Monday, May 26, 2014

Windows NCSI (network connectivity status indicator) - Annonying.

I noticed while reviewing my network traffic in Wireshark (analyzing packet headers studying for GIAC) I discovered my computer was connecting to a Microsoft domain with "ncsi" in it. Looked it up and is for a service called Network Connectivity Status Indicator. It pings Microsoft every so often to figure out if you are connected to the Internet or not. That's annoying useless traffic if you ask me, plus it's like big brother is watching. I figured out how to turn it off here:

http://www.itgeared.com/articles/1074-how-to-mange-network-connectivity/

It worked fine in Windows 7. In Windows 8 you get this screen that makes it look like it's not working when really it is - you connect to the Internet just fine but Microsoft reports that your wireless connection has "limited" connectivity.

When I turned this feature off it seems like my connection is faster. Not sure if just imagining. Didn't actually measure but really noticing a difference.

I also noticed this traffic was again on Edgecast CDN. As noted on Twitter (@teriradichel), Edgecast is a CDN therefore should be directing me to the nearest point to get the content which seems to be a point in Washington or Oregon. Instead they were sending HTTP traffic from my machine to Europe. That happened yesterday - didn't see that traffic today.

Sunday, May 25, 2014

UPnP - SSDP Protocol

Doing some protocol analysis for a security test and noticed a lot of SSDP traffic in Wireshark. Wondering what it was and the security implications so did some research.

This protocol is used for UPnP (universal plug  n play) which allows you to easily connect devices on your network. In theory. It is an HTTP like protocol which works with NOTIFY and M-SEARCH methods and has destination multicast IP address 239.255.255.250.

It may be a good thing - helping you connect to your printer, TV, etc.

Unfortunately it also has a long history of security flaws and can be used to carry out DoS attacks. Some research below.

What it is:

http://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol

Disable in Windows 7

http://en.kioskea.net/faq/20880-windows-7-disable-the-ssdp-discovery-service

US-CERT, National Vulnerability Database and Cisco report in January 2014 UDP-based amplification attacks may use SSDP as one of the protocols that facilitates Distributed Reflective Denial of Service (DRDoS) attacks:

http://www.us-cert.gov/ncas/alerts/TA14-017A
http://tools.cisco.com/security/center/viewAlert.x?alertId=28002
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5963

Denial of Service attack noted by FortiGuard:

http://www.fortiguard.com/encyclopedia/vulnerability/#id=38022

In a recent May 2014 post, CSO Online recommends disabling UPnP on home routers as part of secure configuration:

http://www.csoonline.com/article/2155342/data-protection/home-routers-broken-windows-to-the-world.html

Whitepaper from January 2013 discussing UPnP security flaws:

https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play

Another article on exposed devices from February 2014:

http://www.klocwork.com/blog/embedded-software/universal-plug-and-play-vulnerabilities-leave-millions-of-devices-exposed/

ThreatPost found 50 million potentially vulnerable machines responding to UPnP, exposing SOAP API that can allow access behind firewalls:

http://threatpost.com/50-million-potentially-vulnerable-upnp-flaws-012913/77465

A SANS report in 2002 discusses some UPnP flaws when it was released by Microsoft:

http://www.sans.org/security-resources/malwarefaq/win_upnp.php

Not completely disabled due to Windows Messenger Issue:

http://support.microsoft.com/kb/317843

Code - connecting to devices using SSPD

http://lewisbenge.azurewebsites.net/2012/11/13/device-discovery-ssdp-in-windows-8-and-winrt/