
Limiting Tor access with ISA 2004/2006

If you have looked into "The onion ring", or just "Tor", you have probably wondered if it would be wise to block access from these anonymous servers (or maybe just the exit nodes). I am not gonna talk about how the encrypted Tor network works, as a great deal of info can be found "out there". Main source should be: www.torproject.org - and perhaps Wikipedia.

As a security guy (or ISA administrator maybe), you ask yourself "why do these people want to be anonymous"? In this case "anonymous" means that "they" don’t want targets on the Internet to see the originating IP address (the source). A "target" is typically a web site or some other web service.

The answer? Well, first you gotta ask yourself: "who are they"? And there’s really no good answer to that question I guess - who really knows? All we can do is guess, so let me turn these questions around: if I were to try out a hack, or some new exploit, would I do it directly over my personal WAN IP? Or would I try to "hide" my originating IP? If you look at it from that perspective, Tor networks are GREAT for hiding out - the whole idea is that it shouldn’t be possible to track the communication. What you don’t know can hurt you, right? I’m not saying all Tor users are hackers or anything, because they are not, but you have to look at the odds… What do you think? I can’t help thinking that if you hide from someone you have something (bad) to hide - but hey, it could be a Christmas present, right?

Anyway - you have to decide - do I want these people to be able to access my web sites and services or not? I’m not going to decide on your behalf - that’s politics!

So, what can we do about it if we want them out? Well, after reading Thomas Shinder’s blog entry "HammerOfGod Computer Sets — Block and Log by Country" I got an idea. How about downloading a list of Tor servers, importing it into a Computer Set (CS) and making sure that CS is an Exception on all of your published services? This way hackers out there, behind Tor servers, won’t be able to poke around your IIS servers or whatever you have.

So, I started a search for Tor lists - the best thing would probably be to create it yourself dynamically - but that would take programming skills that I unfortunately haven’t got. I’m just a scripting kinda guy… The thing is, you would need to have a Tor client installed and from that extract the list once in a while - not possible for me (maybe you can do it easily - please post a "how to" then).

But then I found a list on Proxy.org - this list is updated regularly - the only thing is that this list is formatted for easy import on Apache servers, definitely not ISA. But hey, we can change the formatting in a script and then call the "AddComputersToComputerSet.vbs" script from Microsoft… Simple: all we have to do then is configure the CS exceptions on our ISA rules, schedule the script and never touch it again!

So, I created a simple script for:

a) Downloading the latest Tor server list from Proxy.org
b) After the download it creates a new file with the correct format (machine_name<tab>IP_address)
c) And then it calls the AddComputersToComputerSet.vbs with the correct parameters

You can download the script here - also download the script from MS (link above) and place them in the same directory. You will need a bit of VBS knowledge to "tweak" the script(s), but I’ve tried to make the code "easy understandable". Now, make sure you can run it from your ISA box (it downloads over HTTP), and then schedule the thing (oh, and remember to remove the Msgbox "Done!" line if you want this as a scheduled task).

If you want it to run from another machine, take a look at the link to the AddComputersToComputerSet I provided above (some changes are needed).

Please report back if you have any bug reports or ideas! It is provided "As Is" - after downloading you’re on your own :)

The dynamically created/updated ISA Computer Set:

[Image: CS-TOR-SERVERS]

The ISA Rule/Publishing Exceptions:

[Image: Rule-Exceptions]

What’s missing?
I can think of a lot of things I’d like to add in there - but the idea with this blog entry is to "spread the word" and a Proof of Concept.

Personally I want to add logging of script actions, and email alerts if the list is unavailable or some other errors occur. Also, there’s a weakness in case the downloadable list is compromised somehow. Say someone adds Internal/Private/"not-Tor" IPs etc. to the list; it just might give some strange results for your users. So, we have to trust that the list is OK and secure - but it would be a good idea to put in some sort of validation on what IP addresses are put into this particular CS.
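One way to do that validation, as an added Python example (not the author's VBS script and not Microsoft's): it assumes the list uses Apache `deny from <ip>` lines, keeps private, loopback and your own published ranges out of the Computer Set, and refuses the whole list when too many entries are bad. The `TOR-<ip>` names, the `own_networks` parameter and the 20% threshold are illustrative assumptions, and the sample addresses are constructed.

```python
import ipaddress
import re

# Ranges that must never land in the block set. Listed explicitly so the
# result does not depend on a Python version's definition of "private".
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]

# Assumed input format: Apache "deny from <ip>" lines; other lines are ignored.
DENY_LINE = re.compile(r"^\s*deny\s+from\s+(\S+)\s*$", re.IGNORECASE)

# Constructed sample, not real Tor data (TEST-NET addresses stand in for
# public IPs; 203.0.113.0/24 plays the role of our own published range).
SAMPLE = """# constructed sample
deny from 198.51.100.7
deny from 192.0.2.45
deny from 198.51.100.7
deny from 10.0.0.5
deny from 203.0.113.10
deny from 999.1.1.1
"""


def build_computer_set(list_text, own_networks=(), max_reject_ratio=0.2):
    """Return (lines, rejected); lines are 'name<TAB>ip' for the import file."""
    protected = NEVER_BLOCK + [ipaddress.ip_network(n) for n in own_networks]
    accepted, rejected, seen = [], [], set()
    for raw in list_text.splitlines():
        m = DENY_LINE.match(raw)
        if not m:
            continue  # comments, blank lines, other directives
        token = m.group(1)
        try:
            ip = ipaddress.IPv4Address(token)
        except ValueError:
            rejected.append((token, "not a single IPv4 address"))
            continue
        if any(ip in net for net in protected):
            rejected.append((token, "protected range"))
        elif ip not in seen:
            seen.add(ip)
            accepted.append(f"TOR-{ip}\t{ip}")  # hypothetical naming scheme
    total = len(accepted) + len(rejected)
    # Many bad entries suggests a tampered list: refuse it, keep the old set.
    if total == 0 or len(rejected) / total > max_reject_ratio:
        raise ValueError(f"list refused: {len(rejected)} of {total} rejected")
    return accepted, rejected
```

The returned lines are in the `machine_name<tab>IP_address` form described above, so they can be written to the file handed to AddComputersToComputerSet.vbs; the rejected list is what you would log or mail as an alert.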

 

Hope you can use this :)


Written by Jakob H. Heidelberg on January 30th, 2008 with no comments.

Windows Users Not Vulnerable To PDF Flaw

The recently reported flaws discovered in the Reader and Acrobat tools urged Adobe, the developer of the vulnerable solutions, to release patches in order to protect the customers of the company. If you haven’t read the advisories, you should know the holes affected Windows XP users with Internet Explorer 7 installed because the attackers tried to exploit them using malicious PDF files. According to Adobe, which confirmed the existence of the flaws, the vulnerabilities affect Adobe Reader 8.1 and earlier, Adobe Reader 7.0.9 and earlier, Adobe Acrobat Professional, 3D and Standard 8.1 and earlier versions, Adobe Acrobat Professional, Standard, 3D and Elements 7.0.9 and earlier.

In order to avoid a successful exploitation of the flaw, you have to update your technologies to version 8.1.1 as Adobe implemented the patches in this latest release.

Written by Jason on October 24th, 2007 with no comments.

Antivirus Protection for iPhones

Security company BitDefender rolled out a new virus definition for its antivirus technology in order to discover the malicious files used by attackers to exploit the reported vulnerabilities in Apple’s iPhones. In case you missed the news, it was said that an attacker can use a dangerous TIFF file in order to exploit the flaws in the iPhone’s Safari browser. What’s most interesting is that the security holes were then used by iPhone owners to unlock their devices and remove the restrictions applied by the Cupertino company. This way, they would be able to install any software they want without any limitation.

BitDefender reported that the flaw affects only the version 1.1.1 of the Apple iPhone firmware. Because the consumers would be able to install anything they like, they all need an antivirus technology able to defend their device against viruses and other types of malicious files which might harm their handheld.

Written by Jason on October 24th, 2007 with no comments.