Sister CISA CISSP: April, 2009 archives


April, 2009

Apr 29 2009   11:46AM GMT

Encrypt Your Laptops NOW



Posted by: Arian Eigen Heald
Data Breaches, laptop security, Tearing My Hair Out, laptop encryption

SC Magazine has reported that a laptop belonging to the State of Oklahoma was stolen, with 1 million names, Social Security numbers, birth dates and home addresses of Oklahoma’s Human Services’ clients receiving benefits from programs such as Medicaid, child care assistance, nutrition aid and disability benefits.

All this was secured with a password. The State of OK seems to think that is adequate protection - has nobody there heard of a Linux boot disk? It will take (and probably already has taken) a cracker ten minutes or less to gather the SAM database, and probably not much time to crack the password.

No excuses! Get it done. The cost of losing a laptop is now estimated at $50,000, after the cost of corporate security efforts, bad publicity, and lawsuits. No one is too small to get sued.

Apr 24 2009   7:05PM GMT

The Risks of Using Gmail, Hotmail and Yahoo



Posted by: Arian Eigen Heald
email security on the road, Gmail

We all do it; we connect to the web and grab our mail all the time. But those web pages are vectors for cross-site scripting (XSS) and a new nasty - CSRF (pronounced SeeSurf), cross-site request forgery, which affects many webmail providers, most notably Gmail.

Gmail even knows about a flaw it hasn’t bothered to patch, according to several researchers. It’s tricky, but an attacker can use it to change your password in the right technical situation.

Not to mention the fact that if you’re checking your mail at an unencrypted WiFi hotspot (you don’t do that, do you?) your password can be captured by the teenager sitting at the window sipping his latte while he runs a packet sniffer.

When I’m asked for advice about this from users that are generally unacquainted with the acronyms above, I have two recommendations:

First, if you’re at a free WiFi hotspot, don’t go anywhere you have to log in. That’s the simplest advice. But if you’re on business, or do want to check Gmail, Yahoo, etc., there is something you can do: Log in using https. This forcibly encrypts your traffic when you log in.

Keep in mind that some services let you log in using https, but then bounce you to an unencrypted page for the rest of the activity. Yahoo and Hotmail do exactly that. So if you’re sending an email with private information, it will go across the net in open format.

Gmail has a setting (somewhat well-hidden) that can require you to connect and stay in https. If you are in Gmail, select settings at the right top corner. Scroll all the way to the bottom of the page, to the category “browser connection.” Select “always use https,” and you can read your email safe from prying eyes. I haven’t found anything like this in Yahoo and Hotmail. Good enough reason to switch!
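As an added example (not from the original post), a short Python check over a constructed browser trace with placeholder hostnames: it flags the https-to-http bounce described above and lists which requests then went over the wire in the clear.

```python
from urllib.parse import urljoin, urlparse

# Constructed session trace with placeholder hostnames (not a real provider):
# each hop is (request URL, HTTP status, response headers). It models a
# webmail service that takes the login over https and then redirects the
# browser to plain http for the inbox and everything after it.
TRACE = [
    ("https://login.webmail-example.test/login", 302,
     {"Location": "http://mail.webmail-example.test/inbox"}),
    ("http://mail.webmail-example.test/inbox", 200, {}),
    ("http://mail.webmail-example.test/compose", 200, {}),
]


def redirect_target(url, headers):
    """Absolute URL a redirect points to, or None if the hop is not a redirect."""
    location = headers.get("Location")
    return urljoin(url, location) if location else None


def find_downgrades(trace):
    """(from_url, to_url) pairs where an https hop sends the browser to http."""
    downgrades = []
    for url, status, headers in trace:
        if not 300 <= status < 400:
            continue
        target = redirect_target(url, headers)
        if target and urlparse(url).scheme == "https" \
                and urlparse(target).scheme == "http":
            downgrades.append((url, target))
    return downgrades


def cleartext_requests(trace):
    """Every request in the trace sent over plain http, i.e. readable by a sniffer."""
    return [url for url, _, _ in trace if urlparse(url).scheme == "http"]


if __name__ == "__main__":
    for src, dst in find_downgrades(TRACE):
        print("downgrade:", src, "->", dst)
    print("cleartext requests:", cleartext_requests(TRACE))
```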


Apr 21 2009   3:08PM GMT

Scans and Pentests and Audits, Oh My!



Posted by: Arian Eigen Heald
Pentesting, Vulnerability Assessments, Tools & Tricks of the Trade

Why isn’t a vulnerability scan part of a penetration test? A scan looks for vulnerabilities the way hackers do - but hackers are MUCH better at it. Scans look for what they are programmed to look for - hackers look for holes.

Penetration testing certainly involves scanning, but most professional pentesters don’t waste time with scanners. They’re nice to have if you have a lot of money and only a little time to check your security. But the guy who gets in doesn’t usually have one in his kit. Scanning software tends to be huge (think database on the backend) and cumbersome.

Don’t get me wrong; there are some terrific pieces of software out there that can and should be used on a regular basis. They can catch the misconfigured server and identify the “low hanging fruit” that needs to be cleaned up. They are a part of a security audit, and VERY handy to have. I’d like to have a few in MY toolkit.

Do I use them for pentesting? No.

The first two or three steps in a penetration test have nothing to do with scanning the network for vulnerabilities, and often are far more effective than a scan will ever be. The nice man who lets me in the door does far more for me than a scan…why do a whole bunch of scanning when I can access the server physically? Ten minutes (or less) with your server and it’s MINE.

Of course, because I’m an auditor, and the First Rule is usually: “Don’t break anything,” I settle for leaving my business card on the back of the chassis or a little file in the root directory. But a thumb drive with some fun software can capture the SAM database pretty quickly and erase traces of itself pretty fast.

So don’t let anyone call a scan a pentest - it just means they don’t know their business.


Apr 15 2009   7:01PM GMT

The Beginning of the End for PIN Codes



Posted by: Arian Eigen Heald
Automatic Theft Machines, Data Breaches, PCI DSS, Security Devices

Yesterday Wired released a story that reveals a startling detail about the TJMaxx data breach: hackers were able to cash in on stolen debit cards because they had a way to crack PINs.

This “minor detail” was buried in an affidavit last year, but Wired has put it together with some other information afloat on the Net, and the article is a really good read on what happens to your PIN from your debit card as it transits various networks to receive approval. Your PIN gets decrypted and re-encrypted by a Hardware Security Module (HSM) each time it transits a network. Lots of opportunities for capture with the help of an insider or some sniffing malware.

“While statistically not a large percentage…in 2008, attacks against PIN information represent individual data-theft cases having the largest aggregate exposure in terms of unique records,” says the report. “In other words, PIN-based attacks and many of the very large compromises from the past year go hand in hand.”

Although there are ways to mitigate the attacks, experts say the problem can only really be resolved if the financial industry overhauls the entire payment processing system.

Ouch.

Clearly, PIN-based authentication has been cracked, and will be cracked more and more. Leave your debit card at home and Pay Cash Instead.


Apr 10 2009   8:28PM GMT

A DAM Good Idea



Posted by: Arian Eigen Heald
Database, Admins and Auditors, DataManagement, Tools for Auditing and Security

(Sorry, I apologize for using an acronym, but I couldn’t resist.)

Whenever the subject comes up of logging activity in a database, immediately the complaints of “Too much overhead!” can be heard. Everybody thinks it’s a good idea in theory, but from a practical standpoint, it adds a lot of burdens to the database.

From a security standpoint, it’s really difficult to make sure that DBAs or Administrators are accurately logged AND denied access to the logs. On the database server itself, it’s next to impossible.

This isn’t really a new idea, but it has recently gained a lot of adherents: database monitoring. Quest Software has had some good products around for monitoring performance, but recently the focus (because of compliance, big surprise) has turned to access controls, logging, and monitoring activity.

For example, someone might have noticed a little sooner at Countrywide that someone was accessing a lot of customer data if a Database Activity Monitoring device had been installed.

There are two versions of this type of device. First is the network-based DAM, which can monitor all traffic going to and from the database server, and puts no load on the server itself. This is a great idea, unless, of course, your traffic is encrypted. Another issue is that this type of monitoring will miss activity that is local to the server itself.

Second is the host-based DAM, which is really the more effective of the two, because it can see everything you want to see via an agent installed on the server that reports back to the monitoring device elsewhere on the network. The overhead of an agent will not be as high as trying to enable auditing within the database itself, and, as much as I am not fond of agent software, in this case I would make an exception, after careful testing.

The drawback to this system is that the agent could be disabled, but the DAM should immediately alert personnel to that fact. If you are able to size your server appropriately, an agent’s overhead could be minimized. I’d love to hear from anyone using this type of configuration, and how they like it.
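To make the host-based DAM idea concrete, here is an added example (mine, not any product's code) of three checks such an appliance would run on the feed an agent sends back: bulk reads of a customer table, changes to the audit configuration, and a silent agent. The events, user names and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed activity feed, as a host-based agent might report it to the
# monitoring appliance: (timestamp, db user, statement type, table, rows).
# User names, tables and volumes are made up for this example.
EVENTS = [
    (datetime(2009, 4, 10, 9, 0), "app_svc", "SELECT", "customers", 1),
    (datetime(2009, 4, 10, 9, 1), "app_svc", "SELECT", "customers", 1),
    (datetime(2009, 4, 10, 9, 2), "jdoe", "SELECT", "customers", 20000),
    (datetime(2009, 4, 10, 9, 3), "jdoe", "SELECT", "customers", 30000),
    (datetime(2009, 4, 10, 9, 4), "dba1", "ALTER", "audit_config", 0),
]


def bulk_reads(events, table, row_limit, window):
    """Users whose rows read from `table` within any `window` exceed row_limit.
    Returns {user: row total at the moment the limit was crossed}."""
    per_user = defaultdict(list)
    for ts, user, stmt, tbl, rows in events:
        if stmt == "SELECT" and tbl == table:
            per_user[user].append((ts, rows))
    flagged = {}
    for user, reads in per_user.items():
        reads.sort()
        start, total = 0, 0
        for ts, rows in reads:          # sliding window over the user's reads
            total += rows
            while ts - reads[start][0] > window:
                total -= reads[start][1]
                start += 1
            if total > row_limit:
                flagged[user] = total
                break
    return flagged


def changes_to(events, watched_tables):
    """Non-SELECT statements against tables nobody should alter unnoticed
    (for instance the audit configuration a DBA might switch off)."""
    return [(ts, user, stmt, tbl) for ts, user, stmt, tbl, _ in events
            if stmt != "SELECT" and tbl in watched_tables]


def agent_silent(last_heartbeat, now, timeout):
    """True when the agent has not checked in for longer than `timeout`: the
    signal that it was stopped or tampered with, which must page someone."""
    return now - last_heartbeat > timeout
```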


Apr 8 2009   1:50PM GMT

What Conficker Tells Us



Posted by: Arian Eigen Heald

The latest statistics I’ve read from vendors now say that up to 6% of PCs worldwide are infected by the worm. What is going to happen as a result of this worm is yet to be determined. The “patch” provided by Microsoft disables autorun so that the worm cannot infect the machine, but that is for only one variant of the worm. Another patch addresses the underlying vulnerability in the server service.

That patch is Windows patch MS08-067. What’s wrong with this picture?

The patch was released in October of 2008. The French Navy, British Parliament and the Armed Forces of Germany have all reported outbreaks.

It’s been almost six months since the first patch release from Microsoft. Why isn’t everybody patched? The fact that so many computers have been infected tells us that patch management and deployment as it is now is not working.

Companies frequently refuse to patch because they “don’t want to break something.” SQL Slammer brought networks down worldwide - what will Conficker do to your network if you aren’t up to date on patches?


Apr 3 2009   7:30PM GMT

When News Isn’t News



Posted by: Arian Eigen Heald
Data Breaches, credit card crime, Admins and Auditors

A client of ours was notified recently by their financial institution that some of their credit cards had been compromised by a vendor.

The rational question followed: “Which vendor?” To which the bank replied: “We aren’t going to tell you, in order to protect the reputation of the vendor.” Given that a high percentage of vendors have had more than one security breach, why are banks protecting them? Wouldn’t you want to know which company had been broken into so that you could pay extra attention to transactions from that company?

This kind of financial behavior is what drives people to enacting regulatory requirements for notification.

“Citibank contacted my husband and told him that they would be re-issuing him a new account number because a ‘major merchant’ had notified authorities that its secure data had been compromised. They would not release the name of the merchant, instead saying that it was ‘the kind of thing we would probably hear about in the news,’” she writes.

Why do we have to hear about it from the news? Why are we protecting organizations that are not protecting their data? Because it would cost the vendor money, and that would impact the profits at the bank. It’s the same reason VISA doesn’t shut down big PCI violators - and it’s why we really need independent oversight.


Apr 1 2009   12:45AM GMT

Making it Easy For Hackers



Posted by: Arian Eigen Heald
information security, Security Devices, Data Breaches

How many rules do you have in your firewall? How many rules allow access directly into your network? How many rules allow ANY/ANY?

The more rules you have in your firewall rulebase, the higher your risk of allowing attackers in. I’m not talking about opening access to your webserver in the DMZ. But the rules are not linear, which many people (including some professionals) do not understand.

Firewall rules are evaluated in order, like access control lists, so that you can end up with some unintended consequences. If the ANY/ANY rule is above the tighter rules, the ANY/ANY rule will prevail. This is exactly what happened in a rulebase I looked at not too long ago. The company was not convinced until we ran a packet capture and I could demonstrate that IP addresses from Russia AND China were banging on internal IP addresses.

Allowing ingress to your internal network using any protocol is fraught with peril. Terminal Services/RDP allowed in? Somebody will be running scripts against the Administrator ID trying to log in all the time. FTP? There are too many ways to badly configure an FTP server. That’s what a DMZ is for. So is your Outlook Web Access. If any internal server is compromised, it becomes a jumping off point into the rest of your network. This goes for printers, too, which have little miniature hard drives.

ANY/ANY rules are red flags to the auditor - they tell me someone is sloppy, and hasn’t taken the time to ascertain what ports are absolutely necessary to open. Yes, we’re all busy, but think how busy you will be cleaning up after hackers. Or, worse yet, cleaning up your resume on the unemployment line.

Have a rule labeled TEMP? Put an expiration date and a contact person in the notes. If you are run over by the turnip truck, the next engineer will have a clue as to what is going on and will offer up burnt offerings in gratitude.
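An added example (not from the original post) of the audit checks described above, run in Python against a constructed rulebase with made-up addresses: it lists ANY/ANY accept rules, finds rules shadowed by a broader rule above them, and reports TEMP rules that lack an expiry date and owner or are past their expiry.

```python
from datetime import date

# Constructed rulebase, listed top-down as the firewall evaluates it (first match
# wins). Names and addresses are made up; matching is exact string or "any".
RULES = [
    {"name": "TEMP-vendor", "src": "any", "dst": "any", "service": "any",
     "action": "accept", "notes": {}},
    {"name": "web-dmz", "src": "any", "dst": "10.1.1.10", "service": "tcp/443",
     "action": "accept", "notes": {}},
    {"name": "no-rdp-in", "src": "any", "dst": "10.0.0.0/8", "service": "tcp/3389",
     "action": "drop", "notes": {}},
    {"name": "TEMP-migration", "src": "10.2.0.0/16", "dst": "10.3.0.5",
     "service": "tcp/1433", "action": "accept",
     "notes": {"expires": date(2009, 3, 1), "owner": "jsmith"}},
]
FIELDS = ("src", "dst", "service")

def any_any_rules(rules):
    """Names of rules that accept any source, destination and service."""
    return [r["name"] for r in rules
            if r["action"] == "accept" and all(r[f] == "any" for f in FIELDS)]

def covers(earlier, later):
    """True when every packet `later` would match is already caught by `earlier`."""
    return all(earlier[f] in ("any", later[f]) for f in FIELDS)

def shadowed_rules(rules):
    """(rule, rule above it that catches all its traffic) pairs; the first never fires."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later["name"], earlier["name"]))
                break
    return found

def temp_rule_findings(rules, today):
    """TEMP rules with no expiry/owner in the notes, or whose expiry has passed."""
    findings = []
    for r in rules:
        if not r["name"].upper().startswith("TEMP"):
            continue
        expires = r["notes"].get("expires")
        if expires is None or "owner" not in r["notes"]:
            findings.append((r["name"], "no expiry date or owner recorded"))
        elif expires < today:
            findings.append((r["name"], "expired on %s" % expires))
    return findings
```

Note that the drop rule for inbound RDP is reported as shadowed: with the ANY/ANY accept above it, it never fires, which is exactly the situation in the packet capture described above.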