Sekiur My Thoughts

VoIP, Mobility, Security, Open Source, Science, Politics, and Technology.

Archive for March, 2009

Conficker Gets Ready To Strike


Without a doubt the whole security professional community has its eyes on the Conficker.C variant, which is designed to do something on April 1st.

So what is that something? We’ll find out within 24 hours.

What we do know is that this variant of Conficker has become better at preventing removal and at stopping others from taking control of the network of worm-infected computers.

The Conficker worm will begin to poll 500 different domain names every day looking for updates to download, doubling its current rate.

Interestingly enough, one of my most popular posts is on the removal of the Conficker worm from a network environment (linked below), and over the last couple of days visitor numbers have exploded exponentially.

In my two other posts, in which I talk about the Microsoft flaw and the social engineering components of the worm, I take a rather passive approach to the problem, based on having contingency plans to prevent, contain and remove the worm from infected computers.

A more proactive approach would be to look for infected machines without waiting for the symptoms to appear, by actively scanning the network for computers which have been infected.

Locating computers which have been infected with Conficker using a network scan has kept me up multiple nights, until the guys at Honeynet.org came up with the tool here. Thanks to DShield.org for linking to it in their article on locating Conficker.

http://blog.sekiur.com/2009/02/step-by-step-in-dealing-with-conficker/
http://blog.sekiur.com/2008/10/worm-takes-advantage-of-microsoft-flaw/
http://blog.sekiur.com/2009/01/worm-uses-social-engineering/


Written by Jose Vicente Ortega

March 31st, 2009 at 1:37 pm

ISDN to IP Video Conferencing Migration


Over the last several months I have been hard at work on a migration which has been in the works for several years.

The goal is to move video conferencing transmissions from ISDN 128kbps bonded calls to 384kbps IP calls, in order to improve the quality of the video and cut long-distance phone costs.

Over 20 hours a week of classes are transmitted from a lecture hall in Fort Worth, Texas to 20 sites across the United States. The equipment in place is a Polycom VS-4000 video conferencing unit, which has input from multiple cameras, an Accord MGC-100 video conferencing bridge and 2 PRI lines coming into the bridge.

Tandberg and Polycom 128 units at the remote sites dial bonded 64kbps channels to achieve a 128kbps call.

The original plan called for fractional T1 circuits at every remote site, all furnished by a single ISP in order to be able to assure quality of service from point to point. A fractional 512kbps T1 would provide sufficient bandwidth for a 384kbps call plus the overhead, and the bridge would be connected to a fractional DS3 circuit (around 12Mbps).

The scope of the project grew and for one reason or another the remote site circuits became a full T1 (1.544 Mbps) circuit and the host became a full DS3 (45Mbps) circuit.

To complicate things further, wireless network/Internet access, routed back to the hosting site, would be provided at all the remote sites for future exam taking.

Network-wise, the host site will have a Cisco 7204VXR with a channelized DS3 card, and each site would have a Cisco 1841 with a T1 DSU card and a 4-port Ethernet card.

Quality of service would prioritize H.323, RTP, RTSP and SIP traffic over any other, and wireless access points (Aruba Networks AP-65) at every site would tunnel encrypted traffic back to an Aruba Networks MMC-6000 controller.

H.323 traffic has always been tricky with firewalls, and I anticipated, as years of experience had taught me, that the problems encountered would be in that area. I was pleasantly surprised this wasn’t the case.

The Aruba Wireless controller at the host site builds IPSec tunnels to all the network access points at the remote sites, allowing students to access resources at the host site securely while at the same time preventing ad-hoc users from having access.

Technical challenges actually came from this area of the project, where the site routers provided the access points with DHCP option 60 with the value “ArubaAP” and option 43 with the IP address belonging to the Aruba controller.

In order for this communication to take place, several ports needed to be allowed from the remote site to the host site: TFTP (UDP 69) for downloading configuration files, PAPI (UDP 8211), the Aruba management protocol, GRE for the IPSec tunnel, syslog (UDP 514) for sending logs, NTP (UDP 123) for keeping time and FTP (TCP 21) for downloading firmware.

Routing was carefully examined and firewall rules were put in place, but nothing happened. The access points would not connect successfully to the controller, so it was time to break out the sniffer and compare the packet sequence of a successful connection between the controller and an on-site access point with what the packets looked like from a remote site.

Lots of cups of coffee later, I found that the Aruba wireless controller was receiving the packets from the access points looking for their configuration, but the controller was answering the AP from a different IP address.

An additional firewall rule allowing PAPI (UDP 8211) traffic from that second IP address on the controller (not the management IP) to the network the wireless access points were on fixed the issue.
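As an added illustration (my own example, not code from the original post), this is the check I would automate for exactly this failure: given flow records from a capture, flag replies that reach an AP from an address the AP never sent to, and flag traffic to the controller on ports outside the list above. The controller addresses 10.0.0.10/10.0.0.11, the AP subnet 192.168.10.0/24, the record format and the ACL syntax of `suggested_rule` are all assumptions for the example.

```python
import re
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "proto src sport dst dport")

# Ports the post lists as required from remote sites to the host site; GRE has no port (0).
REQUIRED = {("udp", 69): "TFTP", ("udp", 8211): "PAPI", ("udp", 514): "syslog",
            ("udp", 123): "NTP", ("tcp", 21): "FTP", ("gre", 0): "GRE"}

LINE = re.compile(r"^(\w+)\s+([\d.]+):(\d+)\s*>\s*([\d.]+):(\d+)$")

def parse_flow(line):
    """Parse one 'proto src:sport > dst:dport' record (format is constructed)."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError("unparseable flow: %r" % line)
    proto, src, sport, dst, dport = m.groups()
    return Flow(proto.lower(), src, int(sport), dst, int(dport))

def unexpected_ports(flows, controller_mgmt):
    """Flows aimed at the controller on a port the post does not list."""
    return [f for f in flows
            if f.dst == controller_mgmt and (f.proto, f.dport) not in REQUIRED]

def asymmetric_replies(flows, controller_mgmt, ap_net):
    """Replies to an AP request that come from an address other than the one
    the AP sent to. A rule allowing only 'host controller_mgmt' drops these."""
    net = ipaddress.ip_network(ap_net)
    asked = {(f.src, f.sport, f.proto) for f in flows if f.dst == controller_mgmt}
    return [f for f in flows
            if ipaddress.ip_address(f.dst) in net
            and (f.dst, f.dport, f.proto) in asked
            and f.src != controller_mgmt]

def suggested_rule(flow, ap_net):
    """IOS-style extended ACL line permitting the flagged reply (assumed syntax)."""
    net = ipaddress.ip_network(ap_net)
    return "permit %s host %s eq %d %s %s" % (
        flow.proto, flow.src, flow.sport, net.network_address, net.hostmask)

# Constructed sample: the AP asks 10.0.0.10, the PAPI answer comes from 10.0.0.11.
SAMPLE = [
    "udp 192.168.10.5:8211 > 10.0.0.10:8211",
    "udp 10.0.0.11:8211 > 192.168.10.5:8211",
    "udp 192.168.10.5:49153 > 10.0.0.10:69",
    "udp 10.0.0.10:69 > 192.168.10.5:49153",
    "tcp 192.168.10.5:50000 > 10.0.0.10:22",
]
```

Run against a real capture, the flagged reply is the one to compare with the on-site AP's packet sequence before adding the rule, and `unexpected_ports` lists anything the firewall policy will silently drop.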

Success! A very satisfying feeling.

Enter quality of service management, which I am sure will be the next opportunity to excel.


Written by Jose Vicente Ortega

March 27th, 2009 at 2:31 pm

Rolling Stone: The Dirty Dozen


Rolling Stone magazine ran a story: “Meet the bankers and brokers responsible for the financial crisis and the officials who let them get away with it.”

Rolling Stone: The Dirty Dozen
http://www.rollingstone.com/politics/story/26868968/the_dirty_dozen/print

What’s so amazing to me is how the private sector, left and right, is being nationalized and people just don’t equate this to socialism. The U.S. Government has become so power hungry that the politicians we elected to represent us have become corrupt and forgotten who their real master is.

There is nobody to blame but elected officials for the mess that we are currently going through, from the Democrats who held control of the House, to the Republicans who were in the White House, to the newly elected president Barack Hussein Obama, who, despite the fact that the government has failed miserably, is on a path to massively grow the broken system.


Written by Jose Vicente Ortega

March 27th, 2009 at 6:02 am

Back to Blogging


It’s been a while since I blogged, as I have been spending a lot of time looking for an angle to take advantage of the current economic crisis. There is little doubt in my mind that this is a prime time to do something, so I have been working on generating passive income by targeting small businesses on reducing their operating costs, and on product development, which I hope to have something solid on within the next four weeks.

I really shouldn’t feed my ego this way, but I can’t avoid mentioning that a specific post on the Conficker virus has brought my stats to over 100 visitors a day on a consistent basis.

With this in mind I intend to continue to blog about security, as well as some demos/reviews I will be doing over the following weeks on several products that I believe are industry leaders. Among these products are the SSL VPN appliance from Juniper and its open source counterpart, the TippingPoint Intrusion Prevention System (IPS) and its open source counterpart, F5 Networks Link Controller and Local/Global Traffic Manager, and Riverbed’s Steelhead appliance for application acceleration and WAN optimization.


Written by Jose Vicente Ortega

March 27th, 2009 at 12:25 am

Posted in Security
