News

Wednesday, June 11, 2008

ARP Attacks and Hosted Services

Security UPDATE
A Penton Media Property
June 11, 2008




IN FOCUS

--ARP Attacks and Hosted Services
by Mark Joseph Edwards, News Editor
Maybe you heard about the Web attack levied against Metasploit.com last
week. The attack made a few waves in news circles, particularly since HD
Moore--creator of Metasploit--is well known for his security expertise.
In short, the attack allowed someone to create the impression that the
Metasploit Web site itself was hacked when in reality no such thing ever
occurred.

What did happen was that the site was indirectly attacked using Address
Resolution Protocol (ARP) poisoning. For those of you who aren't
familiar with such a tactic, ARP poisoning is the process of spoofing
the direct relationship between MAC addresses and IP addresses. So in
short, if you can convince a network device to update its ARP tables
using data that you provide, then you can control where network packets
go on a network--which is how the attacker made it appear that
Metasploit.com was hacked. People who tried to visit the Metasploit Web
site had their traffic transparently redirected to another site that
hosted a Web page with a simple message that said the site was hacked
"just for fun."

ARP traffic is broadcast on local subnets and typically does not
traverse segments or routers unless ARP traffic is being proxied, in
which case it should traverse only select interfaces. What this means in
the case of Metasploit.com is that whoever launched the attack most
likely had some sort of access to the local network where Metasploit.com
is hosted.

When a site comes under an ARP poisoning attack, sometimes it's not
immediately obvious. Because such attacks can redirect traffic, it's not
very difficult for an attacker to launch man-in-the-middle attacks. An
attacker can simply poison the ARP cache, thereby redirecting traffic to
their own system, gain access to all traffic passing through their
system, and pass that traffic on to its intended destination. That
attack would be somewhat difficult to detect, and during the attack all
your data would be readily available to the attacker.

In the case of what might appear to be a Web site defacement, an
administrator's first impressions might lead him or her to think that
someone compromised a server. In the case of a Web site, that line of
thinking can lead to a lot of rapid investigation. For example, any
number of areas might need to be checked to determine if the site was
somehow breached. Web files would be checked for alteration and the Web
server platform configuration would also be checked. If no traces were
found then one might think that there was unwanted data injected into
databases, and then time would be spent digging around to see if
anything turned up in any number of databases and tables.

If all that investigation failed to turn up any clues, then it should
cross the administrator's mind that maybe someone launched an ARP
poisoning attack. If such an attack happens on your own network, then of
course you have a decent level of control to investigate further. But
what if your services are hosted? In that case you're at the mercy of
the hosting company, which can sometimes be a really bad situation,
particularly if the company doesn't consider it a top priority to
protect innocent site users, as well as the reputations of both the
company and its customers.

If you're using hosted services for anything, including Web mail, Web
sites, databases, file storage, collaboration, etc., then you'd be well
advised to check into the potential security at your hosting providers
as well as their potential response to ARP attacks. Better routers and
switches have built-in security features that can usually mitigate ARP
poisoning. Unfortunately, some hosting companies can't--or
don't--expense such equipment or don't realize such features are useful
until a problem develops. Another problem is hosting companies' policy
and practices: If their equipment proves vulnerable to ARP poisoning,
will they employ static ARP entries to stop the attacks, even if only
temporarily? You might be surprised to learn that some hosting providers
won't do that for you unless you make some really big waves about it.
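
One way to watch for the poisoning described above is to compare observed ARP
frames against pinned bindings of the kind a static ARP entry provides. This is
an added example, not part of the original newsletter; the addresses, the PINNED
table, and the ArpMonitor and make_frame names are constructed for illustration.

```python
import struct

# Constructed known-good bindings, the same data a static ARP entry would pin.
PINNED = {"192.0.2.1": "00:00:5e:00:53:01"}  # gateway (documentation ranges)

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return _mac(frame[6:12]), _mac(frame[22:28]), ".".join(map(str, frame[28:32]))

class ArpMonitor:
    def __init__(self, pinned):
        self.pinned = dict(pinned)
        self.learned = {}  # ip -> MAC last seen in traffic

    def check(self, frame):
        """Return a list of (reason, ip, mac) alerts for one captured frame."""
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        eth_src, smac, sip = parsed
        alerts = []
        if eth_src != smac:  # header and ARP payload disagree about the sender
            alerts.append(("src-mismatch", sip, smac))
        if sip in self.pinned:
            if self.pinned[sip] != smac:  # someone else claims a pinned address
                alerts.append(("pinned-violation", sip, smac))
        elif self.learned.get(sip, smac) != smac:  # unpinned binding flipped
            alerts.append(("binding-changed", sip, smac))
        self.learned[sip] = smac
        return alerts

def make_frame(eth_src, sender_mac, sender_ip):
    """Build a constructed ARP reply for testing; nothing is sent on a network."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    spa = bytes(int(o) for o in sender_ip.split("."))
    return (b"\xff" * 6 + raw(eth_src) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
            + raw(sender_mac) + spa + b"\x00" * 6 + spa)
```

A binding change on an unpinned address can also be a legitimate hardware swap
or failover, so those alerts need triage against change records.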

It's probably a good idea to investigate your hosted services providers,
and it's also probably a good idea to figure out whether your in-house
network gear can mitigate ARP attacks. Also, you might want to get a
copy of the Cain & Abel tool (at the URL below) and give its ARP
poisoning features a whirl on your network to see how your gear
responds--but be aware that doing so could break your network
connectivity if you fail to understand your network topology and the
hardware you have in use.

http://ct.email.windowsitpro.com/rd/cts?d=33-9035-803-202-62923-914874-0-0-0-1-2-207 (http://ct.email.windowsitpro.com/rd/cts?d=33-9035-803-202-62923-914875-0-0-0-1-2-207)



SECURITY NEWS AND FEATURES

--Researchers Discover New Way to Contain Worms
By analyzing worm behavior, researchers discovered that it's possible to
use certain worm characteristics to contain their spread.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-9035-803-202-62923-914877-0-0-0-1-2-207

--Steganography Moves Into VoIP
A team of researchers at Warsaw University of Technology released white
papers that explain ways to use steganography over VoIP and SIP
protocols and how to build covert routes for steganographic
communication to travel.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-9035-803-202-62923-914878-0-0-0-1-2-207

--Beware the Trojan
If you've been on the Internet very long, you've probably come into
direct or at least indirect contact with some kind of virus or Trojan.
Several years ago here at Windows IT Pro, we had an editorial assistant
who unknowingly opened an email attachment that was in fact a worm. We
soon had numerous files missing from the network, and our IT folks were
scrambling to minimize the damage.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-9035-803-202-62923-914879-0-0-0-1-2-207

--Spammers Turning to Free Web Services
According to data published by MessageLabs, spammers have turned away
from file attachments and more toward spam embedded into hosted Web
services, including Google Docs and Calendar as well as Microsoft
SkyDrive.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-9035-803-202-62923-914880-0-0-0-1-2-207

--Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts,
which inform you about recently discovered security vulnerabilities. You
can also find information about these discoveries at

http://ct.email.windowsitpro.com/rd/cts?d=33-9035-803-202-62923-914881-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-9035-803-202-62923-914882-0-0-0-1-2-207)


GIVE AND TAKE

--SECURITY MATTERS BLOG: Guide to General Server Security
by Mark Joseph Edwards
The National Institute of Standards and Technology published a draft
guide intended to help people install, configure, and maintain secure
servers. Learn more and get a link to download a copy in this blog
article on our Web site.
http://ct.email.windowsitpro.com/rd/cts?d=33-9035-803-202-62923-914883-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-9035-803-202-62923-914884-0-0-0-1-2-207)

--FAQ: Windows Server 2008 Cluster Quorum Concepts
by John Savill
Q: What is a Windows Server 2008 failover-cluster quorum?

Find the answer at

http://ct.email.windowsitpro.com/rd/cts?d=33-9035-803-202-62923-914885-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-9035-803-202-62923-914886-0-0-0-1-2-207)

--SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and solutions.
Email your contributions to r2r@windowsitpro.com
(mailto:r2r@windowsitpro.com). If we print your submission, you'll get
$100. We edit submissions for style, grammar, and length.


RESOURCES AND EVENTS

Unauthorized Applications: Taking Back Control

Take back control of unauthorized applications in your organization.
Learn why it's important to control unauthorized applications and read
about the various approaches you can use. This white paper explains how
to integrate blocking of unauthorized applications into your existing
anti-malware detection and management infrastructure.
http://ct.email.windowsitpro.com/rd/cts?d=33-9035-803-202-62923-914887-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-9035-803-202-62923-914888-0-0-0-1-2-207)

Creating Data Storage Systems that Meet Regulatory Guidelines

Ensure that your data storage systems meet regulatory guidelines.
Regulatory compliance is often a major bugaboo for the storage
administrator. For small businesses without IT staff focused
specifically on compliance, managing storage for compliance can be
extremely complex. In this podcast, David Chernicoff helps IT pros
easily and efficiently meet regulatory guidelines with an inexpensive
solution that isn't resource-intensive.
http://ct.email.windowsitpro.com/rd/cts?d=33-9035-803-202-62923-914889-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-9035-803-202-62923-914890-0-0-0-1-2-207)

Implementing VoIP for your Enterprise

VoIP technology can make your business more efficient, so you can't
afford to ignore it. A number of technologies simplify VoIP
implementation, and application capabilities in a unified communications
solution can make having VoIP a technological competitive advantage.
View this Web seminar to learn how to implement VoIP technologies and
leverage them in your Windows Server environment.
http://ct.email.windowsitpro.com/rd/cts?d=33-9035-803-202-62923-914891-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-9035-803-202-62923-914892-0-0-0-1-2-207)


FEATURED WHITE PAPER

Insider Threats--Who Can You Trust?

Organizations often think that once they hire an employee or a
contractor, they can trust that person implicitly. Mass-media hysterics
about external security threats have caused many of us to temporarily
forget the most important rule of thumb about security: 80% of the
threat to any organization comes from inside. Read this paper to
identify the key business processes in your organization that must be
secured.
http://ct.email.windowsitpro.com/rd/cts?d=33-9035-803-202-62923-914893-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-9035-803-202-62923-914894-0-0-0-1-2-207)




CONTACT US
Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).

http://ct.email.windowsitpro.com/rd/cts?d=33-9035-803-202-62923-914900-0-0-0-1-2-207

http://ct.email.windowsitpro.com/rd/cts?d=33-9035-803-202-62923-914901-0-0-0-1-2-207


Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2008, Penton Media, Inc. All rights reserved.
