I’ve been listening to Patrick Gray’s coverage of the AusCERT security conference, and I walked away with two major takeaways, one for security professionals and one for everyone.
Everyone first: Use SSL (https) everywhere you possibly can. Generate superfluous https traffic if you can.
Network professionals: Block as much UDP at the firewall as you can.
Read on for more.Regarding SSL, the idea is that nation-states can defeat it, but if everyone’s doing it, then decoding all of the SSL traffic in order to see what’s going on becomes impractical. SSL traffic also becomes less valuable when larger percentages of it are protecting worthless information. There’s no reason why the traffic needs to be encrypted when I’m checking baseball scores, but if my baseball scores traffic is encrypted, then it becomes harder to isolate my e-mail and social media traffic.
The easiest thing you can do is install the HTTPS Everywhere plugin, which works with Chrome, Firefox and Opera. Many websites that offer https don’t make it the default or make it easy; this plugin forces as much https as it can.
Security professionals have generally accepted that if a nation-state is attacking an individual, the nation state wins, but we can raise the cost of the attack to the point where it becomes impractical.
So what about UDP?
UDP is the forgotten fundamental protocol of the Internet. It’s a fire-and-forget protocol, which means it’s fast, but there’s no way to verify that the receiver actually got the traffic. That makes it terrible for downloads, but better for things like voice and video, where the occasional dropped packet is a good trade-off for better speed.
But some UDP protocols can be used for amplification attacks. If I tell an NTP server that you just asked it what time it is, I can send you 8 times as much traffic as I sent.
I’ll tell you a story that makes it worse. A decade ago, I was a sysadmin. I always sat next to the network admin. When we needed a port open, he’d ask TCP or UDP? But he was always overwhelmed with work, so eventually he quit asking and just opened both. Chances are, that firewall had a lot of UDP ports open that were unnecessary. They’re probably still open, because who has time to audit all of the open ports and make sure they’re actually still necessary? Nobody, that’s who.
And that’s likely to be catching up with us.
The way to tackle it is one port at a time, the same way a good sysadmin tackles a computer system inherited through acquisition that hasn’t been patched since Bush was president. George Herbert Walker Bush. (You think I’m exaggerating. It happens sometimes.) Start with the highest-risk port, see what, if anything, is using it, and if you can’t close it down, close it down to any systems that you can. If it takes a month to get the final word, then after a month you’re in a little bit better place. Slow, methodical progress, no matter how unsteady, is better than paralysis.
Need some suggestions? CERT has a list. I would start with DNS and NTP, since those are in active use, or chargen (port 19), which has tremendous potential and limited actual real-world use. Close those ports down to keep yourself from being an unwilling accomplice to an attack, and follow CERT’s mitigation suggestions to help you not be a victim to those attacks.