Posts in Secure IT Practices

Using DNS for first-level spam filtering

Monday, February 20, 2006 by Adam Hammer in General, Secure IT Practices,

We have had some success using domain name system lookups to block incoming mail messages that are likely to be junk mail. While many people (including us) use DNS real-time black lists, the checks below are done against values returned by regular forward and reverse lookups on the connecting IP address. We've stopped a large amount of traffic based on the name of the connecting host or due to "poorly" configured DNS without many complaints. The number of false positives, while non-zero, have so far been at levels acceptable to us. The first test is a sanity check of sorts on the name of the connecting host. If no reverse lookup can be done on the IP address of the host, the message is blocked. A forward lookup is then done on the just-returned host name. If the forward and reverse lookups do not match, the message is blocked. Then the hostname is checked against a regex that tries to match dial-up or home cable/DSL addresses. If it matches that, the message is blocked. The expectation is that this will help block the spam zombies on less than ideally maintained home machines out there. These checks do generate false positives. There are some domains where outgoing mail comes from hosts with no name in DNS or all hosts of the domain have names of the form ip-NNN-NNN-NNN-NNN.domain. Some smaller companies or individuals are given addresses from their net providers of that form and are unable to change them. Apparently many net providers think it's a good idea to do a reverse lookup on an IP address but then not have a valid forward lookup for the just returned name. To help with these cases, the SMTP rejection message includes a URL where one can request that their addresses be added to an exception list. Now to numbers. During the average day last week our SMTP server got 8719 connection requests. The previously mentioned DNS tests resulted in the blocking of 4463 messages, or about 51% of all our incoming traffic. Since this happens before any virus scanning or spam scanning on the content of the messages, it saves quite a bit of CPU and IO time on the server. While this system isn't perfect, it is so effective as a first pass filter that we put up with the few false positives that have been reported so far.

Didn’t we learn anything from WarGames?

Friday, February 17, 2006 by Ed Finkler in Kudos, Opinions and Rants, Secure IT Practices,

My s.o. and I watched WarGames last night, and I enjoyed it not only for the kitschy nostalgia of an 8-inch floppy disk, but for some of the lessons of good information security practices that we still have trouble remembering:

Don't write down your password. Matthew Broderick's character is able to break into his high school's computer system and alter his grades because he reads the password off the secretary's desk every couple weeks.
Don't make high-security systems publicly accessible. The W.O.P.R. computer (wasn't that a great name?) that controls the launch of the US nuclear arsenal is accessed over a public phone line. Firewalls, anyone? Bueller?

It does seem like folks are generally getting a lot better with #2, but #1 seems to be a tougher nut to crack. It's understandable, because it's much more of a human behavior issue, but sometimes you just wonder, have we learned nothing in 20 years? :)

Mambo worm highlights security problems in web app dev

Saturday, December 10, 2005 by Ed Finkler in Infosec Education, Secure IT Practices,

Christopher Kunz reports on the existence of another web app worm, this time exploiting in the widely used Mambo portal/CMS system. Like the Santy worm that attacked phpBB, Elxbot identifies vulnerable installs via Google, but goes way beyond simple site defacement. Jeff Moore discusses this as a good example of why web apps need better installation/update systems. He's absolutely right. Wordpress, one of the most popular open-source web apps, has a fairly decent installer, but is a nightmare to upgrade. The developers don't even release "upgrades" per se, but give users some minimal instructions on what files to overwrite and what to skip. Even though the XML-RPC vulnerability that hit Wordpress and many other PHP-based apps a few months ago was patched immediately, it seems likely that there are large numbers of Wordpress users that are unaware of the problem and have not installed (it's difficult to find sources for stats on this, though). Beyond that, this underlines the need for both educating developers on secure coding practices, and developing freely available tools to help developers audit their applications. This is particularly important for the open-source web applications that drive a large portion (a majority?) of dynamic web sites. An Information Week article from a couple weeks ago that discusses how malicious coders are now targeting applications (including web apps) quotes Howard Schmidt:

In an e-mail, Howard Schmidt, a noted cyber-security expert and former CSO for both Microsoft and eBay, said the SANS report highlights the utility of hardening the presentation and application layers as a means to reduce cyber security events. "The first stop on the way to fix this is through secure coding and better QA of development processes, penetration testing on compiled code as well as vulnerability testing of integrated deployed applications via Web front ends," he wrote.

Hopefully more people will start to realize this before the problem gets worse.

An open source command-line Cassandra!

Monday, November 28, 2005 by Pascal Meunier in General, Secure IT Practices,

I am pleased to announce the availability of the first beta of my_cassandra.php, which can be downloaded from my home page (change the extension from phps to php after you download it). Because you get the source code and the custody of your profiles, this version of Cassandra should not generate the privacy concerns that the online version did. As it is under your control you can also run it at the intervals you choose. It is made available under an open source license so you can modify it. It runs under PHP so it should run on almost any platform by changing the path to PHP (from "#!/usr/bin/php -q" for MacOS X). Enjoy! P.S.: I already received a patch from Benjamin Lewis from Purdue ITSP, improving robustness while reading a profile. Thanks Ben!

Managing Web Browser risks with the NoScript extension

Thursday, November 17, 2005 by Pascal Meunier in Kudos, Opinions and Rants, Reviews, Secure IT Practices,

It is very risky to enable all client-side scripting technologies when browsing the web (plugins/ActiveX/ JavaScript/Flash etc...). I installed the "NoScript" extension for Firefox, which allows JavaScript to run only on some whitelisted sites. It is a wonderful idea, except that it comes with a list of pre-enabled sites with some that you can't delete (the arrogance of dictating unerasable sites!), and the defaults are to not block Flash and other plugins. Moreover, it's only as secure as DNS, unless you require the "full addresses" option through which I presume you could require an https (SSL) url. Unfortunately there is no way to enable "base 2nd level domains" *and* require SSL, to say for example that I want to trust all *.purdue.edu sites that I contact through SSL and that have valid SSL certificates. It is better than nothing, but needs SSL support to be really useful. Most people don't understand the limitations and vulnerabilities of DNS, and the need for SSL, and will therefore have an unwarranted feeling of security while using this plugin.

Recent Blogs

Blog Archive

Posts in Secure IT Practices

Page Content

Using DNS for first-level spam filtering

Recent Blogs

Blog Archive