2011/08/29

Apache Killer again


Regarding interim fixes for protecting against Apache Killer (the Range exploit), many system administrators are unsure whether to ban the Range header completely or to allow a limited number of ranges.  Last Friday, I took the approach of banning the HTTP Range header completely.  After discussions with some system administrators, they were of the view that restricting requests to 5 ranges is the recommended method. The reason is that Microsoft IIS allows no more than 5 ranges in a header, and IE browsers conform strictly to IIS. That is to say, IE browsers will not send out HTTP headers with more than 5 ranges.

This is sound and reasonable and so I decided to follow the approach.

It might be argued: why not also consider Firefox, Chrome, Safari, Opera and the mini-browsers in smartphones? The situation is complicated, and there is no perfect answer.

2011/08/28

two partitions in ASUS notebook


A friend got a new ASUS notebook but he disliked having two partitions on it.  He wanted to merge the two partitions to make a bigger C drive.  I cautioned him not to do so.

The use of two partitions on a notebook PC is good operational practice. The first partition holds the system files, while the other partition holds user applications and data.  If the Win 7 system crashes due to viruses, spyware or inadvertent corruption of system files, the factory default image on the recovery disk can be dumped back onto the first partition while keeping the user data unaffected as far as possible. This is more complicated when a single partition holds all kinds of files.  For a Linux system, multiple partitions are even more important, not just for backup and recovery but also for scalability and expansion.

2011/08/27

Rescue Windows XP Again


My son’s desktop PC crashed on 6 April 2010 and it was restored by fixboot to repair the boot.ini program.  After 14 months, it crashed again.  This time the master boot record was corrupted. The rescue method was to run FIXMBR at the System Recovery Console. 

I wonder why the XP boot-up process gets into trouble so easily.  Or else the hard disk in question is not so reliable?

2011/08/26

Apache Killer

Some friends alerted me to the “Apache Killer” bug, which is described at the URL below:

http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3C20110824161640.122D387DD@minotaur.apache.org%3E

This bug exploits a flaw in Apache's handling of the Range field in the HTTP request header. By sending a crafted request with a large number of byte ranges within the Range header, the attacker amplifies the request: each byte-range field forces Apache to make a separate copy of the requested resource, which eventually consumes all CPU and memory resources.

The bad news is that system administrators need to wait another 48 hours for the Apache Foundation to release the patches. In the meantime, they can apply interim measures such as not allowing the use of Range headers.

This bug was first found in 2007. I wonder why the Apache Foundation did not pay attention to it.
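As an added illustration of the two Apache Killer posts above (this is my own example, not code from the Apache advisory or from this blog), the following Python function counts the byte-range specs in a Range header value and applies the 5-range policy discussed above. The regular expression, the function names and the sample headers are my own constructions. Where a request carries more than the limit, the example drops the header and serves the full resource rather than rejecting the request: HTTP allows a server to ignore Range, and one full copy is exactly one copy, so the per-range amplification described in the post disappears while legitimate clients still get an answer.

```python
import re
from typing import Optional

# Interim policy from the post: IIS accepts at most 5 ranges and IE never sends more,
# so requests carrying more than 5 byte ranges are treated as suspicious.
MAX_RANGES = 5

# One byte-range spec per RFC 2616 section 14.35: "first-last", "first-" or "-suffix".
# Constructed pattern for this example; it is not the rule from the Apache advisory.
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def count_byte_ranges(range_header: str) -> Optional[int]:
    """Return the number of byte-range specs in a Range header value.

    Returns None when the value is not a syntactically valid "bytes=" range set,
    so that callers can treat malformed headers separately from long ones.
    """
    value = range_header.strip()
    if not value.lower().startswith("bytes="):
        return None  # only the bytes unit is defined; anything else is not a byte range
    specs = [s.strip() for s in value[len("bytes="):].split(",")]
    for spec in specs:
        match = _RANGE_SPEC.match(spec)
        if match is None or (match.group(1) == "" and match.group(2) == ""):
            return None  # empty spec (e.g. trailing comma) or a bare "-" is malformed
    return len(specs)


def range_policy(range_header: Optional[str], limit: int = MAX_RANGES) -> str:
    """Decide how a front end should treat the Range header of one request.

    'serve'  -> honour the ranges (normal partial-content response)
    'ignore' -> drop the header and serve the full resource (RFC 2616 lets a
                server ignore Range; a single full copy has no amplification)
    'reject' -> malformed header, answer 400 Bad Request
    """
    if range_header is None:
        return "serve"  # no Range header at all: nothing to limit
    count = count_byte_ranges(range_header)
    if count is None:
        return "reject"
    if count > limit:
        return "ignore"
    return "serve"


if __name__ == "__main__":
    # Constructed sample headers: a normal resumable download and a many-range
    # header of the shape the post describes, used here only as test input.
    normal = "bytes=0-1023"
    many = "bytes=0-," + ",".join(f"5-{i}" for i in range(10))
    for header in (normal, many, "bytes=garbage"):
        print(f"{range_policy(header):7s} <- {count_byte_ranges(header)} range(s): {header[:40]}")
```

The count is on syntactic specs only; it deliberately does not try to judge whether ranges overlap or are satisfiable, because the interim goal is to bound the work Apache does per request, and a hard cap on the number of ranges achieves that regardless of their values.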

2011/08/19

XP Security 2012 Malware

My office desktop PC was infected with a malware called "XP Security 2012". This malware stopped all three browsers, and running any executable file resulted in the error message "Application not found".

Two hours were spent removing the malware by using Malwarebytes to scan the whole hard disk. Next, the failure to run executable files was due to corruption of the .exe file association in the registry. Running the Windows File Association Fixes for the .exe extension brought the machine back to normal.

This is a deadly malware since it kills browser function and disables all executable programmes. I guess I would not have contracted the malware if I were using Chrome for web browsing.



2011/08/13

HKEx attack incident

When asked for comments on the HKEx hacking incident, the Financial Secretary Mr John Tsang said he disagreed with suggestions that the website was not secure enough, and added that many large organisations around the world have had their sites hacked into.

Oh my God, this is a poor attitude. If a top Hong Kong government official has such a view or mindset, there is no hope for Hong Kong to maintain a higher cyber security standard.  HKEx runs mission-critical systems for the finance market; it should have emergency plans and backup measures to minimize the impact of large-scale cyber attacks. Besides, these plans and measures should be drilled on a regular basis to test system and human responses. HKEx should disclose what actions it took after discovering the hacking.

What the fuck has Hong Kong learnt from the HKEx attack case?

TSIG-based zone transfer and clock sync

For a long time, I was puzzled about why accurate time sync is needed between master and slave nameservers in Transaction Signature (TSIG) based zone transfer. I finally got the answer.

To recap the concept of TSIG: a slave server trusts a master server based on the IP address in its config file.  But an IP address can be spoofed, and there is a likelihood of attackers passing a hacked zone file to the slave server.  A better approach is for master and slave to use a common key.  The master server generates a signature of the hash, while the slave decrypts the signature to get back the hash and compares it with the received zone file.

When the signature is generated, a timestamp is placed in a particular field.  The timestamp is useful for avoiding replay attacks later on, as by then the timestamp deviates far from the current system clock.  If I still remember correctly, the tolerance for the timestamp is 5 minutes in Bind. Only if the attacker can carry out the replay attack within the next 5 minutes will it succeed; otherwise the zone file together with its signature will be ignored.  By the same logic, if the difference between the system clocks of master and slave is more than 5 minutes, a legitimate TSIG-based zone transfer will also fail.

That is why the master and slave must sync with an NTP server more frequently.
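To make the clock argument concrete, here is an added Python sketch of the check on the receiving side; it is my own example, not BIND's code and not part of this post. TSIG computes an HMAC with the shared key over the DNS message plus the TSIG record fields, among them a 48-bit "time signed" and a 16-bit "fudge" tolerance; the receiver answers a MAC mismatch with BADSIG and a timestamp outside now ± fudge with BADTIME. The 300-second fudge is the default recommended by the TSIG RFC and used by BIND (the 5 minutes remembered above). The key, the message bytes standing in for a zone transfer, the time values and the function names are all constructed for this demonstration, and the MAC input is simplified to the message and the two time fields.

```python
import hmac
import hashlib
import struct

# Default TSIG fudge of 300 seconds: the "5 minutes" tolerance from the post.
FUDGE_SECONDS = 300


def tsig_mac(key: bytes, message: bytes, time_signed: int, fudge: int = FUDGE_SECONDS) -> bytes:
    """HMAC-SHA256 over the message and the TSIG time fields (simplified).

    Real TSIG also covers the key name, algorithm name and error fields, but
    the point here is that "time signed" sits inside the MAC: an attacker
    replaying a captured transfer cannot refresh the timestamp without the key.
    """
    time_field = struct.pack("!Q", time_signed)[2:]   # 48-bit seconds since epoch
    fudge_field = struct.pack("!H", fudge)            # 16-bit tolerance in seconds
    return hmac.new(key, message + time_field + fudge_field, hashlib.sha256).digest()


def verify_transfer(key: bytes, message: bytes, time_signed: int, mac: bytes,
                    now: int, fudge: int = FUDGE_SECONDS) -> str:
    """Slave-side check of one signed message; returns the TSIG-style status name."""
    expected = tsig_mac(key, message, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"   # wrong key, or the zone data / timestamp was altered
    if abs(now - time_signed) > fudge:
        return "BADTIME"  # replay, or master and slave clocks more than `fudge` apart
    return "NOERROR"


def demo() -> dict:
    """Walk through the situations the post discusses, with constructed values."""
    key = b"constructed-shared-secret"          # both nameservers hold this
    zone = b"AXFR example.test: SOA ... NS ..."  # stands in for the transfer data
    master_time = 1_314_576_000                 # master's clock when it signed
    mac = tsig_mac(key, zone, master_time)
    return {
        # slave clock 2 minutes ahead: inside the fudge, transfer accepted
        "clock_skew_2min": verify_transfer(key, zone, master_time, mac, now=master_time + 120),
        # slave clock 10 minutes ahead: legitimate transfer refused as BADTIME
        "clock_skew_10min": verify_transfer(key, zone, master_time, mac, now=master_time + 600),
        # same captured message replayed a day later: also BADTIME
        "replay_next_day": verify_transfer(key, zone, master_time, mac, now=master_time + 86_400),
        # replay with the timestamp rewritten to "now": the MAC no longer matches
        "replay_new_time": verify_transfer(key, zone, master_time + 86_400, mac, now=master_time + 86_400),
        # zone data altered in transit: MAC mismatch, refused before the time check
        "tampered_zone": verify_transfer(key, zone + b" (modified)", master_time, mac, now=master_time + 10),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:17s} {status}")
```

The two refusals for skewed clocks are indistinguishable to the slave from a replay, which is exactly why the fudge window has to be small and why both servers need NTP: a larger window would weaken the replay protection, while unsynchronised clocks turn a legitimate transfer into a BADTIME failure.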