Archive for July, 2008
Friday, July 25th, 2008
It was of course inevitable that once Dan Geer found a vulnerability in DNS, someone else would find it too, even if Dan asked people not to publicize it. It was also inevitable that someone would quickly write a metasploit plugin for it. What amazes me is the fact that despite all the fuss over this, everyone who was security conscious should have had this problem fixed years ago. Yes, I know it was only “discovered” recently, but what people are failing to highlight is that to exploit this against a DNS server, you have to allow recursive queries from third parties. I’ve been telling my clients for years to turn that off (the ones that had it on that is). This falls under the old security rule of “if you don’t need it, turn it off”, which is perhaps the single most important, and yet often ignored, security rule there is.
Since cache poisoning became a worry it has been well known that leaving recursive queries on gives an attacker an avenue to force your DNS server to make specific, known queries. This is a necessary step in almost any poisoning attack. In 2007, a study found that about half the DNS servers on the net still allowed recursive queries. Even after repeated warnings and previous DNS vulnerabilities, you would think that most people would have disabled recursive queries, but it doesn’t look like that’s the case. (Furthermore, the response has universally been to patch, rather than to turn off recursive queries.) The solution to this and almost all other cache poisoning attacks is very simple:
If you don’t use it, TURN IT OFF!
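As an added example (not from the original post), here is a small audit check in Python for your own servers: it builds the kind of recursive query a third party would send for a name the server is not authoritative for, and classifies the reply from the header flags alone. The hostname example.com, the 192.0.2.1 answer and both sample replies are constructed, not captured traffic.

```python
import socket
import struct

QUERY_ID = 0x1234  # fixed ID so the constructed sample replies can be matched

def build_query(name: str, qid: int = QUERY_ID) -> bytes:
    """Standard A query with RD=1, the way a stub resolver asks for recursion."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(resp: bytes, qid: int = QUERY_ID) -> str:
    """Read the 12-byte header of a reply to an out-of-zone recursive query."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid:
        return "id-mismatch"
    ra, rcode = bool(flags & 0x0080), flags & 0x000F
    if rcode == 5:
        return "recursion-refused"      # REFUSED: what an authoritative-only server should say
    if ra and rcode == 0 and an > 0:
        return "open-recursion"         # it resolved a name it is not authoritative for
    if not ra:
        return "recursion-unavailable"  # e.g. a bare referral with RA cleared
    return "inconclusive"

def probe(server: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send the query over UDP to a server you operate and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-response"
    return classify_response(data)

# Constructed sample replies (not captured traffic) to the query above.
_QUESTION = build_query("example.com")[12:]
SAMPLE_OPEN = (struct.pack("!HHHHHH", QUERY_ID, 0x8180, 1, 1, 0, 0) + _QUESTION
               + struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
SAMPLE_REFUSED = struct.pack("!HHHHHH", QUERY_ID, 0x8105, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    print("open resolver sample:", classify_response(SAMPLE_OPEN))      # open-recursion
    print("refused sample      :", classify_response(SAMPLE_REFUSED))   # recursion-refused
```

A server that answers "open-recursion" for clients outside your network is the one the post is talking about; restricting recursion to your own clients (or turning it off on authoritative-only servers) moves it to "recursion-refused".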
Tags: cache poisoning, DNS, turn it off | Posted in application security
Tuesday, July 15th, 2008
I don’t want to spend a lot of time bashing airport security, if only because it’s a little bit like shooting fish in a barrel. Every security expert, regardless of background, knows it too. However, should I be worried that George Carlin is making more sense than TSA?
Tags: airports, carlin, humor | Posted in general
Tuesday, July 8th, 2008
The DoJ wants private corporations to more openly disclose cybercrime when it occurs. This is one of the major differences between the way government works and the way private industry works. (I’ve done information security in both, and it’s something I’d noticed a long time ago.) In government, there is a strict procedure and a chain of reporting for everything, and one of the main focuses is openness. Individuals in government are rarely accountable as long as they follow the correct procedures. (In other words, the “I was just following orders” argument has worked countless times inside the beltway.) In the private sector, the main focus is profit, and people are held accountable for what occurs, even if they feel they did nothing wrong. Reputation loss is a serious concern, and corporations are loath to report information breaches. This is one of the reasons data breach laws have been necessary: without them private entities would rarely disclose when something bad happened. Now the DoJ and FBI want corporations to disclose even more so that they can allocate their crime fighting abilities correctly. While this is clearly a laudable goal (and crime fighting is one of the major responsibilities of a modern government), private entities will not comply unless they are either required to by law (like the breach notification laws), or have a compelling financial interest (as in the case where they believe the authorities can help recover lost assets).
Tags: crime, government, public v private, reporting | Posted in compliance, investigations, regulations, and legal
Wednesday, July 2nd, 2008
Jeremiah Grossman has an article in CSOonline wherein he calls the current web application security methods (review code, find flaws, fix) insane and proposes web application firewalls as the better alternative.
It is unreasonable to expect publishers, enterprises and other site owners to restart and reprogram every website securely from scratch. Nor can we fix the hundreds of thousands (maybe millions) of custom Web application vulnerabilities one line at time. The very thought sounds insane to me. It would take too long (probably never finish), cost far too much (billions per year), and the bad guys are already ahead of us.
…..
We have to be able to detect flaws, react faster, and adapt better on an Internet-wide scale. Web application vulnerability assessment solutions like those provided by WhiteHat Security are able to do this and then inform businesses of where the problem spots are. To address identified issues quickly Web application firewall (WAF) technology is getting a serious look. Recent technology advancements enable vulnerability assessment results to pipe straight into a WAF as virtual patches.
Honestly it sounds good (really it does), and I know many entities which have been forced to do something similar (most didn’t call it a WAF at the time) when faced with this problem (that being too many applications and too little time).
My general feeling on WAFs is that the centralization and tremendous time savings can be a boon to many enterprises, but that signature systems will always have flaws, and need to be constantly maintained and updated. To use a metaphor, think of traditional port filtering firewalls and IDS/IPS. Imagine an admin who has only an IPS, and must constantly be on the lookout for new attacks so that he can write new signatures and block them. Then there is the firewall with a default deny. That admin knows that only specific ports are allowed through, because only those services are needed, and on which machines they reside. His life is a lot easier (although admittedly he still has to worry about application vulnerabilities). Once again however, Jeremiah has beaten my thought process to the punch.
To implement default-deny, Web Application Firewalls (WAF) must know everything about a website at all times, even when they change.
What we need to do for web applications is what we did for networks in the past: learn everything. We need to know which applications do what, and what inputs and outputs they should have. Hard? Yes. But ultimately it will be better than the alternative.
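To make the default-deny idea concrete, here is an added example (not from the post, and not any vendor's product) of a positive-model request filter in Python: each route declares exactly which parameters it accepts and what they may look like, and anything not declared is refused, the way a default-deny firewall refuses ports nobody opened. The routes, patterns and sample requests are constructed.

```python
import re
from typing import Dict, Tuple

# "Learn everything": per-route schema of the parameters an endpoint accepts
# and the shape each one must have.  Nothing outside this table is allowed.
SCHEMA: Dict[Tuple[str, str], Dict[str, "re.Pattern[str]"]] = {
    ("GET", "/account"): {
        "id": re.compile(r"[0-9]{1,10}"),             # numeric account id only
    },
    ("POST", "/login"): {
        "user": re.compile(r"[A-Za-z0-9_.-]{1,32}"),  # constrained username charset
        "password": re.compile(r".{8,128}", re.S),    # length-bounded, any characters
    },
}

def check_request(method: str, path: str, params: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason).  Default deny: undeclared routes, undeclared
    parameters, malformed values and missing parameters are all refused."""
    rules = SCHEMA.get((method.upper(), path))
    if rules is None:
        return False, "route not declared"
    for name, value in params.items():
        if name not in rules:
            return False, f"unexpected parameter {name!r}"
        if rules[name].fullmatch(value) is None:
            return False, f"parameter {name!r} fails its pattern"
    missing = sorted(set(rules) - set(params))
    if missing:
        return False, f"missing parameters {missing}"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample requests: one conforming, three deviating.
    for req in [("GET", "/account", {"id": "42"}),
                ("GET", "/account", {"id": "forty-two"}),
                ("GET", "/account", {"id": "42", "debug": "1"}),
                ("GET", "/admin", {})]:
        print(req[0], req[1], req[2], "->", check_request(*req))
```

The maintenance burden moves from chasing new attack signatures to keeping the schema in step with the application, which is exactly the "know everything about a website at all times" requirement the post quotes.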
Tags: jeremiah grossman, WAF | Posted in application security
Tuesday, July 1st, 2008
Piggybacking on something I wrote about earlier, with the proliferation of WoW credential stealing bots, WoW is now offering two-factor authentication to its users. It makes sense frankly. WoW needs to keep their customers happy to keep their bottom line, and they’ve begun to realize that all passwords are inherently weak.
Tags: games, passwords, WoW | Posted in Access Control Systems & Methodology, news