Strict Transport Security is a great solution to protecting against Firesheep

Now ultimately the vulnerable website is supposed to fix this issue on their side. But, let's not wait around for them. Let's fix it on our side and protect our traffic now.

Step 1: Grab a browser that supports Strict Transport Security (Firefox 4 & Google Chrome both support STS)
Step 2: Install an addon that lets you add specific STS settings - STS-UI
Step 3: Configure STS-UI for the sites you're concerned about
Step 4: Be happy your data is more secure. However, securely transmitting data is only one piece of the security pie. But at least you're good in that department.

Configuring STS-UI
Go to tools->Manager Strict Transport Security

Enter the domain name of each site you wish to protect (e.g. force Strict Transport Security upon the site). For example enter "facebook.com" and select "Force subdomains too"

After adding facebook.com and twitter.com it should look like this

Done. Now you will always be using HTTPS for data exchanged between twitter or facebook.

Remember, this only protects you against sites that are either already using STS or sites that you have manually added. This really isn't a scalable approach since xyz.com could be vulnerable and you wouldn't know unless you inspected the traffic going back and forth.

For those that have access to company VPNs or SSH tunnels for their traffic, I'd recommend you also use those when accessing the network from a wireless hotspot. A VPN doesn't solve the problem, but it does remove access from the likely attackers (e.g. other random users of the wireless hotspot).

This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.
The original text is published on ...Application Security...


Talkback and comments are most welcome

Related posts
Stealing Twitter and Facebook Account - a Video Example
Corporate Guest WLAN - The best place for Eavesdropping to Interesting Traffic
5 Rules to Home Wi-Fi Security
Example - Bypassing WiFi MAC Address Restriction
Obtaining a valid MAC address to bypass WiFi MAC Restriction

WiFi security is looking grimmer then ever :)
Shortinfosec has discussed that guest or free WiFi is very open for collecting of interesting information. But you still needed to capture raw IP traffic, and sift through it in order to gain access to useful information.

From a couple of months ago, things became even easier. Eric Butler created the firesheep extension for Firefox. The extension was created as a demonstration of the security risk to users of web sites that only encrypt the login process and not the cookie created during the login process.

Firesheep filters through the captured traffic and collect unencrypted session cookies that 'fly' over the network. With firesheep, the potential attacker does not need to filter through anything - identities simply appear in the firesheep console.

Shortinfosec has performed a test capture on a free WiFi network - a mall. The capture of useful information takes a long time - we managed to capture 1 facebook and 1 twitter account in more then 4 hours. But for a dedicated attacker, whis period can be much longer.

Here is a brief video of the captured identities and opened in the same browser.

Talkback and comments are most welcome

Related posts

Corporate Guest WLAN - The best place for Eavesdropping to Interesting Traffic
5 Rules to Home Wi-Fi Security
Example - Bypassing WiFi MAC Address Restriction
Obtaining a valid MAC address to bypass WiFi MAC Restriction

Virtualization is considered to be the new renaissance in computing. Suddenly, all those over sized servers are put to great use by putting multiple Guest OS's on them. But running IT services in a virtualized environment brings a whole host of new opportunities for hackers.

In this article, we'll review the environment in which Virtualization lives, and which targets will yield most benefits for an attacker:

The environment

1. Virtualization for production use is not a home tool - Virtualization is usually used by organizations of 500 employees or more. Smaller organizations also use it to create multiple environments on single hardware platforms. But smaller organizations are prone to make the classic mistake of mixing development and production platforms on same hardware.
   
2. Virtualization platforms can be under scrutiny of several security sensors - Corporations, as common users of virtualization also use a whole bunch of security devices. It is very common that the attack on virtual servers will be or at least logged by Intrusion Detection Systems, pattern matching logic on firewalls and log analysis systems.
   
3. It is rarely possible to initially plan for an attack on virtualization - In the information gathering and reconnaissance phase it is quite difficult to detect that some systems are virtualization platforms or virtual machines. You can confirm that there is virtualization only after you penetrate the perimeter and are able to scan for MAC addresses or specific signatures on the virtual hosts.
   

Targets of choice

The best virtualization attack targets, in order of preference are:

1. Training platforms - These platforms are created by the 'Let's see if I can do this' philosophy. They are notoriously unpatched, since nobody bothers to patch them - they are expendable. These platforms have a tendency of urgently becoming production platforms in times of need - resources are needed and these are available. But then, they remain unpatched for quite some time.
   
2. Test and development platforms - These platforms have a much better security posture then training platforms. But still, they are usually lagging behind production on patch levels. Also, test and development platforms are very good targets because they are full of production grade or near-production grade of data.
   
3. Mixed test and production platforms - Both production and test versions of applications with lower processing requirements can be placed on the same VM Host. But unless they are isolated to different VLANS or on separate physical network adapters, the test platform can be exploited and used to attack the production.
   
4. Proof of concept platforms - These platforms are usually outward facing platforms, like web servers that contain demo code or proof of concept code used for customer evaluations or marketing purposes. These platforms are usually compromised by a flaw in the web applications, and in a well maintained environment should be in an untrusted DMZ.

Attack guidelines

With this description of the environment, an attacker can prepare him/herself for attack on virtualization:

1. Virtual machines are targets of opportunity - Virtual machines are not advertised. They can be detected only after the initial penetration. In such a case, the attack should be re-planned to possibly compromise the virtualization platforms.
   
2. Virtual machines will hold a lot of valuable data - In a corporate environment, any host may be source of a wealth of information. Once inside, a good attacker will seize the opportunity to attack a virtual machine.
   
3. Do not make too much noise - assume that sensors are all over the place and that someone is reading through the logs. This rule also applies to attacking physical machines
4. Choose test/training platforms - these are usually on LAN segments where there are much less sensors

Conclusion
This enviroment description should be a guideline for security personnel to properly secure their virtualization environment:

• Patch everything - this is a well known rule, but one that is still often forgotten. When patching, incude test and experimental platforms.
  
• Do not expose test applications executing on a Virtual Machine to open internet - Simply, never risk the possibility of someone exploiting a web app vulnerability to gain access to your Virtualization infrastructure. If you must expose such a test platform the open internet, treat the entire VM Host and all guests as hostiles/honeypots and isolate the rest of the network from them.
  
• Do not mix production and test on the same VM Host unless you have isolated them at every level - especially network level.
  
• Isolate the VM test environments in network isolation layers. - Even if someone gains access to the network, he/she should have very difficult time exploiting a VM host, simply by not being able to reach it. Test environments should be self-sufficient - all test servers, test clients and supporting systems should be in the isolated block. Minimal services should be exposed to the rest of the organization, so that remote scanning shows nothing to the attacker.
  

Talkback and comments are most welcome

Related posts
Hacking Virtual Machines Part 1 - Sniffing
DHCP Security - The most overlooked service on the network

Virtualization is considered to be the new renaissance in computing. Suddenly, all those over sized servers are put to great use by putting multiple Guest OS's on them. But running IT services in a virtualized environment brings a whole host of new opportunities for hackers.

We will discuss the opportunities in this series of articles, with uncreative title "Hacking Virtual Machines".

Sniffing attack
By definition, a virtualization host will have several Guest OS systems running. Possibly, these systems will have a different purpose, and different levels of patching and functional configuration. The Guest OS systems should be perfectly isolated between each other and not access the same resource at the same time.

But most virtualization implementations collide on this rule at the network level. It is quite common that all Guest OS systems are accessing the LAN via one Network Adapter. And not many implementations of Virtual servers have configured virtual VLans.


All this means that if one virtual machine starts a sniffer - putting the adapter in a promiscuous mode - it is quite possible to sniff traffic from the other virtual machines, and collect all sorts of interesting information.

The sniffing attack is a second phase attack, after the first virtual machine has been compromised.

The following video presents an actual compromised VMware Guest is used for sniffing the LAN and capturing the data of a second VMware Guest on the same Host.

The sniffing target is a web server, running the Hacmebank web application. The sniffing easily captures authenticaiton process, as well as money transfer transactions



Talkback and comments are most welcome

Related posts
Checking web site security - the quick approach
Example - Bypassing WiFi MAC Address Restriction
DHCP Security - The most overlooked service on the network

Having an accurate depiction of your network is a fundamental prerequisite to being able to successfully handle system management, troubleshooting and growth. With the advent of network mapping tools, this process has become more simplified.

At the dawn of computer networking, interconnected systems were often contained to a building, if not a single room. But today's corporate networks span cities, countries, and the globe. This complexity has made network management an increasingly difficult task.


There are three techniques that are used to gather network information:

• SNMP – data is retrieved from routers and switches
• Active – probes an IP address range using trace route type functionality
• Route – analyze routing protocols

Measurable improvements have been noted in the time it takes to perform network management tasks. You can easily track inventory, monitor host uptime and downtime, services, applications and a myriad of other options. In addition, administrators can better understand the relationship between devices and the transport layers that connect them. This aids in faster identification of potential network issues.

Network maps are also an excellent security tool, as they are able to provide a snapshot of who is connected to wired or wireless networks at any given moment. If a map reveals a suspicious connection or IP address, it can be monitored or disconnected. Mapping views are customizable, providing as much or as little information as you need.

It should be noted that network mapping is most effective when it isn't viewed as a onetime task. The dynamic nature of networks, demand this to be an ongoing, periodic activity. As systems change, software or operating systems updated, a new map will need to be created to reflect the changes. Some organizations employ a weekly schedule, others, more often. While frequency will largely depend on the size and complexity of your network, developing a consistent schedule is what's most important.

This guest post was provided by Veronica Henry on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information about GFI network auditing software can be found at http://www.gfi.com/lannetscan/network-auditing-software.htm


Talkback and comments are most welcome


Related posts
DHCP Security - The most overlooked service on the network
Example - Bypassing WiFi MAC Address Restriction
Obtaining a valid MAC address to bypass WiFi MAC Restriction

"That’s vulnerable to a man in the middle attack!"

You've probably heard this before, but let’s dive into the details of this attack and understand exactly how it works.

Definition
First, a quick definition, a man in the middle (MitM) attack is an attack where the communication which is exchanged between two users is surreptitiously monitored and possibly modified by a third, unauthorized, party. In addition, this third party will be performing this attack in real time (i.e stealing logs or reviewing captured traffic at a later time would not qualify as a MitM)



While a MitM could be performed against any protocol or communication, we will discuss it in relation to HTTP traffic in just a bit.

Requirements for Attack
A MitM attack can be performed in two different ways:

1. The attacker is in control of a router along the normal point of traffic communication between the victim and the server the victim is communicating with.
2. The attacker is located on the same broadcast domain (e.g. subnet) as the victim.
3. The attacker is located on the same broadcast domain (e.g. subnet) as any of the routing devices used by the victim to route traffic.

We will discuss 2. This is a likely attack that can be used against your neighbors or the person sitting next to you at a coffee house.

The Attack
A MitM attack will take advantages of weaknesses in network communication protocols in order to convince a host that traffic should be routed through the attacker instead of through the normal router. In essence, the attacker is advertising that they are the router and the client should update their routing records appropriately. This attack is called ARP spoofing.
The (greatly simplified) purpose of ARP (Address Resolution Protocol) is to enable IP address to MAC address translations for hosts. This is required so that the packet can reach their final destined host.

By design, ARP does not contain authentication. Therefore, any host can reply to an ARP request or send an unsolicited ARP response to a specific host. These ARP response messages are used by the attacker to instruct the victim’s machine that the appropriate MAC address for a given IP address is now the MAC address of the attacker’s machine. More specifically, the attacker is instructing the victim to overwrite their ARP cache for the IP->MAC entry for the router. Now, the IP address for the router will correspond to the MAC address for the attacker’s machine.

What does this mean? Now, all of the victim’s traffic will be routed through the attacker. Of course, we don’t stop here. In order to allow the traffic to reach the Internet, the attacker must configure his system (or attack tool) to also forward this traffic to the original router. In addition, the attacker performs a similar ARP spoofing attack against the router. This way the router knows to send traffic, that was destined for the victim machine, to our attacker instead. The attacker then forwards on the traffic to the victim. This completes the “chain” and places the attacker “in the middle” of the communication.

Impacts on HTTP

At this point, the attacker has the ability to view and modify any TCP traffic sent to or from the victim machine. HTTP traffic is unencrypted and contains no authentication. Therefore, all HTTP traffic can be trivially monitored/modified by the attacker.

What about HTTPS?

Everything we have talked about thus far is related to getting in the middle of the network communications. This enables the attacker to view most exchanged data, but does not enable the attacker to intercept data exchanged of protocols that implement their own authentication and encryption (e.g. SSH, SSL/TLS)
But, this is where the fun starts. The purpose of HTTPS is to create a secure communication over top of HTTP by the use of SSL or TLS. On its own SSL/TLS can be very effective and secure. However, there are significant problems in the implementation of SSL/TLS which effectively renders it useless. In addition, the browsers handling of SSL/TLS can lead to issues when both HTTPS and HTTP sites are visited by the user.

More devious means are needed to perform a MitM against SSL/TLS. At this point the attacker could attempt to intercept HTTPS traffic by using a custom certificate. This would present a certificate warning message in the user’s browser and likely alert the user to the attack. Luckily for the attacker, most users would ignore the warning and continue – thus exposing all of their data.

Alternatively, the attacker could try and use tools such as SSLstrip to leverage poor application design with regards to SSL/TLS. This could also enable the attacker to obtain the victim’s password over clear text HTTP.


How concerned should you be?

The attack scenario described in 2a can be performed by any user on the same broadcast domain as your machine. This means that anyone sitting in the same coffee house on the wireless network could be an attacker. Also, if you connect directly to your Comcast/RoadRunner/ATT/whatever home connection, then many of your neighbors could also perform this attack against you. And if you use a home router instead of directly plugging the connection into your machine - well, then the attack is still possible via 2b (essentially the same attack).

Really the only reason this isn’t a bigger deal is because of the requirement to be on the same subnet. Right now we have so many other issues, such as XSS, SQL injection, etc, which can all be exploited remotely by attackers. The attackers just sit in their remote locations and destroy web sites from a far. However, the point is this, if an attacker wants to steal YOUR specific bank data then all they need to do is sit next to you at a coffee house or sign up for Internet service in your area.

This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.

The original text is published on ...Application Security...

Talkback and comments are most welcome

Related posts
How To - Malicious Web SIte Analysis Environment
Security Information Gathering - Brief Example
DHCP Security - The most overlooked service on the network
Example - Bypassing WiFi MAC Address Restriction

Vulnerability and Compliance Management as Software as a Service (SaaS) are springing up like mushrooms. The SaaS model enabled companies which focused on vulnerability management to extend their reach, and offer the services to more and more potential clients.
Most companies in this market name their SaaS service the "on-demand solutions for security risk and compliance management".


The players
Here is the list of potential vendors that you should look at, in no particular order:

• Random Storm
  
• OutPost24
  
• McAfee
• Tipping Point
  
• Qualys

Bear in mind that this list does not include all relevant vendors, so you may want to extend your search. But it's a representative sample that will help you to review what is the offering of the competition.

The offering
The services are usually delivered as a dedicated Black Box appliances that are placed within your infrastructure. They perform the scanning or IPS/IDS, but the results are then sent to the 'cloud' where reports are generated. Most companies are offering the usual set of services:

• Vulnerability Scanning - the basic offer of vulnerability scanning, with more or less success but definitely comparable to your local vulnerability scanner.
  
• PCI DSS Scanning - Payment Card Industry Data Security Standard (PCI DSS) was the important 'differentiators' of the SaaS vulnerability scanning. PCI DSS requires for a scan that is certified by the PCI group and performed by a certified company. So the SaaS Vulnerability Management companies got certified and created the PCI DSS scans. But for all everyday intents and purposes, your local vulnerability scanners have the same PCI DSS scans - all you need is to commission the scan 4 times a year for the PCI DSS audit
• Managed Intrusion Detection/Prevention - much like the vulnerability scanning, this is more or less what your local IPS/IDS does, only the results go out and get analyzed and compared in the cloud.
  
• Reporting and Fix Tracking - this element may be one of the differentiators, but local vulnerability scanners are catching up. In a SaaS solution, all results are kept as reports, and you can easily create comparative baseline reports, or even assign tasks to persons for fixing some vulnerabilities. The system will automatically send reminder e-mails to those persons and re-scan after the configured deadline for fixing.
  

Vulnerability Management - Local or Managed?
In conclusion, both the local and the managed solutions are living quite well at the moment. And function wise they are comparable. So which one to go for?

• The local solution can easily be reconfigured and directed at different targets. It us very flexible and because it is usually installed on a laptop, very portable. It is an excellent choice for anyone that needs to perform scans from different positions in the corporate network. This would include IT security teams, penetration testers, external auditors and consultants .
• The managed (SaaS) solution is stationary, fixed and quite cumbersome to move around. It usually lives in the data center as a black box probe, or in the manager service provider as an external scan. It can be configured with the required targets, scheduled to run at regular intervals and perform regular controls. It is a good choice for internal auditors, security officers and compliance officers - no need for maintenance, it is all handled by the managed service provider.
  
• Calculate the optimal price/performance - the SaaS versions are usually as yearly subscription charged per number of IP addresses to scan. This price may be quite significant, and you are fixed to the block of IP addresses. On the other hand, the local scanners require a hardware to run on, and you still pay a subscription for the updates of vulnerabilities. So you need to calculate your optimal cost based on your requirements and expectations.
  

Talkback and comments are most welcome

Related posts
Nessus vs Retina - Vulnerability Scanning Tools Evaluation
NeXpose Community Edition - Our First Look
Tutorial - Using Ratproxy for Web Site Vulnerability Analysis

If you are using any sort of IP based filtering within your application, then you need to evaluate how IP spoofing attacks affect your security controls. In order to make a fair evaluation you will need a basic understanding of IP spoofing attacks.



Let's look at two different scenarios.

Scenario #1 Attacker wants to spoof an arbitrary IP address and the attacker is not on the same subnet (broadcast domain) as the targeted IP address. Example: attacker is 1.2.3.4 and wishing to spoof 4.5.6.7

Scenario #2 Attacker wants to spoof an IP address of someone on his own subnet (broadcast domain). Example: attacker is 192.168.1.55 and wishing to spoof 192.168.1.58 (assuming subnet of 255.255.255.0)


Scenario #1

The attacker can create forged TCP packets and modifies the source IP address to be any value. One tool that can do this is HPING2.

What can you do:

• Send an initial TCP packet with any source IP address
• Send a series of UDP packets with any source IP address
• Send a series of unrelated TCP packets from the same or varying IP addresses

What can't you do:

• Receive any responses to your forged messages. The responses, if sent, would go to the forged IP address.
• Send a string of related TCP packets (e.g. reconstruct an actual TCP exchange). This is because you can't complete the handshake or guess the necessary information to continue the TCP connection.

Scenario #2

The attacker can perform a variety of attacks to forge or take-over the IP address on the same subnet.

Attack Options:

• Simplest - Statically define your IP address to the target IP address
• Switch your MAC address to the MAC address of the current NIC for the target IP address and attempt to assume control of IP
• Execute man in the middle attack via arp spoofing (see tool Cain & Abel) and then gain control of user's unencrypted transmissions. You could likely modify or redirect traffic to accomplish your original spoofing goal.

What can you do:

• Assume control of the IP address. Note: This means you can send/receive valid data using the targeted IP address as your own. It does not grant you access to existing sessions that the user had with any websites (because you don't have the user's session cookies).
  

What can't you do:

• Intercept encrypted (e.g. SSL/TLS) communication destined for the target IP address without alerting the targeted user in some way (browser warning message for MitM invalid certificate).
  

Hope this is helpful. This is by no means an exhaustive list of attack techniques, but something to consider if your are using IP related controls within an application.


This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.
The original text is published on ...Application Security...

Talkback and comments are most welcome

Related posts
DHCP Security - The most overlooked service on the network
Example - Bypassing WiFi MAC Address Restriction
Obtaining a valid MAC address to bypass WiFi MAC Restriction

When pen-testing a corporation, always look for the Guest WLAN. If there is one and you manage to get on it, you are in luck!
Corporate Guest WLANs are a great place to get a lot of interesting and possibly confidential information without much effort. And this is simply because there are a lot of corporate laptops on the same WLAN.

Ofcourse, you'll discuss that the corporate devices have wired access to the internet, which is much more reliable and faster. But also, the wired infrastructure is fully controlled by IT - with web filters, content filters etc. So on the guest WLAN you can easily find the following high-profile targets related to the corporation:

1. corporate laptop holders - usually employees higher in the hierarchy who just got bored from the restrictions of the corporate Internet filters can easily turn on their wi-fi and check the private e-mail, or just download something.
2. corporate guests - most visitors to corporations have WLAN enabled devices, ranging from mobile phones/pda, over netbooks to full blown laptops
3. external contractors - a lot of corporations will isolate external contractors to the guest WLAN for internet access.
   

The following diagram is an example of hunting for interesting targets in the corporate WLAN

The diagram clearly depicts the high concentration of possible high profile targets - marked in red color.

One can always make the argument that the same attack can be made within a Mall, or even in the home networks of those interesting targets. This argument is completely true, but in a Mall your high profile targets are blended in the multitude of the students, casual freebie surfers and even the mall store clerks with their WLAN devices.

And the home environment is even more difficult, because the high profile targets are dispersed all over the city, and you may not know where they reside. So, sniffing the networks one specific high profile target will bring a lot of costs to the attacker.

The following diagram is an example of the difficulties in sniffing for interesting targets in the home or public places WLAN



So, for my money, I'll always prefer to sniff for traffic in the corporate guest WLAN

Talkback and comments are most welcome

Related posts
5 Rules to Home Wi-Fi Security
Example - Bypassing WiFi MAC Address Restriction
Obtaining a valid MAC address to bypass WiFi MAC Restriction
DHCP Security - The most overlooked service on the network

Active Directory within a large organization goes through a lot of changes throughout the day. There are a lot of possibilities for error, creation of accounts with high privileges or missing the disabling task on an employee leaving the company.


Information Security Teams need fast and easily readable auditing, possibly with automation.

The tool
While there are several excellent products that perform this function, auditing of Active Directory can become a costly endeavor. NetWrix has a free version of their Active Directory Change Reporter. It can be installed on any computer that is a member of the domain. Here is a screenshot of the configuration screen:


The process
The auditing is performed by taking a 'snapshot' of the Active Directory Domain state at scheduled intervals. This snapshot is stored in a directory, and can be used to create HTML reports of the changes that happened between two 'snapshots'. There is even an automated reporting which will deliver report on changes to the directory at predefined schedules.

The report clearly displays what objects have been added, removed or modified within the Active Directory Domain. Ofcourse, additional history like who made the change and when can be obtained via the commercial version, but even in the free version it produces a nice set of information.

Here is a screenshot of the report


Conclusion
While the Free version of NetWrix is far in functionality from the big players, it provides an clear and automated reporting. It is a good choice to start with the free version, and prepare for purchasing a commercial tool by learning from it and noting which functionalities you require that this tool does not deliver.

Talkback and comments are most welcome

Related posts
Controlling Firefox Through Active Directory

When embarking on a security evaluation, the first stop for security information gathering is the Internet. Only connecting to the target public servers and DNS yields a wealth of information.
So here is an example what can be learned in a couple of minutes of checkup about a company domain from it's public servers, while NOT DOING ANYTHING ILLEGAL.

• Domain Name Servers (DNS) - Name servers are the first target of every information gathering. Once you know the domain name of a company, you should check it's DNS. Here is what it will give you
  
• The DNS Server provider - by checking who owns the IP you'll know whether it's in-house hosted DNS or outsourced. If it's in-house such a DNS server can be a prime target for inbound attacks, and such servers are less secure simply because the internal IT department is torn between administering all kinds of stuff.
  
• The level of isolation of zone transfers - A zone transfer is a completely legitimate function of a DNS server which is used to feed domain information from the primary server to the secondary servers. If it's open to any outsider, he/she can collect a list of all hosts registered in the domain for possible attack targets. Most zone transfer attempts will fail, but even the way they fail gives an excellent information
  
• Failed with message REFUSED or NOAUTH - you can communicate to the server on the appropriate port (TCP 53) but zone transfer is not allowed. Even so, you can try to attack the server via TCP SYN flood on that port
• Failed with message connection failed - you can't connect to the appropriate port, forget about zone transfers and TCP SYN flood
  
• Mail Exchanger (MX) - Mail exchangers are mail servers specifically dedicated to receiving e-mail for the target company domain. They usually are not the main corporate mail servers, but information from them can be useful to understand what types of adversaries are on the other side if you choose an e-mail vector of attack. And here is the summary of info from the MX
• Mail server provider - by checking who owns the IP you'll know whether it's in-house hosted MX or outsourced. If it's in-house such a MX server can be a good target for inbound attacks.
  
• Mail server banner - the default banner, unless modified gives the information about the server software, so you'll know what you're up against and search for known vulnerabilities.
  
• Web server - the same elements that apply to MX apply here, so we won't repeat them again.
  
• Typical server names - while the generic servers are in scope of the security administrators and usually well secured, a company can have any number of registered servers for testing or internal uses. These servers are in most cases excellent targets for attack, since they are usually 'temporary' and not treated by corporate policies. These server names can include 'www1', 'test', 'dc', 'gc', 'domain', 'mail', 'pop' and the like.
  

Tools of the trade
There are a lot of tools that can help you in information gathering. I have written a small program that will get you started. Here is a screenshot


Also, to check who owns an IP address, you should make good use the whois services of the Internet registries like RIPE, APNIC, AfriNIC, ARIN and LACNIC

Talkback and comments are most welcome

Related posts
Check Your DNS Zone Transfer Status
DHCP Security - The most overlooked service on the network

A corporate computer infrastructure is a large system, and one that is fairly resilient and made to last. After all, there are backup links, redundant servers, replication technologies all over the
place. And yet, there is a way to temporarily incapacitate an entire corporate windows infrastructure with a properly delivered blow, simply because it relies fully on an often ignored service - DNS.

NOTE: This particular post has NOTHING to do with the recent DNS vulnerability craze. The vulnerability just adds another vector of attack, but an attack can be performed even without this vulnerability.

Back to the topic at hand, let's review how many services DEPEND on DNS:

• E-mail service - relies on DNS to deliver e-mail destined for other domains - no DNS, no email sent to anywhere
  
• Corporate applicatons - rely on DNS to resolve application and database server names - no DNS, no core apps
  
• Active Directory - is entirely dependent on DNS, to look-up Global Catalog, register srv records, lookup active directory records. If the DNS is down, even the domain controllers will stop proper operation. - no DNS, big problems in logon and management of windows Active Directory
  
• Network Access Control (NAC) - depends on DNS to discover it's policy and update servers - no DNS, big problems in element authentication

Also, DNS has the following characteristics that make it even more vulnerable

• DNS servers need to be open to all corporate users - All clients need to communicate to the DNS servers, to perform lookups for their services
• DNS servers IP must be known so they can be used - no hiding behind names, DNS servers are published to all clients as IP addresses
• DNS server works with minimal or no maintenance - when was the last time you checked your DNS servers? When was the last time you checked your client's computers to see how DNS is assigned (DHCP, Manual, hard coded)
  

Attack scenario
An attacker can insert a bot into corporate client computers, by apple dropping, sending a malicious mails or hiding in games. The bot can be set-up to receive a remote command or just be a logic bomb, to start a DoS attack on corporate servers.

EFFECT: A proper attack will slow down the DNS response to a pace where 90% of all queries will result in a timeout. As a bonus, the links will clog-up with bogus traffic, thus preventing corporate applications on the client computers from any communication.

A good time for this attack is start of business hours, because even IPS systems have a trend that expects a lot of DNS traffic then, and will not react properly. This also goes for IT teams

Naturally, this attack is not straight-forward nor easy to do. It requires

• coordination and social engineering to collect information
• access or trick to install the bots on corporate clients
• a properly programmed bot to bypass detection by antivirus

However, just because this is not easy, does not mean that it's impossible. This attack can be used as to diminish a corporation's reputation by creating difficulties in operation, or as a diversion, so the majority of system admins will be focusing on recovering basic communication, while a more sinister attack is in progress.

Controls and Countermeasures
While there is no single foolproof defence, the following controls will mitigate such an attack.

• Have at least 1 cold backup DNS server - this can be a virtual machine, but offline, and with unpublished IP address. If all other DNS servers are under attack, this computer should be brought up and assigned as DNS to most critical clients, to achieve minimal operation.
• Have dedicated DNS servers for server infrasructure - these DNS servers should not be accessible by other corporate clients, thus even if a bot attacks the client accessible DNS servers, the server infrastructure will continue operation.
  
• Set-up DNS through DHCP for ALL client computers - in case of an attack, it is much easier to reconfigure a DHCP server and ask everybody to reboot.
• Have an IPS system on the entry/egress point of traffic from clients to servers - the IPS can be of great assisstance in analysis of an attack, and should be configured to send alerts upon breach of trend.
• Do not allow DNS traffic from the internet - Internal DNS servers are for internal use. If you have web and e-mail service, outsource a minimal DNS serves hosting to an ISP provider for these public addressess. This way the attackers from the internet cannot harm your network - your exposure is reduced.
  

Related posts
Check Your DNS Zone Transfer Status
DHCP Security - The most overlooked service on the network

Talkback and comments are most welcome

A reader in the comments on our post Example - Bypassing WiFi MAC Address Restriction made the following comment

"# Obtain a valid MAC address that is allowed on the network - And that right there is the hard bit. Perhaps an article on that before declaring how easy it is."

First, I would like to clarify several things

• Every hacker attack requires some amount of specific knowledge, time, effort and resources. If this wasn't the case, they wouldn't have been called hackers, they would be called - everyone!
  
• it is not the goal of this site to provide step-by-step tutorials on actual hacker attack methods.
• The presented MAC Address restriction protection is very easy and it requires the least amount of knowledge, time and resources compared to bypassing other protection methods and attack types

Now, here is an explanation on obtaining the difficult element - a valid MAC address

• If the WiFi network allows for unlisted MAC addresses to associate and then uses some sort of egress filtering, on the router or service selection gateway, just assoicate to the network and run wireshark for 5 minutes to collect other MAC addresses on the network. Results in 5 minutes
• If the WiFi network does not allow for unlisted MAC addresses to associate, then you can
• Download Backtrack and burn it to a LiveCD. Backtrack supports most of modern WiFi laptop cards.
• Boot your laptop from the Backtrack LiveCD. Run Kismet, which will put your wireless adapter into monitor mode. Use airodump to collect packets for analysis and find valid MAC address - Results in around 3 hours
  
• Create a small Perl program to generate a cycle of possibly valid MAC addressess and cycle them on your WiFi card using macshift. This yields best results paired with a bit of social engineering - to discover the models of laptops connecting to the network, thus reducing the address space to search - depending on skills and preparation, Results in 4 - 24 hours

Related posts
Example - Bypassing WiFi MAC Address Restriction
5 Rules to Home Wi-Fi Security

Talkback and comments are most welcome

Among security professionals, it is a well known fact that using only MAC Address restriction is useless as a protection mechanism for WiFi. But for the general publiv, this is still a popular method. This post aims to show how easy it is to actually hijack someones MAC address and bypass this restriction.

Here is the process, as used on a Windows laptop

1. Obtain a valid MAC address that is allowed on the network
2. Download macshift, created by one of Internet's renaissance men - Nate True
3. Copy macshift.exe to c:\Windows\System32\
4. Find the windows name of your wireless connection, from the Network Connections, for example "Wireless Network Connection"
5. Open a Command Prompt(start->run->cmd.exe)
6. Obtain your adapter's MAC address, by typing ipconfig /all on the command prompt. The result will include the MAC address of all interfaces.
7. Type macshift VALID_MAC_ADDRESS -i "Wireless Network Connection". Here is an example screenshot.
8. Happy surfing

NOTE: Don't forget to change your MAC to it's original value when you are done!

The process without step 1 takes a total of 5 minutes. Now, it can be argued that it is not easy to obtain a valid MAC address, here are two scenarios:

• If the WiFi network does not allow for unlisted MAC addresses to associate, then you can :
  
• Put your WiFi card in monitor mode and capture some traffic - from there it is easy to find the MAC addresses
• Write a brute force program that will cycle the MAC address of your adapter and try to associate with the LAN. You can optimize the brute force by finding a laptop that can connect to the network and record the actual model. Then you can just cycle through half of the MAC address bytes
• If the WiFi network allows for unlisted MAC addresses to associate and then uses some sort of egress filtering, on the router or service selection gateway, things are much easier - just run a sniffer for 5 minutes and collect all other MAC addresses on the network. Filter out the gateway MAC, and at a later time (usually in the dead of night) try them one by one.

This example is presented just as an eye-opener to the readers with less security experience. MAC Address filtering may be used as a deterrent, but only with WPA2 encryption and minimal possible range of the WiFi access point signal.

Related posts
5 Rules to Home Wi-Fi Security

Talkback and comments are most welcome

Yesterday Internet Security Systems (ISS) increased the Internet Threat Level to 2.

The reason for this increase is the publication of an exploit code for the DNS Cache poisoning vulnerability. Most of DNS Servers have this vulnerability unless patched with a recently issued vendor-specific patch.

Even with patched DNS servers, the threat remains under specific conditions

Details of the Threat can be read Here

In many companies, the powerful firewall systems are considered these black boxes and protection by and in themselves. Such organizations tends not to control their firewalls properly. This often leaves the full responsibility of firewall management and rule setting on a small (and usually overworked) group of administrators.

The problem with such an approach is that the firewall administrators are the only ones that know and understand what rules and permissions are set on the firewalls. Furthermore, this puts the burden of proper security directly on their shoulders.

In case of a security breach, an audit may show that an improper configuration was set-up on the firewall, either intentionally or by mistake. But in any case, the administrator will then have the argument that he performed under the "best effort" principle, and didn't have the big picture or proper guidelines.

Therefore, it is very useful to create a Corporate Firewall Policy. This policy is a high level documents that will

• assure firewall setup compliant to the Corporate Security Policy
• provide a high level, easily readable description of the rules that must be applied to the firewalls
• regulate responsibilities for set-up and approval of rules
• regulate emergency changes to rules
• regulate audit and control of compliance to the policy
• Give the administrators the guidebook on what to actually set-up

Information Security Short Takes has prepared a Template document, that you can download and use as a basis for your own Firewall Policy.

Download the Firewall Configuration Policy Template HERE


Related posts
8 Tips for Securing from the Security expert
Be Aware of Security Risks of USB Flash Drives
Check Your DNS Zone Transfer Status
6 steps to securing your backup media

Talkback and comments are most welcome

Even a company with very high level of security awareness can become a victim to simple oversight. Such companies have implemented the works: network segregation; firewalls on all egress points; corporate antivirus with automatic updates; WSUS server. And yet, a lot of these companies are vulnerable, since they haven't patched or upgraded their security systems.

In the complex infrastructure of today's network, it is very easy to observe certain elements as self-sufficient black boxes, which you set-up and never need to touch. Even more so, since because of budget cuts you don't have enough manpower, or training, or both.

But your security systems are nothing more then computers, even if they have the appearance of strange black devices without a VGA or keyboard interface. And, as any computer, their operating systems have bugs and glitches, the programs that they are running (firewalls, IDS, routing) can have bugs and be compromised.

This is the avenue by which a prepared attacker can gain access into your network.

Example Scenario
A number of e-mails destined for the company were undelivered, and a customer is complaining that he cannot communicate properly. An investigation concludes that the Intrusion Protection System (IPS) falsely identifies the e-mails as malicious and drops the IP packets of the SMTP session. The protection feature of the IPS is disabled.
2 days later, the mail server is compromised by a malicious attacker.

Analysis
Due to a bug in the IPS software, it created a large number of false positives, while also successfully blocking actual malicious attacks. A new version of the IPS software was available but wasn't installed. After the disabling of the protective feature, a bot net performed an automatic attack and discovered that the infrastructure is vulnerable to the malicious message

Recommendations

1. When purchasing security systems, apart from purchasing a subscription service to attack/virus signatures, always include an agreement for regular update of the engine/operating system. It is a good idea to task the supplier with proactive responsibility to inform you of the available updates.
2. In parallel, task an internal person/team with reviewing the advisories from the manufacturer of equipment, in order to plan upgrades or patching for the infrastructure operating systems. These persons should primarily observe advisories for: firewalls and other security equipment; network infrastructure; services and servers which are contactable from the outside
3. An attack can usually be blocked in more then one spots on the attack path. Maintain a layered defense, with updated versions of software and up-to-date patches on all levels. Even if you fall behind on patch level on one layer, you are relatively safe with the other layers in place until you fix the issue.

Related posts

Check Your DNS Zone Transfer Status

DHCP Security - The most overlooked service on the network
5 Rules to Home Wi-Fi Security
Why don't you like my network?

Talkback and comments are most welcome

The DNS service is a very low maintenance service. It is configured very easily, and runs with nearly no intervention. This is especially true for Windows DNS Servers. The downside of such ease of use means that the DNS server is often forgotten by the admins, and DNS security can be lacking.

The easiest attack that can be performed on a DNS server is a Zone Transfer. The Zone Transfer, also known as AXFR, is the method by which a primary and secondary DNS servers share updates about the domains for which they are authoritative.

The zone transfer being a standard DNS service function, can be requested by any system communicating via the DNS protocol. This includes the nslookup and dig programs, existent on every PC regardless of OS.

A standard security measure is to configure the DNS servers to refuse zone transfer requests except from specified IP addresses (usually the secondary DNS servers).

Here are the risks of not implementing Zone Transfer

Data Exposure

Even if querying individual DNS records is fully legal and required, if an attacker obtains a copy of the entire DNS zone for a domain, they will have a complete listing of all registered hosts in that domain. This would enable the attacker to easily identify the possible target machines and their IP addresses.

Denial of service

Unlike standard DNS queries, which are transported via UDP packets, the Zone Transfer requires a TCP connection. The TCP connection puts a much higher load on the server then an UDP request.
An attacker can craft a program that will perform multiple simultaneous Zone Transfer requests from a DNS server, thus making them slow and unresponsive. The primary effect of this attack is to disable normal requests and block regular users from resolving the required hostnames.

How to check
It is very easy to check whether your DNS server allows Zone Transfers. Start a command line, and run the program nslookup. On the nslookup prompt, type ls -d yourdomain.com (replace yourdomain.com with the name of your domain).

• If you get a response like Query refused or Can't list domain you are ok.
• If you instead get a list of hostnames, take measures to limit the Zone Transfers immediately.

Related posts
DHCP Security - The most overlooked service on the network
Why don't you like my network?

Talkback and comments are most welcome

A lot of companies lately are seeing that their employees attach personal and company laptops to corporate networks, and bring Trojans and viruses into the network. A defence mechanism for this risk is seen in Network Access Control (NAC) solutions. However, as all new solutions, this one can problems of its own.

The fundamental idea behind NAC is to allow the network to make access control decisions based on gathered intelligence about end-systems (laptops, computers).
To do this effectively, any NAC system needs to do the following

1. Establish controls to allow/deny access at the network level.
2. Gather information about the end-systems.

This means that the NAC system will need to integrate with network elements and have partial or full control over them (to enable/disable access), access to inventory software, and possibly even install a client agent on every end system.

When in operation, the NAC system should identify every end-system connecting to the network, authenticate it against a preset policy, verify it's compliance to antivirus levels, patch level and possibly group policy applied and take protective measures. The measures can range from simple denial of access, via message for manual update of systems to become compliant, to automatic updating of all required elements to make the system compliant.

Primary targets for NAC are financial institutions and large corporations with distributed offices. There are definite benefits from

An intelligent access control also system has it's drawbacks. I did an interview about the percieved risks of NAC implementation with a CEO, a Network Admin, a System Admin and a user of a company. Here are the problems that they identify :

The CEO's view

1. A NAC is costly to implement - the costs are not only for the NAC system, we need to upgrade a lot of network equipment to be interoperable with the NAC
2. A NAC will require a large effort to achieve full compliance on all end-systems. This will reflect in additional operating expenditures for the personnel effort.

The NetAdmin's view

1. A NAC will include another element of potential failure to the network - possible poor maintenance or misconfiguration of the NAC system can cause huge problems

The SysAdmin's view

1. A NAC will cause complexity in integration with other services (antivirus, active directory, patch management) and will become a critical point of failure - if the NAC fails, what will happen?

A user's view

1. A NAC can cause immediate productivity problems if the NAC fails or misinterprets my end-system's compliance. Due to security policies in place, the remediation of such an event takes at least an hour.
2. I would be very interested to see what will happen if the CEO's laptop is deemed non-compliant

Conclusions

Network Access Control is a good technology but the organization has to be extremely careful when to implement it. It is not a silver bullet, and risks and drawbacks need to be investigated and analyzed before embarking on the road of NAC implementation

Related articles

DHCP Security - The most overlooked service on the network

5 Rules to Home Wi-Fi Security

Why don't you like my network?

Talckback and comments are most welcome

DHCP Service is the service which a lot of you use, whether you are aware of this or not. That is the service that delegates an IP address to hosts on the network when they are set-up for auto configuration. This service is extremely frequent on large corporate networks, but with the advent of Wi-Fi in So-Ho networks the DHCP service becomes more and more present in these environments.

Short description of DHCP
The Dynamic Host Configuration Protocol (DHCP) automates the assignment of IP addresses, subnet masks, default gateway, and other IP parameters. The DHCP protocol operates at the MAC sublayer of the Data-Link layer of the TCP/IP protocol stack. The only distinguishable identifier of the client computers at this level is the network interface MAC address.

When a DHCP client connects to a network, it will send a broadcast query trying to discover DHCP servers. Upon receiving response from the DHCP server, the client will send a broadcast requesting necessary information from a DHCP server.
Upon receipt of a valid request the server will assign the computer an IP address and other configuration parameters such as the subnet mask and the default gateway, and send these parameters to the requesting client. The DHCP server is configured to manage and lease a pool of IP addresses within a specific address range, according to the routing settings of the network, and the number of clients on the LAN segment.

The assigned parameters are 'leased' from the server, and when the 'lease' expires, the client must release assigned IP address and parameters effectively unconfiguring the network interface. To prevent this, the client will try to renew the 'lease', usually starting with the renewal requests at the half of the lease period.


Vulnerabilities that can be exploited in a DHCP service

1. Rogue DHCP server - a very dangerous attack and a very easy one to set up. It involves creating your own DHCP server and connecting it on the network, with the intention of sending your parameters to the clients. The attacks of a rogue DHCP server to the clients can range from a simple denial of service (issuing non-routable ip addresses or wrong DNS information) to the very subtle issuing of rogue DNS server. With this second attack the attacker will set-up the clients to use his DNS server instead of the standard corporate one. His rogue DNS server can be then configured to direct users to fake copies of some sites, for the purpose of credential collection.
2. DHCP denial of service - a simple attack to perform, but not too critical if used by itself. It involves placing a specially configured attack DHCP client which will request many DHCP leases with spoofed MAC addresses, effectively 'draining' the available pool of IP addresses from the DHCP server. If this happens, normal clients will not be able to obtain an IP address and use the network. This attack is usually combined with the previous one, in order to prevent the regular DHCP server from responding to the requests.
3. DHCP routing attack - if a rogue or a compromised DHCP server returns the IP address of the hacker's machine as the default gateway, then all traffic from the local network will pass through this machine, and can be subject to traffic sniffing and reconstruction of TCP sessions, thus revealing user names, passwords, personal information etc.. And it is very very easy to set-up a computer to be a NAT router and forward all communication to the regular gateway, so no one will actually see any change on the network
4. Compromise of the corporate DHCP server - the most difficult attack to perform and the most dangerous. It is quite difficult to achieve since the hacker needs to compromise an actual corporate server, which is often well protected by hardening and IDS systems. Once penetrated, the compromised DHCP server offers the entire set of attacks on clients described above, with the added benefit that this attack is very difficult to identify. There are no rogue DHCP servers on the network that the Net Admin can scan for, and at first glance business goes on as usual.
   

Securing of DHCP service

Securing the DHCP server is very difficult because it is designed to operate at a very low level, there are very few security controls that can be implemented for it:

• Manually set-up DNS IP address on each client to a trusted DNS IP address - DNS servers are rarely changed so this is an excellent protection against rogue DNS server. On the other hand, it is a relatively cumbersome process.
• Harden the operating system and procedures of the DHCP server and the DHCP relay agents - implement all available security patches; change all default passwords and maintain a rule to have complex and frequently changed passwords (This includes SNMP). Disable all unnecessary services and user names.
• Implement procedural rules that ban the connection of outsider laptops on the corporate network - Write the procedures, and scan for rogue PC's on the network at frequent intervals; implement regular unannounced scanning for rogue DHCP servers on your network.
• For Wi-Fi networks, use WPA2 encryption and perform patches and updates on the access points and routers.

Related posts
5 Rules to Home Wi-Fi Security

Further reading

DHCP service description on Wikipedia

Talk back and comments are most welcome