Home Messages Index
[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index

Re: Linux, Macs hijacked by infected Windows PC

On Dec 8, 2:41 pm, 7 <web_has_em...@xxxxxxxxxxxxxxxx> wrote:
> ness...@xxxxxxxxxxxxxxxxxxx wrote:
> > <Quote>
> > Researchers have identified a new trojan that can tamper with a wide
> > array of devices on a local network, an exploit that sends them to
> > impostor websites even if they are hardened machines that are fully
> > patched or run non-Windows operating systems....
>
> > The scenario plays out something like this:
>
> >     * Jill connects a PC infected by the new DNSChanger variant to a
> > coffee shop's WiFi hotspot or her employer's local network.
>
> >     * Steve connects to the same network using a fully-patched Linux
> > box, which requests an IP address.
>
> >     * Jill's PC injects a DHCP offer command to instruct Steve's
> > computer to rout all DNS requests through a booby-trapped DNS server.
>
> >     * Steve's Linux box can no longer be trusted to visit
> > authoritative websites. Although the address bar on his browser may
> > show he is accessing bankofamerica.com, he may in fact be at an
> > impostor website.
> > </Quote>
>
> >http://www.theregister.co.uk/2008/12/05/new_dnschanger_hijacks/
>
> Typical variants of man in the middle attack.

I could quibble on that, mostly because there's no man
in the middle until Steve's PC has responded to the
DHCP request by rewriting /etc/resolv.conf (the standard
response).  This feels more like an injection attack, somewhat
a la an old NFS hack, only far more effective (the NFS hack
was pretty dicey and required that the erstwhile blackhat have
a machine that responds more quickly than the main NFS server,
as seen from the victim's link; it also requires a little
knowledge of what Steve, the NFS client, wants to execute,
plus an IT department ignorant/dumb/lazy enough to allow
execution of files directly from remote-mounted volumes).

Mind you, this DHCP mimic attack is a bad attack
regardless, and does expose a system weakness in the dhcpcd
daemon, or perhaps the entire DHCP process -- ideally,
dhcpcd could be configurable to only accept broadcast
requests from certain systems.  Perhaps the switch needs
to be configurable somehow to only accept DHCP responses
from a trusted uplink.  I'd frankly have to look around
for the details on all this....

One can also firewall Steve's PC if necessary, blacklisting
known blackhat clients.  The efficacy of this method looks
rather limited, but it is an option, especially if IT is
monitoring network traffic for oddball anomalies, and can
remotely administer Steve's unit.

One of course can also simply upgrade every desktop unit on
the LAN (laptops such as mine have their own issues; I use
it both at work and at home) to have a unique, unchangeable
IPv6 128-bit address, with no need for dhcpcd at all.
This is arguably the best solution.

Longer term, one might contemplate something along the
lines of small removable SIM [*] cards for each and
every NIC, if the already-extant MAC addr isn't sufficient
(since some NICs can mimic any MAC addr).
http://en.wikipedia.org/wiki/SIM_Card

Note that Steve might detect the anomaly by doing a
certificate check (Tools->Page Info on Mozilla Firefox).
However, that's a manual verification step, and I doubt
many will bother.

>
> Micoshaft The Great Quarantined OS.

The black hat need not use Microsoft; he just attaches
a laptop and broadcasts a certain packet, presumably.
This laptop can run any OS capable of tossing
raw packets out onto the LAN (that includes Linux
and Windows).  Mind you, it is a little easier for
the black hat to simply fool Jill, if he can; that
way he gets away clean whereas Jill gets the headaches
of having to deal with IT folks coming in with their
metaphorical vacuum cleaners...

>
> Don't trust any windummy osen crap with networking and infrastructure
> related products. Quarantine and route all their traffic through separate
> quarantined networks.

I'm not sure detection of their traffic is all that easy.

[*] strictly speaking, these are only available for
    GSM mobile devices; CDMA has R-UIM and UMTS has UICC.


[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index