5 posts tagged 'a'

  1. 2009.03.10 Staring Into The Abyss, A Bit Before Cansec by CEOinIRVINE
  2. 2008.12.18 Why Apple Won't Wow At Macworld by CEOinIRVINE
  3. 2008.12.06 Surviving The Switch To Digital TV by CEOinIRVINE
  4. 2008.12.02 Standard & Poor's assigns eBay an 'A-' debt rating by CEOinIRVINE
  5. 2008.11.13 Wall Street heads to lower open on economy worries by CEOinIRVINE

Staring Into The Abyss, A Bit Before Cansec

I’m just going to come out and say it:  I miss packet craft.  Sure, we can always pull out Scapy, and slap amusing packets together, but everything interesting is always at the other layers.

Or is it?

For CanSecWest this year, I thought it’d be interesting to take a look at the realm of Deep Packet Inspectors. It turns out we were doing a lot of this around 2000 through 2002, and then…well, sort of stopped.  So, in this year’s CanSecWest paper, “Staring Into The Abyss:  Revisiting Browser v. Middleware Attacks In The Era Of Deep Packet Inspection” (DOC, PDF), I’m taking another crack at the realm — and I’m seeing really interesting capabilities to fingerprint, bypass, and otherwise manipulate systems that watch from the middle of networks, using protocol emulation abilities that have been part of browsers and their plugin ecosystem from the very beginning.

Ah, but here’s where I need some help.  I’ve worked pretty closely with Robert Auger from Paypal, who just published his own paper, “Socket Capable Browser Plugins Result In Transparent Proxy Abuse”.  We independently discovered the HTTP component of this attack pattern, and as I describe in my paper, we’ve kind of forgotten just how much can be done against Active FTP Application Layer Gateways.

So, if I may ask, take a look, check out my paper, and if you have some thoughts, corrections, or interesting techniques, let me know so I can integrate them into my CanSecWest presentation.  Here’s the full summary, to whet your appetite:

DPI — Deep Packet Inspection — technology is driving large amounts of intelligence into the infrastructure, parsing more and more context from data flows going past. Though this work may be necessary to support important business and even security requirements, we know from the history of security that to parse data is to potentially be vulnerable to that data – especially when the parser is designed to extract context as quickly as possible. Indeed, companies such as BreakingPoint and Codenomicon have made their names building test tools to expose potential faults with DPI engines. But could anyone actually trigger these vulnerabilities? In this paper, we restart an old line of research from several years ago: The use of in-browser technologies to “tweak” Deep Packet Inspection systems.

Essentially, by controlling both endpoints surrounding a DPI system, possibly using the TCP (and sometimes UDP) socket code that plugins add to browsers, what behavior can we extract? We find three lines of attack worth noting.

First, firewalls and NATs — the most widely deployed packet inspectors on the Internet today — can still be made to open firewall holes to the Internet by having the browser trigger the Application Layer Gateway (ALG) for protocols like Active FTP. We extend older work by integrating mechanisms for acquiring the correct internal IP address of a client, necessary for triggering many inspection engines, we survey other protocols such as SIP and H.323 that have their own inspection engines, and we explore better strategies for triggering these vulnerabilities without socket engines from browser plugins. We also explore a potentially new mechanism, “Window Dribbling”, that allows an HTTP POST from a browser to be converted into a full bidirectional conversation by only allowing a remote sender to “dribble” a fixed number of bytes per segment.

Second, we (along with Robert Auger at Paypal) find that transparent HTTP proxies, such as Squid, will “override” the intended destination of browser sockets, allowing a remote attacker to send and receive data from arbitrary web sites. This allows (at minimum) extensive and expensive click fraud attacks, and may expose internal connectivity as well (HTTP or even TCP).

Third, and most interestingly, we find that active DPIs — those that actually alter the flow of traffic between a client and a server — all seem to expose subtly different parsers and handlers for the protocols they manipulate. These variations of behavior can be remotely fingerprinted, allowing an attacker to identify DPI platforms so as to correctly target his attacks. This capability, understood particularly in light of Felix Lindner’s recent work on generic attacks against Cisco infrastructure, underscores the need both for DPI vendors to test their platforms extensively, and for IT managers to deploy critical infrastructure patches with at least as much vigor as desktop support receives today.

For remediation purposes, we recommend two lines of defense – one policy, one technical. As a matter of policy, we find the most important recommendation of this paper to be that industry reconsider patching policies as they apply to infrastructure, especially as that infrastructure starts inspecting traffic at ever higher speeds in ever deeper ways. We are actively concerned that administrators have internalized the need to patch endpoints, but aren’t closely tracking the equipment that binds endpoints together – despite its ever increasing intelligence. This is as much a recommendation to vendors – to build patches quickly, and to code audit and fuzz with software from companies like BreakingPoint and Codenomicon – as it is a plea to IT departments to deploy the patches that are generated. Also from a policy perspective, while this paper does recognize the need for judicious use of DPI technology, systems that are deployed across organizational boundaries have particular need for correctness. There have been incidents in the past that have led to security vulnerability across entire ISPs.

On the technical front, we defend the existence of socket functionality in the browser, recognizing that constraining all networking to that which existed in 2001 is not leading to more stable or more secure networks. We explore a solution that would potentially allow firewalls to integrate socket policies into their ALGs, encouraging plugin developers to eventually join in with browser manufacturers and build a single, coherent, cross-domain communication standard. We also discuss more advanced transparent proxy caching policies, which will prevent the Same Origin Policy bypasses discussed above. Finally, we remind home router developers that browsers are still able to access their web interfaces from the Internet, and that this exposure can be repaired by tying default password effectiveness to either a button on the device or a power cycle.
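The two middlebox weaknesses summarized above (an FTP ALG opening a pinhole on the strength of a PORT command it saw on an arbitrary connection, and a transparent proxy trusting the Host header over the address the client's socket was really going to) each come down to a policy decision the device makes on attacker-controllable input. The following is an added illustration of what the tighter policies look like; it is not code from the CanSecWest paper, from Squid, or from any firewall product. The function names, the `resolve` callback and the DNS table are assumptions constructed for the example so that it runs offline.

```python
"""Two middlebox policy checks, written as an added illustration (not code from
the paper or from any proxy/firewall product). All names and sample data are
constructed for the example."""
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# ---------------------------------------------------------------------------
# 1. Transparent HTTP proxy: the Host header may be consulted, but the proxy
#    must never connect anywhere the client's own TCP socket was not already
#    going. Otherwise a plugin socket to attacker.example can be turned into a
#    request for any site simply by writing a different Host header.
# ---------------------------------------------------------------------------

def select_upstream(original_dst_ip: str, host_header: str,
                    resolve: Callable[[str], Iterable[str]]) -> Optional[str]:
    """Return the one IP an intercepting proxy may forward to, or None to refuse.

    original_dst_ip: destination of the intercepted TCP connection, taken from
                     the socket/NAT table, not from anything sent in-band.
    host_header:     the request's Host: value (attacker-controllable).
    resolve:         hostname -> iterable of addresses; injected so the check
                     is testable without live DNS.
    """
    hostname = host_header.split(":", 1)[0].strip().lower()   # drop ":port"
    if not hostname:
        return None
    try:
        addresses = set(resolve(hostname))
    except OSError:          # real resolvers raise socket.gaierror (an OSError)
        return None
    # Host is trusted only if it agrees with where the packet was really going,
    # and even then the proxy forwards to that original address, never to some
    # other address the name happens to resolve to.
    return original_dst_ip if original_dst_ip in addresses else None


# Constructed DNS table standing in for a resolver (not real addresses).
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "shop.example": ["203.0.113.10"],
    "bank.example": ["198.51.100.7"],
}

def constructed_resolve(name: str) -> List[str]:
    return CONSTRUCTED_DNS.get(name, [])


# ---------------------------------------------------------------------------
# 2. FTP Application Layer Gateway: open a return pinhole only for a PORT
#    command that appears on a real FTP control channel, names the connection's
#    own source address and an unprivileged port, and only for the FTP server
#    as the permitted source of the inbound data connection.
# ---------------------------------------------------------------------------

PORT_CMD = re.compile(r"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

Pinhole = Tuple[str, str, int]   # (allowed_source_ip, client_ip, client_port)

def ftp_alg_pinhole(client_ip: str, server_ip: str, server_port: int,
                    line: str) -> Tuple[Optional[Pinhole], str]:
    """Decide whether the ALG may open a pinhole for one control-channel line.

    Returns (pinhole, reason); pinhole is None when the line must be ignored.
    """
    if server_port != 21:
        return None, "not an FTP control channel"
    m = PORT_CMD.fullmatch(line.rstrip("\r\n"))
    if m is None:
        return None, "not a PORT command"
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        return None, "malformed PORT argument"
    announced_ip = ".".join(str(o) for o in octets[:4])
    announced_port = octets[4] * 256 + octets[5]
    if announced_ip != client_ip:
        return None, "PORT address is not the connection's own source address"
    if announced_port < 1024:
        return None, "PORT names a privileged port"
    # Narrow pinhole: only the FTP server may connect, and only to this port.
    return (server_ip, client_ip, announced_port), "ok"


if __name__ == "__main__":
    print(select_upstream("203.0.113.10", "shop.example", constructed_resolve))
    print(select_upstream("203.0.113.10", "bank.example", constructed_resolve))
    print(ftp_alg_pinhole("10.0.0.5", "203.0.113.10", 21, "PORT 10,0,0,5,19,137\r\n"))
    print(ftp_alg_pinhole("10.0.0.5", "203.0.113.10", 80, "PORT 10,0,0,5,19,137\r\n"))
```

The second check deliberately refuses a PORT command seen on anything other than port 21, so an HTTP POST body that happens to contain `PORT …` lines on a web connection never reaches the ALG at all; the source-address and privileged-port rules then limit what a PORT command on a genuine FTP channel can open.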

The firewall fingerprinter should be online shortly, with source code for you to play with as well.  Thanks!

(Incidentally, yep, Source is this week, and I have something rather different in store for that event.  The times, they are busy.)

Posted by CEOinIRVINE

Why Apple Won't Wow At Macworld

Steve Jobs' decision to skip the convention could mean the company doesn't have a hot new product to show off.

Apple pundits were quick to infer that Chief Executive Steve Jobs must be sick after the computer maker said Tuesday that he won't be speaking at Macworld in January and this will be the company's last appearance at the conference.

The real reason he's not delivering his usual keynote speech could be simpler than that, however: It could be that Apple (nasdaq: AAPL) has nothing "insanely great" to demo this year.


Consider the facts: the great hype around the iPhone has put even otherwise impressive Apple announcements under a shadow. Apple's stock dropped and some Macworld attendees were disappointed the last go around after Jobs introduced the MacBook Air, which has turned out to be a solid seller.

The most optimistic Apple watchers this year have spun out prospects that the company will sell a $99 iPhone or an Apple-ized version of a netbook. But even if Apple releases a netbook in a nifty color--white?--it's hardly the kind of trend-setting device that the iPhone was. Apple is late to the show on this one. And Jobs himself has said that his company can't figure out how to make a $500 computer that meets his standards.

Apple may have been hoping to ship something big at Macworld and didn't get it done. "Steve is not going to go out there unless there is something great to introduce," says Roger McNamee, managing director and co-founder of venture firm Elevation Partners. (Disclosure: Elevation Partners is an investor in Forbes Media.)

Of course, Apple could be backing out of Macworld for any number of reasons.

It could just want out of the cycle of having to build products on a deadline set by someone else. Or Jobs could indeed be wrestling with a recurrence of cancer, following his 2004 surgery for pancreatic cancer.



Posted by CEOinIRVINE

Surviving The Switch To Digital TV

Everything you need to know to make sure you get a signal after Feb. 17.

At the stroke of midnight on Feb. 17, 2009, the analog transmissions that have beamed free television over the air in the United States for over half a century will disappear for good. They will be replaced by digital signals, many of which are already broadcasting, in what will be the most significant change to television since the introduction of color.

The "digital switchover" brings with it higher image quality, better sound and a level of versatility and flexibility previously unattainable through free television. It also brings with it a number of significant headaches, as confusion over exactly who will be affected is inspiring panic in viewers fearful of being left behind in a haze of snow and static as the rest of the country moves into the future. Many of those who will be affected know that the deadline is fast approaching, but are unsure of how to prepare for it. Thankfully, a solution is simple, easily attainable and won't cost you a dime.

There are two major reasons for the switch from analog TV broadcasts to digital TV. First, digital signals offer superior image quality and allow for the transmission of high-definition signals over the air. This means that a properly equipped HDTV can receive local high-definition broadcasts that will look about as good as what you'd get from cable or satellite television.


Second, switching from analog to digital frees up real estate on the broadcast spectrum for other uses, as digital signals are more efficient and take up less bandwidth. Telecommunications companies like Verizon (nyse: VZ) and AT&T (nyse: T) have spent nearly $20 billion to secure the rights to the frequencies that were previously occupied by channels 52 through 69, in the hopes of using that airspace to improve their wireless communication networks.

What the digital switchover is actually doing is changing the language that TV broadcasters use to communicate with your television. Since 1941, televisions in the U.S. have utilized a set of broadcast standards laid out by the National Television System Committee. Big broadcast towers sent out information over the air using these NTSC standards and were picked up by the television antenna in your living room. Inside your TV, an NTSC tuner interpreted the information and properly displayed it on screen.

The digital switchover is introducing a new language, a new set of broadcast standards, this one designed by the Advanced Television Systems Committee. On Feb. 17, those broadcast towers are going to stop speaking NTSC permanently and start speaking ATSC. But unfortunately, your old television set doesn't know how to translate ATSC into moving pictures and sound. Just about all televisions manufactured and sold after Mar. 1, 2007 feature ATSC tuners, but if you purchased a television any earlier than that, chances are your TV won't be able to pick up over-the-air broadcasts once the switchover occurs.

The solution: A digital converter box, essentially an external ATSC tuner that sits on top of your existing television and is linked between your antenna and your TV. The ATSC signals are grabbed by the same antenna you've always used, then passed to the digital converter box that translates the ATSC signals into something your NTSC television can understand. They are easy to hook up and available at a wide variety of stores, including big box stores like Best Buy (nyse: BBY), Wal-Mart (nyse: WMT) and Target (nyse: TGT), as well as online retailers.


Posted by CEOinIRVINE

Standard & Poor's assigns eBay an 'A-' debt rating

The rating agency Standard & Poor's assigned an "A-" debt rating to online auctioneer eBay Inc. on Monday, citing the company's well-established Internet brand as well as strong cash flow and liquidity.

The "A-" rating is investment grade but signifies that economic conditions may affect the company's finances.

The outlook is "Positive."

In a statement, Standard & Poor's analyst Philip Schrank said, "The rating on eBay reflects its well established brands in Internet e-commerce and payment segments, coupled with strong discretionary cash flow generation and ample liquidity."

Schrank cautioned that risks remain for the San Jose, Calif.-based company on a number of fronts: its performance relies somewhat on ongoing acquisitions, it faces rising competition from traditional retailers, entry costs in its market are low and consumer spending is being pulled back amid a credit shortage.

On the positive side, he said eBay's large customer base and low working capital needs should generate stable profits and cash flow even as the economy slows.

Schrank also predicts eBay's subsidiary PayPal - which processes online payments - will grow as more financial transactions move online. He added that eBay's recent acquisition of Bill Me Later, which allows online shoppers to pay without a credit card, should dovetail well with PayPal, and start generating a profit in the "near term."

The company's stock fell with the broader market Monday, sliding 51 cents, or 3.9 percent, to $12.62.


Posted by CEOinIRVINE

Wall Street heads to lower open on economy worries

Wall Street headed toward a lower open Wednesday, as investors try to assess how bad the global economic slump is and worry about the trend in consumer spending.

The market, which fell for the second-straight session on Tuesday, will get an update from Treasury Secretary Henry Paulson on the government's financial rescue package at 10:30 a.m. EST. There are no major economic reports due to be released during the session.

There was fresh evidence that the financial crisis is causing consumers to tighten their purse strings.

Department store operator Macy's Inc. reported a loss of $44 million for the third quarter as results were weighed down by charges related to a consolidation of several divisions. The consumer electronics chain Best Buy Co. cut 2009 guidance on fears that consumer spending will erode even further.

A big drop in consumer spending is a major concern since it drives more than two-thirds of the U.S. economy. Investors are also awaiting the government's retail sales figures on Friday and earnings from Wal-Mart Stores Inc. on Thursday.

Battered shares of the top U.S. automakers might again come under pressure. House Speaker Nancy Pelosi wants Congress to support a financial bailout for the troubled U.S. auto industry, which is suffering under the weight of poor sales, tight credit and a sputtering economy.

President-elect Obama, when he met with President Bush at the White House on Monday, urged Bush to support aid for struggling automakers, and Democrats in Congress have begun drafting legislation that would give General Motors, Ford and Chrysler access to $25 billion of the rescue funds.

Dow futures shed 59, or 0.69 percent, to 8,578. Standard & Poor's 500 futures dropped 4.60, or 0.52 percent, to 888.40. Nasdaq 100 index futures stumbled 10.20, or 0.84 percent, to 1,212.80.

On Tuesday, the Dow fell nearly 180 points as it became clearer to investors that it's going to be hard to rely on the average consumer to pull the economy out of its downturn. The market also closed lower amid similar concerns on Monday.

Government bond prices, which did not trade Tuesday because of Veterans Day, moved higher as investors looked for safer investments. The three-month Treasury bill's yield fell to 0.21 percent from 0.22 percent late Monday, and the yield on the benchmark 10-year Treasury note fell to 3.74 percent from 3.76 percent late Monday.

Lower yields indicate stronger demand.

Crude slipped below $59 a barrel Wednesday on the growing realization that global economic growth next year will slow more than originally feared, cutting demand for crude products such as gasoline. Light, sweet crude was down 85 cents to $58.48 a barrel, after earlier falling as low as $58.55, in electronic trading on the New York Mercantile Exchange.

In corporate news, American Express Co. is said to be seeking about $3.5 billion from the U.S. government to help boost its balance sheet, according to a report in The Wall Street Journal citing people familiar with the situation. AmEx, the No. 4 U.S. credit card issuer, won approval Monday from the Federal Reserve to become a bank holding company.

Prudential Financial Inc. said late Tuesday its 2008 annual dividend will be roughly half of what it paid out to shareholders last year. The insurer said it will pay a dividend of 58 cents per share on Dec. 19 to shareholders of record at the close of business on Nov. 24. Last year, the company paid a dividend of $1.15 per share.

After the closing bell, semiconductor equipment maker Applied Materials Corp. and Computer Sciences Corp., an information technology outsourcing firm, are also set to report.

Overseas, Japan's Nikkei closed down 1.29 percent and Hong Kong Hang Seng fell 0.73 percent. In European trading, London's FTSE 100 was up 0.52 percent, Germany's DAX fell 0.22 percent, and France's CAC-40 added 0.11 percent.

Posted by CEOinIRVINE