HFX Forum

Security => Security Discussion => Topic started by: Uneek on April 07, 2003, 02:07:57 PM

Title: RFC3514: All security problems solved. A very technical article... ;)
Post by: Uneek on April 07, 2003, 02:07:57 PM
 ;D
Title: Re:RFC3514: All security problems solved. A very technical article... ;)
Post by: Metgod on April 07, 2003, 03:24:41 PM
damn you Neek! I meant to post this when it first came out and forgot.. The funny thing is some actually fell for it..

take a look..

http://www.eweek.com/article2/0,3959,990617,00.asp

By Dennis Fisher
April 1, 2003

Several security-related April Fool's Day hoaxes began floating around
the Internet Tuesday, several of which ruthlessly satirized the
security industry and its denizens.

From phony vulnerability advisories warning that the end of the world
is upon us to a "product announcement" for a tool that automatically
strikes back at hackers, the hoaxes have become far more elaborate
than simple false virus warnings.

Perhaps the most clever—and certainly the most widely believed—of
these is a bogus RFC published by security and networking expert Steve
Bellovin, of AT&T Labs Research in Florham Park, N.J.

Titled "RFC 3514: The Security Flag in the IPv4 Header," the document
proposes utilizing an unused bit in the IP header to define whether a
given packet is "evil" or "benign."

Evil packets, e.g., those sent by attackers, must have this bit set to
1; benign packets must have the bit set to 0. The idea, Bellovin
writes, is to help intrusion detection systems, firewalls and other
security technologies to distinguish between malicious packets and
those that are simply odd.

Many members of the security mailing lists on which the document was
distributed appear to have fallen for the gag, mystifying Bellovin,
who has jokingly referred to the evil bit in IP headers for years.

"What can I say? It's clearly an April 1 joke," he said. "I finally
got around to writing it up. I've thought about doing it other years
and then realized that the deadline had passed. I've gotten a lot of
mail about it and people appreciate the joke."

The proposal is identical in layout and format to genuine RFCs, down
to the details of how applications might set the evil bit and list
technical references at the end.

Messages posted on some security mailing lists complain of having to
write patches to make applications compliant with Bellovin's RFC.

"If the bit is set to 1, the packet has evil intent. Secure systems
should try to defend themselves against such packets. Insecure systems
may choose to crash, be penetrated, etc.," Bellovin writes in the RFC.

Adding to the aura of believability around the document is a follow-up
message from Fyodor, the author of the popular port-scanning tool,
Nmap. In his message to the Nmap mailing list, Fyodor floats several
options for making his program compliant with RFC 3514.

"Perhaps an -evil option would be handy, or maybe a standard
environmental variable should be used (SCRIPT_KIDDIE=1) so that all
security programs run by the hacker set the flag appropriately?" he
writes. He also suggests that perhaps he could include a hard-coded
list of Unix usernames of known hackers.

An obviously fake, but still poignant, vulnerability advisory posted
to BugTraq Tuesday warns that "a distributed denial-of-service
condition is present in the election system in many polypartisan
democratic countries. A group of determined but unskilled and not
equipped low-income individuals, usually between 0.05% and 2% of the
overall population of the country, can cause serious disruptions or
even a complete downfall of the democratic system and its
institutions."

The advisory purportedly comes from a company called S.E.L.L., which
describes itself as "a number one provider of deep-insight security
strategies for maximizing ROI with state-of-the-art TCO management
customer-facing security philosophy. Founded in a garage in Latvia, we
soon became the realization of the American Dream, growing to an
extended family of 300. Then down to 15."

The fix for this vulnerability, according to the advisory, is for
affected parliaments to either "establish a convenient dictatorship or
a monarchy, or [become] the 51st state."

The bulletin also lampoons the discovery-to-disclosure timeline
included in a typical vulnerability report. The vulnerability was
discovered and tested by S.E.L.L. on Jan. 5, 1999; the company's
customers were notified the next day; the vendors were notified March
30, 2003; and the report was released April 1.

Not to be outdone, the folks at The Register, a U.K.-based IT news Web
site, created a security company and its product out of whole cloth. A
story on the site Tuesday announced the availability of Backfire
Security Inc.'s Payback 1.0, an application that supposedly is able
"to instantly and dynamically 'trace' the IP source address - no
matter how well masked - of the network attack/infection and respond
by launching either a Domain Name or mail server flood attack in the
direction of the attacker."

The software is allegedly the first of a new breed of anti-hacker
applications known as Intruder Retaliation Systems (IRS).