Packet Life has a great reminder of why we shouldn’t automatically accept “conventional wisdom” and “best practices” in our work, using as a prime example the long-held nugget that VLAN 1 and user traffic don’t mix because doing so leaves the network vulnerable to VLAN hopping attacks.
Specifically, network engineers have been preaching for years that allowing user traffic on VLAN 1 could lead to a scenario where a malicious attacker could send traffic to (or capture traffic from) VLANs he wasn’t supposed to have access to. We all know the evils of malicious traffic captures: stolen passwords, personal information, and company secrets. Using his trusty Catalyst 3550, Wireshark, and a few other simple tools, Stretch shreds that chestnut:
If the VLAN hopping attack theory is valid, we should observe our frame exiting S1’s FastEthernet0/13 onto the trunk with an 802.1Q tag specifying VLAN 10. However, by monitoring eth1, we can observe that this frame is not switched out onto the trunk. Rather, because S1 detected an 802.1Q-tagged frame ingress on an access port, the frame was discarded. (Interestingly, though, the receipt of such a frame does not increase any interface error counters.)
I’ve tried crafting the malicious frame in several ways, including swapping the order of the headers and sending only one header, but none of my attempts were successful in getting a tagged frame onto the trunk in any VLAN, even the native (untagged) VLAN. Only by transmitting the frame without any 802.1Q header was it successfully switched onto the trunk (untagged). These observations suggest that VLAN hopping attacks are not effective against modern switches (or at least the Catalyst 3550 running 12.2(44)SE2), in contrast to the findings of an @stake security assessment (PDF link) performed in 2002.
As has been pointed out subsequently by others, this vulnerability is still present in older versions of IOS, but a good workaround would be to force tagging of all traffic on trunks using the command:
vlan dot1q tag native
If your SmartNet has lapsed, this is a possible workaround. But if you have an active contract for your gear and you use trunks with VLAN 1 untagged (which includes “user” traffic) you need to upgrade as soon as possible.
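To make the mechanics of the double-tag theory concrete, here is an added Python model (not Stretch’s code or anything from Packet Life) that parses the 802.1Q tag stack of a frame and simulates what the trunk peer would classify it into under the Catalyst 3550 behaviour described above, under an assumed legacy behaviour that accepts a matching tag on an access port, and with the `vlan dot1q tag native` workaround applied. The frames are constructed test vectors, not captures from the post.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag follows


def parse_vlan_stack(frame: bytes) -> list[int]:
    """Return the VLAN IDs of all stacked 802.1Q tags, outermost first."""
    off, vids = 12, []                         # 12 = destination MAC + source MAC
    while len(frame) >= off + 4 and struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)              # VID is the low 12 bits of the TCI
        off += 4
    return vids


def trunk_peer_vlan(frame, access_vlan=1, native_vlan=1, strict_access=True, tag_native=False):
    """Simulate S1 receiving `frame` on an access port and forwarding it over the trunk.

    Returns the VLAN the trunk peer (S2) would assign the frame to, or None if S1
    drops it.  strict_access=True models the Catalyst 3550 behaviour in the post
    (any tagged frame on an access port is discarded).  strict_access=False is an
    ASSUMED legacy behaviour: a tag matching the access VLAN is popped and the frame
    is admitted.  tag_native models `vlan dot1q tag native` (native VLAN tagged on trunks).
    """
    tags = parse_vlan_stack(frame)
    if tags:
        if strict_access or tags[0] != access_vlan:
            return None                        # tagged ingress on an access port: dropped
        tags = tags[1:]                        # legacy: outer tag popped, frame sits in access_vlan
    # On the trunk the frame leaves untagged only if it belongs to the untagged native VLAN;
    # the peer then trusts whatever tag is still on the wire (this is the hop).
    if access_vlan == native_vlan and not tag_native:
        return tags[0] if tags else native_vlan
    return access_vlan                         # explicit tag on the wire: peer sees the real VLAN


# Constructed sample frames: broadcast destination, locally administered source MAC.
HDR = bytes.fromhex("ffffffffffff" "020000000001")
PAYLOAD = bytes.fromhex("0800") + b"\x00" * 4                      # IPv4 EtherType + filler
UNTAGGED = HDR + PAYLOAD
# Outer tag VID 1 (the untagged native VLAN), inner tag VID 10 (the target in the post).
DOUBLE_TAGGED = HDR + bytes.fromhex("8100" "0001") + bytes.fromhex("8100" "000a") + PAYLOAD
```

Running `trunk_peer_vlan(DOUBLE_TAGGED)` returns None (the 3550 drop Stretch observed), the legacy mode without the workaround lands the frame in VLAN 10, and the same legacy mode with `tag_native=True` keeps it in VLAN 1 because the outer tag is never stripped.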

The Czechs were the first ones to notice the network of infected devices that became known as the Chuck Norris bot-net. What makes this bot-net noteworthy for us networking types is not the number of devices infected (although the number is astonishing) but rather which devices are being targeted, compromised, and used for nefarious purposes: chiefly routers, firewalls, and gateway devices.
And that is unique: Most bot-nets attack workstations, compromise them, and use them to send spam, conduct DDoS attacks, or commit other crimes, and that’s about the extent of it. Chuck Norris uses network devices not only to commit crimes, but to compromise workstations on your private network and prime them for infection with other malware.
That’s right folks, Chuck Norris has gone berserk–he’s no longer just a butt-kicking Texas Ranger who beats up the bad guys, makes the ladies swoon, and wears a very expensive hat, now he’s after your firewall!
Continue reading Chuck Norris (Bot-Net) Karate Chopped Me in the Firewall
Gmail and Google Apps users please take note: Google Buzz may have already revealed what you’re reading to any Gmail user you’ve ever contacted through your Google account, and has definitely already created a “Social networking” profile–whether you like it or not.
If this seems like deja vu from the Facebook debacle last year, you’re not alone–the parallels are clear: A big organization gets users to entrust it with an array of personal information, then changes the “terms of service” quietly and begins sharing that information with others, without your informed consent.
To disable Google Buzz and permanently remove your “Google Public Profile” follow these steps:
- Login to your Google account.
- Click “Settings” in the upper-right hand corner.
- Click the “Buzz” tab.
- Click the “Disable Google Buzz” link on the lower third of the page.

Just in time for traditional fall pranking-season comes word of a zero-day exploit affecting all current versions of Windows (Vista, 2008 Server, and 7) that can cause the traditional “blue-screen of death” (BSOD) on any of the affected platforms–without credentials, physical access, or complicity by the victim.
In fact, this little hole is so nasty that it can be triggered using only one solitary TCP/IP packet.
Although easily prevented (by blocking Port 445 with a firewall), it’s yet another exploit–a black eye for Microsoft, who has been marketing Server 2008 and 7 as the ultimate releases of Windows, each containing oodles of new security features to shield users from the modern perils of life on the tubes.
Continue reading 1-Packet Borking of Vista, Server 2008, & 7
Every Friday at 11am sharp the County tests out the Disaster Warning Sirens near World Headquarters here in Indianapolis. You know–the painfully loud sirens that will theoretically warn you moments in advance of the coming tornado (if the green sky and twilight at noon didn’t clue you in) so that you might have time to bend over and kiss your butt good-bye.
Since my desk is conveniently located just one block from the siren, and we rely on the good graces of mother nature to cool the office in Indiana summer, not much gets done during this two minute “disaster drill” every Friday morning because the noise-level is… distracting. At best.
Despite enduring this diligent preparation, week-in and week-out for 12 of the last 15 years (that I’ve lived in Indiana) I have yet to experience one actual natural disaster. My eyes have not as yet drunk in the sight of a big fat F-5 tornado, for example, coming to get its “$5 Footlong” before smashing the Subway sandwich shoppe across the street to rubble–possibly in protest of its failure to honor the traditional “ducks eat free!” policy.
Continue reading Teach Us, Oh Great Doomsday Whistle!