January 2013 – SWITCH Security-Blog

Analysing DNS traffic using PacketQ

Our authoritative only name-servers are every once in a while hit by strange DNS queries. To spot anomalies we use DSC (DNS Statistic Collector), which allows exploring many details of DNS requests and responses to and from our name-servers. Usually one can already get a good sense of what has happened with DSC. However often, deep packet inspection is needed to get the full picture.

DSC Statistic showing query-type MX and ANY traffic anomalies

DNS traffic heading towards our authoritative only name-servers is stored for a few days in PCAP. Should we have any need to analyse some of the data we can then easily do so. Analysing very large PCAP files may sound cumbersome but thanks to PacketQ this is actually very easy and fast. PacketQ was originally developed by IIS.SE and is open source. It is a command line tool to run sql queries directly on PCAP files. It exports some IP and UDP header fields and most importantly all DNS protocol fields.

Continue reading “Analysing DNS traffic using PacketQ”

IT-Security-Links #8

‘Red October’ is the Security buzzword this week. Kaspersky published a report about a large scale cyber-espionage network on monday. And they called it ‘Red October’ (after famous novel ‘The Hunt For The Red October’).
Interesting reading from the Citizen Lab Internet research group about the downside of network security and optimization products: “Planet Blue Coat: Mapping Global Censorship and Surveillance Tools“. And a corresponding article in the New York Times.
“Cybercrime and the Underground Market” is a quite detailed article about Cyber-attacks, malware, identity theft, phishing and spam – in the Infosec-Institute Blog by Pierluigi Paganini.
Also after the recent Java patch: A new exploit suggests to keep Java disabled.

German:

“Hacking macht Spass.” – Die NZZ berichtet über die israelische Hackerin Keren Elazari.
Staatstrojaner 2.0: netzpolitik.org und heise.de berichten über die neuesten Gerüchte.

IPv6 für (Security-)Manager – Teil 1

Über IPv6 – dem Nachfolger des Internet-Protokoll-Standards IPv4 – wird nun seit 15 Jahren gesprochen. In dieser Zeit ist das Thema jedoch ohne grössere Auswirkungen auf die produktive IT der meisten Organisationen geblieben. Daher wundert es nicht, wenn sich viele IT-Manager daran gewöhnt haben, IPv6 entweder zu ignorieren, oder als eine niedrigpriorisierte und vielleicht auch eher technische Angelegenheit einzuordnen.

Auch wenn dieser Umgang mit dem Thema in der Vergangenheit oft ohne grössere Risiken möglich war, kann man heute davon ausgehen, dass dies für die Zukunft nicht mehr in gleichem Masse gilt. Es lohnt sich also, einen frischen Blick auf den “Fall IPv6” zu werfen:

Continue reading “IPv6 für (Security-)Manager – Teil 1”

IT-Security-Links #7

29c3 “Not My Department”: Lots of Conference Videos of the 29th installment of the Chaos Communication Congress are available for download.
And Stefano Ortolani wrote a report on the Chaos Communication Congress (securelist.com).
The Georgia Tech Cyber Security Summit released their 9-page Emerging Cyber Threats Report 2013 (PDF), a digest can be found here.
Turktrust CA: krebsonsecurity and nakedsecurity work off the latest Certificate Authority incident
EC³: New European Cybercrime Centre based at Europol headquarters in The Hague launched today.
Java vulnerable: A new Java zero-day vulnerability has been found. Another good reason to disable Java in your browser. (German readers find our tips here!)
Now online: the latest SWITCHcert Security Report (german)

CH-Zone Opfer eines DNS-Amplifikations-Angriffes

Erst ein paar Wochen ist es her, dass wir über DDoS-Angriffe durch Reflektierende DNS-Amplifikation gepostet haben. Heute Morgen um 4 Uhr wurde nun erstmals auch die CH-Zone für einen solchen DNS-Amplifikations-Angriff missbraucht.

NetFlow Daten: Ein- und Ausgehender Datenverkehr der SWITCH CH-Nameserver

Die DNS-Anfragen lauten auf ‘CH’. mit dem Query-Type ‘ANY’. Zusätzlich wird die EDNS-Erweiterung aktiviert, was es ermöglicht in einer UDP-Antwort mehr als 512 Bytes zu erhalten. Ohne EDNS würde der autoritative DNS-Server mit dem gesetzten Flag „TC“ (Truncated) antworten, womit der Client aufgefordert wird, die DNS-Anfrage nochmals über TCP zu schicken. Bei gespooften DNS-Anfragen will man das natürlich verhindern, deshalb ist hier EDNS aktiviert. Wir sehen die DNS-Anfragen von mehreren Quell-Adressen, jedoch ist eine IP-Adresse besonders benutzt. Diese IP-Adresse, welches das Opfer des DDoS-Angriffes ist, empfängt alle Antworten.

Warum wird gerade die CH-Zone missbraucht?

Continue reading “CH-Zone Opfer eines DNS-Amplifikations-Angriffes”

Why you should treat passwords like your toothbrush

A Guest Article by Stefan Lüders.*

Your password is your entry token into the digital world. eBay, Amazon, Facebook, Twitter – your company accounts – all ask you for a password to authenticate and prove that you are you. And vice versa: If I know your password, I can impersonate you and use your money to buy from eBay or Amazon, post nasty messages on your Twitter or Facebook profile, or misuse computing facilities of your company or organization in your name!

Would you give me your UBS bankcard and its PIN number? Of course not! Please apply the same sensitivity to your digital credentials, i.e. passwords, SSH keys, certificates, etc. Beware of attempts to “steal” your password. Computing staff, including the Computer Security Team, will never ask for your password (nor will any other legitimate person at Facebook, eBay, etc.). So be wary of malicious e-mails, or other means requesting your password. Never send it via e-mail, and type it only into web interfaces you know and trust.

Remember: Your password should be treated like a toothbrush: do not share it, and change it regularly!

Continue reading “Why you should treat passwords like your toothbrush”

Welcome back!

Dear Reader!

Welcome to 2013 and welcome back to our IT-Security blog! We trust that you have all had a nice few days and hopefully have stayed safe.

Have you remembered all your passwords after the holidays? For me this is always a challenge. Which is good because this reminds me to change and renew them for the next period!

Talking about passwords: This week we start off with a guest article from Stefan Lüders who explains, why you should treat your passwords like a toothbrush! 😉

Enjoy it…

…and have a good start into 2013!

Your SWITCH Security Team