Today, I spent a rather grueling couple of hours taking an assessment of my network security skills. The assessment, for reasons known only to the assessors, focused more on Linux configuration, firewall and router commands than on security theory and principles. If you needed to hire a security administrator for your company which person would you choose: The guy who has memorized all of the commands for your brand of firewall/router; or, the person who understands security on a conceptual level? I’d choose the latter every time.
This goofy focus on configuration skills to the almost complete exclusion of general security knowledge got my brain gears meshing in overdrive; I decided to look deeper and see if I could find other examples of erroneous ideas of what constitutes good security. It wasn’t easy, except for picking number one. Here are my Top Five Security Faux Pas beginning with number five:
- 5. Relying Solely on Software Security Updates–What, you’ve never heard of a zero-day exploit? C’mon, we professionals know that the bad guys are usually first to discover the security flaws and they’re the first to exploit them.
- 4. Altering the Firewall–Oh! There’s a threat? Let’s add a rule to the firewall. You have a Cisco Certified CCIE-Security on staff? Good for you! If not, this isn’t a good option.
- 3. Failure to Monitor the Network–If you don’t analyze the firewall, IDS and server logs, you’re likely missing things that shouldn’t be. Buried among those thousands of failed attempts a finding an open port are those few that manage to attempt a connection and fail. Do you see them?
- 2. Failure to Consider Internal Threats–Your employees are all angels, right? They always follow the security guidelines, policies and procedures you set for them. Outright malice aside, what if that thumb drive they plugged in this morning picked up a trojan from their home computer last night? Oh, oh! You’re pwned.
- 1. Mistaking Technical Expertise for Security Savvy–So, the new “Sec Admin” can configure any router or firewall and knows all the commands to “protect” your network. So, what? Can he teach the receptionist how to detect and thwart a telephone phishing attempt? Does he even know how someone would go about that? If not, you’re doomed…
Suggestion for all you folks who love to do “assessments” of candidates’ “network security” abilities: Assess their security mindset, not their ability to memorize arcane firewall configuration commands. It does no good to block malicious packets at the firewall when Suzy Secretary is injecting them into the local network or becoming easy prey to the perpetrator of a telephone phishing attack.
It’s again time to delve into our Hacking Skills Challenge. Our last challenge was level 8 at HackThisSite.org and that was almost three months ago. They’re starting to get a little tougher now, but we’ve learned some good techniques that will help us. Here’s the challenge:
The password is again hidden in an unknown file. However, the script that was previously used to find it has some limitations. Requirements: Knowledge of SSI, unix directory structure.
Pay attention, now. Look at the challenge carefully. There’s some key information on the challenge page:
Network Security Sam is going down with the ship – he’s determined to keep obscuring the password file, no matter how many times people manage to recover it. This time the file is saved in /var/www/hackthissite.org/html/missions/basic/9/.
In the last level, however, in my attempt to limit people to using server side includes to display the directory listing to level 8 only, I have mistakenly screwed up somewhere.. there is a way to get the obscured level 9 password. See if you can figure out how…
So, it looks like Sam goofed and we may be able to manipulate our directory hack slightly to find the level 9 password. Let’ see… Well, if you try anything in the level 9 page, you just get errors, so maybe this is the key clue: last level, however, in my attempt to limit people to using server side includes to display the directory listing to level 8 only.
So, let’s go back and hack level 8 a little differently and see what happens. Last time, we used the command [<]!–#exec cmd=”ls ..”–[>] (don’t use the brackets) to get us a listing of the level 8 directory (the “../” we used to take us back one level). Can it be as simple as specifying the directory for basic 9 in this way: [<]!–#exec cmd=”ls ../../9”–[>]?
Go back to the level 8 page and enter that string in the “Enter your name” field. Bingo! We get this: Your file has been saved. Please click here view the file. We click that link and we get:
Hi, index.php p91e283zc3.php! Your name contains 24 characters.
Load p91e283zc3.php in your browser like this: http://www.hackthissite.org/missions/basic/9/p91e283zc3.php, and you get the password, 3c40ec25.
Go back to level 9 and enter that password. Mission accomplished!
We all have a toolkit–that collection of security, maintenance and utility software that we carry around with us so we can get some real work done. I’ve written about several of my favorite tools in this blog. Here are some of the more useful ones from last year:
My complete Geek Toolkit is a compilation of free and Open Source software that contains, among other things, web wervers, utilities, spyware killers, security tools, disk tools, and disaster recovery info. It’s 354 MB contained in more than 700 files. In addition to that, I have seven other flash drives that are configured with various bootable utilities for those systems that are completely hosed.
What’s in your Geek Toolkit? Hit the comments and let me know. I’m going to be compiling more tools soon and I’d like to know what you like.
Goes to show that I’ve gotten behind on my keeping up with security news. Health and family issues have taken an inordinate amount of my attention this month. Consequently, I just came across this announcement.
Brian Krebs, whose column “Security Fix” was often a source of information for my own posts, has left The Washington Post effective December 31, 2009. I’ll let him tell you:
This will be the last post for the Security Fix blog. Dec. 31 marks my final day at The Washington Post Company.
Over the last 15 years, I’ve reported hundreds of stories for washingtonpost.com and the paper edition. I have authored more than 1,300 blog posts since we launched Security Fix back in March 2005. Dozens of investigative reports that first appeared online later were “reverse published” in the newspaper, including eight front-page stories and a Post Magazine cover.
He’s not out of the security reporting biz, though:
He now has his own site, Krebs on Security, and it looks like he’s on a roll. Check it out and know that I’ll be drawing on his insight, too.
What follows is an email version of what one of my family members went through a couple of years ago. It goes like this: foreign person in the states is facing expiry of green card and seeks a more permanent work visa; foreign person “falls in love” with American and convinces him/her to get married; foreign person now has the means to stay here; foreign person divorces American spouse after an “acceptable” amount of time.
That’s a real world example, but the scam also happens in cyberspace. In fact, here is an actual notice I got from the administrator of a social network that I happen to be a member of:
I am posting this as a warning… not from this site itself, but as a caution about other members and all sites in general.
It has been brought to my attention that a member of this site has been
befriending other members, asking for their emails and pics of them …
and subsequently getting to the point of asking the member to invite
them to their home (by filling out a request and visa for them to come
to the states).
Any complaints of such on any of my sites will warrant immediate suspension… no warning.
THIS IS NOT appropriate behavior or etiquette for internet sites anywhere at any time. Please do not give out your emails unless you are doing business with someone or you know them WELL ENOUGH to do so.
You are encouraged to use very wise judgment on doing anything that could
jeopardize your being. Please be cautious of such requests.
Sincerely, [name not revealed for security purposes]
Does this sound familiar to you? Please warn anyone you know who is being scammed in this way.
I don’t know about you, but I often get a bit weary of the constant “seriousness” of security issues. It’s not all doom and gloom, you know; some things are actually funny. With that in mind, I’m launching my new ongoing series “Security Humor” and with that, today’s installment (no offense to my Irish readers and friends) entitled, “Irish Password.”
During a recent password audit at Bank Of Ireland it was found that Paddy O’Toole was using the following password:
When asked why he had such a long password he replied: “Oi was told it had to be at least 8 characters long and include one capital!”
I plan to post a minimum of two installments a month, more during slow security news times. As always, comments are welcome. Go ahead and tell me what you think right now!
Do you block access to social networks from the office? Think this means you’re safe? Think again. You’re still susceptible to corporate espionage through your employees’ social network profiles. The Dark Reading article, “The Seven Deadliest Social Networking Hacks,” tells why:
To pull off a spear phishing attack, for example, all an attacker has to do is search for Company A’s employees on a social networking site and then pose as someone within the organization — such as the head of human resources — and email the employee addresses he finds, for example. A phony HR spear phish could look something like this, Sophos’s Cluley says: “Dear Fred Jones, Congratulations on joining XYZ Company. Click on this link to access our HR Intranet and then log in with your regular network username and password so we can update our files.”
A newbie to the company could easily fall for the ploy and hand over access to the corporate network, he says.
How can you prevent such a thing? It’s difficult at best; probably close to impossible because you have to educate your employees to never post your company name in personal profiles. It only takes one scrap of information to cause problems and the bad guys aren’t far away:
…the “six degrees of separation” rule applies on most social networks: You’re only a few hops away from a bad guy. “We know that there are bad people on these networks using them to steal information,” Cluley says. “You may be only a half a dozen hops from an identity thief if we’re all connected.”
The solution to having good security is, always has been, and always will be increasing the security awareness of everyone in the company from the janitor to the CEO. It requires a continuous educational process to instill a security mindset into people; it requires eternal vigilance on the part of those responsible for managing security. It’s not easy. When it comes right down to it, security uber-expert Bruce Schneier sums it up best:
“The user’s going to pick dancing pigs over security every time.”
*A fax was received by a former employer related to COBRA medical insurance coverage that I need to reapply for.
*An email was sent to me with the fax attached as a PDF file.
*Among the pages of the fax contained in that PDF was an “example” of how an attest form should be filled out.
*That form contained the full name and SSN of the “example” insured person, the employer group number, employer name, and certain other key pieces of information.
I was appalled! So, in the interest of security research, I did a quick and dirty check. With nothing more than a couple of simple Google searches, I was able to gain other information that would have allowed me social-engineer my way into a complete impersonation of the “example” insured person.
Naturally, I won’t go into details about what I found and how I found it, but this should serve as a wonderful example of how most people are completely oblivious of the security consequences of mishandling sensitive information.
The first failure occurred at management level of the insurance company where proper controls and procedures were not in place to catch an employee’s security breach. Sending a copy of an actual form instead of an invented one as an “example” of how to complete the documentation should not have been an option. Someone dropped the ball big time here.
The second failure occurred in the lack of security consciousness training of employees who deal with sensitive information. How could the person responsible for sending the fax have let such a thing get past them? The form didn’t say “Jane Doe,” it was a real person’s name; the SSN wasn’t “123-45-6789,” it was an actual SSN; the company name didn’t read “ACME Widgets,” it was a real business name; and, the employee who filled out and attested to the form was an actual employee.
The last weak link in the chain was the administrative person who forwarded the PDF–via email in clear text, not encrypted–to me. That person probably didn’t even look at it–it was just one more thing to do in an already too-busy day.
If you’re in Information Security at any level, things like this should make it obvious that there’s real truth in the statement, “Be afraid, be very afraid…”
I’m joking, of course, but we’re not going to escape that the weakest link in the security chain is the people responsible for it.
What’s on your social network profile? You have to be careful what you put up there because even seemingly basic information about you can give away some valuable tidbits –- your name and date of birth, for instance –- that identity thieves can use to guess passwords or impersonate you, and even eventually steal your identity.
Some people are very free with their personal information, even going so far as to provide their phone number, email address, full street address, etc. Not really a good idea, but what can you do about it?
For starters, don’t answer all of the questions in a social networking profile and for sure, don’t give your real birthday. Who will know? If you have family and close friends who know your real numbers, you can explain that it’s a security precaution–they certainly won’t care. And what difference does it make if your profile says your birthday is 07/24/73 when it’s really 08/16/75?
We’re social creatures and tend to be trusting, but there’s no need to be at risk. A little misdirection when posting your personal information is something you’ll probably never have reason to regret.
Cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities have been with us for some time and while many social networks have tightened their defenses against XSS attacks–as have many other conventional websites–there are some social networking worms have used XSS flaws to spread. Some security experts say that CSRF attacks are not common on the social networks, but best be on the lookout for them unless the site admins are proactive.
The openness of Web 2.0 sites in general makes these complicated attacks virtually unnecessary, but it is possible using CSRF to utilize a hacked MySpace account to jump across to Facebook and wreak havoc. One security specialist noted that as long as users are allowed to use code in one form or another in profiles and comments–especially with links to external content–there are going to be security problems.
That seems to be the real issue here. XSS and CSRF, while possible, probably aren’t even necessary for hackers to compromise accounts; they’re already open enough to be vulnerable.