Security Ripcord


Image Manipulation With *nix Commands

October 3rd, 2008 cutaway Posted in Helpful, Security, forensics 1 Comment » 1,951 views

I decided to follow up the *nux Live Acquisition Techniques post from a few days ago with a demonstration of image or file manipulation using DD and SPLIT.  This will help me get it all straight in my head while documenting it for posterity, yours and mine.  Certainly there are other tools to do this, but knowing the basics is key to being good at anything.

Here is the scenario.

  • Copy the swap partition using DD.  Get one big image and start manipulating it.  I could just copy swap every time, but as it continuously changes I will have a problem verifying some of the commands or techniques were successful.
  • Get a hash of the image.
  • Chop the image of the swap partition into smaller pieces using DD and SPLIT.
  • Pull the chunks back together using CAT.
  • Verify that CAT successfully rebuilt the image by checking the hash.
  • Delete the last two chunks to simulate that the original copy, if it had been run using SPLIT, failed at some point for any reason.
  • Chop the swap partition image again but this time skip the good chunks and only re-run the bad chunks.  This could end up saving A LOT of time in the imaging process.  Which, in turn, saves the customer money.
  • Pull the new chunks together using CAT.
  • Verify that the new chunks can be used to create a valid image by checking the hash.
  • Stop SCRIPT, write post, grab beer (should have remembered to do this at the beginning).

In the following output I have added my notes while also bolding interesting pieces of output.  I did have a little glitch when trying to skip the good chunks, so be sure to watch for it and what I did to correct the problem.

user@cutsec:~$ script dd_stuff.txt <- Start SCRIPT so I don’t have to cut and paste
Script started, file is dd_stuff.txt
user@cutsec:~$ sudo -i <- Being root makes imaging swap easier. Plus, I like power!!
[sudo] password for user:
root@cutsec:~# cd /opt/Test
root@cutsec:/opt/Test# ls
root@cutsec:/opt/Test# dd if=/dev/sda5 of=./swap_orig.dd <- Copy an Image of the Swap Partition
2104452+0 records in
2104452+0 records out
1077479424 bytes (1.1 GB) copied, 96.2791 s, 11.2 MB/s
root@cutsec:/opt/Test# ls -al
total 1053268
drwxr-xr-x 2 root root 4096 2008-10-01 22:19 .
drwxr-xr-x 3 root root 4096 2008-10-01 11:46 ..
-rw-r--r-- 1 root root 1077479424 2008-10-01 22:20 swap_orig.dd
root@cutsec:/opt/Test# md5sum swap_orig.dd <- Hash it for verification
9a63cfbea3005551f4021aac7c287997 swap_orig.dd
root@cutsec:/opt/Test# dd if=swap_orig.dd | split -d -b 200m - swap_split.dd. <- Split the Partition Image into small chunks
2104452+0 records in
2104452+0 records out
1077479424 bytes (1.1 GB) copied, 105.6389 s, 10.2 MB/s
root@cutsec:/opt/Test# ls -al
total 2106548
drwxr-xr-x 2 root root 4096 2008-10-01 22:26 .
drwxr-xr-x 3 root root 4096 2008-10-01 11:46 ..
-rw-r--r-- 1 root root 1077479424 2008-10-01 22:20 swap_orig.dd
-rw-r--r-- 1 root root 209715200 2008-10-01 22:25 swap_split.dd.00
-rw-r--r-- 1 root root 209715200 2008-10-01 22:25 swap_split.dd.01
-rw-r--r-- 1 root root 209715200 2008-10-01 22:26 swap_split.dd.02
-rw-r--r-- 1 root root 209715200 2008-10-01 22:26 swap_split.dd.03
-rw-r--r-- 1 root root 209715200 2008-10-01 22:26 swap_split.dd.04
-rw-r--r-- 1 root root 28903424 2008-10-01 22:26 swap_split.dd.05
root@cutsec:/opt/Test# cat swap_split.dd.0* >>./swap_cat.dd <- Pull them back together using the CAT command
root@cutsec:/opt/Test# ls -al
total 3159808
drwxr-xr-x 2 root root 4096 2008-10-01 22:28 .
drwxr-xr-x 3 root root 4096 2008-10-01 11:46 ..
-rw-r--r-- 1 root root 1077479424 2008-10-01 22:30 swap_cat.dd
-rw-r--r-- 1 root root 1077479424 2008-10-01 22:20 swap_orig.dd
-rw-r--r-- 1 root root 209715200 2008-10-01 22:25 swap_split.dd.00
-rw-r--r-- 1 root root 209715200 2008-10-01 22:25 swap_split.dd.01
-rw-r--r-- 1 root root 209715200 2008-10-01 22:26 swap_split.dd.02
-rw-r--r-- 1 root root 209715200 2008-10-01 22:26 swap_split.dd.03
-rw-r--r-- 1 root root 209715200 2008-10-01 22:26 swap_split.dd.04
-rw-r--r-- 1 root root 28903424 2008-10-01 22:26 swap_split.dd.05
root@cutsec:/opt/Test# md5sum swap_cat.dd <- Verify CAT worked properly
9a63cfbea3005551f4021aac7c287997 swap_cat.dd
root@cutsec:/opt/Test# rm swap_split.dd.03 swap_split.dd.04 swap_split.dd.05 <- Remove chunks to simulate DD or SPLIT command failure
root@cutsec:/opt/Test# ls -al
total 2721540
drwxr-xr-x 2 root root 4096 2008-10-01 22:33 .
drwxr-xr-x 3 root root 4096 2008-10-01 11:46 ..
-rw-r--r-- 1 root root 1077479424 2008-10-01 22:30 swap_cat.dd
-rw-r--r-- 1 root root 1077479424 2008-10-01 22:20 swap_orig.dd
-rw-r--r-- 1 root root 209715200 2008-10-01 22:25 swap_split.dd.00
-rw-r--r-- 1 root root 209715200 2008-10-01 22:25 swap_split.dd.01
-rw-r--r-- 1 root root 209715200 2008-10-01 22:26 swap_split.dd.02
root@cutsec:/opt/Test# dd if=./swap_orig.dd bs=200MB skip=3 | split -d -b 200m - swap_new_split.dd. <- Start copying by Skipping first 3 chunks of 200MB
2+1 records in
2+1 records out
477479424 bytes (477 MB) copied, 38.3604 s, 12.4 MB/s
root@cutsec:/opt/Test# ls -al
total 3188300
drwxr-xr-x 2 root root 4096 2008-10-01 22:37 .
drwxr-xr-x 3 root root 4096 2008-10-01 11:46 ..
-rw-r--r-- 1 root root 1077479424 2008-10-01 22:30 swap_cat.dd
-rw-r--r-- 1 root root 209715200 2008-10-01 22:36 swap_new_split.dd.00
-rw-r--r-- 1 root root 209715200 2008-10-01 22:37 swap_new_split.dd.01
-rw-r--r-- 1 root root 58049024 2008-10-01 22:37 swap_new_split.dd.02 <- Note the size
-rw-r--r-- 1 root root 1077479424 2008-10-01 22:20 swap_orig.dd
-rw-r--r-- 1 root root 209715200 2008-10-01 22:25 swap_split.dd.00
-rw-r--r-- 1 root root 209715200 2008-10-01 22:25 swap_split.dd.01
-rw-r--r-- 1 root root 209715200 2008-10-01 22:26 swap_split.dd.02
root@cutsec:/opt/Test# mv swap_new_split.dd.00 swap_split.dd.03
root@cutsec:/opt/Test# mv swap_new_split.dd.01 swap_split.dd.04
root@cutsec:/opt/Test# mv swap_new_split.dd.02 swap_split.dd.05
root@cutsec:/opt/Test# ls -al
total 3188300
drwxr-xr-x 2 root root 4096 2008-10-01 22:40 .
drwxr-xr-x 3 root root 4096 2008-10-01 11:46 ..
-rw-r--r-- 1 root root 1077479424 2008-10-01 22:30 swap_cat.dd
-rw-r--r-- 1 root root 1077479424 2008-10-01 22:20 swap_orig.dd
-rw-r--r-- 1 root root 209715200 2008-10-01 22:25 swap_split.dd.00
-rw-r--r-- 1 root root 209715200 2008-10-01 22:25 swap_split.dd.01
-rw-r--r-- 1 root root 209715200 2008-10-01 22:26 swap_split.dd.02
-rw-r--r-- 1 root root 209715200 2008-10-01 22:36 swap_split.dd.03
-rw-r--r-- 1 root root 209715200 2008-10-01 22:37 swap_split.dd.04
-rw-r--r-- 1 root root 58049024 2008-10-01 22:37 swap_split.dd.05
root@cutsec:/opt/Test# cat swap_split.dd.0* >>./swap_cat2.dd <- Pull new chunks together
root@cutsec:/opt/Test# md5sum swap_orig.dd swap_cat.dd swap_cat2.dd <- Verify success
9a63cfbea3005551f4021aac7c287997 swap_orig.dd
9a63cfbea3005551f4021aac7c287997 swap_cat.dd
eec1975aed363dbd2254262594577da7 swap_cat2.dd <- FAIL!!
root@cutsec:/opt/Test# rm swap_split.dd.03 swap_split.dd.04 swap_split.dd.05 <- Remove bad chunks
root@cutsec:/opt/Test# ls -al
total 3803292
drwxr-xr-x 2 root root 4096 2008-10-01 23:02 .
drwxr-xr-x 3 root root 4096 2008-10-01 11:46 ..
-rw-r--r-- 1 root root 1106625024 2008-10-01 22:42 swap_cat2.dd
-rw-r--r-- 1 root root 1077479424 2008-10-01 22:30 swap_cat.dd
-rw-r--r-- 1 root root 1077479424 2008-10-01 22:20 swap_orig.dd
-rw-r--r-- 1 root root 209715200 2008-10-01 22:25 swap_split.dd.00
-rw-r--r-- 1 root root 209715200 2008-10-01 22:25 swap_split.dd.01
-rw-r--r-- 1 root root 209715200 2008-10-01 22:26 swap_split.dd.02
root@cutsec:/opt/Test# dd if=./swap_orig.dd bs=200M skip=3 | split -d -b 200m - swap_new_split.dd. <- Try Skip again but this time use the proper bs: in dd, M = 1024*1024 while MB = 1000*1000, so bs=200MB skipped too few bytes
2+1 records in
2+1 records out
448333824 bytes (448 MB) copied, 39.6093 s, 11.3 MB/s
root@cutsec:/opt/Test# ls -al
total 4241560
drwxr-xr-x 2 root root 4096 2008-10-01 23:03 .
drwxr-xr-x 3 root root 4096 2008-10-01 11:46 ..
-rw-r--r-- 1 root root 1106625024 2008-10-01 22:42 swap_cat2.dd
-rw-r--r-- 1 root root 1077479424 2008-10-01 22:30 swap_cat.dd
-rw-r--r-- 1 root root 209715200 2008-10-01 23:03 swap_new_split.dd.00
-rw-r--r-- 1 root root 209715200 2008-10-01 23:03 swap_new_split.dd.01
-rw-r--r-- 1 root root 28903424 2008-10-01 23:03 swap_new_split.dd.02 <- Note the size, that looks better
-rw-r--r-- 1 root root 1077479424 2008-10-01 22:20 swap_orig.dd
-rw-r--r-- 1 root root 209715200 2008-10-01 22:25 swap_split.dd.00
-rw-r--r-- 1 root root 209715200 2008-10-01 22:25 swap_split.dd.01
-rw-r--r-- 1 root root 209715200 2008-10-01 22:26 swap_split.dd.02
root@cutsec:/opt/Test# mv swap_new_split.dd.00 swap_split.dd.03
root@cutsec:/opt/Test# mv swap_new_split.dd.01 swap_split.dd.04
root@cutsec:/opt/Test# mv swap_new_split.dd.02 swap_split.dd.05
root@cutsec:/opt/Test# ls -al
total 4241560
drwxr-xr-x 2 root root 4096 2008-10-01 23:05 .
drwxr-xr-x 3 root root 4096 2008-10-01 11:46 ..
-rw-r--r-- 1 root root 1106625024 2008-10-01 22:42 swap_cat2.dd
-rw-r--r-- 1 root root 1077479424 2008-10-01 22:30 swap_cat.dd
-rw-r--r-- 1 root root 1077479424 2008-10-01 22:20 swap_orig.dd
-rw-r--r-- 1 root root 209715200 2008-10-01 22:25 swap_split.dd.00
-rw-r--r-- 1 root root 209715200 2008-10-01 22:25 swap_split.dd.01
-rw-r--r-- 1 root root 209715200 2008-10-01 22:26 swap_split.dd.02
-rw-r--r-- 1 root root 209715200 2008-10-01 23:03 swap_split.dd.03
-rw-r--r-- 1 root root 209715200 2008-10-01 23:03 swap_split.dd.04
-rw-r--r-- 1 root root 28903424 2008-10-01 23:03 swap_split.dd.05
root@cutsec:/opt/Test# rm swap_cat2.dd
root@cutsec:/opt/Test# cat swap_split.dd.0* >>./swap_cat2.dd <- Pull new chunks together
root@cutsec:/opt/Test# ls -al
total 4213068
drwxr-xr-x 2 root root 4096 2008-10-01 23:08 .
drwxr-xr-x 3 root root 4096 2008-10-01 11:46 ..
-rw-r--r-- 1 root root 1077479424 2008-10-01 23:09 swap_cat2.dd
-rw-r--r-- 1 root root 1077479424 2008-10-01 22:30 swap_cat.dd
-rw-r--r-- 1 root root 1077479424 2008-10-01 22:20 swap_orig.dd
-rw-r--r-- 1 root root 209715200 2008-10-01 22:25 swap_split.dd.00
-rw-r--r-- 1 root root 209715200 2008-10-01 22:25 swap_split.dd.01
-rw-r--r-- 1 root root 209715200 2008-10-01 22:26 swap_split.dd.02
-rw-r--r-- 1 root root 209715200 2008-10-01 23:03 swap_split.dd.03
-rw-r--r-- 1 root root 209715200 2008-10-01 23:03 swap_split.dd.04
-rw-r--r-- 1 root root 28903424 2008-10-01 23:03 swap_split.dd.05
root@cutsec:/opt/Test# md5sum swap_orig.dd swap_cat.dd swap_cat2.dd <- Verify success
9a63cfbea3005551f4021aac7c287997 swap_orig.dd
9a63cfbea3005551f4021aac7c287997 swap_cat.dd
9a63cfbea3005551f4021aac7c287997 swap_cat2.dd <- Success!!
root@cutsec:/opt/Test# logout
user@cutsec:~$ exit
Script done, file is dd_stuff.txt

There you have it.  The basics of using system commands to image a partition, chop it up, and pull it all back together.  Hopefully this is useful in some capacity.
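The whole image/split/join/verify/resume cycle from the session above, written up as a script so it can be re-run end to end. This is an added example, not the script from the post: it builds a small constructed "partition image" from /dev/urandom instead of reading /dev/sda5, uses sha256sum rather than md5sum for the integrity check, and assumes GNU coreutils (split -d, dd with M suffixes, status=none). The glitch in the session is the size suffix: in GNU dd, M means 1024*1024 bytes while MB means 1000*1000, so bs=200MB skip=3 skipped 600000000 bytes instead of the 629145600 that split -b 200m had actually written, which is why the first resumed join hashed wrong. The script keeps one CHUNK value for both split and dd so the skip offset always lines up, and skip_offset_bytes reproduces the two offsets from the session. The reacquire_from function generalizes the manual mv renumbering: it resumes from any chunk index and names the new pieces so they continue the existing sequence.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes GNU coreutils.
set -eu

CHUNK=1M                       # one size for BOTH split -b and dd bs (M = 1024*1024)
CHUNK_BYTES=$((1024 * 1024))

# Constructed stand-in for the swap partition: 3.5 chunks of random bytes.
make_source() {
  head -c $((3 * CHUNK_BYTES + CHUNK_BYTES / 2)) /dev/urandom > "$1"
}

hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# Split an image into numbered chunks: prefix.00, prefix.01, ...
split_image() {
  local src="$1" prefix="$2"
  dd if="$src" bs="$CHUNK" status=none | split -d -b "$CHUNK" - "$prefix."
}

# Reassemble chunks in lexical order. Use > rather than >> so a re-run cannot
# append a second copy onto a stale output file.
join_chunks() {
  local prefix="$1" out="$2"
  cat "$prefix".[0-9][0-9] > "$out"
}

# Re-acquire only chunks first..end: skip `first` blocks of CHUNK bytes, split the
# remainder, then renumber the new pieces so they continue the existing sequence.
reacquire_from() {
  local src="$1" prefix="$2" first="$3" tmp f i
  tmp="$(mktemp -d)"
  dd if="$src" bs="$CHUNK" skip="$first" status=none | split -d -b "$CHUNK" - "$tmp/part."
  i="$first"
  for f in "$tmp"/part.[0-9][0-9]; do
    mv "$f" "$(printf '%s.%02d' "$prefix" "$i")"
    i=$((i + 1))
  done
  rmdir "$tmp"
}

# Byte offset that dd skip=N lands on for N chunks of SIZE with the given suffix.
# M (1024*1024) matches split -b; MB (1000*1000) does not, which caused the FAIL above.
skip_offset_bytes() {
  local chunks="$1" size="$2" unit="$3"
  case "$unit" in
    M)  echo $((chunks * size * 1024 * 1024)) ;;
    MB) echo $((chunks * size * 1000 * 1000)) ;;
    *)  echo "unknown unit: $unit" >&2; return 1 ;;
  esac
}

# Full workflow: image -> hash -> split -> join -> verify, then lose the tail
# chunks, re-acquire only those, join again and verify again.
run_demo() {
  local work src prefix want
  work="$(mktemp -d)"
  src="$work/swap_orig.dd"
  prefix="$work/swap_split.dd"

  make_source "$src"
  want="$(hash_of "$src")"

  split_image "$src" "$prefix"
  join_chunks "$prefix" "$work/swap_cat.dd"
  [ "$(hash_of "$work/swap_cat.dd")" = "$want" ] || { echo "first join mismatch"; return 1; }

  rm -f "$prefix.02" "$prefix.03"          # simulate the acquisition dying at chunk 2
  reacquire_from "$src" "$prefix" 2
  join_chunks "$prefix" "$work/swap_cat2.dd"
  [ "$(hash_of "$work/swap_cat2.dd")" = "$want" ] || { echo "resumed join mismatch"; return 1; }

  rm -rf "$work"
  echo "both images match $want"
}
```

Run it with `source` and then `run_demo`, or append a `run_demo` call to the file. On a real acquisition, replace make_source with the device read and keep the hash of the original device handy; the hash comparison after the resumed join is what turns "the chunks are the right size" into "the image is the same bytes".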

Go forth and do good things,

Don C. Weber


Dumping Files Names from MS Windows Directory

September 29th, 2008 cutaway Posted in Helpful, Microsoft 3 Comments » 2,498 views

I hate the MS Windows command shell.  Maybe it is because I am not well versed in it or maybe it is just because I am lazy.  Not sure.  Either way, I wanted to find a nice way to create a list of all the files in a directory and put it into a file.  But, as I was working in Windows I didn’t want to open a command shell to get it done.  In steps Microsoft KB371379: How to add the Print Directory feature for folders in Windows XP and in Windows Vista.  This is a handy little feature that would send the directory listing directly to the default printer simply by right clicking on the folder and selecting “Print Directory Listing.”

Now, printing directly to the default printer might be fun for some, but it is not what I had in mind.  So, I modified the batch script a little.

@echo off
rem %1 = folder passed in by the shell extension, %2 = output file to write
date /t > %2
time /t >> %2
echo. >> %2
rem bare names only (/b), no pagination (/-p), directories first then sorted by name (/o:gn)
dir %1 /b /-p /o:gn >> %2
exit

This adds a file to the specified directory.  This file includes a date/time stamp (accurate to a minute) and a plain file listing that does not include any other information.  I find this helpful for quickly including things in notes and reports and I hope that it helps you as well.

Go forth and do good things,

Don C. Weber


Security: Keeping Politics Out Of It

May 30th, 2008 cutaway Posted in Helpful, Leadership, Management, Security No Comments » 4,002 views

I would like to start off by saying, “You can’t!!” The quicker you come to grips with that the better off you will be in the long run. Politics, or perhaps Micro-Politics since I am talking about intra/inter-office politics, is just a fact of life. Everybody has an agenda whether it is to further themselves, further their family, further the company, or any number of other things. So, get over it because it is just going to happen.

Now, let me tell you how you can control politics. I’m not talking “hand of God” control. I’m talking about making it difficult for politics to adversely (because some politics are good) influence the security of your organization. The answer can be found in my previous post on Organized Security. The answer is “Document Your Processes!” Okay, that is not the full answer, but it is the start. Getting your processes written down and accepted is the first step. The thing that seems to be working the best for my team is to document a process’ flow before writing down the procedure. Understanding the actions, decisions, and touch points of a process before writing the document that details each action and decision point. Here is a simple example pertaining to a user account request. This process flow utilizes “swim lanes” to show different teams or departments.

Account Request Flowchart

Once you have created this flowchart it is very hard to justify a deviation from this process. It becomes even more difficult once you detail each box in your procedural documentation. Getting your management and each team or department listed in the “swim lanes” to sign off on their involvement with the process will decrease the deviation possibilities even more. And if all else fails, it will make deviations readily apparent to management and all of the teams or departments involved.

Now, this does not mean that deviations will not happen. It is a fact of life that a situation or event was not taken into consideration during the development of the process. These instances shouldn’t matter in the grand scheme. Once the event has happened and been addressed, the individuals responsible for the process should quickly run through the process to see if any documentation needs to be generated or additional actions taken. After everything has been addressed the team can conduct a lessons learned to determine if the process needs to be updated or if the deviation was just an anomaly that will rarely occur and can be addressed on a case by case basis. Of course, politics can fall into this category. But all of this, as I mentioned, makes the deviation very apparent and the extra work associated with running back through the process and evaluating the overall process should raise questions about the validity of the action.

Once everything is documented and approved there is another very important step. That step is to consistently apply the process. Lack of consistency will leave gaps in all of your processes. Lack of consistency will breed contempt for your system and provide individuals and groups the leverage they need to circumvent the process in question and possibly the other processes developed by your team.

In the end you are not going to solve politics in your organization. You and your team need to learn how to accept it as a part of doing business. Just remember, diligent documentation, repeatable processes, and consistent application will protect you as much as they can.

Go forth and do good things,

Don C. Weber


Sometimes, Just Doing Something Is Enough

May 25th, 2008 cutaway Posted in Helpful, Leadership, Management, Security No Comments » 3,672 views

Well, this week at work was very interesting. Actually, the last two weeks have been extremely busy. As Friday rolled in I looked into the eyes of my team members and I could see the tired, slightly overwhelmed, and, for some, haggard look in their eyes. They had shouldered what our organization decided to throw at them and they pulled through with their heads held high. No small feat when you are talking about a crew that was built from individuals with very little security background and a manager (me) who is hell-bent on documenting and improving each procedure as they are going through it. I do this not only to help them build a program that is repeatable and lends itself to self-improvement, but so that our customer can “feel-the-pain” when their goals are not being accomplished due to the never ending “high priority” additional tasks (something I, and others, refer to as “firefighting”).

I usually make it a point to congratulate my team members for a job well done. It builds confidence, denotes achievement, and helps give a sense of closure to on-going tasks and issues that never seem to have an “end.” But this week I went a step further. I let them know that when they are working on the “high priority” issues, when the “firefighting” is taking all of their time and effort, that the things they are doing are enough. Just working the task is enough to help secure our environment. Even if they haven’t completed the task or specific issues mean they were not able to address regular duties and other tasks, as long as they worked hard and smart, it is enough.

It has to be enough. No environment is ever going to be 100 percent secure. Security professionals and security cynics can all agree to that statement. But, when you look at it from the other end, no environment is zero percent secure either. Each operating system comes with some controls. So every environment starts a little bit “in the black.” As an organization starts adding personnel and controls they increase their security percentage. Finally, with the addition of security professionals and a well-rounded security approach, an organization sees its greatest jump towards the unobtainable 100 percent secure goal. Just doing things to move towards that endpoint is enough. And I think that sometimes organizations and managers forget that aspect of the big picture.

So, when you get back in the office next week, take a look around. Look at the accomplishments of your team members. Take note of these accomplishments and provide the appropriate praise to the situation. Let them know that their efforts are enough and that because of their actions the overall environment is more secure. Then look at the other individuals in your organization. Look at the system administrators, the desktop support personnel, the help desk operators, and everybody else. Look at their actions and point out their accomplishments as well. Let them know that they are helping secure the environment and that their actions are enough.

If you do this, you are doing enough and you are speeding up your progress towards that unobtainable goal.

Go forth and do good things,

Don C. Weber


Mitigating ICMP

July 7th, 2007 cutaway Posted in Helpful 2 Comments » 988 views

For the past week I have been re-involving myself in the Security Catalyst Community. While wading through some of the posts I had yet to read I came across one titled ICMP Tunneling by Donald Tabone. I decided to do some quick research and post a response. After reading it Andy Willingham suggested I post it here. So here it goes.

Donald’s question:

Hi All,

There has been an impending problem with MS ISA server that I have trouble defending against: ICMP tunneling which doesn’t seem to be stopped (firewalled). To my understanding it can be used for remote access and denial of service attack tools which use ICMP to establish covert communication channels.

Question is: What is the best approach to protect against something like what is described in the article quoted below using ISA Firewall?
http://nulldigital.net/articles/stealinginternet.pdf

Thanks,
D.

My response:

Your best bet is to determine your ICMP requirements, determine how you can limit ICMP within your organization, create policies that specifically state what ICMP is permitted and not permitted, and then implement protection and detection in your countermeasures (routers, layer 3 switches, firewalls, and IDS/IPS).

Rational Security http://rationalsecurity.typepad.com/blog/2006/08/icmp_internet_c.html said people who do not limit ICMP “officially belong to the LBNaSOAC (Lazy Bastard Network and Security Operators and Administrators Consortium.)”. They then pointed to an article that briefly explains ICMP Attacks http://javvin.com/networksecurity/ICMPAttacks.html.

Your ISA should not be your first line of defense to the Internet. You should have countermeasures in place between the “wild” and this application firewall. Use those countermeasures to provide the protections the ISA firewall cannot and increase your defense in depth.

Go forth and do good things,
Cutaway

Policy is definitely the way to start. One thing I have thought of after posting this response is that I should have made it a little more clear about where ICMP should be in the policy. Although some organizations may have a specific ICMP policy, more than likely ICMP will be just one piece of the network or firewall policy. Certainly if you do not have any policies then you do not just want to start the time consuming process of whipping up a new policy before mitigating some of the risks involved with not locking down ICMP. Rather, come up with a solution (in this case for ICMP) and document how you have decided to handle it. Once you start working on your policies then you can use what you have documented as a starting point.
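A first-pass detection check for the kind of ICMP policy described above, as an added example that is not part of the original post or the thread it quotes. Once the policy says which ICMP is permitted, the detection side needs something concrete to alert on; two cheap, widely used heuristics for tunneling are echo requests carrying unusually large payloads and a single source sending far more echo requests than a normal ping would. The script scans `tcpdump -nn icmp` style lines (the sample below is constructed, not a real capture; the addresses are documentation ranges) and reports each source that breaks either limit. MAX_LEN and MAX_PER_SRC are illustrative assumptions to be tuned against your own baseline, and the awk field positions assume the tcpdump line format shown.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes awk, sort and tcpdump-style input.
set -eu

MAX_LEN=${MAX_LEN:-128}        # a stock ping is 64 bytes; much larger echo payloads deserve a look
MAX_PER_SRC=${MAX_PER_SRC:-5}  # echo requests per source allowed in the scanned window

# Constructed sample in `tcpdump -nn icmp` format (not real captures).
SAMPLE='12:00:01.000 IP 10.0.0.5 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64
12:00:01.200 IP 10.0.0.5 > 198.51.100.7: ICMP echo request, id 1, seq 2, length 64
12:00:02.000 IP 10.0.0.9 > 198.51.100.7: ICMP echo request, id 7, seq 1, length 1400
12:00:02.100 IP 10.0.0.9 > 198.51.100.7: ICMP echo request, id 7, seq 2, length 1400
12:00:03.000 IP 10.0.0.12 > 198.51.100.7: ICMP echo request, id 3, seq 1, length 64
12:00:03.010 IP 10.0.0.12 > 198.51.100.7: ICMP echo request, id 3, seq 2, length 64
12:00:03.020 IP 10.0.0.12 > 198.51.100.7: ICMP echo request, id 3, seq 3, length 64
12:00:03.030 IP 10.0.0.12 > 198.51.100.7: ICMP echo request, id 3, seq 4, length 64
12:00:03.040 IP 10.0.0.12 > 198.51.100.7: ICMP echo request, id 3, seq 5, length 64
12:00:03.050 IP 10.0.0.12 > 198.51.100.7: ICMP echo request, id 3, seq 6, length 64
12:00:04.000 IP 198.51.100.7 > 10.0.0.5: ICMP echo reply, id 1, seq 1, length 64'

# Reads tcpdump lines on stdin; prints "<src> <reason>" once per source and reason, sorted.
# Field 3 is the source address, the last field is the IP payload length.
icmp_policy_check() {
  awk -v maxlen="$MAX_LEN" -v maxn="$MAX_PER_SRC" '
    /ICMP echo request/ {
      src = $3
      len = $NF + 0
      count[src]++
      if (len > maxlen) big[src] = 1
    }
    END {
      for (s in big) print s, "oversized-echo"
      for (s in count) if (count[s] > maxn) print s, "echo-rate-exceeded"
    }' | sort
}

# Wrapper that runs the check over the constructed sample.
check_sample() { printf '%s\n' "$SAMPLE" | icmp_policy_check; }
```

Against the sample, 10.0.0.9 is reported for oversized echo payloads and 10.0.0.12 for exceeding the per-source rate, while 10.0.0.5 and the reply traffic pass. Feed real data with `tcpdump -nn -l icmp | icmp_policy_check` on a sensor, and treat a hit as a prompt to compare against the documented ICMP policy rather than as proof of tunneling: large pings and bursts also come from monitoring tools and path MTU probes.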

Go forth and do good things,
Cutaway


Why Does Microsoft Ignore Centralized Logging

July 5th, 2007 cutaway Posted in Helpful 1 Comment » 935 views

Okay, Windows NT has been out since 1993. Windows NT4 has been out since 1996. And to this date the developers at Microsoft have not provided administrators a way to automatically centralize their logs. Windows 2000 does not do it. Neither does XP, 2003, or Vista.

Why is this? As far as I know UNIX and LINUX have had this capability since their inception or at least near to it. But for now Windows administrators have to utilize third party applications to provide this capability and some people are reluctant to push them into production environments (See the thread on this subject, started by Anton Chuvakin, at the Security Catalyst Community).

Log monitoring is one of the key aspects of maintaining a working and secure environment. Centralizing logs allows administrators to quickly review events on their systems and networks while providing them with the ability to correlate those events with other log entries. Certainly there is always going to be robust alternatives that give the administrators extended capabilities. But I am amazed that Microsoft has yet to provide some type of simple, default, solution to administrators of their servers and workstations. I believe that it would go a long way to helping businesses and schools who cannot afford to purchase or implement third party solutions.

UPDATE: Thank you to Andrew Hay for pointing out some additional information on this via the thread in the Security Catalyst Community and on his blog.

The loganalysis mailing list had a rather lengthy thread on this topic: http://www.loganalysis.org/pipermail/loganalysis/2007-July/000254.html where Eric Fitzgerald from Microsoft explained the reasons for not having a native logging method.

Anton blogged about it here: http://chuvakin.blogspot.com/2007/07/why-there-is-no-syslog-in-windows.html
As did I: http://www.andrewhay.ca/archives/158

The thread was killed by the moderator before it got out of hand :)

Indeed, I should have Googled “why is there no windows syslog” as Anton’s blog post comes up first. Thanks again to Andrew and Anton. As I am writing this, however, I see that both of these posts happened on the same day as mine. So, I don’t feel so bad. They just beat me to the punch. :D

And, of course, I appear to be mistaken about Vista not being able to forward events as it does have this feature through the Event Viewer Tool according to the reference Anton points us all to. This feature would permit you to consolidate your Windows logs. Unfortunately it is not currently compatible with Syslog. But why would they want to support a standard built for Unix, or rather BSD, anyway? Sure would have been nice of them if they had, though.

Go forth and do good things,
Cutaway


Grad Students, Building Insecurity?

July 3rd, 2007 cutaway Posted in Helpful No Comments » 1,567 views

One of the problems facing many universities is the use of their graduate students as developers and administrators within their departments. Although many students are very capable individuals they are often people who have limited or no experience in business environments. But, because the students are providing services for people who have limited experience with technology they are the duty expert. Now combine this situation with sensitive information. Are you scared yet?

Unfortunately it is hard to blame the people directly involved for this situation. The people utilizing the grad students do so because they have to. There is little money or the university wants to ensure that their students are given some real world experience. The grad students are just trying to expose themselves to as many experiences as possible before they move on to a higher paying job with benefits and vacation time.

Who is to blame then? Well, the people that permit this to happen, of course. There are several layers to look at when looking for responsible parties. You can blame the grad student’s professors for not closely monitoring the progress or accomplishments of their students. You can blame the grad student’s college for not instituting programs that utilize a software/system development life cycle with a detailed code review (after all this is what most people would experience at a programming company). You can blame the administrators responsible for the protection of the sensitive data for allowing access to the information. Or you can blame the administration for not having policies and guidelines in place to address all of these issues.

Really, the college environment is not usually built to facilitate any of these activities. Most universities have developed departments that operate in SILOs. Each separated from the others in duties as well as technology implementation. Often times these departments have learned to fend for themselves because of money and man-power. The man-power issue leads to overloading personnel with important duties, especially the capable and willing individuals.

One goal of a university security officer should be to pull the SILOs closer together. The more departments support each other the more information they can share. The closer each department works together the more likely they will be able to devote man-hours to ensure the grad students have proper monitoring and encouragement.

Go forth and do good things,
Cutaway


Vendor Security Protections Need Your Assistance

June 28th, 2007 cutaway Posted in Helpful No Comments » 1,158 views

CGISecurity recently pointed out that a Russian company has released a password recovery program tool for Intuit Quicken files. This information helps show the importance of protecting sensitive information within your environment. For home users “within your environment” means on your personal computer(s), portable computing devices, and storage devices. You can definitely benefit from using some of the same tools and methods I listed in a recent post to protect your financial files such as those utilized by Quicken, Microsoft Money, and any other money management tool. You should also be using these methods to protect your digital bank and stock statements, wills, and any other highly sensitive information.

So, where is the breakdown in the protections (other than this stated vulnerability) provided by Intuit Quicken’s password protection capabilities? Well, it is not really providing defense in depth. Sure, the files are not readable if you do not have the password, but people are still aware of what software the files are used with because of their file extension. In addition to the password protections supplied by the manufacturer the files should also be encrypted so that their intent is not readily identifiable to casual inspection.  Good practice would be to ensure that both of these safeguards utilize different passwords or passphrases.

By utilizing the password protection and encryption technologies an attacker is forced to defeat two mechanisms or find another way to attack.  If the file password and encryption protections are employed, attackers are better off trying to subvert the overall operating system so that they can gather the information in these files by either installing a key logger to steal the passwords as they are typed or by visual monitoring via some type of virtual network console. Countermeasures for these types of attacks delve into the system hardening arena and users need to increase their defense in depth by utilizing operating system configuration considerations, network and host based firewalls, anti-malware software, and good email and web surfing practices.

Go forth and do good things,
Cutaway



Ninja Dis…..What?

June 22nd, 2007 cutaway Posted in Helpful 2 Comments » 975 views

I recently received an email from Sunbelt Software about their new product “Ninja Disclaimers.”  This is definitely a marketing gimmick blown way out of proportion.  I don’t think that ninjas really care whether an email or any other type of communication has a disclaimer on it.

All ninja technique information transmitted is intended only for the ninja to whom it is addressed and may contain confidential material. All death threats or mocking of soon to be realized death experiences are intended only for the intended victim. Review or other use of this information by persons other than the intended ninja or victim is prohibited. If you’ve received this in error, please contact the sending ninja so that you can be added to the list. Do not worry about deleting this message from any computer as this message will self destruct immediately.

Of course, combining the ninja and victim response message is apparently not necessary because the ninja stealth technology provided by Sunbelt’s software should be able to recognize the syntax differences between messages going to other ninjas and messages going to ninja victims. I am not sure, however, if this will sign ninja signatures properly as I suspect ninjas use multiple identities and the algorithm involved in this type of detection might just be too much for a product that only costs $100.

This is just taking ninja terminology too far and it is a shame.

I am also a bit skeptical as to the legality of these disclaimers. Are they really worth the bits they consume on the network? Has anybody been charged, fined, or sentenced for reading an email that was not addressed to them and had a disclaimer attached? Would they have gotten away with it if the disclaimer was not attached? Please leave a comment and let me know whether these are worth it.

Go forth and do good things,
Cutaway



Considerations for Sensitive Information Protections

June 21st, 2007 cutaway Posted in Helpful 1 Comment » 1,800 views

University practices concerning the distribution and control of sensitive information located on university and personally owned information resources are forcing most of the faculty and staff at these universities to analyze how they are collecting, receiving, accessing, storing, sending, and destroying sensitive information related to their students, faculty, staff, and business partners.  Although each university can provide guidance to individuals on how to properly interact with sensitive information, it is ultimately up to each university employee to proactively protect the information people have entrusted into their care.  To that end, as a team, each university needs to start reviewing their processes for collecting, receiving, storing, sending and destroying sensitive information.

All university employees, including staff, tenured and non-tenured faculty, graduate assistants, student workers, interns, guests, volunteers, and probationary, temporary, or wage employees, should be required to immediately review every university computer, mobile device, and removable storage device or medium they have been assigned responsibility for maintaining for any file that contains sensitive personal information.  Individuals who have been permitted to use personal resources to conduct university business should be required to check those resources as well.  Sensitive personal information includes a person’s full or partial name in conjunction with other information such as a complete or partial Social Security Number, date of birth, driver’s license or government-issued identification number, or any financial information such as credit card or bank account numbers.  Perhaps the best method for locating Social Security and credit card numbers on Windows, Linux, Unix, and OS X is the Spider program developed by security administrators at Cornell University.  Before conducting any search for sensitive information, each employee using this program should be instructed to read the Spider documentation: like any pattern-based scanner, it is known to produce both false positives (numbers that merely look like an SSN or card number) and false negatives (real data stored in a format, encoding, or container the scanner does not inspect), so its output must be reviewed by a person rather than acted on blindly.
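The kind of check a scanner like Spider has to make, shown here as an added example that is not part of the original post and is not Cornell’s code: a small Python scanner run over a constructed sample record. Loose patterns alone over-match (any nine digits in SSN shape, any run of 13 to 19 digits), so the scanner applies the Social Security Administration’s structural rules and the Luhn checksum to discard candidates that cannot be real. The sample text, file names, and the decision to read files as plain text are assumptions for illustration.

```python
"""Locate likely US Social Security and payment-card numbers in text.

Added illustration, not code from the original post and not Cornell's
Spider. Loose regexes find candidates the way a naive grep would; the
structural checks then discard the ones that cannot be real, which is
where most false positives come from.
"""
import os
import re
from typing import Dict, Iterator, List, Tuple

# Candidate patterns, deliberately loose: SSN shape with optional
# separators, and any 13-19 digit run with optional single separators.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) checksum that every payment-card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Structural rules for SSNs the SSA never issues.

    Areas 000, 666 and 900-999 are never assigned; group 00 and serial
    0000 are never issued.
    """
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> List[str]:
    """Return SSN-shaped matches that pass the structural rules."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if ssn_ok(*m.groups())]


def find_cards(text: str) -> List[str]:
    """Return 13-19 digit runs whose digits satisfy the Luhn checksum."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(m.group(0))
    return hits


def scan_text(text: str) -> Dict[str, List[str]]:
    """Scan one blob of text; keys are 'ssn' and 'card'."""
    return {"ssn": find_ssns(text), "card": find_cards(text)}


def scan_tree(root: str) -> Iterator[Tuple[str, Dict[str, List[str]]]]:
    """Walk a directory and yield (path, findings) for files with hits.

    Files are read as text with undecodable bytes replaced, so binary,
    compressed and encrypted files are effectively skipped: a real
    scanner must unpack those, which is one source of false negatives.
    """
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    found = scan_text(fh.read())
            except OSError:
                continue
            if found["ssn"] or found["card"]:
                yield path, found


# Constructed sample record; none of these are real identifiers.
SAMPLE_TEXT = """\
Student record (constructed sample)
SSN: 219-09-9999
Form ID: 000-12-3456
Legacy key: 666-01-0001
Visa on file: 4111 1111 1111 1111
Ticket number: 1234 5678 9012 3456
"""

if __name__ == "__main__":
    for kind, hits in scan_text(SAMPLE_TEXT).items():
        print(kind, hits)
```

On the sample, only `219-09-9999` and the Luhn-valid test card `4111 1111 1111 1111` survive; the two SSN-shaped strings with unassigned areas and the 16-digit ticket number that fails Luhn are dropped. The same filters are why real data can be missed: an SSN typed with dots, a card number split across two cells of a spreadsheet, or anything inside a zip file never reaches the checks, which is the false-negative side the Spider documentation warns about.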

Once located, sensitive information should NOT be immediately deleted.  Individuals who locate sensitive information will need to identify whether there is a specific business need to keep the information on that resource.  Any information determined to be unnecessary should be deleted using a secure deletion tool such as SDelete, Eraser, or Wipe (OS X does not do this automatically; use Secure Empty Trash in the Finder or the srm command from the shell).  Bear in mind that overwriting a file removes only that copy: the same data may survive in backups, file-system journals, or temporary files, so deletion does not substitute for finding out how the information got there.  Individuals who identify files containing sensitive information that is necessary to complete a specific business function should immediately notify their supervisor for review, clarification, and instructions on how to protect the information.  Most likely the chosen method will involve one of the following tools: TrueCrypt, GnuPG, WinZip (using its AES encryption, not the legacy Zip 2.0 password), or FileVault.  Each university employee should be required to complete and sign a formal document certifying that he or she has removed all unnecessary sensitive data and understands all state laws and regulations and university policies and procedures associated with the security of sensitive information.

University departments should be required to maintain a list of all information resources, including any type of database, that contain sensitive information, together with the individuals who are directly responsible for securing and controlling access to each resource and the information it contains.  Departments should be required to review how they collect and store sensitive information via paper forms.  During the review of paper forms, methods and techniques for removing fields associated with an individual’s Social Security number from these forms should be considered.  University departments should be held responsible for ensuring that each of their employees completes university policy, security awareness, and FERPA training courses.
 
The administrators of each university should do their best to assist their fellow employees in all of these efforts.  The information technology departments should develop step-by-step guidelines to assist departments and individuals in the identification, deletion, and secure storage of sensitive information.  Links to these guidelines should be distributed through the university’s notification mechanism.  University policies associated with the use of university information resources should be published in an easy-to-locate section of the university’s web site.

Certainly these actions may seem a bit confusing to the average university employee and may prove to be initially time consuming.  But the end result of providing proper protection for an individual’s sensitive information will ensure that each university can focus future activities on the normal services they provide to their students, faculty, and staff.  Providing a safe and protective working environment for university students and employees has always been a top priority of every university.  I assure you that the combination of all of these actions will ensure you and your university successfully move down the path of protecting your sensitive information.

Go forth and do good things,
Cutaway
