Stopping Conficker with OpenDNS

Conficker is quickly becoming a mainstream news story as April 1 approaches, the date on which the worm is programmed to “phone home” for further instructions. It has been discussed in various news outlets, even garnering a primetime spot on 60 Minutes this past weekend. The worm has been a great source of concern for IT executives over the past couple of months, though its actual severity is yet to be determined. There are several mitigating factors that should minimize the chance of compromise, and a number of ways to detect and remove the worm. Another potential weapon against Conficker that should be considered is using OpenDNS to block the worm from reaching its command and control servers for further instructions.

In analyzing the worm, researchers found that Conficker uses an algorithm to generate a set of domains to contact for further instructions beginning on April 1. Because the algorithm is known, the exact list of domains it will try can be computed in advance. OpenDNS recently added a feature that blocks access to these domains; in their words: “We’ve teamed with Kaspersky Lab to identify those domains, and stop resolving them. This means if you’re using OpenDNS, Conficker will do your network no damage.” One caveat: this only protects hosts whose recursive DNS queries actually go to OpenDNS; an infected machine pointed at some other resolver gets no benefit. From a management perspective, this is a much less intensive solution than blocking the domains on your local DNS servers and dealing with the overhead involved.
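The pre-computation approach described above, as an added example that is not code from the original post, OpenDNS or Kaspersky Lab. The generator (toy_dga) is a hypothetical, deliberately simple date-seeded DGA standing in for the real algorithm; it is not Conficker’s, and the seed, TLD list and domain count are all constructed for the example. What it demonstrates is the general technique: once a DGA’s algorithm and its date input are known, every name it can produce for a date range can be enumerated ahead of time, and a resolver policy can refuse those names (and their subdomains) while forwarding everything else.

```python
"""Pre-computing a DGA's domains and refusing to resolve them.

The generator below is a hypothetical toy DGA used only to illustrate the
approach; it is NOT Conficker's algorithm.  The defensive idea is the same:
once the algorithm and its date input are known, every name it can produce
for a date range can be enumerated ahead of time and dropped at the resolver.
"""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org")          # constructed for the example
SEED = b"techscrawl-demo-seed"        # constructed; real DGAs embed their own constant


def toy_dga(day: date, count: int = 5, seed: bytes = SEED) -> list[str]:
    """Return the `count` domains the (hypothetical) worm would try on `day`.

    Deterministic: the same date and seed always give the same list, which is
    exactly what lets defenders pre-compute the blocklist.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])   # 8 lowercase letters
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


def precompute_blocklist(start: date, days: int, **dga_kwargs) -> set[str]:
    """Enumerate every domain the DGA yields from `start` for `days` days."""
    blocked: set[str] = set()
    for offset in range(days):
        blocked.update(toy_dga(start + timedelta(days=offset), **dga_kwargs))
    return blocked


def resolve_policy(qname: str, blocklist: set[str]) -> str:
    """Decide what a resolver should do with one query name.

    Normalizes case and the trailing dot so 'ABCD.COM.' and 'abcd.com' match,
    and also refuses subdomains of a blocked name (www.<dga-name>.com), since
    whoever registers the DGA domain controls that whole zone.
    """
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    for i in range(len(labels) - 1):          # never test the bare TLD
        if ".".join(labels[i:]) in blocklist:
            return "NXDOMAIN"
    return "FORWARD"


def filter_queries(queries: list[str], blocklist: set[str]) -> dict[str, str]:
    """Apply the policy to a batch of query names (e.g. taken from a resolver log)."""
    return {q: resolve_policy(q, blocklist) for q in queries}


if __name__ == "__main__":
    april = precompute_blocklist(date(2009, 4, 1), days=7)
    # Constructed sample queries: one legitimate, one DGA name, one subdomain of a DGA name
    sample = ["update.example.com", toy_dga(date(2009, 4, 1))[0] + ".", "www." + toy_dga(date(2009, 4, 3))[2]]
    for q, verdict in filter_queries(sample, april).items():
        print(f"{verdict:8} {q}")
```

Note that the policy is only as good as the blocklist window: a name generated for a day outside the pre-computed range is forwarded normally, so the list has to be regenerated (or generated far enough ahead) as the dates roll over.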

While using OpenDNS might not be feasible for larger enterprises, this is a great solution for SMBs and home users. I’ve used it personally for some time now; the amount of centralized control available and the ease of use make it extremely attractive. A wealth of reporting features is also available, including one that specifically identifies requests to known malware sites (like Conficker’s). Steps still need to be taken to ensure that Conficker is identified and removed from your network, but this is a good way to ensure that any instances that go undiscovered can’t cause further harm.

Related Links:

OpenDNS
In depth analysis of Conficker

MS Network Load Balancing – The Fine Print

Natty Light!

Microsoft’s NLB Clustering is kind of to High Availability Load Balancing what Natural Light is to the beer world. Both will basically get the job done, and on the cheap, but in the long run they might leave you with a wicked headache and wishing you spent a few extra dollars for a Sam Adams.

Read more »

Random Tech-Bits: SSLStrip, TCP Security, DNSSEC, and more…

Random Tech-Bits is a periodic roundup of interesting technology related links & news stories.

Personal Password Management

Question: If someone were to obtain your credentials for a “non-critical” web site, could they be used to gain access to accounts on critical sites such as email, online banking, etc? Many people would likely have to answer yes to that question, even security minded IT professionals.

Identity management can easily become a complicated subject. The average Internet user maintains dozens of accounts across an array of sites with varying levels of importance and security. Credentials for those accounts can be obtained in a number of ways. Many sites still don’t encrypt the login with SSL, leaving passwords vulnerable to sniffing. Others store passwords in the clear, leaving them vulnerable to a breach (like the recent Monster.com one). The most secure solution might be to maintain a separate password for every site, but that isn’t very user-friendly. There has always been a trade-off between security and usability. Greater minds than mine are working on this problem, trying to come up with solutions like the OpenID initiative. Until a better solution is universally adopted, here I’m presenting the technique I use for personal password management.

Read more »

Downadup / Conficker and Disabling Autorun

Just a quick heads-up on disabling Autorun to protect against Downadup / Conficker. While the worm continues to spread and receive more media coverage, IT personnel are working to make sure their systems are protected. One of the several ways this worm spreads is by taking advantage of the Autorun feature in Windows. Disabling this feature via Group Policy is a logical decision, but it turns out it may not actually work the way it should.

Disabling Autorun via GPO currently only disables AutoPlay on media insertion. If an Autorun.inf file is present on a CD, USB drive, or network drive, the program it points to will still run when that drive is double-clicked in Windows Explorer. This vulnerability was announced by US-CERT on January 20 and later updated with patch details from Microsoft. Follow the links below for full details on the problem and where to get the patch.

US-CERT Alert
Microsoft KB953252
UPDATE: Microsoft released KB967715 on March 10 to address this autorun problem in all versions of Windows.
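An added example, not from the original post, Microsoft or US-CERT, that checks the three registry values which together decide whether the double-click gap above is really closed: NoDriveTypeAutoRun under the Explorer policy key (what the GPO sets; 0xFF covers every drive type), the HonorAutorunSetting value that KB967715 adds with a value of 1 so that the first setting is honored on double-click as well, and the Autorun.inf IniFileMapping redirect to @SYS:DoesNotExist that US-CERT recommended as a workaround before the patch existed. The value names and meanings are as I understand the KB article and the alert; treat them as assumptions and verify against those documents. The decision logic is a pure function so it runs and tests on any platform; the live registry is only read on Windows, from HKLM only (the same policy value can also be set under HKCU).

```python
"""Check whether a Windows host actually closes the double-click Autorun.inf gap.

The decision logic is a pure function so it can run (and be tested) anywhere;
reading the live registry is attempted only on Windows.  Registry value names
and meanings are taken from KB967715 and the US-CERT workaround as the author
of this example understands them (assumptions; verify against the documents).
"""
import sys

# HKLM paths.  The policy value may also exist under HKCU; only HKLM is read here.
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
INIMAP_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
ALL_DRIVE_TYPES = 0xFF                   # NoDriveTypeAutoRun mask covering every drive type
WORKAROUND_VALUE = "@SYS:DoesNotExist"   # US-CERT IniFileMapping redirect (assumed value)


def evaluate_autorun(no_drive_type_autorun, honor_autorun_setting, inifile_mapping_default):
    """Return (protected, findings) for the three registry values.

    Protected means Autorun.inf cannot be triggered by media insertion OR by
    double-clicking the drive, i.e. one of:
      * the IniFileMapping workaround is in place (Autorun.inf is never parsed), or
      * NoDriveTypeAutoRun disables every drive type AND the KB967715 fix is
        present (HonorAutorunSetting == 1) so that setting is honored on double-click.
    """
    if inifile_mapping_default == WORKAROUND_VALUE:
        return True, []

    findings = []
    if no_drive_type_autorun is None:
        findings.append("NoDriveTypeAutoRun not set: the OS default applies and leaves some drive types enabled")
    elif (no_drive_type_autorun & ALL_DRIVE_TYPES) != ALL_DRIVE_TYPES:
        findings.append(f"NoDriveTypeAutoRun=0x{no_drive_type_autorun:02X} does not cover all drive types")

    if honor_autorun_setting != 1:
        findings.append("KB967715 not applied (HonorAutorunSetting != 1): Autorun.inf still runs on "
                        "double-click regardless of the GPO setting")
    return (not findings), findings


def read_live_values():
    """Read the three values from HKLM on a Windows host; returns None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg

    def query(path, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:           # key or value absent
            return None

    return (query(POLICY_KEY, "NoDriveTypeAutoRun"),
            query(POLICY_KEY, "HonorAutorunSetting"),
            query(INIMAP_KEY, ""))          # "" reads the key's (Default) value


if __name__ == "__main__":
    values = read_live_values()
    if values is None:
        # Constructed sample for non-Windows runs: GPO applied (0xFF), patch missing, no workaround.
        values = (0xFF, None, None)
    protected, findings = evaluate_autorun(*values)
    print("protected" if protected else "NOT protected")
    for finding in findings:
        print(" -", finding)
```

The sample values reproduce the situation the post describes: the GPO has set NoDriveTypeAutoRun to 0xFF, yet without KB967715 (or the IniFileMapping workaround) the host is still reported as unprotected against the double-click vector.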

Enabling DNSSEC on BIND

My previous post was an overview of DNSSEC and how it secures DNS transactions. This one covers how to enable DNSSEC on zones served by the BIND DNS server. Specifically, the example walks through setting up DNSSEC on a parent and a child zone, and confirming that it works.

An important concept to grasp is that BIND plays two distinct roles with respect to DNSSEC. One is serving signed data for zones for which it is authoritative. The other is acting as a validating resolver for external zones. If you only want to set up your BIND server as a DNSSEC-validating resolver and not sign any of your own zones, you can skip down to the “Resolver Validation” section.
Read more »

DNSSEC 101

DNSSEC is something you’ve no doubt heard of, especially this past summer, when the discovery of the Kaminsky DNS bug led to a small panic and widespread patching from vendors. DNSSEC (the current specification is sometimes called DNSSECbis) has existed as a proposal for about 10 years, but has undergone significant changes as recently as March 2008, and has only lately seen a major push toward implementation. This post discusses the need for DNSSEC and tackles the complex topic of how it works, as simply as possible. Though it really only scratches the surface, it should serve as a good introduction for those who want to know more. A fundamental understanding of DNS is assumed.

Read more »

Top Posts of 2008

Because it’s the holiday season, when my creativity and free time are both at their lowest, I’m going to take a method from the television world (the clip show) and do a “best of” post. These are the top TechScrawl posts of 2008 based on visitor count and reader feedback.

1) VMware ESX / Microsoft Hyper-V Comparison – This is by far my most popular post to date. Written in August (before the release of the standalone Hyper-V Server), it gives a good feature summary of these two releases. It also got me quoted in the Sept. edition of Computer Business Review magazine.

2) BackTrack 3 Tips – A fairly short post with 3 networking related tweaks, it nonetheless got a ton of hits, owing to the popularity of this security distro. Look for more BackTrack related posts in the future.

3) Simple SOHO IDS with Snort & a DIY Network TAP – One of my first posts after starting this blog in April, it discussed Snort placement in the network and constructing your own network tap.

4) Analyzing Windows Crash Dumps in 3 Easy Steps – Getting started with crash dump analysis can be difficult. While it can be much more complex than described in this post, I simplified it to 3 steps that will be adequate for most troubleshooters.

5) Top 10 IT Security Tasks To Complete Before You Die – A post from early December, but still very popular, partly due to TechScrawl’s recent inclusion in the Security Bloggers Network.

See you in 2009.


Random Tech-Bits: 19 Dec 2008

Friday Link Round-Up:

Ethical Hacking Course Launched in UK – “students will be taught how to run denial-of-service attacks…tricks of social engineering…as well as how to create viruses”. I can’t decide if this is a good or bad thing; I guess the info is already out there anyway, so why not?

What Your Computer Does While You Wait – Great post delving into internal architecture and component interaction.

Personal Branding Tips To Avoid Getting Fired – Non-technical but timely article. Tip #9: write a blog, check.

U.S. Unprepared For Cyber-Attack – “The war game simulated a dramatic surge in computer attacks… revealed flaws in leadership, planning, communications and other issues.”

Secure Data Transmission Within Windows Networks – Interesting encryption solution from Unisys facilitating secure data sharing between “communities of interest” in Active Directory based networks. Designed to meet DoD security challenges, but should see some private sector use.

Case Study: Suspicious Network Traffic

In this post I describe a recent investigation of suspicious network traffic on an organization’s network. Although the traffic turned out not to be malicious, the hope is that the basic investigation methodology described may help those in similar situations. The tools used include the Wireshark network analyzer, select Sysinternals utilities, and those built into the Windows OS.

Read more »