-
Dodgy domain registrar de-accredited by ICANN
By Tahir on October 30, 2008
The Internet Corporation for Assigned Names and Numbers (ICANN) has terminated its Registrar Accreditation Agreement (RAA) with EstDomains.com after the president of the company was convicted of credit card fraud, money laundering and document forgery. This is welcome news to the security community: EstDomains.com has been used by cyber criminals for years to hide their identities and to conduct malicious activity such as hosting bot command and control servers, drive-by downloads and spam operations on its domains.
Here are some links of interest that provide more information on this story:
1. F-Secure Weblog - “Case EstDomains”
2. The Washington Post Company – “ICANN De-Accredits EstDomains for CEO’s Fraud Convictions”
3. Notice sent to EstDomains.com by ICANN (pdf)
Metasploit: DNS exploit code now available
The Metasploit team has published two modules that exploit the recently announced DNS flaw. They are named "DNS BailiWicked Host Attack", which injects individual uncached host records into the target nameserver's cache, and "DNS BailiWicked Domain Attack", which replaces a target domain's nameserver records in the target nameserver's cache.
Both modules require that you run the Metasploit Framework from the "trunk" development branch, which is currently only supported on Linux.
Here’s more from the official blog:
The first flaw is that since DNS (over UDP) is connectionless, it can easily be spoofed. The original primary mitigation against this was to make use of a 16-bit transaction ID, used to correlate requests and replies, that the attacker would have to guess in order to correctly spoof a reply packet. This makes spoofing harder, but not an insurmountable task; you just need to be able to send a whole lot of packets to eventually get one that matches the transaction ID chosen for the request packet.
The second flaw was that additional records included in replies from another nameserver would be inserted into the cache. This is core protocol functionality; however, the original problem was somewhat mitigated by creating the in-bailiwick constraints, which essentially limit the domain space for additional records that can be sent in replies to hostnames from a given domain. Sounds reasonable; this prevents nameservers from doing malicious things to records in domains that they weren't queried for or aren't authoritative for, while still allowing nameservers that are authoritative for a domain to update the records they need to.
When you combine the attacks for these two flaws however, and introduce nameserver query recursion, an attacker can essentially cause the target nameserver to make as many queries as the attacker wants while also pretending to be the authoritative nameserver and spoofing the responses, achieving the birthday attack against the transaction ID and successfully updating the nameserver record for a domain to point to a malicious nameserver address. You can also use this trick to inject cache entries for individual hostname records as long as those hostnames are both not already cached, and also in-bailiwick.
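The following Python simulation is an added example; it is not the Metasploit modules and not code from the Metasploit blog. It models the race the quoted text describes: a toy caching resolver that checks the 16-bit transaction ID, the UDP source port and the in-bailiwick constraint, against an attacker who triggers lookups of random never-cached names under the victim zone and floods spoofed replies carrying an NS record for the whole zone plus glue for a server the attacker controls. Assumptions that are not from the page: the resolver treats the query name's parent as the bailiwick (real resolvers use the delegation the query was sent to), an unpatched resolver always sends from port 53, a patched one picks a random port above 1023, and the zone name, IP address and seeds are constructed for the demonstration.

```python
import random
from dataclasses import dataclass, field

TXID_SPACE = 1 << 16   # 16-bit transaction ID
PORT_SPACE = 1 << 16
FIXED_PORT = 53        # assumption: a pre-patch resolver reused this source port

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies under it (e.g. ns.example.com)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

@dataclass
class Reply:
    txid: int
    dst_port: int   # UDP port the spoofed reply is aimed at
    qname: str      # question section echoed back
    ns_zone: str    # authority section: NS record for this zone ...
    ns_host: str    # ... naming this host
    glue: dict      # additional section: host -> IP

@dataclass
class Resolver:
    randomize_port: bool
    rng: random.Random
    ns_cache: dict = field(default_factory=dict)
    glue_cache: dict = field(default_factory=dict)

    def send_query(self, qname):
        """Issue a query; return what a valid reply must match."""
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.randrange(1024, PORT_SPACE) if self.randomize_port else FIXED_PORT
        return qname, txid, port

    def receive(self, pending, reply):
        """Accept a reply only if TXID, port and question match and every
        record it wants cached is in-bailiwick for the queried zone."""
        qname, txid, port = pending
        if (reply.txid, reply.dst_port, reply.qname) != (txid, port, qname):
            return False
        zone = qname.split(".", 1)[1]        # assumption: parent label is the bailiwick
        if not in_bailiwick(reply.ns_zone, zone):
            return False                     # out-of-bailiwick NS record dropped
        self.ns_cache[reply.ns_zone] = reply.ns_host
        for host, ip in reply.glue.items():
            if in_bailiwick(host, zone):     # glue must be in-bailiwick too
                self.glue_cache[host] = ip
        return True

def kaminsky_round(resolver, zone, evil_ip, port_guess, txid_guesses, rng):
    """One round: trigger a lookup for a random, never-cached name under the
    victim zone, then flood spoofed replies carrying an NS record for the whole
    zone plus glue that points it at the attacker's server."""
    qname = f"{rng.randrange(1 << 32):08x}.{zone}"   # uncached and in-bailiwick
    pending = resolver.send_query(qname)
    for guess in txid_guesses:
        reply = Reply(guess, port_guess, qname, zone, "ns." + zone,
                      {"ns." + zone: evil_ip})
        if resolver.receive(pending, reply):
            return True
    return False

def run_attack(randomize_port, rounds=3, seed=7):
    """Attacker sweeps the whole 16-bit TXID space each round but keeps aiming
    at the fixed pre-patch port. True once the zone's NS record is poisoned."""
    rng = random.Random(seed)
    resolver = Resolver(randomize_port, random.Random(seed + 1))
    for _ in range(rounds):
        if kaminsky_round(resolver, "example.com", "203.0.113.66", FIXED_PORT,
                          range(TXID_SPACE), rng):
            return resolver.ns_cache.get("example.com") == "ns.example.com"
    return False

def success_probability(guesses_per_round, rounds, port_bits=0):
    """Chance of at least one win when each round fires guesses_per_round
    spoofed replies at a 16-bit TXID plus port_bits of source-port entropy."""
    p_round = min(1.0, guesses_per_round / (TXID_SPACE * (1 << port_bits)))
    return 1 - (1 - p_round) ** rounds

def bailiwick_demo():
    """Same TXID and port, but the NS record names an unrelated zone: rejected.
    The in-zone variant is accepted and cached."""
    r = Resolver(False, random.Random(0))
    pending = ("r.example.com", 4242, FIXED_PORT)
    bad = Reply(4242, FIXED_PORT, "r.example.com", "bank.test", "ns.bank.test", {})
    good = Reply(4242, FIXED_PORT, "r.example.com", "example.com",
                 "ns.example.com", {"ns.example.com": "203.0.113.66"})
    return r.receive(pending, bad), r.receive(pending, good), dict(r.ns_cache)

if __name__ == "__main__":
    print("fixed port:", run_attack(False), " random port:", run_attack(True))
    print("P(win) per round with 16 port bits:", success_probability(65536, 1, 16))
```

With a fixed source port, an attacker who sweeps all 65,536 transaction IDs wins on the first round; source-port randomisation turns the same sweep into roughly a one-in-65,536 chance per round, which is what the DNS patches released for this flaw added. The bailiwick_demo function shows the second flaw's mitigation on its own: a reply that matches TXID and port but carries an NS record for an unrelated zone is discarded, while the in-zone record for a name that was never cached goes straight into the cache.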
-
IT Assurance Framework introduced
By Tahir on July 24, 2008
ISACA today introduced ITAF: A Professional Practices Framework for IT Assurance, targeting IT audit and assurance professionals. The official release states:
ITAF™ consists of compliance and good practice-setting guidance:
- Provides guidance on the design, conduct and reporting of IT audit and assurance assignments
- Defines terms and concepts specific to IT assurance
- Establishes standards that address IT audit and assurance professional roles and responsibilities, knowledge, skills and diligence, conduct, and reporting requirements
More info here
-
Audit network devices with ease
By Tahir on July 4, 2008
Assessing the security posture of network devices such as routers and firewalls can become a nightmare when a security practitioner is faced with tens of devices, each with hundreds (sometimes thousands) of lines of configuration to go through. Manually reading the entire configuration is not always the right course of action, especially under tight deadlines.
Help is available in the form of automation tools that make this easier. I will discuss a couple of tools that I have worked with and how they can support auditing and vulnerability assessment activities. (more…)
-
Middle East property developer's customer info leaked on eBay
By Tahir on June 6, 2008
Damac Properties, the "largest private real estate developers in Middle East", saw its customer database go up for sale on eBay UK for £750. This was confirmed by Damac, who have since launched an investigation into the matter.
The seller, "dubaigoods1", appears intent on selling as many copies of the database as possible: after eBay removed the original listing, the item was reposted as "DUBAI PROPERTY/DEVELOPER INVESTOR DATABASE" with no mention of Damac Properties. The screenshot below was taken a few minutes ago:
-
A Google for your network infrastructure?
Paglo, a totally free “world’s first search engine for IT”, is a web-based service that lets IT professionals search their own IT infrastructure assets. I signed up for the beta in November last year but only received the invitation earlier this month.
Information about the target network is gathered by a software agent, Paglo crawler, which installs on a standard computer connected to the network. The crawler can put together an exhaustive set of information about network hosts with information such as device type, device name, IP address, installed software, disk space usage and so on. The crawler uploads the information to Paglo’s data center for storage and indexing. This information can later be retrieved through a web-based interface. (more…)
-
Stealth tcp port scanning
Port scanning is carried out by hackers and information security professionals alike to probe network hosts and discover active services. It is often the first step in exploiting vulnerabilities in the services running on a host, which is why attackers use stealth scans that try to evade firewall and IDS devices.
Although today's IDSs can pick up almost any traditional stealth scan, IDS and firewall evasion is still possible and is commonly achieved with packet fragmentation or by scanning through proxy hosts. This article looks at how these basic TCP stealth scans work. (more…)
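As an added example that is not part of the original article, the following Python model shows the RFC 793 behaviour that SYN, FIN, NULL and Xmas scans rely on, and why the last three cannot tell an open port from a filtered one. The target host, its open and filtered port sets and the port numbers are constructed for the demonstration; the host is assumed to follow RFC 793 exactly.

```python
from dataclasses import dataclass

# TCP flag bits (RFC 793 header layout)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags each scan type sets on its probe segment
SCAN_PROBES = {
    "syn": SYN,
    "fin": FIN,
    "null": 0,
    "xmas": FIN | PSH | URG,
}


@dataclass
class Target:
    """Constructed host with an RFC 793 stack; filtered ports sit behind a
    firewall that silently drops probes."""
    open_ports: set
    filtered_ports: set

    def respond(self, port: int, flags: int):
        """Flags of the reply segment, or None when the host stays silent."""
        if port in self.filtered_ports:
            return None                               # dropped by the firewall
        if flags & RST:
            return None                               # a RST is never answered
        if port not in self.open_ports:
            return RST if flags & ACK else RST | ACK  # closed port: RST
        if flags & SYN:
            return SYN | ACK                          # open port: handshake step 2
        return None                                   # open port ignores FIN/NULL/Xmas


def infer(scan_type: str, reply) -> str:
    """Scanner-side verdict from a reply (or silence) to one probe."""
    if scan_type == "syn":
        if reply is None:
            return "filtered"
        return "open" if (reply & SYN) and (reply & ACK) else "closed"
    # FIN/NULL/Xmas: a RST proves closed; silence cannot separate open
    # from filtered, hence the ambiguous verdict
    return "closed" if reply is not None and reply & RST else "open|filtered"


def scan(target: Target, ports, scan_type: str) -> dict:
    """Probe each port once and return port -> verdict."""
    probe = SCAN_PROBES[scan_type]
    verdicts = {}
    for port in ports:
        reply = target.respond(port, probe)
        verdicts[port] = infer(scan_type, reply)
        if scan_type == "syn" and reply is not None and reply & SYN:
            # Half-open: tear down with RST instead of finishing the handshake,
            # so the application on the target never sees a connection
            target.respond(port, RST)
    return verdicts


def demo_scans() -> dict:
    """Run every scan type against a constructed host (22 and 80 open, 25 filtered)."""
    host = Target(open_ports={22, 80}, filtered_ports={25})
    ports = [22, 25, 443]
    return {kind: scan(host, ports, kind) for kind in SCAN_PROBES}


if __name__ == "__main__":
    for kind, result in demo_scans().items():
        print(f"{kind:>4} scan: {result}")
```

The SYN scan separates open, closed and filtered because every case produces a distinct outcome, yet it never completes a handshake. The FIN, NULL and Xmas scans get a RST only from closed ports, so they report "open|filtered" for everything else. Two caveats a practitioner should keep in mind: stacks that do not follow RFC 793 here (Windows and many Cisco devices among them) send RST from open ports too, so those three scans show every port closed against such hosts; and a firewall that rejects with RST rather than dropping will make filtered ports look closed.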