Archive

Posts Tagged ‘security’

Security industry reacts to Oracle’s CSO missive | CSO Online

August 13, 2015 Leave a comment

Ever wonder where we will all be in 5 or 10 years? I would never had seen this coming – I mean this could be an example of professional hubris – read about how the chief security officer at Oracle thought it was time to tell it’s users to play nicely or ‘we will take our wagon away from you’.

This is just a glimpse of the next version of the end user license agreement (EULA) that we all just click on before using the software that it was written for. Judging from the industry reaction it could be a little ways off before a large company like oracle tries to flex it’s muscles but mark my words, reverse engineering software to find holes will likely lead us back to a time before open source. Companies should embrace the open architecture and provide a rich ‘bug bounty’ program if they do not have the talent inhouse to keep up with demand.

Read more on the article below and check out the archive of the post before it was pulled off the site.

http://www.csoonline.com/article/2970226/application-security/security-industry-reacts-to-oracles-cso-missive.html

Categories: General Tags:

The death of RC4 – here comes armageddon…

July 15, 2015 Leave a comment

The newest Java can cause some problems with your tools now that SSL is a thing of the past. Earlier this week some of the browser developers officially retired SSLv3 in favour of TLS and it has already started to cause issues. I recently upgraded to the newest Java this week only to find that my Cisco ASA interface no longer works. With Java 7 I had already added the website to the exception list in the security tab so my upgrade should have been relatively flawless as it has been throughout the 8 series of JRE. Unfortunately this was not the case…

I suspected that the self signed certificate that I created to manage the router through the Advanced Security Device Manager (ASDM) might be incompatible and as I reviewed it I see that it used SHA1 as the Signature algorithm. That should have only caused some issues if I was strictly using the browser to login but since I used the ASDM this was not the case…hmmm.

The problem was simpler than that – it seems that RC4-SHA1 was the only active algorithm being used for Configuration>Device Management>Advanced>SSL Settings on my router. Since the new Java update 1.8.51 no longer supports RC4 (Oracle and the rest of the community consider it to be weak and compromised since it can be brute forced now) you get an error when trying to connect to the ASDM if you are only using RC4. If I could add AES128-SHA1 to the list of algorithms used I would expect it to work but I cannot add it using the asdm (I got an error which is probably why I did not add it previously).

Adding the new algorithms must be done from the command line. Once I added a new cypher I was able to login again on my windows 8 machine after upgrading java. I hope this can help you resolve any issues you might have on other devices after upgrading your java runtime environment. I would encourage you to take this time to verify all of your existing web base https management portals. I suspect that we will all have a great deal of problems connecting to older systems. Its a good time to check if the vendor has a newer firmware that will support the changes (if the devices are still supported) and if not then it might be time to replace those old printers, Telco gateways, etc. Using an older device that only supports RC4 might represent risk to your organization if you have any shared username/passwords on those devices and the are breached.

Categories: General Tags:

Security Controls – Know ’em, Use ’em

June 8, 2015 Leave a comment

I wanted to create a post to share with our readers the SANs top 20 controls. These are a set of ‘good practices’ that are aligned with the National Institute of Standards and Technology (NIST) and should be adopted by any business in order to manage their computers and networks more effectively. I feel they are outlined in order of importance and I would like to begin with the most important (Number 1). A full list of the top 20 controls are available at http://www.sans.org/critical-security-controls/ I will try to detail several of them over the next few blog posts.

  • Inventory of Authorized and Unauthorized Devices

The need to have a complete and up to date inventory of what is on your network is crucial to knowing how to stop the bad guys from getting in. You can’t fix it if you don’t know its broken and the same holds true with networking. Just because you cannot see it doesn’t mean it can’t connect to your computers, servers, wireless. Anything that can connect to your wired network must be inventoried and if you use a wireless network you should REALLY inventory any system that is connected to it.

Use an automated asset discovery system to audit all of your devices or do it manually but you must do it. Audit your Dynamic IP configuration tools and consider network level authentication in the case of wireless. You can also consider using Private Key Infrastructure (PKI) to manage the authentication of devices if they support it in order to effectively manage access.

  • Inventory of Authorized and Unauthorized Software

Equally as important as knowing about all the devices connected to your network is knowing about all the software running on those devices. Attackers are scanning any device that is connected to your Internet connection starting with your router and any services that you expose to the public facing Internet. Port forwarding remote administration tools, web servers, even ports that you are not aware of so know all of the connection methods that your equipment uses and if you have wireless networks you need to inventory all software. A wireless network that is not separated from your wired (primary) network exposes ALL of your devices and the software running on those devices.

Use software that controls what applications are allowed to run (whitelisting). Use host based firewalls and remove unnecessary software and services that you do not know or need. Only deploy software tools from a known source and verify file integrity using hashes wherever possible.

  • Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

In their default configurations, most equipment manufacturers do not focus on safe and secured deployments. Why would they – they want the device to work in ANY situation. They leave the implementation of security to you, the purchaser. If you do not learn to modify configurations for your environment you are exposing yourself to attack not only from outside agents but from within as well (this is especially true with Wireless). Scripts that can be run (intentionally or otherwise) when a user visits a webpage will often include default credentials in order to catch the low hanging fruit. Adding your own configuration parameters can help mitigate those risks.

Utilize a standard build for new computer systems and store them offline if possible. Establish a secure mechanism to deploy any new system over the network and ensure that new configurations adhere to policies that you create and maintain. Implement a file integrity check on all key configuration files and maintain a change management system to log any/all modifications.

  • Continuous Vulnerability Assessment and Remediation

As new features, devices are added and software, firmware change the need to monitor and manage vulnerabilities can grow exponentially. Failing to scan for and fix critical vulnerabilities can introduce risk to your organization during the time it takes to find and the patch your software and firmware flaws. Implement or contract for vulnerability assessment on a regular basis to ensure that nothing is missed. All it takes is one avenue for an attacker to penetrate your systems – you have to make sure that all of them are closed. Implement central logging in order to monitor system wide activity and reduce the chance that an attacker can remove his tracks.

Setup a patch testing lab if uptime is important – it will allow you to rate your risk level whenever delay is necessary in deploying patches. Implement an automated patching mechanism and monitor activity to review any errors.

  • Malware Defenses

Malware is any software, script or piece of code that is intended to damage, disable or circumvent normal use of a computer. It can be harmful, benign or helpful although the latter is rarely the case. Your need to prevent it from happening is now more important that ever before. The ability for AniVirus/Antimalware software to prevent this from ever happening to you is gone. Attackers can and do use obfuscation techniques to thwart your scanning software so don’t rely on it. On the contrary, make sure that you use one and keep it up to date. It can be useful to catch 50-80% of the infection attempts.

 Control/Limit the use of external devices and consider implementing network based Intrusion Detection systems on or in conjunction with your firewall. Log all domain name queries to help identify known command and control contact to malicious domains. Create and implement an incident response process that can be helpful in adding any out of band malware that is not currently being detected by scanning signatures.

These five top 20 controls will have the most effect in preventing breach and helping you mitigate risk on your network. I suggest that my clients subscribe to our management service in order to help monitor and manage their Windows/Apple/Android devices and when we are contracted to manage the entire LAN we will monitor and manage the remaining devices. This allows us to have logs from all of the computer devices and can help us find the primary errors in any organization.

For a more detailed event monitoring approach we suggest that they utilize a device that can be used to hold all event logs from any network system (syslog server). It also allows us to use file integrity monitoring on devices that have a key role in the organization. There are agents for most hardware that can be installed to manage the files, bandwidth, etc.

OSSIM Version

OSSIM Version

It uses a vulnerability scanner to help identify any potential attack vector so we can remedy it. It also has a trouble ticket software built in that can create tickets automatically whenever a set of configured criteria are met which include traffic analysis, breach information, new devices found, etc.

For those of you who have read this far and find yourselves without adequate protection in any/all of these areas I would encourage you to consider looking at the Alienvault line of products.

I feel security is like insurance – it’s better to have and not need than need and not have.

Categories: General Tags: , ,

Imagine a single tool that hackers could use to break into your network…

March 12, 2015 2 comments

…and you are probably thinking about Metasploit.

As a security specialist I am saddened to think how easy it is to break into what was once considered a pretty safe way to conduct your business online. Years and years ago we all touted the necessity of a firewall with it’s ‘allow nothing in – allow everything out’ stance. Most sysadmins believed that if you had a crunchy outer shell it would be enough to protect you from the bad guys outside of your organization who are knocking on your proverbial door. We, as sysadmins then debated about the merits of network segmentation and egress filtering and a lot of us agreed that it would be a lot of work to implement and administrate compared to the risks associated with simply leaving the network topology flat and open. Then came along WiFi and for most of the users – it made connectivity easier but as sysadmins we knew that it would require some additional brain power to make it work securely. First WEP got cracked and when WPA-Personal and -Enterprise was introduced and at that time, it represented a pretty safe and uncrackable method to secure the wireless network. WPS made it easy to setup but we found shortly after that WPS has it’s flaws.

Today any user with a computer and extremely fast graphic card could crush a short password in a matter of hours. Now we tell users to make their password longer and to choose better passwords. Then would-be hackers build faster computers to crack longer passwords in a shorter period of time. It all begins to seem to me more like when the bad guys get in rather than if they get in.

It’s time to ask yourself about how well your assets are protected? Does your network topology resemble a cookie (hard on the outside and soft on the inside) or have you taken steps to limit the damage that can be done once your walls fall? It’s hard to believe that you could come in one Monday morning and find out that your network is having a really bad day; all the result of a little tool like Metasploit in the hands of a few skilled people. There are literally thousands of known vulnerabilities, at least one for any number of hardware devices that make up your network and they are all contained in and ready to be unleashed on all of your devices by this tool once they get in. Network switches, IP phones and phone systems, routers and firewalls, printers, etc. Lets not forget the laptops, workstations, servers, tablets, ipads and oh yes the smart phones that we all know and love?

You home users are just as vulnerable with your Thermostats, IP cameras, wifi adapters, home alarm systems, all web enabled. Every day we hear about some vendor that has IP enabled another appliance in your home and do you think they are worried about the safety of the device while you own it? As a consumer I am pleased when my new fridge can show me a picture on my cell phone of what is inside while I am standing in my local super market but as a security researcher – I am horrified of all the possibilities that could happen as a result of poor security. On the flipside and as a white hat (someone who hacks stuff to make it better) I am thrilled that there will soon be more things to test and ensure that the vendor has created a safe secure product for my fellow users to enjoy. The question that is raised in my mind by these likely events is just who is quality controlling these devices – them or you?

Categories: Work related Tags: ,