Archive for the ‘Systems Engineering’ Category

Hard Link Shell Extension

Posted by

Hermann Schinagl has a new version of his hard link shell extension online. Get it while it’s hot.

http://schinagl.priv.at/nt/hardlinkshellext/hardlinkshellext.html

“Link Shell Extension (LSE) provides for the creation of Hardlinks, Junctions, Volume Mountpoints, and Vista’s Symbolic Links (herein referred to collectively as Links) and a Folder Cloning process that utilises Hardlinks or Symbolic Links. LSE, as its name implies, is implemented as a Shell extension and is accessed from Windows Explorer, or similar file/folder managers. The extension allows the user to select one or many files or folders, then using the mouse, complete the creation of the required Links – Hardlinks, Junctions or Symbolic Links or in the case of folders to create Clones consisting of Hard or Symbolic Links. LSE is supported on all Windows versions that support NTFS version 5.0 or later, including Windows XP64, Vista and Windows7. Hardlinks, Junctions and Symbolic Links are NOT supported on FAT file systems, and nor is the Cloning and Smart Copy process supported on FAT file systems.”

Locking down USB flash drives in Windows 7

Posted by

There are two ways that USB storage drives are commonly misused. The first is people transferring confidential data on their personal drives. These drives are then lost, stolen, or damaged. Second, the USB storage drive becomes a way to transmit malware. People then end up bringing infected drives into clean networks, which then spreads the malware. (See the end of this post for one such example.)

We read about this all the time in information security magazines. Some pentest company or another is always loading up USB sticks and leaving them in parking lots. Creating such drives is trivial with Metasploit with Meterpreter. USB drives are clearly a weak link.

Windows 7 has a couple of new system policies to address these threats. Start with an administrative control mandating corporate-approved USB storage drives. (IronKey are my favorite here due to encryption, high quality, and near indestructible design.) Turn off autorun, which, just by itself, will thwart most malware. Turn on Device Installation Restrictions and limit the USB drivers to just the corporate-approved drives. Push out the group policy and, bingo, USB just became that much safer.

Details:

Open Group Policy Management and edit the applicable GPO in your Active Directory.

Disable autorun
Computer Configuration \ Administrative Templates \ Windows Components \ AutoPlay Policies
Turn off Autoplay: Enabled

Limit to approved devices
Computer Configuration \ Administrative Templates \ System \ Device Installation \ Device Installation Restrictions
Allow installation of devices that match any of these device IDs: (add the corporate device)
Prevent installation of devices not described by other policy settings: Enabled

Example threat vector:

Google Case in China Reveals Growing Holes in Security

Often, malware infections are a result of high-tech twists on old fashioned cons. One scam, for example, involves small USB flash drives, left in a company parking lot, adorned with the company logo. Curious employees pick them up, put them in their computers and open what looks like an innocuous document.

In fact, once run, it is software that collects passwords and other confidential information on a user’s computer and sends it to the attackers. More advanced malware can allow an outsider to completely take over the PC.

Microsoft embraces and extends IPSec NULL

Posted by

IPsec provides authentication, integrity, and confidentiality. In IPv4, IPsec generates an AH (Authentication Header) that provides packet header integrity using a keyed cryptographic hash (HMAC). ESP (Encapsulating Security Payload) provides integrity using a keyed hash and confidentiality using encryption. Both AH and ESP derive their keys, and thereby authenticate the peers, through key exchange (IKE).

The hashing is typically done with MD5 or SHA, and the encryption with 3DES or AES. Known attacks exist for MD5 and 3DES, which render them only slightly better than nothing. SHA-1 and SHA-2 are in a similar state. NIST is currently working on SHA-3. For now, the best is SHA-2 with a long key length and AES.

Interestingly, ESP can also be “encrypted” using NULL. (See RFC 2410: The NULL Encryption Algorithm and Its Use With IPsec.) “NULL does nothing to alter plaintext data. In fact, NULL, by itself, does nothing. NULL provides the means for ESP to provide authentication and integrity without confidentiality.” Put differently, ESP performs the key exchange and hashing only.

Microsoft’s version of IPsec NULL does not quite conform to the RFC. Rather than using a hashing algorithm in conjunction with NULL encryption, Windows 7 and Windows 2008 skip it altogether. According to Microsoft’s IPsec setup guide, the NULL encapsulation “option specifies that no integrity protection is provided to each network packet in the connection. No AH or ESP header is used to encapsulate the data.” Embraced? Yes. Extended? Not so much.
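The RFC 2410 arrangement quoted above, as an added example written for this post (not Microsoft's code nor any IPsec stack's): an ESP packet with the NULL cipher still carries an ICV, here HMAC-SHA-256-128, so the receiver can prove the packet was not altered even though the payload travels in the clear. Under the Microsoft variant there is no AH or ESP header and therefore no ICV to check. The SPI, sequence number and key are constructed test values.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16  # HMAC-SHA-256-128: 256-bit HMAC truncated to 128 bits (RFC 4868)


def esp_null_encapsulate(spi: int, seq: int, payload: bytes,
                         next_header: int, auth_key: bytes) -> bytes:
    """Build an ESP packet with the NULL cipher (RFC 2410) and an HMAC ICV.
    RFC 4303 layout: SPI | sequence | payload | padding | pad len | next hdr | ICV.
    NULL encryption leaves the payload bytes exactly as given; the ICV over
    everything before it is what supplies integrity and authentication."""
    pad_len = (-(len(payload) + 2)) % 4      # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))    # RFC 4303 default pad bytes 1, 2, 3, ...
    body = (struct.pack("!II", spi, seq) + payload + padding
            + bytes([pad_len, next_header]))
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_null_decapsulate(packet: bytes, auth_key: bytes):
    """Verify the ICV first, then strip the trailer. Returns
    (spi, seq, next_header, payload) or raises ValueError when the packet
    was modified in transit."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    payload = body[8:len(body) - 2 - pad_len]
    return spi, seq, next_header, payload


def tamper_is_detected(payload: bytes, auth_key: bytes) -> bool:
    """Flip one payload byte of a NULL-cipher packet; the receiver must reject it."""
    packet = bytearray(esp_null_encapsulate(0x1000, 1, payload, 6, auth_key))
    packet[8] ^= 0x01                         # first payload byte, readable in the clear
    try:
        esp_null_decapsulate(bytes(packet), auth_key)
    except ValueError:
        return True
    return False
```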

WatchGuard 11.1 and HTTP headers

Posted by

WatchGuard 11.1 firmware came out recently and it features a new security option: replacing HTTP headers. The firewall admin maintains a set of approved HTTP headers. As web traffic flows through the WatchGuard proxy, it inspects the packets and removes any header not in the list.

Certain websites may have an issue with this, such as websites that rely on non-standard HTTP headers. If that happens, the firewall admin has two choices. The non-standard headers can be added to the approved list. Alternatively, the website can be added to a proxy bypass list, so that web traffic from that site bypasses the proxy rule altogether.

What risk is this control mitigating? Several HTTP attacks rely on host header manipulation or header injection. There are also web attacks that cram two or more HTTP responses into one TCP packet (HTTP response splitting). Both are thwarted by configuring the HTTP proxy in 11.1.
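An allow-list header filter of the kind described above, as an added example written for this post (not WatchGuard's code). The approved set and the upstream response are constructed; besides dropping unapproved headers, the filter discards malformed header lines and recomputes Content-Length from the bytes it actually forwards, which is what turns header injection or a split response into inert data instead of a second message.

```python
import re
from typing import List, Tuple

# Constructed allow-list standing in for the firewall admin's approved set.
APPROVED = frozenset(("content-type", "date", "server", "cache-control",
                      "set-cookie", "location", "connection"))
# RFC 7230 field-name token, a colon, then the value (DOTALL so bare CR/LF stay visible).
HEADER_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*\Z", re.DOTALL)


def sanitize_response(raw: bytes, approved=APPROVED) -> Tuple[bytes, List[str]]:
    """Rebuild an upstream HTTP response keeping only approved, well-formed headers.
    Returns (rebuilt response, list of dropped header lines or names)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *lines = head.split(b"\r\n")
    kept, dropped = [], []
    for line in lines:
        m = HEADER_LINE.match(line)
        # No valid field name (e.g. an injected status line) or a bare CR/LF inside
        # a value is the footprint of header injection and response splitting.
        if not m or b"\r" in m.group(2) or b"\n" in m.group(2):
            dropped.append(line.decode("latin-1", "replace"))
            continue
        name = m.group(1).decode("ascii").lower()
        if name == "content-length":
            continue                      # always recomputed below
        if name not in approved:
            dropped.append(name)
            continue
        kept.append(line)
    # Content-Length reflects the bytes forwarded, so anything that followed the
    # blank line upstream reaches the client as body bytes, not as a second response.
    kept.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join([status, *kept]) + b"\r\n\r\n" + body, dropped


# Constructed upstream response: an unapproved header plus a second response
# crammed in after the blank line, as in the splitting attacks mentioned above.
SAMPLE = (b"HTTP/1.1 302 Found\r\n"
          b"Date: Sat, 16 Jan 2010 10:00:00 GMT\r\n"
          b"X-Powered-By: PHP/5.2.0\r\n"
          b"Location: /home\r\n"
          b"Content-Length: 0\r\n"
          b"\r\n"
          b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 21\r\n\r\n"
          b"<html>injected</html>")
```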

Is it worth the effort? Time will tell.

Penetration testing Microsoft Office Communication Server

Posted by

Pentesting your Microsoft Office Communication Server? Need a tool? Viper Labs updated their OAT (OCS Assessment Tool) to v2.0 this month. OAT automates testing OCS with: online dictionary attack, domain user enumeration, presence stealing, contact list stealing, domain IM flood, communicator call DoS, and domain call walk. Like SimWitty, OAT is written in C# and available under the BSD license.

“VIPER Lab created OAT because OCS and other Microsoft products are frequently being used as part of a unified communications infrastructure in many enterprises. Our mission is to help IT managers and security practitioners evaluate the security architecture of their deployments and ensure that their mission-critical communications and systems are protected.”

http://voat.sourceforge.net/

The pack is not online — Diskpart errors on some file systems

Posted by

VDS returns the following when you select a partition format that it does not recognize:

C:\> Diskpart

DISKPART> list disk
DISKPART> select disk (id)
DISKPART> list part
DISKPART> select part (id)

Virtual Disk Service error:
The pack is not online.

The “pack is not online” error (VDS_E_PACK_OFFLINE, 0x80042444L) is returned when Diskpart attempts to get the file system properties on, say, an ext3 or HFS+ file system. Diskpart works only with FAT and NTFS file systems. If the goal is to delete the non-Microsoft partition, use the clean command.

DISKPART> list disk
DISKPART> select disk (id)

DISKPART> clean

Building our own cloud

Posted by

I have been thinking a lot about IT service architecture. After all, my theme this year is “Security is Design”. How can we maximize the benefits of new technologies while minimizing the security risks?

Take cloud computing. The buzz is that cloud computing reduces costs and increases scalability. Cloud computing, specifically with cloud hosting, does this by putting our servers in a multi-tenant environment and then charging based on utilization. So organizations get pay-as-you-go pricing that is shared across scores of customers (tenants). Add self-service and rapid provisioning, and you get a fast and flexible solution.

That makes the IT operations side of my brain happy. But then my IT security side chirps up.

Multi-tenant increases security risks as we no longer have end-to-end visibility and control coverage. Think of the property security of an apartment versus a private home.  Multi-tenant decreases responsiveness, too, as the service provider must balance the needs of his organization against the needs of yours. Think the customer service you get from your telephone utility versus your in-house telecommunications specialist. Above and beyond that, simply by being a new architecture, cloud computing will bring an entirely new set of risks that can only be identified with time.

So how can we balance the benefits and risks of cloud computing? One way is to bring the cloud computing technologies in-house. The basics are readily available: virtualization, rapid provisioning, self-service, resource pooling, charge back. A data center built on the cloud computing model, but leveraging the best of an internal IT team: responsiveness, responsibility, and business domain knowledge.

My team has been using the terms “in-house cloud” or “private cloud” to describe our efforts to achieve this balance. This week, vendors led by EMC launched www.privatecloud.com as a resource building such beasts. Check out their definition of private cloud. While the blog is VMware and EMC based, I wager it is only a matter of time before Microsoft and Compellent come out with comparable information.

Done right, private clouds or cloud computing built in-house will provide a smooth transition for organizations to get the benefits of this new architecture.

Making and mounting Vss snapshots in Windows Server 2008

Posted by

Tech tip: Volume Shadow Copy Services (Vss) on Windows Server 2008 can make a copy of active, open files on the fly. It works at the block level, similarly to an open file agent. This works a treat if you need a quick-and-dirty command line backup.

To make a copy of the (C:) volume:

C:\> vssadmin create shadow /for=c:

To view copies of the (C:) volume:

C:\> vssadmin list shadows /for=c:

To mount a shadow copy as a browseable folder:

C:\>mklink /d <folder name> <shadow copy volume from list>

C:\>mklink /d C:\mycopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6

For more information, see:
http://technet.microsoft.com/en-us/library/cc754968(WS.10).aspx

Viewing memory on hibernating computers

Posted by

Windows 7/2008 writes memory to disk when the computer hibernates. To test this, execute “powercfg /hibernate on” followed by “shutdown /h”. These commands enable hibernate mode in the power configuration and force the computer to hibernate. Windows will then write memory to hiberfil.sys on the local (C:) partition.

You probably knew that already. But did you know that the hiberfil.sys file can be viewed?

Check out the Volatility Framework forensics tool. Volatility has a command that converts the Windows file (hiberfil.sys) to a forensics data file (dd). The resulting bytes can be scanned and manipulated. The command is:

python \Volatility3\volatility hibinfo -f C:\hiberfil.sys -d C:\YourMemoryHere.dd

Protect your hibernating computers, folks. Your memory is open for forensics.

IP addressing by integer

Posted by

Most people are familiar with the dot-decimal notation used in IPv4 addresses. For example, 70.38.56.57 is the address of www.simwitty.org. Note that each of the four numbers in the address can range from 0 to 255, and 255 is the maximum that can be stored in 8 bits. Four numbers of 8 bits each make up the 32 bits of an IPv4 address.

Some network systems store these values as one number. (Technically, the address is stored as a 32-bit uint value.) For example, Snort’s database lists www.simwitty.org as 1176909881. The advantage here is that database joins are significantly faster on numbers than on strings, so representing all the bits as a number has advantages. Where does this number come from? Let’s break apart the bits.

DNS: www.simwitty.org
IPv4 dot-decimal notation: 70.38.56.57
IPv4 binary: 01000110 00100110 00111000 00111001
IPv4 decimal: 1176909881

An interesting bit of trivia. If you run across such a 32-bit number, the quickest way I know of to convert it back to dot-decimal notation is to use the ping command on Windows 7 and Windows 2008. Pinging the number does not work on Linux insofar as I can tell.

C:\>ping 1176909881

Pinging 70.38.56.57 with 32 bytes of data:
Reply from 70.38.56.57: bytes=32 time=36ms TTL=112
Reply from 70.38.56.57: bytes=32 time=36ms TTL=112
Reply from 70.38.56.57: bytes=32 time=36ms TTL=112
Reply from 70.38.56.57: bytes=32 time=36ms TTL=112
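The conversion in both directions, as an added example written for this post (not Snort's or the SimWitty project's code). The last function goes beyond the post and implements the full set of forms that classic inet_aton() accepts (fewer than four parts, hex or octal parts), which is the rule Windows ping is following above; it matters when an allow-list or a log search compares addresses as strings, because the same host has several spellings and the integer is the canonical one.

```python
def dotted_to_int(addr: str) -> int:
    """70.38.56.57 -> 1176909881: each octet is one byte of a 32-bit unsigned value."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 address: {addr!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(n: int) -> str:
    """1176909881 -> 70.38.56.57 (what Windows ping does before sending a packet)."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit value: {n}")
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(n: int) -> str:
    """Render the four octets as the space-separated bit groups shown in the post."""
    return " ".join(f"{(n >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def _part(text: str) -> int:
    # Classic inet_aton accepts hex (0x46) and octal (0106) parts as well as decimal.
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)


def inet_aton_style(text: str) -> int:
    """Generalisation of the ping trick: accept a.b.c.d, a.b.c, a.b or a single
    number, the last part filling all remaining bits, as BSD inet_aton() does."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad address: {text!r}")
    *leading, last = [_part(p) for p in parts]
    if any(not 0 <= v <= 255 for v in leading):
        raise ValueError(f"leading part out of range: {text!r}")
    last_bits = 32 - 8 * len(leading)          # 8, 16, 24 or 32 bits for the last part
    if not 0 <= last < (1 << last_bits):
        raise ValueError(f"last part out of range: {text!r}")
    result = 0
    for v in leading:
        result = (result << 8) | v
    return (result << last_bits) | last
```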