The rainbow table method works great against the Windows password hashing algorithms (LM and NTLM), but it can be applied to other hashing algorithms too, like the ubiquitous MD5.
A new website, Free Rainbow Tables, has just started, and its first offering is a great set of 36 tables for lowercase alphanumeric strings from 1 to 8 characters hashed with MD5. For free, obviously.
And it's just the beginning, since the creators have developed a Windows distributed-computing client that donates spare CPU time to generating new or extended tables.
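To show what those tables actually contain, here is a toy rainbow table for the same plaintext space (lowercase letters and digits, MD5), added as an illustration and not code from the original post or from Free Rainbow Tables. The reduction function, the start-point scheme and the tiny parameters (3-character passwords, 40-step chains, 1000 chains) are this example's own assumptions; real tables use far longer chains, millions of them, and rtgen-style reductions. What the code demonstrates is the time/memory trade-off: only the chain end points are stored, and a lookup replays a chain from each possible column until the stored end point is hit, then regenerates that chain to confirm the hit (false alarms from chain merges are rejected there).

```python
import hashlib
import string

# Plaintext space matching the tables described above: lowercase letters and digits.
CHARSET = string.ascii_lowercase + string.digits
N = len(CHARSET)


def md5(plaintext: str) -> bytes:
    return hashlib.md5(plaintext.encode("ascii")).digest()


def reduce_hash(digest: bytes, column: int, length: int) -> str:
    """Map a 16-byte digest back into the plaintext space.

    Mixing in the column index gives every chain position its own reduction
    function; that is what makes a rainbow table different from a classic
    Hellman table and stops colliding chains from merging for the rest of
    their length. (Toy reduction for illustration only, not rtgen's.)
    """
    value = int.from_bytes(digest[:8], "big") + column * 0x9E3779B1
    chars = []
    for _ in range(length):
        value, idx = divmod(value, N)
        chars.append(CHARSET[idx])
    return "".join(chars)


def chain_start(index: int, length: int) -> str:
    """Deterministic start point for chain number `index` (assumed scheme)."""
    return reduce_hash(md5(f"start-{index}"), 0, length)


def build_table(chain_len: int, num_chains: int, length: int) -> dict:
    """Precompute chains; only (end point -> start point) pairs are stored."""
    table = {}
    for i in range(num_chains):
        start = p = chain_start(i, length)
        for column in range(chain_len):
            p = reduce_hash(md5(p), column, length)
        table.setdefault(p, start)   # first chain reaching an end point wins
    return table


def lookup(table: dict, target: bytes, chain_len: int, length: int):
    """Recover the plaintext whose MD5 is `target`, if some chain covers it."""
    for column in range(chain_len - 1, -1, -1):
        # Hypothesis: target is the hash at position `column`; walk to the end.
        p = reduce_hash(target, column, length)
        for c in range(column + 1, chain_len):
            p = reduce_hash(md5(p), c, length)
        if p not in table:
            continue
        # Candidate chain found: regenerate it and confirm (rejects false alarms).
        q = table[p]
        for c in range(chain_len):
            if md5(q) == target:
                return q
            q = reduce_hash(md5(q), c, length)
    return None


def crack_hex(table: dict, hexdigest: str, chain_len: int, length: int):
    """Convenience wrapper for the hex form in which MD5 hashes are usually found."""
    return lookup(table, bytes.fromhex(hexdigest), chain_len, length)


if __name__ == "__main__":
    CHAIN_LEN, NUM_CHAINS, LENGTH = 40, 1000, 3
    t = build_table(CHAIN_LEN, NUM_CHAINS, LENGTH)
    pw = chain_start(0, LENGTH)   # covered by chain 0 by construction
    print(pw, crack_hex(t, hashlib.md5(pw.encode()).hexdigest(), CHAIN_LEN, LENGTH))
```

Coverage of the space is probabilistic (chains merge and overlap), which is why real table sets come in several tables with different reduction seeds; a hash of a password outside the generated space simply returns no result.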
Friday, September 29, 2006
Thursday, September 28, 2006
SMAU 2006
This year I'll be at the Italian event SMAU 2006.
I'll attend on Friday, October 6th only (the whole day), and I'd be happy to meet some Italian Security Zero readers.
So if you take part in the exhibition, look for me at the Microsoft booth, along with other Most Valuable Professionals (MVPs).
See you there!
Tuesday, September 26, 2006
Release: Microsoft Threat Analysis & Modeling 2.0
Threat Analysis & Modeling is one of those free tools that make you think Microsoft could do incredible things in security.
Threat modeling is an analysis process aimed at identifying the characteristics of an application and the potential threats it is exposed to.
And, as I already said during the beta, this new version performs the task in an impressive way.
Here are some of the new features:
- TreeView Navigation with visibility to all nodes at all times
- Wizard based threat model creation
- Default Attack library with descriptive countermeasure guidance
- Automatic Threats and Use Cases generation
- Consolidated Call Flow (System Flow), Attack Surface and Threat Tree are some of the visualizations available, all of which can be exported to Visio
- Exportable Analytics and Reports to HTML
- Import 1.0 Threat Model
- Export countermeasures and attack test cases to Visual Studio Team Foundation Server (TFS)
- Import SDM Deployment Reports from VSTA
- Copy Paste and Drag-&-Drop features
- Enhanced Find Feature
The new wizard is surely the most notable improvement, helping you define every aspect of the application, from users to services, from data to components, from business objectives to relevancies, at a very deep level of detail:

Microsoft has also been smart enough to create a whole video series introducing the tool:
- What is Microsoft Application Threat Modeling
- Creating a Threat Model - Define Application Requirements
- Creating a Threat Model - Define Application Architecture
- Creating a Threat Model - Model
- Creating a Threat Model - Assimilation
- Creating a Threat Model - Measure
Check the development team blog here and, obviously, download the tool here.
Meanwhile I still wonder whether I could have something similar for network security. Microsoft, are you listening?
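To make concrete what "automatic threat generation" from an application model means, here is a small threat-model-as-code example, added here and not code from the original post or from the Microsoft tool. The model captures the same kinds of elements the wizard asks for (components in trust zones, data with a confidentiality/integrity/availability rating, calls between components); the attack surface is derived as every call crossing a trust boundary, and candidate threats with countermeasures are generated from a handful of CIA rules. The trust-zone ranking, the rule set and the three-tier sample application are this example's own assumptions, not the tool's attack library.

```python
from dataclasses import dataclass
from typing import Dict, List

# Trust zones ordered from least to most trusted (an assumption of this example).
ZONE_RANK = {"internet": 0, "dmz": 1, "internal": 2}


@dataclass
class Component:
    name: str
    zone: str


@dataclass
class Data:
    name: str
    confidentiality: int   # business impact if disclosed: 1 low .. 3 high
    integrity: int         # business impact if altered
    availability: int      # business impact if unavailable


@dataclass
class Call:
    caller: str
    callee: str
    data: str
    protocol: str
    authenticated: bool = False
    encrypted: bool = False


@dataclass
class Threat:
    entry_point: str
    category: str          # "confidentiality", "integrity" or "availability"
    description: str
    countermeasure: str


class Model:
    def __init__(self, components, data, calls):
        self.components: Dict[str, Component] = {c.name: c for c in components}
        self.data: Dict[str, Data] = {d.name: d for d in data}
        self.calls: List[Call] = calls

    def crosses_boundary(self, call: Call) -> bool:
        return self.components[call.caller].zone != self.components[call.callee].zone


def attack_surface(model: Model) -> List[Call]:
    """Entry points: every call whose caller and callee sit in different trust zones."""
    return [c for c in model.calls if model.crosses_boundary(c)]


def generate_threats(model: Model) -> List[Threat]:
    """Derive candidate threats from the model with simple CIA rules (this example's own)."""
    threats = []
    for call in attack_surface(model):
        d = model.data[call.data]
        caller, callee = model.components[call.caller], model.components[call.callee]
        ep = f"{call.caller} -> {call.callee} [{call.protocol}: {call.data}]"
        if d.confidentiality >= 2 and not call.encrypted:
            threats.append(Threat(ep, "confidentiality", f"{d.name} is readable on the wire",
                                  "protect the channel (TLS or IPsec)"))
        if d.integrity >= 2 and not call.authenticated:
            threats.append(Threat(ep, "integrity", f"anyone can submit or forge {d.name}",
                                  "authenticate the caller before accepting the data"))
        if ZONE_RANK[caller.zone] < ZONE_RANK[callee.zone]:
            threats.append(Threat(ep, "integrity", f"{callee.name} parses input from a less trusted zone",
                                  "treat every field as hostile: canonicalize, length-check, validate"))
            if d.availability >= 2:
                threats.append(Threat(ep, "availability", f"{callee.name} can be flooded from {caller.zone}",
                                      "rate limits, request size limits, timeouts"))
    return threats


def summarize(threats: List[Threat]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for t in threats:
        counts[t.category] = counts.get(t.category, 0) + 1
    return counts


# Constructed sample application (three tiers), not a model from the original post.
SAMPLE_MODEL = Model(
    components=[Component("Browser", "internet"), Component("WebApp", "dmz"),
                Component("Database", "internal"), Component("Scheduler", "internal")],
    data=[Data("credentials", 3, 3, 2), Data("orders", 2, 3, 2), Data("nightly report", 1, 1, 1)],
    calls=[Call("Browser", "WebApp", "credentials", "HTTP"),                               # no auth, no TLS
           Call("WebApp", "Database", "orders", "TDS", authenticated=True, encrypted=True),
           Call("Scheduler", "Database", "nightly report", "SQL", authenticated=True)],    # same zone
)

if __name__ == "__main__":
    for t in generate_threats(SAMPLE_MODEL):
        print(f"[{t.category}] {t.entry_point}: {t.description} -> {t.countermeasure}")
    print(summarize(generate_threats(SAMPLE_MODEL)))
```

The same-zone Scheduler-to-Database call never appears in the output: it is not on the attack surface, which is exactly the pruning a modeling tool does for you so that review time goes to the boundary crossings.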
Monday, September 25, 2006
Check Point losing key figures
CRN revealed that Check Point lost 2 key people a few days ago:
- Viv Francis, EMEA Channel Manager (moved to Symbol Technologies)
- Niall Moynihan, founder of Check Point UK and Ireland and Africa Country Manager (moved to Cisco)
The most interesting thing is a sentence from Moynihan:
Moving to Cisco was an easy choice because it has a clear roadmap and vision. Every day I’m seeing more positive developments
I have always said that Check Point is the undisputed market leader in the firewall segment, but that it has a very evident chaotic development model.
This statement seems to indirectly confirm my judgement.
The biggest question is: are these key figures leaving before Check Point is acquired (despite the denial from its CEO)?
Sunday, September 24, 2006
Release: ISA Server 2006 Management Pack for MOM 2005
Microsoft released a refreshed management pack for monitoring the new ISA Server 2006 in Microsoft Operations Manager (MOM) 2005.
Luckily it also supports the older versions, 2000 and 2004.
Download it here.
Thursday, September 21, 2006
Free digital certificates for servers, applications and code
Many already know that some commercial certificate authorities like Thawte (acquired by VeriSign in 2000) offer free digital certificates.
What not everybody knows is that these are client certificates only, which means they cannot be installed in a web server, for example.
If we need a server certificate for a lab environment, or we plan to use it only inside our company, then we can create a self-signed one.
But if we need a worldwide trusted server certificate we'll have to pay for it.
Unless we turn to CAcert.
CAcert is a non-profit Certificate Authority based in New South Wales, Australia, running since 2002, which issues client and server X.509 Class 3 digital certificates for free.
Client certificates are typically used for email encryption and/or authentication.
Lately they are also used for instant messaging encryption, and in the near future they will probably be the most used tool to secure VoIP communications.
Server certificates are instead used for securing, and providing authentication for, a vast range of servers, from web servers to mail servers, up to VPN gateways (where authenticating IPsec peers with digital certificates is much safer than exchanging a pre-shared secret).
CAcert certificates support all these uses and can be used in mail servers to secure all three major protocols: POP3, SMTP and IMAP.
CAcert certs are also usable as so-called code signing certificates, allowing developers to provide identity verification for their installers, Java web applets or .NET framework executables.
Unfortunately (or fortunately) this kind of certificate is not immediately available like the standard client and server certificates mentioned above: the requester has to go through a special process to assure his identity.
The biggest issue with CAcert certificates is that they are not recognized out of the box: CAcert is not included among the root certificate authorities in Internet Explorer, Firefox and Opera, so everybody interacting with these certs has to import the CAcert root certificate into their operating system or browser.
This situation will eventually change, since more and more distributions are providing default support for CAcert.
Among the existing ones today we have: CentOS, Debian, FreeBSD, Gentoo, Knoppix. Others will come.
Despite this limitation, in many scenarios adopting CAcert is still better than generating self-signed certificates: providing authentication for several tens or hundreds of servers, for example, would be impracticable with self-signed certs, since every one of them would have to be imported into the clients, while with CAcert a single root certificate covers them all.
Another, less severe, issue with these certificates is that they don't contain any personal information immediately after issuance.
When a new free certificate is issued it contains only the information the certificate authority can easily verify: our email address for client certificates and our domain name for server certificates.
If we want CAcert to certify that our email address or domain name is linked to a real person or company, we have to prove that identity.
This is done through human verification of real-world documents.
Usually called Web of Trust (WoT), CAcert calls it the Assurance Program, but the principle behind the process is identical:
designated persons around the world, the assurers, verify our identity by manually checking photo ID documents, and assign us a limited amount of points.
A requester has to let several different assurers verify his identity, and is in turn called to verify the identity of other requesters, in order to reach a certain score.
After reaching the required amount of points our certificate is enhanced and can contain more personal data, including for example company name and address.
Obtaining a physical identity verification by assurers is not very easy (at the moment the program counts around 7,000 assurers worldwide) and could cost some money:
while CAcert doesn't charge for the service, Web of Trust members sometimes ask for a small amount of money for their trouble (this also happens with Thawte).
Anyway it's not mandatory to have full details in digital certificates to work with them, but once we reach assured status we overcome some other limitations:
- server certificates expire after 24 months instead of 6 (they are renewable in any case)
- client certificates can be used for code signing
CAcert is not the only free certification authority available on the net.
StartCom, a Linux distributor based in Israel, has been running one for less than 2 years, but it only issues Class 2 digital certificates.
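The "import the root or verification fails" point above is easy to see for yourself with openssl. The script below is an added example, not from the original post and not touching CAcert's real root: a private self-signed root plays the role CAcert plays (step 1), the server generates a key and a certificate signing request (step 2, the only part you would do yourself with a real CA), the root signs it (step 3, what CAcert does for you). Verification then fails on a client that trusts only its system store and succeeds once the root is supplied, including the host-name check. It assumes openssl is installed; the names and the directory layout are the example's own.

```sh
#!/bin/sh
# Lab PKI: a private root stands in for the CAcert root. Assumption for the
# example: openssl is installed. Nothing here touches CAcert's real root.

make_lab_pki() {                      # $1 = working directory
    dir=$1
    mkdir -p "$dir" || return 1
    # 1. the "CA": self-signed root certificate (what clients must import)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Lab Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null || return 1
    # 2. the server: private key + certificate signing request, CN = host name
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # 3. the CA signs the request (this is the step CAcert performs for you)
    openssl x509 -req -days 180 -in "$dir/server.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null
}

# A client that has NOT imported the root (system trust store only): fails.
verify_without_root() {
    openssl verify "$1/server.crt" >/dev/null 2>&1
}

# A client that HAS imported the root: succeeds, host name included.
verify_with_root() {
    openssl verify -CAfile "$1/root.crt" -verify_hostname www.example.test \
        "$1/server.crt" >/dev/null 2>&1
}

# Subject/issuer pair and validity, i.e. what a browser shows in the cert dialog.
describe() {
    openssl x509 -noout -subject -issuer -dates -in "$1/server.crt"
}

# Usage: make_lab_pki /tmp/labpki && describe /tmp/labpki
#        verify_without_root /tmp/labpki; echo "system store: $?"   (non-zero)
#        verify_with_root /tmp/labpki;    echo "with root: $?"      (0)
```

The same single root file is what makes CAcert practical for tens of servers: every client imports root.crt once, instead of one self-signed certificate per server.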
Tuesday, September 19, 2006
EMC focuses acquisition strategy on security
EMC Corporation (EMC2) is known worldwide as the leader in the high-end storage market.
In the last 5 years the company acquired several companies from different markets, including the backup solution provider LEGATO and the high-availability solution provider Rainfinity, but gained popularity among the masses after acquiring VMware, the leader in server virtualization (if you read my blog virtualization.info you know everything about this story).
After VMware, EMC comes back to the security area and buys, in rapid succession, RSA, the leader in token-based authentication, and Network Intelligence, one of the few players in the Security Event Manager (SEM) segment.
Where is EMC going?
At first sight they are building the fundamental blocks of security around the data they store: availability (Rainfinity), reliability (LEGATO), accessibility (RSA) and auditing (Network Intelligence).
But at the moment there isn't a clear integration plan between the acquired technologies. It's evident looking at the announced rearrangement strategy, where RSA maintains its brand name but leads the whole security division, where Network Intelligence becomes an RSA business unit, and where no word has been said about the destiny of the previously acquired security firms.
EMC has to detail exactly how the rearrangement will be done and prove real integration, otherwise it will only generate confusion among customers, weakening all brand images and appearing as the new Symantec of Borg.
Thursday, September 14, 2006
A free network analyzer from WildPackets
After talking about the enhanced capabilities of Wireshark (formerly Ethereal) and the new style of the upcoming Microsoft Network Monitor 3, another sniffer is worth mentioning: WildPackets OmniPeek.
Originally called EtherPeek, OmniPeek offers more than a basic sniffer, with statistical analysis of traffic, advanced protocol decoders and support for hardware capture cards (to name a few).
It's a highly appreciated product, along with Observer (Network Instruments) and Fluke (Fluke Networks).
For some time WildPackets has offered OmniPeek 4.0 Personal Edition for free.

It has some limitations:
- Able to capture from a single network interface at a time only
- Expert analysis limited to 25 active conversations
- Licensed for use on networks of up to 200 nodes only
- No support for matrix switches
- No specialized Gigabit or WAN Analyzer Card support
- No VoIP analysis experts or options
but it's still fully working and worth a full evaluation.
OmniPeek has some clear advantages over Wireshark in statistical analysis (which is updated in real time, during capture):

while it suffers in filtering capabilities (the Wireshark filter language is unbeatable).
Anyway it can count on a very interesting filter builder, which someone could prefer over Wireshark's boolean conditions:

Until Wireshark gets serious enhancements in traffic analysis, I would consider OmniPeek Personal its mandatory complement.
Wednesday, September 13, 2006
Endpoint security interoperability and standards
Endpoint security could revolutionize corporate security. I have been saying this for a couple of years.
But endpoint security effectiveness is flawed by at least 2 big issues:
- it cannot handle machines where no endpoint agent is present
- it lacks interoperability
The second point is the most important at the moment: current solutions aren't based on a standard and aren't interoperable by default.
A customer adopting the Check Point endpoint security solution (Total Access Protection, or TAP) will not be able to integrate it with Cisco equipment featuring the Network Admission Control (NAC) endpoint security implementation.
2 years ago Cisco and Microsoft announced a cooperation to deliver interoperable endpoint security. But since that announcement nothing has happened (also because the Microsoft endpoint security solution, Network Access Protection or NAP, will not appear for another year and a half).
Now Cisco and Microsoft are re-announcing their partnership for NAC-NAP interoperability at the Security Standard conference.
Again? Yes, but this time they did a little more, producing an 8-page whitepaper (half marketing, half technical) about the interoperability.
The central point of this interoperability is the endpoint security agent, which is currently integrated in Windows XP SP2 (with some limitations) and in the Vista and Windows codename Longhorn Server beta builds: the Microsoft NAP agent will also serve as the Cisco NAC agent.
Luckily the agent will be updated by the online Windows Update service or the offline Windows Server Update Services (WSUS).
Meanwhile Cisco will continue to develop its own NAC client (Cisco Trust Agent) for non-Microsoft operating systems and possibly for Microsoft OSes prior to Windows Vista.
How customers adopting Check Point TAP, Sygate NAC (now acquired by Symantec of Borg) or other endpoint security solutions will be able to integrate with this has still to be seen.
Obviously this complexity could be addressed by creating a standard. The real problem is that an attempt to standardize already exists, but not all companies are embracing it.
It's called Trusted Network Connect (TNC) and its first draft appeared in May 2005.
As it happens, both Check Point and Sygate immediately adhered to it, while others like Juniper, Nortel and StillSecure added or announced support for it this year.
Microsoft announced plans to make its NAP compliant with the TNC standards in April 2005, while Cisco didn't.
So while you ask yourself why Cisco is once again preventing you from getting a return on your previous investments, you may want to look at a wonderful summary scheme about NAP-NAC-TNC interoperability, created by Opus One:

You may also want to check, for further reference, a handy comparison of terms for all three implementations in the standardization assessment published by the IETF in June 2006.
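Whatever the agent is called (NAP agent, Cisco Trust Agent, TNC client), the server side boils down to the same decision: take the health statement the agent reports, check it against policy and place the port in full access, a remediation network or nowhere. The example below, added here and not code from the original post, Microsoft, Cisco or the TCG, models that decision in Python. The statement-of-health fields, the policy knobs and the access levels are this example's own simplifications, not NAP's or TNC's wire formats. It also handles the first issue above, the machine that sends no statement at all: known agentless devices (a printer, listed by MAC) get a narrow exception, everything else lands in remediation, and a stale or mismatched statement is refused so a captured one cannot be replayed from another port.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class StatementOfHealth:
    """What the endpoint agent reports (fields are this example's own, not NAP's SoH format)."""
    host: str
    mac: str
    issued_at: datetime
    firewall_on: bool
    av_running: bool
    av_signature_age_days: int
    missing_critical_patches: int


@dataclass
class Policy:
    require_firewall: bool = True
    require_av: bool = True
    max_signature_age_days: int = 7
    max_missing_critical: int = 0
    max_soh_age: timedelta = timedelta(minutes=5)
    agentless_exceptions: frozenset = frozenset()   # MACs allowed without an agent (printers, phones)


@dataclass
class Decision:
    access: str                  # "full", "remediation" (quarantine VLAN) or "deny"
    reasons: List[str] = field(default_factory=list)


def evaluate(soh: Optional[StatementOfHealth], port_mac: str, policy: Policy, now: datetime) -> Decision:
    port_mac = port_mac.lower()
    if soh is None:
        # Issue 1 above: no agent answered. Known agentless devices get a
        # narrowly scoped exception; everything else lands in remediation.
        if port_mac in policy.agentless_exceptions:
            return Decision("full", ["agentless exception for " + port_mac])
        return Decision("remediation", ["no health statement received"])
    age = now - soh.issued_at
    if age < timedelta(0) or age > policy.max_soh_age:
        return Decision("deny", ["health statement stale or future-dated (replay?)"])
    if soh.mac.lower() != port_mac:
        return Decision("deny", ["health statement MAC does not match the switch port"])
    failures = []
    if policy.require_firewall and not soh.firewall_on:
        failures.append("host firewall disabled")
    if policy.require_av:
        if not soh.av_running:
            failures.append("antivirus not running")
        elif soh.av_signature_age_days > policy.max_signature_age_days:
            failures.append(f"antivirus signatures {soh.av_signature_age_days} days old")
    if soh.missing_critical_patches > policy.max_missing_critical:
        failures.append(f"{soh.missing_critical_patches} critical patches missing")
    return Decision("full" if not failures else "remediation", failures)


# Constructed sample endpoints and a fixed clock, not data from a real deployment.
NOW = datetime(2006, 9, 13, 9, 0, tzinfo=timezone.utc)
POLICY = Policy(agentless_exceptions=frozenset({"00:aa:bb:cc:dd:ee"}))
HEALTHY = StatementOfHealth("wks01", "00:11:22:33:44:55", NOW - timedelta(seconds=30), True, True, 1, 0)
UNPATCHED = StatementOfHealth("wks02", "00:11:22:33:44:66", NOW - timedelta(seconds=30), True, False, 0, 3)
REPLAYED = StatementOfHealth("wks01", "00:11:22:33:44:55", NOW - timedelta(hours=2), True, True, 1, 0)

if __name__ == "__main__":
    for mac, soh in [("00:11:22:33:44:55", HEALTHY), ("00:11:22:33:44:66", UNPATCHED),
                     ("00:11:22:33:44:55", REPLAYED), ("00:aa:bb:cc:dd:ee", None),
                     ("00:de:ad:be:ef:00", None)]:
        print(mac, evaluate(soh, mac, POLICY, NOW))
```

The reasons list is what the remediation portal shows the user; a MAC-based exception is only as strong as MAC addresses are (trivially spoofed), which is why the exception list should stay short and the printers should sit on their own VLAN anyway.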
Monday, September 11, 2006
Microsoft opens Network Monitor 3 beta 2 to public
After many years the Microsoft network sniffer, Network Monitor (affectionately called NetMon), is coming back.
Network Monitor 2.1 is included as an optional component in every Windows NT/2000 installation but has a severe limitation: it cannot put the network interface in promiscuous mode, which prevents the capture of all packets passing on the cable (only traffic addressed to or sent by the local host, plus broadcasts, is seen).
To get a full version of Network Monitor 2.1 you have to buy Microsoft Systems Management Server (SMS) 1.2 or 2.0.
The upcoming Network Monitor 3 will offer several new features and will finally be an uncapped, free, stand-alone application for Windows XP/2003/Vista/codename Longhorn (both 32- and 64-bit):
- Real-time capture and display of frames
- Simultaneous capture on multiple network adapters
- Multiple simultaneous capture sessions
- Network conversations and a tree view displaying frames by conversation
- Enhanced capture/display filtering (with IntelliSense)
- A new script-based protocol parser language (NPL), and script-based parsers

The last feature is particularly interesting, permitting network experts to create new protocol decoders or complex packet manipulations in an easy and quick way (in previous releases writing a protocol parser meant writing a DLL).

With NPL (NetMon Parser Language) Microsoft has a big chance to involve the network and security communities around Network Monitor, and should arrange a Parsers Center or something like that.
We'll see if it will be able to compete with Wireshark (formerly Ethereal) and its new enhanced features.
Enroll for the beta here and check the dedicated beta newsgroup here.
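Both the OmniPeek post above (real-time statistics, the 25-conversation limit of the Personal Edition) and this one (NetMon 3's conversation tree) revolve around the same thing a sniffer does after decoding: group frames into conversations and keep per-pair counters. The example below, added here and not code from the original posts, from WildPackets or from Microsoft, shows that pipeline end to end in Python with nothing but the standard library: it builds a small pcap file from constructed Ethernet/IPv4/TCP frames (checksums left zero, so this is sample data, not a real capture), parses the pcap back, decodes the headers and aggregates per node pair the way the conversation views do. The frame builder, the sample traffic and the "lower port is the server" heuristic are the example's own assumptions.

```python
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4   # microsecond-resolution pcap, native byte order
LINKTYPE_ETHERNET = 1


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Ethernet II + IPv4 + TCP frame. Checksums are left zero: this is
    constructed sample data for the parser, not traffic from a real capture."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Global header (24 bytes) followed by one 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_158_000_000 + i, 0, len(f), len(f)) + f
    return out


def iter_pcap(data):
    """Yield (timestamp, frame bytes) per record, honouring the file's byte order."""
    endian = "<" if struct.unpack_from("<I", data)[0] == PCAP_MAGIC else ">"
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_ipv4_tcp(frame):
    """Return (src_ip, sport, dst_ip, dport), or None for anything that is not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    l4 = 14 + (frame[14] & 0x0F) * 4          # 14-byte Ethernet header + IHL*4
    if len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return socket.inet_ntoa(frame[26:30]), sport, socket.inet_ntoa(frame[30:34]), dport


def conversation_stats(pcap_bytes):
    """Per node-pair counters, the view the sniffers above update during capture."""
    convs = defaultdict(lambda: {"packets": 0, "bytes": 0, "ports": set(), "first": None, "last": None})
    for ts, frame in iter_pcap(pcap_bytes):
        hdr = decode_ipv4_tcp(frame)
        if hdr is None:
            continue
        src, sport, dst, dport = hdr
        c = convs[tuple(sorted((src, dst)))]   # direction-independent key
        c["packets"] += 1
        c["bytes"] += len(frame)
        c["ports"].add(min(sport, dport))     # server-side port, heuristically the lower one
        c["first"] = ts if c["first"] is None else c["first"]
        c["last"] = ts
    return dict(convs)


def top_conversations(stats, limit=25):
    """Busiest pairs first; the default mirrors the 25 active conversations of the Personal Edition."""
    return sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:limit]


# Constructed sample: a short TLS exchange and one HTTP request, not real traffic.
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:01", "00:11:22:33:44:02", "10.0.0.1", "10.0.0.2", 51000, 443, b"ClientHello"),
    build_frame("00:11:22:33:44:02", "00:11:22:33:44:01", "10.0.0.2", "10.0.0.1", 443, 51000, b"ServerHello" * 4),
    build_frame("00:11:22:33:44:01", "00:11:22:33:44:02", "10.0.0.1", "10.0.0.2", 51000, 443, b"ack"),
    build_frame("00:11:22:33:44:01", "00:11:22:33:44:03", "10.0.0.1", "10.0.0.3", 51001, 80, b"GET / HTTP/1.1\r\n"),
    build_frame("00:11:22:33:44:02", "00:11:22:33:44:01", "10.0.0.2", "10.0.0.1", 443, 51000, b"data"),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for pair, c in top_conversations(conversation_stats(SAMPLE_PCAP)):
        print(pair, c["packets"], "pkts", c["bytes"], "bytes, ports", sorted(c["ports"]))
```

SAMPLE_PCAP can be written to disk and opened in Wireshark or NetMon to compare their conversation views with the counters computed here; the "bytes" figure is frame length on the wire, the same basis the tools use.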
Friday, September 08, 2006
The need for antivirus technologies
Roger Grimes, fellow CISSP and Microsoft MVP, wrote an article about the value of antivirus products.
He reports that antivirus tools are unable to recognize and clean a lot of recent malware. But most of all he firmly claims they are unnecessary to stay uninfected. Pure truth.
Antivirus shouldn't even be called this way. "Anti" is a term that makes you think of proactivity, while antivirus solutions are just virus cleaners: something to use when you are already infected.
The most important point is that Roger never suffered an infection even though he never used an antivirus. Me too, and probably many others.
He never got infected because he blocks the sources of malware instead of allowing them in and then cleaning up the damage.
He does what I would call traffic sanitization:
- blocks unwanted traffic using a personal firewall
- blocks unwanted HTML malware by converting incoming email to plain text and (probably) using an ad blocker in his browser
- blocks unwanted attachments using an antispam tool
Plus he keeps his system in good health, hardening and patching it whenever needed.
Is that all you need to remain uninfected? Is it true that his being a high-profile security guy doesn't help here?
I don't think so. And even if it were so, I still see many problems in this approach (which is the one I apply too).
For sure Roger's knowledge gave him the capability to recognize, choose, configure and update the security tools mentioned above.
It doesn't matter that a less experienced user (his daughter) is then able to run virus-free without those skills: he secured the system at the beginning.
It's easy to avoid trouble when every tool is in the right place.
Also, every time a threat bypasses the security defenses, experience becomes the most powerful tool.
In some cases, when surfing or reading email, there is something strange going on and only experienced users are able to recognize the risk they are about to face, even if the malware or the technique is completely new and they have never seen it before.
Not every system administrator or home user out there has the same skills. But even having them, how much time does deploying all the mentioned tools cost? Surely 10 times what you would spend configuring and updating an antivirus tool.
Antivirus products are useless and should disappear not because other tools exist and defend better, but because the way they try to provide fast and easy protection is flawed.
We still need fast and easy protection, but with a different approach.
Wednesday, September 06, 2006
Microsoft releases Security Configuration Wizard for ISA Server 2006
While still far from perfect, Security Configuration Wizard (SCW), along with WSUS, is one of the best tools Microsoft has ever made on its path towards enterprise security leadership.
I covered it before in Hardening Windows 2003 platforms made easy.
SCW has 2 big limits:
- it doesn't work on all Windows editions
- its roles cannot be updated with Windows Update or WSUS
This second limit obliges Microsoft to release a new version every time a new backend platform is out, but since this process seems pretty time-consuming, it happens only when a critical product is released.
That's the case with the new ISA Server 2006, for which Microsoft silently published an updated SCW in early August.
It works for both Standard and Enterprise editions and can be downloaded here.
Monday, September 04, 2006
Whitepaper: How to Protect Insiders from Social Engineering Threats
Microsoft published a 37-page paper about a rarely-treated topic: social engineering.
The large majority of people listening to social engineering examples usually smile or laugh, thinking about action movies like Mission Impossible or the 007 series.
Security professionals aren't much different: in years of security courses I rarely found people sensitive to the topic, or taking it seriously.
The biggest reason for such behaviour is disbelief. People simply don't believe someone is able to trick a service desk the way it happens in the movies.
Even those security professionals who are aware of social engineering usually have an inner conviction that there is no real chance an attacker could use social engineering techniques.
As a result, the number of documents about this topic is close to zero.
How to Protect Insiders from Social Engineering Threats, aimed at SMB companies, is interesting because, while very introductory, it touches several points, including how to plan a reception hall:
To attack your organization, social engineering hackers exploit the credulity, laziness, good manners, or even enthusiasm of your staff. Therefore it is difficult to defend against a socially engineered attack, because the targets may not realize that they have been duped, or may prefer not to admit it to other people. The goals of a social engineering hacker-someone who tries to gain unauthorized access to your computer systems-are similar to those of any other hacker: they want your company's money, information, or IT resources.
A social engineering hacker attempts to persuade your staff to provide information that will enable him or her to use your systems or system resources. Traditionally, this approach is known as a confidence trick. Many midsize and small companies believe that hacker attacks are a problem for large corporations or organizations that offer large financial rewards. Although this may have been the case in the past, the increase in cyber-crime means that hackers now target all sectors of the community, from corporations to individuals. Criminals may steal directly from a company, diverting funds or resources, but they may also use the company as a staging point through which they can perpetrate crimes against others. This approach makes it more difficult for authorities to trace these criminals...
Saturday, September 02, 2006
Writing firewall rules with your sniffer
Wireshark, the most popular network analyzer in the world (once known as Ethereal), reached version 0.99.3.
This new release introduces some very interesting features:
- support for ESP, Kerberos, and SSL decryption
- support for USB wireless adapters
- firewall rules writing capability
The last 2 of them deserve a detailed explanation.
Support for USB wireless adapters is at the moment limited to a special USB 2.0 dongle that CACE Technologies, the company developing Wireshark, is selling online.
It costs $189, which is pretty high if you consider the average price for such gear is $50.
Wireshark is able to put the wireless adapter in monitor mode (the equivalent of promiscuous mode in the Ethernet world) thanks to a new packet driver for Windows: AirPcap.
AirPcap is a different project from WinPcap, the universal packet driver originally developed by the Italian university Politecnico di Torino (even if they are fully integrated since the new version 4.0 beta 1), and it is not included in the standard Wireshark package.
Unfortunately there is no information about which vendor manufactures the CACE dongle or about AirPcap compatibility with other USB adapters.
The firewall rule writing capability is much more unexpected.
Wireshark is now able to build simple ACL rules for the most popular firewalls, including Windows Firewall, starting from any captured packet.
The interface is still very raw (it doesn't allow creating multiple rules from a group of selected packets), but the idea in itself is very interesting.
While I don't think this feature is particularly useful at the moment, the immediate translation of the rule into every major rulebase language is much appreciated and has great educational value.
I hope to see support for the new Windows Vista firewall (which is finally able to filter in both inbound and outbound directions) soon.
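To show what the "packet to ACL" translation described above amounts to, here is an added example (my own code, not Wireshark's): it takes the fields of captured packets and renders an inbound block rule in iptables, Cisco IOS extended ACL, pf and netsh syntax, and goes one step further than the 0.99.3 UI by collapsing a group of packets into one rule per distinct source/protocol/port. The `Packet` class, the `rules_for` helper and the sample capture are constructed for this example; the netsh form uses the Vista-era `advfirewall` syntax, which the post notes was not yet supported.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Fields of a captured packet that a firewall ACL matches on (constructed)."""
    src: str     # remote source IPv4 address
    proto: str   # "tcp" or "udp"
    sport: int   # source port (varies per packet, so it is not put in the rule)
    dport: int   # local destination port

def rule(pkt, target, action="deny"):
    """Render one inbound rule matching pkt.src -> pkt.dport in the target's syntax.
    Hypothetical generator, not Wireshark's own code; 'netsh' uses the Vista
    advfirewall syntax, which the post notes Wireshark did not yet support."""
    if action not in ("deny", "permit"):
        raise ValueError("action must be 'deny' or 'permit'")
    if pkt.proto not in ("tcp", "udp"):
        raise ValueError("only tcp/udp are supported")
    deny = action == "deny"
    if target == "iptables":
        return (f"iptables -A INPUT -s {pkt.src}/32 -p {pkt.proto} "
                f"--dport {pkt.dport} -j {'DROP' if deny else 'ACCEPT'}")
    if target == "cisco":
        return f"access-list 101 {action} {pkt.proto} host {pkt.src} any eq {pkt.dport}"
    if target == "pf":
        return (f"{'block' if deny else 'pass'} in quick proto {pkt.proto} "
                f"from {pkt.src} to any port {pkt.dport}")
    if target == "netsh":
        return (f'netsh advfirewall firewall add rule name="ws-{pkt.src}-{pkt.dport}" '
                f"dir=in action={'block' if deny else 'allow'} "
                f"protocol={pkt.proto.upper()} remoteip={pkt.src} localport={pkt.dport}")
    raise ValueError(f"unknown target {target!r}")

def rules_for(packets, target, action="deny"):
    """One rule per distinct (src, proto, dport), in first-seen order: the
    multi-packet case the post says the 0.99.3 UI cannot handle yet."""
    seen, out = set(), []
    for p in packets:
        key = (p.src, p.proto, p.dport)
        if key not in seen:
            seen.add(key)
            out.append(rule(p, target, action))
    return out

# Constructed sample capture: two SMB probes from one host, then a DNS reply.
SAMPLE = [Packet("203.0.113.5", "tcp", 51234, 445),
          Packet("203.0.113.5", "tcp", 51235, 445),
          Packet("198.51.100.7", "udp", 53, 41000)]
```

Calling `rules_for(SAMPLE, "netsh")` yields two rules rather than three, because the two SMB probes differ only in source port.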