Security Archives - Page 13 of 14

Archive for the ‘Security’ Category

Prevent the computer screensaver from locking the console

Posted November 8, 2007 by Wolf Goerlich

A “clean screen” policy is a common control. The risk is of people gaining unauthorized access to systems and information by shoulder surfing or popping onto a computer that someone left logged in. To mitigate, a screensaver can be set to lock the computer after so many minutes of inactivity. Ideally, people work on the computer and the screensaver does not kick in. They stop, the computer locks, and the screen is clean.

The challenge for employees is that the screensaver may come on at inopportune times. For example, when giving presentations or when watching a training video. During these situations the person is using their computer but not actually causing activity.

Not surprisingly, people have started finding hacks to prevent the screensaver from coming on. WiebeTech, for instance, sells a Mouse Jiggler. “Prevents a computer from going to sleep while you work or play. Constant mouse activity prevents sleep mode and screen savers (and their password prompts).”

The workaround for the workaround is to disable device drivers. But this requires configuration management software that may be beyond the budget of many IT/InfoSe teams.

Anyone have other ideas of how to mitigate Mouse Jiggler?

Wolfgang

PS: Also, check out WiebeTech’s HotPlug. This allows someone to switch a running PC or server from a power outlet to a battery pack. They pitch it for forensics as a way to confiscate a running computer. “We created this product for our Government/Forensic customers … allows hot seizure and removal of computers from the field to anywhere else on the planet.”

Celebrating ten years of watching my back

Posted April 8, 2007 by Wolf Goerlich

♫ It was ten years ago today, Monkey.B taught the Wolf to play. We’ve been going in and out of style. But we’re guaranteed to raise a smile… ♫

Ten years ago, my company’s — and our client’s — computers were infected with the Monkey.B virus. I suppose you could say it was my first incident reponse experience. It took us a little over three weeks to clean the mess up. The incident sparked in me the desire to a) learn as much as I could about malware; b) learn as much as I could about computer security; and c) never again let this happen to a client. From that day on, I have considered security a functional requirement of every project. It was a tough lesson.

But, it set me on the right path, so thank you Sgt. Pepper.

jwg

A couple tokens from the situation …

Newsgroups: comp.virus
From: Wolfgang A Goerlich
Date: 1997/04/08
Subject: Unknown boot virus (PC)

I’m at my wits end with this one. On accessing the a: drive, characters of both the file names and the files themselves are randomly replaced. I run McAfee, and it reported no virus activity. I then replaced the floppy, yet the corruption of files continued. I was also having problems with Win95, so I attempted to reinstall it from the CD-ROM. However, it got past the initial hardware scan, then reported a boot virus and locked up. So I borrowed a copy of Dr Solomons, but it also reported no viruses. Finally, in desperation, I reformatted the drive. Only now, the format command reports there is a virus, and quits. Also, the same floppy drive corruption continues. Anyone have any ideas of what I could try next? I even replaced the hard drive, but my other one was also infected.

Newsgroups: comp.virus
From: Wolfgang A Goerlich
Date: 1997/04/17
Subject: Unknown Boot Virus – Last Words (PC)

> I’m not sure as to what your a: drive is doing, but as for your boot
> sector “virus”, go and turn off boot sector virus checking in your BIOS.
> That will solve your hard drive problems anyway…

Thank you. It turned out that we did have a undetectable boot virus (which we removed using F-Prot). However, the BIOS virus checking was still giving us errors. After reading this, we turned it off and everything has been running smoothly since.

Viewing cached credentials, clearing cached credentials, preventing cached credentials

Posted February 26, 2007 by Wolf Goerlich

Microsoft Windows caches domain credentials. This article applies to Windows 7 and 8. Click here for the Windows 10 version of this article.

Windows caches domain credentials (usernames and passwords). See Microsoft article KB913485 for details. These credentials are stored on the local computer’s registry.

Viewing cached credentials: In the registry, grant your user account full permission to HKEY_LOCAL_MACHINE\Security. By default, only the System account has permission to the Security key. Refresh Regedit (you may need to close and relaunch Regedit.) Then open the key. You can view the cached credentials under HKEY_LOCAL_MACHINE\Security \Cache. Up to ten credentials can be cached, and these are stored in the values NL$1 thru NL$10.

Clearing cached credentials: Zeroing out the NL$x binary value will clear the cached credential.

Preventing cached credentials: Deleting the NL$1-NL$10 binary values will prevent credentials from being cached.

Designing CyberSecurity | Weekly Blog Series

Designing and architecting security? Join our weekly conversation on what hackers can learn from artists and designers.

Baking in security with a technology, practices, projects approach

Posted September 22, 2005 by Wolf Goerlich

How can we keep our IT systems secure?

It comes down to baking in the security from the beginning. Each new technology initiative is an opportunity to increase our overall security.

So we get a new project. In the beginning phases, while evaluating projects, we push to ensure that security is a consideration and that the vendors are asked about the security features as well as the functional features. Once the technology is selected and purchased, we work with the project team to ensure that security steps are included in the project plan. We pull the software in-house, install it, beat up on it, and assess for any vulnerabilities. When the project completes and the system is released to the end-users, it goes out the door in a secure state.

Such a secure state comes in part from experience, in part from training, and in part from industry practices. Proven practices such as deployment guides or NIST publications are excellent sources of information security. As part of any project or as part of securing any technology, such practices should be tried and evaluated. The goal is to apply not only what we know works, but also what the industry has found to work.

Researching and applying proven practices needs to be a task in every technology project. Take a Linux or a Windows server, install the new software for the project, and apply best practice guidance to it. At the very beginning of the project, lock down files and registry keys. Work thru any issues that the security may cause early on in the project before other departments get involved. The result is a system as tight and neat as is possible. By baking these steps into the project plan, we ensure that new systems come online securely.

Security is technology, practices, and project-centric.

Load balance SSH

Posted June 29, 2005 by Wolf Goerlich

Load balance SSH without “Potential Security Breach” or “Someone Is Doing Something Nasty”

You setup a couple servers with SSH and load balance these. Then, Linux users start reporting they are seeing “It is possible that someone is doing something nasty!” Windows users say that PuTTY is complaining “Warning – potential security breach!” Why?

SSH uses a RSA private/public key pair. The public key is saved on the client as the SSH server fingerprint. Linux users can find these keys under ~/.ssh/known_hosts and ~/.ssh/known_hosts2. Windows users can find the keys in the registry under [HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHo stKeys]. The errors occur when two (or more) SSH servers use the same FQDN but use different private keys.

This is the same thing we see when we load balance Web servers. The workaround there is to export the private/public certificate from one computer, and apply it to all computers in the load balanced set. The clients then receive the same certificate regardless of which computer they connect their Web browser to.

The same workaround applies to load balanced SSH servers. Take the certificate from one, and apply it to all other SSH servers in the set.The files are/etc/ssh/ssh_host_rsa_key (private) and /etc/ssh/ssh_host_rsa_key.pub (public). You may also want to copy /etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_dsa_key.pub if you are supporting DSA encrypted sessions.

A word of caution in regards to the security and validity of the private keys. We had the same discussion with Web servers. The idea behind private/public encryption is that one (and only one) entity has the private keys. This guarantees to the end-user the identification of the remote end-point. Copying the keys reduces that guarantee. Given it is one entity (your organization) that controls the keys, and given you are applying them only to a single DNS hostname backed by a single load balanced set, you should rest easy. Just take care not to copy the SSH keys to anything other than these servers.

OpenSSH client (4.1) error message:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Please contact your system administrator.
Add correct host key in /home/me/.ssh/known_hosts to get rid of this message.
Offending key in /home/me/.ssh/known_hosts:xx
RSA host key for hostname has changed and you have requested strict checking.
Host key verification failed.

PuTTY (0.54) error message:

WARNING – POTENTIAL SECURITY BREACH!

The server’s host key does not match the one PuTTY has
cached in the registry. This means that either the
server administrator has changed the host key, or you
have actually connected to another computer pretending
to be the server.
The new key fingerprint is:
ssh-rsa 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
If you were expecting this change and trust the new key,
hit Yes to update PuTTY’s cache and continue connecting.
If you want to carry on connecting but without updating
the cache, hit No.
If you want to abandon the connection completely, hit
Cancel. Hitting Cancel is the ONLY guaranteed safe
choice.

Load balance SSH without “Potential Security Breach” or “Someone Is Doing Something Nasty”

Posted June 29, 2005 by Wolf Goerlich

The same workaround applies to load balanced SSH servers. Take the certificate from one, and apply it to all other SSH servers in the set.The files are /etc/ssh/ssh_host_rsa_key (private) and /etc/ssh/ssh_host_rsa_key.pub (public). You may also want to copy /etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_dsa_key.pub if you are supporting DSA encrypted sessions.

A word of caution in regards to the security and validity of the private keys. We had the same discussion with Web servers. The idea behind private/public encryption is that one (and only one) entity has the private keys. This guarantees to the end-user the identification of the remote end-point. Copying the keys reduces that guarantee. Given it is one entity (your organization) that controls the keys, and given you are applying them only to a single DNS hostname backed by asingle load balanced set, you should rest easy. Just take care not to copy the SSH keys to anything other than these servers.

OpenSSH client (4.1) error message:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Please contact your system administrator.
Add correct host key in /home/me/.ssh/known_hosts to get rid of this message.
Offending key in /home/me/.ssh/known_hosts:xx
RSA host key for hostname has changed and you have requested strict checking.
Host key verification failed.

PuTTY (0.54) error message:

WARNING – POTENTIAL SECURITY BREACH!

Spot problem Windows Servers (automatic updates)

Posted May 7, 2005 by Wolf Goerlich

If the Windows Server uptime is more than 30 days, then the server is a problem child. That’s a basic rule of thumb.

Windows Updates come out every month. Every month, a Window Server should be updated and rebooted. If it is not, then there is a problem.

One way to check for this is to match the current crop of updates to the applied updates on the server. This can take a bit of time and gives a better indication of the server state. A quicker way is to scan for Servers with uptime >= 30 days.

Below is a basic script that checks and reports the uptime. It’s trivial to modify into a problem child scanner.

Bonus tip: reboot your servers both before and after the updates. This minimizes problems applying the updates that may occur when files are open or processes are hung.

Happy patching.

‘—————————————————————–
‘
‘ Name: uptime.vbs
‘
‘ Author: J Wolfgang Goerlich
‘ Date: 2005-05/07
‘
‘ Description: Report uptime and possible concerns
‘
‘—————————————————————–

Option Explicit

‘ Dimension variables

Dim wmi ‘ SWbemServices, WMI interface
Dim wns ‘ WMI namespace
Dim wql ‘ WMI Query Language
Dim computer
Dim oShell
Dim results
Dim os
Dim D, H, M, S

‘ Get the computer name

Set oShell = WScript.CreateObject(“WScript.Shell”)
if WScript.Arguments.UnNamed.Count >= 1 then
computer = Trim(LCase(WScript.Arguments(0)))
else
computer = LCase(oShell.ExpandEnvironmentStrings(“%ComputerName%”))
end if

‘ Get the uptime

wns = “winmgmts:\\” & computer & “\root\cimv2”
wql = “Select SystemUpTime From Win32_PerfFormattedData_PerfOS_System”

Set wmi = GetObject(wns)
Set results = wmi.ExecQuery(wql)

For Each os in results
S = os.SystemUpTime
Next

‘ Report the uptime and status

M = S \ 60 : S = S Mod 60 : H = M \ 60 : M = M Mod 60 : D = H \ 24
Wscript.Echo “Computer: ” & computer
Wscript.Echo “Uptime: ” & D & ” Days, ” & H Mod 24 & ” Hours, ” & M & ” Minutes”
If D >= 2 then Wscript.Echo “Problem child!”

Encrypting private circuits (VPN over Frame Relay and MPLS)

Posted May 8, 2004 by Wolf Goerlich

This is a summary of a debate I recently had with a network engineer. The question is whether or not to run a VPN over a private circuit.

Let’s start with a quick definition of terms.

Private circuits are provided by the telcos to sites that companies own. So say you have a site in Detroit and Chicago. Way back when, the way to connect the two was to run a dedicated line. A dedicated line provides dedicated bandwidth and constant latency at a price. This was rather expensive. For redundancy, you purchased separate lines.

Frame Relay was the telcos solution. You can think of Frame Relay as a virtual dedicated line. The connection relays network frames (layer 2 or data link) over several physical networks to create a logical end-to-end line. The Detroit-Chicago traffic crosses any number of devices and circuits, but the link is presented to your layer 2 switches like a dedicated line. This cuts down the cost. The trade-off is varying bandwidth and latency because Frame Relay is a shared resource. Like dedicated lines, you needed to purchase separate circuits for redundancy.

MPLS (Multi-Protocol Label Switching) aims to provide performance of dedicated circuits at the cost of frame relay. MPLS adds traffic management and in-network redundancy. Detroit-Chicago over MPLS is still a shared resource, but now the link can more effectively shape the traffic and utilize the networks of circuits. Redundancy is baked into the circuit.

In terms of cost, it goes redundant dedicated lines, redundant Frame Relay, and MPLS. All three are rather expensive. Meantime, the Internet reliability has increased and cost has decreased. Strictly from a costing perspective, you might build the Detroit-Chicago link with a VPN (Virtual Private Network) over the Internet. Like MPLS and Frame Relay, VPN is a logical end-to-end line that builds on top of a physical network.

Now to dive into the confusion.

Telcos sell dedicated lines as private circuits. Telcos sell Frame Relay and MPLS as virtual private circuits. The argument you will hear is that security is built-in because these are private circuits. There is also the operations efficiency of not having to deal with routing infrastructure and possibly even IP infrastructure. (Novell administrators love Frame Relay as they can run IPX/SPX over it.) A private circuit is private, right? Not exactly.

First, all the telco equipment between Detroit and Chicago have visibility into the IP traffic. A truism of network security is that a network is only as secure as the people who have access to the equipment. In this case, that could be any number of telco support technicians. They can read your packets.

Second, the privacy of the private circuit depends upon the correct configuration of the equipment. Your packets and some other organization’s packets are streaming down over the same routers. The only difference is the tags in the packets and the how the routers treat those tagged packets. When improperly configured, the circuit fails open. I have seen situations where new IP subnets suddenly appear on the LAN switch, and are traced back to a misconfigured frame relay. Whose packets were they? Did the owner of those packets know he was broadcasting onto our network? Probably not.

My recommendation.

Treat dedicated lines, Frame Relay, and MPLS circuits the same as you would untrusted Internet circuits. Encrypt all internal traffic that travels over these circuits.

Virtual private circuits are not the same as Virtual Private Networks. One is clear text and the other is encrypted. The first ensures availability and integrity. The second ensures confidentiality. For best results, run a VPN over a virtual private circuit.

What about bandwidth and latency? With decent gear, the bump in thru put should be no more than 10%. Look for routers or firewalls that advertise encryption and line speed.

What about packet shaping? Use the QoS preclassify features of your gear. This reads the DSCP/TOS from the unencrypted packets, and writes it to the encrypted packets. The MPLS gear can then handle the encrypted packets properly.

What about complexity and cost? The trade-off is security for operational complexity. You may need to purchase more gear. You will need to implement IP routing. These add to the overall cost of the solution. Given the increases in security of encryption over clear text, the trade-off is worth it.

Essential Insecurities Part 6 — Conclusion

Posted November 22, 2002 by Wolf Goerlich

When you add functionality, you add vulnerability. This is true whether your network powers a small business, or a Fortune 500 company. This is true whether you are looking at a single Lan, or a world-wide Wan. Every piece you add brings with it risk.

We use controls to mitigate risk. Mainly these are directive, preventative, and detective controls. Directive or policy controls define appropriate use of the system. Sometimes people will follow these policies, sometimes they will not. Of course, technology allows us to set permissions and therefore implement preventative controls to keep people from doing certain things. For the times when people do not follow policy and the system does not (or cannot) stop them, detective controls are there to leave an audit trail.

When we add functionality, we need to consider these controls. Now let us work our way from cables to computers.

When deploying a network switch and cabling, ask, how could this break? What can we do to protect it? Consider fault-tolerant designs such as full-mesh for connecting multiple switches and cabling with Fibre instead of copper. Consider directive controls to specify who can access the switch and how. Consider preventative controls such as locked rooms and climate controls. Consider detective controls such as check-in forms and electronic monitoring.

What are Ethernet’s risks and what controls are available? Directive controls could include specifying how a computer gets connected to the Ethernet Lan. It could also specify who is allowed to run sniffers. The preventative controls would be locking down the switch ports to specific Mac addresses, thereby making it difficult to connect a computer without first following procedure. Consider enabling the switch manufacturer’s protection against ARP cache poisoning, such as Cisco’s Dynamic ARP Inspection. Detective controls enabling the switch’s audit logs, and regularly scanning for network cards in promiscuous mode with tools like Sentinel.

What about IP’s risks and controls? Design IP networks to address concerns about addressing and fragmentation. Use directive controls to specify who can access what IP and Internet resources, and who is responsible for addressing and naming. Preventative controls include securing Dhcp address servers and Wins/Dns name servers. Detective controls include auditing and logging. Monitor for IP address and name conflicts, and excessive traffic to Wins/Dns.

Good design along with proper controls will protect integrity and availability. All along, we have been assuming that there is no confidentiality. We have suggested that the place for this is in applications (application, presentation, session, transport layers). Ask your vendors for recommendations on how to securely run their applications. First build a solid network infrastructure, and then turn your attention towards securely delivering applications over it.

Essential Insecurities Part 5 – IP

Posted November 15, 2002 by Wolf Goerlich

The Internet Protocol or IP is what makes the World Wide Web go around. IP packet is divided up into the header and the data.

The IP header has fields such as the source and destination IP address, and fragment offset. What can go wrong here? We’ll use the typical Alice and Bob for two people on a network.

Take the example of Alice’s computer talking to Bob’s. Alice’s will use a name service to look up the IP address, like DNS or WINS. If all is well, then this name service sends back an IP address. Alice’s computer builds a packet with this address as the destination. But can you trust the name service? No, of course not. An attacker can poison these services with incorrect information. Alice’s packet could be sent to the attacker’s machine.

But let us suppose that we are using only IP addresses, without any names or name services. This makes more work for the Alice and Bob, of course, but remembering a few IP addresses is a small price to pay for security. Right? Ok, to prevent poisoning we skip the name lookup and instead send a packet to Bob’s computer’s IP address.

When the response arrives, Alice looks to see if it came from Bob. From the source address alone, can she be certain who sent this packet? No. Attackers can falsify or spoof their IP addresses. Now if the attacker is outside the network, he could pretend to be a computer on the inside. This might fool a router or firewall into allowing the connection. The packet with Bob’s address could really be from anyone inside or outside the network.

The fragment offset field can also be misused. The idea here is networks have a maximum size for the packets transmitting packets. When a packet exceeds this maximum transmission unit (MTU), the router fragments the packet. The offset is the number of bytes into the packet. The destination computer then uses the offset field to reassemble the packet. Just like IP addresses, an attacker can falsify the fragment offset.

Fragmentation can be used to hide data or attack availability. For instance, say you are watching the router for some bad command (like format C:). At attacker could send this in two fragments, “form” and “at C:”. Other ways are to send fragments with offsets that overlap or send only the initial fragment without the rest of the packet. These can confuse the OS, chewing up memory and eventually make the computer unavailable.

This is significant because to spoof Bob’s computer, the attacker will first have to knock Bob off the network. An IP address has to be unique on a segment and hence only one computer can use the address at a time.