Outsmarting that malicious document

Most of us would be familiar with the injunction not to open executable attachments. Executable attachments are those files which are sometimes attached to email messages and can be run directly by clicking on them. These days most people have stopped sending executable files via email. A majority of Internet service providers filter out such files. Attackers have now adapted to use documents as a vector of attack. The objective of the attacker as always is to gain control of at least one machine in your network. Once he does that, he is easily able to go through the network and gain control over other machines. Yes, it is possible to have defenses in place and isolate the machine the moment it is infected but that is the topic of another post. Here, I would like to tell you how to avoid getting trapped by malicious documents.

We need to step back and understand why documents work as a vector of infection. Today’s word processors and file readers are very sophisticated applications. They can render almost any kind of file in whatever fancy format you wish. More importantly, they can execute bits of programs as they open. This capability lets you submit forms in PDF files, use macros in Microsoft Office applications and so on. It is this capability that malware authors have begun to exploit. Let us take Adobe Acrobat Reader as an example. Acrobat Reader is a powerful application that can render a variety of PDF files. These files can contain not only text and graphics but also multimedia content. Moreover, you can have forms and other objects embedded in PDF files. Over the years, Adobe has done a significant amount of work to ensure that malware does not break out of the Acrobat Reader sandbox. However, it sometimes does and this is where the problem starts. As of this writing, there is no way to disable executable content in Adobe Reader. The only thing you can do is mitigate the effects of the malware.

In Microsoft Office, from version 2007 onwards, Microsoft has made the primary Word document format such that it cannot contain executable code. Any file with a docx extension cannot contain Word macro code. You need to use a special kind of file, known as a Word macro-enabled file, if you want to use macros in your Word documents. The same applies across Microsoft Office.
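The split between macro-free and macro-enabled files can be checked from the package contents rather than the file name. The following is an added example, not part of the original post: it assumes the standard Office Open XML layout (a ZIP package with a `[Content_Types].xml` part and VBA stored in a `vbaProject.bin` part), and the sample packages and file names are constructed for illustration.

```python
import io
import zipfile

CONTENT_TYPES = "[Content_Types].xml"

def inspect_office_file(data: bytes) -> dict:
    """Report macro indicators from the package contents, ignoring the file name."""
    result = {"ooxml": False, "vba_parts": [], "macro_content_type": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result                      # legacy binary format or not an Office file
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if CONTENT_TYPES not in names:
            return result                  # a ZIP, but not an Office package
        result["ooxml"] = True
        # VBA projects live in a part named vbaProject.bin (word/, xl/ or ppt/).
        result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        # Macro-enabled main parts declare a "macroEnabled" content type.
        result["macro_content_type"] = b"macroenabled" in z.read(CONTENT_TYPES).lower()
    return result

def verdict(filename: str, data: bytes) -> str:
    info = inspect_office_file(data)
    if not info["ooxml"]:
        return "not-ooxml"
    has_macro = bool(info["vba_parts"]) or info["macro_content_type"]
    plain_ext = filename.lower().endswith((".docx", ".xlsx", ".pptx"))
    if has_macro and plain_ext:
        return "mismatch"                  # macro content under a macro-free extension
    return "macro-enabled" if has_macro else "macro-free"

def _build(parts: dict) -> bytes:
    """Constructed sample package: only the part layout, not a valid Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()

CLEAN = _build({CONTENT_TYPES: "<Types/>", "word/document.xml": "<doc/>"})
MACRO = _build({
    CONTENT_TYPES: '<Types><Override ContentType='
                   '"application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>',
    "word/document.xml": "<doc/>",
    "word/vbaProject.bin": b"constructed placeholder, not real VBA",
})

if __name__ == "__main__":
    for name, blob in [("report.docx", CLEAN), ("invoice.docm", MACRO), ("invoice.docx", MACRO)]:
        print(name, "->", verdict(name, blob))
```

A mail gateway or triage script can use the "mismatch" verdict to hold an attachment for review before anyone opens it.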

I am not going to debate which approach is better. Things can and do go wrong. Here are the steps you need to take to mitigate the impact of malicious documents.

  • If you do not expect an attachment, do not open it. The usual caveats about spam apply. Remember, there are no free lunches.
  • As far as possible, do not run with administrator privileges. As long as you run with restricted privileges, even if malware breaks out of the Adobe sandbox or otherwise infects your computer, it will be limited to the privileges assigned to the current user. Malware can escalate its privileges but it needs a hook and that hook is harder to get when you are running as a nonprivileged user.

    Note

    I use the term hook in the loosest possible context. Any programmers reading this post should not mistake the term hook for the hook that is used when dealing with Windows messages.

  • Ensure that you keep your systems and applications fully patched. Companies are quick about patching vulnerabilities that are found in their programs.
  • As with any malware mitigation strategy, keep backups handy in case the worst happens.
  • Use services such as OpenDNS on your Internet infrastructure so that it is harder for malware to phone home.
  • Keep anti-malware applications updated.

Filed under: commonTasks,networking — security-writer @ December 30, 2013 20:51

Routers for the small business

Routers

Introduction

A router is a device which communicates data between two networks or network segments (subnets). Routers form a key part of our network infrastructure. Without routers, we would not be able to move data between networks and, in all probability, the Internet would not exist the way we know it.

Routers are layer 3 devices; that is, they use Internet protocol addresses to forward packets of data. This is different from devices such as bridges that use media access control (MAC) addresses to move packets. This article will focus primarily on Internet protocol routers since they are the most common ones. Routers can handle any protocol, but MPLS routers, for example, are mainly found in very large offices and Internet service providers. So, you need to know how these devices scale since they form the heart of your network. If you are just starting your company, you would probably only need a small SOHO router.

A summary of network traffic flow

All data in your network flows in the form of packets. These packets resemble courier packages; they have a source address and a destination address. These addresses are part of your internal network and routers send those data packets out of your network. As your company grows, you will split your network into subnets, or portions of your single internal network, for efficiency and security.

Working

Routers store address information in routing tables. You can see these tables by issuing the relevant commands at the router's console. A console is a boring “old-fashioned” piece of software that gives instructions to a router. These tables record which traffic has to be sent to which destination. All unknown traffic, by rule, is sent to the gateway interface. The gateway interface is the place through which all traffic leaving your network must go to get to another external network. Most SOHO routers have one such interface which is used to connect to the Internet. All routing takes place based on these rules.

In large installations such as Internet service providers, many routers use what are called dynamic routing protocols; that is, they discover where to send traffic on their own. In many cases, however, entries are added to the routing table manually. If these routing tables are corrupted, then traffic can be misdirected. This is something that can happen if you are hacked or, more commonly, if your system administrator makes a mistake in configuring the routing rules. For example, traffic destined for marketing can go to customer service, but the customer service computers will not know what to do with it and so will reject it. Alternatively, administration employees may end up being able to access marketing data, which is not something you would want to happen.

When a packet of data reaches the router, the following takes place:

1. The router checks the source and destination address.

2. While checking the address, it performs binary anding to determine the subnet (section of network) to which the packets should be sent. Binary anding is one of the most efficient forms of computation for determining which subnet the packet belongs to.

3. If a match is found in the routing table, then the packet is forwarded to the interface bound to that network. If network address translation (NAT) is in effect, then the source and destination addresses are duly altered before the packet is sent.

4. If a match is not found in the routing table, then the packet is either dropped or, more usually, sent further on via the gateway of the router. Where the undefined packet goes depends on whether the default route is defined.
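The lookup in steps 1 to 4 can be written out as follows. This is an added example, not part of the original article: the subnets, interface names and the mistyped netmask are constructed, and preferring the most specific match (longest prefix) is the standard tie-break rule, which the article does not spell out.

```python
import ipaddress

def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

# Constructed routing table: (network, netmask, outgoing interface).
ROUTES = [
    ("10.0.1.0", "255.255.255.0", "eth1-marketing"),
    ("10.0.2.0", "255.255.255.0", "eth2-customer-service"),
    ("10.0.0.0", "255.255.0.0",   "eth3-core"),
    ("0.0.0.0",  "0.0.0.0",       "wan-gateway"),    # default route
]

# The same table after an administrator mistypes a customer-service entry:
# wrong network and a /25 mask that captures half of the marketing subnet.
MISCONFIGURED = [("10.0.1.0", "255.255.255.128", "eth2-customer-service")] + ROUTES

def lookup(dest: str, routes=ROUTES):
    """Return the outgoing interface for dest, or None if the packet is dropped."""
    d = ip_to_int(dest)
    best = None                                   # (number of mask bits, interface)
    for net, mask, iface in routes:
        m = ip_to_int(mask)
        # Binary AND keeps only the network bits of the destination address.
        if (d & m) == (ip_to_int(net) & m):
            bits = bin(m).count("1")
            # Prefer the most specific match: the mask with the most 1 bits.
            if best is None or bits > best[0]:
                best = (bits, iface)
    return best[1] if best else None

if __name__ == "__main__":
    for dest in ("10.0.1.20", "10.0.9.9", "8.8.8.8"):
        print(dest, "->", lookup(dest))
    print("no default route:", lookup("8.8.8.8", ROUTES[:-1]))
    print("misconfigured:", lookup("10.0.1.20", MISCONFIGURED))
```

With the mistyped entry in place, traffic for marketing host 10.0.1.20 leaves on the customer-service interface, which is the kind of misdirection described earlier.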

The above high-level description assumes that the device is just a router. Today, routers are diverse appliances and also contain firewalls. A firewall is a filter that allows only authorized packets to go in or out of a router. Firewalls operate on rules. A rule is a small routine that tells the router what to do if a packet with a particular set of attributes is encountered. There are five default groups of rules. Each set is called a chain. The five basic chains are input, prerouting, forward, output and postrouting.

1. The input chain

All packets that enter the router having a destination IP address belonging to the router pass through this chain.

2. Prerouting

This chain is used to translate packets before any routing takes place. Destination NAT operates in this chain.

3. Forward

This chain processes packets that pass through the router. This is where binary anding takes place. In some home routers, NAT also takes place in this chain. This is particularly true of routers where you cannot disable NAT.

4. Output

Packets that originate from the router are processed by this chain.

5. Postrouting

NAT operates on packets in this chain after the destination of the packet has been determined.

The packets are source natted before they hit the WAN interface.
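The order in which a packet meets these chains, and where each kind of NAT rewrites it, can be modelled in a few lines. This is an added example, not part of the original article: it assumes the traversal order used by Linux-based routers, and the addresses and the port-forward rule are constructed.

```python
import ipaddress

WAN_IP = "203.0.113.5"                        # constructed WAN address
LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed internal subnet
ROUTER_IPS = {WAN_IP, "192.168.1.1"}          # addresses owned by the router
DNAT = {(WAN_IP, 443): "192.168.1.10"}        # constructed port-forward rule

def traverse(src, dst, dport, local_origin=False):
    """Return (chains visited in order, final source, final destination)."""
    path = []
    if local_origin:
        path.append("output")                 # packet originates from the router
    else:
        path.append("prerouting")
        # Destination NAT rewrites the address before any routing decision.
        dst = DNAT.get((dst, dport), dst)
        if dst in ROUTER_IPS:
            path.append("input")              # addressed to the router itself
            return path, src, dst
        path.append("forward")                # passing through the router
    path.append("postrouting")
    if ipaddress.ip_address(dst) not in LAN:
        src = WAN_IP                          # source NAT before the WAN interface
    return path, src, dst

if __name__ == "__main__":
    cases = [
        ("LAN host to Internet", ("192.168.1.20", "198.51.100.7", 80)),
        ("Internet to forwarded port", ("198.51.100.7", WAN_IP, 443)),
        ("Internet to router itself", ("198.51.100.7", WAN_IP, 22)),
    ]
    for label, args in cases:
        print(label, "->", traverse(*args))
    print("router-originated ->", traverse(WAN_IP, "198.51.100.7", 53, local_origin=True))
```

A firewall rule placed in the input chain therefore never sees forwarded traffic, so rules protecting internal hosts belong in the forward chain.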

Home versus enterprise class Routers

Most of us are used to our home routers, which are those little boxes into which we plug our desktop computers, netbooks and DSL modems. These routers also frequently provide wireless connectivity. When you start your company, you too will probably start your network with such a device. However, these devices are actually a combination of a router and switch. More importantly, they only have two network interfaces; that is, they can only connect two networks.

For a home setup, this is not a problem since the most frequent use of a router in the home is to connect our home network to the Internet. Large network setups, such as those in businesses, are a completely different story. Several subnets need to be interconnected. For example, the finance department needs to be connected to the marketing department and the CEO's office will likely want to be connected to all departments. Enterprise class routers have several network interfaces, and many routing rules in the routing tables define which packet goes to and from which interface. These routers do not provide any other function such as natting or firewalls. These are dedicated devices.

Why would you need a dedicated device when the humble home router can do so much? The answer lies in the load; that is, the quantity of packets a router can handle. If you download a number of Torrent files, open a series of social networking websites and start watching videos, everything slows down because there is a limit to how much your home router can handle. Enterprise class router limits are significantly higher. Companies also have dedicated devices such as firewalls and load balancing servers to manage network traffic and decide who can communicate with whom.

Types of Routers

In enterprise class setups, it is crucial to place routers carefully. The below classification is based on network topology which in turn determines what the routers do.

Type: Definition

  • Core router: This router moves traffic between different network segments. It does not communicate outside the network.
  • Edge router: This device is placed on the network perimeter and moves traffic between it and other networks.

Router internals

Just like a computer, a router is driven by software. It has firmware, which is akin to the PC BIOS, as well as an operating system. Common router brands include Cisco, MikroTik, Netgear, D-Link, Buffalo and DrayTek. Many custom router operating systems are variants of the Linux operating system. Cisco routers run IOS. This is not to be confused with the iOS that runs on Apple devices. Most of the user interface is via the command line using a program such as Tera Term or HyperTerminal. You connect to the assigned IP address of the router, enter the credentials and start configuring. Most routers for the home user also come with a web interface which can be accessed via a browser.

Out-of-band access

There are situations when a router will not have an IP address. This is usually the result of misconfiguration or some other kind of error. In this case, you need to use out-of-band access where you access the router using a serial cable with a terminal emulation program. This feature is available on all enterprise class devices. Most home users have to reset the router to factory defaults if this happens.

Which router to buy

It really does not matter in the initial stages of your business. It is better to get a third party to maintain your network infrastructure once it grows, say, over 100 computers. Buy whatever router meets your needs. These needs could relate to support, stability of the hardware and cost. Future network expansion is also something you need to take into account. If you know that you will be investing in a significantly large amount of office space in the coming year, then size your routers accordingly and buy ones which can handle large amounts of traffic and allow you to divide your network into multiple sections.

If you are going to be using external service providers, then you may want an integrated device that is a router plus firewall. You also need to check legislation since you may be subject to computer logging requirements such as CALEA in the USA. Once bought, contrary to popular belief, routers need to be maintained, for example by applying patches. Good maintenance leads to fewer network outages and provides high network security since many patches fix programming flaws that were present in earlier versions of the router’s operating system.

Conclusion

Routers are here to stay. They have become progressively less expensive and more powerful. Since they are the backbone of your network, you need to choose carefully for your business. Keep factors such as network capacity, the scale of your network and maintenance requirements in mind while choosing the appropriate router for your business.

Glossary

Term: Definition

  • IP address: A number that uniquely references a device on a network.
  • MAC address: A number that uniquely references pieces of hardware on a network. MAC addresses are usually assigned to LAN cards. They do not cross network boundaries and are not routable. They are unique to every device.
  • Network address translation (NAT): A mechanism where a number of devices are placed behind a single IP address. NAT was created when the Internet began running out of IP version 4 addresses.
  • Layer 3 addresses, layer 2 addresses: This refers to the OSI model for understanding network protocols.
  • Binary anding: An operation of Boolean algebra that takes two inputs and produces one output. The inputs to a binary AND are 0 or 1; the same applies to the output. (You only need to know this if you are dividing your network into sections.)


Filed under: networking — security-writer @ July 20, 2013 12:00

MikroTik, enterprise functionality at home prices

Most of us who purchase routers go with “established” brands such as Cisco, NETGEAR and D-Link. There is not too much of a difference amongst these brands. Face it; routers are just boxes with wires and lights. However, these little boxes govern how we access the Internet and, in many cases, play a role in determining whether the average attacker is able to break into our computers. MikroTik is not something that usually features on the home or small business user’s list of technology choices. However, the prospective CTO and/or home buyer should consider this company carefully. Some of the features of their boxes are as follows.

1. CALEA compliance.
2. Support for scriptable firewall rules.
3. The use of a proprietary MAC-Telnet protocol that allows you to access the router even if the IP setup is malfunctioning.
4. A fail-secure configuration upon firmware upgrade or on improper shutdown.
5. Support for protocols such as SIP, IPv6, OSPF and RIP.
6. A variety of means to access the router, namely SSH, the web (both HTTP and HTTPS), WinBox (a proprietary application) and Telnet.
7. A means of programmatically controlling the router.
8. Very low power consumption.

The routers do take some configuring and if you want manufacturer support beyond the first month, you need to pay. There are active support forums though where members are quite helpful even to new users.

For more information see the MikroTik website.


Filed under: networking — security-writer @ August 17, 2012 22:52