Sunday, October 11, 2009

Free Anti-Virus for Commercial Use (on Windows Platform)

Recently, I discovered that Fortinet FortiClient 4.0 Standard is free even for commercial use. It includes a personal firewall, antivirus/antispyware scanning, intrusion prevention and web filtering.

It is not trial software and has no expiry date. It holds ICSA and VB100 certifications and can run on server platforms. Most importantly, it is free.


Tuesday, September 1, 2009

Breaking Information Security Controls – From an Offensive Point of View

Did your company implement controls?

I have a friend, Joker, who works for an ISO 27001 compliant company. Let’s call this company Fictional Enterprise. The IT Manager of Fictional Enterprise makes every effort to implement technological controls. These controls include
  1. URL filtering – filter out access to community websites, such as Facebook, from the FE network
  2. IM archiving – record IM conversations to and from the FE network
Joker did an experiment to try to bypass these two controls. He tried three methods.

  1. Use an anonymous proxy server on the Internet
  2. Build and use an SSL VPN gateway at home
  3. Build and use remote access technology at home

All three methods successfully bypassed the controls.

Use an anonymous proxy server on the Internet - Joker searched Google for "Anonymous Proxy". The first ten hits were all usable anonymous proxy services, some free of charge and some paid. Joker selected a paid service at USD 9.95 per month and found that it successfully bypassed the URL filtering software. The service uses an SSL-encrypted tunnel between Joker’s computer and the proxy server. With the service he can access Facebook, which is blocked without it.
With the service, the proxy can actually serve both web browsing and IM communication. Because of the SSL encryption, control (2) cannot archive the IM conversations.
This proves that using an anonymous proxy can easily bypass these two controls.

Build and use an SSL VPN gateway at home - Joker installed a Fortigate 60B appliance at home. The list price of the appliance is USD 995. Joker then configured the appliance with dynamic DNS and SSL VPN features. Afterwards, he created a bookmark for Facebook. This is basically an HTTP redirect technique.

After that, every time Joker wants to access Facebook from Fictional Enterprise, he logs in to his SSL VPN via the dynamic DNS name and clicks the bookmark. However, this does not appear to support HTTP redirect for IM conversations.

Build and use remote access technology at home - Joker tried two remote access techniques.

The first one is easier to set up – he prepared a desktop computer running Windows XP Professional with Remote Desktop enabled, allowing Joker to connect from the FE network. The browser and IM program are effectively running on this desktop computer, hence bypassing all URL filtering and IM archiving. The drawback is that the whole desktop is transmitted to Joker’s computer on the FE network, and switching between desktops is somewhat inconvenient.

The second one is more difficult to set up – he prepared a computer running Windows Server 2008 and activated Terminal Services with RemoteApp support. Afterwards, Joker defined Internet Explorer and MSN Messenger as RemoteApp applications and created shortcuts for them. This is more difficult to set up, but easier to use, because only the application window is brought to Joker’s computer on the FE network. Now Joker can use the browser and IM application running remotely while they are seamlessly integrated with the desktop on the FE network.

This proves that using remote access technology can also easily bypass these two controls.
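Each of the bypass paths above leaves a trace at the egress firewall, which is where the IT Manager can check whether the controls are doing what they were meant to do. The following Python is an added example, not code from the original post: it scans constructed firewall/proxy records for outbound RDP and for long-lived, high-volume TLS sessions to destinations the URL filter could not categorize. The log format, field names, thresholds and sample lines are all assumptions.

```python
import re

# Constructed example (not from the original post): a defender's view of
# the bypass paths described above. It flags RDP egress and long-lived,
# high-volume TLS sessions to uncategorized destinations, which is what an
# anonymous proxy or a home SSL VPN tunnel looks like from inside the network.
# The log format, thresholds and the sample lines below are all assumptions.

SAMPLE_LOG = """\
2009-09-01T09:12:01 src=10.1.2.15 dst=203.0.113.7 dport=443 proto=tcp bytes=1834211 duration=3720 category=uncategorized
2009-09-01T09:15:44 src=10.1.2.15 dst=198.51.100.9 dport=3389 proto=tcp bytes=90211 duration=1800 category=uncategorized
2009-09-01T09:16:02 src=10.1.2.22 dst=203.0.113.50 dport=443 proto=tcp bytes=22340 duration=12 category=search-engines
2009-09-01T09:20:17 src=10.1.2.31 dst=198.51.100.20 dport=80 proto=tcp bytes=5120 duration=3 category=news
"""

REMOTE_ACCESS_PORTS = {3389: "RDP"}  # remote desktop egress; extend per policy
LONG_TLS_SECONDS = 1800              # assumed: 30 min is long for one browsing session
LONG_TLS_BYTES = 1_000_000           # assumed: volume typical of a tunnel, not a page load

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict; the timestamp is stored as 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = dict(FIELD.findall(rest))
    rec["ts"] = ts
    return rec

def classify(rec):
    """Return the findings a single record triggers (possibly an empty list)."""
    findings = []
    dport = int(rec["dport"])
    if dport in REMOTE_ACCESS_PORTS:
        findings.append(f"outbound {REMOTE_ACCESS_PORTS[dport]} to {rec['dst']}")
    if (dport == 443 and rec.get("category") == "uncategorized"
            and int(rec["duration"]) >= LONG_TLS_SECONDS
            and int(rec["bytes"]) >= LONG_TLS_BYTES):
        findings.append(f"long-lived TLS tunnel candidate to {rec['dst']}")
    return findings

def scan(log_text):
    """Map each source address to the timestamped findings raised against it."""
    report = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            for finding in classify(rec):
                report.setdefault(rec["src"], []).append(f"{rec['ts']} {finding}")
    return report

if __name__ == "__main__":
    for src, findings in scan(SAMPLE_LOG).items():
        print(src, *findings, sep="\n  ")
```

Only the first two sample lines, both from the same workstation, should be reported; the short search-engine TLS session and the plain HTTP request are left alone.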

Controls should come after Control Objectives

Joker tried all these methods to bypass controls. However, he did not violate any policy, because Fictional Enterprise does not have a good way to develop and announce policy. The implemented controls have no control objectives.

Information security policies are the documented control objectives that form the foundation of IT governance. It seems Fictional Enterprise still has a long way to go before it is more than a paper-compliant company.

Monday, August 3, 2009

Data loss prevention vendor McAfee spills 1400 private names

On July 17, McAfee held a security conference at the Sydney Convention Centre. The event was well attended by about 800 guests. But in an e-mail a week later thanking people for attending, McAfee attached a spreadsheet containing names, numbers, e-mail addresses, employment details and even dietary requirements of 1408 people.

Reference links from media:

http://www.cw.com.hk/content/security-vendor-mcafee-spills-1400-customer-names

http://www.techworld.com.au/article/312889/oops_e-mail_security_vendor_mcafee_spills_1400_private_names

Friday, July 17, 2009

Is StillSecure Really Secure?!

Just done a simple test on the IPS from StillSecure, Strata Guard. I downloaded Strata Guard Lite, the freeware offering from StillSecure, and installed it on my virtualised testbed.



The test setup is simple. I made an attacker VM running BackTrack 3 with the latest Metasploit updates. This VM is connected to the Bridged (VMnet0) virtual switch. I also made a victim VM running Windows XP SP3 (without post-SP3 patches) with an antivirus package. The victim VM is connected to Host Only (VMnet8). Finally, SG Lite is installed as the third VM with three interfaces - eth0 and eth1 are connected to VMnet0 and eth2 is connected to VMnet8. eth0 is the management interface, while eth1 and eth2 form a bridge deployment.

After installing SG Lite, I immediately updated the rules. After the update, SG Lite has over 6 thousand rules. I also configured SG Lite to "Block" all attacks on all rules. This should make all traffic inspected, and any traffic matching any rule should be blocked.

Afterwards, I used Metasploit to start attacking the victim. I chose my favourite MS08-067 with Add User to see if SG Lite could stop the attack. The result surprised me - the attack succeeded and SG Lite did not notice it!


Saturday, May 2, 2009

Defense in Depth – Example of Wireless Network

From Wikipedia, defense in depth is defined as “multiple layers of defense are placed throughout an Information Technology (IT) system”. In short, that means multiple protection strategies to protect an information asset or an infrastructure component.
Have you ever thought about the security features of your wireless router? Usually a wireless router supports at least the following

  • Encryption between router and endpoint device (WEP, WPA or WPA2)
  • MAC address filtering (a kind of ACL)

Did you implement all of them, or just some of them? This article aims to tell readers why they need a mix of these security features to form a defense in depth protection strategy.

Most wireless networks nowadays only implement encryption between router and endpoint device. Some even use weak encryption (WEP). The author does not aim to explain why WEP should not be used, because there are many good articles for that purpose, one of them on Wikipedia. Even if a wireless network implements strong encryption like WPA2, the network should not rely solely on encryption. An additional ACL should also be implemented.

For example, a company would like to limit wireless network usage to its own laptops only and secure the transport layer. The company implemented WPA2 in the wireless network of one of its local offices without an additional ACL. The IT Manager distributes laptop computers to the staff members. The laptops are preconfigured with the WPA2 pre-shared key. With tools like WirelessKeyView, it is all too easy to view or clone the pre-shared key. After copying the key to another device (like a Wi-Fi enabled phone), that additional device is now allowed onto the wireless network.

This simple scenario demonstrates the need for defense in depth. Applying encryption alone can prevent data leakage; however, it is not a protection scheme for access control. So in order to achieve the original security requirement – limit wireless network usage to company-owned laptops – encryption alone cannot meet the requirement. In this situation, adding an ACL (in the form of MAC filtering) helps achieve the access control requirement.

So, the first thing in security is to define the objectives. Afterwards, select applicable controls and implement them to achieve the goals. Finally, review whether the controls really meet the defined control objectives.

Sunday, April 19, 2009

5-phase approach in successful vulnerability management

Know the problem

Many people have wrong perceptions of the issues. Examples of these perceptions include

  • Vulnerability Management = Apply Software Patch
  • Vulnerabilities only occur in Microsoft operating system products
  • Vulnerability Management is only needed by large enterprises

A fundamental of the software life cycle is that software always contains programming errors, referred to as bugs. Traditionally, these bugs were simply code not written according to the initial software specifications. Nowadays, however, bugs may be more complicated. The problems may involve insecure coding methods that lead to memory leakage or privilege escalation.

No software is perfect and free of issues. Software vendors put effort into fixing discovered problems.

Understand the current situation – Scanning, Assessment and Trending

Does it mean I just apply all the software patches and the problem is solved? Not exactly. The author suggests a vulnerability assessment with an experienced security consultant. This assessment process involves initial vulnerability scans and trend analysis. The security consultant should provide a trend report and suggestions on how to develop a vulnerability management strategy. The vulnerability situation of a specific part of the enterprise can be better than that of the others. For example, the server farm may contain fewer vulnerabilities. This is quite typical, as the server farm may be administered by a different group of people, and the hardening procedures for production servers may differ from those for other machines in the enterprise.

Develop vulnerability management strategy

A vulnerability management strategy is important for enterprises of all sizes. If a specific part of the infrastructure does not contain any customized software (for example, an email server running Microsoft Exchange 2007 on Microsoft Windows Server 2003), the vulnerability strategy will be quite different from that for infrastructure components running an in-house developed CRM application. It is essential to have security professionals review and assess the vulnerability management strategy. This makes sure the strategy is practical and meets the industry baseline requirements.

Implement the vulnerability management strategy

Once the vulnerability management strategy is defined and confirmed, it comes to implementation. Tools that help implement the strategy are as important as the strategy itself. Tools may include vulnerability scanners, patch management software, patch testing software, etc. These tools can automate the vulnerability management strategy and hence improve the overall security situation of the enterprise.

Continued reassessment

Regular reassessment of the strategy is crucial. The review should cover strategy execution, enterprise-wide vulnerability trend analysis and the strategy itself. The author recommends that the strategy be reviewed every year by an information security professional.

Saturday, April 18, 2009

Security Ingredients in Software Development

Security is a basic requirement in every software development. However, most system analysts miss this fundamental requirement. This is because when system analysts start the requirements engineering process, they focus on the business requirements, and the end users are not able to provide insight on information security.

The term “Security” used here essentially refers to the CIA Triad: Confidentiality, Integrity and Availability. That means, apart from the business requirements to solve real-world business problems, the target application must also meet the information security requirements at the same time.

Confidentiality means ensuring that information is accessible only to those authorized to have access. This typically refers to authentication and authorization: confirming one’s identity, and then allowing or denying the specific individual’s access based on an access control technique. In the past, this meant a username and password combination for authentication and an access control list for authorization. There are other techniques nowadays. The system should check the individual’s access rights to allow or deny access to specific resources. Security features should also protect against unauthorized access by other routes. For example, even if the application already includes authentication and authorization, related data travelling on the network or stored in the database without appropriate protection will still cause confidentiality to fail. Data in transit and data at rest protection should also be considered, typically using encryption if local laws allow.

Integrity refers to the consistency and accuracy of the data. This extends to who has accessed and modified the data. Access to and/or modification of the data through the application under development should be logged to provide an audit trail. Moreover, additional controls should be applied to make sure data in transit and data at rest are protected. This means that if the data is modified unexpectedly, the application should be able to detect the situation. The typical technique to ensure integrity is a combination of hashing, digital signing and encryption.

Availability guarantees that the system’s features are available when needed. This includes not only the security features, but also other system features. In terms of security, the system should be able to withstand denial of service attacks. High availability configuration, a tarpit applied on failed authentication and other redundant arrangements are mainstream practices for availability.
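The tarpit mentioned above is easy to describe but has an availability trade-off of its own: a per-username delay that grows without bound lets anyone lock a real user out by guessing wrong on purpose. The following Python is an added example, not code from the original article; it combines salted password hashing (authentication) with a capped, doubling tarpit on failed logins. The class name, delays and cap are assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed example (not from the original article): a small login
# service that applies a tarpit to failed authentication. Each failure
# for a username doubles the wait before that username may try again;
# a correct login resets it. Names, delays and the cap are assumptions.

BASE_DELAY = 1.0   # seconds to wait after the first failure
MAX_DELAY = 64.0   # cap: bounds how long one attacker can tarpit a real user
PBKDF2_ROUNDS = 100_000

def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

class TarpitAuthenticator:
    def __init__(self, users, clock=time.monotonic):
        self.users = users          # username -> (salt, digest)
        self.clock = clock          # injectable so tests need not sleep
        self.failures = {}          # username -> consecutive failures
        self.next_allowed = {}      # username -> earliest time of next attempt

    def delay_for(self, user):
        """Current tarpit delay in seconds for this username."""
        n = self.failures.get(user, 0)
        return 0.0 if n == 0 else min(BASE_DELAY * 2 ** (n - 1), MAX_DELAY)

    def login(self, user, password):
        """Return 'ok', 'denied' or 'tarpit' (attempt arrived too early)."""
        now = self.clock()
        if now < self.next_allowed.get(user, 0.0):
            return "tarpit"         # refuse without checking the password
        # Unknown users get a dummy record so timing does not reveal existence.
        salt, digest = self.users.get(user, (b"\x00" * 16, b"\x00" * 32))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):
            self.failures.pop(user, None)
            self.next_allowed.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        self.next_allowed[user] = now + self.delay_for(user)
        return "denied"
```

An attempt that arrives inside the tarpit window is refused without touching the password check and without counting as a further failure, so the delay grows only with attempts that were actually evaluated.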

To sum up, the following are typical security ingredients:

  • Authentication
  • Authorization
  • Critical data item storage encryption
  • Digital signature
  • Hashing
  • High availability and other redundant arrangements
  • Tarpit
  • Transport layer encryption

The author hopes this article reminds system analysts to include these considerations in their requirements engineering process, making the resulting application more secure and hence making the world more secure.