Security Ripcord


Mitigating ICMP

July 7th, 2007 cutaway Posted in Helpful 2 Comments »

For the past week I have been re-involving myself in the Security Catalyst Community. While wading through some of the posts I had yet to read I came across one titled ICMP Tunneling by Donald Tabone. I decided to do some quick research and post a response. After reading it Andy Willingham suggested I post it here. So here it goes.

Donald’s question:

Hi All,

There has been an impending problem with MS ISA server that I have trouble defending against: ICMP tunneling which doesn’t seem to be stopped (firewalled). To my understanding it can be used for remote access and denial of service attack tools which use ICMP to establish covert communication channels.

Question is: What is the best approach to protect against something like what is described in the article quoted below using ISA Firewall?
http://nulldigital.net/articles/stealinginternet.pdf

Thanks,
D.

My response:

Your best bet is to determine your ICMP requirements, determine how you can limit ICMP within your organization, create policies that specifically state what ICMP is permitted and not permitted, and then implement protection and detection in your countermeasures (routers, layer 3 switches, firewalls, and IDS/IPS).

Rational Security http://rationalsecurity.typepad.com/blog/2006/08/icmp_internet_c.html said people who do not limit ICMP “officially belong to the LBNaSOAC (Lazy Bastard Network and Security Operators and Administrators Consortium.)”. They then pointed to an article that briefly explains ICMP Attacks http://javvin.com/networksecurity/ICMPAttacks.html.

Your ISA should not be your first line of defense to the Internet. You should have countermeasures in place between the “wild” and this application firewall. Use those countermeasures to provide the protections the ISA firewall cannot and increase your defense in depth.

Go forth and do good things,
Cutaway

Policy is definitely the way to start. One thing I realized after posting this response is that I should have been clearer about where ICMP belongs in the policy. Although some organizations may have a specific ICMP policy, more likely ICMP will be just one piece of the network or firewall policy. Certainly if you do not have any policies yet, you do not want to start the time-consuming process of writing one before mitigating some of the risks of not locking down ICMP. Rather, come up with a solution (in this case for ICMP) and document how you have decided to handle it. Once you start working on your policies you can use that documentation as a starting point.
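To make the “determine, limit, detect” advice concrete, here is a small example I am adding to this post (it is not from Donald’s thread, the linked article, or any ISA documentation). It assumes a policy that only lets echo replies, destination unreachable and time exceeded in from the Internet, and runs two simple tunnel heuristics over constructed packets: a payload larger than a real ping would send, and a payload that does not look like what ping puts there. The thresholds, host addresses and the traffic itself are made up for the example.

```python
import hashlib
import struct
from collections import Counter, defaultdict

# Policy values are assumptions for this example; derive yours from your own ICMP requirements.
# Inbound from the Internet we permit echo reply (0), destination unreachable (3, needed for
# path MTU discovery) and time exceeded (11, needed for traceroute). Everything else is dropped.
ALLOWED_INBOUND_TYPES = {0, 3, 11}
ECHO_REPLY, ECHO_REQUEST = 0, 8
MAX_PING_PAYLOAD = 64          # Windows ping sends 32 data bytes, most Unix pings 56
TUNNEL_BYTES_THRESHOLD = 4096  # echo payload bytes per host in the sample before alerting
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"   # the 32-byte Windows ping pattern


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(type_: int, code: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP message with a correct checksum (used here only to construct sample traffic)."""
    header = struct.pack("!BBHHH", type_, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", type_, code, csum, ident, seq) + payload


def parse_icmp(msg: bytes) -> dict:
    type_, code, _, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": type_, "code": code, "ident": ident, "seq": seq,
            "payload": msg[8:], "checksum_ok": icmp_checksum(msg) == 0}


def looks_like_ping_data(payload: bytes) -> bool:
    """Heuristic: the Windows pattern, or a Unix-style payload (8- or 16-byte timestamp followed
    by bytes that count up by one). Anything else is treated as data that ping did not put there."""
    if payload == WINDOWS_PING_DATA:
        return True
    for ts_len in (8, 16):
        tail = payload[ts_len:]
        if len(tail) >= 8 and all((tail[i] + 1) & 0xFF == tail[i + 1] for i in range(len(tail) - 1)):
            return True
    return False


def classify(msg: bytes, inbound: bool) -> list:
    """Policy and heuristic findings for one ICMP message."""
    pkt = parse_icmp(msg)
    findings = []
    if not pkt["checksum_ok"]:
        findings.append("bad_checksum")
    if inbound and pkt["type"] not in ALLOWED_INBOUND_TYPES:
        findings.append("type_not_permitted")
    if pkt["type"] in (ECHO_REQUEST, ECHO_REPLY):
        if len(pkt["payload"]) > MAX_PING_PAYLOAD:
            findings.append("oversized_payload")
        if not looks_like_ping_data(pkt["payload"]):
            findings.append("nonstandard_payload")
    return findings


def tunnel_report(traffic) -> dict:
    """Aggregate (internal_host, inbound, msg) tuples per internal host."""
    report = defaultdict(lambda: {"packets": 0, "echo_payload_bytes": 0, "findings": Counter()})
    for host, inbound, msg in traffic:
        pkt = parse_icmp(msg)
        entry = report[host]
        entry["packets"] += 1
        if pkt["type"] in (ECHO_REQUEST, ECHO_REPLY):
            entry["echo_payload_bytes"] += len(pkt["payload"])
        entry["findings"].update(classify(msg, inbound))
    return dict(report)


def suspicious_hosts(report: dict) -> set:
    """Hosts moving a lot of non-ping-looking data inside echo messages the firewall permits."""
    return {host for host, e in report.items()
            if e["findings"]["nonstandard_payload"] and e["echo_payload_bytes"] >= TUNNEL_BYTES_THRESHOLD}


def sample_traffic() -> list:
    """Constructed sample: one normal ping exchange and one tunnel hidden in echo request/reply pairs."""
    traffic = []
    for seq in range(1, 4):   # 10.0.0.5 pings an Internet host with a stock Windows ping
        traffic.append(("10.0.0.5", False, build_icmp(ECHO_REQUEST, 0, 1, seq, WINDOWS_PING_DATA)))
        traffic.append(("10.0.0.5", True, build_icmp(ECHO_REPLY, 0, 1, seq, WINDOWS_PING_DATA)))
    for seq in range(1, 7):   # 10.0.0.7 moves 1400-byte pseudo-random chunks in each direction
        chunk = (hashlib.sha512(b"chunk%d" % seq).digest() * 22)[:1400]
        traffic.append(("10.0.0.7", False, build_icmp(ECHO_REQUEST, 0, 2, seq, chunk)))
        traffic.append(("10.0.0.7", True, build_icmp(ECHO_REPLY, 0, 2, seq, chunk)))
    return traffic


if __name__ == "__main__":
    report = tunnel_report(sample_traffic())
    for host, entry in report.items():
        print(host, entry["packets"], entry["echo_payload_bytes"], dict(entry["findings"]))
    print("suspicious:", suspicious_hosts(report))
```

The thing to notice is that the second host’s traffic is entirely echo requests and replies, exactly the types the policy permits, so the firewall rule on its own never sees a problem; only the size, pattern and volume checks do. That is why the IDS/IPS belongs on the list alongside the router and firewall. Tune MAX_PING_PAYLOAD and TUNNEL_BYTES_THRESHOLD to what your own hosts actually send before trusting the output.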

Go forth and do good things,
Cutaway


Why Does Microsoft Ignore Centralized Logging

July 5th, 2007 cutaway Posted in Helpful 1 Comment »

Okay, Windows NT has been out since 1993. Windows NT4 has been out since 1996. And to this date the developers at Microsoft have not provided administrators a way to automatically centralize their logs. Windows 2000 does not do it. Neither does XP, 2003, or Vista.

Why is this? As far as I know, Unix and Linux have had this capability, via syslog, since their inception or at least near to it. But for now Windows administrators have to use third-party applications to provide this capability, and some people are reluctant to push them into production environments (see the thread on this subject, started by Anton Chuvakin, at the Security Catalyst Community).

Log monitoring is one of the key aspects of maintaining a working and secure environment. Centralizing logs allows administrators to quickly review events on their systems and networks while giving them the ability to correlate those events with entries from other hosts. Certainly there are always going to be robust alternatives that give administrators extended capabilities. But I am amazed that Microsoft has yet to provide some type of simple, default solution to administrators of their servers and workstations. I believe that it would go a long way toward helping businesses and schools that cannot afford to purchase or implement third-party solutions.

UPDATE: Thank you to Andrew Hay for pointing out some additional information on this via the thread in the Security Catalyst Community and on his blog.

The loganalysis mailing list had a rather lengthy thread on this topic: http://www.loganalysis.org/pipermail/loganalysis/2007-July/000254.html where Eric Fitzgerald from Microsoft explained the reasons for not having a native logging method.

Anton blogged about it here: http://chuvakin.blogspot.com/2007/07/why-there-is-no-syslog-in-windows.html
As did I: http://www.andrewhay.ca/archives/158

The thread was killed by the moderator before it got out of hand :)

Indeed, I should have Googled “why is there no windows syslog” as Anton’s blog post comes up first. Thanks again to Andrew and Anton. As I am writing this, however, I see that both of these posts happened on the same day as mine. So, I don’t feel so bad. They just beat me to the punch. :D

And, of course, I appear to be mistaken about Vista not being able to forward events: it does have this feature, through event subscriptions in the Event Viewer tool, according to the reference Anton points us all to. This feature would permit you to consolidate your Windows logs. Unfortunately it is not currently compatible with syslog. But why would they want to support a standard built for Unix, or rather BSD, anyway? Sure would have been nice of them if they had, though.
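Here is an added example of the correlation point (my code, not Microsoft’s and not anything from the thread). It normalizes a handful of constructed Windows 2000/2003 Security events and Linux sshd syslog lines into one schema and shows a password spray that no single host would alert on: each host sees only two failures from the source, but the central view sees six across three hosts, followed by a success. Host names, addresses and thresholds are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events as (host, time, event id, message). Event 529 is a logon
# failure and 528 a successful logon on Windows 2000/2003 (Vista renumbered them 4625/4624).
WINDOWS_EVENTS = [
    ("FS01", "2007-07-05 09:14:02", 529, "Logon Failure: User Name: jsmith Source Network Address: 203.0.113.5"),
    ("FS01", "2007-07-05 09:14:09", 529, "Logon Failure: User Name: mjones Source Network Address: 203.0.113.5"),
    ("DC01", "2007-07-05 09:15:31", 529, "Logon Failure: User Name: jsmith Source Network Address: 203.0.113.5"),
    ("DC01", "2007-07-05 09:15:40", 529, "Logon Failure: User Name: admin Source Network Address: 203.0.113.5"),
    ("FS01", "2007-07-05 09:20:12", 529, "Logon Failure: User Name: bwong Source Network Address: 10.0.0.22"),
    ("FS01", "2007-07-05 09:22:03", 528, "Successful Logon: User Name: mjones Source Network Address: 203.0.113.5"),
]
# Constructed syslog lines from a Linux host; note that BSD syslog carries no year.
SYSLOG_LINES = [
    "Jul  5 09:17:05 web01 sshd[2201]: Failed password for jsmith from 203.0.113.5 port 40122 ssh2",
    "Jul  5 09:17:12 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2",
]

WIN_RE = re.compile(r"User Name:\s*(\S+)\s+Source Network Address:\s*(\S+)")
SSH_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password for "
                    r"(?:invalid user )?(\S+) from (\S+)")


def parse_windows(host, when, event_id, message) -> dict:
    user, src = WIN_RE.search(message).groups()
    return {"time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), "host": host, "user": user,
            "src": src, "outcome": "success" if event_id == 528 else "failure"}


def parse_syslog(line, year) -> dict:
    mon, day, clock, host, verdict, user, src = SSH_RE.match(line).groups()
    when = datetime.strptime("%s %s %s %d" % (mon, day, clock, year), "%b %d %H:%M:%S %Y")
    return {"time": when, "host": host, "user": user, "src": src,
            "outcome": "success" if verdict == "Accepted" else "failure"}


def collect(windows_events, syslog_lines, year) -> list:
    """The central view: every host's events in one schema, ordered by time."""
    events = [parse_windows(*e) for e in windows_events] + [parse_syslog(l, year) for l in syslog_lines]
    return sorted(events, key=lambda e: e["time"])


def per_host_alerts(events, threshold=3) -> set:
    """What each host could raise on its own: (host, src) pairs with at least `threshold` failures."""
    counts = defaultdict(int)
    for e in events:
        if e["outcome"] == "failure":
            counts[(e["host"], e["src"])] += 1
    return {key for key, n in counts.items() if n >= threshold}


def central_alerts(events, window=timedelta(minutes=10), min_hosts=3, min_failures=5) -> dict:
    """What only the combined log can raise: one source failing across several hosts inside
    the window, and whether that source then got in somewhere."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["outcome"] == "failure"]
        if len(failures) < min_failures:
            continue
        hosts = {e["host"] for e in failures}
        if len(hosts) < min_hosts or failures[-1]["time"] - failures[0]["time"] > window:
            continue
        first = failures[0]["time"]
        alerts[src] = {"hosts": hosts, "failures": len(failures),
                       "success_after": any(e["outcome"] == "success" and e["time"] > first for e in evs)}
    return alerts


if __name__ == "__main__":
    events = collect(WINDOWS_EVENTS, SYSLOG_LINES, 2007)
    print("per-host alerts:", per_host_alerts(events))
    print("central alerts:", central_alerts(events))
```

The per-host view returns nothing; the central view flags 203.0.113.5 hitting FS01, DC01 and web01 and then logging in as mjones. The year parameter exists because syslog lines carry none, one of the small format gaps a central collector has to paper over, and the Windows event IDs change between 2003 and Vista, which is another.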

Go forth and do good things,
Cutaway


Grad Students, Building Insecurity?

July 3rd, 2007 cutaway Posted in Helpful No Comments »

One of the problems facing many universities is the use of their graduate students as developers and administrators within their departments. Although many students are very capable individuals, they often have limited or no experience in business environments. But because the students are providing services for people who have limited experience with technology, they become the de facto experts. Now combine this situation with sensitive information. Are you scared yet?

Unfortunately it is hard to blame the people directly involved for this situation. The people utilizing the grad students do so because they have to: either there is little money, or the university wants to ensure that its students get some real-world experience. The grad students are just trying to expose themselves to as many experiences as possible before they move on to a higher paying job with benefits and vacation time.

Who is to blame then? Well, the people that permit this to happen, of course. There are several layers to look at when looking for responsible parties. You can blame the grad student’s professors for not closely monitoring the progress or accomplishments of their students. You can blame the grad student’s college for not instituting programs that use a software/system development life cycle with a detailed code review (after all, this is what most people would experience at a software company). You can blame the administrators responsible for the protection of the sensitive data for allowing access to the information. Or you can blame the administration for not having policies and guidelines in place to address all of these issues.

Really, the college environment is not usually built to facilitate any of these activities. Most universities have developed departments that operate in silos, each separated from the others in duties as well as technology implementation. Often these departments have learned to fend for themselves because of money and manpower. The manpower issue leads to overloading personnel with important duties, especially the capable and willing individuals.

One goal of a university security officer should be to pull the silos closer together. The more departments support each other, the more information they can share. The closer each department works with the others, the more likely they will be able to devote man-hours to ensuring the grad students have proper monitoring and encouragement.

Go forth and do good things,
Cutaway


Vendor Security Protections Need Your Assistance

June 28th, 2007 cutaway Posted in Helpful No Comments »

CGISecurity recently pointed out that a Russian company has released a password recovery tool for Intuit Quicken files. This helps show the importance of protecting sensitive information within your environment. For home users, “within your environment” means your personal computer(s), portable computing devices, and storage devices. You can definitely benefit from using some of the same tools and methods I listed in a recent post to protect your financial files, such as those used by Quicken, Microsoft Money, and any other money management tool. You should also be using these methods to protect your digital bank and stock statements, wills, and any other highly sensitive information.

So, where is the breakdown in the protections (beyond the password recovery tool itself) provided by Intuit Quicken’s password protection capabilities? Well, it is not really providing defense in depth. Sure, the files are not readable if you do not have the password, but people can still tell what software the files belong to because of their file extension. In addition to the password protection supplied by the manufacturer, the files should also be encrypted so that their purpose is not readily identifiable to casual inspection. Good practice would be to ensure that both of these safeguards use different passwords or passphrases.

By using both the password protection and encryption technologies, an attacker is forced to defeat two mechanisms or find another way in. If the file password and encryption protections are employed, attackers are better off trying to subvert the operating system so that they can gather the information in these files, either by installing a key logger to steal the passwords as they are typed or by watching the screen through some type of remote viewing software such as VNC. Countermeasures for these types of attacks fall into the system hardening arena, and users need to increase their defense in depth by utilizing operating system configuration considerations, network and host based firewalls, anti-malware software, and good email and web surfing practices.

Go forth and do good things,
Cutaway



Ninja Dis…..What?

June 22nd, 2007 cutaway Posted in Helpful 2 Comments »

I recently received an email from Sunbelt Software about their new product “Ninja Disclaimers.” This is definitely a marketing gimmick blown way out of proportion. I don’t think that ninjas really care whether an email or any other type of communication has a disclaimer on it.

All ninja technique information transmitted is intended only for the ninja to whom it is addressed and may contain confidential material. All death threats or mocking of soon to be realized death experiences are intended only for the intended victim. Review or other use of this information by persons other than the intended ninja or victim is prohibited. If you’ve received this in error, please contact the sending ninja so that you can be added to the list. Do not worry about deleting this message from any computer as this message will self destruct immediately.

Of course, combining the ninja and victim response message is apparently not necessary because the ninja stealth technology provided by Sunbelt’s software should be able to recognize the syntax differences between messages going to other ninjas and messages going to ninja victims. I am not sure, however, if this will sign ninja signatures properly as I suspect ninjas use multiple identities and the algorithm involved in this type of detection might just be too much for a product that only costs $100.

This is just taking ninja terminology too far and it is a shame.

I am also a bit skeptical as to the legal value of these disclaimers. Are they really worth the bits they consume on the network? Has anybody been charged, fined, or sentenced for reading an email that was not addressed to them and had a disclaimer attached? Would they have gotten away with it if the disclaimer was not attached? Please leave a comment and let me know whether these are worth it.

Go forth and do good things,
Cutaway



Considerations for Sensitive Information Protections

June 21st, 2007 cutaway Posted in Helpful 1 Comment »

University practices concerning the distribution and control of sensitive information located on university and personally owned information resources are forcing most of the faculty and staff at these universities to analyze how they are collecting, receiving, accessing, storing, sending, and destroying sensitive information related to their students, faculty, staff, and business partners.  Although each university can provide guidance to individuals on how to properly handle sensitive information, it is ultimately up to each university employee to proactively protect the information people have entrusted to their care.  To that end, as a team, each university needs to start reviewing its processes for collecting, receiving, storing, sending and destroying sensitive information.

All university employees, including staff, tenured and non-tenured faculty, graduate assistants, student workers, interns, guests, volunteers, and probationary, temporary, or wage employees, should be required to immediately review all university computers, mobile devices, and removable storage devices and media that they have been assigned responsibility to maintain for any file that contains sensitive personal information.  Individuals who have been permitted to use personal resources to conduct university business should be required to check those resources as well.  Sensitive personal information includes a person’s full or partial name in conjunction with other information such as complete or partial Social Security Numbers, date of birth, driver’s license or government-issued identification number, or any financial information such as credit card or bank account numbers.  Perhaps the best method for locating Social Security and credit card numbers on Windows, Linux, Unix, and OS X is the Spider program developed by security administrators at Cornell University.  Before conducting any search for sensitive information, each employee using this program should be instructed to read the Spider documentation, as this tool is known to produce both false positives and false negatives: a pattern match is not proof that a number is an SSN, and a clean scan is not proof that none are present.

Once located, sensitive information should NOT be immediately deleted.  Individuals who locate sensitive information will need to identify whether there is a specific business need to maintain the information on that resource.  Any information that has been determined to be unnecessary should be deleted using a secure deletion method such as SDelete, Eraser, or Wipe (OS X offers Secure Empty Trash in the Finder).  Individuals who identify files that contain sensitive information necessary to complete a specific business function should immediately notify their immediate supervisor for review, clarification, and instructions on how to protect the information.  Most likely one of the methods selected will involve one of the following tools:  TrueCrypt, GnuPG, WinZip, or FileVault.  Each university employee should be required to complete and sign a formal document which certifies he/she has removed all unnecessary sensitive data and validates that they understand all state laws and regulations and university policies and procedures associated with the security of sensitive information.
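Since the post recommends Spider and warns about its false positives, here is an added example (mine, not Cornell’s Spider) of what the validation behind such a tool looks like: a regular-expression pass for SSN and card-number shapes, then structural rules to throw out impossible SSNs and a Luhn check to throw out digit runs that are not card numbers. The sample text and directory walker are constructed for the example; the suffix list and the 2007-era SSN rules are assumptions you should adjust to your own data.

```python
import re
from pathlib import Path

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded in a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample file contents: one plausible SSN, four structurally impossible ones,
# two card numbers that pass Luhn, one that does not, and a 16-digit order number.
SAMPLE_TEXT = """\
Roster export (constructed sample, no real data)
Jane Doe, SSN 123-45-6789, paid with card 4111 1111 1111 1111
Bad rows: 000-12-3456, 666-12-3456, 987-65-4320, 123-00-4567
Typo on file: 4111 1111 1111 1112; order 1234567890123456 shipped
Backup card 5500 0000 0000 0004 on file
"""


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules for SSNs as issued in 2007 (before the 2011 randomization):
    area 000, 666 and 900-999 were never assigned, nor group 00 or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (kind, match) pairs that survive the validity checks, SSNs first."""
    hits = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", m.group(0)))
    return hits


def mask(value: str) -> str:
    """Keep only the last four digits so the scan report is not itself a sensitive file."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_tree(root, suffixes=(".txt", ".csv", ".log", ".xml", ".html")):
    """Walk a directory and yield (path, kind, masked value) for text-like files. Office, PDF
    and database files hold the same data in other encodings and need a format-aware extractor,
    which is one source of the false negatives the Spider documentation warns about."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue
            for kind, value in find_sensitive(text):
                yield str(path), kind, mask(value)


if __name__ == "__main__":
    for kind, value in find_sensitive(SAMPLE_TEXT):
        print(kind, mask(value))
```

On the sample, four of the five SSN-shaped strings and two of the four card-shaped strings are rejected, which is the difference between a report someone will act on and one they will ignore. The report masks everything but the last four digits, because a scan output full of SSNs is itself a file you would then have to locate and protect.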

University departments should be required to maintain a list of all information resources, including any type of database, that contain sensitive information and the individuals who are directly responsible for securing and controlling access to each resource and the information it contains.  Departments should be required to review how they collect and store sensitive information via paper forms.  During the review of paper forms, methods and techniques for removing fields associated with an individual’s Social Security number from these forms should be considered.  University departments should be held responsible for ensuring that each one of their employees completes university policy, security awareness, and FERPA training courses.
 
The administrators of each university should do their best to assist their fellow employees in all of these efforts.  The information technology departments should develop step by step guidelines to assist departments and individuals in the identification, deletion, and secure storage of sensitive information.  Links to these guidelines should be distributed through the university’s notification mechanism.  University policies associated with the utilization of university information resources should be published to an easy to locate section of the University’s web site.

Certainly these actions may seem a bit confusing to the average university employee and may prove to be initially time consuming.  But the end result of providing proper protection for an individual’s sensitive information will ensure that each university can focus future activities on the normal services they provide to their students, faculty, and staff.  Providing a safe and protective working environment for university students and employees has always been a top priority of every university.  I assure you that the combination of all of these actions will ensure you and your university successfully move down the path of protecting your sensitive information.

Go forth and do good things,
Cutaway



Dear Senator: Weather Satellites are Critical Assets

June 14th, 2007 cutaway Posted in Helpful No Comments »

I heard about a failing weather satellite on NPR, so I had to search out the story to confirm it. A quick Google led me to this quote from The Associated Press:

An aging weather satellite crucial to accurate predictions on the intensity and path of hurricanes could fail at any moment and plans to launch a replacement have been pushed back seven years to 2016.

Okay, just so the government is aware, the terms “crucial” and “fail” should not be used in the same sentence as “have been pushed back.”  I believe that there is even some precedent to be concerned about the “difference between a city being evacuated or not.”

As a person who lives along the Third Coast, I am very concerned about the accuracy of the information provided by these satellites.  I don’t like exposing my family, including two young boys, to the possibility of an 8 to 12 hour evacuation drive that might involve the possibility of being broken down in the middle of nowhere with limited resources and even less assistance from safety personnel who will be dealing with countless other issues.

Somebody needs to evaluate the methods that are used to identify the critical assets involved with protecting millions of lives and billions of dollars worth of assets.  Heck, I am not sure why the insurance companies allowed this to happen.  Wait a minute!! “Failure”…..”insurance”….didn’t anybody insure this asset so that if there was a critical malfunction we could speed up the implementation of a replacement?

Go forth and do good things,
Cutaway



The Indians Got The Small Business

June 2nd, 2007 cutaway Posted in Helpful No Comments »

If you are a fan of old western movies you will probably know what I am talking about.  Whenever the cowboys were fighting the Indians there was always a scene where the cowboys were on the run or moving to the next trading post.  Eventually one of the cowboys would fall behind to stare off into the distance, light a cigarette, or get a drink of water.  Invariably this cowboy was picked off by the trailing Indians, either by arrow, by bullet, or by someone jumping off a boulder to knock the cowboy from his horse.  Of course, this cowboy was never a big name in the movie and nobody really missed him when he was gone.

This scenario makes me think of small and medium sized businesses and their positions in the security hierarchy.   I very much doubt that we will ever be able to get all these businesses up to speed and create a security monoculture.  No, I don’t think this is the goal we are striving for but with time, effort, good standards, and supporting regulations we can get the larger companies in line or, at least, on the same sheet of music.  Unfortunately the small and medium sized businesses will always be the trailing cowboy who gets picked off.

Why do I think this?  Well, I have come to this conclusion through my own studies.  As I progress in the security industry I find myself striving to familiarize myself with as much of the basics as I can.  There is risk management, security plan development, assessments, system architecture, network and system hardening, application security, web application security, data classification and protection, training, etc.  Of course being a generalist or a “Jack of all trades” is just the way I am.  Although I am not trying to learn everything about everything, I have recently come to the realization of just how frackin’ big and complex this industry is.  Being responsible for a lot of this puts you into the position where you have to come to this realization.  And it is at this point that you realize that you need good people backing up your organization.  You need somebody who can manage how your organization is going to approach and address these issues.  That person will have to hire or train individuals to become familiar with, or even experts in, certain security aspects so that they can properly advise the manager.  These individuals will come together to form a security team capable of addressing most issues.

Why has this situation come about?  Well, this is the way that the attackers and criminals approach the situation.  Someone out there has a need or desire that can only be fulfilled by compromising information through physical or technological means.  Although they can do some of the work themselves, many situations that deal with technology quickly become very complex.  This is where they bring in experts.  These experts usually have a specialty like social engineering, web application cracking, network and system penetration, wireless exploitation, and more.  Certainly as these experts mature they branch out into other areas, but generally they start (as security researchers do) in one field that they master.

These malicious experts are the Indians and, as I have stated, the small and medium sized businesses are the stray cowboys.  These businesses do not have the resources (yes, generally) to acquire or train security experts with the expertise required to properly defend against all scenarios.  Eventually they will stop to watch the sun set, smoke a cigarette, or sneak a sip of whiskey.

Although this post might seem fairly defeatist in nature the point I am trying to make is that there are going to be casualties.  There are always going to be security breaches, stolen laptops, data leaks, and any number of other security related incidents.  The public has to come to this realization and take some additional responsibility for their own, personal, information.  They need to start questioning where their credit card is going and if their information is being stored in a database.  They have to start showing their concerns through their pocketbooks and only selecting companies with which they feel comfortable and safe.  This will force the small and medium sized businesses to start paying attention to the security industry and set a little time, effort, and even money aside to address some of the security concerns.  These businesses need to start asking questions about the software they are buying or having developed.  They need to ask for third party security assessments from their hosting companies.  They need to start being proactive instead of reactive.

Nobody has to be that trailing cowboy.  All it takes is a little extra effort to stay with the group.  Certainly there can still be attacks, but at least you will be more prepared and potentially in a defensible position.  Because if you do find yourself trailing, you are going to be picked off.  Although you might be missed for a little while, you will basically just become one more cowboy lying in the ditch while everybody else moves on.  And let’s face it, if you are going to get it, most of us are hoping that the Indian jumping off the boulder gets you.  It’s just the coolest way to get taken out.

Go forth and do good things,
Cutaway



Business Centric Security Professionals

June 1st, 2007 cutaway Posted in Helpful 1 Comment »

Security professionals are under constant pressure to create a security program that is both effective and efficient. They are often required to adhere to multiple regulatory requirements (which are, as we all know, basically just methods to ensure organizations adhere to the security basics) while controlling costs and fighting numerous and seemingly ongoing fires. Michael Farnum wrote a good article in his Computer World blog describing how security professionals should also remember that the basis for their existence is the actual business they are supporting. I followed it up with a comment about how security professionals need to start looking to products that perform security functions while also providing benefits to other parts of the organization.

As I was thinking about these topics I was reminded of an incident that occurred during RSA 2007. I was sitting in the back of Ed Skoudis’ class during his pre-conference tutorial. Ed talked about some of the work that he and his crew have done with IDS/IPS where they compared how several major vendors handled different types of traffic. He pointed out that some handled certain traffic better than others but that they all had strengths and weaknesses in different areas. A situation that most of us are already aware exists.

When he finished with that topic we took a quick break and a man in the back row turned to me and asked me a question. From speaking with him earlier I knew he was new to the security field and had basically been moved into the position by his company from an administrative position. He told me that he had just recommended going with TippingPoint and, on his recommendation, his company had spent a lot of money doing a full deployment within their organization. He asked me, referring to Ed’s examples, if he had made the right choice and how he should go about telling his executives that the option they went with might be flawed.

I had to explain to him about managing risk and that he was going to get weaknesses and problems with any solution. I reminded him that defense in depth should be their goal and that they should identify weaknesses in each one of their controls and decide how they are going to address them. I’m not sure if I helped his fears at all but it just goes to show that people do think (even today) that there is an end-all-be-all solution, the whole silver bullet concept. And, if it takes a while for somebody moving into security to figure out it will take even longer for executives to do the same. These types of situations and this type of thinking definitely has a direct impact on how business plans and decisions are made.

I think that the work Ed Skoudis, HD Moore, David Maynor, and other security researchers are doing help us identify products whose solutions have inherent, accidental, or misguided problems so that we can protect ourselves. But, unfortunately, their work does not instill the uninformed upper management with confidence in the security field. Actually, it probably has them all cussing under their breath. Of course this is where the security professional should be earning their keep by providing a buffer between the constant barrage of seemingly negative information and the actual state of the organization’s environment. I guess this is the point where people like Mike Rothman and Michael Santarcangelo step in to help security professionals learn how to provide this buffer so that the executives can go back to managing the other aspects of the business.

I know this post has jumped around a little bit. But the basic point I have been trying to make is that security professionals are a unique breed with a wide range of responsibilities. From developing and implementing security plans, to dealing with administrators, developers and vendors, to handling malicious intruders and vandals, to managing upper management, all while making sure the business flow does not stop or, at the very minimum, only experiences a slight hiccup. I think that NIST has established another good way to show how all of these skills tie together. They have recently released a job posting for their new Chief Cybersecurity Advisor. Although the job summary details their requirements, don’t forget to have a look at the Duties and Qualifications & Evaluations that they believe are appropriate for the person filling this position. They list some impressive requirements that many CSO/CISOs currently fulfill. With these types of requirements and responsibilities I, like many of you out there, find it hard to believe that CSO/CISOs are finding it hard to break into the executive meetings. This gets back to Michael Farnum’s original point about the necessity for security professionals to remember they are supporting the business operations. Until security professionals get a track record that shows we are business centric, we might just find ourselves hung out to dry for a while. And being left out of the loop will, eventually, have an adverse effect on our organizations.

Go forth and do good things,
Cutaway



Phrack back in business

May 30th, 2007 cutaway Posted in Helpful No Comments »

I was just taking a break and reviewing some of my feeds when I noticed the “Phrack is Back” post at CGISecurity.

Indeed, the new version of Phrack, Issue #64, is out. This online magazine is not for the faint of heart when it comes to technical writing. But if it is your thing or you want it to be you had better pay attention.

Phrack is back in business and we can only hope it is here to stay.

Go forth and do good things,
Cutaway
