November 2014 – SWITCH Security-Blog

IT-Security-Links #66

./lets-encrypt: Mozilla, Akamai, Cisco, the EFF and IdenTrust announced a new Certificate Authority (CA) which will launch in May 2015. The Let’s Encrypt project is aiming to reduce complexity, bureaucracy, and cost of the certificates that HTTPS requires. A short Demo-Video.
Citadel Update: IBM researchers have found signs that the well-known trojan is now being used to attack widely used password managers.
Stuxnet: Even though Stuxnet was discovered more than four years ago, Kaspersky revisited the subject and published new technical information about some previously unknown aspects of the Stuxnet attack.
CryptoPHP: is a new threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. Fox-IT published a 52-page whitepaper (PDF).
PWC published their Global State of Information Security Survey 2015. According to the survey total financial losses attributed to security compromises increased 34% over 2013. Here you can download a paper with the key findings.
Maybe the coolest exploit of the year: Space Invaders on a Cisco Catalyst Switch.

German:

Anonip: Die Swiss Privacy Foundation veröffentlicht Tool zur Anonymisierung von Logfiles (für IPv4 und IPv6).

DNSSEC signing your domain with BIND inline signing

Update Dez 2020: We made an update for users with BIND 9.16.

Update Nov 2017: DNSSEC zone signing as described here is outdated. We strongly recommend against the method described in this blog post. Newer BIND versions or other DNS software have greatly simplified DNSSEC signing.

With BIND 9.9, ISC introduced a new inline signing option for BIND 9. In earlier versions of BIND, you had to use the dnssec-signzone utility to sign your zone. With inline signing, however, BIND refreshes your signatures automatically, while you can still work on the unsigned zone file to make your changes.

This blog post explains how you can set up your zone with BIND inline signing. The zone we are using is called example.com. In addition, we look at how to roll over your keys. In our example, we do a Zone Signing Key (ZSK) rollover. We expect that you are already familiar with ISC BIND and have a basic understanding of DNSSEC. More specifically, you should be able to set up an authoritative-only name server and have read up on DNSSEC and maybe used some of its functions already.

Architecture

Before we set up inline signing with BIND, let us look at a typical network architecture. We will set up inline signing on a hidden master name server. This server is only reachable from the Internet via one or more publicly reachable secondary name servers. We will only cover the configuration of the hidden master as the secondary name server configuration will not differ for the signed zone (assuming you are using DNSSEC-capable name server software).
Continue reading “DNSSEC signing your domain with BIND inline signing”

The November 2014 issue of our SWITCH Security Report is available!

A new issue of our monthly SWITCH Security Report has just been released.

The topics covered in this report are:

The «long tail» effect of Shellshock, Heartbleed & co.
Malvertising: hackers learning from advertising professionals
Legitimate defence of the right to protection versus opening Pandora’s box
Taxing the Net: a Hungarian posse gets serious
The Clipboard: Interesting Presentations, Articles and Videos

The Security Report is available in both english and german language.

»» Download the english report. »» Download the german report.

Did you miss our previous Security Report? Click here to go to the archive.

Retefe with a new twist

A few months ago, we blogged about the banking trojan Retefe (Blog post in German) that was and still is targeting Switzerland. First off, Retefe is different because it only targets Switzerland, Austria and Sweden (and sometimes Japan). Contrast this to many other banking Trojans, which have a much more global and dynamic target list. Not only that, but the Retefe infrastructure also prevents computers from not affected countries to connect to its systems by using geo-location aware access lists and filters. The second unique property of Retefe is the fact, that it only modifies the operating system by adding a fake root certificate and by changing the DNS server for domain name resolution. After infection, the installer removes itself, which makes life hard for anti-virus software trying to detect a malicious Retefe component or activity.

Since a few days, Retefe is back again with a new twist. It still targets the same countries and the same banks. Not too exciting, the spam campaign has changed. However, in this wave Retefe is picky and only installs itself on selected computers. And some icing to the cake, it also installs another malware called DOFOIL. In this blog post, we give a technical analysis of the new Retefe.
Continue reading “Retefe with a new twist”