Sunday, November 19, 2017

Tag: Point-to-Point Tunneling Protocol

At a time when the size of distributed denial-of-service attacks has reached unprecedented levels, researchers have found a new attack technique in the wild that allows a single laptop to take down high-bandwidth enterprise firewalls. The attack, dubbed BlackNurse, involves sending Internet Control Message Protocol (ICMP) packets of a particular type and code.
ICMP is commonly used for the ping network diagnostic utility, and attacks that try to overload a system with ping messages—known as ping floods—use ICMP Type 8 Code 0 packets. BlackNurse uses ICMP Type 3 (Destination Unreachable) Code 3 (Port Unreachable) packets instead and some firewalls consume a lot of CPU resources when processing them. According to experts from the Security Operations Center of the Danish telecom operator TDC, it would take from 40,000 to 50,000 ICMP Type 3 Code 3 packets a second to overload a firewall.

This is not a large number of packets and the bandwidth required to generate them is 15Mbps to 18Mbps, which means that BlackNurse attacks can be launched from a single laptop. “The impact we see on different firewalls is typically high CPU loads,” the TDC Security Operations Center (SOC) said in a technical report. “When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the internet. All firewalls we have seen recover when the attack stops.” TDC SOC tested the attack successfully against Cisco Adaptive Security Appliance (ASA) firewalls in default configurations.

Cisco’s own documentation recommends that users allow ICMP Type 3 messages. “Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic,” the company warns in its user guidelines. Some firewalls from Palo Alto Networks, SonicWall and Zyxel Communications are also affected, but only if they’re misconfigured or if certain protections are not turned on. “Palo Alto Networks Next-Generation Firewalls drop ICMP requests by default, so unless you have explicitly allowed ICMP in a security policy, your organization is not affected and no action is required,” Palo Alto said in a blog post in response to TDC SOC’s report. Customers who need to allow ICMP requests can follow best practices for DoS protection to mitigate this attack, the company said. This involves enabling ICMP Flood and ICMPv6 Flood in their firewall’s DoS protection profile.

Denial of service attacks are typically about generating more traffic than the target’s internet bandwidth can take. BlackNurse is unusual in this respect, because it cannot be stopped by provisioning additional bandwidth. “On firewalls and other kinds of equipment a list of trusted sources for which ICMP is allowed could be configured,” the TDC SOC experts advise. “Disabling ICMP Type 3 Code 3 on the WAN interface can mitigate the attack quite easily. This is the best mitigation we know of so far.” That said, there are many devices out there that are configured to accept ICMP traffic from the internet. The TDC SOC has identified 1.7 million of them in Denmark alone.
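As an added illustration (not code from the article or from TDC SOC), the following Python parses raw IPv4/ICMP packets, counts Type 3 Code 3 arrivals per second and flags any second that reaches the 40,000 packets-per-second figure quoted above. The packet builder and the documentation-range addresses are constructed sample input for the parser, not captured traffic.

```python
import struct
from collections import Counter

# Threshold from the TDC SOC report: 40,000-50,000 ICMP Type 3 Code 3 packets
# per second overloaded the tested firewalls. Alert at the low end.
BLACKNURSE_PPS = 40_000

def parse_ipv4_icmp(frame: bytes):
    """Return (src_ip, icmp_type, icmp_code) for a raw IPv4 packet, or None
    if it is not ICMP or is too short to carry an ICMP header."""
    if len(frame) < 20:
        return None
    ihl = (frame[0] & 0x0F) * 4                # IPv4 header length in bytes
    if frame[9] != 1 or len(frame) < ihl + 4:  # protocol 1 = ICMP
        return None
    src = ".".join(str(b) for b in frame[12:16])
    return src, frame[ihl], frame[ihl + 1]

def blacknurse_alerts(packets, threshold=BLACKNURSE_PPS):
    """packets: iterable of (timestamp_seconds, raw_ipv4_bytes). Returns
    {second: count} for each second in which the Type 3 Code 3 rate reached
    the threshold. Echo requests (Type 8) are a different flood and are not
    counted here."""
    per_second = Counter()
    for ts, frame in packets:
        parsed = parse_ipv4_icmp(frame)
        if parsed and parsed[1:] == (3, 3):
            per_second[int(ts)] += 1
    return {sec: n for sec, n in per_second.items() if n >= threshold}

def make_icmp(src: str, icmp_type: int, icmp_code: int) -> bytes:
    """Build a minimal in-memory IPv4+ICMP packet as parser test input
    (constructed sample data; nothing is sent anywhere)."""
    src_bytes = bytes(int(o) for o in src.split("."))
    dst_bytes = bytes([192, 0, 2, 1])          # TEST-NET-1 documentation address
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                         src_bytes, dst_bytes)
    return ip_hdr + struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)

def sample_capture():
    """Constructed capture: 45,000 port-unreachables in second 0 (an attack),
    then a normal trickle plus some pings in second 1."""
    attack = [(0.0, make_icmp("198.51.100.7", 3, 3))] * 45_000
    quiet = [(1.0, make_icmp("198.51.100.7", 3, 3))] * 20
    pings = [(1.0, make_icmp("198.51.100.8", 8, 0))] * 100
    return attack + quiet + pings

if __name__ == "__main__":
    print(blacknurse_alerts(sample_capture()))   # {0: 45000}
```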
A vulnerability in the implementation of Point-to-Point Tunneling Protocol (PPTP) server functionality in Cisco IOS Software could allow an unauthenticated, remote attacker to access data from a packet buffer that was previously used. The vulnerability ...
Microsoft software still leaks usernames and password information to strangers' servers – thanks to an old design flaw in Windows that was never properly addressed. These details can be used to potentially unmask VPN users and commandeer Windows accounts. They can be obtained simply by tricking victims into visiting malicious websites or opening dodgy emails.
It still works even on the latest builds of Windows 10 – Microsoft is unlikely to fix this any time soon. The infosec world has known about this shortcoming for years; if it's news to you, read on. Whenever Redmond's software encounters a link to an SMB network share, it attempts to log into it using the user's credentials.
Imagine accidentally clicking on an smb://cool.domain.bro/receipe.pdf link in an Outlook message, or using Internet Explorer or Edge to visit a webpage with a hidden image that has an smb:// URL: Microsoft's software will follow the address, reach the SMB file server, and try to log into it using your credentials to fetch whatever file is needed. In doing so, it automatically hands over your computer's login name and an NTLM hashed password, which can be cracked in seconds if you have a weak passphrase.

This could be bad news if the file server is malicious and simply wants your details to compromise your gear. You can check out the kinds of information leaked by your computer – including any login details – by visiting this test site with Internet Explorer or Edge (obviously, use at your own risk). This design flaw was highlighted in March 1997 and again at Black Hat last year [PDF].
It wasn't considered a big deal for most people because it wasn't possible to log into their PCs over the internet even if you knew their local username and had cracked their password hash.
It was mostly a problem for IT departments: you could, from their connecting IP address, deduce where a victim worked, and if they had a weak password, crack it and try using it to log into other corporate services – such as their email or VPN. People love reusing passwords. Then Windows 8 encouraged people to use their Microsoft cloud accounts to sign into their PCs, and Windows 10 made it the default.

That means when Outlook, IE and Edge fetch an smb:// URL, they hand over your Microsoft account username and hashed password.

That username is usually your email address, so if you're hiding behind a VPN or some other anonymizing service, you'll give away your registered contact info. If you're able to crack someone's Microsoft account login, you can potentially drill into their OneDrive cloud storage, Office account, Xbox Live account, Bing search history, any associated Windows Mobile device, Outlook inbox, and Skype account. It gets worse: if you use Windows' built-in VPN software – such as IPsec or PPTP – with MSCHAPv2 authentication, your PC will send not your local login details but your VPN service username and hashed password to potentially malicious SMB servers. "The old security issue which was considered harmful only for business now can be easily used on home users," said security researcher Valdik, who goes into lots more detail about the design blunder here. He blogged about it in Russian, too.
Valdik, who published his research on Monday, said he successfully exploited the flaw on three Windows 10 machines. Here's a video of him receiving hashes after using Internet Explorer and Yandex webmail to open a message that contains a file:// URL to an SMB share on the internet. IE fetches the file, handing over his login information in the process.

VPN provider Perfect Privacy has blocked SMB port 445 on its network and updated its software to stop the handover of VPN credentials.
It also warns against using Microsoft's software over the 'net and to not use a Microsoft cloud account to log into your machine. You should also, as always, use strong passwords that cannot be easily cracked. The biz explained:

"This was not considered a big problem when the attack only leaked local Windows login information (as in most cases you cannot connect remotely with those credentials). But since Windows 8, Microsoft allows you to log in to your computer with your Microsoft Live account and since Windows 10 this is the default. As a result, this compromises every single service you signed up with your Microsoft account, including email, Skype and Xbox Live. While this is not a VPN related issue, it also affects VPN connections: when using an IPSec VPN connection, a successful attack will not reveal your Windows credentials but the username and password of your VPN connection. While this does not affect the security of the encryption of the VPN tunnel, it may compromise the anonymity of the VPN user. Also VPN login credentials of company VPNs (e.g. for external service agents) may fall into the hands of an attacker. Even if VPN were not affected, we still feel it is our responsibility to protect our users from such blatantly open security holes."

Microsoft had no comment at time of publication.

This design cockup affects Redmond's software.

Chrome and Firefox do not normally cough up your credentials, although if you cut'n'paste a malicious file:// URL into Chrome's address bar, it can be fooled into fetching from an SMB share.

Essentially, any application that calls URLDownloadToFile() to an SMB server, friendly or not, will hand over your information.
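As an added example (not code from the article, from Valdik or from Perfect Privacy), this Python scans an HTML message body for the smb://, file:// and UNC references that would make a Windows client attempt an SMB logon, and flags any that point outside an assumed internal domain suffix. The .corp.example allow-list and the sample message body are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Reference forms the article describes as triggering an automatic SMB logon:
# smb://host/..., file://host/... and UNC paths \\host\share. Hosts under the
# internal suffix are allowed; anything else is flagged. (Constructed
# allow-list, not a real network.)
TRUSTED_SUFFIXES = (".corp.example",)
UNC_RE = re.compile(r"\\\\([A-Za-z0-9.\-]+)\\")

def smb_host(ref: str):
    """Return the host an SMB-capable reference would contact, or None."""
    ref = ref.strip()
    m = UNC_RE.match(ref)
    if m:
        return m.group(1).lower()
    parts = urlsplit(ref)
    if parts.scheme.lower() in ("smb", "file") and parts.hostname:
        return parts.hostname.lower()
    return None

class _RefCollector(HTMLParser):
    """Collect src/href/data attribute values, hidden 1x1 images included."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href", "data") and value:
                self.refs.append(value)

def find_smb_leaks(html: str):
    """Return [(reference, host)] for every reference that would make a
    Windows client attempt an SMB logon to a host outside the allow-list."""
    collector = _RefCollector()
    collector.feed(html)
    return [(ref, host) for ref in collector.refs
            if (host := smb_host(ref)) and not host.endswith(TRUSTED_SUFFIXES)]

if __name__ == "__main__":
    # Constructed sample body modelled on the hidden-image case described above.
    sample = ('<p>Your receipt is attached.</p>'
              '<img src="smb://files.example.net/receipt.pdf" width="1" height="1">'
              '<a href="file://fileserver.corp.example/share/doc.docx">internal</a>'
              '<img src="https://cdn.example.org/logo.png">')
    for ref, host in find_smb_leaks(sample):
        print(f"would attempt SMB logon to {host}: {ref}")
```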
You're Putin me in a tough spot, here

Security intelligence firm ThreatConnect thinks it has found a smoking gun that links the leaked US Democratic Party emails to Russian hackers. The biz has analyzed the communications methods used by Guccifer 2.0, which is thought to be a team of miscreants who obtained the somewhat embarrassing internal emails and gave them to WikiLeaks. The documents were published this week by the Julian Assange-run website. ThreatConnect has revealed its findings in full, allowing you to decide for yourself whether this is decent proof or another Sony "the North Koreans did it" Pictures moment.

The French connection

We're told Team Guccifer used AOL France's webmail to exchange messages with journalists; these messages, sent from guccifer20@aol.fr, were stamped with a French IP address – – by AOL's infrastructure, meaning the sender was using that network address at the time.

The metadata on Guccifer's Twitter account – specifically, its language settings and followers – suggest it was also operated from a French address.

Guccifer also used a mail.com address to converse with one reporter, again from that French IP address. That address belongs to French server hosting biz DigiCube, meaning a box provided by this outfit was assigned that IP address and used by Guccifer to access the AOL France account.
Scanning that DigiCube-hosted box revealed open SSH and Point-to-Point Tunneling Protocol services. Let's go further down the rabbit hole: the box's SSH server fingerprint – 80:19:eb:c8:80:a1:c6:ea:ea:37:ba:c0:26:c6:7f:61 – is unique to its SSH public key. This fingerprint can therefore be used to find other machines on the internet that share the same public key.

Dusting for prints

A search on Shodan revealed computers behind six other DigiCube-owned IP addresses all sharing the same fingerprint.

DigiCube just provides the underlying systems; another organization will have rented its boxes and provided proxy services on top.

The shared fingerprint suggests each server is a clone. One of those IP addresses,, resolves to fr1.vpn-service.us.

The domain vpn-service.us was registered in 2004 using a Russian email address, sec.service@mail.ru. vpn-service.us is alive today as Elite VPN, a Russian-language proxy service that offers connectivity from France – using DigiCube-hosted machines. When you log into Elite VPN, and choose a French point of presence, you're offered a list of IP addresses in DigiCube's range to connect through.

These IP addresses belong to machines that share the same aforementioned fingerprint. So, it appears, Elite VPN rents DigiCube servers, hosts a proxy service on them, and Team Guccifer used that service to connect from somewhere else in the world to AOL France to send those messages.

The mystery IP address

Here's where it gets weird: the specific IP address used with the AOL France webmail account is not available to normal Elite VPN customers, but seems to be part of Elite VPN's network due to the presence of the shared key. "Based on this information, we can confirm that Guccifer 2.0 is using the Russia-based Elite VPN Service, and is able to leverage IP infrastructure that is not available to other users," said ThreatConnect's research team, noting that the IP address may not be exclusive to Guccifer. "We cannot identify whether the IP address is used exclusively by the individual(s) behind Guccifer 2.0, and consequently any activity associated with the IP address may not be indicative of Guccifer 2.0 activity," said ThreatConnect. "It is important to note that the IP address seen in the Guccifer 2.0 AOL communications – – is not listed as an option within Elite VPN Service, although it has an identical SSH fingerprint and has the exact same port (1723, PPTP) open as the listed options. This demonstrates the server was cloned from the same server image as all the Elite VPN servers but may be a private or dedicated version of the service."

ThreatConnect also notes that the IP address has been used in a few swindles, including a Russian mail-order bride scam in 2014 and attacks against WordPress blogs last year. The IP address also crops up in a Russian-language text message proxy service and a node list for crypto-currency EDR. From this, ThreatConnect deduces that Guccifer is closely linked to Russia.
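As an added example (not ThreatConnect's tooling), this Python computes the colon-separated MD5 fingerprint format shown above from an OpenSSH public key line and groups hosts by it, a local analogue of the Shodan fingerprint search used to tie the unlisted address to the Elite VPN servers. The host keys and the documentation-range addresses are constructed sample data, not real keys or the addresses from the report.

```python
import base64
import hashlib
from collections import defaultdict

def md5_fingerprint(pubkey_line: str) -> str:
    """Colon-separated MD5 fingerprint of an OpenSSH public key line
    ('ssh-ed25519 AAAA... comment'), the format Shodan and older ssh-keygen
    versions display."""
    blob = pubkey_line.split()[1]
    digest = hashlib.md5(base64.b64decode(blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def cluster_by_host_key(hosts):
    """hosts: iterable of (ip, pubkey_line). Returns {fingerprint: [ips]}
    with each list sorted; a cluster larger than one means the hosts share a
    host key, i.e. they were most likely built from the same server image."""
    clusters = defaultdict(list)
    for ip, key in hosts:
        clusters[md5_fingerprint(key)].append(ip)
    return {fp: sorted(ips) for fp, ips in clusters.items()}

def shared_key_hosts(hosts):
    """Only the clusters that indicate cloned servers (two or more hosts)."""
    return {fp: ips for fp, ips in cluster_by_host_key(hosts).items()
            if len(ips) > 1}

# Constructed sample keys (arbitrary bytes in base64, not valid SSH keys) and
# documentation-range addresses: three hosts share one key, one does not. The
# third host sits outside the advertised range yet carries the same key,
# mirroring the unlisted address in the report.
KEY_A = "ssh-ed25519 " + base64.b64encode(b"constructed-host-key-A" * 2).decode()
KEY_B = "ssh-ed25519 " + base64.b64encode(b"constructed-host-key-B" * 2).decode()
SAMPLE_HOSTS = [
    ("203.0.113.10", KEY_A),
    ("203.0.113.11", KEY_A),
    ("198.51.100.5", KEY_A),
    ("203.0.113.99", KEY_B),
]

if __name__ == "__main__":
    for fp, ips in shared_key_hosts(SAMPLE_HOSTS).items():
        print(fp, "->", ", ".join(ips))
```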

That's pretty much where the trail runs out, in Russia. So that's where the finger of blame points. "Our research into Guccifer 2.0's infrastructure further solidifies our assessment that the persona is a Russia-controlled platform that can act as a censored hacktivist," the intelligence biz said. "Moscow determines what Guccifer 2.0 shares and thus can attempt to selectively impact media coverage, and potentially the election, in a way that ultimately benefits their national objectives."

Convenient

That certainly fits the conventional narrative that the Russians are behind the hack. But the clumsy steps taken by Guccifer stand in contrast to the results of two investigations into cyber-intrusions at the US Democratic Party: two groups with links to Russian intelligence carried out highly sophisticated penetrations for over a year, it was claimed. ThreatConnect suggests the information was stolen by the Russian government and then passed to a less-technical hacking group for dissemination to Western media.

It's an interesting take. It is certainly believable that Guccifer 2.0 is not the DNC hacker, but a pawn in a larger game to get borderline embarrassing memos out into the open. Establishing proof of a hacker's identity is notoriously difficult – indeed impossible in some cases. People can connect through systems all over the world and use tools and tricks to hide their origins and motivations. Using a Russian VPN service shouldn't necessarily mean an operation was carried out in or for Russia. There are worrying similarities between this case and the supposed hacking of Sony by the North Koreans. Many in the security industry feel that there's little proof that Best Korea staged that hack, other than the US government saying so and, as we've seen in the case of missing weapons of mass destruction in Iraq, those sorts of claims are not bulletproof evidence. Meanwhile, Guccifer 2.0 claims he is a lone hacker with no Russian government ties; ThreatConnect thinks that's a classic denial and deception tactic to throw people off the scent. As for the Russian government, they are denying any involvement – although, in the words of Mandy Rice-Davies, they would, wouldn't they. Russian foreign minister Sergey Lavrov gave a simple reply when asked about the matter by the press. "I don't want to use four-letter words," he said.