Wednesday, December 28, 2005

New ISA Server 2006 expected for second half of next year

Bink.nu just published a tentative roadmap of upcoming Microsoft products for 2006.

Among them appear ISA Server 2004 Service Pack 2, already in beta, and ISA Server 2006, scheduled for the second half of the year.

No beta program is available yet, as far as I know.

Tuesday, December 27, 2005

How to use Google to build a one-time pad

This is a nice one.

Google results on very hot topics change every day, sometimes every hour or even every minute.
So one could build a one-time pad (OTP) encryption system on top of them, provided both parties can agree on a query and a moment that nobody else can guess.

Well, someone did it, and Cryptoogle was born.


Thanks to SecuriTeam Blogs for the news.
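As an added example, not part of the original post nor of Cryptoogle: the one-time pad itself, the two classic ways it fails, and why a pad derived from public search results is not one. The messages, the snapshot string and the hash-with-counter derivation are assumptions constructed for this demonstration, not Cryptoogle's actual method.

```python
import hashlib
import secrets


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    """XOR data with pad. With a random, secret, single-use pad at least as long
    as the message this is a one-time pad; the same call decrypts."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message: a one-time pad must never wrap")
    return bytes(a ^ b for a, b in zip(data, pad))


def make_true_pad(length: int) -> bytes:
    """A real pad: CSPRNG bytes, generated once, shared secretly, used once."""
    return secrets.token_bytes(length)


def make_pad_from_public_text(snapshot: str, length: int) -> bytes:
    """Cryptoogle-style pad as assumed for this example (not Cryptoogle's real
    algorithm): stretch a snapshot of search results into a keystream by hashing
    it together with a counter. Whoever can fetch the same snapshot, or guess the
    query and the time, rebuilds the same pad: this is a stream cipher keyed with
    a public value, not a one-time pad."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(f"{counter}:{snapshot}".encode()).digest()
        counter += 1
    return bytes(out[:length])


def recover_pad(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext attack on any XOR keystream: plaintext XOR ciphertext
    returns the pad bytes used at those positions."""
    return bytes(a ^ b for a, b in zip(known_plaintext, ciphertext))


def two_time_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    """Reuse a pad and ct1 XOR ct2 == pt1 XOR pt2: the key cancels out and the
    attacker holds a direct relation between the two plaintexts."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def demo() -> dict:
    """Walk through the three cases on constructed messages."""
    msg1 = b"attack at dawn"
    msg2 = b"retreat at six"          # same length, so one pad "fits" both
    pad = make_true_pad(len(msg1))
    ct1 = xor_bytes(msg1, pad)
    ct2 = xor_bytes(msg2, pad)        # the mistake: the pad is reused
    # Constructed stand-in for "today's results for a hot query".
    snapshot = "constructed snapshot: top results for 'bird flu', 2005-12-27 10:00"
    public_pad = make_pad_from_public_text(snapshot, len(msg1))
    ct3 = xor_bytes(msg1, public_pad)
    # The eavesdropper fetches the same page and derives the same pad.
    eavesdropper_pad = make_pad_from_public_text(snapshot, len(msg1))
    return {
        "roundtrip_ok": xor_bytes(ct1, pad) == msg1,
        "reuse_leak_equals_pt_xor": two_time_pad_leak(ct1, ct2) == xor_bytes(msg1, msg2),
        "pad_recovered_from_known_plaintext": recover_pad(msg1, ct1) == pad,
        "public_pad_broken": xor_bytes(ct3, eavesdropper_pad) == msg1,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The properties a pad needs are easy to state and hard to keep: truly random bytes, at least as long as the message, never reused, and known only to the two parties. Search results fail secrecy (anyone can fetch them, and an attacker who guesses the query and the time rebuilds the keystream), so what you actually get is a stream cipher keyed with a public value. The reuse case shows why "one-time" is not optional even with a perfect pad.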

Thursday, December 22, 2005

Sun Solaris 10 now integrates automated patching system

As I already reported in October, Sun was planning to bring its Sun Update Connection patching system to Solaris 10.

Well, today Sun released Solaris 10 01/06, and Sun Update Connection, System Edition 1.0 is included:
The Sun Update Connection services enable you to keep your Solaris system up-to-date by giving you access to all the latest fixes and features. You can choose to perform local single-system update management or remote multiple-system update management. The Sun Update Connection services include these components:

  • Sun Update Manager
    The Sun Update Manager graphical user interface and the smpatch command-line interface enable you to manage updates locally on your Solaris system. The Sun Update Connection, System Edition software has the same functionality as the Sun Patch Manager tools, with the addition of some new features and enhancements.


  • Sun Update Connection
    This web application is hosted at Sun and enables you to manage updates remotely on one or more of your Solaris systems.


  • Sun Update Connection proxy
    This local caching proxy serves updates from Sun to the proxy's client systems inside your enterprise security domain.
Read the available documentation.

Wednesday, December 21, 2005

Running Internet Explorer with lower privileges

Even with personal firewalls and antivirus, we are always exposed to application-level security risks.

At the enterprise level these risks can be mitigated by application inspection technologies (like Check Point Application Intelligence, Juniper/NetScreen Deep Inspection and so on), but at the desktop level the best thing we can do is to run our programs and services with more restrictive permissions than administrative ones.

The first program we should protect this way is the browser.
For Microsoft this is a major security enhancement planned for Internet Explorer 7.0 as shipped with Vista and codename Longhorn Server (Protected Mode, which runs the browser at a lower integrity level than the rest of the user's session).

Meanwhile we can start lowering the execution privileges of our applications with a couple of freeware utilities: eCondom and DropMyRights.

Note that while eCondom works only with Internet Explorer, DropMyRights can be used to launch any Windows application with a restricted token.

Major security vulnerability found in VMware products

As I said previously, I usually don't post security bulletins, but virtualization is my second technology area of interest and this is a major flaw.

You can find everything in this post on my other blog about virtualization (www.virtualization.info).

Saturday, December 17, 2005

Sniffing RFID traffic

It isn't too early to talk about RFID security anymore.

After the March analysis of RFID attacks and the announcement by Telecom Italia, the incumbent Italian telco, that it will embed RFID into GSM SIMs, it makes sense to start evaluating the reliability of this technology.

I'd like to point out RFDump, an open source project aimed at monitoring RFID traffic and manipulating RFID tags.

Thursday, December 15, 2005

Microsoft operating systems achieve Common Criteria EAL4+ certification

After gaining Common Criteria EAL 4+ certification for ISA Server 2004, Microsoft reaches another important milestone: the same certification level (the highest reached so far by a general-purpose commercial operating system) assigned to its operating systems, Windows Server 2003 Service Pack 1 (every edition but Web) and Windows XP Service Pack 2 (Professional and Embedded editions).

Windows Server 2003 Certificate Server has been certified CC EAL 4+ as well.

Competing operating systems didn't always achieve the same results:

  • Microsoft Windows 2000 Service Pack 3 was certified EAL 4+

  • Hewlett-Packard HP-UX 11i was certified EAL 4

  • IBM AIX 5L for POWER 5.2 was certified EAL 4+

  • IBM i5/OS V5r3 was certified EAL 4+

  • Novell/SuSE Linux Enterprise Server 9.0 was certified EAL 4+

  • Red Hat Enterprise Linux 3.0 Update 2 was certified EAL 3+

  • Sun Solaris 9 08/03 was certified EAL 4+

I'd like to recall that Sun Solaris 10 03/05 is currently under evaluation for EAL 4+, while the upcoming Red Hat Enterprise Linux 5.0 aims to obtain EAL 5.

The value of Common Criteria is concrete, even if great security experts like Bruce Schneier have a different opinion.
As Richard Bejtlich correctly noted, everything depends on the Protection Profile, which can be defined narrowly enough to obtain the certification easily.
But Microsoft needs to rebuild an image of trust after 30 years of poor security work, and this is a significant starting point.

Tuesday, December 13, 2005

Circumventing Active Directory Group Policies

Mark Russinovich published a great post on his blog describing how applying Group Policy in an imperfect way can lead to security issues that let users circumvent the imposed restrictions.

Mark is probably one of the most famous developers on Microsoft technologies, and his work isn't directly focused on security. But since the beginning of his blog he has released a considerable amount of security essays and analyses.

This shows what I have been saying for years: security isn't a subject you can learn the way you learn a programming language or the configuration settings of a new product.

Security is the deepest knowledge of the technology you're using.
Completely knowing a technology means knowing its limits.
Security is the knowledge of a technology's limits.

Securing RDP traffic

Anyone administering Microsoft-based networks would agree that the remote access offered by Terminal Services is quite indispensable.

It's really fast and, even if it doesn't have all the features Citrix Presentation Server offers (for those we'll need to wait until the release of codename Longhorn Server), the RDP protocol does its job well.

But a problem remains: a production server reachable via RDP, which cannot offer strong authentication mechanisms like SSH does, is a risk.

RDP authentication is Windows-integrated, so if your server is joined to a domain you can count on the centralized authentication provided by Active Directory.
Also, you have the integrated TCP/IP Filtering feature, which limits the local ports on which the machine accepts connections.

On the other side, TCP/IP Filtering is everything but flexible (I still wonder why Microsoft won't rebuild this foundation component, present for years, instead of implementing new firewalls and application proxies): it filters by local port and protocol only, so you cannot specify any other criterion, such as which source addresses may reach the RDP port (TCP 3389) while everything else stays closed.

Today 2X, a company focused on thin client technologies, released a freeware utility, SecureRDP, able to filter RDP terminal access in a very granular way: you can define allowed IPs, but also MAC addresses, host names, client versions and connection hours.

A must download.

Web Services Enhancements (WSE) 3.0 security guide

After releasing Web Services Enhancements 3.0, Microsoft today offers a security guide titled Web Service Security: Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0.

The 365-page document is mainly aimed at solution architects and software developers involved in the design phase of web services solutions, covering the typical security issues: authentication, authorization and encryption.

The book includes the following:

Part I - Core Web Service Security Patterns
  • Chapter 1 - Authentication Patterns

  • Chapter 2 - Message Protection Patterns

  • Chapter 3 - Implementing Transport and Message Layer Security
Part II - Additional Web Service Security Patterns and Guidance
  • Chapter 4 - Resource Access Patterns

  • Chapter 5 - Service Boundary Protection Patterns

  • Chapter 6 - Service Deployment Patterns

  • Chapter 7 - Technical Supplements

Review: Core Impact 5.0

Core Security's Impact is probably the best-known commercial penetration testing tool.

If you aren't sure what a penetration testing tool is, you could check my previous post: Introduction to Automated Penetration Testers.

The company is widely known among security people also for a series of parallel activities, from publishing security advisories and research papers to hosting some very interesting security projects, which in part are embedded in Impact.

After following a demo webcast about the new features Impact 5.0 offers, I was contacted by the company, as usual in these cases.
I asked if I could publish a public review of the product on Security Zero and received an enthusiastic yes.
I then received more online, interactive training on a real installation, and the trial product, to produce the following review.


Installation and configuration
Core Impact 5.0 fits well on a Windows XP Professional machine but absolutely requires administrative privileges for installation.

As soon as you start the program you'll notice the summary of downloaded updates.
They consist of new exploits developed by Core Security, which customers can download for a whole year from the day their license starts, and the new OS fingerprinting database, provided by Nmap.


The update operation can be invoked manually at any time, and I strongly suggest doing so before any new penetration test.


When a new vulnerability goes public, Core Security develops a new exploit and puts it online for download within a 1-2 week timeframe.

Penetration tests are organized in workspaces, which you can assign to your customers, or to parts of your network to be treated in isolation.
Every workspace is encrypted with keys generated from mouse-movement entropy and a user-defined passphrase.
This is an important feature, preserving confidentiality even if the machine is stolen.

Impact activity is organized in 6 phases:

  • Network Discovery

  • Attack and Penetration

  • Local Information Gathering

  • Privilege Escalation

  • Clean Up

  • Report Generation

Targets discovery
The network discovery module is developed directly by Core Security and, as already said, uses the Nmap OS fingerprinting database.


You can customize the discovery to identify the applications behind the open ports instead of just enumerating them (as Nmap has been able to do for some releases now).


This module can easily replace any vulnerability scanner you have, like Shadow Security Scanner or eEye Retina.

Another way to find targets to attack is to import a list from port scanners and vulnerability scanners like Nmap, Nessus, Retina, LANguard and SAINT.


The attack
The real attack can be configured very flexibly: you can choose whether to permit DoS attacks, which may end up freezing the target network, you can choose to be very invasive by giving priority to privilege escalation exploits, and so on.


Impact selects which exploits to launch against a target by analyzing which ports the port scanner module found open.
But remember that this method is defeated by services running on non-standard ports, a trick some companies use to protect certain private, critical applications: an exploit chosen by port number is then fired at the wrong service, and the real one is never tested.
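The difference between choosing exploits by port number and by what the service actually says, as an added example that is not part of the original review nor of Core Impact (Impact's own module API is not used here). The scan results, the banner signatures and the exploit module names are constructed for the demonstration; `grab_banner` is the only part that talks to a network and is not exercised.

```python
import re
import socket

# Constructed banner signatures: identify a service by its greeting, not its port.
SIGNATURES = [
    ("ssh",  re.compile(rb"^SSH-\d\.\d-")),
    ("smtp", re.compile(rb"^220 .*E?SMTP", re.IGNORECASE)),
    ("ftp",  re.compile(rb"^220 .*FTP", re.IGNORECASE)),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3} ")),
]

# What a port-number-only selector assumes (IANA defaults).
DEFAULT_PORTS = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http"}


def service_by_port(port: int) -> str:
    """The naive rule: trust the port number."""
    return DEFAULT_PORTS.get(port, "unknown")


def service_by_banner(banner: bytes) -> str:
    """The robust rule: trust what the service sends."""
    for name, pattern in SIGNATURES:
        if pattern.match(banner):
            return name
    return "unknown"


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Live banner grab (not run in this example). SSH/FTP/SMTP speak first;
    an HTTP server stays silent, so poke it with a harmless HEAD if needed."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(256)
        except socket.timeout:
            data = b""
        if not data:
            sock.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            try:
                data = sock.recv(256)
            except socket.timeout:
                data = b""
        return data


def plan_exploits(open_ports: dict, exploits: dict, by_banner: bool) -> dict:
    """open_ports: {port: banner}; exploits: {service: [module names]}.
    Returns {port: [modules to try]} using one of the two selection rules."""
    plan = {}
    for port, banner in open_ports.items():
        service = service_by_banner(banner) if by_banner else service_by_port(port)
        plan[port] = list(exploits.get(service, []))
    return plan


# Constructed scan result: the admin moved SSH to 8022 and put a web server on 22.
SCAN = {
    22:   b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.54\r\n",
    8022: b"SSH-2.0-OpenSSH_3.9p1\r\n",
    25:   b"220 mail.example.com ESMTP Sendmail 8.13.4\r\n",
}

# Constructed placeholder module names, one per service.
EXPLOITS = {
    "ssh":  ["ssh_module_a"],
    "http": ["http_module_b"],
    "smtp": ["smtp_module_c"],
}


if __name__ == "__main__":
    print("by port:  ", plan_exploits(SCAN, EXPLOITS, by_banner=False))
    print("by banner:", plan_exploits(SCAN, EXPLOITS, by_banner=True))
```

Run it and compare the two plans: by port number, port 22 gets the SSH module (which will fail against Apache) and port 8022 gets nothing at all, so the real SSH daemon is never tested. By banner, each module lands on the service it was written for. Whatever the framework, check that its target selection is driven by service identification and not by the port table.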

When it finds a vulnerability in a target system it immediately exploits it, injecting an agent. This is surely Impact's strength.
Agents are classified by invasiveness level, 0 or 1. A higher agent level means more attack actions available on the target system, up to total control of the machine.



Depending on how severe the vulnerability found is, Impact will be able to inject an agent of level 0 or 1.
But if you chose to be not very invasive, it will try to inject level 0 agents everywhere. Later you'll be able to upgrade an agent from level 0 to level 1.


The pre-made actions (organized in modules) offered by agents are impressive: from simple screen capture to user password dumping, to keylogger installation (with remote reporting of every single key pressed by users), to personal firewall disabling, to DLL injection into a running process.


One of the most critical actions is the installation of a password sniffer with its packet driver.


But the most important feature of all is the capability of using an already-compromised machine (where an agent is already injected) as the source of a new attack wave.
In this way every attack can be relaunched towards new network segments the compromised machine is connected to, unreachable from the original attack position.

In my test environment the first victim had two network interfaces, connected to the networks 10.0.0.0 and 10.1.0.0.
The machine where Impact was installed was on the 10.0.0.0 network, and from there it was impossible to reach the 10.1.0.0 network.
Attacking and compromising the first victim made it possible to reach the second network and a second victim, compromising it too.


Every module is developed in Python, and Core Security offers customers the chance to create their own modules and integrate them into Impact. Obviously appropriate know-how is required.

As of today attacks cannot be scheduled in any way, and this is really a pity, since Impact can already record an attack sequence with its Macro Wizard.


Anyway, Core Security could consider introducing this feature in a future release if customers start asking for it.

Meanwhile you could try to drive Impact with third-party automation tools like AutoMate.


Information gathering
When an agent is installed on a target machine, you can retrieve as much information about that machine as you want: which OS patches are installed, local running services, installed applications, etc.
This is where you'll eventually find the data you're looking for.


Agents clean-up
At the end of the penetration test you can launch a clean-up procedure, removing any agent installed on the victims, to revert the environment to its original condition.



Reporting
The reporting module is really complete. It is able to extract data and arrange it in four different kinds of reports, aimed at different audiences, from the executive manager to the security manager.

The report is generated by the embedded Crystal Reports engine, from BusinessObjects, and can be viewed with the embedded Crystal Reports Viewer.
Then you can print it or save it in many formats: PDF, HTML, XML, RPT (Crystal Reports), XLS, DOC, etc. It can even be exported to a database via ODBC.

Here is an example.


Pricing
Core Security typically offers a one-year unlimited license, able to scan as many IPs as the customer wants and including product updates, training, maintenance and support.
After the year you can still use the product, but you don't get exploit updates anymore.

The price of such a license is $25,000 USD.

Even if the price seems high, the cost of a single outsourced penetration test on a complex environment can go far beyond it.


The bottom line
Core Impact is a really complex product with huge potential, but it is quick to learn: you need just a few hours to manage the basic features with confidence.
With these characteristics, the product is worth its price.

In the end I strongly suggest it to companies that have implemented or are implementing a security assessment plan for their infrastructures, particularly if these are very large.
I would also recommend it to consulting companies offering penetration testing services.

Introduction to Automated Penetration Testers

Too often people tend to conflate the concept of penetration testing with the act of running a port scan or a vulnerability scan against one or more network computers.

Port scanning is the simple enumeration of open ports (and therefore of listening services).
Until a few years ago port scanning tools were only able to list open ports, without really checking which services were behind them.

Vulnerability scanning is the precise verification of a series of well-known vulnerabilities affecting the services recognized during port scanning.
The verification consists in sending probes (sometimes actual attack sequences, called exploits, with the English pronunciation and not the French one) against the open ports and checking how the targeted system answers the packets.

Neither the first nor the second, which can be considered an extension of the first, qualifies as a penetration test.

A real penetration test consists in successfully compromising one or more target machines: not only recognizing vulnerabilities but also exploiting them to reach some data, the real objective of the whole operation.

A penetration test can be executed in at least two ways: interacting directly with the target system, or interacting indirectly with it by contacting its users, with a series of techniques forming the so-called social engineering discipline.

An indirect attack based on social engineering usually retrieves much more information than a direct one, and leads you to the objective (reaching the data) in a more precise and discreet way.

But social engineering is a complex and risky technique, and surely not an exact science.
It costs a lot and weighs on the budget allocated for penetration testing, to the point that most of the industry prefers to avoid it.
Companies usually go for a simpler direct analysis of their systems.

Apart from the technique used, the attack can be blind, with a determined target or not, or performed with total knowledge of the victim's infrastructure (even if in this case the term security auditing is usually preferred).

A blind penetration test on an infrastructure of medium complexity can become a very time-consuming activity, where checking known system vulnerabilities is just the first step (and this won't work at all against non-commercial, custom applications).
Then you move on to fuzzing and reverse engineering methods developed ad hoc for your targets, producing new, effective attacks.

To simplify part of this complex activity, in recent years several attack frameworks have appeared, acting as platforms for automating exploit development and delivery.

We are still in a very early age for this kind of tool, but important products have already appeared on the market, both open source and commercial.
Among the most famous names we find Core Impact (commercial), Immunity CANVAS (commercial), Metasploit (open source) and the SecurityForest Framework (open source).

I already wrote about the strategic and economic value of penetration testing in this post in March.

Modern security seen by Brian Snow, NSA

Bruce Schneier reports a wonderful essay by Brian Snow, Technical Director at the U.S. National Security Agency (NSA), about modern IT security.

Snow's point is simple: today we still insist on developing products with tons of new features, but we fail to make a single already-available system secure and reliable.

If even a teenager can compromise, with no effort, the systems the world economy is based on, then those systems surely won't resist professional attacks led by organized crime, terrorism or counterespionage.
And the current trend isn't going to change for at least 5-10 years.

A must read.

Nessus 3.0 available

The much-debated Nessus 3.0 is officially released (currently only for Linux and FreeBSD).
You can download it here.

Please note that from this version on, Nessus leaves the open source model.

Meanwhile its open source fork, previously known as GNessUs, is now called OpenVAS.

Let's see where this road leads...

An operating system to stay anonymous

Once upon a time nobody cared about privacy, and anybody could spy on us undisturbed.
Then privacy became a trendy subject, and since then everybody looks for anonymity tools with the same zeal as the search for the Holy Grail.
Meanwhile anybody can still spy on us undisturbed, but at least we have a new way to spend time and complain.

The Kaos.Theory group will present tomorrow at the ShmooCon 2006 security conference an OpenBSD customization, released as a liveCD, called Anonym.OS.

These guys built the platform so that any inbound connection is dropped and every outbound connection is encrypted or anonymized, thanks to many well-known privacy tools.

In detail, Anonym.OS is an OpenBSD with:

  • OS hardening

  • TCP/IP fingerprinting scrambling patches

  • ingress/egress firewall filtering

  • content filtering to block and clear pop-ups, banners, cookies, etc.

  • a pre-configured browser using public proxies

In the end nothing extraordinary, but everything already tuned and available in seconds thanks to the liveCD format. A really useful work.

Monday, December 12, 2005

Vulnerabilities and exploits database for wireless

Planet 3 Wireless is one of the best-known training institutes for wireless. In 2000 they created a vendor-neutral certification program for wireless technologies, from Wi-Fi to Bluetooth: the CWNP Program, today counting 5 focused certifications (you may be mainly interested in the CWSP, Certified Wireless Security Professional).

Today, sponsored by the CWNP Program, Planet 3 Wireless opens a new public database called WVE, collecting vulnerabilities and exploits for every aspect of wireless technology, from access points to cell phone stacks, passing through WEP encryption or the IrDA stack.

In practice it is a subset of better-known databases like CVE or SecurityFocus, and it can be confusing for readers since it adopts a proprietary naming convention for its entries.
But it's surely very nice to have a single place to look for wireless security bulletins.

Sunday, December 11, 2005

The (in)security black market

A very interesting piece of news appeared on December 9th on eWeek: a guy discovered a new vulnerability in Microsoft Excel, developed an exploit (so-called 0day code) and started an auction on eBay to sell it.


From a starting price of 1 cent, 19 potential buyers raised it to 60 dollars, until eBay removed the item (more on the auction chronology here).
Obviously this behavior is contrary to any ethical action a bug hunter should take.

The price reached only 60 dollars for 2 good reasons:

  • This was the first time someone tried to sell an exploit this way (at least on a public, widely known auction system), so few potential buyers were in the right place at the right moment

  • eBay removed the item within a few hours

This doesn't mean this selling technique had never been used before.

In underground channels selling and buying 0day exploits is usual, and prices are much higher than 60 dollars.
This market is mostly unknown since 99.9% of these exploits are used for other, more serious things than creating worms (the only thing the world press seems to be interested in).

This event should shed light on the world's (in)security underground market, on one side possibly grabbing the attention of authorities and the general public, on the other possibly accelerating its growth (crackers who never thought about this opportunity could start considering this method to raise money very fast).

Saturday, December 10, 2005

Mobile phone SIM embedding RFID coming

The Italian portal on GSM/UMTS mobile phones Telefonino.net reports the launch of a new SIM card from Telecom Italia, the Italian telco incumbent, called Z-Sim, integrating RFID technology.

Or at least this is what I think the card does, since the press article describes a scenario where the handset can interact with common household appliances and standard consumer services (like buying a movie ticket).

The Z-Sim will be a worldwide exclusive of Telecom Italia for Italy.

I was unable to find any documentation about this card, so I cannot provide further details on the "very reliable security gears" it mentions.

The Z-Sim could produce a larger interest in wireless hacking (at least in my country), already growing around Bluetooth MAN networks.

Friday, December 09, 2005

Severe vulnerability in Check Point SecureClient

Until today I never wrote about vulnerabilities in the security products I usually blog about, and for sure I don't want to start now.
But today I'll write something.

The researcher Viktor Steinmann found a severe vulnerability in the Secure Configuration Verification (SCV) feature offered with the Check Point VPN client, SecureClient (it affects the NGX family but could be present in NG too).

The SCV engine is the oldest form of Endpoint Security, something many companies are now starting to integrate into their products.
It remained mostly unused for years, well before the IT security industry even started talking about Endpoint Security, and only today is considered interesting because the main antivirus products started integrating with it (McAfee was the first to launch an SCV-compliant AV solution).

SCV verifies its own integrity (checking all DLLs for possible tampering) and enforces SecureClient settings: presence of Desktop Security Policies (a rulebase pushed to the VPN client and acting as a personal firewall), the inability for the user to disable it, and more.

All of these checks are stored in the local.scv file, pushed to the client by the remote Policy Server component.
If SCV finds something wrong it blocks VPN access, only permitting contact with the Policy Server to restore a trusted condition.

The researcher discovered that a simple batch file can fool SCV without losing VPN access.

Here you can find the complete advisory.


I wanted to describe this vulnerability because in the last 5 years in my classes I have always said this solution was very insecure and could be worked around with a simple attack. This is the best proof of it.

Thursday, December 08, 2005

VoIP for Dummies

VoIP will become the most common kind of network traffic.

Enterprise sniffers, firewalls (Check Point VPN-1 NG and NGX already do it today), IDSes and any other security product (including antispam systems) will start to analyze and manipulate VoIP protocols to address security and privacy, as with any other protocol.

Avaya freely released a cut-down version of VoIP for Dummies, published by Wiley Publishing.

It's worth downloading and reading, to start getting confident with VoIP if you haven't yet.

Microsoft released a Best Practices Analyzer for ISA Server 2004

In this period Microsoft is releasing a bunch of analysis tools for its critical back-end servers, the Best Practices Analyzers.

Finally the one for ISA Server 2004 has appeared. It checks the installed environment and evaluates it against several aspects: registry keys, DNS settings, software patching level, disabled services.


The scan can be scheduled to check for unwanted environment modifications over time.

The ISA Server 2004 Best Practices Analyzer tool is available here.

Wednesday, December 07, 2005

Microsoft Windows Server 2003 R2 new security features

After a long beta test (totally overshadowed by the Vista and codename Longhorn Server beta programs) Microsoft released Windows Server 2003 R2.

This update (requiring a new license and not comparable to a usual Service Pack) is just the same good old Windows 2003 with the free tools of the last 2 years embedded, from ADAM to SharePoint Services (WSS).

There are also a very few new features. On the security front there are 3 to mention:

  • Storage Manager for SANs
    LUN administration tool for Fibre Channel or iSCSI SANs, with HBA discovery and Multipath I/O features.

    You can check a quick start guide and a demo.


  • Common Log File System (CLFS)
    Framework to create, manage and store log messages (nobody has talked about this feature, not even Microsoft, and there is no documentation about it at the moment).


  • Active Directory Federation Services (ADFS)
    Single Sign-On (SSO) capability for web applications based on Active Directory or ADAM and not related to Microsoft Passport, with Kerberos, X.509 digital certificate and smart card support.
    Great for managing centralized authentication on DMZ servers, for example.

    You can check the overview, a step-by-step guide, a design guide, a webcast (level 200) and the Microsoft internal case study.

Tuesday, December 06, 2005

New Firewall Client for ISA Server 2004

A new beta program for the ISA Server 2004 Firewall Client has just started.
This program isn't related to the one started last month for ISA Server 2004 Service Pack 2.

Even here I cannot be too explicit, so I will just say that the update introduces support for new operating systems and new hardware architectures.

Comparison between Check Point and Symantec Endpoint Security solutions

InfoWorld released a limited but interesting comparison between Check Point Integrity 6.0 and Sygate (now Symantec) Enterprise Protection 5.0.
Both are Endpoint Security solutions.

The Sygate product received a higher score, but I wouldn't be in a hurry to adopt it: after the Symantec acquisition it isn't clear how things will evolve, also considering Symantec's "Borg" way of doing things and the recent decision to discontinue Sygate Personal Firewall.

Saturday, December 03, 2005

Network IDS evasion techniques

SecurityFocus released a new article worth reading on an old topic: evasion techniques, based on TTL manipulation, against network intrusion detection systems (NIDS) like Dragon IDS, Snort, RealSecure, etc.

At the bottom there are also details on how Snort can block this kind of technique.
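The insertion trick the article discusses, as an added example that is not part of the original post nor of the SecurityFocus article: a Python model of one TCP stream as seen by a sensor two routers from the attacker and by the target five routers away. Segment offsets, TTLs and payloads are constructed for the demonstration, the "first segment wins" overlap policy is one of several real reassembly policies, and `min_ttl` is a simplified version of the threshold Snort exposes as a preprocessor option.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # byte offset of this payload inside the TCP stream
    ttl: int        # IP TTL as set by the sender
    payload: bytes


def reassemble(segments, hops, min_ttl=0):
    """Rebuild the stream as seen by an observer `hops` routers away.

    Every router decrements the TTL and discards the packet when it reaches
    zero, so a packet with ttl <= hops never arrives. `min_ttl` models a sensor
    policy: drop packets whose remaining TTL is so small that they could not
    have reached the protected host anyway. Overlapping data at the same offset
    is resolved "first segment wins", a common naive policy."""
    chunks = {}
    for s in segments:
        remaining = s.ttl - hops
        if remaining <= 0:
            continue                      # expired before reaching this observer
        if remaining < min_ttl:
            continue                      # sensor refuses to trust it
        chunks.setdefault(s.seq, s.payload)
    return b"".join(chunks[seq] for seq in sorted(chunks))


SENSOR_HOPS = 2   # the NIDS sits two routers away from the attacker
HOST_HOPS = 5     # the protected web server is five routers away

# Constructed attack stream: the second segment is chaff whose TTL reaches the
# sensor but expires before the host; the third carries the real request at
# the same offset, so the sensor keeps the chaff and the host gets the payload.
INSERTION_ATTACK = [
    Segment(0, 64, b"GET "),
    Segment(4, 3, b"/index.html?"),    # chaff: seen by the NIDS only
    Segment(4, 64, b"/cgi-bin/phf"),   # what the server actually receives
    Segment(16, 64, b" HTTP/1.0\r\n"),
]

SIGNATURE = b"/cgi-bin/phf"             # constructed content match


def host_view() -> bytes:
    return reassemble(INSERTION_ATTACK, HOST_HOPS)


def naive_sensor_view() -> bytes:
    return reassemble(INSERTION_ATTACK, SENSOR_HOPS)


def hardened_sensor_view(min_ttl: int = HOST_HOPS - SENSOR_HOPS + 1) -> bytes:
    # A packet reaches the host only if it still has more than
    # HOST_HOPS - SENSOR_HOPS hops left when it passes the sensor.
    return reassemble(INSERTION_ATTACK, SENSOR_HOPS, min_ttl)


def alerts(stream: bytes) -> bool:
    return SIGNATURE in stream


if __name__ == "__main__":
    print("host sees:          ", host_view(), alerts(host_view()))
    print("naive sensor sees:  ", naive_sensor_view(), alerts(naive_sensor_view()))
    print("hardened sensor sees:", hardened_sensor_view(), alerts(hardened_sensor_view()))
```

Run it and compare `host_view()` with `naive_sensor_view()`: the sensor reassembles an innocent request and never matches the signature, while the server receives the one that does. The hardened view only works if `min_ttl` is derived from the real path length between the sensor and the hosts it protects: set it too high and legitimate packets from distant clients are ignored, set it too low and the chaff slips back in. An attacker who can traceroute to the target knows the hop count just as well as you do.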

Friday, December 02, 2005

Red Hat becomes the 4th player in centralized authentication

After acquiring Netscape Directory Server last summer, today Red Hat finally makes the product available as open source within the Fedora Core project, releasing Fedora Directory Server 1.0.

With this move Red Hat grants itself a position in a competition between 2 giants: Microsoft Active Directory 2003 and Novell NetWare 7.0 (now integrated in Novell Open Enterprise Server).
Over their shoulders there is Sun, which still doesn't officially support its Java System Directory Server 5.2 on Solaris 10.

Thursday, December 01, 2005

Microsoft enters the antivirus market in force

3 products in a single move:

  • Windows Defender
    Windows Defender is the antispyware solution, currently in public beta, that will be embedded in the upcoming Windows Vista (you'll see it embedded from the December CTP).


  • Windows OneCare
    Windows OneCare, in public beta since yesterday, is the antivirus solution that also checks system patching and the Windows personal firewall.


  • Windows Live Safety Center
    Windows Live Safety Center, in public beta, is an online, free antivirus scanning service (it requires downloading an ActiveX control before launching the scan) that also performs port scanning and checks for wasted resources on Windows systems.

Now the best thing to do would be bundling the first 2 products together, but the underlying technologies were acquired from 2 different companies and Microsoft would probably miss its release timelines (possibly synchronized with Vista) trying to achieve the integration.

I'm quite sure this will happen in the codename Longhorn Server timeframe, when these products will become the missing part of the Network Access Protection (NAP) strategy, Microsoft's Endpoint Security solution.

This move puts the whole antivirus market at serious risk.
If Microsoft is going to offer these products integrated with the operating system and for free (well, at least included in the standard Windows license price), how long will it take before unsatisfied users of other products make the switch?

The only way to survive seems to be the one taken by Check Point, which is not an antivirus vendor but understood how to integrate AV products with other security technologies, filling a hole in the market.

Anyway Microsoft has a small problem, lately more and more urgent: Google.
George Orwell's illegitimate child just enabled antivirus checking (based on the Sophos engine, as discovered in this illuminating analysis) for Gmail attachments.
From here Google could easily build something very similar to Windows Live Safety Center, and this would be a wonderful excuse to gather user data even more deeply.

RSS to become the next virus vector

Trend Micro just published an interesting whitepaper on how worm distribution trends are about to change.

The author predicts that in the Microsoft Internet Explorer 7 release timeframe we'll see a massive conversion of recent worms to take advantage of RSS feeds for spreading.

Internet Explorer 7 will catch up with its competitors Firefox and Opera by providing full RSS feed support. Recent worms are written with a modular architecture, making it easy to swap their spreading engine.

In detail, this new kind of worm could reach the first victim PC by traditional methods, compromise installed applications (like browsers and RSS readers) and subscribe them to new feeds, later downloading malicious content from dedicated websites.

This way of acting would permit very small viral codes (once called downloaders) that fetch the other attack modules through RSS.
And hiding a very small viral code is much easier than hiding a large binary with all features included.

Microsoft recognizes third parties security certifications

This is very good news.

Microsoft officially accepted security certifications from (ISC)² and ISACA as prerequisites for Partners trying to achieve the Security competency.

So from today anyone who earns a CISSP (like me) or SSCP, or a CISA or CISM certification, can be a key specialist for companies wanting to operate as Microsoft Certified Partners in Security Solutions.

Sizing a SEM solution

I already wrote in a previous post about the security products known as Security Event Managers (SEM).
In another recent post I mentioned who are considered the leaders of this market.

Some of you wrote me asking how to correctly size a SEM solution, considering the characteristics of the infrastructure to be monitored.
This is the most critical part of a SEM project, and of projects in almost any IT field, from virtualization to security: so-called capacity planning isn't an exact science.

Unexpected help comes from a new start-up that just launched a new SEM based on open source technologies: Splunk.
Commercial licenses of this product come in sizes proportional to the total number of daily events the SEM collects.
But since knowing this number is nearly impossible without a capacity planning exercise, the company, with a pleasing marketing strategy, built an online Data Calculator.

This wonderful tool calculates the total amount of daily events to be managed, based on several parameters you can customize at will.
And the equation it generates is perfectly useful with other kinds of SEMs too.
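The same kind of estimate done by hand, as an added example that is not part of the original post nor of Splunk's Data Calculator (whose formula is not reproduced here). The source classes, their event rates, event sizes, the peak factor and the compression ratio are constructed assumptions you must replace with measurements from your own environment.

```python
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class SourceClass:
    name: str
    count: int                # how many devices of this kind
    eps_per_device: float     # average events per second from one device
    avg_event_bytes: int      # average raw size of one event


def sustained_eps(classes) -> float:
    """Average events per second across the whole estate."""
    return sum(c.count * c.eps_per_device for c in classes)


def peak_eps(classes, peak_factor: float = 5.0) -> float:
    """Collectors must absorb the burst of a scan or a worm outbreak, not the
    average; peak_factor is an assumption, measure it on your busiest day."""
    return sustained_eps(classes) * peak_factor


def daily_events(classes) -> int:
    """The number license tiers are usually expressed in."""
    return round(sum(c.count * c.eps_per_device * SECONDS_PER_DAY for c in classes))


def daily_bytes(classes) -> int:
    """Raw volume per day, the number that drives disk and network sizing."""
    return round(sum(c.count * c.eps_per_device * c.avg_event_bytes * SECONDS_PER_DAY
                     for c in classes))


def storage_bytes(classes, retention_days: int, compression_ratio: float = 1.0,
                  index_overhead: float = 0.0) -> int:
    """Disk needed to keep `retention_days` of data. compression_ratio is
    raw:stored (5.0 means 5 raw bytes per stored byte); index_overhead adds a
    fraction for indexes, both assumptions to be taken from the product docs."""
    raw = daily_bytes(classes) * retention_days
    return round(raw / compression_ratio * (1.0 + index_overhead))


def size_report(classes, retention_days: int, compression_ratio: float,
                peak_factor: float = 5.0) -> dict:
    """All the numbers a sizing discussion needs, in one place."""
    return {
        "sustained_eps": sustained_eps(classes),
        "peak_eps": peak_eps(classes, peak_factor),
        "events_per_day": daily_events(classes),
        "gb_per_day": daily_bytes(classes) / 1e9,
        "storage_gb": storage_bytes(classes, retention_days, compression_ratio) / 1e9,
    }


# Constructed inventory for the demonstration.
INVENTORY = [
    SourceClass("perimeter firewall", 4, 50.0, 300),
    SourceClass("windows server", 200, 2.0, 600),
    SourceClass("nids sensor", 20, 5.0, 400),
]


if __name__ == "__main__":
    for key, value in size_report(INVENTORY, retention_days=90, compression_ratio=5.0).items():
        print(f"{key:>15}: {value:,.2f}")
```

Two things the calculator's headline number hides: the average daily count says nothing about the burst your collectors must survive, and retention, compression and indexing decide whether the storage bill is a few gigabytes or a few terabytes. Measure a real week of each source class before trusting any of the assumed rates.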