SecTor event highlights holes in DNS, databases

The wild world of the web

The Web was originally designed for housing public content, but the fact that it's now used to build applications housing private data make it a ripe platform for malicious attacks, according to one speaker at the SecTor 2007 conference in Toronto this week.

"The Web is where the wild things are nowadays," said Dan Kaminsky, director of penetration testing at Seattle-based security consultancy IOActive, during a session on Domain Name Server (DNS) rebinding attacks.

Essentially, DNS translates human-readable computer hostnames into IP addresses. The DNS rebinding attacks subvert the DNS same-origin policy that assumes information stemming from the same origin must be trusted identically, said Kaminsky, but the reality is, the translations during this process can change at any time.

DNS rebinding attacks take advantage of this fundamental Web design flaw, breaking the Internet's security policy and converting browsers into open network proxies, said Kaminsky, adding that this ultimately exposes every corporate network. "Corporate firewalls are bypassed via lured browsers."

One of the contributing issues is people tend to use DNS TTL (Time to Live) -- which defines how long records should live before getting discarded -- as a security technology, he said, when in fact overriding the TTL can be "quite trivial".

Considering that in DNS, multiple IP addresses can be transmitted besides the genuine one, it's possible to create a VPN (virtual private network) into a corporation, said Kaminsky.

Kaminsky acknowledged the challenge facing organizations given the wide variety of DNS rebinding mechanisms out there, but he did share some suggestions that might help corporations, including configuring corporate servers to not transmit valuable information back to unrecognizable host systems.

Also, he said, it's useful to perform external to internal routing checks to stop sites on the Internet from routing to internal targets on the corporate Intranet.

Also at SecTor 2007, challenges around corporate database attacks and methods to perform forensic investigation on SQL Server 2005 systems to determine possible data breaches were discussed.

The database has become a critical asset to organizations because of the critical information it holds, like financial, healthcare and human resources data, said Kevvie Fowler, manager of managed security services at Longueil, Quebec-based healthcare and financial technology provider Emergis Inc. "All this critical stuff that organizations need to share, maintain, process."

Besides that, there is an industry trend toward scaling down to fewer consolidated systems, given the high cost of maintenance of databases, said Fowler.

Given these single mission-critical systems are often targeted by attackers, he said, it's important for organizations to secure and log underlying database transactions upon which to perform forensics.

However, traditional forensic investigations typically exclude the plethora of evidence housed in databases probably because people fear what they don't understand, he said.

Furthermore, most organizations' database servers, said Fowler, are ill-equipped for potential forensic investigations, but there are available methods that can be applied "without the dependency on shiny appliances, logging appliances, or apps."

Internal IT staff can take advantage of certain repositories -- like transaction log files and volatile database data files -- within the database that contain valuable evidence of potential breaches, he said.

The transaction log files, for instance, he said, aren't so complex to be useful as most people think. Each transaction can have up to 101 different data elements logged, he said. "That's 101 different chances to have critical data that you need to support an investigation that you're working on."

But before collecting this data, organizations should first determine the scope of the investigation and how much information is required to be collected, said Fowler, adding they should factor in the "relativity of the data based on the investigation you're investigating."

Join the PC World newsletter!

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Stephanie Lau

ComputerWorld Canada

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?