Wednesday, April 7, 2010

Active Directory Domain Controller Hacked Through Remote DNS Management?

This is my initial reaction to Microsoft's Security Advisory 935964, and should be correct to the extent the advisory is complete and correct.

Through a buffer overflow attack on the RPC port of a Windows server an anonymous user can execute code in the DNS. Since the Windows DNS Service is integrated with Active Directory and often run on a domain controller, this means the attack has the opportunity to compromise a Windows domain controller, which is a great start towards
  • Compromising other domain controllers (DCs)
  • Compromising computers in the forest, attacking non-forest computers in the zone of trust accessible to the DC
  • Escalating any kind of privilege that is controlled by groups, accounts or other objects in the Active Directory
  • Intelligence gathering
  • Doing mischief with DNS against anything that uses the DNS
No information has been released yet on how Microsoft found out about this targeted, undercover exploit and what was compromised – maybe they saw the vulnerability for sale out in hacker land, but there could be some very unhappy security departments out there that aren’t talking about this publicly!

And the auditors should be asking questions – how does your organization know this couldn’t have happened to you, that it didn’t happen, that it didn’t compromise regulated environments.

I find this to be a very significant advisory because it demonstrates some important concepts my colleagues and I have been writing about
  • Risk aggregation in Active Directory forests (first written about by us circa 2000) – don’t integrate sensitive environments with a single forest that contains lower surety elements
  • Targeted attacks and undercover exploits – this doesn’t look like a worm put out for show, this is going after the money
  • The need for a perimeter layer of security (network IDS and firewall traffic control) to serve as a preventive or detective control for vulnerable hosts that perform critical functions
No patch yet. The workaround is to lock down the RPC port on the host (so it can’t be managed remotely) and/or through firewalls (so the RPC port is blocked). The trouble is, organizations actually need to be able remotely manage DNS and other things on the DC. They can shut remote management down temporarily while waiting for the patch, but the longer they have to wait, the more painful this get for network and security support.

Organizations that have implemented what we call a “control zone” – where domain controllers and other sensitive infrastructure are firewall protected so the ports used for remote management are either blocked (if unneeded) or restricted to authorized IP addresses or IPSec authenticated hosts. Microsoft has provided some documentation on how to run domains and forests within firewalls by tunneling DC to DC traffic through IPSec http://www.microsoft.com/downloads/thankyou.aspx?familyId=c2ef3846-43f0-4caf-9767-a9166368434e&displayLang=en but I haven’t reviewed this in depth yet. There is also some good information in the blog entry http://blogs.zdnet.com/Ou/?p=469.

Finally, I want to say that these kinds of exploits can happen to any operating system. Microsoft is to be commended for its responsible disclosure of the problem so that organizations can undertake workarounds. Microsoft also warned about risk aggregation years ago when identified that the domain is not a security boundary when included in a forest. But many customers still persist in creating large forests, not protecting their control zone and may be including things in the forest that they shouldn't.

Saturday, April 3, 2010

Appalacian Identity Management at Myspace

What do you think about when you hear the word Appalachia? Beautiful mountains and trails? Poor, inbred communities? Its all there. And weirdly, it all relates to this blog entry. Sort of.

This post is actually about poor (shall we say, inbred?) identity management on Myspace.com. But it starts on the Appalachian trail.

My cousin's son Mason is taking the summer off to hike the Appalachian trail. As I write, he and his friend "Swamp Yankee" are somewhere in Tennessee. They are posting accounts of their travels whenever they reach a suitably high peak or civilized valley boasting cell phone signal. The trail is beautiful, but what they find most interesting about the hike is the community of people out there. (Isn't it great how everything always comes back to people, to identity?)

Mason's posts are on myspace.com/skhikers - another strange community. To send Mason a message, my wife (Ginny) had to join myspace too. But when she typed in her email address, myspace said somebody already had it! Her proprietary instincts aroused, Ginny clicked on "forgot password" and sure enough myspace sent the password. Ginny used it to login and found she had become "Amanda" - a Pennsylvania girl with a lot of rapper talk in her profile.


Amanda's gone now. Ginny took control of the account keyed on her email address. Fortunately, the account had hardly been used and there was only one friend named "Tom" (who seems to be everyone's friend.) Most likely Amanda forgot her password and could never get it back because she had (accidentally?) misappropriated Ginny's email address and could not successfully invoke "forgot password." But it could have been much worse. There could have been a lot of information there, and ethical vagueness about who owns the account and what should happen to it.

The real fault lies with Myspace's inbred identity management, and this could have turned out worse. Myspace has failed to fully protect the identity and privacy of their customers.
I know because I also created an account with Myspace. While I did get email from myspace, they do not verify that had access to the email address I claimed.

Myspace has already been ravaged by the Samy worm, and judging by the quality of its identity management, there are more problems ahead before that community gets out of the woods.

Friday, April 2, 2010

Haiti, Urns, and Non-Quantifiable Risks

I've been too busy to post lately because I went on a mission trip with our church to Haiti. They was a fantastic experience, so I started another blog about it at http://global-mission-trips.blogspot.com. Please check it out and let me know what you think!



There are definite lessons from the security perspective, though. It is no secret to professionals in the field that we tend to over-estimate the risks of what is unfamiliar and novel, and under-estimate other risks.

Concerning Haiti, much has been sensationalized in the press about gang kidnappings. However, our mission group drove all over and almost everyone was friendly and there were no gangs in sight. In fact, the UN and the police have been cracking down on the gangs, with some success. We definitely worried about the risk way too much.

At the same time, I kept emphasizing to our group that we should not get complacent. Everyone was starting to relax as we kept going places and nothing happened. For example, one day we got lost and were driving through unnamed alleys and streets, rocky dirt roads, the driver didn't speak English, was lost, we had no interpreter and though this wasn't a bad area, it wasn't far from one. I took our team leader to task, insisting that we must always take "reasonable and prudent measures."


I told the group Bob Blakley's story about the Fallacy of Induction, that he wrote about in his Burton Group report "Managing Non-Quantifiable Risks." Imagine that you have an urn and are told it is full of red marbles and blue marbles. You can draw one marble at a time out of the urn; blue marbles are good but red marbles are very, very bad. And you can't see into the urn, so you don't know if it is full of one color marble, or mixed and what the proportions are and if they random or how they are distributed.

So, you could draw a long string of blue marbles and go on without a care in the world, let your guard down, and then draw a red marble. Oops! So let's not let familiarity make us complacent.
There could even be an evil child sitting above the urn, watching someone draw blue marbles, and waiting for the perfect time to drop a red marble on you. Kidnap risk, insider IT risk, and even some external hacker risks could be like that enigmatic urn.

Well, I didn't talk about security the whole time on the mission trip. We did a lot of good work, putting solar panels and water pumps into a combined church, clinic and school. And it was great trip. I'm still writing all about it at global-mission-trips.blogspot.com.

Peace,
Dan