Good Disclosure...

I think that Konstantin Gavrilenko from Arhont Ltd.- Information Security did an outstanding job of documenting a Cisco PIX TCP Connection Prevention vulnerability. Cisco's response to this vulnerability announcement is here. He has documented what could be termed a resource attack on the PIX; forcing the Firewall to expend unnecessary resources reacting to a scripted packet. This attack could potentially slow user connections through the Firewall and in the extreme worst case possibly cause the Firewall to reload but does not expose the protected network. Gavrilenko has done an excellent job of communicating this issue that his work uncovered. I think even novice PIX Admins will be able to understand his findings.

I'd strongly suggest that all PIX Admins read the report and also go over the Cisco response. This is the first response that I've seen since PIX OS v7 came out. Cisco PSIRT present work arounds for both the v6.x and v7.x PIX operating systems. The vulnerability can best be exploited by an attacker on a inside interface.

One caution after reading the Cisco response; the first work around suggests that issuing a "clear xlate" or "clear local-host " will allow the PIX to pass connections again. I hope that most PIX Admins will appreciate that "clear xlate" will affect all connections going through the PIX were "clear local-host ..." only clears a single connection. Admins should use the "clear xlate" with caution on production networks.

Updated SANS top Twenty Vulnerabilities

The folks over at SANS.org released version 6 of their Top Twenty List of Critical Security Vulnerabilities today. When SANS started publishing their lists I always advised security analysts and in particular Firewall admins to strongly consider these vulnerabilities when creating and maintaining Firewall rules. Some time back the folks that compile the list started breaking out Windows vulnerabilities from others. Something that is new to the list this year is that the SANS team has further structured the list so as to look at Windows, networking, and cross platform ( or web application) vulnerabilities.

Black Hat no more?

I don't know if anyone saw this coming; Black Hat was acquired by CMP Media for about $10 million dollars. I know that when you look at the web site Black Hat lists consulting services available but I had never actually read anything about work they might have done. The Black Hat conference is the premiere annual security event. I think everyone is asking the question will Black Hat be able to maintain it's edge as part of a much larger (and seemingly much more conservative) media company? What's next, Ozzie Osbourne's music library being acquired by the Osmonds?

Linksys Default Number of IP Addresses

When setting up a Linksys router; and by that I mean any Linksys router you may notice that by default the setup program turns on DHCP and allows the DHCP server to allocate up to 253 IP addresses. For many folks this number should be in the range of 1 to 3. I have 8 PCs, two network printers, two wireless access points, and a network storage device and I manage to use only 8 IP addresses (OK, some of those devices are behind another Firewall and others are behind a VPN router). Things to think about here are if you have any non PC type devices that might attach to the Linksys. For example I have the family Tivo box set up with a wireless network interface and that uses an address. IP phones might also fall into this category.

About Resetting that Linksys Router

If you find that you have to reset your Linksys router on a weekly basis you really need to check to make sure that it is running the latest firmware.

Using your web browser enter "www.linksys.com". (Note to Linksys) Be patient as sometimes this page takes up to a minute to load even on the fastest broadband connections. Look under the "Support" drop menu and select "Downloads". There you will find a drop down menu were you select the type of Linksys router you have and then click on "View Downloads". Once completed you'll be looking at the support page for your model of router. Select "Firmware" to view the specific firmware files that are available. If there is a version of firmware that is more recent than that running on your router, select and download it. Be careful as sometimes the different options on these pages look like different versions of firmware (each says "Download Firmware" below the item). I noticed for my router that the 3 files were #1 - the firmware, #2 - a firmware install utility, and #3 - the release notes for that version of firmware.

You can install the firmware on your router from a PC that is connected to the Linksys device. If you use the install utility from the Linksys website you can push the new firmware onto the device. You can also use the "Firmware Upgrade" choice off of the Linksys Administration menu to pull the new firmware file from that same connected PC.

How to Reset a Linksys Router

If you ever find yourself locked out of your Linksys router don't worry. Resetting a Linksys router back to it's default factory configuration is easy.

#1 - Prepare for the reset by removing any Ethernet connections attached to the router.

#2 - Locate the reset button on the back of the router. If you press and release the reset button the router restarts.

#3 - Press and hold the reset button while you count to 10. At "10" continue pressing the switch and turn off the power to the router (turn off the switch or pull the power plug). Count to 10 again. Turn the power back on. When any of the LEDs (lights) on the front of the router turn on (the power LED should turn on first) then let go of the reset button.

#4 - Connect one PC back to the Linksys router via the Ethernet. This PC should be set up to acquire an IP address via DHCP. After connecting the PC it should have an IP address with 30 seconds. You can check to see if the PC has an IP address using the command "IPCONFIG" at a DOS prompt. By default the Linksys will set it's IP address to 192.168.1.1. You can verify this by typing "IPCONFIG" and looking at the IP address of the default gateway (it should be 192.168.1.1).

#5 - Open a browser and enter the URL "http://192.168.1.1" (without the quotes). If asked for a username leave that field blank. If asked for a password enter "admin".

# 6 - The first thing you should do is to change the default password on the Linksys router. The next thing is write the new password down. If you've lost or forgotten the password for your router let me suggest taping the new password to the bottom of the unit. This is not the most secure means of recording this information; but if your router is locked inside your house you have already removed much of the associated risk.

#7 - The next thing you should do is check the Linksys web site to find out if you are running the latest version of Linksys firmware.

Under attack Linux Lives Longer?

Just a few days after the release of the USA Today / Avantgarde study about how long an unprotected PC might survive on a network before experiencing a variety of un-targeted attacks; the folks at the Honeynet Project released the results of a similar study that looks at the "time to live" for various Linux distributions. The study finds that Most Linux PCs are much less vulnerable to attack than PCs running Microsoft operating system products. The study suggests that a Linux PC could last up to 3 months on the Internet without being compromised.

I don't think there is any "me too" factor here. The folks over at the Honeynet Project have been doing their work and producing good results for several years. Even though these latest results were published a couple of days after the USA Today study there are clear differences in the work.

The title of the Honeynet Project report is "Know Your Enemy - Trend Analysis". The Honeynet folks did a much more thoughtful job of looking at the various Linux distributions that were out there and talking about where the problems are. The reality seems to be that the older Linux distributions that #1 turned on more services by default, and #2 have more documented vulnerabilities simply because they have been around longer are more vulnerable to un-targeted attacks.

An interesting note (#2) in the section of the "Know Your Enemy" or KYE study titled 'Reasons" was the rise in network based phishing (social engineering) attacks where the target isn't the asset (the PC) but the personal data on the PC or the personal information of the user.

How long can a PC survive on the Net?

USA Today recently sponsored some testing to determine how long various types of unprotected PCs could survive on the Internet. In at l;east one instance an unprotected PC running Windows XP was broken in to within 4 minutes of being started and attached to the Internet. It should be clear to all that this type of research is valuable in a couple of ways.

First off for USA Today it sells lots of papers and results in many, many hits at their web site. When a news outlet like USA Today gets behind a study like this many, many people will be able to get to the results.

Avantgarde, the Marketing and Design company that published the results of the "Time to Live on the Network" study did a first rate job. The published results of the joint study that were published at the Avantgarde website show that they did a very reasonable tests and they didn't suffer from any predetermined Windows bias. A Linux distribution (OK, but not one that I'm familiar with or would have suggested) was also used as part of this study. With that said the folks over at Avantgarde should also see much more traffic at their web site and probably more business.

Lost in the noise about the study results is the fact that Kevin Mitnick is credited as having participated in this study as one of the principal investigators. Many folks in the computer security business take issue with hackers who have been convicted of a crime later making there way back into the security business. I'm glad to see that Kevin put his skills to good work here and produced good solid work without making it all about a former hacker.

It should be noted that the PCs that did the best in this study had some sort of Firewall installed.

So where is the beef here? Hopefully the most important result of this study will be all the folks who see the headline and read the article in USA Today who are going to learn something about how bad the security of an unprotected PC really is. This work is another data point that highlights the problems of untargeted attacks over the Internet. It's up to users of PCs and developers of PC operating systems and security products to put the data together to realize the size and scope of the problem and work harder to it's resolution.