The Massachusetts attorney general is leading a probe into the security measures parent company TJX took to protect its consumer-related information from data leaks and hacker attacks.
By Sharon Gaudin, InformationWeek, Feb 9, 2007 01:00 PM
The Massachusetts attorney general is heading up a multistate civil investigation into the recently disclosed security breach at TJX. The Consumer Protection Division of the Attorney General's Office is investigating the breach, which was revealed last month by the Framingham-based company. The state is looking specifically at what security measures the company took to protect consumer information.

"TJX has been very cooperative with the Attorney General's Office, and we are interested in continuing to work closely with the company so that we can protect Massachusetts consumers and the marketplace from credit card and other fraud," Attorney General Martha Coakley said in a written statement.

TJX, whose properties include 826 T.J. Maxx, 751 Marshalls, and 271 HomeGoods stores, was the victim of a hacker who accessed the company's computer systems that process and store information related to customer transactions at its stores in the United States and Puerto Rico, as well as for some stores in Canada, and potentially Canada and Ireland. The stolen information may include credit and debit card sales transaction data from 2003 as well as data from mid-May through Dec. 2, 2006.

Since taking office last month, Coakley has said that addressing identity theft and credit card fraud will be one of her administration's top priorities. "The recent TJX data breach demonstrates that Massachusetts citizens do not have all the necessary tools to protect themselves against identity theft or credit card fraud," Coakley said in her statement. "There are several proposals pending, including those that would require notification of consumers when their data was stolen or released, or that would give consumers the right to place a security freeze on their credit reports, which we are interested in reviewing. I look forward to working with the Legislature to determine the best ways to help consumers protect themselves and their credit."
Tips To Protect Yourself

The Massachusetts AG's office is recommending that people who have shopped at any of the TJX stores take these precautionary steps:

· Call one of the three major credit bureaus and place a one-call fraud alert on your credit report. Call either Equifax at 800-525-6285, Experian at 888-397-3742, or TransUnion at 800-680-7289.
· Order a copy of your credit report, and look for unauthorized activity.
· If there is unexplained activity on your credit report, place an extended fraud alert on your credit report.
· You may want to contact the fraud department of the credit card company or bank that you used when you made purchases at the TJX stores. These financial institutions can monitor your account for suspicious activity.

TJX has established a toll-free customer help line. Callers from the United States can call 866-484-6978. In addition, the company has posted information on its Web site under Important Customer Alert.
Labels: Commercial, Hacker
Dynamic Security could have stopped this hacker!

The security breach hit the Canadian Nuclear Safety Commission Wednesday afternoon. No critical information was reportedly affected.
By Sharon Gaudin, InformationWeek, Feb 9, 2007 02:58 PM
Hackers penetrated the Web site for the Canadian Nuclear Safety Commission this week, replacing text and graphics with photos of a nuclear explosion. The organization, which acts as a nuclear safety watchdog in Canada, reports that there was a security breach on Wednesday, Feb. 7, during the afternoon.

Aurele Gervais, a spokesman for the commission, says they had the Web site down within five minutes of being alerted to the attack. He adds they are not sure when the hacker broke into the site or how long he or she was there. Gervais would only say that the news release section of the site was replaced with graphic images, but would not describe them. It was widely reported in the Canadian press that the images were of a nuclear explosion. The Ottawa Citizen newspaper published a color photo of one of the pages that had been tampered with, but the photo is not shown online.

The Web site is not linked to the commission's internal computer network, so no critical information was in danger of being tampered with or stolen, according to Gervais, who adds that this is the first time their Web site has been hacked into. The Web site is back online. Gervais says the Royal Canadian Mounted Police are investigating.

Labels: Hacker, Nuclear, Web
Just because you are paranoid doesn't mean everyone is not out to get you. A whole industry is out to get you, in fact. It's a murky world of chat rooms, malware factories, and sophisticated phishing schemes. Here's a look inside.
By Larry Greenemeier, J. Nicholas Hoover, InformationWeek, Feb. 10, 2007
URL: http://informationweek.com/story/showArticle.jhtml?articleID=197004939

When retailer TJX disclosed Jan. 17 that the computer systems that store data related to credit card, debit card, check, and merchandise return transactions had been broken into, it said it had discovered the hack in December. But security officials at Visa had been seeing an increase in fraudulent activity on credit and debit cards related to TJX properties, such as T.J. Maxx, Marshalls, and HomeGoods stores, since mid-November. That means it's possible the purloined consumer data has been floating around the Internet, available for purchase on black market Web sites and chat rooms, for at least two months, maybe longer.

Hacking isn't a kid's game anymore. It's big business. Online black markets are flush with stolen credit card data, driver's license numbers, and malware, the programs that let hackers exploit the security weaknesses of commercial software. Cybercriminals have become an organized bunch; they use peer-to-peer payment systems just like they're buying and selling on eBay, and they're not afraid to work together.

While the independent hacker still exists (pardon us, but in this story, we'll refer to "hacker" in the layman's sense), the FBI sees true organized crime in parts of the hacking community, particularly in Eastern Europe, says special agent Chris Stangl, who works in the bureau's cybercrime division, the agency's third largest behind counter-terrorism and intelligence. "You'll have hackers cracking the machines, individuals collecting the data, and individuals selling for profit," Stangl says.

Getting a clear picture of the hacker economy isn't easy. It's a murky underground about which few people are willing to talk on the record. But the general outlines can be gleaned from inside and outside sources.
It's not a crime to point out vulnerabilities on the Net, making malware hard to prosecute, says eEye's Maiffret.
Direct Approach

Some hackers take the direct approach. Ransom scams--in which a criminal infects a company's systems with malware that encrypts data and then demands money to provide the decryption key--are common in Russia. Uriel Maimon, a researcher with the consumer division of RSA, a security vendor now owned by EMC, says he's seen a half-dozen of these scams over the past five months. But in the scheme of things, those kinds of scams aren't all that common because they're risky--they require "a direct financial connection between the victim and the author or proprietor of the malware," says David Dagon, a researcher with the Georgia Tech Information Security Center.

More omnipresent is the thriving black market in data. Online sites abound where credit and debit card numbers, cardholder names, and the card verification value, a three- or four-digit code that's used to verify a card's authenticity, can be bought and sold. Jeff Moss, who goes by the handle "The Dark Tangent" and is the founder of Black Hat, a security research and training firm (owned by InformationWeek parent CMP), says he knows of one European cyberattacker who makes nearly a half-million dollars annually buying and selling databases and customer lists.

Credit card information is mostly sold in bulk. "You don't just buy one Amex card with no limit; you typically buy a set because any one could be canceled or entered into fraud claims," Dagon says. Though some sites have list prices, basic card information can go for as low as $1 a card, and prices often depend on the quality of the data, says Johannes Ullrich, CTO of the SANS Internet Storm Center.

Credit card thieves, who call themselves "carders," often ply their wares through IRC chat rooms, private and public forums with names like CardersMarket and Carder.info, and even conventional-looking e-commerce sites. The experienced hackers and carders stick to private, encrypted, password-protected IRCs, Ullrich says.
One forum, CardingWorld.cc, has more than 100,000 posts from 13,000 registered members, most of whom write in Russian. The site's English section includes offers for Bank of America, Fidelity Bank, and PayPal logons; credit card information from around the world; valid gift cards; and services for the safe transfer of large amounts of money. Most sellers and buyers on the forum request that purchases or offers be taken to private messages on the bulletin board system or to ICQ instant messaging.

A site called Dumps International appears to provide credit cards and equipment for reading and encoding credit cards, as well as Social Security numbers, dates of birth, mothers' maiden names, PINs, and batches of credit card "dumps" that contain card numbers, cardholder names, and expiration dates. The cost for U.S. credit card numbers on the site ranges from $40 for a standard credit card up to $120 for a "signature" card, one step above platinum and corporate cards. There are even specials--buy 100 cards in a mixed batch and the price drops to $30 a card.

The average life expectancy for such sites is about six months before they're rerouted through a new proxy server to throw off law enforcement. TalkCash.net, which functioned until last summer, even offered a list of "rippers," those who'd used the marketplace but were unreliable, and "verified vendors," those who had proved that they could deliver on their promised goods.

Cybercriminals close their deals using peer-to-peer payment systems like PayPal and e-gold, which lets people exchange electronic currency backed by the value of gold bullion rather than a particular national currency. Some use Western Union wire transfers to make payment. E-gold says it "in no manner condones" the use of its service for criminal acts, and PayPal chief information security officer Michael Barrett says the company regularly works with law enforcement when it identifies usage patterns that indicate criminal activity.
Moving money around can be dangerous for hackers, since transactions over $10,000 must be reported by banks and wire transactions can be easy to track. Georgia Tech's Dagon says large transactions can be split up, with some in the hacker gang taking payment in plasma TVs, large numbers of compromised iTunes accounts, World of Warcraft credentials, and even access to compromised routers.

Malware For Sale

Another valuable commodity in the hacker economy is malware such as viruses, worms, and Trojan horse programs. These so-called exploits provide hackers entrée into corporate systems. A recent report by Internet Security Systems (acquired last year by IBM) warns of the emergence of an "exploits-as-a-service" industry, with sophisticated manufacturing and distribution networks similar to the computer industry's legitimate production channels. "Managed exploit providers are purchasing exploit code from the underground, encrypting it so that it cannot be pirated, and selling it for top dollar to spam distributors," the report says.

As with any market economy, the most valuable commodities command the highest prices. In December, a flaw in Microsoft's new Windows Vista operating system was found for sale on a Romanian Web forum for $50,000, says Raimund Genes, CTO of security vendor Trend Micro, who contends that the malware industry commands more revenue than the $26 billion that legit security vendors generated in 2005. Serious money like that has attracted an equally serious criminal element. Zero-day exploits--which take advantage of security vulnerabilities as soon as they're discovered, before vendors can patch their products--were selling late last year for as much as $20,000 to $30,000 each, Genes says.

However, despite the danger zero-day and other security vulnerabilities pose to companies and their customers, there's little law enforcement can do to prevent someone from writing a program that exploits one of these vulnerabilities.
It's not a crime "to point out an unpatched vulnerability on the Internet," says Marc Maiffret, founder and chief hacking officer of eEye Digital Security.

Phishing Pays Off

Phishing scams are also a thriving underground business, often employing groups of people who bring different skills to the table, says a Web application security consultant who goes by the name RSnake. The "spammer" scours the Web for e-mail addresses that can be sold to "hackers," who look for security vulnerabilities to exploit, create phishing sites, and tell the spammers where to send the phishing e-mails on their behalf. Meantime, "carders" buy the information stolen by hackers to create the fraudulent credit and debit cards they use to steal money or sell to other criminals. Of course, the same cybercriminal can multitask, RSnake adds.

The Anti-Phishing Working Group, a cooperative of public and private organizations, says the tools used by phishing fraudsters are getting a lot more sophisticated. The group's report for December cites 340 new variants in the keyloggers and Trojan horses used by phishers that month alone--a record high. That increase is mostly because of "better use of software tools to automate the creation and testing of new variants," the report says.
Hackers hope businesses hold onto their data, Kaminsky says.
Chances are, those tools were spawned by tech-savvy Eastern Europeans known for creating automated phishing programs and spam engines, RSnake says. "The people I've spoken to in Eastern Europe are actually pretty young guys, in their 20s," he says. "Some have formal educations, but some don't. Some live in countries like Romania, where houses have more Internet throughput than some businesses in the U.S. They've grown up on the Internet for the past 10 years, and the laws in their countries are less stringent than in other places, like the U.S."

Sophisticated technology isn't the only tool of the phishing trade. It seems unbelievable, but Nigerian "419" scammers continue to fleece gullible e-mail users. These are the e-mails that usually begin, "I need your help," and describe a situation where a large amount of money needs to be rescued or transferred from one country to another. They're known as "advance fee" solicitations because they ask the victim to send money to help free up the funds, with the promise of a lucrative payoff. The 419 designation refers to the section on fraud in the Nigerian criminal code. Last month, the former treasurer for Michigan's Alcona County was arrested and charged with embezzling $1.2 million in public funds, at least some of which he sent to a notorious Nigerian e-mail scammer. The Federal Trade Commission posts this warning on its Web site: "If you receive an offer via e-mail from someone claiming to need your help getting money out of Nigeria--or any other country, for that matter--forward it to the FTC at spam@uce.gov."

Pump And Dump

On Jan. 25, the Securities and Exchange Commission charged a 21-year-old Florida man with breaking into numerous online brokerage accounts, then liquidating their portfolios.
Investigators say Aleksey Kamardin of Tampa, during a five-week span last summer, made more than $82,000 by using funds in multiple compromised accounts at Charles Schwab, E-Trade, JPMorgan Chase, TD Ameritrade, and other online brokers to buy shares in lightly traded companies. Those purchases gave the illusion of increased legitimate trading, which raised the stocks' price. Kamardin then sold the shares he had purchased earlier, and other legit investors saw the stock price fall sharply, investigators say.

It's a variation on the old "pump-and-dump" stock scam. In these scenarios, the thief will have invested in cheap, or penny, stocks using accounts based in the Cayman Islands or elsewhere offshore, where the accounts can be established anonymously. Once the thief buys or steals identity information, he can set up fraudulent accounts--or break into other people's accounts, as in the case of Kamardin--and buy large quantities of those penny stocks, driving up the price.

This presents a tricky situation for financial services firms. "They don't want to prohibit people from trading, so the creation of these fraudulent accounts becomes part of the financial services firms' risk of doing business," asserts Marc Gaffan, director of marketing for RSA's consumer solutions division. Also, it's difficult to scrutinize trade orders because they're time-sensitive, Gaffan says. Delays cost investors money and discourage them from doing business with a given company. E-Trade experienced this dilemma last year when a compromised computer opened the door for cyberattackers to run pump-and-dump scams on E-Trade clients, resulting in fraudulent activity that contributed to the $18 million in fraud losses the company reported for its third quarter.

What's To Be Done?
The Secret Service's New York Electronic Crimes Task Force made one of its biggest busts in 2002 when it charged former Prudential Insurance database administrator Donald McNeese with identity theft, credit card fraud, and money laundering. McNeese stole records from a Prudential database that contained information on about 60,000 employees. When he tried to sell the stolen info over the Web, Bill Moylan, a 25-year veteran of Long Island's Nassau County Police Department who was working undercover for the task force, spotted it and contacted him. McNeese sent Moylan about 20 of the employees' identities and encouraged him to use the stolen records to create fraudulent credit cards, with a portion of the proceeds to be sent to McNeese's home in Florida. McNeese was ultimately sentenced to three years probation and ordered to pay $3,000 in restitution.

The Secret Service is the federal agency primarily responsible for investigating cybercrime, and it continues to make progress against the hacker economy. In 2004, agents arrested a group of hackers running a site called Shadowcrew.com, and the following year six of those men pleaded guilty in federal court to trafficking in stolen credit and bank card numbers and identity information. Last March the Secret Service announced the arrests of seven suspects, for a total of 21 in three months, as part of Operation Rolling Stone, an investigation of identity theft and online fraud "through criminal Web forums."

Despite these successes, the hacker economy continues to flourish. At the RSA Security Conference in San Francisco last week, RSA president Art Coviello told the audience that the market for stolen identities has reached $1 billion, according to IDC research, and that malware has risen by a factor of 10 in the last five years, according to the Yankee Group.

"The fundamental issue is that we have a law enforcement model that's geographically based, but there's no geography on the Internet," says Dan Kaminsky, a security researcher with DoxPara Research. Says RSnake: "They can't do wiretaps overseas or raid someone's house in Romania without local cooperation. There just isn't enough talent in our federal agencies to keep on top of this efficiently."

As a result, law enforcement has come to rely heavily on cooperation from the private sector, such as financial institutions, Internet service providers, and telcos. Also, there are about a dozen electronic crime task forces operating in local law enforcement agencies around the country, many of which have access to FBI InfraGard, an information sharing system between the FBI and the private sector. InfraGard began in the FBI's Cleveland field office in 1996 as a local effort to gain support from IT pros and academia for the FBI's cyber-related investigations.

Vendors must take some responsibility for opening the door to the mercenary market for malicious code and stolen data by shipping software with security flaws. IBM's ISS reported that last year a total of 7,247 software security vulnerabilities were reported, up nearly 40% from 2005, with Microsoft, Oracle, and Apple the biggest offenders.

Businesses and end users must shoulder some of the responsibility as well for lax security measures and for simply storing too much data. In the case of TJX, it turned out the retailer was storing credit-card data contrary to Visa's rules. "It just feels wrong to people to throw away data," says DoxPara's Kaminsky. Companies need to give careful thought to the data they're managing and realistically assess their ability to protect it. If they don't, they just might see it show up on a black market site.

Labels: Cybercrime, Hacker
Dynamic security can enforce password policies.

Study: Weak passwords really do help hackers
Four computers left online for 24 days were hit by 270,000 hacking attempts
Todd R.
February 06, 2007 (Computerworld) -- Left online for 24 days to see how hackers would attack them, four Linux computers with weak passwords were hit by some 270,000 intrusion attempts -- about one attempt every 39 seconds, according to a study conducted by a researcher at the University of Maryland.

Among the key findings: Weak passwords really do make hackers' jobs much easier. The study also found that improved selection of usernames and associated passwords can make a big difference in whether attackers get into someone's computer.

The study was led by Michel Cukier, an assistant professor of mechanical engineering and an affiliate of the university's Clark School Center for Risk and Reliability and Institute for Systems Research. His goal was to look at how hackers behave when they attack computer systems -- and what they do once they gain access.

Using software tools that help hackers guess usernames and passwords, the study logged the most common words hackers tried to use to log into the systems. Cukier and two graduate students found that most attacks were conducted by hackers using dictionary scripts, which run through lists of common usernames and passwords in attempts to break into a computer. Some 825 of the attacks were ultimately successful and the hackers were able to log into the systems. The study was conducted between Nov. 14 and Dec. 8 at the school.

Cukier was not surprised by what he found. "Root" was the top guess by dictionary scripts in about 12.34% of the attempts, while "admin" was tried 1.63% of the time. The word "test" was tried as a username 1.12% of the time, while "guest" was tried 0.84% of the time, according to the experiment's logs.
The dictionary script software tried 43% of the time to use the same username word as a password to try to gain entrance into the affected systems, Cukier said. The reason, he said, is that hackers try for the simplest combinations because they just might work.

Once inside the systems, hackers conducted several typical inquiries, he said, including checking software configurations, changing passwords, checking the hardware and/or software configuration again, downloading a file, installing the downloaded program and then running it.

For IT security workers, the study reinforced the obvious. "Weak passwords are a real issue," Cukier said. At the University of Maryland, users are told that passwords should include at least eight characters, with at least one uppercase letter and one lowercase. The school also recommends that at least one character be a number or punctuation symbol, Cukier said. All passwords should be changed every 180 days, according to the university's recommendations.

"That's really reasonable," Cukier said of the guidelines. "It's not helpful if the password is so complicated that people don't remember it and [therefore] write it down on a sticky note next to their computer." Users can use the title of a favorite book for a password or even the first letters from a memorable sentence, he said. "They'll be easy for you to remember because you'll be able to remember the sentence ... without having to write it down," Cukier said.
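The study's findings above (dictionary scripts cycling through a short list of usernames at a steady rate, with a minority of attempts eventually succeeding) translate directly into detection logic a defender can run over their own logs. The Python script below is an added example written for this page; it is not code from the Computerworld article or from Cukier's study. It parses constructed sshd-style syslog lines (the log format, hostname and IP addresses are assumptions) and reports the most-tried usernames, the average spacing between attempts, sources that hammer the host in bursts, and any successful login that follows such a burst from the same source, which is the "825 attacks were ultimately successful" case an administrator most needs to notice.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of sshd log lines (syslog format, year assumed to be 2007) that
# mimics the dictionary-script traffic the Maryland study describes: the same few
# usernames tried over and over from one source. This is not real log data.
SAMPLE_LOG = """\
Nov 14 10:00:01 honeypot sshd[2101]: Failed password for root from 198.51.100.7 port 40001 ssh2
Nov 14 10:00:03 honeypot sshd[2102]: Failed password for root from 198.51.100.7 port 40002 ssh2
Nov 14 10:00:05 honeypot sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 40003 ssh2
Nov 14 10:00:07 honeypot sshd[2104]: Failed password for invalid user test from 198.51.100.7 port 40004 ssh2
Nov 14 10:00:09 honeypot sshd[2105]: Failed password for root from 198.51.100.7 port 40005 ssh2
Nov 14 10:00:11 honeypot sshd[2106]: Failed password for invalid user guest from 198.51.100.7 port 40006 ssh2
Nov 14 10:00:13 honeypot sshd[2107]: Failed password for root from 198.51.100.7 port 40007 ssh2
Nov 14 10:00:15 honeypot sshd[2108]: Accepted password for test from 198.51.100.7 port 40008 ssh2
Nov 14 10:05:00 honeypot sshd[2200]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Nov 14 10:09:00 honeypot sshd[2201]: Accepted publickey for alice from 203.0.113.9 port 51001 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user admin from ...".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\w+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<ip>[\d.]+)"
)


def parse_log(text, year=2007):
    """Turn raw syslog text into a list of login-attempt events; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def busiest_window(times, window_s):
    """Largest number of events from one source that fall inside any window_s-second span."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarize(events, window_s=60, threshold=5):
    """Username popularity, attempt rate, bursty sources and post-burst successes."""
    empty = {"total_attempts": 0, "seconds_per_attempt": 0.0, "top_users": [],
             "bursty_sources": {}, "suspicious_logins": []}
    if not events:
        return empty
    total = len(events)
    users = Counter(e["user"] for e in events)
    top_users = [(u, round(100.0 * c / total, 2)) for u, c in users.most_common(5)]
    span = (max(e["time"] for e in events) - min(e["time"] for e in events)).total_seconds()
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["time"])
    bursty = {}
    for ip, ts in by_ip.items():
        n = busiest_window(ts, window_s)
        if n >= threshold:
            bursty[ip] = n
    # A success from a source that was just hammering the host is the case to escalate.
    suspicious = []
    for e in events:
        if e["result"] != "Accepted" or e["ip"] not in bursty:
            continue
        prior_failures = sum(1 for f in events if f["ip"] == e["ip"]
                             and f["result"] == "Failed" and f["time"] < e["time"])
        if prior_failures >= threshold:
            suspicious.append((e["user"], e["ip"]))
    return {"total_attempts": total,
            "seconds_per_attempt": round(span / total, 1),
            "top_users": top_users,
            "bursty_sources": bursty,
            "suspicious_logins": suspicious}


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample, "root" accounts for 40% of the username guesses, the one source that tries eight logins in fifteen seconds is flagged as bursty, and its later accepted password login for "test" is listed under suspicious logins; the slow, key-based login from the second source is not. The window and threshold are parameters so the same logic can be tuned to a real host's baseline.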
Labels: Hacker, Passwords
There is always another way for hackers to get in. Dynamic Security can help keep them out.

Excel vulnerable to new attack
A critical flaw in Excel is attracting malware writers, says Microsoft, and the problem may affect other Office components as well.
http://cwflyris.computerworld.com/t/1247867/6626861/49955/2/
Labels: Hacker, MS Office
Dynamic Security can dry up the reserve of passwords that hackers use to penetrate VPNs.
Michael Thumann
Breaking into a VPN
Sloppy configurations make for unsecured VPNs

The IP extension IPSec is generally considered the most secure VPN technology. But it also has its weak points, which special tools can find and exploit. Prudent administrators therefore test their own network – before the hackers do.

Virtual Private Networks (VPNs) can save a lot of money by using the Internet to transport data instead of expensive dedicated lines, and modern encryption and authentication methods can ensure the confidentiality of data sent across such public networks. Currently, the most important protocol for the implementation of VPNs is IPSec, which is unfortunately also the most complex. IPSec can not only be used to link complete enterprise networks to the Internet, but also to connect mobile users to their company's email and database server.

At the same time, this complexity can itself become a security risk. You need expertise and experience to configure IPSec-based VPNs correctly -- two requirements that an astonishing number of administrators do not sufficiently meet. In combination with lazy use of default settings in many devices and programs, underskilled administrators create preventable weak points that leave open dangerous points of entry for hackers.

Last stop: security

VPN encryption is almost impossible to crack itself, so the best places to try to get into a VPN are the two end points. On the one hand, we have VPN gateways, a company's central dial-in point; on the other, the VPN client of mobile users, such as notebooks. The most common target of hackers is generally notebooks, starting from theft to entry via security holes in the operating system or applications running on it. Wireless networks in hotels and airports offer hackers promising opportunities because in such places it is very probable that they will find someone setting up a VPN tunnel to their company to exchange data.
While most vendors of VPN solutions offer special client software with an integrated firewall to prevent access to the computer, not all of them actually install and enable the software. Once VPN access has been set up, hackers are able to move around within the enterprise network via the hacked device and get access to confidential information -- if they haven't already found it on the local hard drive.

But the company's gateway may also offer hackers a few entry points. And unlike mobile devices, it is of necessity constantly reachable via the Internet, making it directly exposed to attacks.

Footprints

In preparing for an attack, hackers first collect all available information. A VPN gateway is relatively easy to identify. All you need is a port scanner like nmap, which will produce output such as the following:

# nmap -sSUV -O 10.1.1.254
Starting nmap 3.70 (
Interesting ports on 10.1.1.254:
PORT      STATE          SERVICE
256/tcp   open           fw1-secureremote
257/tcp   open           fw1-log service
259/udp   open|filtered  firewall1-rdp
500/udp   open|filtered  isakmp
1701/udp  open|filtered  L2TP
Device type: firewall
Running: Checkpoint Windows NT/2K/XP
OS details: Checkpoint SecurePlatform NG FP3

The characteristics of the ports reached show that the firewall is from Checkpoint. The fingerprinting that nmap uses and the service discovery (not shown above) also suggest that a Firewall-1 NG was just detected on the SecurePlatform. The UDP port 500 is a clear sign that this firewall also runs as a VPN gateway. VPNs use this port to process the protected exchange of keys via IKE (Internet Key Exchange), an essential part of IPSec.

Fingerprints

Special tools can even detect the cryptographic methods and parameters that the gateway uses, providing even more indications of the vendor. The free program IKE-Scan [1] handles this task:

# ike-scan 10.1.1.254 --trans=5,2,1,5 -o
Starting ike-scan 1.2 with 1 hosts
10.1.1.254 IKE Main Mode Handshake returned (1 transforms)
IKE Backoff Patterns:
IP Address   No.  Recv time            Delta Time
10.1.1.254   1    1092956328.817392    0.000000
10.1.1.254   2    1092956330.923392    2.106000
10.1.1.254   3    1092956332.885392    1.962000
10.1.1.254   4    1092956334.833392    1.948000
10.1.1.254   5    1092956336.836392    2.003000
10.1.1.254   6    1092956338.835392    1.999000
10.1.1.254   7    1092956340.844392    2.009000
10.1.1.254   8    1092956344.875392    4.031000
10.1.1.254   9    1092956348.882392    4.007000
10.1.1.254   10   1092956352.866392    3.984000
10.1.1.254   11   1092956356.902392    4.036000
10.1.1.254   12   1092956360.883392    3.981000
10.1.1.254   Implementation guess: Firewall-1 4.1/NG

The option "--trans=5,2,1,5" indicates the parameters to be tested: 3DES, SHA, pre-shared key, Diffie-Hellman group 5. The message "IKE Main Mode Handshake returned" indicates that the VPN gateway accepts these parameters, and the name of the vendor is displayed immediately. But these tools can only be used successfully if the VPN gateway is configured in a certain way and supports certain parameters. Here, it often helps to try out the IKE and IPSec parameters manually or by means of a script.

Too fast

It is perhaps a matter of opinion as to whether the disclosure of such information should be considered a security problem. The operator of a VPN has a real problem if hackers manage to crack authentication and log in at the gateway. Under certain circumstances, however, this may not even be difficult -- for example, if a pre-shared key (PSK) is used for authentication and the gateway is working in "aggressive mode." Aggressive mode shortens the IKE handshake for the exchange of keys to speed things up. Instead of the six packets used in the conservative main mode, only three are transmitted. But speeding things up this way comes at a price: the aggressive mode is vulnerable to targeted attacks. For authentication, the gateway transmits a hash value derived from the PSK through the network. As this hash is not encrypted, it may be possible to reconstruct the pre-shared key in a dictionary attack or brute-force attack [2].
Depending on the quality of the keys, the attack may be successful in just a few minutes, a few months, or a few years. It is not especially hard to get the hash: the VPN gateway transmits it through the network in the aggressive mode during an attempt to contact a VPN client.

Script kiddy

The IKEProbe developed by ERNW scans VPNs for weak spots and can be used to find such holes in IPSec VPN gateways [3]. To do so, the tool simulates a VPN client and attempts an IKE handshake in the aggressive mode. It tests all of the IKE parameters supported and checks whether the gateway transmits the PSK hash. As soon as a response comes, the gateway is vulnerable. A scan of a vulnerable gateway with IKEProbe might look like this:

# ikeprobe 10.1.1.254
IKE Aggressive Mode PSK Vulnerability Scanner
Supported Attributes
Ciphers              : DES, 3DES, AES-128, CAST
Hashes               : MD5, SHA1
Diffie Hellman Groups: DH Groups 1, 2 and 5
IKE Proposal for Peer: 10.1.1.254
Aggressive Mode activated ...
Attribute Settings:
Cipher DES
Hash SHA1
Diffie Hellman Group 1
0.000 3: ph1_initiated(00443ee0, 00384708)
0.010 3: < ph1 (00443ee0, 244)
0.030 3: > 40
0.030 2: sx_recv_notify: invalid doi
2.532 3: < ph1 (00443ee0, 244)
5.537 3: < ph1 (00443ee0, 244)
8.541 3: ph1_disposed(00443ee0)
(...)
Attribute Settings:
Cipher 3DES
Hash SHA1
Diffie Hellman Group 5
64.551 3: ph1_initiated(00443ee0, 00384708)
64.662 3: < ph1 (00443ee0, 340)
64.692 3: > 328
64.842 3: ph1_get_psk(00443ee0)
System is vulnerable!!

Hash cracked

It is astonishingly easy to attack such a vulnerable VPN gateway. Cain & Abel, a password sniffing and cracking tool, can monitor whilst IKEProbe is running and extract the hash with its IKE parser [4].
| 
| Cain sniffs the hash value during the IKE handshake between IKEProbe and the gateway | 
|
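The handshake IKEProbe provokes above is visible to anyone watching UDP port 500, which makes a gateway's willingness to answer in aggressive mode easy to audit from a packet capture. The following Python script is an added example and not code from the original article, from ike-scan or from IKEProbe: it parses the fixed 28-byte ISAKMP header (RFC 2408) and lists the peers that reply in aggressive mode, i.e. the gateways whose configuration the article warns about. The sample packets are constructed; the 10.1.1.x addresses echo the article's scan output but the packet contents are made up.

```python
"""Spot IKEv1 aggressive-mode negotiations in ISAKMP (UDP/500) traffic.

Added example; not part of the original article and unrelated to the code of
ike-scan or IKEProbe. It parses the fixed 28-byte ISAKMP header (RFC 2408,
section 3.1) and reports peers that *answer* in aggressive mode, which is the
gateway-side configuration the article warns about. All packets below are
constructed by hand for the demonstration.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

ISAKMP_HEADER_LEN = 28
# initiator SPI, responder SPI, next payload, version, exchange type, flags, message ID, length
ISAKMP_HEADER_FMT = "!8s8sBBBBII"
ZERO_SPI = b"\x00" * 8

# Exchange types, RFC 2408 section 3.1
EXCH_IDENTITY_PROTECTION = 2   # IKEv1 main mode (six messages)
EXCH_AGGRESSIVE = 4            # IKEv1 aggressive mode (three messages)
EXCHANGE_NAMES = {
    0: "None", 1: "Base", 2: "Identity Protection (Main Mode)",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
}

Packet = Tuple[str, str, bytes]  # (src_ip, dst_ip, udp_payload)


@dataclass(frozen=True)
class IsakmpHeader:
    initiator_spi: bytes
    responder_spi: bytes
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

    @property
    def exchange_name(self) -> str:
        return EXCHANGE_NAMES.get(self.exchange_type, f"Unknown ({self.exchange_type})")

    @property
    def is_reply(self) -> bool:
        # The responder fills in its SPI on its first message; the initiator sends zeros.
        return self.responder_spi != ZERO_SPI


def parse_isakmp_header(payload: bytes) -> IsakmpHeader:
    """Parse the ISAKMP header at the start of a UDP payload; raise ValueError if malformed."""
    if len(payload) < ISAKMP_HEADER_LEN:
        raise ValueError("payload shorter than an ISAKMP header")
    i_spi, r_spi, nxt, version, exch, flags, msg_id, length = struct.unpack(
        ISAKMP_HEADER_FMT, payload[:ISAKMP_HEADER_LEN])
    if length < ISAKMP_HEADER_LEN:
        raise ValueError("ISAKMP length field smaller than the header itself")
    return IsakmpHeader(i_spi, r_spi, nxt, version >> 4, version & 0x0F,
                        exch, flags, msg_id, length)


def is_aggressive_mode(payload: bytes) -> bool:
    """True if the payload is an IKEv1 aggressive-mode message (request or reply)."""
    hdr = parse_isakmp_header(payload)
    return hdr.major_version == 1 and hdr.exchange_type == EXCH_AGGRESSIVE


def find_aggressive_responders(packets: Iterable[Packet]) -> Set[str]:
    """Addresses that *replied* in aggressive mode.

    A client merely proposing aggressive mode says nothing about the gateway;
    a gateway that completes the exchange (non-zero responder SPI) has it enabled.
    """
    responders: Set[str] = set()
    for src, _dst, payload in packets:
        try:
            hdr = parse_isakmp_header(payload)
        except ValueError:
            continue  # not ISAKMP, or truncated: ignore
        if hdr.major_version == 1 and hdr.exchange_type == EXCH_AGGRESSIVE and hdr.is_reply:
            responders.add(src)
    return responders


def build_isakmp_header(exchange_type: int, initiator_spi: bytes,
                        responder_spi: bytes = ZERO_SPI, body_len: int = 0) -> bytes:
    """Pack a header for the constructed samples (next payload 1 = SA, IKEv1, no flags)."""
    version = (1 << 4) | 0  # major 1, minor 0
    return struct.pack(ISAKMP_HEADER_FMT, initiator_spi, responder_spi, 1, version,
                       exchange_type, 0, 0, ISAKMP_HEADER_LEN + body_len)


# Constructed sample traffic; the addresses echo the article's scan, the contents do not.
SAMPLE_PACKETS: List[Packet] = [
    ("10.1.1.20", "10.1.1.254", build_isakmp_header(EXCH_IDENTITY_PROTECTION, b"\x11" * 8, body_len=120)),
    ("10.1.1.77", "10.1.1.254", build_isakmp_header(EXCH_AGGRESSIVE, b"\x22" * 8, body_len=216)),
    ("10.1.1.254", "10.1.1.77", build_isakmp_header(EXCH_AGGRESSIVE, b"\x22" * 8, b"\x33" * 8, body_len=300)),
    ("10.1.1.5", "10.1.1.254", b"\x00\x01\x02"),  # too short to be ISAKMP
]

if __name__ == "__main__":
    for src, dst, payload in SAMPLE_PACKETS:
        try:
            hdr = parse_isakmp_header(payload)
        except ValueError as exc:
            print(f"{src} -> {dst}: skipped ({exc})")
            continue
        role = "reply" if hdr.is_reply else "request"
        print(f"{src} -> {dst}: IKEv{hdr.major_version} {hdr.exchange_name} {role}, {hdr.length} bytes")
    print("gateways answering in aggressive mode:", sorted(find_aggressive_responders(SAMPLE_PACKETS)))
```

Feed it the UDP payloads of a capture filtered on port 500 (and 4500 when NAT traversal is in use) to confirm that a gateway meant to be restricted to main mode never answers exchange type 4. The check keys on the responder SPI deliberately: a client asking for aggressive mode is not a finding about the gateway, a gateway that completes the exchange is.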
But Cain & Abel can do more: its password cracker recovers the key that matches the hash, by dictionary attack or brute force depending on the configuration. In principle, a good key cannot be cracked within a reasonable timeframe. Good pre-shared keys are, however, surprisingly rare in practice. One reason is that people still believe such attacks are harder than they actually are. For instance, a list of one million words can be tried in less than one minute. Even a somewhat old PC with a 1.2GHz processor needs only around two hours to try every combination of lowercase letters for a six-character key. Two more characters raise this to 55 days; if uppercase letters and numbers are allowed as well, the search takes 148 years.

[Figure 2: Cain has succeeded in calculating the pre-shared key]
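How quickly such a key falls is a matter of key space divided by guessing rate. The following Python helper is an added example, not part of the original article: it backs the guessing rate out of the article's own figure (every six-character lowercase key in about two hours on a 1.2 GHz PC), reproduces the order of magnitude of the article's other two figures, and checks a candidate PSK against the advice given at the end of the article (at least 20 characters, mixing letters, numbers and special characters). The candidate keys are constructed, and the rate reflects 2007 hardware; today's is orders of magnitude higher.

```python
"""Estimate exhaustive-search time for an IKE pre-shared key and check it against a policy.

Added example, not part of the original article. The guessing rate is backed out of the
article's own figure (all six-character lowercase keys in about two hours on a 1.2 GHz PC);
modern hardware is orders of magnitude faster, so treat the times as illustrative.
Candidate keys below are constructed for the demonstration.
"""
import string
from typing import Dict, List, Tuple

SECONDS_PER_YEAR = 365.25 * 86400

# 26**6 six-letter lowercase keys in two hours => roughly 42,900 guesses per second
RATE_ARTICLE_2007 = 26 ** 6 / (2 * 3600)


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of keys of exactly `length` symbols over an alphabet of `alphabet_size`."""
    if length <= 0 or alphabet_size <= 0:
        raise ValueError("length and alphabet size must be positive")
    return alphabet_size ** length


def exhaustive_search_seconds(length: int, alphabet_size: int,
                              rate: float = RATE_ARTICLE_2007) -> float:
    """Worst-case time to try every key of this shape at `rate` guesses per second."""
    return keyspace(length, alphabet_size) / rate


def human_time(seconds: float) -> str:
    """Render seconds in the largest unit that gives a value >= 1."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400.0),
                       ("hours", 3600.0), ("minutes", 60.0)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def alphabet_size_for(psk: str) -> int:
    """Size of the smallest conventional character set that covers every symbol in `psk`."""
    size = 0
    if any(c.islower() for c in psk):
        size += 26
    if any(c.isupper() for c in psk):
        size += 26
    if any(c.isdigit() for c in psk):
        size += 10
    if any(c in string.punctuation for c in psk):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    if any(c.isspace() for c in psk):
        size += 1
    return size


def check_psk_policy(psk: str, min_length: int = 20) -> Tuple[bool, List[str]]:
    """Apply the article's rule: at least 20 characters, with letters, digits and special characters."""
    problems: List[str] = []
    if len(psk) < min_length:
        problems.append(f"only {len(psk)} characters, need at least {min_length}")
    if not any(c.isalpha() for c in psk):
        problems.append("no letters")
    if not any(c.isdigit() for c in psk):
        problems.append("no digits")
    if not any(c in string.punctuation for c in psk):
        problems.append("no special characters")
    return (not problems, problems)


def assess_psk(psk: str, rate: float = RATE_ARTICLE_2007) -> Dict[str, object]:
    """Policy verdict plus the exhaustive-search upper bound for a key of this shape.

    The bound assumes the attacker knows nothing about the key; a key made of dictionary
    words or common patterns falls far sooner, so passing the policy is the real requirement.
    """
    ok, problems = check_psk_policy(psk)
    alphabet = alphabet_size_for(psk)
    seconds = exhaustive_search_seconds(len(psk), alphabet, rate) if psk else 0.0
    return {
        "length": len(psk),
        "alphabet_size": alphabet,
        "keyspace": keyspace(len(psk), alphabet) if psk else 0,
        "exhaustive_search": human_time(seconds),
        "policy_ok": ok,
        "problems": problems,
    }


if __name__ == "__main__":
    # The article's three data points: six and eight lowercase letters, eight mixed-case alphanumerics
    for length, alphabet in ((6, 26), (8, 26), (8, 62)):
        print(f"{length} chars over {alphabet} symbols: {human_time(exhaustive_search_seconds(length, alphabet))}")
    for candidate in ("summer", "Summer2007", "Kx7#qL2!vN9$rT4&wB6%zM"):  # constructed keys
        print(candidate, assess_psk(candidate))
```

The exhaustive-search time is an upper bound that assumes the attacker knows nothing about the key. A PSK built from dictionary words is found with the "one million words in under a minute" approach whatever its length, so the policy verdict, not the time estimate, is the number to act on.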
Once the key has been cracked, all that is needed to connect to the VPN gateway is an ordinary VPN client, such as PGPNet in PGP or Sentinel [5]. To get actual access to the enterprise network, hackers still have to guess the right IP subnets behind the gateway -- but that is just a matter of time. A firewall behind the gateway would, however, limit access to network resources. VPN gateways are therefore often placed in a separate, demilitarized zone (DMZ) so that the unencrypted connections into the LAN can be filtered once more.

Safety net

Whether a VPN gateway uses the risky aggressive mode depends on its settings. In some products it is even the default, for instance in some Cisco equipment and in old versions of Check Point's Firewall-1. Other implementations such as FreeS/WAN do without it altogether and restrict IKE to the conservative main mode, which every IPSec implementation has to support. The easiest way to avoid the risks described here is to forego pre-shared keys completely and use smartcards, hardware tokens and X.509 certificates instead. If you have to stay with PSKs for authentication because the budget leaves no other option and switching would be too much trouble, use keys that are at least 20 characters long and consist of letters, numbers and special characters. And be sure to steer clear of aggressive mode. (dab)

References

[1] IKE-Scan
[2] Brute Force - Attacks on passwords in Windows networks
[3] IKEProbe
[4] Cain & Abel
[5] PSK Cracking using IKE Aggressive Mode
[6] Cisco Security Notice: Response to BugTraq - Internet Key Exchange Issue
Labels: Hacker, Virtual Private Network
Study shows antiphishing toolbars are ineffective (November 20 2006, 12:00AM)

The new study, Finding Phish: An Evaluation of Anti-Phishing Toolbars, was conducted by researchers at Carnegie Mellon University in Pittsburgh and found that no toolbars performed well.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9005253

Labels: Hacker, phishing
Made4biz Security
Translating real-world security knowhow into state of the art security systems.