All Entries Tagged With: "security"

CISOs Keep Breach Costs Lower

The latest “Cost of a Data Breach” survey from the Ponemon Institute finds companies with a CISO are better able to handle loss of sensitive information

By Joan Goodchild, Senior Editor

Companies continue to pay a high price to clean up the mess created by a data breach, but having a Chief Information Security Officer (CISO) may offer some protection. That is the conclusion of a study released Monday by the Ponemon Institute, a Michigan-based consultancy that conducts independent research on privacy, data protection and information security policy.

This is the fifth year Ponemon has conducted its “Cost of a Data Breach” survey, which examined actual data breach experiences of 45 U.S. companies from 15 different industry sectors. This year, the cost of a data breach has increased to $204 from last year’s $202 per customer record. However, companies that had a CISO (or equivalent title) who managed the data breach incident experienced an average per capita cost of $157 versus $236 for companies without such CISO leadership.

Approximately 40 percent of participating companies had a CISO in charge of managing the data breach incident, according to the survey.

“While other functional areas are typically involved in crisis management activities surrounding the data breach, our results suggest CISO leadership substantially reduces the overall cost of data breach,” the report states.

“The one big takeaway on positive takeaway is that in (companies) that have CISO involvement, breaches tend to cost less because they have a more strategic view of protecting data than the old idea of whack-a-mole, fix it a hundred different times,” explained Phillip Dunkelberger, president and CEO of PGP Corp., which co-sponsored the study. “CISO involvement at a higher level means less cost of a data breach and less chance of repeating it because of the strategic view of protecting it that these professionals take.”

While the cost of a breach only rose two dollars per record this year, Dr. Larry Ponemon, founder and chair of the Ponemon Institute, pointed out the massive increase in cost over the five years since the study’s inception, when breaches cost $138 per compromised customer record. In figuring out the costs, the study takes into account a wide range of business costs, including expense outlays for detection, escalation, notification, and after the fact (ex-post) response. The economic impact of lost or diminished customer trust and confidence, measured by customer churn or turnover rates, is also analyzed.

Other highlights from this year’s research include:
- Forty-two percent of all cases in this year’s study involved third-party mistakes or flubs. Data breaches involving outsourced data to third parties, especially when the third party is offshore, are most costly. The per capita cost for data breaches involving third parties is $217 versus $194, more than a $21 difference, according to Ponemon.

- Twenty-four percent of all cases in this year’s study involved a malicious or criminal attack that resulted in the loss or theft of personal information. Research shows data breaches involving malicious or criminal acts are much more expensive than incidents resulting from negligence. The per capita cost of a data breach involving a malicious or criminal act averages $215. The per capita cost of a data breach involving a negligent insider or a systems glitch averages $154 and $166, respectively.

- Thirty-six percent of all cases in this year’s study involved lost or stolen laptop computers or other mobile data-bearing devices. Data breaches concerning lost, missing or stolen laptop computers are more expensive than other incidents. Specifically, in this year’s study the per victim cost for a data breach involving a lost or stolen laptop is $225.

“It’s not just about bad guys, but also good guys who make mistakes,” noted Ponemon.

Companies on IT Security Spending: Where’s the ROI?

Companies have spent millions to bolster their IT security in recent years. But some are starting to wonder if it’s been worth it, according to the 2010 Cyber Security Watch survey CSO conducted with the U.S. Secret Service, Carnegie Mellon University CERT and Deloitte & Touche.

By Bill Brenner, Senior Editor, CSO Online

Companies have spent many millions of dollars to build defenses around their IT assets this past decade, motivated by malware attacks, data security breaches and the resulting regulatory compliance cattle prod.

But the bad guys are still a few steps ahead in terms of sophistication and speed, and some wonder if their investments were all for nothing, according to the newly released 2010 Cyber Security Watch Survey.

More than 500 respondents, including business and government executives, professionals and consultants, participated in the survey, conducted by CSO Magazine with help from the U.S. Secret Service, Carnegie Mellon Software Engineering Institute (CERT) and Deloitte’s Center for Security and Privacy Solutions. Though respondents point to sizable efforts to keep their companies secure, many admit it’s getting almost impossible to outpace the bad guys.

“Security confidence seems to be waning. Respondents are spending more money and implementing new capabilities, but overall they seem to be unsure about how truly effective their efforts really are toward ensuring security,” said Ted DeZabala, principal at Deloitte & Touche LLP and U.S. leader of Deloitte’s Security & Privacy services.

The survey showed a drop in cybercrime victims — 60 percent this year compared to 66 percent in 2007. But the affected organizations have experienced significantly more attacks than in previous years, fueling doubts about the return on investment (ROI) of security spending.

Between August 2008 and July 2009 more than a third (37 percent) of respondents experienced an increase in cybercrimes compared to the previous year. While outsiders (non-employees or contractors) are the main culprits of cybercrime in general, the most costly or damaging attacks are more often caused by insiders (employees or contractors). One quarter of all cybercrime attacks were committed by an unknown source.

Although the number of incidents rose, the ramifications have not been as severe. Since 2007, when the last cybercrime survey was conducted, the average monetary value of losses resulting from cybercrimes declined by 10 percent. This can likely be attributed to an increase in both IT security spending (42 percent) and corporate/physical security spending (86 percent) over the past two years.

And yet, as technology advances, so do the attack methods, and many respondents worry that the bad guys are still winning. Outsiders invade organizations with viruses, worms or other malicious code; phishing; and spyware, while insiders most commonly expose private or sensitive information unintentionally, gain unauthorized access to/use of information systems or networks, and steal intellectual property.

The survey finds that insiders most often use their laptops or copy information to mobile devices as a means to commit electronic crimes against their organization. Respondents suggested data is often downloaded to home computers or sent outside the business via e-mail. This may lead to damaged reputations and may put organizations in violation of state or federal data protection laws.

More than half of the respondents — 58 percent — do believe they are more prepared to prevent, detect, respond to or recover from a cybercrime incident compared to the previous year. But only 56 percent have a plan for reporting and responding to an incident.

The research also indicated that businesses are trying to take steps to identify insider threats. Nearly one-third (32 percent) now monitor the online activities of employees who may be disgruntled or who have turned in their resignations.

Dawn Cappelli, technical manager for the Threat and Incident Management division of the Software Engineering Institute CERT Program, said insider attacks continue to be seen as a bigger problem than anything that might come from the outside.

“Attacks are more costly than outside attacks, and seven of the top eight practices that were indicated as being most effective at prevention, detection and deterrence apply to employees,” she said.

Though many respondents may be doubting the ROI of their security investments, the activity to deal with the insider threat at least indicates that no one is thinking about tightening up on their spending. Perhaps that’s because many feel like they have no choice but to keep spending, lest they fall even further behind the bad guys.

“This looks like good news — they have found effective practices for handling the most costly threats,” Cappelli said. “However, the technical solutions for insider threat mitigation were ranked alarmingly low: DLP, ranked 9th least effective, and change control/configuration management systems, ranked 5th least effective. In addition, account audits are only being performed by 43 percent of respondents, probably because of the technology gap.”

To that end, her parting advice is not to the respondents, but to the vendor community: Come up with something better to help customers achieve the DLP and change control/configuration management they need.

USB History

From: COMMAND LINE KUNG FU: PaulDotCom, Ed Skoudis, Hal Pomeranz, byte_bucket

Ed Embarks:

Believe it or not, one of the things that we strive for in this blog is to be, not to put too fine a point on it, actually useful. We keep our musings here away from the theoretical and focused on the practical, in the hopes of helping people do their jobs better with a little bit of command-line fun. Almost* nothing gives Hal that special warm glow like e-mail from readers telling us that a recent article saved them tons of work, or allowed them to accomplish something they thought impossible. And, once Tim taught his mom to spoof e-mail addresses, the amount of such e-mail we receive has gone up a full 33% since we brought Tim on board.

Regular readers know that most of the techniques we cover here are focused on system administration and security work (such as audit, penetration testing, or, occasionally, forensics). For this episode, I’d like to address a technique that I find quite useful in my forensics work. As is our way, I’ll talk about it in good ol’ cmd.exe. But, I’m especially interested in seeing what magickal incantations Tim can add with PowerShell, and then I really want to see how Hal can tease this kind of information from Linux.

Sometimes, when working on a forensics case, we need to determine whether a given USB device was plugged into a given computer. Perhaps we are wondering if a user brought in an unauthorized USB token and attached it, infecting their system with malware which then spread. Or, maybe we want to get an idea if an intruder with physical access to a machine plugged in a USB hard drive so he or she could have copied large numbers of files. Sometimes, for a huge number of reasons, we need historical information about USB activities on the box for some extra proof of a perpetrator’s actions.

Windows stores information in the registry about every USB device plugged into the box. We can view this information with the following command:

c:\> reg query hklm\system\currentcontrolset\enum\usbstor /s

HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\usbstor\Disk&Ven_SanDisk&Prod_Enterprise&Rev_6.52

HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\usbstor\Disk&Ven_SanDisk&Prod_Enterprise&Rev_6.52\0B919380B2629895&0
DeviceDesc REG_SZ @disk.inf,%disk_devdesc%;Disk drive
Capabilities REG_DWORD 0x10
HardwareID REG_MULTI_SZ USBSTOR\DiskSanDisk_Enterprise______6.52\0USBSTOR\DiskSanDisk_Enterprise______\0USBSTOR\DiskSanDisk_\0USBSTOR\SanDisk_Enterprise______6\0SanDisk_Enterprise______6\0USBSTOR\GenDisk\0GenDisk
CompatibleIDs REG_MULTI_SZ USBSTOR\Disk\0USBSTOR\RAW
ClassGUID REG_SZ {4d36e967-e325-11ce-bfc1-08002be10318}
Driver REG_SZ {4d36e967-e325-11ce-bfc1-08002be10318}\0001
Class REG_SZ DiskDrive
Mfg REG_SZ @disk.inf,%genmanufacturer%;(Standard disk drives)
Service REG_SZ disk
ConfigFlags REG_DWORD 0x0
FriendlyName REG_SZ SanDisk Enterprise USB Device

HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\usbstor\Disk&Ven_SanDisk&Prod_Enterprise&Rev_6.52\0B919380B2629895&0\Device Parameters

HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\usbstor\Disk&Ven_SanDisk&Prod_Enterprise&Rev_6.52\0B919380B2629895&0\Device Parameters\MediaChangeNotification

HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\usbstor\Disk&Ven_SanDisk&Prod_Enterprise&Rev_6.52\0B919380B2629895&0\Device Parameters\Partmgr
Attributes REG_DWORD 0x0

HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\usbstor\Disk&Ven_SanDisk&Prod_Enterprise&Rev_6.52\0B919380B2629895&0\LogConf

HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\usbstor\Disk&Ven_SanDisk&Prod_Enterprise&Rev_6.52\0B919380B2629895&0\Properties
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\usbstor\Disk&Ven_SanDisk&Prod_Enterprise&Rev_6.52\0B919380B2629895&0\Control

The /s indicates that I want the reg command to recurse the Registry, showing all settings under this area. In my output, I first see an indication of the vendor and product information, which is prefaced with “Disk&Ven”. I can just pull that information by piping the output through the find command in a case-insensitive (/i) fashion:

c:\> reg query hklm\system\currentcontrolset\enum\usbstor /s | find /i "Disk&Ven"

Here, you’ll see stuff like SanDisk (for a lot of thumb drive memory tokens), Lexar, WD, SAMSUNG, and much more. You’ll also typically see a “Prod” indication on this same line, showing the product name or number the vendor associates with the device. A quick Google search on the vendor and product data will often show you more details about the product.

After that, we get a registry entry with a unique id number associated with the device (0B919380B2629895&0 in the example above). This value is derived from a serial number from the device. With this number, I can track the usage of a single USB device across multiple machines.

Also, keep in mind that reg can query a remote machine’s registry, so I can pull this data from target systems where I have admin credentials and SMB access, by simply prefixing the hklm above with \\MachineName\. Oh, and one more nifty bonus: reg treats registry paths as case insensitive, so I don’t have to memorize the annoying CamelCase nonsense of registry key names. No, unfortunately, the cmd.exe reg command doesn’t have tab autocomplete with registry paths, something that I’m sure Tim is going to extol in his PowerShell write-up.

*Don’t ask. You really don’t wanna know.

Tim finds his way in:

So we are digging into the registry, huh? Well, that’s easy. Especially with tab completion! (Insert angel AAAAAAAAHHHHH sound here) Tab completion in the registry is such a handy feature, especially when you can’t remember if the CurrentVersion key has a space in the middle (it doesn’t).

PS C:\> gci -r HKLM:\SYSTEM\curr<Press tab>

PS C:\> gci -r HKLM:\SYSTEM\CurrentControlSet

See how easy that was? That saved a dozen key strokes, keystrokes that can be shipped to the keystroke challenged and help them with their crops and…uh…let’s get back to what we are supposed to be working on.

So we are using Get-ChildItem, the same command we use to browse the file system. However, when we use Get-ChildItem with the registry it doesn’t display the values. Why? Well, you don’t see the contents of files when you do a directory listing, do you? Ok, that is a bit weak, but it does make sense if you think about it just right.

Another thing that might take you by surprise is that you can “change directory” into the registry. Technically “cd” is an alias for Set-Location, but it still works the same as the “cd” you know and love from the other shells.

PS C:\> cd HKLM:
PS HKLM:\> cd software
PS HKLM:\SOFTWARE> ls

Hive: HKEY_LOCAL_MACHINE\SOFTWARE

SKC  VC Name                           Property
---  -- ----                           --------
  1   0 ActiveTouch                    {}
  4   0 Adobe                          {}
  1   0 AGNS                           {}
  2   0 Alps                           {}
...

Now that you have seen some of the mind-bending features of PowerShell, let’s try to recreate what Ed did.

PS C:\> gci -r HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR | select name
Name
----
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\usbstor\Disk&Ven_SanDisk&Prod_Enterprise&Rev_6.52
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\usbstor\Disk&Ven_SanDisk&Prod_Enterprise&Rev_6.52\0B919380B2629895&0
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\usbstor\Disk&Ven_SanDisk&Prod_Enterprise&Rev_6.52\0B919380B2629895&0\Device Parameters
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\usbstor\Disk&Ven_SanDisk&Prod_Enterprise&Rev_6.52\0B919380B2629895&0\Device Parameters\MediaChangeNotification
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\usbstor\Disk&Ven_SanDisk&Prod_Enterprise&Rev_6.52\0B919380B2629895&0\Device Parameters\Partmgr
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\usbstor\Disk&Ven_SanDisk&Prod_Enterprise&Rev_6.52\0B919380B2629895&0\LogConf
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\usbstor\Disk&Ven_SanDisk&Prod_Enterprise&Rev_6.52\0B919380B2629895&0\Properties
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\usbstor\Disk&Ven_SanDisk&Prod_Enterprise&Rev_6.52\0B919380B2629895&0\Control
...

We use -r, which is short for Recurse, in order to show all the keys below our current location. Now let’s find all of the devices that have been plugged in.

PS C:\> gci -recurse HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR |
? { $_.PSPath -match ".*Disk&Ven[^\\]*$" } | select PSChildName
Disk&Ven_SanDisk&Prod_Enterprise&Rev_6.52
Disk&Ven_&Prod_USB_Flash_Memory&Rev_PMAP
Disk&Ven_Generic&Prod_&Rev_6000
Disk&Ven_IronKey&Prod_Secure_Drive&Rev_1.00
...

First, we get the results of Get-ChildItem. Next, we filter the results based on a regular expression. The regular expression looks for Disk&Ven followed by any characters that are NOT a backslash. Finally, we select the name of the node using the PSChildName property. The PSChildName is the name of the node in question. The property name leaves a little to be desired, but it works.

We got the vendor and product info, and we can use a similar command to get all the unique ids.

PS C:\> gci -recurse HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR |
? { $_.PSParentPath -match ".*Disk&Ven[^\\]*$" } | select PSChildName
0B919380B2629895
...

The difference between the commands is subtle. In the second command we use our regular expression on the parent item, not the current item. This takes us one step deeper and gets us the unique id.
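As an added example (not code from the episode), here is a small Python parser for the USBSTOR key paths that reg query and Get-ChildItem print above. It pulls vendor, product, revision and serial out of each key, de-duplicates the subkeys, and merges exports from several hosts so one serial can be followed across machines, as Ed describes. The host names, the IronKey serial and the no-serial instance id are constructed for this example; the check that an instance id whose second character is an ampersand was generated by Windows (the device reported no serial) is a standard forensic caveat, not something the episode states.

```python
import re

# Constructed sample input: USBSTOR key paths as `reg query ... /s` or Get-ChildItem
# print them. The SanDisk and no-vendor entries mirror the episode's output; the
# IronKey serial 2005320A0B0C0D0E, the no-serial instance 7&2f1a9c3e&0 and the
# two host names are made up for this example.
HOST_A_KEYS = r"""
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\usbstor\Disk&Ven_SanDisk&Prod_Enterprise&Rev_6.52
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\usbstor\Disk&Ven_SanDisk&Prod_Enterprise&Rev_6.52\0B919380B2629895&0
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\usbstor\Disk&Ven_SanDisk&Prod_Enterprise&Rev_6.52\0B919380B2629895&0\Device Parameters
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\usbstor\Disk&Ven_SanDisk&Prod_Enterprise&Rev_6.52\0B919380B2629895&0\Properties
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\usbstor\Disk&Ven_&Prod_USB_Flash_Memory&Rev_PMAP
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\usbstor\Disk&Ven_&Prod_USB_Flash_Memory&Rev_PMAP\7&2f1a9c3e&0
"""
HOST_B_KEYS = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_IronKey&Prod_Secure_Drive&Rev_1.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_IronKey&Prod_Secure_Drive&Rev_1.00\2005320A0B0C0D0E&0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Enterprise&Rev_6.52\0B919380B2629895&0
"""

# <class>&Ven_<vendor>&Prod_<product>&Rev_<revision>[\<instance id>][\deeper subkeys]
# Registry paths are case-insensitive, so the regex is too.
KEY_RE = re.compile(
    r"\\usbstor\\"
    r"(?P<class>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)&Rev_(?P<rev>[^\\]*)"
    r"(?:\\(?P<instance>[^\\]+))?",
    re.IGNORECASE,
)


def parse_usbstor_key(path):
    """Split one USBSTOR key path into its fields; None if the path is not a USBSTOR key."""
    m = KEY_RE.search(path)
    if not m:
        return None
    rec = {"class": m["class"], "vendor": m["vendor"], "product": m["product"],
           "revision": m["rev"], "serial": None, "windows_generated_id": None}
    inst = m["instance"]
    if inst:
        serial, sep, _suffix = inst.rpartition("&")   # strip the trailing "&0"
        rec["serial"] = serial if sep else inst
        # If the second character of the instance id is '&', the device reported no
        # serial number and Windows generated the id itself, so it cannot be used to
        # follow the device to another machine (standard forensic caveat).
        rec["windows_generated_id"] = len(inst) > 1 and inst[1] == "&"
    return rec


def inventory(export_text, host):
    """One record per distinct (vendor, product, revision, serial) in a registry export."""
    seen = {}
    for line in export_text.splitlines():
        rec = parse_usbstor_key(line.strip())
        if rec is None or rec["serial"] is None:
            continue            # unrelated line, or the vendor-only parent key
        key = (rec["vendor"], rec["product"], rec["revision"], rec["serial"])
        if key not in seen:
            rec["hosts"] = {host}
            seen[key] = rec
    return list(seen.values())


def track_by_serial(*inventories):
    """Map each serial to the sorted list of hosts whose USBSTOR history contains it."""
    hosts_for = {}
    for inv in inventories:
        for rec in inv:
            hosts_for.setdefault(rec["serial"], set()).update(rec["hosts"])
    return {serial: sorted(hosts) for serial, hosts in hosts_for.items()}


if __name__ == "__main__":
    a = inventory(HOST_A_KEYS, "wks-01")
    b = inventory(HOST_B_KEYS, "wks-02")
    for serial, hosts in track_by_serial(a, b).items():
        print(serial, "seen on", ", ".join(hosts))
```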

PowerShell allows us to use the .NET framework, which gives us access to a lot of cool tools. While I wasn’t able to finish it for this episode, we can use the Windows API in order to get the last write time of the registry keys. It isn’t pretty, but it works. Much like some friends of mine.

Hal is happy to come along

I was really happy when Ed proposed this idea because the Linux side was something I’d been meaning to research for quite some time now. But now Ed just let me in on where all of those fan emails are coming from and I’m all depressed. Ah well, nothing to do but get really geeky in order to take my mind off things.

So your first question might be, how exactly does one research something like this? I went for the “brute force and massive ignorance” approach, using a technique similar to the find trick I discussed back in Episode #29. I simply used touch to update the timestamp on an empty file, plugged in the USB device, and then did a “find … -newer …” to locate any files that had changed as a result of the device being inserted. So the command line looked like:

# touch /root/timestamp
[... plug in USB device ...]
# find / -newer /root/timestamp

The results were actually quite interesting and fairly consistent across the two Linux distros I tested against: CentOS 5.4 (a Red Hat derivative running kernel v2.6.18) and Ubuntu 9.10 aka “Karmic Koala” (a Debian derivative running kernel v2.6.31). Here’s what I found:

1. When the device is plugged in, it inherits the next available “sd” device name. So on my laptop, for example, the internal drive is “sda”, so the first USB device gets “sdb”, the second “sdc”, and so on. Also a number of symlinks are created under /dev pointing to the sd device for the USB drive that was just inserted. Here are some of the pathnames to show you what I’m talking about:

/dev/disk/by-uuid
/dev/disk/by-uuid/80a5317f-8e4c-4c83-88ea-b5192b442f97
/dev/disk/by-path
/dev/disk/by-path/pci-0000:02:02.0-usb-0:1:1.0-scsi-0:0:0:0-part1
/dev/disk/by-path/pci-0000:02:02.0-usb-0:1:1.0-scsi-0:0:0:0
/dev/disk/by-id
/dev/disk/by-id/usb-Kingston_DataTraveler_2.0_8990000000000000000000B0-part1
/dev/disk/by-id/usb-Kingston_DataTraveler_2.0_8990000000000000000000B0
/dev/.udev/links
/dev/.udev/links/disk\x2fby-uuid\x2f80a5317f-8e4c-4c83-88ea-b5192b442f97
/dev/.udev/links/disk\x2fby-uuid\x2f80a5317f-8e4c-4c83-88ea-b5192b442f97/b8:17
/dev/.udev/links/disk\x2fby-path\x2fpci-0000:02:03.0-usb-0:1:1.0-scsi-0:0:0:0-part1
/dev/.udev/links/disk\x2fby-path\x2fpci-0000:02:03.0-usb-0:1:1.0-scsi-0:0:0:0-part1/b8:17
/dev/.udev/links/disk\x2fby-id\x2fusb-Kingston_DataTraveler_2.0_8990000000000000000000B0-0:0-part1
/dev/.udev/links/disk\x2fby-id\x2fusb-Kingston_DataTraveler_2.0_8990000000000000000000B0-0:0-part1/b8:17
/dev/.udev/links/disk\x2fby-path\x2fpci-0000:02:03.0-usb-0:1:1.0-scsi-0:0:0:0
/dev/.udev/links/disk\x2fby-path\x2fpci-0000:02:03.0-usb-0:1:1.0-scsi-0:0:0:0/b8:16
/dev/.udev/links/disk\x2fby-id\x2fusb-Kingston_DataTraveler_2.0_8990000000000000000000B0-0:0
/dev/.udev/links/disk\x2fby-id\x2fusb-Kingston_DataTraveler_2.0_8990000000000000000000B0-0:0/b8:16

You can see the manufacturer name for the device (“Kingston DataTraveler 2.0”), the serial number of the device (“8990000000000000000000B0”), and the UUID associated with the file system on the device (“80a5317f-8e4c-4c83-88ea-b5192b442f97”) in the path names above. And if you look closely, you’ll see that there’s a single partition on the device (in addition to the links that point to the device as a whole). If you wanted to, you could also run the mount command (see Episode #59) to get more information about this file system.

The only problem with all of this information is that it’s completely ephemeral. As soon as the drive is removed, all of this information goes away. So from an “after the fact” sort of forensic perspective, it’s not really all that useful.

2. In addition to the device files and links under /dev, the OS also creates some information files under /dev/.udev/db. CentOS calls these files names like “/dev/.udev/db/block@sdb” and “/dev/.udev/db/block@sdb@sdb1”, while the newer kernel on my Ubuntu box uses names like “/dev/.udev/db/block:sdb” and “/dev/.udev/db/block:sdb1”, but the basic information in the files is pretty much the same. Here’s the data in the “/dev/.udev/db/block:sdb1” file from my Ubuntu system:

N:sdb1
S:block/8:17
S:disk/by-id/usb-Kingston_DataTraveler_2.0_8990000000000000000000B0-0:0-part1
S:disk/by-path/pci-0000:02:03.0-usb-0:1:1.0-scsi-0:0:0:0-part1
S:disk/by-uuid/80a5317f-8e4c-4c83-88ea-b5192b442f97
W:51
E:ID_VENDOR=Kingston
E:ID_VENDOR_ENC=Kingston
E:ID_VENDOR_ID=0951
E:ID_MODEL=DataTraveler_2.0
E:ID_MODEL_ENC=DataTraveler\x202.0
E:ID_MODEL_ID=1603
E:ID_REVISION=1.00
E:ID_SERIAL=Kingston_DataTraveler_2.0_8990000000000000000000B0-0:0
E:ID_SERIAL_SHORT=8990000000000000000000B0
E:ID_TYPE=disk
E:ID_INSTANCE=0:0
E:ID_BUS=usb
E:ID_USB_INTERFACES=:080650:
E:ID_USB_INTERFACE_NUM=00
E:ID_USB_DRIVER=usb-storage
E:ID_PATH=pci-0000:02:03.0-usb-0:1:1.0-scsi-0:0:0:0
E:ID_FS_UUID=80a5317f-8e4c-4c83-88ea-b5192b442f97
E:ID_FS_UUID_ENC=80a5317f-8e4c-4c83-88ea-b5192b442f97
E:ID_FS_SEC_TYPE=ext2
E:ID_FS_VERSION=1.0
E:ID_FS_TYPE=ext3
E:ID_FS_USAGE=filesystem
E:DKD_PARTITION=1
E:DKD_PARTITION_SCHEME=mbr
E:DKD_PARTITION_NUMBER=1
E:DKD_PARTITION_TYPE=0x83
E:DKD_PARTITION_SIZE=4018885632
E:DKD_PRESENTATION_NOPOLICY=0

There isn’t a whole lot here we couldn’t have pulled out of the link names shown above, but this format is definitely a lot more readable. Unfortunately, this file is also ephemeral and gets cleaned up as soon as the drive is disconnected from the system.

At this point you’re probably asking yourself if there’s any forensic technique we could use to recover the deleted data. The bad news is that both the links and the db files created by the device insertion are created in a memory-based file system:

$ df /dev/.udev
Filesystem           1K-blocks      Used Available Use% Mounted on
udev                   1992768       276   1992492   1% /dev
$ df /dev/disk
Filesystem           1K-blocks      Used Available Use% Mounted on
udev                   1992768       276   1992492   1% /dev

Assuming the system hasn’t been rebooted since the device was inserted, I suppose it’s possible that you might find some strings still floating around in the memory image of the system (or possibly in the disk-based swap area). But frankly, I don’t hold out much hope for you. At least the db file has a nice regular structure to assist in searching.

3. There are, however, some more permanent records of the device having been connected to the system. Any of you who’ve been using Linux for a while know that when you hook up a removable device to the system, the Nautilus agent in the standard Gnome desktop will position an icon on the desktop that represents the device. You may have noticed that if you disconnect and later reconnect the same device, the icon will always re-appear in the same spot on the desktop. Nautilus keeps track of this in a file in your home directory.

On CentOS, the file is called “~/.nautilus/metafiles/x-nautilus-desktop\:%2F%2F%2F.xml” and looks like this:

<?xml version="1.0"?>
<directory><file name="trash" timestamp="1200596020" icon_position="64,182"/>
<file name="home" timestamp="1200596020" icon_position="64,102"/>
<file name="computer" timestamp="1200596020" icon_position="64,22"/>
<file name="CD-ROM%20Drive.volume" timestamp="1206558600" icon_position="64,282"/>
<file name="CD-RW%2FDVD%C2%B1RW%20Drive.volume" timestamp="1212709603" icon_position="64,282"/>
<file name="465.8%20GB%20Volume.volume" timestamp="1263069239" icon_position="64,282"/>
<file name="USB%20DISK%202.0.volume" timestamp="1263070714" icon_position="64,282"/>
<file name="Kingston%20DataTraveler%202.0.volume" timestamp="1263073745" icon_position="64,582"/></directory>

What’s interesting to me about this file is the time stamp value. The time stamp is in the Unix “seconds since Jan 1, 1970” format, but this can easily be converted to something human readable, if my co-authors will permit me to use a little bit of Perl:

$ perl -e 'print scalar(localtime(1263073745)), "\n";'
Sat Jan 9 13:49:05 2010

The only problem is that this time stamp value gets updated if the user moves the icon for the device around on their desktop. But since users don’t tend to do this very often, it usually reflects the time the device was first connected to the system.

On my Ubuntu box running a newer version of Gnome, the Nautilus agent actually creates a separate file for each new device. For example, the information for the “4.0 GB Filesystem” on my Kingston device ends up in a file called “~/.gconf/apps/nautilus/desktop-metadata/4@46@0@32@GB@32@Filesystem@46@volume/%gconf.xml”, which looks like this:

<?xml version="1.0"?>
<gconf>
<entry name="nautilus-icon-position-timestamp" mtime="1263074552" type="string">
<stringvalue>1263074552</stringvalue>
</entry>
<entry name="icon-scale" mtime="1263074552" type="string">
<stringvalue>1</stringvalue>
</entry>
<entry name="nautilus-icon-position" mtime="1263074552" type="string">
<stringvalue>64,10</stringvalue>
</entry>
</gconf>

What’s nice about the newer file format is that there are multiple time stamps in the file. The “icon-scale” time stamp does not get updated if the user repositions the icon on their desktop, and therefore may give you a truer reading on when the device was first connected to the system.
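To pull these Nautilus records out of both file formats at once, here is an added Python example (not from the episode) that lists the removable volumes in the old metafile, decodes the gconf directory name and XML of the newer format, and marks which timestamp survives the user dragging the icon. The sample files are the ones shown above, trimmed; times are rendered in UTC so the output is reproducible regardless of the analysis machine’s zone. The @<decimal>@ decoding rule for gconf directory names is inferred from the path shown above.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed sample input: the CentOS metafile and the Ubuntu %gconf.xml shown in
# the episode (the CentOS file trimmed to four entries).
CENTOS_METAFILE = """<?xml version="1.0"?>
<directory><file name="trash" timestamp="1200596020" icon_position="64,182"/>
<file name="home" timestamp="1200596020" icon_position="64,102"/>
<file name="USB%20DISK%202.0.volume" timestamp="1263070714" icon_position="64,282"/>
<file name="Kingston%20DataTraveler%202.0.volume" timestamp="1263073745" icon_position="64,582"/></directory>
"""
UBUNTU_GCONF_DIR = "4@46@0@32@GB@32@Filesystem@46@volume"
UBUNTU_GCONF_XML = """<?xml version="1.0"?>
<gconf>
<entry name="nautilus-icon-position-timestamp" mtime="1263074552" type="string">
<stringvalue>1263074552</stringvalue>
</entry>
<entry name="icon-scale" mtime="1263074552" type="string">
<stringvalue>1</stringvalue>
</entry>
<entry name="nautilus-icon-position" mtime="1263074552" type="string">
<stringvalue>64,10</stringvalue>
</entry>
</gconf>
"""


def utc(epoch):
    """Epoch seconds -> 'YYYY-MM-DD HH:MM:SS UTC'. A fixed zone keeps the evidence
    reproducible; convert to the examined machine's zone separately when reporting."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def centos_volumes(xml_text):
    """Removable volumes recorded in the old single-file metafile.
    Only *.volume entries are devices; trash/home/computer are desktop icons.
    The timestamp is rewritten when the icon is dragged, so it is only an upper
    bound on first connection, hence reliable=False."""
    volumes = []
    for f in ET.fromstring(xml_text).iter("file"):
        name = unquote(f.get("name"))            # "%20" -> " ", "%2F" -> "/"
        if name.endswith(".volume"):
            volumes.append({"volume": name[: -len(".volume")],
                            "seen_utc": utc(f.get("timestamp")),
                            "reliable": False})
    return volumes


def gconf_dirname_decode(dirname):
    """gconf escapes characters as @<decimal>@: '4@46@0@32@GB' -> '4.0 GB'.
    (Rule inferred from the directory name shown in the episode.)"""
    return re.sub(r"@(\d+)@", lambda m: chr(int(m.group(1))), dirname)


def ubuntu_volume(dirname, xml_text):
    """One device from a per-volume %gconf.xml. Prefer the icon-scale mtime, which is
    written once; the icon-position entries change every time the icon is moved."""
    mtimes = {e.get("name"): e.get("mtime") for e in ET.fromstring(xml_text).iter("entry")}
    name = gconf_dirname_decode(dirname)
    if name.endswith(".volume"):
        name = name[: -len(".volume")]
    first = mtimes.get("icon-scale")
    moved = mtimes.get("nautilus-icon-position-timestamp")
    return {"volume": name,
            "seen_utc": utc(first or moved),
            "reliable": first is not None,
            "last_moved_utc": utc(moved) if moved else None}


if __name__ == "__main__":
    for v in centos_volumes(CENTOS_METAFILE) + [ubuntu_volume(UBUNTU_GCONF_DIR, UBUNTU_GCONF_XML)]:
        print(v)
```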

The only problem with data in a user’s home directory is that an astute user may clean up after themselves if they’re doing something nefarious. And they may use a secure deletion tool (see Episode #32) to prevent recovery of the data.

4. The last place to find information about the device is in the system logs. Both the kernel and the file system drivers log information about the device being inserted.

Here’s the log from my CentOS system when the device is inserted:

Jan 9 13:51:22 localhost kernel: usb 1-1: new high speed USB device using ehci_hcd and address 8
Jan 9 13:51:22 localhost kernel: usb 1-1: configuration #1 chosen from 1 choice
Jan 9 13:51:22 localhost kernel: scsi7 : SCSI emulation for USB Mass Storage devices
Jan 9 13:51:28 localhost kernel: Vendor: Kingston Model: DataTraveler 2.0 Rev: 1.00
Jan 9 13:51:28 localhost kernel: Type: Direct-Access ANSI SCSI revision: 02
Jan 9 13:51:28 localhost kernel: SCSI device sdb: 7856128 512-byte hdwr sectors (4022 MB)
Jan 9 13:51:28 localhost kernel: sdb: Write Protect is off
Jan 9 13:51:28 localhost kernel: sdb: assuming drive cache: write through
Jan 9 13:51:28 localhost kernel: SCSI device sdb: 7856128 512-byte hdwr sectors (4022 MB)
Jan 9 13:51:28 localhost kernel: sdb: Write Protect is off
Jan 9 13:51:28 localhost kernel: sdb: assuming drive cache: write through
Jan 9 13:51:28 localhost kernel: sdb: sdb1
Jan 9 13:51:28 localhost kernel: sd 7:0:0:0: Attached scsi removable disk sdb
Jan 9 13:51:28 localhost kernel: sd 7:0:0:0: Attached scsi generic sg1 type 0
Jan 9 13:51:29 localhost kernel: kjournald starting. Commit interval 5 seconds
Jan 9 13:51:29 localhost kernel: EXT3 FS on sdb1, internal journal mode.
Jan 9 13:51:29 localhost hald: mounted /dev/sdb1 on behalf of uid 500

And here’s what happens when the device is removed:

Jan 9 14:00:43 localhost hald: unmounted /dev/sdb1 from '/media/disk' on behalf of uid 500
Jan 9 14:00:47 localhost kernel: usb 1-1: USB disconnect, address 8

You’ll notice that the system logs the UID of the user on the console of the system, as well as giving you information about the device name (no serial number though), and the size and type of file system found on the device.

The information logged on my Ubuntu box with a newer kernel version is slightly different:

Jan 9 14:02:26 ubuntu kernel: [ 2350.984617] usb 1-1: new high speed USB device using ehci_hcd and address 5
Jan 9 14:02:26 ubuntu kernel: [ 2351.365130] usb 1-1: configuration #1 chosen from 1 choice
Jan 9 14:02:26 ubuntu kernel: [ 2351.377732] scsi6 : SCSI emulation for USB Mass Storage devices
Jan 9 14:02:26 ubuntu kernel: [ 2351.378321] usb-storage: device found at 5
Jan 9 14:02:26 ubuntu kernel: [ 2351.378330] usb-storage: waiting for device to settle before scanning
Jan 9 14:02:31 ubuntu kernel: [ 2356.399268] usb-storage: device scan complete
Jan 9 14:02:31 ubuntu kernel: [ 2356.404119] scsi 6:0:0:0: Direct-Access Kingston DataTraveler 2.0 1.00 PQ: 0 ANSI: 2
Jan 9 14:02:31 ubuntu kernel: [ 2356.406027] sd 6:0:0:0: Attached scsi generic sg2 type 0
Jan 9 14:02:31 ubuntu kernel: [ 2356.438414] sd 6:0:0:0: [sdb] 7856128 512-byte logical blocks: (4.02 GB/3.74 GiB)
Jan 9 14:02:31 ubuntu kernel: [ 2356.441587] sd 6:0:0:0: [sdb] Write Protect is off
Jan 9 14:02:31 ubuntu kernel: [ 2356.441594] sd 6:0:0:0: [sdb] Mode Sense: 23 00 00 00
Jan 9 14:02:31 ubuntu kernel: [ 2356.441599] sd 6:0:0:0: [sdb] Assuming drive cache: write through
Jan 9 14:02:31 ubuntu kernel: [ 2356.463161] sd 6:0:0:0: [sdb] Assuming drive cache: write through
Jan 9 14:02:31 ubuntu kernel: [ 2356.463231] sdb: sdb1
Jan 9 14:02:31 ubuntu kernel: [ 2356.495857] sd 6:0:0:0: [sdb] Assuming drive cache: write through
Jan 9 14:02:31 ubuntu kernel: [ 2356.495900] sd 6:0:0:0: [sdb] Attached SCSI removable disk
Jan 9 14:02:32 ubuntu kernel: [ 2356.945441] kjournald starting. Commit interval 5 seconds
Jan 9 14:02:32 ubuntu kernel: [ 2356.957462] EXT3 FS on sdb1, internal journal
Jan 9 14:02:32 ubuntu kernel: [ 2356.957535] EXT3-fs: mounted filesystem with writeback data mode.
[... device is removed ...]
Jan 9 14:12:17 ubuntu kernel: [ 2942.693376] usb 1-1: USB disconnect, address 5

You’ll notice that the Ubuntu system isn’t logging the UID of the user on the console at the time the drive is connected. You could, however, still get this information by running “last” to see the login history of the system. The other problem is that the newer kernel logs use a slightly different format for reporting the device manufacturer info, so there isn’t a single grep expression that will work when parsing logs from multiple kernel versions.
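To handle both formats above in one pass, here is an added example (not from the original post) that extracts connect/disconnect times, device description, size, filesystem and, where hald logs it, the UID, and lists the sessions that still need cross-checking against “last”. The sample lines are constructed from the two formats shown; the address-8 block is modelled on the older format and is made up.

```python
"""Correlate USB mass-storage plug events from syslog across two kernel log formats."""
import re
from typing import Dict, List

# Constructed sample (not a real capture). The address-5 block reproduces the
# newer-kernel lines from the post; the address-8 block is modelled on the two
# older-format lines (hald 'on behalf of uid', no vendor line) and is made up.
SAMPLE_LOG = """\
Jan 9 14:00:12 localhost kernel: usb 1-1: new high speed USB device using ehci_hcd and address 8
Jan 9 14:00:18 localhost hald: mounted /dev/sdb1 on '/media/disk' on behalf of uid 500
Jan 9 14:00:43 localhost hald: unmounted /dev/sdb1 from '/media/disk' on behalf of uid 500
Jan 9 14:00:47 localhost kernel: usb 1-1: USB disconnect, address 8
Jan 9 14:02:26 ubuntu kernel: [ 2350.984617] usb 1-1: new high speed USB device using ehci_hcd and address 5
Jan 9 14:02:31 ubuntu kernel: [ 2356.404119] scsi 6:0:0:0: Direct-Access Kingston DataTraveler 2.0 1.00 PQ: 0 ANSI: 2
Jan 9 14:02:31 ubuntu kernel: [ 2356.438414] sd 6:0:0:0: [sdb] 7856128 512-byte logical blocks: (4.02 GB/3.74 GiB)
Jan 9 14:02:32 ubuntu kernel: [ 2356.957462] EXT3 FS on sdb1, internal journal
Jan 9 14:12:17 ubuntu kernel: [ 2942.693376] usb 1-1: USB disconnect, address 5
"""

SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\w+): ?(.*)$")
KTIME = re.compile(r"^\[\s*\d+\.\d+\] ")                 # newer kernels prefix "[ 2350.984617] "
CONNECT = re.compile(r"usb (\S+): new .*USB device .*address (\d+)")
DISCONNECT = re.compile(r"usb (\S+): USB disconnect, address (\d+)")
SCSI_ID = re.compile(r"scsi \S+: Direct-Access\s+(.+?)\s+PQ:")   # vendor/model/rev, newer format
BLOCKS = re.compile(r"\[(sd[a-z])\] (\d+) (\d+)-byte logical blocks")
FILESYS = re.compile(r"^(EXT\d) FS on (\S+?),")
HALD = re.compile(r"^(?:mounted|unmounted) (/dev/\S+).*on behalf of uid (\d+)")


def parse_usb_sessions(log_text: str) -> List[Dict]:
    """One record per connect/disconnect pair, holding whatever each format logged."""
    sessions: List[Dict] = []
    open_by_address: Dict[str, Dict] = {}
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        stamp, host, proc, msg = m.groups()
        msg = KTIME.sub("", msg, count=1)
        c = CONNECT.search(msg)
        if c:
            s = {"host": host, "port": c.group(1), "address": int(c.group(2)),
                 "connected": stamp, "disconnected": None, "description": None,
                 "disk": None, "partition": None, "size_bytes": None,
                 "filesystem": None, "uid": None}
            sessions.append(s)
            open_by_address[c.group(2)] = s
            continue
        d = DISCONNECT.search(msg)
        if d:
            s = open_by_address.pop(d.group(2), None)
            if s:
                s["disconnected"] = stamp
            continue
        # SCSI, sd and hald lines carry no USB address, so attach them to the
        # most recent still-open session; that is all syslog lets us do.
        if not sessions or sessions[-1]["disconnected"] is not None:
            continue
        s = sessions[-1]
        h = HALD.match(msg) if proc == "hald" else None
        if h:
            s["partition"], s["uid"] = h.group(1), int(h.group(2))
            continue
        i = SCSI_ID.search(msg)
        if i:
            s["description"] = " ".join(i.group(1).split())
            continue
        b = BLOCKS.search(msg)
        if b:
            s["disk"] = "/dev/" + b.group(1)
            s["size_bytes"] = int(b.group(2)) * int(b.group(3))
            continue
        f = FILESYS.match(msg)
        if f:
            s["filesystem"], s["partition"] = f.group(1), "/dev/" + f.group(2)
    return sessions


def sessions_without_uid(sessions: List[Dict]) -> List[Dict]:
    """Records where the log never said who was on the console: cross-check
    these against the login history ('last') for the connect/disconnect window."""
    return [s for s in sessions if s["uid"] is None]


if __name__ == "__main__":
    for s in parse_usb_sessions(SAMPLE_LOG):
        print(s)
```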

Phew! That’s a whole lot of information! The short summary, though, is that the only data that may exist long after the drive has been removed is the limited data in the system logs plus possibly some data in user home directories. I have to say that Windows leaves a much more detailed forensic trail. Whether you consider this a “feature” or not is up to you. I suppose it depends on whether you’re representing the prosecution or the defense.

Man-in-the-middle attacks demoed on 4 smartphones

Security researchers from SMobile Systems have released a paper detailing successful man-in-the-middle attacks against several smartphones.

The SSL-enabled login sessions on the tested Nokia N95, HTC Tilt, Android G1 and iPhone 3GS devices were sniffed using the publicly available SSLstrip tool, with the attack taking place over an insecure Wi-Fi network, the kind now prevalent literally everywhere. Here’s the scenario they used, and possible mitigation approaches:

“The attacker visits the same cafe that offers a free Wi-Fi hotspot and decides to employ basic host, network identification and enumeration tools from the laptop to enumerate all the active devices connected to the Wi‐Fi hotspot. From the results, the attacker notices a MAC address referring to a Nokia smartphone. The attacker knows that there is little to no detection capability present on an overwhelming majority of smartphones in use today, so the owner would likely never find out about a successful man-in-the-middle attack (MITM).

The well-informed attacker creates a successful MITM attack. In the meantime, the smartphone owner accesses the online bank website and enters the login credentials required to gain access to the banking information. In this scenario, all of the communication between the smartphone and the online bank site is routed through the attacker’s machine and the attacker can see the login details in plain text, as well as capture all the sites accessed by the victim.”

The awareness-raising test aims to educate users to approach convenient, free public Wi-Fi networks with caution, emphasizing that their mobile service provider’s 3G connection, or one offered by a trusted Wi-Fi network, should always be their first choice.

Anyway, just how insecure or susceptible to compromise are the majority of Wi-Fi networks found in high-traffic locations such as airports or international cities? The answer is, sadly, self-evident, and publicly available data backs it up.

Last year, AirTight Networks conducted a major wireless network security study by visiting 14 airports (11 in the U.S. and 3 in the Asia-Pacific region) and found that a huge percentage of the 478 Wi-Fi access points analyzed were either open or using outdated encryption protocols. Even more interesting was the fact that users were falling victim to “viral” Wi-Fi networks using descriptive and lucrative-sounding names seeking to establish legitimacy.

The prevalence of such “handy” but easy-to-compromise Wi-Fi networks is virtually the same internationally. For instance, similar wardriving tests conducted in Paris; Santiago, Chile; China; Monterrey, Mexico; Sao Paulo, Brazil; Caracas, Venezuela; Warsaw; and London offer similar insights into the “security” of such public networks.

Possible mitigation practices? According to Marlinspike, the author of the tool:

Cautious users, for example, have been advised to explicitly visit https URLs or to use bookmarks in order to protect themselves from sslstrip, while other SSL/TLS based protocols such as imaps, pop3s, smtps, ssl/irc, and SSL-based VPNs never present an opportunity for stripping. This talk will outline some new tools and tricks aimed at these points of communication, ultimately providing highly effective attacks on SSL/TLS connections themselves.

How often do you face the trade-off of using a public, and possibly insecure, Wi-Fi hotspot for the sake of convenience instead of sticking to your 3G data plan, even when traveling abroad?

Have you ever avoided using your mobile device and instead used your laptop at an airport because your host-based firewall’s better ARP filtering features (if any) can detect a changed MAC address for the (trusted) gateway and thereby flag possible MITM attempts?

How EV SSL-aware is your E-banking provider, especially if you’re E-banking over a mobile device? Or do you simply “VPN-and-forget” over a public Wi-Fi network?

Facebook Privacy & Security Guide

Created by Tom Eston. This is version 1.1 of the guide, last updated September 2009. It is updated when Facebook changes any privacy settings or configuration. Soon you will also be able to check out the video that walks you through these settings in your Facebook account (link coming soon).

Facebook Privacy & Security Guide PDF

Deactivating the rootkit – Core Labs

Deactivating the rootkit – from Core Labs, who are part of Core Security – the makers of Core IMPACT Pro.

Here’s an update from Core Security posted today – Wednesday August 12th, 2009

I attended Black Hat and Defcon this year and gained much useful information from that trip. There were a couple of eye-opening presentations in the general terms of the security world, and the one I am going to summarize here is “Deactivating the Rootkit” from Core Labs. You can view all the information, and download the white paper and presentation, from Core Labs. I’m going to outline it here from my notes – I would strongly suggest you read the details from Core Labs though – scary stuff!

Here are my notes:

HISTORY

2004: The BIOS size of 60% of all notebooks increased by 25kb.

2009: When Core Labs were investigating creating their own rootkit, they found one already there! There had been agreements with major vendors that this agent would be installed in the BIOS (Phoenix) as an anti-theft agent. It is dormant until activated – wait – activated? BACK DOOR!

More details: US 6,300,863 B1 Patent – Filed Mar 24, 1998 by Absolute Corp – Agent inside modem Option ROM – Support for DOS Backdooring

WHAT IS THIS ROOTKIT?

Absolute Corp, Computrace Anti-theft agent – Option ROM Embedded in Phoenix BIOS – Agreements with law enforcement agencies – Inside notebooks from HP, Dell, Lenovo, Toshiba, Gateway, ASUS, Panasonic, & more … estimated 60% of PC notebooks have this rootkit.

Option ROM header: (you’ll need to copy/paste this to see it properly)

00000000 55 aa 2a eb 15 43 6f 6d 70 75 54 72 61 63 65 20 |U.*..CompuTrace |
00000010 56 38 30 2e 38 36 36 78 1d 00 e9 5c 01 50 43 49 |V80.866x...\.PCI|
00000020 52 17 19 34 12 00 00 18 00 00 06 00 00 2a 00 00 |R..4.........*..|

PROBLEMS FOUND

  • Huge privacy risk (bad/no authentication)
  • Anyone can activate it with enough privileges
  • Anyone can change the configuration
  • Anyone can de-activate it
  • Whitelisted by AV (potentially undetectable)

If the notebook OS is not Windows it will not place any files – but it’s still there!

MORE ISSUES FOUND

Uses URL instead of IP – Configuration block can be modified:

Configuration block XOR 0xB5: (you’ll need to copy/paste this to see it properly)
00000000 b1 b7 b5 b5 35 ab b1 b4 b5 f5 b4 aa b1 b5 b5 b5 |....5...........|
00000010 b5 a5 bf 41 41 30 49 4e 30 30 30 30 30 95 b1 1f |...AA0IN00000...|
00000020 ee 30 86 a0 b1 8b b5 35 b5 ac ae 4a 4a 4a 4a 4a |.0.....5...JJJJJ|
00000030 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a |JJJJJJJJJJJJJJJJ|
00000040 4a 4a 4a 4a 4a 4a af b4 35 ae b3 b5 b5 b5 b5 b5 |JJJJJJ..5.......|
00000050 b5 a8 b7 b5 b5 f3 b3 b5 b5 b5 b5 b5 b5 f2 b3 b5 |................|
00000060 b5 b5 b5 b5 b5 fd af 00 50 d1 35 71 17 73 65 61 |........P.5q.sea|
00000070 72 63 68 2e 6e 61 6d 65 71 75 65 72 79 2e 63 6f |rch.namequery.co|
00000080 6d bf b7 b2 a5 b3 b3 ac 35 b4 b4 b5 b5 b2 b3 b5 |m.......5.......|
00000090 b5 b5 b5 b5 4a 98 b4 0d 98 b4 0d 9e b1 41 54 44 |....J........ATD|
000000a0 54 81 b7 38 2c 80 b7 39 2c 82 b2 39 2c 39 31 38 |T..8,..9,..9,918|

Stub agent: Unauthenticated BIOS code execution

DETECTING THE ROOTKIT AGENT

  • Two files to look for: system32\rpcnet.exe (normal agent) and System32\rpcnetp.exe (BIOS persistent agent)
  • A service called “Remote Procedure Call (RPC) Net” with no description
  • Outgoing connections to search.namequery.com (209.53.113.223)
  • A custom tool from Core (not released yet)

DEACTIVATING THE ROOTKIT

  • Easiest way is hosts file redirection (127.0.0.1)
  • Modifying the BIOS (only unsigned BIOS!)
  • Modifying the configuration block (registry, hard drive, etc.)
  • Modifying NVRAM, then a full HD wipe
  • Anyone think of more?

Does anyone else see what a huge risk this is to anyone owning a notebook with this BIOS, let alone corporations who (these days) predominantly issue notebooks to ALL employees? I strongly suggest you hop on over to Core Labs (they are a part of Core Security, by the way, the makers of Core IMPACT Pro).

These notes are the outline from the presentation, and of a further presentation that I made to the executive staff at the company I work for. It made them nervous, and we are going to take steps to negate this risk. What are you going to do?

Security Architecture Cheat Sheet for Internet Applications

From Lenny Zeltser: author bio details at the end of the post.

This cheat sheet offers tips for the initial design and review of an Internet application’s security architecture.

  1. Business Requirements
  2. Infrastructure Requirements
  3. Application Requirements
  4. Security Program Requirements

To print, use the two-page PDF version; you can also edit the Word version for your own needs.

#1: Business Requirements

Business Model

What is the application’s primary business purpose?

How will the application make money?

What are the planned business milestones for developing or improving the application?

How is the application marketed?

What key benefits does the application offer its users?

What business continuity provisions have been defined for the application?

What geographic areas does the application service?

Data Essentials

What data does the application receive, produce, and process?

How can the data be classified into categories according to its sensitivity?

How might an attacker benefit from capturing or modifying the data?

What data backup and retention requirements have been defined for the application?

End-Users

Who are the application’s end-users?

How do the end-users interact with the application?

What security expectations do the end-users have?

Partners

Which third-parties supply data to the application?

Which third-parties receive data from the application?

Which third-parties process the application’s data?

What mechanisms are used to share data with third-parties besides the application itself?

What security requirements do the partners impose?

Administrators

Who has administrative capabilities in the application?

What administrative capabilities does the application offer?

Regulations

In what industries does the application operate?

What security-related regulations apply?

What auditing and compliance regulations apply?


#2: Infrastructure Requirements

Network

What details regarding routing, switching, firewalling, and load-balancing have been defined?

What network design supports the application?

What core network devices support the application?

What network performance requirements exist?

What private and public network links support the application?

Systems

What operating systems support the application?

What hardware requirements have been defined?

What details regarding required OS components and lock-down needs have been defined?

Infrastructure Monitoring

What network and system performance monitoring requirements have been defined?

What mechanisms exist to detect malicious code or compromised application components?

What network and system security monitoring requirements have been defined?

Virtualization and Externalization

What aspects of the application lend themselves to virtualization?

What virtualization requirements have been defined for the application?

What aspects of the product may or may not be hosted via the cloud computing model?


#3: Application Requirements

Environment

What frameworks and programming languages have been used to create the application?

What process, code, or infrastructure dependencies have been defined for the application?

What databases and application servers support the application?

Data Processing

What data entry paths does the application support?

What data output paths does the application support?

How does data flow across the application’s internal components?

What data input validation requirements have been defined?

What data does the application store and how?

What data is or may need to be encrypted and what key management requirements have been defined?

What capabilities exist to detect the leakage of sensitive data?

What encryption requirements have been defined for data in transit over WAN and LAN links?

Access

What user privilege levels does the application support?

What user identification and authentication requirements have been defined?

What user authorization requirements have been defined?

What session management requirements have been defined?

What access requirements have been defined for URI and Service calls?

What user access restrictions have been defined?

How are user identities maintained throughout transaction calls?

Application Monitoring

What application auditing requirements have been defined?

What application performance monitoring requirements have been defined?

What application security monitoring requirements have been defined?

What application error handling and logging requirements have been defined?

How are audit and debug logs accessed, stored, and secured?

Application Design

What application design review practices have been defined and executed?

How is intermediate or in-process data stored in the application components’ memory and in cache?

How many logical tiers group the application’s components?

What staging, testing, and Quality Assurance requirements have been defined?


#4: Security Program Requirements

Operations

What is the process for identifying and addressing vulnerabilities in the application?

What is the process for identifying and addressing vulnerabilities in network and system components?

What access do system and network administrators have to the application’s sensitive data?

What security incident requirements have been defined?

How do administrators access production infrastructure to manage it?

What physical controls restrict access to the application’s components and data?

What is the process for granting access to the environment hosting the application?

Change Management

How are changes to the code controlled?

How are changes to the infrastructure controlled?

How is code deployed to production?

What mechanisms exist to detect violations of change management practices?

Software Development

What data is available to developers for testing?

How do developers assist with troubleshooting and debugging the application?

What requirements have been defined for controlling access to the application’s source code?

What secure coding processes have been established?

Corporate

What corporate security program requirements have been defined?

What security training do developers and administrators undergo?

Which personnel oversee security processes and requirements related to the application?

What employee initiation and termination procedures have been defined?

What application requirements impose the need to enforce the principle of separation of duties?

What controls exist to prevent a compromise in the corporate environment from affecting production?

What security governance requirements have been defined?

Additional Resources

OWASP Guide to Building Secure Web Applications

ISO 27002 Standard: Code of Practice for Information Security Management

BITS Standards for Vendor Assessments

Security Guidance for Critical Areas of Focus in Cloud Computing

Payment Card Industry (PCI) Data Security Standard (DSS)

How to Write an Information Security Policy

IT Infrastructure Threat Modeling Guide


Post-Scriptum

This cheat sheet is distributed according to the Creative Commons v3 “Attribution” License. File version 1.2.

About the Author: Lenny Zeltser leads the security consulting practice at Savvis. His team provides security assessments, design, and operational assistance for business-critical IT infrastructure. Lenny also teaches malware analysis at SANS Institute, explores security topics at conferences and in articles, and volunteers as an incident handler at the Internet Storm Center.

Shutting Down XSS with Content Security Policy

Content Security Policy is really coming – no joke – this is a huge browser security game changer. There is so much potential, assuming it all works. Life would be so much easier if this became real. Read about it for yourself!

http://blog.mozilla.com/security/2009/06/19/shutting-down-xss-with-content-security-policy/

User Security Training Presentation

Here’s a “User Security Training” PowerPoint deck that I found on the web, edited a little and removed the branding – made it generic, so to speak. Since no one had one available when I asked, I thought I would share the wealth and post the one I found – like I said, I gave it a neutral ‘brand’ so you can add your ‘brand’ to it.

User Security Training Presentation

Passively Detecting SQL Injection

From the Tenable Security Blog

SQL injection is a class of vulnerabilities that can plague web applications in your environment, often with devastating consequences. These flaws can be difficult to detect and validate, and they are sometimes the cause of major data breaches. This is a deadly combination. Databases contain the information that attackers are after, including SSNs, credit card numbers and other information associated with an individual’s identity such as name, address, phone number, mother’s maiden name and more.

The Tenable Passive Vulnerability Scanner (PVS) contains a check for detecting SQL injection attacks. It is a very simple check that first looks for an HTTP request:

pregex=^(GET|POST) /.* HTTP/1\.

Next, it looks for a response that is not formatted as HTML:

match=!<html>

match=!<HTML>

At first glance you might be inclined to think this would lead to false positives. In fact, it turns out to be quite an accurate check. At one of the Tenable research sites we saw this alert:

[screenshot: PVS SQL injection alert (pvs-sqlinjection)]

When I went to the above URL manually, I was presented with an error page:

[screenshot: error page]

It appears that the error page was not rendering correctly (an error on the error page, how ‘bout that?). Viewing the source of the page revealed information about the problem:

[screenshot: error page source (error2)]

The result of “View source” above contains valuable information that can be used in SQL injection attacks. This includes a table name and a column name visible in the SELECT statement. In addition, the page reveals the file system path in use on the web server. Finally, the error message tells us that the remote server is using a MySQL database. This is extremely valuable information for an attacker looking to exploit this potential vulnerability.

Conclusion

The parameter should be more thoroughly tested to see if SQL injection is indeed possible. However, the information gathered from the error message is certainly a good start for an attacker. It is important to configure the web application to not display this error message to the end user. Passive monitoring is an excellent method to monitor your web applications without any impact to the environment. Activity from normal users, potential hackers and even web spiders can all provide input that may result in displaying an unexpected SQL error.
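Here is an added example, not Tenable’s code, that applies the two PVS rules quoted above to a few constructed request/response pairs and separates a leaked database error from a harmless non-HTML response; the SQL_ERROR_HINTS list, the sample bodies and the identifiers in them are this example’s own.

```python
"""Run the passive SQL-injection check described above over sample HTTP exchanges."""
import re
from typing import Dict, List, Tuple

# The two rules from the PVS plugin: a GET/POST request line, and a response
# body that carries an <html> tag in neither case.
REQUEST_RE = re.compile(r"^(GET|POST) /.* HTTP/1\.")
HTML_MARKER = re.compile(r"<html>|<HTML>")

# Added refinement, not part of the PVS check: strings that typically appear
# in leaked database errors, used only to rank the alerts the check raises.
SQL_ERROR_HINTS = ("mysql", "sql syntax", "select ", "odbc", "ora-", "pg_query")


def pvs_like_check(request_line: str, response_body: str) -> bool:
    """True when the request matches pregex and neither !match clause fires."""
    return bool(REQUEST_RE.match(request_line)) and HTML_MARKER.search(response_body) is None


def classify(request_line: str, response_body: str) -> str:
    """'clean', 'non-html' (raw PVS alert) or 'sql-error' (alert plus DB error text)."""
    if not pvs_like_check(request_line, response_body):
        return "clean"
    lowered = response_body.lower()
    return "sql-error" if any(h in lowered for h in SQL_ERROR_HINTS) else "non-html"


def leaked_details(response_body: str) -> Dict[str, str]:
    """What a leaked error hands out: database engine, table name, server-side path."""
    found: Dict[str, str] = {}
    if "mysql" in response_body.lower():
        found["engine"] = "MySQL"
    m = re.search(r"\bFROM\s+`?(\w+)`?", response_body, re.IGNORECASE)
    if m:
        found["table"] = m.group(1)
    m = re.search(r"\b(?:in|at) (/[\w./-]+\.\w+)", response_body)
    if m:
        found["path"] = m.group(1)
    return found


# Constructed exchanges (not captured traffic). The second body is modelled on
# the post's description of the error page source: a SELECT statement, a file
# system path and a MySQL error. Table, column and path names are made up.
SAMPLE_TRAFFIC: List[Tuple[str, str]] = [
    ("GET /index.php HTTP/1.1",
     "<html><body><h1>Welcome</h1></body></html>"),
    ("GET /item.php?id=42 HTTP/1.1",
     "Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result "
     "resource in /var/www/html/item.php on line 42\n"
     "Query: SELECT name, price FROM products WHERE id = 42"),
    ("GET /api/status HTTP/1.1",            # JSON endpoint: the check fires, but
     '{"status": "ok"}'),                    # nothing is leaked (false positive)
    ("POST /login HTTP/1.0",
     "<HTML><BODY>Logged in</BODY></HTML>"),
]


def scan(traffic: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(request path, verdict) for every exchange."""
    return [(req.split(" ", 2)[1], classify(req, body)) for req, body in traffic]


if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_TRAFFIC):
        print(f"{verdict:10} {path}")
    print(leaked_details(SAMPLE_TRAFFIC[1][1]))
```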

Maximum Risk to Maximum Security

From http://blog.sebastien.raveau.name/

(Sorry for the delay; doing now what I should have done a long time ago: split my article in two parts, as it is the second part that really keeps me back… What do you want? Being a perfectionist I can’t publish a “From Maximum Risk To Maximum Security” article until I have everything covered :P)

What I describe here should be very useful to you if you can find yourself in at least one of the following situations:

  • you can use an Internet access but it lacks security (e.g. free WiFi hotspots, campus Internet, etc)
  • you want to demonstrate ineffective firewalling during a pentest
  • you subscribed to a 2-year contract for “unlimited mobile Internet access” – so unlimited that their marketing department even named it “Illimythics 3G+” in my case – asked every rep you could whether it would indeed meet your needs, and while none of them seemed to know what SSH is, they all blatantly assured you that it was possible… until you realized, too late, that it is in fact HTTP-only
  • you feel ripped-off by a hotel reservation that you chose specifically because it advertised Wi-Fi access for customers, but once there you realize they charge extra for it.

All in all, this comes down to a simple problem: how to get a full & secure Internet access in (almost) every case?

To address this problem, we’ll rely on what I call a “stepping stone”, i.e. a computer reachable by all means, preferably 24/7, with a private full Internet access, to which we will tunnel our Internet traffic by whatever means we have available at the time.

Now, being able to reach your stepping stone depends on what kind of traffic you are allowed on the connection you try to reach it from… Let’s enumerate them from best case to worst case in terms of usability:

1. IPSec traffic directly to the stepping stone

I cite IPSec first because it is THE standard for secure Virtual Private Networking and is therefore available on all operating systems. However, you will only be able to use it if there is no firewall or the firewall doesn’t filter it (cf. the paragraph on IPv6 below), and, if you’re behind a NAT router, only if you’re the sole IPSec user or the router supports NAT-T.

2. any kind of traffic directly to at least one UDP port on the stepping stone

In this case the best is to use OpenVPN; if you know the port number in advance all you have to do is configure OpenVPN to bind on this port, otherwise you can redirect traffic arriving on other UDP ports to OpenVPN with Netfilter:

iptables -t nat -A PREROUTING -i eth0 -p udp -j REDIRECT --to-port 1194

I made my OpenVPN reachable on all UDP ports because every now and then I am surprised to see some exotic UDP port allowed through a firewall, no idea why… HD Moore wrote a very useful script to test that.

3. any kind of traffic directly to at least one TCP port on the stepping stone

Here you can use OpenVPN like above (but two separate configuration files are needed in order to get it to listen both to UDP and TCP) or OpenSSH tunneling.

I put TCP under UDP because TCP over TCP is considered a bad idea so OpenVPN over TCP or OpenSSH with its new VPN capability (ssh -w) won’t work as well as OpenVPN over UDP.

Personally I chose OpenVPN on TCP too because:

  • using OpenSSH to tunnel to an HTTP proxy (like Squid) on the stepping stone is definitely quick to set up (ssh -L 3128:127.0.0.1:3128, then adjust the HTTP proxy settings in your browser, instant messaging client, etc. accordingly), as is having it act as a SOCKS proxy itself (ssh -D 1080), which is even quicker if your applications support SOCKS proxying (all browsers do), but that requires having a highly privileged daemon facing the Internet for little reason
  • it sure is nice to be able to administer your stepping stone remotely with OpenSSH, but you can always do that once you’re connected with OpenVPN

And, same as above, if you know the port number in advance all you have to do is configure OpenVPN to bind on this port, otherwise you can redirect traffic arriving on other TCP ports to OpenVPN with Netfilter:

iptables -t nat -A PREROUTING -i eth0 -p tcp -j REDIRECT --to-port 1194

Like with UDP, you never know what crazy TCP port a firewall might allow. I once found a firewall that would allow me nothing but emailing the whole Internet (TCP port 25): what the f… oh well.

4. IPv6 traffic directly to the stepping stone

While it does not address the confidentiality of communications by itself (though it goes along with IPSec pretty well), IPv6 is a firewall traversal means worth mentioning: if you’re lucky enough to have IPv6 support on both sides, and if the firewall administrators were clueless enough to have a default allow policy (yes, there are many) and not to take IPv6 into account (the two usually go together), it will get you through.

5. any kind of traffic or just SSL traffic to at least one TCP port (typically 443, the HTTPS port) on the stepping stone via a HTTP or SOCKS proxy

Many people use OpenSSH tunneling with connect.c to get through such proxies; it is indeed convenient but, once again, I’m not comfortable with the security implications. Fortunately, OpenVPN supports HTTP and SOCKS proxying out of the box. You can make OpenVPN reachable on TCP port 443 and other ports as explained above.

Note: some mobile Internet operators filter access to their proxy based on the User-Agent string of the web browser shipped with your smartphone; copy it to OpenVPN via the “http-proxy-option AGENT” parameter and off you go!

6. ICMP (like ping) traffic directly to the stepping stone

If, for example, you are able to ping 4.2.2.2 (one of the easiest publicly pingable IP addresses to remember), chances are you can use PingTunnel to connect to a TCP port on your stepping stone, and from there access the whole Internet securely by using OpenVPN or OpenSSH… There are issues with some NAT routers, so you might want to try “unprivileged mode” in PingTunnel, not for security reasons (I heavily patched PingTunnel to make it super tight; you’ll see in the next blog post) but because it then uses real ICMP Echo requests and replies (at the cost of throughput), which get through the NAT routers that don’t like how PingTunnel normally operates.

Also, a firewall not allowing ICMP Echo doesn’t mean it won’t allow ICMP messages of other types… Come to think about it, I’ll have to add this feature too to PingTunnel.


7. recursing DNS requests to the stepping stone via some DNS server

Now, about DNS tunneling: I put it among the last in this list because it provides less throughput than the previous solutions and really, from a protocol engineering point of view, it’s ugly… Then again, it’s AWESOME because it works almost everywhere!

In order to use it, you will need a domain name (or a subdomain at DNSTunnel.de, kindly offered by Julius Plenz) and one of the following: NSTX, Iodine, OzymanDNS, Heyoka

Research is still active on the subject of DNS tunneling, this is why there are many tools already and more coming up. NSTX is the historical one, Iodine offers better throughput than NSTX and is available for most operating systems. OzymanDNS and Heyoka are less than a year old and still a bit proof-of-concept-ish but nonetheless interesting: the former is Dan Kaminsky’s attempt, and the latter has the highest ambition.

Personally I’m more than happy with Iodine.


8. HTTP traffic to TCP port 80 on the stepping stone through a (transparent) HTTP proxy

As the name suggests, transparent proxies transparently redirect your connections to the Internet on TCP port 80 to a local HTTP proxy; it may look like you are simply allowed TCP port 80 to the Internet, but try sending anything other than HTTP on this port and it won’t work. Good thing to know, though: even if the transparent HTTP proxy doesn’t let you through for some reason, you will most likely be able to do DNS tunneling (see above), as letting the clients perform their own DNS requests is mandatory in transparent HTTP proxy setups.

Now, allowing HTTP but not HTTPS is utterly suspicious, besides breaking many web authentication procedures. Fortunately it is very rare, but in case you end up in this situation, HTTPTunnel is the way out: it will give you the possibility to connect to another TCP port on your stepping stone (and thus reach OpenVPN or OpenSSH) while making your traffic look like HTTP.

Note: User-Agent filtering can happen in this case too, see paragraph on HTTP and SOCKS proxies for solution.


9. other means of relaying data to and from the stepping stone via some reachable server

Apparently my friend Mubix has a super-secret project coming on that… in addition to having a Hak5 episode on tunneling SSH over DNS :)

As you can see, if you want to maximize your chances to reach your stepping stone and thus get a full & secure Internet access, you basically have to make it face the Internet with all TCP ports open, all UDP ports open and even ICMP tied to a daemon… While I generally disagree with the people who say a computer with 10 ports open is more insecure than a computer with 4 ports open, I have to concede that we are kind of daring the devil here…

And that is why in the other half of this article (which I’ll hopefully manage to find the time to finish within the week) I will explain how to achieve maximum security!

Show Account Security Settings

From: COMMAND LINE KUNG FU: PaulDotCom, Ed Skoudis, Hal Pomeranz, byte_bucket

Ed engages:

Yesterday, I was doing a presentation for a bunch of auditors, and a nice question came up from the attendees: “How can I quickly see the local account security settings on a Windows box from the command line?” When I gave the answer, I saw a lot of people’s eyes light up. Of course, whenever an auditor’s eyes start to flicker, we should all watch out. :)

Seriously, though… the vast majority of the people in the room quickly wrote down a note with my answer, so I figured it would make a good episode here.

On Windows, you can see overall security settings for all accounts on the box using the command:

C:\> net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 0
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: WORKSTATION
The command completed successfully.

A simple little command like that shows really useful information, for auditors, pen testers, general security personnel… great stuff. We’ve got password aging information, minimum password length, password history (so users can’t just reset their password to an older one they used to have), the threshold of bad logon attempts for account lockout, the time duration of account lockout, and the amount of time before a locked out account is re-activated.

The output I show above is the default settings for most versions of Windows, including Win2K, WinXP, and Vista (Yup… minimum password length of 0 by default!). On Win2k3, the only difference is that the “Computer role:” says SERVER.

Another nifty related command is:

C:\> net accounts /domain

You can run this on any system that is a member of the domain, and it’ll show you the domain-wide settings for accounts.

Pretty cool, and all in one place.

So, what’ve you got for us on Linux, big guy?

Hal reports in:

I’m sure you all are getting fairly tired of this, but I have to give my usual disclaimers:

1) Different Unix systems handle password security settings in different ways, so we’re just going to focus on Linux

2) The answer is different if you’re working with a network-based authentication database like LDAP or Kerberos, but for purposes of this article we’re just going to stick to local password files

With those disclaimers in mind, the basic answer is simple:

# chage -l hal
Last password change : Jul 14, 2007
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

The “chage” command can be used to get (and set) basic password security parameters for accounts on your Linux system (other Unix variants often use the “passwd” command for this). This is actual output from one of my test systems and shows you the standard Linux defaults for these parameters, which are obviously not terribly secure. You may change the defaults by modifying the /etc/login.defs file, but be aware that the defaults you set in login.defs will only apply to new accounts that you create with the built-in “useradd” program that comes with Linux. If you use some other scheme for creating accounts, then you’ll have to use the “chage” command to manually set these values after you create each account.

If you compare the “chage” output with the output of Ed’s “net accounts” command, you’ll notice that “chage” doesn’t have anything to say about password history settings or “lockout on failure” parameters. That’s because this level of password security is a property of the lower-level PAM configuration on most Unix systems. On Linux, the pam_cracklib and pam_unix modules take care of password history and strong password enforcement, while pam_tally is responsible for “lockout on failure”. Unfortunately there’s no way to audit the settings for these modules other than to look at the actual PAM configuration files, usually found in /etc/pam.d.
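Both commands above print one block of settings per tool, so the natural follow-up is to check those values against a policy instead of eyeballing them. The script below is an added example and is not part of the Command Line Kung Fu episode: it parses the exact “net accounts” and “chage -l” output shown above, maps both onto common names, and flags anything weaker than a baseline. The baseline numbers (at least 1 day minimum age, at most 90 days maximum age, 12-character minimum length, 5-password history, lockout after 1 failure for at least 15 minutes) are assumptions for the example, not values from the post; substitute your own policy. The chage path can only flag the aging settings, since history and lockout live in the PAM configuration rather than in chage’s output.

```python
import re

# Sample tool output, copied from the transcripts in the post above
# (Windows defaults from "net accounts", Linux defaults from "chage -l hal").
NET_ACCOUNTS_OUTPUT = """\
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 0
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: WORKSTATION
The command completed successfully.
"""

CHAGE_OUTPUT = """\
Last password change : Jul 14, 2007
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
"""

# Tool-specific labels mapped onto common names. chage reports no history or
# lockout settings (those live in PAM), so it maps fewer keys.
NET_ACCOUNTS_KEYS = {
    "Minimum password age (days)": "min_age_days",
    "Maximum password age (days)": "max_age_days",
    "Minimum password length": "min_length",
    "Length of password history maintained": "history",
    "Lockout threshold": "lockout_threshold",
    "Lockout duration (minutes)": "lockout_minutes",
}
CHAGE_KEYS = {
    "Minimum number of days between password change": "min_age_days",
    "Maximum number of days between password change": "max_age_days",
}

# Baseline to compare against. These numbers are an ASSUMPTION for the example,
# not a value from the post. ("min", n): value must be >= n.
# ("max", n): value must be <= n and non-zero, since 0/Never means "never expires".
BASELINE = {
    "min_age_days": ("min", 1),
    "max_age_days": ("max", 90),
    "min_length": ("min", 12),
    "history": ("min", 5),
    "lockout_threshold": ("min", 1),
    "lockout_minutes": ("min", 15),
}


def to_number(value):
    """Never/None/Unlimited mean 'not enforced' and become 0; non-numeric text -> None."""
    v = value.strip().lower()
    if v in ("never", "none", "unlimited"):
        return 0
    m = re.match(r"-?\d+", v)
    return int(m.group()) if m else None


def parse(text, key_map):
    """Pull the mapped 'Label: value' (net accounts) / 'Label : value' (chage)
    lines out of the tool output and return {common_name: int}."""
    out = {}
    for line in text.splitlines():
        label, sep, value = line.rpartition(":")   # rpartition keeps '?' in labels intact
        if sep and label.strip() in key_map:
            num = to_number(value)
            if num is not None:
                out[key_map[label.strip()]] = num
    return out


def check(normalized, baseline=BASELINE):
    """Return a list of findings; an empty list means every reported setting meets the baseline."""
    findings = []
    for key, (mode, limit) in baseline.items():
        if key not in normalized:
            continue  # the tool does not report this setting; audit it elsewhere (e.g. PAM)
        value = normalized[key]
        if mode == "min" and value < limit:
            findings.append(f"{key}={value} is below the baseline of {limit}")
        elif mode == "max" and (value == 0 or value > limit):
            findings.append(f"{key}={value} exceeds the baseline of {limit} (0 means never)")
    return findings


def audit(text):
    """Detect which tool produced the output ('Computer role:' only appears in
    net accounts output) and check it against the baseline."""
    key_map = NET_ACCOUNTS_KEYS if "Computer role:" in text else CHAGE_KEYS
    return check(parse(text, key_map))


if __name__ == "__main__":
    # Stand-alone run audits the two sample outputs; feed live output to audit() instead.
    for name, text in (("net accounts", NET_ACCOUNTS_OUTPUT), ("chage -l hal", CHAGE_OUTPUT)):
        print(name, "->", audit(text) or "meets baseline")
```

Run against the defaults quoted in the post, the Windows output produces four findings (minimum age, minimum length, history and lockout threshold are all unenforced) and the Linux output two (minimum age 0 and maximum age 99999). To audit a live box, capture `net accounts` or `chage -l <user>` and pass the text to audit(); looping audit() over every user in /etc/passwd is the Linux equivalent of Ed’s one-shot domain-wide view.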

iBotnet: Researchers find signs of zombie Macs

From http://blogs.zdnet.com/security/

April 16th, 2009
Posted by Ryan Naraine @ 8:28 am

Malware hunters at Symantec have discovered a direct link between a malicious file embedded in pirated copies of Apple’s iWork 09 software and what appears to be the first Mac OS X botnet launching denial-of-service attacks.

Writing in the current issue of Virus Bulletin (subscription required), researchers Mario Ballano Barcena and Alfredo Pesoli found two malware variants — OSX.Iservice and OSX.Iservice.B — using different techniques to obtain the user’s password and take control of the infected Mac machine.


The variants have been found inside bogus copies of iWork ’09 and Adobe Photoshop CS4 which were shared on the popular p2p torrent network. The author of the malware downloaded the original/trial versions of each program and introduced a copy of the malicious binary into the packages. Users who then downloaded and installed the applications from the torrent download would have been infected. It is estimated that thousands of people have downloaded the infected torrent files.

They describe this as the “first real attempt to create a Mac botnet” and note that the zombie Macs are already being used for nefarious purposes.

The researchers pointed to this blog entry, which describes a PHP script, running as root, launching attacks against an unknown Web site.

The article goes into detail on the botnet’s peer-to-peer engine, startup and encryption capabilities and configuration file structure and concludes that the person who wrote the malware is not the same as the person who actually ‘used’ it.

“The code indicates that, wherever possible, the author tried to use the most flexible and extendible approach when creating it – and therefore we would not be surprised to see a new, modified variant in the near future,” the researchers added.

Five Minute Security Assessment

From http://www.shortinfosec.net/

A security assessment is a big deal. It takes a lot of time, requires a good chunk of budget since it is done by independent consultants, and the outcome is at best ‘OK, but could be better’.

For all these reasons, as well as some ego-related ones which won’t be mentioned here, a lot of companies avoid hiring a security consultant and doing this assessment.

While the real thing takes time, budget lobbying and the guts to admit that you are not perfect, here is a very fast self-assessment which will give you a feeling for where you stand. You can do it on your own time, and no one needs to know the outcome.

Assessment instructions
Answer each question truthfully with a yes or a no. If the answer is partial, count it as a no. For each answer, add the number of points indicated on the question to a running total. After finishing all the questions, find the assessment result for the interval your total falls into.

Assessment questions

1. Do we have a firewall active at all ingress points of the network? Yes – 5 points, No – 0 points
2. Does our team control all firewalls? Yes – 5 points, No – 0 points
3. Do we have the following basic technical policies in place? Add 1 point for each policy in place
* password complexity
* password retention
* password history
* logon hours
* controlled registry editing

4. Does everyone in the organization have their own individual and unique username for all activities? Yes – 5 points, No – 0 points
5. Do we have logon/logoff auditing active on all servers and stations? Yes – 5 points, No – 0 points
6. Do we have a testing environment for patches, new versions and new software before it is rolled out into production? Yes – 5 points, No – 0 points
7. Do we have written procedures that turn each of the above into a formal process? Add 1 point for each procedure in place (one per question above, so up to 6 points)

Assessment results

* 30-36 points – Very good security posture – You have the basics of great security governance. Continue developing at both the procedural and technical levels of security.
* 20-29 points – Acceptable security posture – You are lacking in written procedures and change management, but basic technical security is at a good level. You need to work harder on formalization.
* 10-19 points – Basic security posture – Very basic security, lacking any formal security process, and probably also missing elements of auditing, ingress path control and technical policies. You have a long way to go, and you should have started yesterday!
* 0-9 points – Disaster waiting to happen – So you have firewalls? Really? And maybe you’ve even plugged them in? Hire a good security expert (after firing your current one) and start getting somewhere.

Information Technology and Security


Information technology and information security are my fields of expertise, and I have the pleasure of working within those fields as a career. The abstract thought process and mix of technical knowledge make it almost like play time. Thinking outside the box is outmoded – you have to think even more abstractly, since you are trying to see all points of view – from CEO to hacker, from tactical to strategic, and even political.


I’ve posted a lot of information technology and information security related posts to this website. I learn from the information I glean from around the web, and I wanted a place where I could refer back, since some of the command line and shortcut stuff is priceless. It doesn’t matter what status I hold at work; I’m always interested in cleaning up my skills and learning new ones. There should never be a point, even at the executive layer, where we let go of those skills.

Information Security is an area I have a lot of passion for. I am the Director of Information Technology and Information Security Officer for the company that I work for and, as such, have to keep my finger on the pulse. I have done hacking courses and am technically proficient, but I would not say that I am anything other than someone who sees how it can be done and wants to prevent it happening to the company I work for.

Here’s a Standard Penetration Testing Checklist. See how involved it is, and that is just the entry point. I didn’t write this, by the way – why re-invent the wheel? – but it’s a great reminder and backbone for penetration testing. All I am trying to illustrate is the complexity of information security, and that it is all too often overlooked by executives for no other reason than that they have not been armed with enough information. Yes, we should take the blame for some of that. When I presented the base level of hacking techniques to our executive staff, I immediately got budget money. I meant to scare them, and boy did I.

You’ll notice in the tech section there is a ton of useful information. This is just a piece of what I find useful – I don’t have time to post it all, so I try to post the most interesting – well, to me anyway. More as it comes to me.