Hacking Virtual Machines Part 3 - Crashing unpatched Hyper-V hosts
Virtualization is considered to be the new renaissance in computing. Suddenly, all those oversized servers are put to great use by running multiple guest OSes on them. But running IT services in a virtualized environment also brings a whole host of new opportunities for attackers.
In this article, we'll review the issue of Denial of Service against a virtualization environment.
One of the most important elements of a virtualization environment is isolation. The host OS and the guest OS machines run on the same hardware, and none of them should be able to access the others' resources, including memory, CPU time, video memory and so on.
A lot of virtualization implementations fail at proper isolation, and that can allow an attacker to mount several types of successful attacks.
The simplest one is a Denial of Service attack. A compromised guest generates traffic to memory address space in an attempt to breach the isolation walls and corrupt another guest OS or the host OS. It is quite common for early versions of a virtualization platform to have vulnerabilities in the isolation mechanisms.
The following is an example of breach of the isolation wall on an unpatched Windows 2008 Hyper-V.
Please note that this attack only works on a default installation of Windows 2008 with no patches applied, so all your virtualization platforms should be fully patched.
Talkback and comments are most welcome
Attacking an unpatched Windows 2008 Server
Microsoft cannot stress enough the importance of keeping your systems patched. And yet, server systems tend to drift from best practice, for several reasons:
- The patch may break the application that the server is running
- The patch will require reboot, which may cause unwanted downtime
- It's simply a hassle
Here is the attack scenario.
The attack is based on two well-known vulnerabilities of Win2008 in the SRV2.SYS driver. In Metasploit, these exploits are known as:
- ms09_050_smb2_negotiate_pidhigh
- ms09_050_smb2_session_logoff
To use these exploits, just fire up msfconsole and type
msf > use auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh
msf auxiliary(ms09_050_smb2_negotiate_pidhigh) > set RHOST (Target IP address)
msf auxiliary(ms09_050_smb2_negotiate_pidhigh) > exploit
You can do the same with the second exploit.
Here is the end result from a Metasploit command line point of view.

And here is the end result from a Windows 2008 Console point of view

Conclusion
Although this is just a demo type of exploit, it provides an excellent example of what happens to an unpatched server. Imagine that this was the web server running your Web Site. Now go and patch your systems :)
Analysis of Windows Security Logs with MS Log Parser
When investigating an intrusion in a Windows system, one of the first places to start is the Windows security log. The security event log is also very useful when searching for anomalies and possible intrusions.
Reading through a Windows security log, or any other log, can be very difficult and time consuming, so a lot of companies have created their own tools to analyze Windows event logs. But before you go commercial, there is a tool that will get you going at no cost. Against all odds, it's a tool made by Microsoft!
The tool
The tool in question is Microsoft Log Parser. Log Parser is a command line tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory. So you can use it to analyze most structured text-based files, as well as the event log and AD, on a single computer.
You can query remote computers on the network, as long as the credentials that Log Parser is running under can access the data sources on the remote computers.
For the Security log, you need to run Log Parser as administrator.
Note that this tool doesn't collect data from multiple computers, it just analyzes data in a single file/single computer repository.
The improved interface
In its original form, Log Parser is a command line tool, so it is not the most user friendly tool in the world. Also, it has no way of saving your prepared queries so you can invoke them later. But a promising developer named Dimce Kuzmanov has created a free frontend to Log Parser called Log Parser Lizard.
Log Parser Lizard enables you to store the prepared queries and organizes them by the type of data source you wish to analyze. It can also export results to Excel, auto-generate charts from the result of the executed query, and export the queried subset back into the original format from which the analysis was performed.
Analyzing the Security Log with Log Parser Lizard
Using Log Parser Lizard for Security Log analysis is very simple. Choose the Queries button and select the Event Logs category, then create the queries that you need for your analysis. Here are some examples:
- SELECT * FROM Security - simple dump of all data from the security log
- SELECT EventID, COUNT(*) FROM Security GROUP BY EventID - analyze what types of events appear in the security log and in what quantity
- SELECT * FROM Security WHERE EventID = 517 - find whether the security log was cleared on Win2000/XP/2003
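Three further queries in the same dialect, as an added example that is not from the original post or from Log Parser Lizard: they run Log Parser 2.2 from PowerShell against the local Security log and cover both the 2000/XP/2003 and the Vista/2008/7 event numbers. The install path, the elevated shell and the token index in the third query are assumptions.

```powershell
# Added example (not from the original post): run Log Parser 2.2 from PowerShell
# against the local Security log. Assumes the default install path below and an
# elevated shell (the Security log needs administrator rights).
$LogParser = 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'

# Queries are keyed by a short name so they live in a script instead of being
# retyped. Event IDs 517/529 are the Win2000/XP/2003 numbers, 1102/4625 the
# Vista/2008/7 equivalents, so each query covers both generations.
$Queries = @{
    # Was the Security log cleared? Legitimate only during planned maintenance.
    'log-cleared' = @"
SELECT TimeGenerated, ComputerName, EventID
FROM Security
WHERE EventID IN (517; 1102)
ORDER BY TimeGenerated DESC
"@
    # The event mix from the post, but per hour, to spot bursts of activity.
    'events-per-hour' = @"
SELECT QUANTIZE(TimeGenerated, 3600) AS Hour, EventID, COUNT(*) AS Total
FROM Security
GROUP BY Hour, EventID
ORDER BY Hour, Total DESC
"@
    # Failed logons per account. Strings is pipe-delimited; token 5 is assumed
    # to be the target account name from the 4625 template. Check it against one
    # raw event first: SELECT Strings FROM Security WHERE EventID = 4625
    'failed-logons' = @"
SELECT EXTRACT_TOKEN(Strings, 5, '|') AS Account, COUNT(*) AS Failures
FROM Security
WHERE EventID IN (529; 4625)
GROUP BY Account
HAVING COUNT(*) > 10
ORDER BY Failures DESC
"@
}

foreach ($Name in $Queries.Keys) {
    Write-Host "== $Name =="
    # -i:EVT reads the live event log; -o:CSV keeps the output importable.
    & $LogParser -i:EVT -o:CSV -stats:OFF $Queries[$Name]
}
```

Point the same queries at a remote host by replacing FROM Security with FROM \\server\Security, subject to the credential note above.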
Conclusion
Analyzing the Security Log is always a useful approach to security controls, so you need to include it in your routine operations. And until you buy a SIEM system which will run an automatic and scheduled analysis, you should adopt a simple tool like Log Parser and Log Parser Lizard.
Reminder Tutorial - Enable Auditing on Windows 7
Auditing is one of the major tools for detecting intrusions or malicious activity on systems and networks. And yet, even the 'secure by design' incarnation of the Microsoft client OS, Windows 7, does not write event entries to the security log out of the box.
So here is another reminder on how to enable auditing on your system. To enable auditing on a computer running Windows 7, use the same old approach used in every standalone Windows OS starting from Windows 2000 Pro:
- Open the Control Panel.
- In Control Panel, double-click Administrative Tools, and then click Local Security Policy.
- In Local Security Settings, double-click Local Policies, double-click Audit Policy, and then click the events that you want to audit.

We recommend that you audit the following events with the types of audited events specified in the parentheses:
- Audit account logon events (Success, Failure) - This setting determines whether the OS audits each time this computer validates an account’s credentials.
- Audit account management (Success, Failure) - This setting determines whether to audit each event of account management on a computer.
- Audit directory service access (Failure) - This setting determines whether the OS audits user attempts to access Active Directory objects.
- Audit logon events (Success, Failure) - This setting determines whether the OS audits each instance of a user attempting to log on to or log off from this computer.
- Audit object access (Failure) - This setting determines whether the OS audits user attempts to access non-Active Directory objects.
- Audit policy change (Success, Failure) - This setting determines whether the OS audits each instance of attempts to change user rights assignment policy, audit policy, account policy, or trust policy.
- Audit system events (Success, Failure) - This setting determines whether the OS audits any of the following events: Attempted system time change; Attempted security system startup or shutdown; Attempt to load extensible authentication components; Loss of audited events due to auditing system failure; Security log size exceeding a configurable warning threshold level.
To view the resulting audit events, start Event Viewer and choose Windows Logs -> Security.
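The same settings applied from the command line, as an added example that is not from the original post: auditpol sets each category with the success/failure choices listed above and then prints the effective policy so the change can be verified. It assumes an elevated PowerShell prompt on Windows 7.

```powershell
# Added example (not from the original post): the audit policy recommended
# above, applied with auditpol instead of the Local Security Policy console so
# it can be scripted on many machines. Assumes an elevated prompt on Windows 7.
$Policy = @(
    @{ Category = 'Account Logon';      Success = $true;  Failure = $true  }
    @{ Category = 'Account Management'; Success = $true;  Failure = $true  }
    @{ Category = 'DS Access';          Success = $false; Failure = $true  }
    @{ Category = 'Logon/Logoff';       Success = $true;  Failure = $true  }
    @{ Category = 'Object Access';      Success = $false; Failure = $true  }
    @{ Category = 'Policy Change';      Success = $true;  Failure = $true  }
    @{ Category = 'System';             Success = $true;  Failure = $true  }
)

foreach ($P in $Policy) {
    # auditpol takes enable/disable per outcome; setting a top-level category
    # applies the choice to every subcategory under it.
    $s = if ($P.Success) { 'enable' } else { 'disable' }
    $f = if ($P.Failure) { 'enable' } else { 'disable' }
    auditpol /set /category:"$($P.Category)" /success:$s /failure:$f | Out-Null
}

# Print the effective policy for every category so the change can be checked
# (and kept as a record of what the machine was supposed to audit).
auditpol /get /category:*
```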

Risk Assessment with Microsoft Threat Assessment & Modeling
Every organization has some form of Information Security Risk assessment. Some perform a formal risk assessment, others simply use their practical experience. Whatever method is chosen, it always helps to use a tool which will assist the organization in performing the risk assessment in a controlled and reproducible manner.
The tool
There aren't that many tools that assist the organization in performing risk assessment. The most widely used one is Excel, but it is far from a good choice. Microsoft has also created MS Threat Assessment and Modeling - a tool that although designed for a slightly different purpose, can easily be used for Risk Assessment.
The process
Performing risk assessment with MS TAM is easy once you understand the components and the process.
Components of the MS TAM Analysis
- Roles – functional identities involved in the assessed process/system; these can include both service identities and human identities
- Components – system elements involved in the assessed process/system, most commonly servers or subsystems
- Data – data stored and processed in the assessed process/system; in effect, ANYTHING THAT TRAVERSES THE components
- External Dependencies – any external elements, including data, components or roles, from other processes or systems
- Use Cases – the steps involved in operating the system/performing the process
- Relevancies – characteristics attributed to a component that are relevant to the component's method of operation and open a possible vector of attack
- Attacks – methods of compromising or destroying a component by misusing the characteristics of one or several relevancies attributed to the component
- Threats – the assessed threats to the system. This component will be used to generate and assess the risks
The process consists of the following steps/phases:
- Step 0 – Before starting anything, know your system/process/company. You will need to simulate and configure all relevant elements of the assessed system/process/company.
- Step 1 – Define Roles - Define the logical groups of users involved in the system/process/company that is assessed
- Step 2 – Define Components and Data - These are the building blocks of the system/process. Data traverses components and is accessed by users and components
- Step 3 – Update and Define Relevancies - Create or update relevant attributes that define behavior of a component. For instance, a relevancy is that a component uses power supply, therefore it is susceptible to the risk of power failure. Add new relevancies for your specific components
- Step 4 – Update attacks - Attacks are methods of misusing relevancies. Update the current attacks with specific ones - if you have them. If you have created new relevancies, create the attacks that compromise them. For each attack, include countermeasures that mitigate this attack. For instance, if the attack is power supply brownout, one possible countermeasure is an in-line UPS that acts as a voltage stabilizer.
- Step 5 – Define Use Cases and Calls - The use cases are the steps in the process, or the way a system is operated/used. Without the use cases, the risk assessment cannot be performed. For instance, one use case for a mail server system is the reception of an e-mail from an external mail server (from the Internet).
- Step 6 – Model Risks - After you have modeled your system, generate the Threats, and analyze them one by one to assess frequency and impact, and define countermeasures from the offered possibilities. At the end of the process, the finalized threats are the risks to your system.

The results
After completing the process, the end result is the report set. The MS TAM has a predefined set of reports. Since MS TAM is primarily targeted at software development, the generic reports may be found to be lacking. The most useful report is the comprehensive report, which includes nearly all information. But it is still lacking a report which summarizes the risk assessment parameters:
- Impact
- Probability
- Risk Rating
- Risk Response
- Countermeasures
Conclusion
MS Threat Assessment and Modeling 2.1.2 may not be the best tool for Risk Assessment. It may not match your Risk assessment methodology to the letter, nor does it deliver the final result out of the box. But unless you have a better tool, it is very usable, since it controls the process, and with MS TAM you will always follow the mindset of risks, threats and impact.
And of course, until you have a better product, use the one that is readily available!
If anyone encounters a problem or has a question with using MS TAM, just leave a comment, or send me an e-mail
New Version of Microsoft Baseline Security Analyzer
Our Microsoft Baseline Security Analyzer scanner has just reported that a new version (2.1.1) is available. It can be downloaded from the following URL:
http://www.microsoft.com/downloads/details.aspx?FamilyID=b1e76bbe-71df-41e8-8b52-c871d012ba78&displaylang=en
We were disappointed to see that the 2.1 version did not work properly on Windows 7 - it just reported that the computer is not a Windows NT/2000/XP/2003 computer.
The 2.1.1 does not provide any new major functionality, but now it is fully compatible with the current version of Windows.
You can download the baseline that we did on our demo Windows 7 laptop here