The Security Detail


March 26, 2011  1:15 AM

Microsoft Leaves Freedom Fighters Vulnerable by Turning Off HTTPS

Tony Bradley

The Electronic Frontier Foundation (EFF) reports that Microsoft has disabled the option to have all Hotmail communications encrypted with HTTPS in a variety of countries, including Iran, Myanmar, Bahrain, Sudan, and other nations where intercepted emails could place political dissidents in grave danger.

Just this week, an attack suspected to be state-sponsored and emanating from Iran led to Comodo issuing fraudulent SSL certificates for a number of domains belonging to Google, Yahoo, Skype, and Microsoft’s Windows Live. Why would Iran want SSL certificates for these domains? The speculation is that rogue certificates would allow the nation to impersonate the sites, sit in the middle of what users believe are encrypted sessions, and intercept sensitive communications of political dissidents and freedom fighters.

Turn on the news. Political upheaval is rocking entire regions–primarily across Africa and the Middle East. Look at Libya. These nations are not shy about using any means necessary to put an expedient end to political protests or rebellion. Those with the courage to speak out, or to take charge and organize opposition against the reigning regime, are arrested or killed.

Microsoft needs to explain why it has chosen to take away the encryption that is so crucial to protecting communications. Not only why–but why in these nations in particular.

Those affected do have some options, though. The EFF points out that users can change the country associated in their profile to another nation where the HTTPS option is still on–like the United States. Another alternative is to simply stop using Hotmail, and instead switch to a webmail service that does have HTTPS encryption like Google Gmail.

March 22, 2011  10:34 PM

Win a Free Copy of “The Accidental Administrator: Cisco ASA Security Appliance”

Tony Bradley

Recently I posted an article by Don Crawley excerpted from his book The Accidental Administrator: Cisco ASA Security Appliance. One of our other IT Knowledge Exchange blogs has a brief interview with Crawley, and is giving away a copy of the book.

The post by Melanie Yarbrough shares this tidbit about Crawley and the origin of the concept of the “accidental administrator”:

“Many [IT professionals] got into it because of a knack for technology,” he said, explaining where the title for his book series originated. Many students in his training classes approached him to say that they had accidentally become administrators. Because of their affinity for technology, they had become the go-to person at their company and when their positions became official they were sent to him seeking certification and proper training.”

To learn more about Crawley–and the book–read Yarbrough’s blog post. To register for a chance to win a copy of The Accidental Administrator: Cisco ASA Security Appliance, click here.


March 21, 2011  9:54 PM

Use Microsoft EMET to Reduce Risk of Attack

Tony Bradley

Today, Adobe patched a critical security flaw in Flash Player, which also affects the Flash component bundled with Acrobat and Reader. When Adobe announced the vulnerability last week, it noted that attacks were being seen in the wild using a malicious Flash (SWF) file embedded in a Microsoft Excel (XLS) file attachment.

Microsoft was quick to point out, however, that the Flash Player attack would not work on Excel 2010. A Microsoft Security Research & Defense blog post explains, “The current attacks do not bypass the Data Execution Prevention security mitigation (DEP). Microsoft Office 2010 turns DEP on for the core Office applications, and this will also protect Flash Player when it is loaded inside an Office application. In addition to that, users of the 64 bit edition of Microsoft Office 2010 have even less exposure to the current attacks as the shellcode for all the exploits we’ve seen will only work on a 32 bit process.”

Fair enough. Office 2010 provides better security than previous versions of Office, and the 64-bit version of Office 2010 is even more secure still. Many organizations still rely on Office 2007 or earlier releases, though–so are they just out of luck?

Fortunately, Microsoft provides a better solution than simply suggesting that everyone upgrade to Office 2010. Microsoft offers a tool called the Enhanced Mitigation Experience Toolkit–or EMET. The tool is basically designed to let you implement mitigations to better protect older software that does not have the benefit of the security controls found in current products.

The Microsoft blog post says, “Turning on EMET for the core Office applications will enable a number of security protections called security mitigations. The exploits we’ve seen so far are broken by three of these mitigations: DEP, Export Address Table Access filtering (EAF), and HeapSpray pre-allocation. EMET is of value even to Microsoft Office 2010 as it has the first of the three enabled by default, but does not have the second or third ones.”

I highly suggest you download EMET and take a look at what it can do for you. It can help with newer software, but for legacy software it is a must-have.


March 19, 2011  11:14 AM

RSA Vague on SecurID Hack Details

Tony Bradley

RSA posted an open letter to customers this week revealing that it had been the target of an advanced persistent threat (APT) that led to the compromise of sensitive information related to its SecurID authentication tokens.

The information shared in the letter is concerning for customers, but what is even more concerning at this point is what is not being shared. RSA has been short on details–basically just saying that it is “confident” there is no immediate threat of an exploit resulting from the hack, and that it has “no evidence” that any other products are impacted. Other than that, RSA just wants customers not to panic, and to have faith that RSA has everything under control.

Art Coviello’s letter states, “As appropriate, we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cyber security threat.”

The problem is deciding who gets to define “as appropriate”. Many customers feel it would be “appropriate” for RSA to be much more forthcoming about what information, specifically, was compromised. With that information, customers could better understand the threat, determine its scope and impact for their own deployments, and take proactive steps to guard against any potential SecurID attacks.

Perhaps, RSA is unsure whether the attackers even really realize what they have, and they fear that divulging too many details could exacerbate the problem by pointing would-be attackers in the right direction. That seems like a reasonable possibility. But, for now RSA is just being vague about the details of the SecurID hack, and what RSA isn’t saying seems to be more revealing than what RSA is saying.


March 16, 2011  11:40 AM

Information Security = Job Security

Tony Bradley

Wikileaks. ZeuS botnets. Inside threats. Public WiFi hotspots. Mobile app malware. Targeted malicious attacks. There is certainly no shortage of computer and data security threats. That is bad news for consumers and businesses, but excellent news for information security professionals.

The volume and scope of information security careers continues to grow and diversify. Whether it is developing more secure software in the first place, identifying and resolving issues with existing software and websites, responding to security incidents, monitoring efforts to comply with security and data protection requirements, or a thousand other roles–people with information security skills are in high demand.


March 14, 2011  9:15 PM

If It Can Be Jailbroken, It Can’t Be Secure

Tony Bradley

Apple deployed iOS 4.3 last week–the latest version of the mobile OS that powers the iPhone, iPad, and iPod Touch. A day later, the OS had already been jailbroken.

For those who may be out of the loop, “jailbreak” is the term for circumventing the security controls of iOS to gain root access, which lets you customize and configure the device in ways that Apple would never allow.

Many people swear by jailbreaking, and consider it a “right” of sorts that they should be able to modify their iGadget of choice to fit their needs without Steve Jobs’ approval. Fair enough. But the fact that iOS is so easily hacked to gain root access is not a great sign for the security of the mobile OS overall.

As organizations embrace smartphones and consider deploying tablets en masse, the security and stability of the platform are important factors to consider. There are a growing number of enterprise tools coming to market to enable IT admins to configure, monitor, and maintain remote devices like smartphones and tablets, and some of those are able to identify devices that have been jailbroken.

That is at least a band-aid, or a step in the right direction. But, Apple should be looking seriously at what it can do to protect iOS and prevent jailbreaking. No software is perfect, but iOS 4.3 was hacked in under 24 hours. Breaking into the OS should at least be a challenge requiring some effort and not just a trivial walk in the park.


March 12, 2011  1:28 AM

Safari Exploit Used to Hack iOS

Tony Bradley

Apple rolled out the latest version of its mobile operating system this week–iOS 4.3–as a prelude to the launch of the iPad 2. Among a myriad of updates and new features included in iOS 4.3, Apple included a new security control to help protect iOS-based mobile devices from malicious attack.

ASLR (address space layout randomization) randomizes the location of core system functions to make them more difficult to locate and exploit. That is, when it works. Charlie Miller was able to bypass the ASLR protection and hack an iPhone to win the iPhone portion of the Pwn2Own competition, using a security hole in the iOS version of the Safari Web browser.

Miller has shared the details of the flaw with Apple, and Apple is reportedly working on an incremental update for iOS 4.3. Expect to see an iOS 4.3.1 update very soon.


March 9, 2011  2:23 PM

Understanding the Eight Basic Commands on a Cisco ASA Security Appliance

Tony Bradley

There are literally thousands of commands and sub-commands available to configure a Cisco security appliance. As you gain knowledge of the appliance, you will use more and more of the commands. Initially, however, there are just a few commands required to configure basic functionality on the appliance. Basic functionality is defined as allowing inside hosts to access outside hosts, but not allowing outside hosts to access the inside hosts. Additionally, management must be allowed from at least one inside host. To enable basic functionality, there are eight basic commands (these commands are based on software version 8.3(1) or greater):

· interface
· nameif
· security-level
· ip address
· switchport access
· object network
· nat
· route

interface

The interface command identifies either the hardware interface or the Switch Virtual Interface (VLAN interface) that will be configured, and places you in interface configuration mode. There, you can assign physical ports to VLANs and enable them (turn them on), or you can assign names and security levels to VLAN interfaces.

nameif

The nameif command gives the interface a name and assigns it a default security level: 100 if the name is inside, 0 for any other name. Typical names are outside, inside, or dmz. The security-level command, covered next, overrides the default.

security-level

Security levels are numeric values, ranging from 0 to 100, used by the appliance to control traffic flow. Traffic is permitted to flow from interfaces with higher security levels to interfaces with lower security levels, but not the other way. Access-lists must be used to permit traffic to flow from lower security levels to higher security levels. Traffic between two interfaces with the same security level is dropped unless same-security-traffic permit inter-interface is configured. The default security level for an outside interface is 0. For an inside interface, the default security level is 100. In the following sample configuration, the interface command selects each VLAN interface, nameif names the inside and outside interfaces (which take their default levels), and then the DMZ interface is named and a security level of 50 is assigned to it.

ciscoasa(config)# interface vlan1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# interface vlan2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# interface vlan3
ciscoasa(config-if)# nameif dmz
ciscoasa(config-if)# security-level 50

ip address

The ip address command assigns an IP address to a VLAN interface either statically or by making it a DHCP client (ip address dhcp). With modern versions of security appliance software, it is not necessary to explicitly configure the mask when it is the classful default, as in the example below. If you are using a non-standard mask, you must specify it.

In the following sample configuration, an IP address is assigned to VLAN 1, the inside interface.

ciscoasa(config-if)# interface vlan 1
ciscoasa(config-if)# ip address 192.168.1.1

switchport access

The switchport access command on the ASA 5505 security appliance assigns a physical port to a logical (VLAN) interface. In the next example, the interface command is used to select the physical ports, assign them to VLANs, and enable them (turn them on). This command is not used on the ASA 55x0 appliances, whose interfaces are routed ports configured directly.

ciscoasa(config-if)# interface ethernet 0/0
ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/1
ciscoasa(config-if)# switchport access vlan 1
ciscoasa(config-if)# no shutdown

object network obj_any

The object network obj_any statement creates an object called “obj_any”. (You do not have to name the object “obj_any”; that is a descriptive name, but you could just as easily name it “Juan”.) The network option states that this particular object is defined by IP addresses. The subnet 0.0.0.0 0.0.0.0 command states that obj_any matches any IP address; when the appliance orders its NAT table, objects with more specific subnets are matched ahead of this catch-all.

ciscoasa(config)# object network obj_any
ciscoasa(config-network-object)# subnet 0.0.0.0 0.0.0.0

nat

The nat statement is entered inside the network object (this is “auto NAT” in software 8.3 and later). As shown below, it tells the firewall to translate traffic from the hosts in obj_any that flows from the inside interface to the outside interface so that it uses the outside interface’s own address (dynamic PAT). That address may be statically configured, as in the sample base configuration, or assigned by DHCP.

ciscoasa(config-network-object)# nat (inside,outside) dynamic interface

route

The route command, in its most basic form, assigns a default route for traffic, typically to an ISP’s router. It can also add static routes that send traffic for specific subnets to specific next-hop routers.

In this sample configuration, the route command is used to configure a default route to the ISP’s router at 12.3.4.6. The two zeroes before the ISP’s router address are shorthand for a destination of 0.0.0.0 with a mask of 0.0.0.0. The keyword outside identifies the interface through which traffic will be forwarded to reach the next hop.

ciscoasa(config)# route outside 0 0 12.3.4.6

 

The above commands create a very basic firewall, however, using a sophisticated device such as a Cisco PIX or ASA security appliance to perform such basic firewall functions is overkill.

Other commands to use include hostname to identify the firewall, telnet or ssh to allow remote administration (restricted to specific management hosts), dhcpd commands to allow the firewall to assign IP addresses to inside hosts, and static NAT (a nat (dmz,outside) static statement inside a network object) together with access-list and access-group commands to allow internal hosts such as DMZ Web servers or DMZ mail servers to be reachable from Internet hosts.

Here is a sample base configuration:

Sample Base Configuration

ciscoasa(config)# interface vlan1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# interface vlan2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# interface ethernet 0/0
ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/1
ciscoasa(config-if)# switchport access vlan 1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface vlan 2
ciscoasa(config-if)# ip address 12.3.4.5
ciscoasa(config-if)# interface vlan 1
ciscoasa(config-if)# ip address 192.168.1.1
ciscoasa(config-if)# route outside 0 0 12.3.4.6
ciscoasa(config)# object network obj_any
ciscoasa(config-network-object)# subnet 0.0.0.0 0.0.0.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic interface
ciscoasa(config-network-object)# exit
ciscoasa(config)# exit
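The following is an added example, not code from the book or the excerpt above. It parses a running-config in the style the eight commands produce, applies the security-level rule from the security-level section (higher to lower permitted by default, lower to higher denied without an access-list, equal levels dropped unless same-security-traffic permit inter-interface is set), and flags the omissions that most often leave a base configuration non-functional. The sample configuration is constructed: it is the excerpt’s base config with a DMZ on VLAN 3 at level 50 and a made-up DMZ address, and it assumes show running-config formatting (sub-commands indented by one space).

```python
"""Parse an ASA 8.3+ base configuration, evaluate the implicit interface-to-
interface policy imposed by security levels, and lint for common omissions.

Added example, not from the excerpted book. Assumes 'show running-config'
style text (sub-commands indented one space); addresses are constructed."""
import re
from typing import Dict, List, Optional

# Constructed sample: the excerpt's base config plus a DMZ (VLAN 3, level 50).
SAMPLE_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 12.3.4.5 255.255.255.0
interface Vlan3
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 1
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 12.3.4.6 1
"""


class Interface:
    def __init__(self, hw_name: str) -> None:
        self.hw_name = hw_name                 # e.g. "Vlan1"
        self.nameif: Optional[str] = None      # e.g. "inside"
        self.security_level: Optional[int] = None
        self.ip: Optional[str] = None


def parse_interfaces(config: str) -> Dict[str, Interface]:
    """Return named interfaces keyed by their nameif."""
    ifaces: Dict[str, Interface] = {}
    current: Optional[Interface] = None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):           # top-level command starts a block
            m = re.match(r"interface\s+(\S+)", line)
            current = Interface(m.group(1)) if m else None
            continue
        if current is None:                    # sub-command of a non-interface block
            continue
        tok = line.split()
        if tok[0] == "nameif":
            current.nameif = tok[1]
            # ASA default when security-level is omitted: 100 for "inside", else 0
            if current.security_level is None:
                current.security_level = 100 if tok[1] == "inside" else 0
            ifaces[tok[1]] = current
        elif tok[0] == "security-level":
            current.security_level = int(tok[1])
        elif tok[:2] == ["ip", "address"] and len(tok) > 2:
            current.ip = tok[2]
    return ifaces


def implicit_flow_allowed(ifaces: Dict[str, Interface], src: str, dst: str,
                          same_security_inter: bool = False) -> bool:
    """Is src -> dst traffic permitted with no access-list applied on src?"""
    s, d = ifaces[src].security_level, ifaces[dst].security_level
    if s > d:
        return True                 # higher -> lower: permitted by default
    if s == d:
        return same_security_inter  # needs 'same-security-traffic permit inter-interface'
    return False                    # lower -> higher: denied until an ACL permits it


def lint(config: str) -> List[str]:
    """Flag omissions that leave the base firewall non-functional or ambiguous."""
    ifaces = parse_interfaces(config)
    findings: List[str] = []
    for name, i in ifaces.items():
        if i.ip is None:
            findings.append(f"{name} ({i.hw_name}) has nameif but no ip address")
    if "outside" in ifaces and ifaces["outside"].security_level != 0:
        findings.append("outside interface is not security-level 0")
    by_level: Dict[int, List[str]] = {}
    for name, i in ifaces.items():
        by_level.setdefault(i.security_level, []).append(name)
    for lvl, names in sorted(by_level.items()):
        if len(names) > 1:
            findings.append(f"{names} share security-level {lvl}; traffic between "
                            "them is dropped without same-security-traffic permit")
    if not re.search(r"^route\s+\S+\s+0(\.0\.0\.0)?\s+0(\.0\.0\.0)?\s+\S+", config, re.M):
        findings.append("no default route")
    if not re.search(r"^\s*nat\s*\(", config, re.M):
        findings.append("no nat statement; inside hosts cannot reach outside")
    return findings


if __name__ == "__main__":
    ifs = parse_interfaces(SAMPLE_CONFIG)
    for a, b in [("inside", "outside"), ("outside", "inside"),
                 ("inside", "dmz"), ("dmz", "inside")]:
        print(f"{a:>7} -> {b:<7} implicit permit: {implicit_flow_allowed(ifs, a, b)}")
    print("lint:", lint(SAMPLE_CONFIG) or "clean")
```

Run against a real show running-config and the lint output is the first thing to check before adding access-lists: a named interface with no address, two interfaces that silently share a level, or a missing nat statement each explain a “basic firewall that passes nothing” far more often than an access-list does.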

———————————————————————————- 

Excerpted with permission from The Accidental Administrator:  Cisco ASA Security Appliance: A Step-by-Step Configuration Guide by Don R. Crawley Paperback: 184 pages ISBN-10: 1449596622 ISBN-13: 978-1449596620

———————————————————————————-

Contributed by:

Don R. Crawley, author of The Accidental Administrator series of books for IT professionals, including The Accidental Administrator: Cisco ASA Security Appliance: A Step-by-Step Configuration Guide, and President of soundtraining.net, a Seattle, Washington-based IT training firm. He is a veteran IT guy with over 35 years’ experience in technology for the workplace. He holds multiple certifications on Microsoft, Cisco, and Linux products. Don can be reached at (206) 988-5858, www.soundtraining.net, don@soundtraining.net


March 7, 2011  5:59 PM

Chuckling Safely from Within the “Walled Garden”

Tony Bradley

Apple runs a tight ship. It is very particular about its hardware, and the user experience. It has stringent controls, and sometimes seemingly capricious or arbitrary guidelines restricting the types of apps that are allowed in the Apple App Store.

Some might say it is controlling, or that Apple policies and restrictions within iOS and for iOS app developers lean toward draconian. But, sometimes there are benefits to the “walled garden” approach.

Android users have been hit by more than 50 malicious Trojan apps that somehow made their way into the official Google Android Market. What is even worse is that these DroidDream malicious apps are able to bypass Android security controls and gain root access to the system–granting the malware almost limitless power to further infect or compromise the Android smartphone.

Well, not only would the stringent app review process at Apple be more likely to uncover hidden malicious code like DroidDream, but the success of DroidDream is largely a result of the fragmented Android landscape. Google is on Android 2.3 Gingerbread for smartphones, and recently launched Android 3.0 Honeycomb for tablets. The vulnerabilities exploited by DroidDream to root Android were fixed in Gingerbread–which has been available for nearly three months. However, only about one percent of all Android devices have actually received the update to Gingerbread, and the rest are at the mercy of individual smartphone manufacturers to determine when–or if–they will get it.

Meanwhile, more than 90 percent of the iOS devices out there are running the latest version and anxiously awaiting the release of iOS 4.3 later this week. When iOS 4.3 is released, it will be available to virtually all iPhone, iPad, and iPod Touch devices (Verizon iPhones are already running a more current version of iOS than other devices and are excluded from the iOS 4.3 update for now).

The diversity of hardware, and the open software platform of Android are a double-edged sword. There are certainly benefits, but there is a problem when known vulnerabilities still exist in 99 percent of the Android devices because of device and OS fragmentation.


March 4, 2011  9:54 PM

Three Security Bulletins Planned for March Patch Tuesday

Tony Bradley

Next Tuesday is a big day for more reason than one. It is Fat Tuesday–a day to consume decadent paczkis and kick off Mardi Gras. It is also Microsoft’s Patch Tuesday for March. Patch Tuesday comes quick when the first day of the month is a Tuesday.

Microsoft has only three security bulletins planned this month. Two affect Windows, and one addresses issues with Microsoft Office. One of the two slated for Windows is Critical, while the second is rated Important. The Microsoft Office bulletin is ranked as Important as well, and all three may require a system reboot for the update to complete.

Amol Sarwate, manager of the Vulnerability Research Lab for Qualys, passed on this analysis of the Patch Tuesday advance notification:

“The critical update affects Windows XP, Vista and Windows 7 while Windows Server 2003 and Server 2008 are not affected. One of the important updates affects all Windows operating systems and we expect it to be for the MHTML Information Disclosure issue which was left un-patched in last month’s patch cycle (2501696). The other important update patches the little known Office Groove 2007 software.”

