Archive for the ‘Security’ Category

Virtualization and the physical security boundary

There are several laws of information security. Ask ten InfoSec pros and you will likely get ten different lists, but I wager every one of them will agree on a couple of fundamentals: if an attacker can gain physical access to the computer, or can modify the operating system, then the attacker can compromise the computer. Physical access lets the attacker step around the OS and its security controls entirely and read or alter the data directly, for instance by booting from other media or pulling the disks.

Now switch gears and picture a virtual environment. The analog of physical access is access to the hypervisor: an attacker who controls the hypervisor has the same power over every guest as an attacker standing at the physical computer. If an attacker can exploit the Windows or Linux server hosting Hyper-V or XenServer, then the attacker can compromise every virtual machine on that host.

It is a subtle shift in thinking. In the past, one server ran on one piece of hardware, and the security boundary was the server itself. Thus you would place a physical web server in the DMZ and physically wire it to the firewalls. Computers with a different security posture (domain controllers, for example) sat on separate physical hardware wired into separate physical networks.

Thus a hypervisor should host only servers of roughly the same security posture. One should not, for instance, host domain controllers and public-facing web servers on the same hypervisor. Even if the public-facing web server is on a separate virtual network, a compromise of that web server that reaches the hypervisor exposes the domain controllers as well; the virtual network separates the guests from each other, not from the host they share.

The security boundary is the physical hardware, not the computer itself.
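
The check that follows from this, as an added example (my illustration, not code from the original post or from any hypervisor vendor): walk the VM inventory, group guests by physical host, and flag every host that carries more than one security zone. The inventory, host names and zone labels below are constructed for the example; in practice the list would come from the hypervisor management API or the CMDB, and the zones would be whatever tiers your network design defines.

```python
"""Audit a virtualization inventory for hosts that mix security postures.

Added example, not from the original post.  The inventory below is
constructed for illustration; in practice it comes from the hypervisor
management API or a CMDB.
"""
from collections import defaultdict

# Constructed sample inventory: (vm_name, physical_host, security_zone).
# Zone names are assumptions for this example.
SAMPLE_INVENTORY = [
    ("web01", "hv-a", "dmz"),
    ("web02", "hv-a", "dmz"),
    ("dc01", "hv-a", "tier0"),      # domain controller co-hosted with DMZ web servers
    ("dc02", "hv-b", "tier0"),
    ("app01", "hv-c", "internal"),
    ("app02", "hv-c", "internal"),
    ("jump01", "hv-b", "tier0"),
]


def zones_per_host(inventory):
    """Map each physical host to {zone: [vm, ...]} for the guests it carries."""
    hosts = defaultdict(dict)
    for vm, host, zone in inventory:
        hosts[host].setdefault(zone, []).append(vm)
    return hosts


def mixed_posture_hosts(inventory):
    """Return {host: {zone: [vms]}} for every host carrying more than one zone.

    A host that appears here is a shared physical security boundary between
    zones: compromise of the hypervisor (or of the parent OS) exposes every
    VM listed, regardless of which virtual network each one sits on.
    """
    return {host: zones for host, zones in zones_per_host(inventory).items()
            if len(zones) > 1}


def report(inventory):
    """Human-readable findings, one line per offending host."""
    lines = []
    for host, zones in sorted(mixed_posture_hosts(inventory).items()):
        detail = "; ".join(f"{z}: {', '.join(sorted(v))}" for z, v in sorted(zones.items()))
        lines.append(f"{host} mixes {len(zones)} zones -> {detail}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_INVENTORY):
        print(line)
```

On the sample data only hv-a is reported, because it carries both DMZ web servers and a domain controller; hv-b and hv-c each hold a single zone and pass. Run it against a real export and every line of output is a host whose physical boundary is doing double duty.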

Egyptian Radio in the 1930s and Cybersecurity

Here is an interesting article that dovetails 1930s radio legislation with the Obama administration’s Cyberspace Policy Review:

“Seventy-five years ago today, on May 29th, 1934, Egyptian private radio stations fell silent, as the government shut them down in favor of a state monopoly on broadcast communication. Egyptian radio ‘hackers’ (as we would style them today) had, over the course of about fifteen years, developed a burgeoning network of unofficial radio stations. They offered listeners an unfiltered, continuous mix of news, gossip, and live entertainment from low-powered transmitters located in private houses and businesses throughout Cairo.”

Read more of How a Resilient Society Defends Cyberspace.

Disposable end-point model

One project in my portfolio at the moment is building what I call a disposable end-point model. It is a low-priority but ongoing project. The goal is to deliver the best user experience at the lowest price point.

Portability is a must. Think about the concerns over swine flu and the like. What is your pandemic plan? Mine, at least from a technology standpoint, is straightforward: people work from home over the VPN and run their applications from Citrix. So the end-point devices must be portable and dual-use, serving both the office and the home.

Yet traditional notebooks are expensive. My firm, like most, has an inventory of aging notebooks. These older computers are costly to maintain (studies put it at roughly $1K per device per two years) and to replace if lost or stolen (studies put a loss incident at roughly $50K).

The sweet spot is a computer that costs less than supporting an aging device and is disposable if lost or stolen. With no data stored locally, a lost device is a hardware loss rather than a security incident, which removes the risk exposure of stolen devices. These inexpensive computers should be lightweight and easily carried between office and home. So I am looking at netbooks, which run around $500.

I spoke with Jeff Vance, Datamation, about these ideas. He recently wrote an excellent article that summarizes the netbook market and how data center managers are looking to use the devices: Will Desktop Virtualization and the Rise of Netbooks Kill the PC?

HVAC Security Controls

I have received a few responses to my haiku idea. One came from a fellow whose poetic skills I admire, and it poked a little fun at me. He offered the following as an example:

The servers are hot!
The data center is warm!
What will happen now?

It made me smile and was, actually, rather timely. As data centers in the northern hemisphere move into the summer months, our attention turns to air conditioning. HVAC (heating, ventilation, and air conditioning) falls under physical security. Returning to the haiku: the servers are hot. What will happen now? A denial of service, as overheated equipment throttles or shuts itself down.

Some basic controls can be built around HVAC systems to prevent that DoS. The first few revolve around redundancy. HVAC systems should be dedicated to the room in question and spec'd with ample capacity to cool it. Internal redundancy comes from dual compressors and controllers. External redundancy comes from dedicated n+1 power feeds and dual intake vents. Speaking of intakes, these should be in a protected space to prevent tampering or a build-up of debris. The HVAC unit itself should be in a physically secure location.

In summary, here is a checklist for an InfoSec pro to audit with facilities personnel:

  • Dedicated HVAC
  • n+1 tonnage capacity
  • Internal redundancy
  • External redundancy (power/air feeds)
  • Positive pressurization (vent the area of dust, debris, and possible smoke)
  • Physical security of the HVAC unit
  • Physical security of the HVAC intake vents
  • Clear supply and return vents

Regards and keep cool,

J Wolfgang Goerlich

How to gracefully lose control over computing assets

Cloud transition is about how to gracefully lose control over computing assets.

This is a good article. It traces the history of security from the military-minded security pros of yesterday, to the risk-management security pros of today, to the great unknown of tomorrow. Given that information security is about guarding information assets, InfoSec may shift toward vendor management and away from technological prowess. "For example, even in the case of stuff covered by compliance (you know, that critical Confidentiality stuff we'd never move to the Cloud), vendors will be quick to sell certified solutions (we're already seeing this, actually)."

“Now in addition to worrying about measuring things like control effectiveness, A/V coverage, and risk, we’re going to have to understand things like: what level of Governance information are we going to require from which vendors? Once we have that Governance information, what are we going to actually do with it in order to make decisions?”

Referencing a post from https://securityblog.verizonenterprise.com/

InfoSec Poetry and Hacker Haikus

I just read “Hackers Can Sidejack Cookies” in The New Yorker. The hacker poetry made me smile and then made me think. Blogs are to ballads as tweets are to haiku. I have been wondering what is best to post on Twitter. Perhaps I’ll start posting a daily ‘hacker haiku’ that summarizes an InfoSec theme or idea.

Here is my first stab at a hacker haiku. This is in regards to cloud service providers and the need to build controls and a perimeter-less security model.

Clouds form on the horizon
Redefine security
Perimeter-less

Apache Versus Internet Information Services Security

Fresh from a recent debate on Apache versus IIS security, I bring you this summary. I am not in a position to compare IIS and Apache directly. When I build an IIS server, I am fairly confident in its security. If I were to build an Apache server, I would have little confidence, due to my inexperience. So much depends upon the admin’s skill set.

Quantitatively, Apache has more published vulnerabilities than IIS. IIS 5 has 4 published vulnerabilities and IIS 6 has 1. By contrast, Apache 2.0.x has 23. Counts like these are only as good as the tracker they were pulled from and the date they were pulled; they say nothing about severity or exploitability.

The counter-argument to these statistics is this: most of the 23 vulnerabilities were in Apache modules. The attack surface drops significantly if you disable the modules you do not need (and, of course, if you know how to disable them).
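
Knowing how to disable the modules comes down to knowing which LoadModule lines a site actually needs. As an added example (my own illustration, not code from the original post or from the Apache project), here is a small audit that reads an httpd.conf, lists every enabled module that is not on an allowlist, and emits a hardened copy with those lines commented out. The sample config and the allowlist are constructed for the example; the real allowlist is whatever your site needs, and `httpd -M` will tell you what is actually loaded.

```python
"""Audit an Apache httpd configuration for modules outside an allowlist.

Added example, not from the original post.  The config text and the
allowlist are constructed for illustration.
"""
import re

# Constructed sample of a default-ish httpd.conf.  Only the LoadModule
# lines matter to this audit; the commented-out dav line is already off.
SAMPLE_HTTPD_CONF = """\
ServerRoot "/etc/httpd"
Listen 80
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule dir_module modules/mod_dir.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule status_module modules/mod_status.so
LoadModule info_module modules/mod_info.so
#LoadModule dav_module modules/mod_dav.so
LoadModule ssl_module modules/mod_ssl.so
DocumentRoot "/var/www/html"
"""

# Assumed allowlist for a static-content site: core request handling,
# MIME, logging and TLS.  Anything else loaded is surface the site does
# not need.
STATIC_SITE_ALLOWLIST = {
    "authz_core_module", "dir_module", "mime_module",
    "log_config_module", "ssl_module",
}

# Matches only active (uncommented) LoadModule directives.
_LOADMODULE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.M)


def loaded_modules(conf_text):
    """Return the module identifiers enabled by uncommented LoadModule lines."""
    return [m.group(1) for m in _LOADMODULE.finditer(conf_text)]


def unneeded_modules(conf_text, allowlist):
    """Modules that are loaded but not on the allowlist, in config order."""
    return [mod for mod in loaded_modules(conf_text) if mod not in allowlist]


def harden(conf_text, allowlist):
    """Return the config with every non-allowlisted LoadModule commented out.

    Commenting rather than deleting keeps the change reviewable and
    reversible; re-run unneeded_modules() on the result to confirm it is empty.
    """
    def comment_if_unneeded(match):
        line = match.group(0)
        return line if match.group(1) in allowlist else "#" + line.lstrip()
    return _LOADMODULE.sub(comment_if_unneeded, conf_text)


if __name__ == "__main__":
    for mod in unneeded_modules(SAMPLE_HTTPD_CONF, STATIC_SITE_ALLOWLIST):
        print("disable:", mod)
    print(harden(SAMPLE_HTTPD_CONF, STATIC_SITE_ALLOWLIST))
```

On the sample config the audit reports autoindex, cgi, userdir, status and info as unneeded and the hardened output loads exactly the five allowlisted modules. Restart httpd after applying it and re-check with `httpd -M`; a module pulled in by another config file will still show up there.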

Another counter-argument is that the web server is only as secure as the operating system beneath it. A determined attacker goes around your defenses rather than through them. So I suspect security turns more on the OS and the web applications than on the choice of web server.

Cross Site Scripting: eWeek

Cross-site scripting (XSS) is a big concern these days. Below is an article that describes in more detail how XSS attacks work. Two ways to mitigate XSS are static code analysis and web application firewalls. The first, code analysis, would be a good way for eWeek to scan and check their advertisers’ content.

A Web Developer’s Guide to Cross-Site Scripting
http://www.sans.org/reading_room/whitepapers/securecode/a_web_developers_guide_to_crosssite_scripting_988

At eWeek.com, malware was inserted into advertising on the web page. If a user clicked on the ad, it would “redirect the user to a malicious Web site through a series of IFrames. The new URL led to an adult Web site, which attempted to load a PDF that exploits a known Adobe vulnerability. The vulnerability affects versions 8.12 and earlier and has been patched” (B Prince 2009)

The company caught the problem and, while indicating that it was not a problem of their own making, said they would take measures to see that it does not happen again. They did not state what those measures would be, but some measures that can help prevent this are as follows:

  • A web vulnerability scanner, which will scan the page for potential weaknesses
  • Encode output according to the context in which each input parameter is rendered
  • Filter input parameters for special characters
  • Filter output derived from input parameters for special characters
  • Filtering removes special characters that could allow a malicious script to run; URL-encoding and HTML-encoding prevent a malicious script from executing
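
To make the encoding items concrete, here is an added example (my own illustration, not code from the original post and nothing to do with eWeek’s site) that renders the same user-supplied values two ways: concatenated straight into markup, and encoded for the context each value lands in. The page fragment and the payloads are constructed for the example; `html.escape` and `urllib.parse.quote` are the Python standard library.

```python
"""Context-aware output encoding against reflected XSS.

Added example, not from the original post.  The page template and the
attacker-supplied values are constructed for illustration.
"""
import html
from urllib.parse import quote

# Constructed payloads of the kind an injected ad or a crafted link carries.
PAYLOAD_BODY = "<script>alert(document.cookie)</script>"
PAYLOAD_ATTR = '" onmouseover="alert(1)'
PAYLOAD_URL = "javascript:alert(1)"


def render_unsafe(search_term, link_target):
    """The vulnerable form: user input concatenated straight into markup."""
    return (
        f"<p>Results for {search_term}</p>"
        f'<a href="{link_target}" title="{search_term}">next</a>'
    )


def safe_url(target):
    """Allow only http(s) URLs, then percent-encode; anything else becomes '#'.

    HTML-encoding a URL does not neutralize a javascript: link, because the
    browser decodes entities before it resolves the scheme, so the scheme is
    checked explicitly before the value is encoded.
    """
    lowered = target.strip().lower()
    if not (lowered.startswith("http://") or lowered.startswith("https://")):
        return "#"
    return quote(target, safe=":/?&=#%")


def render_safe(search_term, link_target):
    """The hardened form: encode each value for the context it lands in.

    html.escape(quote=True) covers both element text and double-quoted
    attribute values; the URL gets scheme validation plus percent-encoding.
    """
    text = html.escape(search_term, quote=True)
    return (
        f"<p>Results for {text}</p>"
        f'<a href="{safe_url(link_target)}" title="{text}">next</a>'
    )


def contains_live_script(markup):
    """Crude check used only to show the difference between the two renderers."""
    lowered = markup.lower()
    return ("<script" in lowered
            or 'onmouseover="' in lowered
            or 'href="javascript:' in lowered)


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD_BODY, PAYLOAD_URL))
    print(render_safe(PAYLOAD_BODY, PAYLOAD_URL))
```

The unsafe renderer hands the browser a live `<script>` element, a broken-out `onmouseover` attribute, or a `javascript:` link depending on which payload it gets; the safe renderer turns the first two into inert text (`&lt;script&gt;`, `&quot; onmouseover=&quot;`) and refuses the third. Note that the encoding is chosen per context: the same `html.escape` call that is right for text and attributes would not be right for a value dropped into a `<script>` block or a URL.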

Although eWeek’s web server was not broken into, I feel it should be responsible for the content it chooses to display. Therefore they should have checked the page and its advertisers’ content to make sure it was secure. Following some of the methods listed above would have been a proper step. XSS has been cited as one of the more prominent web attacks, so when doing business on the web the company should have been aware of this and made it a priority to scan the content for vulnerabilities. I hope eWeek implements some of the techniques mentioned in its process for presenting web content.

http://www.eweek.com/c/a/Security/Attackers-Infect-Ads-With-Old-Adobe-Vulnerability-Exploit/

VeriFace Facial Recognition

Some modern notebooks come with facial recognition. A face is something you are. This can be paired with a Windows password (something you know) for two-factor authentication.

This is not strong two-factor security, as facial recognition, at least as currently implemented, is susceptible to a wide range of attacks. A presentation at Black Hat covered these vulnerabilities in detail.

J Wolfgang Goerlich

YouTube – Face Recognition Commercial Lenovo
http://www.youtube.com/watch?v=H2a0KYtG97E

BlackHat: Your face is NOT your password

Open Up and Lock Down

Today’s networks balance opening up with locking down. The perimeter model, with a single access gateway protected by a firewall, is quickly disappearing. All end-points should now run their own firewalls. All hosts (particularly high-value servers) should now be bastion hosts. Access across the network should be locked down by default, then opened up only for particular services.
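
What “locked down by default, then opened up per service” looks like on one host, as an added example (my own illustration, not code from the original post): the policy is a list of allowed services, each tied to the source network that may reach it; everything else is dropped. The code evaluates constructed connection attempts against that policy and renders the equivalent nftables ruleset. The host role, the networks and the attempts are assumptions for the example.

```python
"""Default-deny host policy: lock down, then open up per service.

Added example, not from the original post.  Roles, networks and sample
connection attempts are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    proto: str          # "tcp" or "udp"
    port: int
    source: str         # CIDR allowed to reach this service


# Assumed policy for a bastion web server: nothing inbound unless listed.
WEB_SERVER_POLICY = [
    Rule("tcp", 443, "0.0.0.0/0"),         # public HTTPS
    Rule("tcp", 22, "10.0.5.0/24"),        # SSH only from the admin network
    Rule("udp", 161, "10.0.5.0/24"),       # SNMP only from the monitoring hosts
]


def decide(policy, proto, port, src_ip):
    """Return "accept" if a rule opens this service to the source, else "drop".

    The default is drop: a service absent from the policy is unreachable
    even if the host happens to be listening on it.
    """
    src = ip_address(src_ip)
    for rule in policy:
        if rule.proto == proto and rule.port == port and src in ip_network(rule.source):
            return "accept"
    return "drop"


def render_nftables(policy, table="filter"):
    """Render the policy as an nftables inet table with a drop-by-default input chain."""
    lines = [
        f"table inet {table} {{",
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        "        ct state established,related accept",
        "        iifname lo accept",
    ]
    for rule in policy:
        src = "" if rule.source == "0.0.0.0/0" else f"ip saddr {rule.source} "
        lines.append(f"        {src}{rule.proto} dport {rule.port} accept")
    lines += ["    }", "}"]
    return "\n".join(lines)


# Constructed sample attempts: (proto, port, source ip).
SAMPLE_ATTEMPTS = [
    ("tcp", 443, "203.0.113.9"),    # Internet client to HTTPS: accept
    ("tcp", 22, "203.0.113.9"),     # Internet client to SSH: drop
    ("tcp", 22, "10.0.5.17"),       # admin network to SSH: accept
    ("tcp", 3389, "10.0.5.17"),     # RDP was never opened: drop, even from admins
    ("udp", 161, "10.0.6.2"),       # wrong internal network for SNMP: drop
]


def evaluate(policy, attempts):
    """Decision for each attempt, in order."""
    return [decide(policy, *attempt) for attempt in attempts]


if __name__ == "__main__":
    for attempt, verdict in zip(SAMPLE_ATTEMPTS, evaluate(WEB_SERVER_POLICY, SAMPLE_ATTEMPTS)):
        print(attempt, "->", verdict)
    print(render_nftables(WEB_SERVER_POLICY))
```

The point of keeping the policy as data is that the “open up” half stays reviewable: every accepted service is one line with its source network beside it, and the rendered ruleset carries the drop default so that a new listener on the host changes nothing until someone adds a rule. The established/related and loopback accepts are the minimum needed for the host’s own outbound connections and local services to keep working.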

I think we see this change reflected in several trends. The ongoing focus on detective controls over preventive controls is a response to the significantly broader attack surface of modern networks. Last year’s focus on end-point security was about making computers bastion hosts. Risk management and governance is a hot topic now, and it seeks to understand and protect business networks in their entirety, end to end.

I can only use my own firm as an example. We have some 17 dedicated connections coming in from partners and exchanges, five inter-office connections, and 6 perimeter firewalls (7 if you include the Microsoft ISA server). All servers run a host firewall and are locked down. All this so we can reach the resources of partners and vendors, and provide resources to partners and clients. And this is a relatively small company with fewer than 200 employees. Imagine the complexity of mid-sized and enterprise networks.

Open Up. Collaborate and succeed. Lock Down. Secure and protect.

J Wolfgang Goerlich

The eroding enterprise boundary: Lock Down and Open Up
http://www.theregister.co.uk/2009/03/12/eroding_enterprise_boundary/

IBM Security Technology Outlook: An outlook on emerging security technology trends.
ftp://ftp.software.ibm.com/software/tivoli/whitepapers/outlook_emerging_security_technology_trends.pdf