Every corporation nowadays is very concerned with account security. And the first thing that an auditor or security officer asks for are the treatment and storage of the default admin accounts (root, administrator, sa, DBO...).
We don't need to repeat the well known mantra of not using the default accounts for daily use.

But these accounts and passwords still need to be well secured, in order to achieve the following criteria

• Security - the passwords for the default admin accounts need to be strong and complex, and should withstand most attempts at brute force or social engineering attacks
• Confidentiality -no single person should know the default admin account password, since he/she can abuse this account for gain or to cause damage.
  
• Availability - In times of crisis, the organization may still need to use these default admin accounts, so they cannot be lost
  

The following procedure can be applied by any organization, and it meets all three criteria.

Security and Confidentiality - the passwords should be constructed in two parts (each part entered by different person). Having two people create a password increases the complexity significantly, and reduces the possibility of using social knowledge of a single person to attack the password. Also, no single person knows the password.

Confidentiality and Availability - The parts of the password should be written on separate pieces of paper marked first and second part and stored in separate envelopes. These two envelopes should then be stored in a tamper evident envelope.

Placing the passwords in tamper evident envelope is a place where most attempts at secure storing fail. The basic reason is that tamper evident envelopes are not readily available, or even that they cannot be ordered through central procurement. This is rarely the case, since such envelopes are available in most office supplies stores.

But even if such envelopes are not available, you can easily create a DYI tamper evident envelope like this:

1. Take an ordinary envelope.
2. Ask your manager to sign his name at least 2 times on the edges of the envelope, from both sides.
3. Cover the length of signed edges with a transparent adhesive tape (scotch tape) - make sure that you overlap the envelope with the adhesive tape.
4. Put the password envelopes inside the tamper-evident envelope
5. Seal the envelope, and have the manager sign the edge where the envelope is sealed
6. Cover the length of the seal and the signatures with the adhesive tape - make sure that the tape touches both the flap and the envelope surface as well as the signatures

The end result can be seen on the following image.


Through this process you have created a crude tamper-evident envelope. If someone tries to open this envelope at any edge or through the sealed flap, he/she will damage the adhesive tape. This damage is easily visible. If someone tries to remove the adhesive tape prior to opening the envelope, the removed adhesive tape will remove the signature that it covers - thus showing that the envelope was tampered with.

Once this step is out of the way, the securing of password can be finished by storing the envelope in the department safe, where employees can still get to it if needed (a crisis situation)


This process is very simple to follow, and can be applied in one afternoon. All it takes is 3 people, some envelopes and the will to secure the default admin accounts. Just make sure that you reset the passwords of the default admin accounts in all places where they are used, like services/daemon accounts, and system jobs.

Talkback and comments are most welcome

Related posts
Cracking a TrueCrypt Container
Web Site that is not that easy to hack - Part 1 HOWTO - the bare necessities
5 Minute Security Assessment

Having an antivirus software is a gold standard in the Windows world. But what if you are using a Mac? The prevailing opinion is that there aren't enough viruses or malware in the wild to merit having an antivirus.

But in reality, while very few will name 5 viruses for Mac off the top of their heads, Mac has a lot of issues. For instance, Safari does not have a stellar reputation on security. In March of 2011, at CanSecWest, a Mac with Safari fell victim to a security exploit in under 10 seconds.

Also, social engineering attacks can be easily used to con the user into running malware code on their Mac. So having an antivirus and antimalware package on your Mac is a very wise choice.

But this brings us to another problem: What antivirus software packages have a Mac version. As of June 2011, Wikipedia lists that only 16 out of 62 antivirus software packages support the Mac. In a very interesting marketing move, some antivirus manufacturers actually offer free use of antivirus packages for Mac. Norton has another very interesting combination product - one that runs on the native MacOS and another that runs on the Windows environment available through BootCamp.

The policy of implementing an antivirus on Mac is a very wise choice for corporate environments. If a corporate environment is just starting to adopt the Mac platform, one can start 'light' with the free antivirus packages. These are not manageable through a central console, so you will soon be looking for a corporate antivirus platform that includes Mac antivirus software. But while you are using a couple of Macs, the free stuff will help immensely.


Talkback and comments are most welcome

Related posts

Managing the permanent security issue of Top Management
Protecting from the CCenter Malware and Trojan
Managing Antivirus Software - Keep the reinstall away

Regardless of procedures and policies, a company can have a nearly permanent security issue in top management. This issue results from the speed with which top management requires their services delivered and, more than probably, their lack of an information assurance degree - or even an understanding of what information assurance is, for that matter. No top manager wants to be bothered with the problems and challenges that security and IT guys are facing with their wishes. They want them resolved, preferably yesterday.

The security issue of top management results from their lack of time and insistence that everything works when they request it. Usually that means that the security request aspects of the solution have not been researched or even familiarized with. All this results in a half-baked workaround solution.

We will provide two examples of security issues that can easily arise:

1. The manager requests a new gadget - like a smart phone, tablet computer or a new 'bling computer' with a different OS. Procurement is quick to purchase the new device for the top manager that orders it. When the new gadget arrives procurement informs him in a CYA (Cover Your A*s) approach that they have done their job. The manager expects it to run immediately, so this is what usually happens:
   
• the gadget is set-up as fast as possible, using the basic instructions from the Internet or what little experience an engineer has with the gadget.
• help to install the gadget is solicited from any current users of the gadget, who also assist in set-up to the best of their knowledge, but with little concern about security or compliance to corporate standards
  
• the gadget is configured to provide all or most corporate services as used by the manager on the standard corporate computers.
  
• The end result is a device which can connect to most of the corporate services, but which is rarely properly secured. If the gadget is stolen, there will be a whole lot of grief for security guys.
2. The manager wants to open photos on a foreign USB - a guest arrives at the managers office, and he/she has an USB stick with photos. The manager wants to see the photos on his computer.
   
• If the manager's computer has permissions to open a USB, he/she will read the USB, possibly opening a virus or Trojan.
• If the manager's computer doesn't have permissions to open USB, it will be rushed through operations to enable access. Again, the end result can be a executing a virus or a trojan
• If not captured properly, a Trojan may enter the computer network of the corporation, and collect data or cause havoc
  

The harsh reality is that these situations will happen, and cannot be avoided in most corporate environments. So what can be done to mitigate these situations?
1. Have antivirus with very frequent auto-updating and realtime scanning installed on everything. Even if an infected USB is inserted, this mitigates the risk of the virus/trojan infecting a corporate compoter.
2. When configuring a new gadget, educate the IT team to first set up security - they should find out how to install/activate antivirus, put up a firewall and set up password protection for using the device. Even if you have limited amount of time with the gadget, it will have deterrents in place to reduce the risk of a stolen device.
3. Try to set-up the gadgets so they don't store corporate data locally - Access mail via IMAP or webmail, and computer services via VPN. Even if the gadget is stolen, all it takes is a password reset.
3. Have a good relationship to procurement - if they give you just a day advanced notice that there will be new gadgets, that is a day more to read up and prepare for a more proper configuration.

Talkback and comments are most welcome

Related posts
TrueCrypt Full Disk Encryption Review
Brief reminder - The value of a stolen corporate laptop
Tutorial - Breaking Weak Encryption With Excel

Any computer within a company is full of confidential information. And corporate desktop computers are quite resilient and long living. But at the end, any electronic device can fail.

But contrary to the rules that everyone repeats about laptops, desktop computers do not have encrypted disk drives.

Unlike industrial electronic repair, in which the repairs are performed on-site, desktop computers are treated as consumer electronics and are repaired at the vendors premises. So, if proper controls are not present, an IT technician may pick up the computer with the functional hard drive full of information and send it off to an external vendor - thus creating a security incident

To prevent this, a simple process should be put in place:

1. When performing electronic repairs on IT equipment, first try to fix system with replacement parts - internal IT can replace RAM memory, Hard Drive and PSU.
   
2. If the motherboard or elements on the motherboard are an issue, remove the Hard Drive prior to delivering the computer to the vendor.
3. If the computer is fully failed, remove the hard drive for data transfer or controlled data destruction
4. Even if the hard drive is fully failed, remove it for mechanical or magnetic destruction.
   

This very simple process will prevent possible security incidents


Talkback and comments are most welcome

Related posts
Windows 7 Full Disk Encryption with Truecrypt
Brief reminder - The value of a stolen corporate laptop

Virtualization is considered to be the new renaissance in computing. Suddenly, all those over sized servers are put to great use by putting multiple Guest OS's on them. But running IT services in a virtualized environment brings a whole host of new opportunities for hackers.

In this article, we'll review the ways an attacker will know that the target is a Virtual Machine

When attacking a virtual machine it is very useful to know that your target is a virtual machine. This is important for the following reasons:

• Isolation - once you gain access to a virtual machine, there are a number of isolation vulnerabilities that can be attempted
• Sphere of trust - all virtual machines on the same Host are part of the same sphere of trust
• Impersonation - in most implementations, virtual machines on the same host communicate with the rest of the network via the same physical NIC. Therefore it is extremely simple to modify the MAC address of the compromised host and attempt to impersonate another host on the network. The network defenses will have a difficult time locating who is the impersonator, since there are multiple virtual machines on the same host
• Nobody looks at a screen of a VM - Virtual Machines do not have a console screen. So tools that throw feedback on the console (like VNC) do not appear anywhere.

Identifying that you are attacking a virtual machine can happen in two phases:

1. Before you penetrate the target - identification of a VM can happen if the attacker is on the same LAN, and can therefore investigate the characteristics of the target. You can easily locate a Virtual Machine through the MAC address. You can check a MAC address for it's decriptive name here. Here is the list of MAC addresses that get assigned to Microsoft and VMware Virtual Machines
   
• 00-15-05-xx-xx-xx Microsoft Corporation MAC Address
• 00-0C-29-xx-xx-xx VMware, Inc.
• 00-50-56-xx-xx-xx VMware, Inc.
• This approach can fail if the VM Engine has a method of changing it's MAC address to 'seem' like a real host. Most often Realtek MAC addresses are used for this change , but this leads to an inconclusive check.
  
2. After you penetrate the target - This is a bit like a 'Catch 22': Once you penetrate the target, you have a lot more options, but all these require that you penetrate the target :). And these are your options:
• MAC Address - just as the previous approach, you can look at the MAC address. And ofcourse, you can hit the same obstacle - the replaced driver with one that is brought by the VM engine which is inconclusive
• Attack toolkit checkup - Metasploit, Core Impact and most other serious attack toolkits have a module that checks whether the compromised target is a VM. But these can fail miserably, as is presented on the screenshots below. This is why you need a second opinion.
• Internal windows tools - there are a whole host of tools that windows brings with itself that can be used to make sure whether you are on a virtual machine. Here are two
• driverquery - a simple command-line tool that queries all loaded drivers. If a VM Engine driver set is installed, you'll find a lot of reported information as on the screenshot below
• wmic - WMI command-line tool that can be used to query every possible aspect of a machine. The simplest query is wmic baseboard list which returns excellent information. In a Microsoft Virtualization, you'll see the following string: "Microsoft Corporation Base Board TRUE Virtual Machine" . In a VMware virtualization you'll see the following string: "Intel Corporation Base Board TRUE 440BX Desktop Reference Platform".
  

Talkback and comments are most welcome

Related posts
Hacking Virtual Machines Part 1 - Sniffing
Hacking Virtual Machines Part 2 - Environments Where Virtualization Lives
Hacking Virtual Machines Part 3 - Crashing unpatched Hyper-V hosts

Virtualization is considered to be the new renaissance in computing. Suddenly, all those over sized servers are put to great use by putting multiple Guest OS's on them. But running IT services in a virtualized environment brings a whole host of new opportunities for hackers.

In this article, we'll review the issue of Denial Of Service to a Virtualization enviroment:

One of the most important element of a Virtualization environment is the isolation. Since the host OS and the Guest OS machines run on the same hardware, and none should access each others resources - including memory, CPU time, video memory etc.


A lot of Virtualization implementations fail in proper isolation, and that can allow an attacker to mount different types of successful attacks.

The simplest one is a Denial of Service Attack. The compromised guest generates communication to memory address space attempting to breach the isolation walls and cause corruption of other Guest OS or the Host OS. It is very usual that early versions of a Virtualization platforms have vulnerabilities in the isolation mechanisms.

The following is an example of breach of the isolation wall on an unpatched Windows 2008 Hyper-V.

Please note that this attack only works on a default installation of Windows 2008, with no patches applied. So all your Virtualizaiton platforms should be fully patched

Talkback and comments are most welcome

Related posts
Hacking Virtual Machines Part 1 - Sniffing
Hacking Virtual Machines Part 2 - Environments Where Virtualization Lives

Laptops have become a commodity. Buying a corporate laptop costs nearly the same as buying a desktop PC.
And corporations love laptops for one simple reason. Laptops are mobile. When you issue laptop to an employee, you encourage him/her to take the work at home. Productivity increases, at no extra cost

But there is a flip side: this same trait of mobility also puts the laptop at risk of theft. Although the mantra of protecting your laptop is long going, there are a lot of companies who do not take this issue seriously. The mindset of managers still needs to be adjusted to present the issue.
Because managers speak the language of money, let's make a simple calculation that shows the impact of how much is your laptop worth:

Total Impact Value = Cv*[(Pl^2/Lv)/ProtL^2]

• Cv = Company value - Place the value of a company (usually declared in annual reports)
  
• Lv = Laptop purchase value (with costs of protection - licenses, encryption, GPS)
  
• Pl = Position level of laptop user:
• 10 - CEO/CFO/CSO
• 7 - Division Manager
• 5 - Department Head
• 2 - Senior Employee
• 1 - Junior Employee

• ProtL = Protection Level of Laptop

• 10 - hardware supported full HDD encryption, biometric, GPS location
  
• 7 - hardware supported full HDD encryption, biometrics
• 5 - Full HDD encryption
• 1 - password protected Account
  

This simple calculator can present the financial impact of non-protected laptop. For example, in a company worth 10,000,000 USD, if the CEO's laptop with no encryption is lost, it can cost the company more than 500,000 USD.

Securing a laptop is very well known issue connected to laptops. So when you buy new PC Laptops you may want to invest in a higher value of laptops, in order to provide better protection.

Interesting PC laptops for companies should be devices with security features like

• Full HDD encryption
  
• fingerprint reader, even retina scanner,
  
• Trusted Platform Module (TPM) chip (hardware supported encryption).
• Even GPS tracking can be added to protection, but this is only for the most serious systems
  

Talkback and comments are most welcome

Related posts

TrueCrypt Full Disk Encryption Review
5 rules to Protecting Information on your Laptop
Windows 7 Full Disk Encryption with Truecrypt

Adobe has released a Critical Advisory on Flash Player and Adobe Acrobat. Here is an extract from the Adobe Advisory:

A critical vulnerability exists in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX operating systems, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh operating systems.

This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. Adobe is not currently aware of attacks targeting Adobe Flash Player.

The really scary thing is that this vulnerability is already exploited in the wild. Adobe plans to release updates for the affected systems in the next week

There is a workaround that can be used in the meantime, but it requires a lot of footwork in a large organization.

Adobe Reader and Acrobat 9.x - Windows
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash (SWF) content.

The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.

Adobe Reader 9.x - Macintosh
1) Go to the Applications->Adobe Reader 9 folder.
2) Right Click on Adobe Reader.
3) Select Show Package Contents.
4) Go to the Contents->Frameworks folder.
5) Delete or move the AuthPlayLib.bundle file.

Acrobat Pro 9.x - Macintosh
1) Go to the Applications->Adobe Acrobat 9 Pro folder.
2) Right Click on Adobe Acrobat Pro.
3) Select Show Package Contents.
4) Go to the Contents->Frameworks folder.
5) Delete or move the AuthPlayLib.bundle file.

Adobe Reader 9.x - UNIX
1) Go to installation location of Reader (typically a folder named Adobe).
2) Within it browse to Reader9/Reader/intellinux/lib/ (for Linux) or Reader9/Reader/intelsolaris/lib/ (for Solaris).
3) Remove the library named "libauthplay.so.0.0.0."

Talkback and comments are most welcome

Virtualization is considered to be the new renaissance in computing. Suddenly, all those over sized servers are put to great use by putting multiple Guest OS's on them. But running IT services in a virtualized environment brings a whole host of new opportunities for hackers.

In this article, we'll review the environment in which Virtualization lives, and which targets will yield most benefits for an attacker:

The environment

1. Virtualization for production use is not a home tool - Virtualization is usually used by organizations of 500 employees or more. Smaller organizations also use it to create multiple environments on single hardware platforms. But smaller organizations are prone to make the classic mistake of mixing development and production platforms on same hardware.
   
2. Virtualization platforms can be under scrutiny of several security sensors - Corporations, as common users of virtualization also use a whole bunch of security devices. It is very common that the attack on virtual servers will be or at least logged by Intrusion Detection Systems, pattern matching logic on firewalls and log analysis systems.
   
3. It is rarely possible to initially plan for an attack on virtualization - In the information gathering and reconnaissance phase it is quite difficult to detect that some systems are virtualization platforms or virtual machines. You can confirm that there is virtualization only after you penetrate the perimeter and are able to scan for MAC addresses or specific signatures on the virtual hosts.
   

Targets of choice

The best virtualization attack targets, in order of preference are:

1. Training platforms - These platforms are created by the 'Let's see if I can do this' philosophy. They are notoriously unpatched, since nobody bothers to patch them - they are expendable. These platforms have a tendency of urgently becoming production platforms in times of need - resources are needed and these are available. But then, they remain unpatched for quite some time.
   
2. Test and development platforms - These platforms have a much better security posture then training platforms. But still, they are usually lagging behind production on patch levels. Also, test and development platforms are very good targets because they are full of production grade or near-production grade of data.
   
3. Mixed test and production platforms - Both production and test versions of applications with lower processing requirements can be placed on the same VM Host. But unless they are isolated to different VLANS or on separate physical network adapters, the test platform can be exploited and used to attack the production.
   
4. Proof of concept platforms - These platforms are usually outward facing platforms, like web servers that contain demo code or proof of concept code used for customer evaluations or marketing purposes. These platforms are usually compromised by a flaw in the web applications, and in a well maintained environment should be in an untrusted DMZ.

Attack guidelines

With this description of the environment, an attacker can prepare him/herself for attack on virtualization:

1. Virtual machines are targets of opportunity - Virtual machines are not advertised. They can be detected only after the initial penetration. In such a case, the attack should be re-planned to possibly compromise the virtualization platforms.
   
2. Virtual machines will hold a lot of valuable data - In a corporate environment, any host may be source of a wealth of information. Once inside, a good attacker will seize the opportunity to attack a virtual machine.
   
3. Do not make too much noise - assume that sensors are all over the place and that someone is reading through the logs. This rule also applies to attacking physical machines
4. Choose test/training platforms - these are usually on LAN segments where there are much less sensors

Conclusion
This enviroment description should be a guideline for security personnel to properly secure their virtualization environment:

• Patch everything - this is a well known rule, but one that is still often forgotten. When patching, incude test and experimental platforms.
  
• Do not expose test applications executing on a Virtual Machine to open internet - Simply, never risk the possibility of someone exploiting a web app vulnerability to gain access to your Virtualization infrastructure. If you must expose such a test platform the open internet, treat the entire VM Host and all guests as hostiles/honeypots and isolate the rest of the network from them.
  
• Do not mix production and test on the same VM Host unless you have isolated them at every level - especially network level.
  
• Isolate the VM test environments in network isolation layers. - Even if someone gains access to the network, he/she should have very difficult time exploiting a VM host, simply by not being able to reach it. Test environments should be self-sufficient - all test servers, test clients and supporting systems should be in the isolated block. Minimal services should be exposed to the rest of the organization, so that remote scanning shows nothing to the attacker.
  

Talkback and comments are most welcome

Related posts
Hacking Virtual Machines Part 1 - Sniffing
DHCP Security - The most overlooked service on the network

Virtualization is considered to be the new renaissance in computing. Suddenly, all those over sized servers are put to great use by putting multiple Guest OS's on them. But running IT services in a virtualized environment brings a whole host of new opportunities for hackers.

We will discuss the opportunities in this series of articles, with uncreative title "Hacking Virtual Machines".

Sniffing attack
By definition, a virtualization host will have several Guest OS systems running. Possibly, these systems will have a different purpose, and different levels of patching and functional configuration. The Guest OS systems should be perfectly isolated between each other and not access the same resource at the same time.

But most virtualization implementations collide on this rule at the network level. It is quite common that all Guest OS systems are accessing the LAN via one Network Adapter. And not many implementations of Virtual servers have configured virtual VLans.


All this means that if one virtual machine starts a sniffer - putting the adapter in a promiscuous mode - it is quite possible to sniff traffic from the other virtual machines, and collect all sorts of interesting information.

The sniffing attack is a second phase attack, after the first virtual machine has been compromised.

The following video presents an actual compromised VMware Guest is used for sniffing the LAN and capturing the data of a second VMware Guest on the same Host.

The sniffing target is a web server, running the Hacmebank web application. The sniffing easily captures authenticaiton process, as well as money transfer transactions



Talkback and comments are most welcome

Related posts
Checking web site security - the quick approach
Example - Bypassing WiFi MAC Address Restriction
DHCP Security - The most overlooked service on the network

Microsoft cannot stress enough the importance of keeping your systems patched. And yet, server systems tend to drift from best practice, for several reasons

• The patch may fail the application that the server is running
• The patch will require reboot, which may cause unwanted downtime
• It's simply a hassle

But non-patched systems are a great target for an attacker. Even if the attacker doesn't gain permanent access to the network, he/she can cause nasty Denial of Service (DoS) on an unpatched server.
Here is the attack scenario

We will use a Windows 2008 target for this demonstration. The Win2008 is a good example because even if it was released in 2008, and we now have the R2 version, a lot of companies are just starting to implement it.

The attack is based on two well known vulnerabilities of Win2008 based on SRV2.SYS driver. In Metasploit, these exploits are know as:

• ms_09_050_smb2_negotiate_pidhigh
• ms_09_050_smb2_session_logoff

Both are Denial of Service type of attacks, so we'll use them without a payload.

To use these exploits, just fire up the msfconsole and type

msf > use exploit auxiliary/dos/windows/smb/ms_09_050_smb2_negotiate_pidhigh
msf auxiliary(ms_09_050_smb2_negotiate_pidhigh) > set rhost (Target IP address)
msf auxiliary(ms_09_050_smb2_negotiate_pidhigh) > exploit

You can do the same with the second exploit.

Here is the end result from a Metasploit command line point of view.


And here is the end result from a Windows 2008 Console point of view


Conclusion
Although this is just a demo type of exploit, it provides an excellent example of what happens to an unpatched server. Imagine that this was the web server running your Web Site. Now go and patch your systems :)

Talkback and comments are most welcome

During everyday work our computers collect all kinds of information: E-mail is received, browser history is recorded, files are created. In all this exchange, a significant amount of sensitive data can be collected, even without intervention of the user (CC in e-mails).

Most of this data is not of much daily use to a user, and is in fact a liability. It is a very good practice to check what information has the computer gathered over the course of the daily work, and clean out the unnecessary sensitive data.

The definition

First, let's define sensitive data. University of California defines sensitive data as

Information for which access or disclosure may be assigned some degree of sensitivity, and therefore, for which some degree of protection or access restriction may be warranted. Unauthorized access to or disclosure of information in this category could result in a serious adverse effect, cause financial loss, cause damage to the reputation, constitute an unwarranted invasion of privacy

The test

Everyone's first reaction is: 'This can't happen to me!'. It is well known that a lot of computers get sold with huge amounts of sensitive data still on them. So we performed a simple test: We ran the tools on the laptop of a university assistant professor. These are the results:

• 3 of his credit card numbers were saved in the browser history
• 7 e-mails containing lists of students social security numbers were discovered in e-mails from Student Services where the user was placed in CC, and only briefly read.
• 4 files with home addresses of project team members and partners were discovered, from a project that has ended 2 years ago.
  

Anyone making the check will be very unpleasantly surprised at the amount of sensitive data on their computers

The tools

This definition makes a great point: If you don't work with it, remove it! To ensure that your computer is free of sensitive data you can use several tools to locate possible sensitive data. Bear in mind that no tool can determine conclusively what is or is not sensitive data, but automated tolls are great in sifting through gigabytes of information to locate patterns of data that resemble sensitive data.

We have compiled a list of 3 tools that can help you in discovering potential sensitive data on your computer. The tools are ordered in alphabetical order and each is presented with it's own pros and cons.

Identity Finder

• Commercial application that can be used to find sensitive data, as well as providing other functions such as protection of identified files.
  
• Pro: Apart from standard credit card numbers or SSN, it also searches for the string password: and thus can find a lot of cleartext stored passwords. It is quite efficient in it's search and offers quick solutions, like destruction of identified files with sensitive data, or protecting data. It is also capable of searching Outlook PST files. The enterprise version apparently works with web sites, but Shortinfosec was not able to test this functionality
• Con: It is a commercial application, so you need to pay for it :)

senf

• A simple Credit Card Number and Social Security Number search tool from the University of Texas designed to look for Social Security Numbers and Credit Cards.
• Pro: Nearly no configuration effort, just start it and send it searching.
• Con: Not useful for anything except SSN and Credit Card Numbers.

Spider

• A very good open source tool for finding sensitive data.

  

• Pro: Allows great flexibility of searches and is quite near the range of a commercial application. Although not as easy to use as a commercial counterpart, since it supports search for regular expressions, you can search for nearly anything. It is of searching Outlook PST files. Also, it is capable of searching web sites, which functions quite well.
  
• Con: you need to know regular expressions to make the most of it, and the presentation of results is not very clear, especially in Outlook PST files
  

Conclusion
The sensitive data scanners are a very useful set of tools. Although they are all plagued with huge numbers of false positives, they also find the really nasty forgotten sets of data which everyone will be better off without.
So, a periodic scan for left over sensitive data is a very good practice to maintain security of your computer. This is even more true for enterprises, where this check-up should become part of the regular security awareness program and security check of corporate computers. A home user can achieve excellent results with open source tools, but for enterprises which require centralized management and reporting, a commercial solution may be an option.

Talkback and comments are most welcome

Related posts
5 rules to Protecting Information on your Laptop

I decided to search out a good web fuzzer for some testing needs. I wanted a fuzzer that was capable, customizable and could support my testing. The last thing I wanted was some sort of all-in-one application security scanner (since the false positives can just get ridiculous at times). Nope, all I needed was some automation assistance.

First thing a simple definitio: Fuzzing or Fuzz testing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted.

I came across OWASP's JBroFuzz and think I've found a good match. The tool provides a variety of brute force options and includes some nice graphing and statistics to analyze the information. I was also happy to see some nice documentation so I could quickly get up and running. My only compliant at the moment is that the proxy setup is a little clunky and not-intuitive at first. But again, as long as you follow the guide, it shouldn't be an issue.

When do I plan to use this new found fuzzer?
1. Sites where I don't have source for some reason. This is actually a rarity. If you want someone to assess the security of your web app, you should really give them the source code. Quick aside: if the consultants you select for an assessment aren't asking for source code, an alarm should go off in your head. If they don't do source code analysis, then they aren't doing there job.

2. When a site relies heavily on complex regular expressions for input validation and has weak output encoding. Yes, we can make the argument straight away that this is an issue. But its very powerful to make your case with a working exploit. Otherwise, you are trying to justify a bug fix to an issue that may or may not be currently exploitable. This can be a tough sell if developers are heavily leveraged with feature enhancements, new functionality, upcoming releases, etc.


This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.
The original text is published on ...Application Security...

Talkback and comments are most welcome

Related posts
Skipfish - New Web Security Tool from Google
Tutorial - Using Ratproxy for Web Site Vulnerability Analysis
How To - Malicious Web SIte Analysis Environment
Web Site that is not that easy to hack - Part 1 HOWTO - the bare necessities
Checking web site security - the quick approach

When working on a security assessment, it is always helpful to use an automated tool that compares the key elements to the known best practices, and generates an overview result set.
Among other tools which can be used, Microsoft has released a tool titled Microsoft® Security Assessment Tool.

The assessment of this tool strives to identify the business risk of the organization and the security measures deployed to mitigate risk.
The assessment takes the form of a questionnaire, with Yes/No answers that cover the following areas

• Infrastructure - Infrastructure security collects information on how the networks function, what business processes (internal or external) it supports, how hosts are built and deployed, and how the network are managed and maintained.
  
• Applications - Applications security reviews applications within the organization and assess them from a security and availability standpoint. It examines technologies used within the environment, and reviews the high level procedures an organization can follow to help mitigate application risk
  
• Operations and People - This section reviews those processes within the enterprise governing corporate security policies, Human Resources processes, and employee security awareness and training. It also focuses on dealing with security as it relates to day-to-day operational assignments and role definitions.
  

The resulting comparison to best practices generates a summary report, as well as much more useful detailed report with areas which are lacking in comparison to the best practices. The report contains a lot of suggestions and links to related products and best practices published by Microsoft.


The MS Security Assessment Tool and it's report isn't a replacement for a full blown analysis, nor it can be a used as a one stop shop for a realistic security analysis. When performing a real analysis, an in-depth review of process and technology is needed.
MSAT is just a helpful tool to generate a security posture overview and some automated recommendations, so it is a nice start. For everything else, you will need to bring in expert professionals.


Talkback and comments are most welcome

Related posts
WMI Scanning - Excellent Security Tool
Risk Assessment with Microsoft Threat Assessment & Modeling
Google's Ratproxy Web Security Tool for Windows
Analysis of Windows Security Logs with MS Log Parser
How To - Malicious Web SIte Analysis Environment

Auditing is a one of the major tools used in detecting system intrusions or malicious activity on systems and network. And yet, even in the 'secure by design' incarnation - Windows 7, the Microsoft Client OS log event entries in the security log out of the box.

So here is another reminder on how to enable auditing on your system.To enable auditing on a computer running Windows 7, use the same old approach used in every standalone Windows OS starting from Windows 2000 Pro:

1. Open the Control Panel.
2. In Control Panel, double-click Administrative Tools, and then click Local Security Policy.
3. In Local Security Settings, double-click Local Policies, double-click Audit Policy, and then click the events that you want to audit.

We recommend that you audit the following events with the types of audited events specified in the parentheses:

• Audit account logon events (Success, Failure) - This setting determines whether the OS audits each time this computer validates an account’s credentials.
  
• Audit account management (Success, Failure) - This setting determines whether to audit each event of account management on a computer.
  
• Audit directory service access (Failure) - This setting determines whether the OS audits user attempts to access Active Directory objects.
  
• Audit logon events (Success, Failure) - This setting determines whether the OS audits each instance of a user attempting to log on to or to log off to this computer.
  
• Audit object access (Failure) - This setting determines whether the OS audits user attempts to access non-Active Directory objects.
  
• Audit policy change (Success, Failure) - This setting determines whether the OS audits each instance of attempts to change user rights assignment policy, audit policy, account policy, or trust policy.
  
• Audit system events (Success, Failure) - This setting determines whether the OS audits any of the following events: Attempted system time change; Attempted security system startup or shutdown; Attempt to load extensible authentication components; Loss of audited events due to auditing system failure; Security log size exceeding a configurable warning threshold level.
  

To view the resulting audit events, start Event Viewer and choose Windows Logs -> Security.


Talkback and comments are most welcome

Related posts
5 rules to Protecting Information on your Laptop
TrueCrypt Full Disk Encryption Review
5 Minute Security Assessment

We have mentioned our favorite vulnerability scanning tools in this blog. But a lot of time has passed since, so it is time to put these tools against each other and evaluate the quality of the results received when scanning the same target.
UPDATE: After the constructive input from Michael A. in the comments, we have reworked the test for Nessus, to achieve more comparable results.


The Test Environment
The tested vulnerability scanning tools were installed on a Windows 7 Pro PC.

• Nessus server and client were installed and updated to the latest plugins.
• Retina 5.10.18.2135 Evaluation version was downloaded and installed. The Evaluation version does not allow updates, so we used what updates are included in the build.

The target was Damn Vulnerable Linux (DVL) version 1.5 installed as a VMWARE host with bridged networking on the same host PC as the vulnerability scanning tools. The network of the DVL target was bridged, and all firewalls (both of the host OS and the guest OS) were disabled. The DVL was started with the following services, with default settings and content as included in the distro.

• MySQL
• HTTP
• IPP Printer sharing which was active by default
  

The Scanning Process
Both scanners were started with setting on full port scan, with disabled safety of scanning, and all available plugins were activated. NOTE: Since Retina does not have WebApplication Analysis, Nessus was run twice, once with WebApplications disabled, and once with WebApplication enabled in order to do a meaningful performance comparison.
Performance

• The Nessus scanner without WebApplication scan took 8 minutes to complete the scan
• The Nessus scanner with WebApplication scan took 67 minutes to complete the scan
• The Retina scanner took 38 minutes to complete the scan

Results

• Both scanners failed to identify the target operating system
  

• The Nessus scanner identified the expected open ports, concluded that MySQL does not accept connections from unauthorized IP's. On a repeat scan, it regenerated the same results.
  
• You can download the full report of the Nessus Scan Here
  
• The Retina scanner identified HTTP and TCP port 631 (IPP Printer Sharing). It did not identify the MySQL port as open. On the Web server, it identified a significant number of vulnerabilites, but did not collect any information from the HTTP server. On a repeat scan it missed the HTTP port and only identified the MySQL port.
  
• You can download the full report of the Retina Scan Here
• The Nessus Scanner running the WebApplication Scanning repeated the previous results and additionally it identified a significant number of WebApp vulnerabilites, and collected information from HTTP through web mirroring.
• You can download the full report of the Nessus Scan with WebApplication Scanning Here

Conclusions
Both scanners performed a very well vulnerability identification but missed the OS identification. Also, both manifested flaws:

1. Nessus missed the IPP port every time
2. Retina manifested erroneous scan results, identifying different ports and vulnerabilities during different sessions - while no configuration changes were made to the test environment.

In terms of speed, without WebApplication Scan Nessus performed much faster then Retina. On the other hand, with active WebApplication Scan, Nessus was much slower then Retina.
In terms of scan depth, Nessus has a small advantage, since it includes a web mirroring tool that is very helpful in HTTP.

It can be clearly concluded that these tools cannot be used as the sole source of information when performing a vulnerability test. One must also utilize network mapping (NMAP, LanGuard), OS identification (NMAP) and specific application vulnerability scanners (ParosProxy, WebScarab for Web) for maximum effect.

In a direct comparison, Nessus wins because

1. Retina manifested erroneous results on repeat scans,
   
2. The Nessus package includes a WebApplication scanning module, which in eEye products needs to be purchased as a separate application

Talkback and comments are most welcome

Related posts
System Hardening Process Checklist
Web Site that is not Easy to hack - Part 2 HOWTO - the web site attacks
Checking web site security - the quick approach

Our Microsoft Baseline Security Analyzer scanner has just reported that a new version (2.1.1) is available. It can be downloaded from the following URL
http://www.microsoft.com/downloads/details.aspx?FamilyID=b1e76bbe-71df-41e8-8b52-c871d012ba78&displaylang=en


We were disappointed to see that the 2.1 version did not work properly on Windows 7 - it just reported that the computer is not a Windows NT/2000/XP/2003 computer.

The 2.1.1 does not provide any new major functionality, but now it is fully compatible with the current version of Windows.

You can download the baseline that we did on our demo Windows 7 laptop here

Talkback and comments are most welcome

Related posts
Windows 7 Full Disk Encryption with Truecrypt
WMI Scanning - Excellent Security Tool
Example - Bypassing WiFi MAC Address Restriction

After the TrueCrypt Full Disk Encryption Review and the 5 rules to Protecting Information on your Laptop, we are following up with a practical test of full disk encryption of Windows 7.

Shortinfosec is a great promoter of full disk encryption of laptop hard drives, and we have been using Windows 7 for several months now. On 21 Oct 2009, Truecrypt published the version 6.3 which has full support for Windows 7. Of course, why go for an open source product instead of the native BitLocker? Well, Microsoft with it's product strategy includes BitLocker only in Ultimate and Enterprise versions of Windows 7!

Can someone say 'huge security misstep' - especially for the Windows 7 Pro users?

Encryption
Naturally, Shortinfosec started with a full disk encryption test on a laptop. The laptop has the following configuration.

• 2.1 Ghz Core2Duo CPU
• 3 GB of RAM
  
• 320 GB of disk drive
• NVIDIA graphics
• Windows 7 Pro 32 bit operating system

The process is the same as already described in TrueCrypt Full Disk Encryption Review. The installation of the TrueCrypt is so generic that even the most inexperienced users should have no problems whatsoever.

The actual encryption is lasts between 6-7 hours. After it finishes, you have an encrypted system drive. If absolutely necessary, you may even use the computer while the drive is being encrypted, but you won't be very productive.

Performance test
The laptop had a passmark test run before and after the encryption. We focused on CPU and HDD performance, since these areas are impacted when using an encrypted file system.

The test results are presented on the following screenshots. The overall performance of the Test Laptop is marginally better for the non-encrypted disk clone. The disk drive is most impacted on the random read/write test.

The results in red color are before the encryption
The results in green color are after the encryption



Conclusion
Encrypting the entire hard drive of Windows 7 may not seem to be a natural choice, but the product strategy of MS opens up an opportunity for products like Truecrypt.

Encrypting the entire hard drive will cause performance reduction of the disk subsystem, but the performance reduction on our system is so minute that it is just ignored by everyone.

Talkback and comments are most welcome

Related posts

Cracking a TrueCrypt Container
TrueCrypt Full Disk Encryption Review
Tutorial - Hidden Operating System with Truecrypt
Tutorial - A Poor Man's Secure USB

A recent study confirmed the long known fact - any employee that is being fired will try to steal something from his now ex-employer.

While 20 years ago one the companies had to worry about stolen petty cash or office supplies, today such items are not the target of the disgruntled ex-employee. Instead, especially in IT companies the laid off employee will try to:

1. steal corporate information or documents
   
2. steal confidential data,
   
3. create some form of flaw in the system that will hurt his ex-employer
4. all of the above
   

When dismissing a single employee one can make provisions so that no damage is done - locking out his accounts, security guard being present when clearing the desk etc.

Performing the same amount of diligence when laying off hundreds or thousands of employees is much more difficult. For example, Nortel announced that they'll be laying off more then 3,200 employees. So while HR departments do the headcount and select the redundant, there will be a window of several days to several weeks for a lot of insecure employees to become instant corporate spies undercover system vandals, or a combination of both.

Corporations will soon find that the only defense against such employees is the currently implemented system security and procedures, which will deter any attempts to steal information or assets undetected. And only now will they find out that all the cost cutting on audit systems and data encryption and information protection was not worth the saved amount.

So, what piece of information will get stolen next?

Talkback and comments are most welcome

Related posts
6 steps to securing your backup media
8 Tips for Securing from the Security experts
Be Aware of Security Risks of USB Flash Drives

Starting from version 6, Truecrypt boasts an interesting function- creation of a hidden operating system. With this article we walk through the process of creating the hidden OS and analyze the possible uses of such a solution.

The concept
The basic idea of the hidden OS is to have two operating systems on the PC

• the decoy (the visible one) - an OS that is visible to an outsider and actually contains no sensitive data, so it can be safely opened up to external personnel (investigators, customs officers etc)
• the outer volume - a container partition where the hidden OS resides. It can contain some decoy confidential files. The idea of the outer volume is to explain the existence of a seemingly unformatted partition, since it can be mounted from within the decoy OS to show the decoy confidential files.
  
• the hidden one - non-existent at first glance and created within an encrypted partition, which can hold sensitive data and should not be reported to external personnel.

The process
The process of creating the hidden OS is quite simple but takes time

1. Create an outer container of the hidden OS
2. Create an inner container and image the running OS into a hidden OS
3. Re-create the visible (decoy) OS
   

A prerequisite to the process is having an empty partition (must be the one immediately behind the system system) at least 5% larger then the system partition.


After that, it boils down to following the on-screen instructions and waiting (the encryption and copying can take some time)




The final element of the process is the destruction of the original OS partition - don't worry, it has been entirely copied to the hidden volume. After that comes the only manual part of the process - the user must install the decoy operating system from scratch, and encrypt it's partition.



Usability of the solution
Apart from proving the concept, it does work without any glitches, how effective is it?

1. Using a hidden OS with plausible deniability- The entire concept as presented within the TrueCrypt software should enable the user to claim that he has divulged all passwords for all operating systems/partitions on the computer. This is disputable to say the least, since any analysis will show a second partition with seemingly random data on it, which is a nice giveaway that there is something hidden there. In most cases where a person is under investigation the investigators will press to gain access to any partitions on the computer.
• This hiding methodology is public, so even if the existence of the hidden OS is not divulged, the investigators can destroy the hidden OS by filling the outer container with dummy files just to be on the safe side.
• 
2. Using a hidden OS as a dual function computer - a much more useful case of the Truecrypt hidden OS, it can be used to create a mobile computer. The hidden OS should be used for corporate functions. For field use or use in an insecure environment, the decoy OS should be used, which cannot access the encrypted volume and which should not have any corporate or confidential data on it.
   

Talkback and comments are most welcome

Related posts
Cracking a TrueCrypt Container
TrueCrypt Full Disk Encryption Review
Tutorial - A Poor Man's Secure USB
Creating secure CD/DVD media for transport usingTruecrypt