traffic analysis
Interestingly enough, OpenBSD uses a flavor of this PRNG for
another field, this time the IP fragmentation ID, part of the
OpenBSD kernel network stack. The analysis carries out quite
similarly to show that OpenBSD's IP ID is predictable as well,
which gives way to O/S fingerprinting, idle-scanning, host alias
detection, traffic analysis, and in some cases, even to TCP blind
data injection.
But it gets more interesting. Several other BSD operating systems
copied the OpenBSD code for their own IP ID PRNG, so they're
vulnerable too. This is particularly so with Apple's Mac OS X,
‣ Improving Code with Destructive Data (Heikki Kortti and Jukka Taimisto)
‣ Security Audit and Hardening of Java based Software (Marc Schoenefeld)
‣ The Exploit Laboratory (Saumil Udayan Shah)
‣ Design and Implementation of Security Awareness Campaigns (Stefan Schumacher)
‣ Advanced Malware Deobfuscation (Scott Lambert)
‣ Protocol and Traffic Analysis for Snort Signature (Matt Jonkman)
‣ Secure Application Coding for Enterprise Software (Vimal Patel)
List of speakers with presentations:
‣ Achim Reckeweg ; Sun Microsystems ; Germany
The DeepSec IDSC is sponsored by CERT.at, Cisco, Microsoft, Sec Consult, Global
Knowledge Austria/Germany and IronPort.
o Rootkit Development
o Code Analysis
o Forensics and Anti-Forensics
o Embedded Device Security
o Web Application Security
o Network Traffic Analysis
o Wireless Network Security
o Cryptography and Cryptanalysis
o Social Engineering
o Law Enforcement Activities
o Telecommunications Security (SS7, 3G/4G, GSM, VOIP, etc)
--- Intrusion detection/forensics analysis
- File system analysis & recovery
- Real-time data structure recovery
- Reverse engineering (malicious code analysis technique, vulnerability research)
- Intrusion detection and anti-detection technique
- Traffic analysis
--- Wireless & VoIP security
- 802.11x, CDPD, Bluetooth, WAP/TDMA, GSM, SMS
- PDA & mobile protocol analysis
- Palm, Pocket Pc
consequence of predictable TCP source ports, namely blind TCP attacks
(in all fairness, it appears that the object of your proposal is to
solve the blind TCP attacks, rather than the issue of predictable TCP
source ports; I look at it the other way around...). Naturally this is a
major outcome, but there are still other consequences, perhaps less
severe, such as traffic analysis. For example, the naïve (and as
explained in your draft, flawed) algorithm in Fig. 1 of your IETF draft
advances next_ephemeral globally. Therefore, if the attacker can force
the target host to periodically establish a new TCP connection to an
attacker controlled machine (or through an attacker observable routing
path), the attacker can subtract consecutive source port values to
> > OpenBSD kernel network stack. The analysis carries out quite
> > similarly to show that OpenBSD's IP ID is predictable as well,
> > which gives way to O/S fingerprinting, idle-scanning, host alias
> > detection, traffic analysis, and in some cases, even to TCP blind
> > data injection.
>
> Can you expound upon the blind TCP injection allowed by IP ID
> prediction?
>
--- Intrusion detection/forensics analysis
- File system analysis & recovery
- Real-time data structure recovery
- Reverse engineering (malicious code analysis technique, vulnerability research)
- Intrusion detection and anti-detection technique
- Traffic analysis
--- Wireless & VoIP security
- 802.11x, CDPD, Bluetooth, WAP/TD-SCDMA, GSM, SMS
- PDA & mobile protocol analysis
- Wireless gateway
IETF has ongoing work on those issues. But I think the issues you
raise are well within the scope of our draft.
> Naturally this is a major outcome,
> but there are still other consequences, perhaps less severe, such as traffic analysis. For
> example, the naïve (and as explained in your draft, flawed) algorithm in Fig. 1 of your IETF
> draft advances next_ephemeral globally. Therefore, if the attacker can force the target host
> to periodically establish a new TCP connection to an attacker controlled machine (or
> through an attacker observable routing path), the attacker can subtract consecutive source
> port values to obtain the number of outgoing TCP connections established globally by the
> kept private or otherwise secret.
It's probably a good idea to deploy encryption *now*, and use it for
*everything*, and be ready for when (not if) they decide to be more draconian
in their logging requirements. And yes, encrypt *everything* - that way you
make it a lot harder to do traffic analysis. If only the "interesting" 10% is
encrypted, they know which 10% are interesting connections, which may be as
important as the actual content.
I am pleased to announce the Open Source release of "Distack"
*** http://www.tm.uka.de/distack ***
Distack is a framework for local and distributed attack detection and
traffic analysis. It can run on live interfaces or traces files, as well
as in simulation environments. Therefore it provides easy ways to
develop attack detection mechanisms and evaluate them on a large-scale
in simulated networks.
Distack has been developed at the Institute of Telematics, University of
- Application reverse engineering and related automated tools
- Database security & attacks
- Advanced Trojans, worms and backdoor technique
--- Intrusion detection/forensics analysis
- Traffic analysis
- Real-time data structure recovery
- File system analysis & recovery
- Intrusion detection and anti-detection technique
- Reverse engineering (malicious code analysis technique, vulnerability research)