Google and China, Internet Explorer and Aurora

Archive for January, 2010

Google and China, Internet Explorer and Aurora

Posted by

Google’s announcement that it is pulling out of China over continued hacker attacks has highlighted problems in Internet Explorer. Wired has an article in which Dmitri Alperovitch says of the Google attacks: “We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack.”

McAfee’s CTO blog breaks it down further and gives the name Operation Aurora to the attack. Technical details on “Operation Aurora” exploit and payload are on McAfee Labs Blog. McAfee will be hosting a webinar on Thursday to discuss the exploit and attack. Meantime, for those of us who like to play with Aurora, HD Moore recreated the exploit for Metasploit.

One concern that I have is script kiddies downloading and running the exploit across anything they can get their hands on, particularly in light of the press.

I wager many of you (like me) have to use Internet Explorer for business purposes. So please note that the current “Aurora” public exploits do not work if you are running IE8 with DEP enabled. If you are running older versions of IE, you might consider upgrading while Microsoft prepares the patch.

There is rumor that the exploit could be modified to bypass DEP. Such a modified exploit is currently not publically available. It will take some time before a modified exploit to be developed, which should give Microsoft time to patch.

Microsoft embraces and extends IPSec NULL

Posted by

IPsec provides authentication, integrity, and confidentiality. In IPv4, IPsec generates an AH (Authentication Header) that provides packet header integrity using a cryptographic hash. ESP (Encapsulating Security Payload) provides integrity using a hash and confidentiality using encryption. Both AH and ESP provide authentication thru key exchange (IKE).

The hashing is typically done with MD5 or SHA and the encrypting is done with 3DES or AES. As known attacks exist for MD5 and 3DES that renders them only slightly better than nothing. SHA-1 and SHA-2 are in a similar state. NIST is currently working on SHA-3. For now, the best is SHA-2 with a long key length and AES.

Interestingly, ESP can also be encrypted using NULL. (See RFC 2410: The NULL Encryption Algorithm and Its Use With IPsec). “NULL does nothing to alter plaintext data.  In fact, NULL, by itself, does nothing.  NULL provides the means for ESP to provide authentication and integrity without confidentiality.” Put differently, ESP performs the key exchange and hashing only.

Microsoft’s version of IPsec NULL does not quite conform to the RFC. Rather than using a hashing algorithm in conjunction with a NULL encryption, Windows 7 and Windows 2008 skips it altogether. According to Microsoft’s IPsec setup guide, the NULL encapsulation “option specifies that no integrity protection is provided to each network packet in the connection. No AH or ESP header is used to encapsulate the data.” Embraced? Yes. Extended? Not so much.

Happy New Year and how I spent Y2K

Posted by

Happy New Year! Thank you for bringing in the new decade with me.

Ten years ago, we thought, just maybe, this Y2K thing would cause widespread computer system breakdowns.

I was with an IT consulting firm and was working on New Year’s Eve. (What!? It was a Friday. Cut me some slack.) I had my young son with me at the office. We had hooked up analog call forwarding to send incoming calls to the vice president’s house, and we had armed him with a stack of paper work-orders and an analog fax machine. The idea being, should pandemonium ensue, people would call firms such as ours. The VP would get a signed agreement and send in the techs. I was on-call for second level support.

Before I left, I shut down the network and PBX and disconnected power. You never can be too safe, right? After all, who knew how bad it would get. (Actually, we were doing much of this in a tongue-in-cheek fashion.)

My son and I drove home early. We picked up my wife, then very pregnant, and went to see a movie. It might have been Pokemon. It might have been Wild Wild West. None of us can quite remember and agree which movie it was now. Anyways, we were in the Krafft 8 movie theater standing in line when the first call came in.

I answered my trusty Nextel, fearing the worst. It was not even close to midnight but you never know. What had happened?

On the line was Thailand. My good friend had called to wish me a happy new year. Life was still going, he assured me, with no disruptions in Tokyo or Bangkok. We had a good laugh and chat.

My family enjoyed the movie. Then we dropped my son off at his grandmother’s. They had their party, and my wife and I had ours. The night passed quietly. Then the weekend passed quietly. Then my daughter was born and I forgot all about Y2K.

And before I knew it, it was 2010. Somewhere along the way, we hooked back up the firm’s computer and telephony equipment. Other bugs came and went. But Y2K, for me, was the dog that did not bark.