HZRN.COM
welcome to my space
X
Economics | Home Improvement | Ezines and Newsletters | Crockpot Recipes | Hardware | Cosmetics | Vans | Careers | Related articles
Welcome to:hzrn.com
Search:  
NAVIGATION: Home >>

Flaw Uncovered in TCP

Published by: rose 2010-03-19
A security hole in one of the Internet''s most basic protocols -- discovered by security consulting firm Guardent, Inc. -- leaves the door open for potentially devastating network attacks that would be difficult to defend against, detect, or trace.

Guardent senior research scientist Tim Newsham discovered a weakness in the Transmission Control Protocol (TCP) which allows computers to communicate with each other. Specifically, the flaw lies in the sequence of TCP Initial Sequence Numbers (ISN), used to maintain session information between network devices. Malicious users could utilize the hole to hijack TCP-based sessions on the Internet or on corporate networks.

TCP is supposed to generate random ISNs each time it enables a link between two computers. But according to Guardent, while testing a new piece of networking equipment for a client, Newsham discovered that the numbers are not as random as experts thought.

"It is now known that these numbers are guessable on many platforms, with a high degree of accuracy," Guardent said Monday. "The ability to accurately guess sequence numbers, combined with readily available session information, allows for a variety of sophisticated attacks on computer networks. These attacks can cause significant harm and would go undetected by current security software."

Dr. Bill: The Computer Curmudgeon 2008 July :: Dr. Bill Bailey ::
on DNS giving us the real address (TCP/IP Address) for an easy-to-remember posted details about a DNS flaw uncovered by security researcher Dan Kaminsky
http://www.drbill.cc/2008/07HOME
Dr. Dobbs | News & Views | August 1, 1998::
uncovered what it claims is a flaw in Microsofts Point-to-Point Tunneling (PPTP) and maintain a virtual private network (VPN) over a TCP/IP network.
http://www.ddj.com/184410649HOME
Guardent said attacks exploiting the weakness could take multiple forms, including:

  • Launching new forms of Denial of Service (DoS) attacks that cut individual Web server connections and make applications and networks appear unreliable; this type of DoS attack is far more subtle than DoS attacks like those which brought down eBay and Yahoo! last year because it does not rely on overloading networks by flooding them with traffic
  • Information poisoning attacks which insert false information into data streams intended for publication, i.e. bogus news reports or fraudulent stock prices
  • Session hijacking -- taking over a user''s connection to a computer system, thus allowing the hijacker to operate under the user''s identity in applications to which that user has access, like financial applications, Internet infrastructure management, etc.

According to Jerry Brady, vice president of Research and Development at Guardent, the weakness stems from the age of the protocol and also from vendors choosing to emphasize performance over security.

"The kinds of problems that you face in security protocols like that change over time," Brady said. "There was a point in time where weaker security techniques were chosen, purely on the basis of performance."

Brady also said that the increasing speed of networks has contributed to the problem because networks are asked to generate more ISNs in a shorter period of time.

Guardent took the unusual step of releasing the information to the public before a fix for the flaw had been created. However, while it has publicized the existence of the flaw it has also taken steps to ensure that its research on the subject does not fall into the wrong hands. The firm is keeping the details of the research confidential and is only making it available to legitimate network equipment vendors, operating system vendors and government agencies which sign non-disclosure agreements. The firm has also shared the information with the Computer Emergency Response Team (CERT) based at Carnegie-Mellon University.

Cybertelecom :: Reliability::
Finns find Internets fatal flaw, Inquirer 11/15/2005 Firms Raced to Fix Internet Hardware Flaw, Wash Post 7/23/03 Flaw Uncovered in TCP, InternetNews 3/12/01
http://www.cybertelecom.org/security/reliability.htmHOME
"There''s always been a great deal of controversy on disclosure," Brady said. "What we tried to take is a fair middle ground where we disclosed all the information necessary to fix the problem to all vendors that could fix the problem."

Dan McCall, co-founder and executive vice president of Guardent, added that the company faced a different situation in this case because it wasn''t the product of a single client that was affected by the flaw but rather a flaw that affected the entire industry.

"We published a widespread public media advisory that contains no technical information," Brady said. "What the general public got probably wouldn''t bring them any closer to building an attack tool."

However, a fix for the problem is likely to take some time, as software on each machine susceptible to the flaw -- from Web servers and e-mail servers to routers and workstations -- will require patches. In many cases, though, vendors already have fixes that are readily available -- they just need to be implemented.

"There are clearly ways to fix this," Brady said. "The problem is probably around how much energy people put towards this. It''s a problem that could be large if nobody handles it."

Brady also suggested that organizations concerned about security should employ encryption and Virtual Private Networks.




Transmeta Opens Mobile Linux
Domain Systems CEO Explains BulkRegister.com E-Mail

PRINT Add to favorites
#If you have any other info about this subject , Please add it free.#
Your name:
E-mail:
Telphone:

Your comments:


If you have any other info about Flaw Uncovered in TCP , Please add it free.
  • how to prepare for science and maths olympiads
  • as messiah don 039 t you think obama is going a bit below the loin cloth by putting his face into video games
  • how do you meet the jonas brothers at a concert
  • i divorced my wife i was angrey and drunk am muslim she is taleq now
  • if you were to meet the jonas brothers what should you say i would be so scared
  • did you get a pic with avril when you did a meet and greet
  • wedding advice what to give my fiance on wedding day
  • is it unethical for a celebrity to expect payment for an autograph or meet and greet
  • bound for glory what happened
  • how can i meet the jonas brothers without paying big bucks
  • wooh i just found out i am related to a famous poet
  • celebrity autograph meet and greet
  • my wedding is gonna have 3 bridesmaids is thata a bad idea

  • why is acorn being sued under the ohio corrupt activity act
  • i need help with a group of bullies
  • anyone here ever meet hanson did you go to a meet and greet
  • how can i meet the jonas brothers but i have no money for concert tickets
  • catholics how many puppeteers does it take to operate the pope
  • is mccain 039 s story getting old and tired
  • would tonight 039 s debate be better if bob schieffer says you two have 90 minutes to hash things out
  • what do you do special after sunday church
  • how do i get motivated to study for a certification
  • dark brotherhood quest line information oblivion
  • is there any way i can meet the jonas brothers
  • what is the greatest need of mankind
  • my wedding is gonna have 3 bridesmaids is that a bad idea
  • if you had an opportunity to meet greet a wrestler for an hour by yourself
    •  Homepage | Add to favorites | Contact us | Exchange links | LOGIN | Site map | 
    Copyright© 2008 hzrn.com        Site made:CFZ