April 2008

Q: Cisco Site to Site VPN

New week a new question, in this case the question is a bit more generic and I believe raises a few dilemmas, feel free to take a shot at it:

Hi Experts,

Is it secure to just configure Cisco IPSEC/GRE site to site tunnel without firewall/IPS/IDS. The argument here is although it is internet facing, there is only a host to host routing between the routers and the default route goes to the tunnel. Am I right to say that it is technically secure since the router only route traffic between the designated routers?

Thanks in advance.

Regards,
J. O.

Q: Outlook attachments

Another one for you this week, we especially liked XenoMuta’s answer to our previous one.
Lets go:

Dear SecuriTeam,

i am not sure if you are able to help us to find a solution for a special problem but i’ve tried everything and spent a lot of time in the internet without any achievement.

we want to export the content of multiple exchange servers from our branch offices into personal folders (.pst files) and import these informations into our exchange mail system. the main problem why we are not yet able to do this is that we want to scan the content for viruses, worms (if possible with multiple virus scanners) and for unwanted content like videos, music, executables and so on and this in a way that a real content scan would be done instead of just checking against the file extension. also all attached archives (zip, rar etc.) should be opened (if possible) and scanned for its content. if an attachment is found which cannot be scanned because of password protection or encryption or whatever reason this attachment or the complete mail should be deleted or moved to a quarantine area.

Thank your very much for your support

Best regards
J. B.
Germany

Arrested for security research?

Anyone who has ever done serious security research reached the line that separates good from evil. If you are working with phishing emails you get links to kiddie porn. If you research security holes you deal with exploits. If you are researching botnets you are up to your neck in sensitive information that was obtained illegally.

I’m sometimes asked if we ever get ‘tempted’ to cross over. The answer is simple: we may think like criminals and sometimes emulate their work, but it never ever enters our mind to do something malicious. Finding an SQL injections that gives you full access to the database is fun; using this information to steal money or order items for free is light years away from what we do.

But not everyone understands that, and that’s scary. A member of the THC got pulled over at Heathrow airport by the UK government. The story has a happy ending, but it must have been scary, not to mention frustrating. My good friend Zvi Gutterman found weaknesses in the Windows and Linux PRNG. Breaking the PRNG has consequences – while top-secret crypto systems will not use the standard Windows or Linux random number generators, who knows if there is a simple Linux based basic communication device used in one of the governments? An applicable weakness in the PRNG may have a serious impact and they might decide that shutting up Zvi is easier than replacing all their units.

If you think the previous paragraph is a paranoid conspiracy theory, lets talk about kiddie porn links. These pop up whenever we deal with botnets, phishing and malware. The police is trying to demonstrate zero tolerance for kiddie porn, usually by arresting anyone who has visited such an illegal web site. How will you explain to your family, when they see you on the 8 o’clock news arrested for kiddie porn charges, that you are not a dangerous paedophile but you had no idea the link you clicked was to a kiddie porn site?

There will be more incidents like the THC one. We can all tell the difference between a proof of concept device to show how vulnerable GSM encryption is and an illegal wiretapping device. But the law officials can’t, and often don’t seem to care about the difference. Some of the time it’s not even law officials: Fyodor had his site shut down to prevent spreading his nmap ‘hacking tool’. Dmitry Sklyarov was arrested in Las Vegas for breaking the PDF encryption. In the Fyodor incident the decision was made by godaddy. In the Dmitry Skylarov case it was Adobe who got the court order.

I wouldn’t want to see security research being a licensed profession (like a private detective license or a license to carry a firearm) – I’ve seen brilliant teenagers who think out of the box and find vulnerabilities no one else can, but are not old enough to drive a car. So what else can we do to make sure we hold a ‘get out of jail’ card?

Q: THC PPTP Bruter

Once again – another security question from our readers to the security experts who read this blog:

I ran across your site looking for information regarding the security of PPTP. I then found the PPTP bruter program from THC. I am a small business owner. I am a VAR (value added reseller) of POS (point of sale) equipment. My POS equipment is usually windows PC’s running POS software. I install a SOHO router that is also a PPTP endpoint so I can VPN in and remotely administrator my clients systems.

I’m trying to find out how easy it would be for someone to hack my PPTP endpoint. Can you help me figure out how to test my router?

Thanks,

K. L.