All Entries Tagged With: "security"

The art of technology

…and it is an art. This is from the perspective of a technology leader seeing the changes over the last ten or so years, and is in the same thought process as the CIO write-up I posted last week.

There are more than a few non-technical hurdles we have to jump over. Consider these scenarios, for instance.

- A C level executive wants to push a project through – you as the senior IT executive cannot sign off on the release until some sanity checks are done, but the C level releases anyway.
- A senior executive refuses to implement controls because it will add complexity to the project – yet the controls are required by the industry.
These aren’t insurmountable issues but are just a couple of the hoops we have to jump through. The point here isn’t to have answers to the above issues, but to show that the art (see title) is not only being a leader in the technical field, a mentor to technical staff and all the other attributes of a senior IT executive, but also to deal with the personalities of those above you – managing your managers so to speak.

Should it be this way? No, not really, but it’s not a perfect world we live in. If we can’t communicate at all levels we are in the wrong job. If we can’t make these people see reason, all we can do is inform them of the risk. Since it’s our neck on the line when things go awry, we need to make sure all bases are covered. Even if we are right we cannot afford to make any part of the business look bad, so it becomes a strategic issue, but is that really where we want to go with this, or where we need to be? If we have tried all avenues and we are still not being heard – perhaps the business isn’t ready for a senior executive in the IT leadership role. That’s a hard truth and also a tough call.

We’ve seen the IT role move from being a customer organization to a business partner, and rightfully so. Look how long it took to do that. In the age of ever advancing technology does everyone realize that the business will not function without IT? That’s a rhetorical question but the excuse of not knowing what IT does isn’t going to cut it anymore. Should we explain the complexity of our environment to everyone, or should we be seen as the enabling business partner that drives the business forward from the proper use of technology?

This isn’t a rant by the way. It’s attempting to realize something that I have been working with for a long time. IT has value to the business and is a business partner. We know IT is not revenue generating but we should not be seen as a drain on assets, or a department that spends for the sake of spending. We have to trust that our IT executives know what they are doing, just as you would trust a CEO or COO that they know what they are doing, and accept that you cannot know all about everything that we do. (yes, I meant to write that sentence that way!). Superseding and second guessing our world is not going to help the business, in fact more often than not it will hurt the business.

As with everything there are many points of view pertaining to this topic. I’ve read many on the CIO forums and LinkedIn noticeboards, and I’ve heard many when speaking at conferences and attending seminars. But what I feel the most is, we as leaders can say the words “they don’t understand”. If that is where we leave it we don’t deserve to be leaders. We have to stand up and bridge the gap. For example, in the role of information security some say “the execs will get it when we get hacked, then we’ll get the money”. That’s a little too late for my liking. In that case I will take drastic measures to protect the business, that might include hacking the company myself. I would rather it be me that breaches the company than a hacker, and if done correctly it will have the desired effect. That will also add to your credibility as a leader and more trust will start to flow. That being said, there is a chance it could backfire. Not everyone can accept a direct approach like that.

I can go around in circles on this one, but I’ll leave it here for now. This isn’t meant as a blueprint or guideline. It is meant to provoke thought and points of view, and I fully understand that there are those that will push back hard – and that is good too. Care to share your thoughts? I’d love to hear them.

American Express Security – FAIL!

I came upon this from a Twitter post – check it out! American Express have an insecure web form. They actually ask you to click on a link if you want a secure web form. Wow – talk about conflict of interest. Consider the stringent PCI requirements that Amex put corporations under, with some pretty expensive repercussions if you don’t comply, and they have an insecure web form. I’m flabbergasted!

See for yourself HERE!

CISOs Keep Breach Costs Lower

The latest “Cost of a Data Breach” survey from the Ponemon Institute finds companies with a CISO are better able to handle loss of sensitive information

By Joan Goodchild, Senior Editor

Companies continue to pay a high price to clean up the mess created by a data breach, but having a Chief Information Security Officer (CISO) may offer some protection. That is the conclusion of a study released Monday by the Ponemon Institute, a Michigan-based consultancy that conducts independent research on privacy, data protection and information security policy.

This is the fifth year Ponemon has conducted its “Cost of a Data Breach” survey, which examined actual data breach experiences of 45 U.S. companies from 15 different industry sectors. This year, the cost of a data breach has increased to $204 from last year’s $202 per customer record. However, companies that had a CISO (or equivalent title) who managed the data breach incident experienced an average per capita cost of $157 versus $236 for companies without such CISO leadership.

Approximately 40 percent of participating companies had a CISO in charge of managing the data breach incident, according to the survey.

“While other functional areas are typically involved in crisis management activities surrounding the data breach, our results suggest CISO leadership substantially reduces the overall cost of data breach,” the report states.

“The one big take away on positive takeaway is that in (companies) that have CISO involvement, breaches tend to cost less because they have a more strategic view of protecting data than the old idea of whack-a-mole, fix it a hundred different times,” explained Phillip Dunkelberger, president and CEO of PGP Corp., which co-sponsored the study. “CISO involvement at a higher level means less cost of a data breach and less chance of repeating it because of the strategic view of protecting it that these professionals take.”

While the cost of a breach only rose two dollars per record this year, Dr. Larry Ponemon, founder and chair of the Ponemon Institute, pointed out the massive increase in cost over the five years since the study’s inception, when breaches cost $138 per compromised customer record. In figuring out the costs, the study takes into account a wide range of business costs, including expense outlays for detection, escalation, notification, and after the fact (ex-post) response. The economic impact of lost or diminished customer trust and confidence, measured by customer churn or turnover rates, is also analyzed.

Other highlights from this year’s research include:
- Forty-two percent of all cases in this year’s study involved third-party mistakes or flubs. Data breaches involving outsourced data to third parties, especially when the third party is offshore, are most costly. The per capita cost for data breaches involving third parties is $217 versus $194, more than a $21 difference, according to Ponemon.

- Twenty-four percent of all cases in this year’s study involved a malicious or criminal attack that resulted in the loss or theft of personal information. Research shows data breaches involving malicious or criminal acts are much more expensive than incidents resulting from negligence. The per capita cost of a data breach involving a malicious or criminal act averages $215. The per capita cost of a data breach involving a negligent insider or a systems glitch averages $154 and $166, respectively.

- Thirty-six percent of all cases in this year’s study involved lost or stolen laptop computers or other mobile data-bearing devices. Data breaches concerning lost, missing or stolen laptop computers are more expensive than other incidents. Specifically, in this year’s study the per victim cost for a data breach involving a lost or stolen laptop is $225.

“It’s not just about bad guys, but also good guys who make mistakes,” noted Ponemon.

Companies on IT Security Spending: Where’s the ROI?

Companies have spent millions to bolster their IT security in recent years. But some are starting to wonder if it’s been worth it, according to the 2010 Cyber Security Watch survey CSO conducted with the U.S. Secret Service, Carnegie Mellon University CERT and Deloitte & Touche.

By Bill Brenner, Senior Editor, CSO Online

Companies have spent many millions of dollars to build defenses around their IT assets this past decade, motivated by malware attacks, data security breaches and the resulting regulatory compliance cattle prod.

But the bad guys are still a few steps ahead in terms of sophistication and speed and some wonder if their investments were all for nothing, according to the newly-released 2010 Cyber Security Watch Survey.

More than 500 respondents, including business and government executives, professionals and consultants, participated in the survey, conducted by CSO Magazine with help from the U.S. Secret Service, Carnegie Mellon Software Engineering Institute (CERT) and Deloitte’s Center for Security and Privacy Solutions. Though respondents point to sizable efforts to keep their companies secure, many admit it’s getting almost impossible to outpace the bad guys.

“Security confidence seems to be waning. Respondents are spending more money and implementing new capabilities, but overall they seem to be unsure about how truly effective their efforts really are toward ensuring security,” said Ted DeZabala, principal at Deloitte & Touche LLP and U.S. leader of Deloitte’s Security & Privacy services.

The survey showed a drop in cybercrime victims — 60 percent this year compared to 66 percent in 2007. But the affected organizations have experienced significantly more attacks than in previous years, fueling doubts over a lack of return-on-investments (ROI).

Between August 2008 and July 2009 more than a third (37 percent) of respondents experienced an increase in cybercrimes compared to the previous year. While outsiders (non-employees or contractors) are the main culprits of cybercrime in general, the most costly or damaging attacks are more often caused by insiders (employees or contractors). One quarter of all cybercrime attacks were committed by an unknown source.

Although the number of incidents rose, the ramifications have not been as severe. Since 2007, when the last cybercrime survey was conducted, the average monetary value of losses resulting from cybercrimes declined by 10 percent. This can likely be attributed to an increase in both IT security spending (42 percent) and corporate/physical security spending (86 percent) over the past two years.

And yet, as technology advances, so do the attack methods, and many respondents worry that the bad guys are still winning. Outsiders invade organizations with viruses, worms or other malicious code; phishing; and spyware, while insiders most commonly expose private or sensitive information unintentionally, gain unauthorized access to/use of information systems or networks, and steal intellectual property.

The survey finds that insiders most often use their laptops or copy information to mobile devices as a means to commit electronic crimes against their organization. Respondents suggested data is often downloaded to home computers or sent outside the business via e-mail. This may lead to damaged reputations and may put organizations in violation of state or federal data protection laws.

More than half of the respondents — 58 percent — do believe they are more prepared to prevent, detect, respond to or recover from a cybercrime incident compared to the previous year. But only 56 percent have a plan for reporting and responding to an incident.

The research also indicated that businesses are trying to take steps to identify insider threats. Nearly one-third (32 percent) now monitor the online activities of employees who may be disgruntled or who have turned in their resignations.

Dawn Cappelli, technical manager for the Threat and Incident Management division of the Software Engineering Institute CERT Program, said insider attacks continue to be seen as a bigger problem than anything that might come from the outside.

“Attacks are more costly than outside attacks, and seven of the top eight practices that were indicated as being most effective at prevention, detection and deterrence apply to employees,” she said.

Though many respondents may be doubting the ROI of their security investments, the activity to deal with the insider threat at least indicates that no one is thinking about tightening up on their spending. Perhaps that’s because many feel like they have no choice but to keep spending, lest they fall even further behind the bad guys.

“This looks like good news — they have found effective practices for handling the most costly threats,” Cappelli said. “However, the technical solutions for insider threat mitigation were ranked alarmingly low: DLP, ranked 9th least effective, and change control/configuration management systems, ranked 5th least effective. In addition, account audits are only being performed by 43 percent of respondents, probably because of the technology gap.”

To that end, her parting advice is not to the respondents, but to the vendor community: Come up with something better to help customers achieve the DLP and change control/configuration management they need.

Man-in-the-middle attacks demoed on 4 smartphones

Security researchers from SMobile Systems have released a paper detailing successful man-in-the-middle attacks against several smartphones.

The SSL-enabled login sessions on the tested Nokia N95, HTC Tilt, Android G1 and iPhone 3GS devices were sniffed using the publicly available SSLstrip tool, with the attack taking place over an insecure Wi-Fi network, the kind now prevalent literally everywhere. Here’s the scenario they used, and possible mitigation approaches:

“The attacker visits the same cafe that offers a free Wi-Fi hotspot and decides to employ basic host, network identification and enumeration tools from the laptop to enumerate all the active devices connected to the Wi‐Fi hotspot. From the results, the attacker notices a MAC address referring to a Nokia smartphone. The attacker knows that there are little to no detection capabilities present on an overwhelming majority of smartphones in use today, so the owner would likely never find out about a successful man-in-the-middle attack (MITM).

The well-informed attacker creates a successful MITM attack. In the meantime, the smartphone owner accesses the online bank website and enters the login credentials required to gain access to the banking information. In this scenario, all of the communication between the smartphone and the online bank site is routed through the attacker’s machine and the attacker can see the login details in plain text, as well as can capture all the sites accessed by the victim.”

The awareness-raising test aims to educate users on approaching convenient and free public Wi-Fi networks with caution, emphasizing that their mobile service provider’s 3G connection, or a trusted Wi-Fi network, should always be considered their first choice.
Anyway, just how insecure or susceptible to compromise are the majority of Wi-Fi networks found in high-traffic locations such as airports or international cities? The answer is, sadly, self-evident, with data backing it up available publicly.

Last year, AirTight Networks conducted a major wireless network security study by visiting 14 airports (11 in the U.S. and 3 in the Asia-Pacific) and found that a huge percentage of the 478 Wi-Fi access points analyzed are either open or using outdated encryption protocols. Even more interesting was the fact that users were falling victim to “viral” Wi-Fi networks using descriptive and lucrative names seeking to establish legitimacy.

The prevalence of such “handy” but easy-to-compromise Wi-Fi networks internationally is virtually the same. For instance, similar wardriving tests conducted in Paris; Santiago, Chile; China; Monterrey, Mexico; Sao Paulo, Brazil; Caracas, Venezuela; Warsaw; and London offer similar insights into the “security” of such public networks.

Possible mitigation practices? According to Marlinspike, the author of the tool:
Cautious users, for example, have been advised to explicitly visit https URLs or to use bookmarks in order to protect themselves from sslstrip, while other SSL/TLS based protocols such as imaps, pop3s, smtps, ssl/irc, and SSL-based VPNs never present an opportunity for stripping. This talk will outline some new tools and tricks aimed at these points of communication, ultimately providing highly effective attacks on SSL/TLS connections themselves.
How often do you face the trade-off of using a public, and possibly insecure, Wi-Fi hotspot for the sake of convenience instead of sticking to your 3G data plan, even when traveling abroad?

Have you ever avoided using your mobile device and instead used your laptop at an airport, because your host-based firewall’s better ARP filtering features — if any — can detect a changed MAC address for the (trusted) gateway and so flag possible MITM attempts?

How EV SSL-aware is your E-banking provider, especially if you’re E-banking over a mobile device? Or do you simply “VPN-and-forget” over a public Wi-Fi network?
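The ARP check asked about above is easy to implement on a laptop. Here is an added example (mine, not from the SMobile paper or the SSLstrip author): it pins the gateway's MAC address from the neighbour table right after associating, then compares later snapshots against it and also flags any second host claiming the gateway's MAC. The snapshots are constructed sample lines in the format printed by `ip neigh show` on Linux; the addresses are made up.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: two snapshots of a laptop's neighbour (ARP) table in the
# format printed by "ip neigh show" on Linux. Addresses are made up for this
# example and are not taken from the SMobile test described above.
SNAPSHOT_AT_CONNECT = """
10.0.0.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.23 dev wlan0 lladdr 66:77:88:99:aa:bb STALE
"""

SNAPSHOT_LATER = """
10.0.0.1 dev wlan0 lladdr de:ad:be:ef:00:01 REACHABLE
10.0.0.23 dev wlan0 lladdr 66:77:88:99:aa:bb STALE
10.0.0.42 dev wlan0 lladdr de:ad:be:ef:00:01 REACHABLE
"""

# One resolved neighbour per line: "<ip> dev <iface> lladdr <mac> <state>".
# Unresolved entries (FAILED/INCOMPLETE, no lladdr) are skipped on purpose.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_neigh_table(text: str) -> Dict[str, str]:
    """Return {ip: mac} for every resolved neighbour line, MACs lower-cased."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def learn_gateway_mac(gateway_ip: str, snapshot: str) -> Optional[str]:
    """Pin the gateway's MAC from the first snapshot taken after associating."""
    return parse_neigh_table(snapshot).get(gateway_ip)


def check_gateway(gateway_ip: str, pinned_mac: str, snapshot: str) -> List[str]:
    """Compare a later snapshot against the pinned binding.

    Returns a list of alert strings; an empty list means the binding is intact.
    """
    alerts: List[str] = []
    table = parse_neigh_table(snapshot)
    current = table.get(gateway_ip)
    if current is None:
        alerts.append(f"gateway {gateway_ip} missing from neighbour table")
        return alerts
    if current != pinned_mac.lower():
        alerts.append(
            f"gateway {gateway_ip} MAC changed: pinned {pinned_mac.lower()}, now {current}"
        )
    # A second IP resolving to the same MAC as the gateway is the classic
    # footprint of a host inserting itself between the client and the router.
    impostors = sorted(ip for ip, mac in table.items() if mac == current and ip != gateway_ip)
    if impostors:
        alerts.append(f"MAC {current} is also claimed by {', '.join(impostors)}")
    return alerts


if __name__ == "__main__":
    pinned = learn_gateway_mac("10.0.0.1", SNAPSHOT_AT_CONNECT)
    print("pinned gateway MAC:", pinned)
    for alert in check_gateway("10.0.0.1", pinned, SNAPSHOT_LATER):
        print("ALERT:", alert)
```

The limitation is worth noting: the check only sees entries the local stack has already accepted, so a poisoned reply that lands before the first snapshot is pinned as legitimate. That is why the article's advice to prefer the 3G connection or a trusted network, rather than relying on detection after the fact, still stands.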

Facebook Privacy & Security Guide

Created by Tom Eston. This is version 1.1 of the guide, last updated September 2009. It is updated when Facebook changes any privacy settings or configuration. Soon you will also be able to check out the video that walks you through these settings in your Facebook account (link coming soon).

Facebook Privacy & Security Guide PDF

Deactivating the rootkit – Core Labs

Deactivating the rootkit – from Core Labs, who are part of Core Security – the makers of Core IMPACT Pro.

Here’s an update from Core Security posted today – Wednesday August 12th, 2009

I attended Black Hat and Defcon this year and gained much useful information from that trip. There were a couple of eye opening presentations in the general terms of the security world, and the one I am going to summarize here is “Deactivating the Rootkit” from Core Labs. You can view all the information, and download the white paper and presentation from Core Labs. I’m going to outline it here from my notes – I would strongly suggest you read the details from Core Labs though – scary stuff!

Here are my notes:

HISTORY

2004: The BIOS size of 60% of all notebooks increased by 25kb.

2009: When Core Labs were investigating creating their own rootkit, they found one already there! There had been agreements with major vendors that this agent would be installed in the BIOS (Phoenix) as an anti-theft agent. It is dormant until activated – wait – activated? BACK DOOR!

More details: US 6,300,863 B1 Patent – Filed Mar 24, 1998 by Absolute Corp – Agent inside modem Option ROM – Support for DOS Backdooring

[image: patent]

WHAT IS THIS ROOTKIT?

Absolute Corp, Computrace Anti-theft agent – Option ROM Embedded in Phoenix BIOS – Agreements with law enforcement agencies – Inside notebooks from HP, Dell, Lenovo, Toshiba, Gateway, ASUS, Panasonic, & more … estimated 60% of PC notebooks have this rootkit.

Option ROM header: (you’ll need to copy/paste this to see it properly)


00000000 55 aa 2a eb 15 43 6f 6d 70 75 54 72 61 63 65 20 |U.*..CompuTrace |
00000010 56 38 30 2e 38 36 36 78 1d 00 e9 5c 01 50 43 49 |V80.866x...\.PCI|
00000020 52 17 19 34 12 00 00 18 00 00 06 00 00 2a 00 00 |R..4.........*..|

PROBLEMS FOUND

Huge privacy risk (bad/no authentication) – Anyone can activate it with enough privileges – Anyone can change the configuration – Anyone can de-activate it – Whitelisted by AV (potentially undetectable)

If the notebook OS is not Windows it will not place any files – but it’s still there!

MORE ISSUES FOUND

Uses URL instead of IP – Configuration block can be modified:

Configuration block XOR 0xB5: (you’ll need to copy/paste this to see it properly)
00000000 b1 b7 b5 b5 35 ab b1 b4 b5 f5 b4 aa b1 b5 b5 b5 |....5...........|
00000010 b5 a5 bf 41 41 30 49 4e 30 30 30 30 30 95 b1 1f |...AA0IN00000...|
00000020 ee 30 86 a0 b1 8b b5 35 b5 ac ae 4a 4a 4a 4a 4a |.0.....5...JJJJJ|
00000030 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a |JJJJJJJJJJJJJJJJ|
00000040 4a 4a 4a 4a 4a 4a af b4 35 ae b3 b5 b5 b5 b5 b5 |JJJJJJ..5.......|
00000050 b5 a8 b7 b5 b5 f3 b3 b5 b5 b5 b5 b5 b5 f2 b3 b5 |................|
00000060 b5 b5 b5 b5 b5 fd af 00 50 d1 35 71 17 73 65 61 |........P.5q.sea|
00000070 72 63 68 2e 6e 61 6d 65 71 75 65 72 79 2e 63 6f |rch.namequery.co|
00000080 6d bf b7 b2 a5 b3 b3 ac 35 b4 b4 b5 b5 b2 b3 b5 |m.......5.......|
00000090 b5 b5 b5 b5 4a 98 b4 0d 98 b4 0d 9e b1 41 54 44 |....J........ATD|
000000a0 54 81 b7 38 2c 80 b7 39 2c 82 b2 39 2c 39 31 38 |T..8,..9,..9,918|
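The two dumps above can be checked rather than just eyeballed. Here is an added example (mine, not Core Labs' tool or code) that parses the Option ROM header as copied from these notes, verifies the 55 AA signature, computes the image size from byte 2 (0x2a blocks of 512 bytes, i.e. about 21 KB, which lines up with the ~25 KB BIOS growth noted under HISTORY), follows the pointer at offset 0x18 to the PCI data structure and reads the vendor/device IDs and image length from it. It then takes the configuration block, applies the 0xB5 XOR mask, and pulls out printable strings and anything that looks like a DNS name, which is exactly the outbound indicator listed further down. One assumption: the block is treated as already decoded (the readable host name and the runs of 0xB5 standing for zero bytes suggest the dump was printed after the XOR), so the example re-applies the mask to show what the stored form looks like.

```python
import re
from typing import Any, Dict, List

# Both dumps are copied from the notes above. The configuration block is taken
# as shown, i.e. already XORed with 0xB5; that reading is an assumption.
OPTION_ROM_HEADER_DUMP = r"""
00000000 55 aa 2a eb 15 43 6f 6d 70 75 54 72 61 63 65 20 |U.*..CompuTrace |
00000010 56 38 30 2e 38 36 36 78 1d 00 e9 5c 01 50 43 49 |V80.866x...\.PCI|
00000020 52 17 19 34 12 00 00 18 00 00 06 00 00 2a 00 00 |R..4.........*..|
"""

CONFIG_BLOCK_DUMP = r"""
00000000 b1 b7 b5 b5 35 ab b1 b4 b5 f5 b4 aa b1 b5 b5 b5 |....5...........|
00000010 b5 a5 bf 41 41 30 49 4e 30 30 30 30 30 95 b1 1f |...AA0IN00000...|
00000020 ee 30 86 a0 b1 8b b5 35 b5 ac ae 4a 4a 4a 4a 4a |.0.....5...JJJJJ|
00000030 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a |JJJJJJJJJJJJJJJJ|
00000040 4a 4a 4a 4a 4a 4a af b4 35 ae b3 b5 b5 b5 b5 b5 |JJJJJJ..5.......|
00000050 b5 a8 b7 b5 b5 f3 b3 b5 b5 b5 b5 b5 b5 f2 b3 b5 |................|
00000060 b5 b5 b5 b5 b5 fd af 00 50 d1 35 71 17 73 65 61 |........P.5q.sea|
00000070 72 63 68 2e 6e 61 6d 65 71 75 65 72 79 2e 63 6f |rch.namequery.co|
00000080 6d bf b7 b2 a5 b3 b3 ac 35 b4 b4 b5 b5 b2 b3 b5 |m.......5.......|
00000090 b5 b5 b5 b5 4a 98 b4 0d 98 b4 0d 9e b1 41 54 44 |....J........ATD|
000000a0 54 81 b7 38 2c 80 b7 39 2c 82 b2 39 2c 39 31 38 |T..8,..9,..9,918|
"""

# "<offset> <up to 16 hex bytes> |<ascii>|" -- only the byte column is used.
HEXDUMP_LINE = re.compile(r"^\s*[0-9a-fA-F]{8}((?:\s+[0-9a-fA-F]{2}){1,16})\s*\|")


def parse_hexdump(text: str) -> bytes:
    """Turn hexdump lines back into the raw bytes they describe."""
    out = bytearray()
    for line in text.splitlines():
        m = HEXDUMP_LINE.match(line)
        if m:
            out.extend(int(tok, 16) for tok in m.group(1).split())
    return bytes(out)


def parse_option_rom_header(rom: bytes) -> Dict[str, Any]:
    """Decode the legacy option ROM header and the PCI data structure it points to."""
    if rom[:2] != b"\x55\xaa":
        raise ValueError("missing 55 AA option ROM signature")
    info: Dict[str, Any] = {
        "image_size_bytes": rom[2] * 512,          # byte 2: size in 512-byte blocks
        "has_computrace_string": b"CompuTrace" in rom,
    }
    pcir_off = int.from_bytes(rom[0x18:0x1A], "little")  # pointer to "PCIR" structure
    pcir = rom[pcir_off:pcir_off + 0x18]
    info["pcir_offset"] = pcir_off
    info["pcir_valid"] = pcir[:4] == b"PCIR"
    if info["pcir_valid"]:
        info["vendor_id"] = int.from_bytes(pcir[4:6], "little")
        info["device_id"] = int.from_bytes(pcir[6:8], "little")
        info["pcir_image_size_bytes"] = int.from_bytes(pcir[0x10:0x12], "little") * 512
    return info


def xor_b5(data: bytes) -> bytes:
    """Apply the 0xB5 XOR mask; XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ 0xB5 for b in data)


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII, the usual first pass over an unknown blob."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def callback_hosts(decoded: bytes) -> List[str]:
    """Strings that look like DNS names: the outbound indicator to watch for."""
    host_re = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")
    return [s for s in printable_strings(decoded) if host_re.match(s.lower())]


if __name__ == "__main__":
    rom = parse_hexdump(OPTION_ROM_HEADER_DUMP)
    print(parse_option_rom_header(rom))
    decoded = parse_hexdump(CONFIG_BLOCK_DUMP)
    print("strings:", printable_strings(decoded))
    print("callback host(s):", callback_hosts(decoded))
    # Re-applying the mask gives the form actually stored; the host name is not
    # visible in it, which is why a plain "strings" pass over NVRAM would miss it.
    print("host name visible in stored form:", b"namequery" in xor_b5(decoded))
```

Against a full BIOS image the same header parser can be run at every 55 AA on a 512-byte boundary to enumerate the embedded option ROMs and look for the CompuTrace string; the XOR pass is what lets you find the configured host name when the block is still in its stored form.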

Stub agent: Unauthenticated BIOS code execution

DETECTING THE ROOTKIT AGENT

Two files to look for: system32\rpcnet.exe (normal agent) – System32\rpcnetp.exe (BIOS persistent agent) – A service called “Remote Procedure Call (RPC) Net” with no description – Outgoing connections to search.namequery.com (209.53.113.223) – A custom tool from Core (not released yet)

DEACTIVATING THE ROOTKIT

Easiest way is host file redirection (127.0.0.1) – Modifying the BIOS (only unsigned BIOS!) – Modifying the configuration block (registry, hard drive, etc) – Modifying nvram, then full HD wipe – anyone think of more?

Does anyone else see what a huge risk this is to anyone owning a notebook with this BIOS, let alone corporations who (these days) predominately issue notebooks to ALL employees? I strongly suggest you hop on over to Core Labs (they are a part of Core Security by the way – the makers of Core IMPACT Pro).

These notes are the outline from the presentation, and of a further presentation that I made to the executive staff at the company I work for. It made them nervous, and we are going to take steps to negate this risk. What are you going to do?

Security Architecture Cheat Sheet for Internet Applications

From Lenny Zeltser: author bio details at the end of the post.


This cheat sheet offers tips for the initial design and review of an Internet application’s security architecture.

  1. Business Requirements
  2. Infrastructure Requirements
  3. Application Requirements
  4. Security Program Requirements



To print, use the two-page PDF version; you can also edit the Word version for your own needs.


#1: Business Requirements

Business Model

What is the application’s primary business purpose?

How will the application make money?

What are the planned business milestones for developing or improving the application?

How is the application marketed?

What key benefits does the application offer its users?

What business continuity provisions have been defined for the application?

What geographic areas does the application service?

Data Essentials

What data does the application receive, produce, and process?

How can the data be classified into categories according to its sensitivity?

How might an attacker benefit from capturing or modifying the data?

What data backup and retention requirements have been defined for the application?

End-Users

Who are the application’s end-users?

How do the end-users interact with the application?

What security expectations do the end-users have?

Partners

Which third-parties supply data to the application?

Which third-parties receive data from the application?

Which third-parties process the application’s data?

What mechanisms are used to share data with third-parties besides the application itself?

What security requirements do the partners impose?

Administrators

Who has administrative capabilities in the application?

What administrative capabilities does the application offer?

Regulations

In what industries does the application operate?

What security-related regulations apply?

What auditing and compliance regulations apply?


#2: Infrastructure Requirements

Network

What details regarding routing, switching, firewalling, and load-balancing have been defined?

What network design supports the application?

What core network devices support the application?

What network performance requirements exist?

What private and public network links support the application?

Systems

What operating systems support the application?

What hardware requirements have been defined?

What details regarding required OS components and lock-down needs have been defined?

Infrastructure Monitoring

What network and system performance monitoring requirements have been defined?

What mechanisms exist to detect malicious code or compromised application components?

What network and system security monitoring requirements have been defined?

Virtualization and Externalization

What aspects of the application lend themselves to virtualization?

What virtualization requirements have been defined for the application?

What aspects of the product may or may not be hosted via the cloud computing model?


#3: Application Requirements

Environment

What frameworks and programming languages have been used to create the application?

What process, code, or infrastructure dependencies have been defined for the application?

What databases and application servers support the application?

Data Processing

What data entry paths does the application support?

What data output paths does the application support?

How does data flow across the application’s internal components?

What data input validation requirements have been defined?

What data does the application store and how?

What data is or may need to be encrypted and what key management requirements have been defined?

What capabilities exist to detect the leakage of sensitive data?

What encryption requirements have been defined for data in transit over WAN and LAN links?

Access

What user privilege levels does the application support?

What user identification and authentication requirements have been defined?

What user authorization requirements have been defined?

What session management requirements have been defined?

What access requirements have been defined for URI and Service calls?

What user access restrictions have been defined?

How are user identities maintained throughout transaction calls?

Application Monitoring

What application auditing requirements have been defined?

What application performance monitoring requirements have been defined?

What application security monitoring requirements have been defined?

What application error handling and logging requirements have been defined?

How are audit and debug logs accessed, stored, and secured?

Application Design

What application design review practices have been defined and executed?

How is intermediate or in-process data stored in the application components’ memory and in cache?

How many logical tiers group the application’s components?

What staging, testing, and Quality Assurance requirements have been defined?


#4: Security Program Requirements

Operations

What is the process for identifying and addressing vulnerabilities in the application?

What is the process for identifying and addressing vulnerabilities in network and system components?

What access do system and network administrators have to the application’s sensitive data?

What security incident requirements have been defined?

How do administrators access production infrastructure to manage it?

What physical controls restrict access to the application’s components and data?

What is the process for granting access to the environment hosting the application?

Change Management

How are changes to the code controlled?

How are changes to the infrastructure controlled?

How is code deployed to production?

What mechanisms exist to detect violations of change management practices?

Software Development

What data is available to developers for testing?

How do developers assist with troubleshooting and debugging the application?

What requirements have been defined for controlling access to the application’s source code?

What secure coding processes have been established?

Corporate

What corporate security program requirements have been defined?

What security training do developers and administrators undergo?

Which personnel oversee security processes and requirements related to the application?

What employee initiation and termination procedures have been defined?

What application requirements impose the need to enforce the principle of separation of duties?

What controls exist to prevent a compromise in the corporate environment from affecting production?

What security governance requirements have been defined?

Additional Resources

OWASP Guide to Building Secure Web Applications

ISO 27002 Standard: Code of Practice for Information Security Management

BITS Standards for Vendor Assessments

Security Guidance for Critical Areas of Focus in Cloud Computing

Payment Card Industry (PCI) Data Security Standard (DSS)

How to Write an Information Security Policy

IT Infrastructure Threat Modeling Guide


Post-Scriptum

This cheat sheet is distributed according to the Creative Commons v3 “Attribution” License. File version 1.2.

About the Author: Lenny Zeltser leads the security consulting practice at Savvis. His team provides security assessments, design, and operational assistance for business-critical IT infrastructure. Lenny also teaches malware analysis at SANS Institute, explores security topics at conferences and in articles, and volunteers as an incident handler at the Internet Storm Center.

Shutting Down XSS with Content Security Policy

Content Security Policy is really coming – no joke – this is a huge browser security game changer. There is so much potential, assuming it all works. Life would be so much easier if this became real. Read about it for yourself!

http://blog.mozilla.com/security/2009/06/19/shutting-down-xss-with-content-security-policy/

User Security Training Presentation

Here’s a “User Security Training” PowerPoint deck that I found on the web, edited a little and removed the branding – made it generic, so to speak. Since no one had one available when I asked, I thought I would share the wealth and post the one I found – like I said, I gave it a neutral ‘brand’ so you can add your ‘brand’ to it.

User Security Training Presentation

Passively Detecting SQL Injection

From the Tenable Security Blog

SQL injection is a class of vulnerabilities that can plague web applications in your environment, often with devastating consequences. They can be difficult to detect and validate and are sometimes the cause of major data breaches. This is a deadly combination. Databases contain the information that attackers are after, including SSN, credit card numbers and other information associated with an individual’s identity such as name, address, phone number, mother’s maiden name and more.

The Tenable Passive Vulnerability Scanner (PVS) contains a check for detecting SQL injection attacks. It is a very simple check that first looks for an HTTP request:

pregex=^(GET|POST) /.* HTTP/1\.

Next, it looks for a response that is not formatted as HTML:

match=!<html>

match=!<HTML>

At first glance you might be inclined to think this would lead to false positives, since any non-HTML response (an image, a stylesheet, a JSON reply) satisfies the second condition. In fact, it turns out to be quite an accurate check. At one of the Tenable research sites we saw this alert:

[screenshot: pvs-sqlinjection]

When I went to the above URL manually, I was presented with an error page:

[screenshot: error]

It appears that the error page was not rendering correctly (an error on the error page, how ’bout that?). Viewing the source of the page revealed information about the problem:

[screenshot: error2]

The result of “View source” above contains valuable information that can be used in SQL injection attacks: a table name and a column name are visible in the SELECT statement, the page reveals the file system path in use on the web server, and the error message tells us that the remote server is using a MySQL database. This is extremely valuable information for an attacker looking to exploit this potential vulnerability.

Conclusion

The parameter should be tested more thoroughly to see if SQL injection is indeed possible. However, the information gathered from the error message is certainly a good start for an attacker. It is important to configure the web application so that it never displays this kind of error message to the end user: log the full error server-side and return a generic error page. Passive monitoring is an excellent way to watch your web applications without any impact on the environment. Activity from normal users, potential hackers and even web spiders can all provide input that results in an unexpected SQL error being displayed.
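To make the two-stage idea concrete, here is an added Python example (my own illustration, not Tenable’s code and not the PVS plugin) that replays the same heuristic over a few constructed request/response pairs and then looks for database error text and the details an attacker would harvest from it. The PVS directives quoted above are the model for stage one; the error signatures, the file-path pattern and the SQL-fragment pattern are my own assumptions and should be extended for the engines actually deployed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Stage one mirrors the two PVS directives quoted above: a GET/POST request
# whose response body carries no <html> tag. (PVS matches the literal strings
# "<html>" and "<HTML>"; this version also accepts "<html lang=...>".)
REQUEST_RE = re.compile(r"^(GET|POST) /.* HTTP/1\.", re.MULTILINE)
HTML_RE = re.compile(r"<html", re.IGNORECASE)

# Stage two: database error text leaking into the response. These strings are
# an assumption (common messages from the named engines), not a complete list.
DB_ERROR_SIGNATURES = {
    "mysql": re.compile(
        r"You have an error in your SQL syntax|mysql_fetch_array\(\)"
        r"|supplied argument is not a valid MySQL", re.I),
    "mssql": re.compile(
        r"Unclosed quotation mark|Microsoft OLE DB Provider for SQL Server"
        r"|\[SQL Server\]", re.I),
    "oracle": re.compile(r"\bORA-\d{5}\b"),
    "postgresql": re.compile(r"pg_query\(\)|syntax error at or near", re.I),
}
# Details worth extracting for the analyst: a server-side file path and the
# SQL statement fragment that the error echoed back.
PATH_RE = re.compile(r"(?:[A-Za-z]:\\|/)(?:[\w.-]+[\\/])+[\w.-]+\.\w+")
SQL_RE = re.compile(r"\b(SELECT\s.+?\bFROM\s+\S+[^'\"<\n]*)", re.I | re.S)


@dataclass
class Alert:
    request_line: str
    non_html: bool            # stage one fired
    engine: Optional[str]     # stage two: which database complained, if any
    sql_fragment: Optional[str]
    file_path: Optional[str]


def stage_one(request: str, response: str) -> bool:
    return bool(REQUEST_RE.search(request)) and not HTML_RE.search(response)


def stage_two(response: str) -> Optional[str]:
    for engine, signature in DB_ERROR_SIGNATURES.items():
        if signature.search(response):
            return engine
    return None


def inspect(request: str, response: str) -> Optional[Alert]:
    """Return an Alert when either stage fires, with whatever details are recoverable."""
    non_html = stage_one(request, response)
    engine = stage_two(response)
    if not non_html and engine is None:
        return None
    sql = SQL_RE.search(response)
    path = PATH_RE.search(response)
    return Alert(
        request_line=request.splitlines()[0],
        non_html=non_html,
        engine=engine,
        sql_fragment=sql.group(1).strip() if sql else None,
        file_path=path.group(0) if path else None,
    )


# Constructed traffic, not real captures. Three cases:
#   1. an ordinary HTML page             -> no alert
#   2. a JSON API reply                  -> stage one only (needs triage)
#   3. a PHP/MySQL error leaking a query -> both stages, with extracted details
SAMPLES: List[Tuple[str, str]] = [
    ("GET /index.php HTTP/1.1\r\nHost: shop.example\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
     "<html><body>Welcome</body></html>"),
    ("GET /api/cart HTTP/1.1\r\nHost: shop.example\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
     '{"items": [], "total": 0}'),
    ("GET /product.php?id=1' HTTP/1.1\r\nHost: shop.example\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
     "<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid "
     "MySQL result resource in <b>/var/www/html/product.php</b> on line <b>42</b><br />\n"
     "Query failed: You have an error in your SQL syntax; check the manual that "
     "corresponds to your MySQL server version for the right syntax to use near '''' at line 1\n"
     "SELECT name, price FROM products WHERE id = '1''\n"),
]


def run_samples() -> List[Optional[Alert]]:
    return [inspect(req, resp) for req, resp in SAMPLES]


if __name__ == "__main__":
    for alert in run_samples():
        print(alert)
```

The second sample is the false positive the text anticipates: stage one fires on a perfectly healthy JSON reply, and only the absence of an engine signature tells the analyst it can be closed quickly. The third sample reproduces the situation in the screenshots: no `<html>` tag, a MySQL error, the script path and the start of the query all in one response.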

Maximum Risk to Maximum Security

From http://blog.sebastien.raveau.name/

(Sorry for the delay; I am now doing what I should have done a long time ago: splitting my article in two parts, as it is the second part that really held me back… What do you want? Being a perfectionist, I can’t publish a “From Maximum Risk To Maximum Security” article until I have everything covered :P)

What I describe here should be very useful to you if you find yourself in at least one of the following situations:

  • you can use an Internet connection but it lacks security (e.g. free Wi-Fi hotspots, campus Internet, etc.)
  • you want to demonstrate ineffective firewalling during a pentest
  • you subscribed to a two-year contract for “unlimited mobile Internet access” (so unlimited that their marketing department even named it “Illimythics 3G+” in my case), asked every rep you could whether it would indeed meet your needs, and while none of them seemed to know what SSH is, they all blatantly assured you that it would… until you realized, too late, that it is in fact HTTP-only
  • you feel ripped off by a hotel reservation that you chose specifically because it advertised Wi-Fi access for customers, only to find once there that they charge extra for it.

All in all, this comes down to a simple problem: how to get full and secure Internet access in (almost) every case?

To address this problem, we’ll rely on what I call a “stepping stone”, i.e. a computer reachable by all means, preferably 24/7, with private, unrestricted Internet access, to which we will tunnel our Internet traffic by whatever means we have available at the time.

Now, being able to reach your stepping stone depends on what kind of traffic you are allowed on the connection you try to reach it from… Let’s enumerate the options from best case to worst case in terms of usability:

1. IPSec traffic directly to the stepping stone

I cite IPSec first because it is THE standard for secure Virtual Private Networking and is therefore available on all operating systems. However, you will only be able to use it if there is no firewall or the firewall doesn’t filter it (cf. the paragraph on IPv6 below), and, if you are behind a NAT router, only if you’re the sole IPSec user or the router supports NAT-T.

2. any kind of traffic directly to at least one UDP port on the stepping stone

In this case the best option is OpenVPN; if you know the port number in advance all you have to do is configure OpenVPN to bind to this port, otherwise you can redirect traffic arriving on other UDP ports to OpenVPN with Netfilter. The rule below rewrites the destination port of every new inbound UDP flow on eth0; replies to the stepping stone’s own outbound UDP traffic (DNS lookups, for instance) belong to existing connections and are left alone by connection tracking:

iptables -t nat -A PREROUTING -i eth0 -p udp -j REDIRECT --to-port 1194
I made my OpenVPN reachable on all UDP ports because every now and then I am surprised to see some exotic UDP port allowed through a firewall, no idea why… HD Moore wrote a very useful script to test that.

3. any kind of traffic directly to at least one TCP port on the stepping stone

Here you can use OpenVPN as above (but two separate configuration files are needed to have it listen on both UDP and TCP) or OpenSSH tunneling.

I put TCP below UDP because TCP over TCP is considered a bad idea (the inner and outer retransmission timers interfere with each other as soon as packets are lost), so OpenVPN over TCP or OpenSSH with its new VPN capability (ssh -w) won’t work as well as OpenVPN over UDP.

Personally I chose OpenVPN on TCP too because:

  • using OpenSSH to tunnel to an HTTP proxy (like Squid) on the stepping stone is definitely quick to set up (ssh -L 3128:127.0.0.1:3128, then adjust the HTTP proxy settings in your browser, instant messaging client, etc. accordingly), or to have it act as a SOCKS proxy itself (ssh -D 1080), which is even quicker if your applications support SOCKS proxying (all browsers do), but that requires having a highly privileged daemon facing the Internet for little reason
  • it sure is nice to be able to administer your stepping stone remotely with OpenSSH, but you can always do that once you’re connected with OpenVPN

And, same as above, if you know the port number in advance all you have to do is configure OpenVPN to bind to this port, otherwise you can redirect traffic arriving on other TCP ports to OpenVPN with Netfilter. Note that this catches every new inbound TCP connection, including SSH on port 22, so exclude from the rule any port you still want to reach directly:

iptables -t nat -A PREROUTING -i eth0 -p tcp -j REDIRECT --to-port 1194
Like with UDP, you never know what crazy TCP port a firewall might allow. I once found a firewall that would allow me nothing but emailing the whole Internet (TCP port 25) : what the f… oh well.

4. IPv6 traffic directly to the stepping stone

While it does not address the confidentiality of the communications by itself (though it goes along with IPSec pretty well), IPv6 is a firewall traversal means that deserves a mention: if you’re lucky enough to have IPv6 support on both sides, and if the firewall administrators were clueless enough to have a default-allow policy (yes, there are many) and not to take IPv6 into account (the two usually go together), it will get you through.

5. any kind of traffic, or just SSL traffic, to at least one TCP port (typically 443, the HTTPS port) on the stepping stone via an HTTP or SOCKS proxy

Many people use OpenSSH tunneling with connect.c to get through such proxies; it is indeed convenient but, once again, I’m not comfortable with the security implications. Fortunately, OpenVPN supports HTTP and SOCKS proxies out of the box. You can make OpenVPN reachable on TCP port 443 and other ports as explained above.

Note: some mobile Internet operators filter access to their proxy based on the User-Agent string of the web browser shipped with your smartphone; copy it to OpenVPN via the “http-proxy-option AGENT” parameter and off you go!

6. ICMP (like ping) traffic directly to the stepping stone

If, for example, you are able to ping 4.2.2.2 (one of the easiest publicly pingable IP addresses to remember), chances are you can use PingTunnel to connect to a TCP port on your stepping stone and from there access the whole Internet securely using OpenVPN or OpenSSH… There are issues with some NAT routers, so you might want to try “unprivileged mode” in PingTunnel, not for security reasons (I heavily patched PingTunnel to make it super tight; you’ll see in the next blog post) but because it then uses real ICMP Echo requests and replies (at the cost of throughput), which get through the NAT routers that don’t like how PingTunnel normally operates.

Also, a firewall not allowing ICMP Echo doesn’t mean it won’t allow ICMP messages of other types… Come to think of it, I’ll have to add this feature to PingTunnel too.


7. recursing DNS requests to the stepping stone via some DNS server

Now, about DNS tunneling: I put it among the last in this list because it provides less throughput than the previous solutions and, really, from a protocol engineering point of view it’s ugly… Then again, it’s AWESOME because it works almost everywhere!

In order to use it, you will need a domain name (or a subdomain at DNSTunnel.de, kindly offered by Julius Plenz) and one of the following: NSTX, Iodine, OzymanDNS, Heyoka.

Research is still active on the subject of DNS tunneling, which is why there are many tools already and more coming up. NSTX is the historical one; Iodine offers better throughput than NSTX and is available for most operating systems. OzymanDNS and Heyoka are less than a year old and still a bit proof-of-concept-ish but nonetheless interesting: the former is Dan Kaminsky’s attempt, and the latter has the highest ambition.

Personally I’m more than happy with Iodine.
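To show where the low throughput and the “ugliness” come from, here is an added Python example (my own illustration, not code from Iodine, NSTX or any other tool named above) of the upstream direction of a DNS tunnel: data is base32-encoded, cut into labels of at most 63 characters, prefixed with a sequence label and hung under a domain you control, so that whatever recursive resolver the network lets you use forwards each query to your stepping stone. The domain t.example.net is a placeholder, and the four-hex-digit sequence label is my own choice.

```python
import base64
import math
from typing import List, Tuple

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # practical maximum for a domain name in text form
SEQ_LEN = 4      # our sequence label is four hex digits (assumption)

# Placeholder tunnel domain; its NS record would point at the stepping stone.
DOMAIN = "t.example.net"


def _b32(data: bytes) -> str:
    # Unpadded, lowercased base32: DNS is case-insensitive and some resolvers
    # rewrite case, so only a case-insensitive alphabet survives the trip.
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def _unb32(text: str) -> bytes:
    return base64.b32decode(text.upper() + "=" * (-len(text) % 8))


def max_payload(domain: str) -> int:
    """Largest number of raw bytes one query name can carry under `domain`."""
    best = 0
    for nbytes in range(1, MAX_NAME):
        chars = math.ceil(nbytes * 8 / 5)          # base32 expansion
        labels = math.ceil(chars / MAX_LABEL)
        # seq label + its dot, data labels each followed by a dot, then the domain
        total = SEQ_LEN + 1 + chars + labels + len(domain)
        if total > MAX_NAME:
            break
        best = nbytes
    return best


def encode_query(seq: int, chunk: bytes, domain: str) -> str:
    """Build the query name for one chunk; the seq label also defeats resolver caching."""
    text = _b32(chunk)
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    name = ".".join([f"{seq:0{SEQ_LEN}x}", *labels, domain])
    if len(name) > MAX_NAME:
        raise ValueError("chunk too large for one query name")
    return name


def decode_query(name: str, domain: str) -> Tuple[int, bytes]:
    suffix = "." + domain
    if not name.endswith(suffix):
        raise ValueError("query is not for the tunnel domain")
    seq_label, *labels = name[:-len(suffix)].split(".")
    return int(seq_label, 16), _unb32("".join(labels))


def client_send(data: bytes, domain: str = DOMAIN) -> List[str]:
    """Client side: split `data` into the query names the resolver will forward."""
    size = max_payload(domain)
    return [encode_query(i, data[off:off + size], domain)
            for i, off in enumerate(range(0, len(data), size))]


def server_receive(queries: List[str], domain: str = DOMAIN) -> bytes:
    """Server side: reassemble in sequence order, whatever order the queries arrived in."""
    parts = sorted(decode_query(q, domain) for q in queries)
    return b"".join(chunk for _, chunk in parts)


if __name__ == "__main__":
    payload = bytes(range(256)) * 2          # 512 constructed bytes
    queries = client_send(payload)
    print(f"{max_payload(DOMAIN)} bytes per query, "
          f"{len(queries)} queries for {len(payload)} bytes")
    print(queries[0])
    assert server_receive(list(reversed(queries))) == payload
```

With a 13-character domain the arithmetic tops out at 144 raw bytes per query name of 253 characters, and every one of those queries is a full round trip through someone else’s resolver; that is the throughput ceiling the text alludes to. The real tools go further than this sketch: downstream data comes back in the answer records (NULL or TXT), and Iodine negotiates denser encodings when the resolver path preserves case or high bytes.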


8. HTTP traffic to TCP port 80 on the stepping stone through a (transparent) HTTP proxy

As the name suggests, transparent proxies transparently redirect your connections to the Internet on TCP port 80 to a local HTTP proxy; it may look like you are simply allowed TCP port 80 to the Internet, but try sending anything other than HTTP on this port and it won’t work. Good to know, though: even if the transparent HTTP proxy doesn’t let you through for some reason, you will most likely be able to do DNS tunneling (see above), as letting the clients perform their own DNS requests is a requirement of transparent HTTP proxy setups.

Now, allowing HTTP but not HTTPS is utterly suspicious, besides breaking many web authentication procedures. Fortunately it is very rare, but in case you end up in this situation, HTTPTunnel is the way out: it lets you connect to another TCP port on your stepping stone (and thus reach OpenVPN or OpenSSH) while making your traffic look like HTTP.

Note: User-Agent filtering can happen in this case too, see paragraph on HTTP and SOCKS proxies for solution.


9. other means of relaying data to and from the stepping stone via some reachable server

Apparently my friend Mubix has a super-secret project coming on that… in addition to having a Hak5 episode on tunneling SSH over DNS :)

As you can see, if you want to maximize your chances of reaching your stepping stone and thus getting full and secure Internet access, you basically have to make it face the Internet with all TCP ports open, all UDP ports open and even ICMP tied to a daemon… While I generally disagree with the people who say a computer with 10 ports open is less secure than a computer with 4 ports open, I have to concede that we are kind of daring the devil here…

And that is why in the other half of this article (which I’ll hopefully manage to find the time to finish within the week) I will explain how to achieve maximum security!

iBotnet: Researchers find signs of zombie Macs

From http://blogs.zdnet.com/security/

April 16th, 2009

Posted by Ryan Naraine @ 8:28 am

Malware hunters at Symantec have discovered a direct link between a malicious file embedded in pirated copies of Apple’s iWork 09 software and what appears to be the first Mac OS X botnet launching denial-of-service attacks.

Writing in the current issue of Virus Bulletin (subscription required), researchers Mario Ballano Barcena and Alfredo Pesoli describe two malware variants, OSX.Iservice and OSX.Iservice.B, that use different techniques to obtain the user’s password and take control of the infected Mac.

[ SEE: Mac OS X Malware found in pirated Apple iWork 09 ]

The variants have been found inside bogus copies of iWork ’09 and Adobe Photoshop CS4 which were shared on popular P2P torrent networks. The author of the malware downloaded the original/trial versions of each program and introduced a copy of the malicious binary into the packages. Users who then downloaded and installed the applications from the torrent would have been infected. It is estimated that thousands of people have downloaded the infected torrent files.

They describe this as the “first real attempt to create a Mac botnet” and note that the zombie Macs are already being used for nefarious purposes.

The researchers pointed to this blog entry that describes a PHP script, running as root, launching attacks against an unknown Web site.

The article goes into detail on the botnet’s peer-to-peer engine, startup and encryption capabilities and configuration file structure, and concludes that the person who wrote the malware is not the same as the person who actually ‘used’ it.

“The code indicates that, wherever possible, the author tried to use the most flexible and extendible approach when creating it – and therefore we would not be surprised to see a new, modified variant in the near future,” the researchers added.

Five Minute Security Assessment

From http://www.shortinfosec.net/

A security assessment is a big deal. It takes a lot of time, requires a good chunk of budget since it is done by independent consultants, and the outcome is at best ‘OK, but could be better’.

For all these reasons, as well as some ego-related ones which won’t be mentioned here, a lot of companies avoid hiring a security consultant and doing this assessment.

While the real thing may take time, budget lobbying and the guts to admit that you are not perfect, here is a very fast self-assessment which will give you a feeling for where you stand. You can do it on your own time, and no one needs to know the outcome.

Assessment instructions
Answer each of the questions truthfully with a yes or a no; if the answer is only partial, count it as a no. For each answer add the number of points indicated on the question to a running total. After the last question, sum the score and find the assessment result for the interval your score falls in (the maximum is 36 points).

Assessment questions

1. Do we have a firewall active at all ingress points of the network? Yes – 5 points, No – 0 points
2. Does our team control all firewalls? Yes – 5 points, No – 0 points
3. Do we have the following basic technical policies in place? Add 1 point for each policy in place
* password complexity
* password retention
* password history
* logon hours
* controlled registry editing

4. Does everyone in the organization have their own individual and unique username for all activities? Yes – 5 points, No – 0 points
5. Do we have logon/logoff auditing active on all servers and stations? Yes – 5 points, No – 0 points
6. Do we have a testing environment for patches, new versions and new software before it is rolled out into production? Yes – 5 points, No – 0 points
7. Do we have written procedures that regulate each of the six areas above as a process? Add 1 point for each procedure in place (up to 6 points)

Assessment results

* 30-36 points – Very good security posture – You have the basics of great security governance. Continue developing both the procedural and technical levels of security.
* 20-29 points – Acceptable security posture – You are lacking in written procedures and change management, but basic technical security is at a good level; you need to work harder on formalization.
* 10-19 points – Basic security posture – Very basic security, lacking any formal security process, and probably also missing elements in auditing, ingress path control and technical policies. You have a long way to go, and you should have started yesterday!
* 0-9 points – Disaster waiting to happen – So you have firewalls? Really? And maybe you’ve even plugged them in? Hire a good security expert, after firing your current one, and start getting somewhere.

Information Technology and Security


Information technology and information security are my fields of expertise, and I have the pleasure of working within those fields as a career. The abstract thought process and the mix of technical knowledge make it almost like play time. Thinking outside the box is outmoded – you have to think even more abstractly, since you are trying to see all points of view: from CEO to hacker, from tactical to strategic, and even political.


I’ve posted a lot of information technology and information security related posts to this website. I learn from the information I glean from around the web, and I wanted a place I could refer back to, since some of the command line and shortcut stuff is priceless. It doesn’t matter what status I hold at work, I’m always interested in polishing my skills and learning new ones. There should never be a point, even in the executive layer, when we let go of those skills.

Information security is an area I have a lot of passion for. I am the Director of Information Technology and Information Security Officer for the company I work for and, as such, have to keep my finger on the pulse. I have done hacking courses and am technically proficient, but I would not say that I am anything other than someone who sees how it can be done and wants to prevent it happening to the company I work for.

Here’s a Standard Penetration Testing Checklist. See how involved it is, and that is just the entry point. I didn’t write this, by the way – why reinvent the wheel? – but it’s a great reminder and backbone for penetration testing. All I am trying to illustrate is the complexity of information security, and that it is all too often overlooked by executives for no other reason than that nobody armed them with enough information. Yes, we should take the blame for some of that. When I presented the base level of hacking techniques to our executive staff I immediately got budget money. I meant to scare them, and boy did I.

You’ll notice in the tech section there is a ton of useful information. This is just a piece of what I find useful – I don’t have time to post it all so I try to post the most interesting – well, to me anyway. More as it comes to me.