was a high quality photo copy!

Great Place to live – IT hub of India (Bangalore) – Come to get cheated…. (Last year at this time I got robbed). Yeah – they’re all onto me!