Tuesday, November 12, 2013

Fixing Internet Explorer

Ever get sick of Internet Explorer thinking it needs to run? Windows forcing a substandard (more like anti-standards from a web standards point of view) browser on you?

Here at SecsAndCyber I have a solution for you! This one registry patch will solve all of your Internet Explorer issues in a single double-click! (and accompanying UAC prompt if you have kept your system secure) I give you... FixIE.reg!


Humor aside, the technique used in this joke is a serious target for malware persistence.

The fine authors over at SysInternals, Mark Russinovich and Bryce Cogswell, have built detection of this into their tool Autoruns for Windows. The "Image Hijacks" tab looks for executables that are being grabbed like this. Try it out and keep yourself safe!
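As an added illustration of what the "Image Hijacks" tab is looking for (this is example code written for this page, not Sysinternals' Autoruns and not the joke FixIE.reg itself), the function below scans the text of a `.reg` export for Image File Execution Options subkeys that carry a Debugger value. The sample export is constructed; the registry path is the one Windows uses for that feature. A `.reg` file written by regedit is UTF-16, so decode it before passing the text in.

```python
import re
from typing import List, Tuple

# Constructed .reg export text (not the post's FixIE.reg). It mirrors the format regedit
# writes: a version header, then [KEY] sections with "name"="value" lines.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="C:\\Windows\\System32\\notepad.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe]
"DisableExceptionChainValidation"=dword:00000000
'''

# Registry path under which per-image Debugger values redirect execution.
IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
               "Image File Execution Options\\")
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def find_image_hijacks(reg_text: str) -> List[Tuple[str, str]]:
    """Return (image, debugger) for every IFEO subkey in the export that sets a Debugger value.

    Any hit deserves a look: a developer's JIT debugger registration shows up here too,
    so the list is a review queue, not a verdict.
    """
    hits = []
    current = None          # image name of the IFEO section we are inside, if any
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            key = section["key"]
            inside_ifeo = key.lower().startswith(IFEO_PREFIX.lower())
            current = key[len(IFEO_PREFIX):] if inside_ifeo else None
            continue
        value = VALUE_RE.match(line)
        if current and value and value["name"].lower() == "debugger":
            # .reg files escape backslashes; undo that for a readable path.
            hits.append((current, value["data"].replace("\\\\", "\\")))
    return hits


if __name__ == "__main__":
    for image, debugger in find_image_hijacks(SAMPLE_REG):
        print(f"{image} is redirected to {debugger}")
```

Running it against the constructed export reports one hijack, for iexplore.exe; the second subkey sets an unrelated value and is not reported.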

Sunday, November 10, 2013

System Assurance through Memory and Shared Resource Protection

To follow up on the teaser introduction posted a few days ago, here is the public release of my recent paper System Assurance through Memory and Shared Resource Protection!

Week 10 of 12 for this semester. Almost finished!

System Assurance through Memory and Shared Resource Protection

Thursday, November 7, 2013

Cloud Provider Assurances

How could Airange maintain a proper authentication system for its clients?

As Airange is providing only remotely accessible services, their options for authentication are severely limited. Options which are not viable include photo badge validation, physical keys to unlock the system space, and safe locks. (Jessup, Valacich, & Wade, 2003) Passwords are the most common system in use, though they only provide effective security if they are sufficiently long, randomized, and changed frequently. Additionally, they must be stored securely by Airange, both to be inaccessible to clients and intruders and to be protected from insiders. Salting and hashing is an absolute necessity; otherwise the weaker passwords are susceptible to rainbow tables and passwords shared between users can be identified. (Goodrich & Tamassia, 2011) Encrypting the plaintext passwords instead would give Airange the ability to return forgotten passwords to users, but it also gives the administrators the ability to recover those passwords.

How might Airange ensure that one client’s data is kept confidential and protected from other clients who also have access to the same data center?

One effective method of ensuring confidential and protected data is to enforce isolation through virtualization. (UMUC, 2011) Each client is provided their own virtual server to work within without the option of communicating with the host machine or other virtual servers on the system. Within the sandbox environment of the virtual server, an individual client can access, manipulate, and delete their own data, but cannot see any of the data stored by any other. This arrangement poses the risk of a client being able to escape their virtual server and directly access or impact the host system. Airange must run intrusion detection software on the host and regularly update the software, else a malicious client could gain access to the host and directly view the contents of the storage mediums, including the data stored by other clients. (Coggins & Levine, 2009)

What type of assurances would a client expect that the security of the software components and utilities provided by Airange will be consistently maintained?

Clients expect Airange to provide detailed guarantees as to the expected confidentiality, integrity assurances, and uptime or availability of the system. These details can be provided to clients, and documented, through negotiated service level agreements. (UMUC, 2011) Concerning the availability of the system, specifics as to the allowable downtime, expected maintenance time, mean time between failures, and mean time to repair will need to be declared ahead of time. Given that standing behind rigorous uptime guarantees is expensive, Airange will have to decide how to market their brand and provide the service. Do they want to provide budget-friendly services or strictly security-focused ones?

Coggins, C. & Levine, D. (2009). Monitoring and Control Systems. In Bosworth et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons, Inc.

Goodrich, M. T., & Tamassia, R. (2011). Introduction to Computer Security. Boston, MA: Pearson.

Jessup, L. M., Valacich, J. S., & Wade, M. (2003). Information systems today. Upper Saddle River, NJ, USA: Prentice Hall.

UMUC. (2011). Preventive and Protective Strategies in Cybersecurity. CSEC-630. Retrieved from http://tychousa3.umuc.edu/

Cloud Storage and Confidentiality

How could Medical Imaging manage the images split across multiple third-party ISPs?

This is a strong point of cloud storage and virtualization: the abstraction away of which specific machine data is stored on. MI doesn't have to manage how the images are split across the ISPs, since Airange provides transparent aggregation for them. That transparent aggregation allows rapid scaling and load balancing to provide high availability, even with fluctuating computing needs. (UMUC, 2011, p. 5)

What they do need to manage is the confidentiality protection of their images, since they are not direct parties to the security arrangements between the cloud provider and the third-party infrastructure. Since the images they are storing should just be stored, MI should be encrypting their data before uploading it. This is not always useful or practical, though, such as when the cloud is expected to provide data analytics or manipulation. (Kumar & Lu, 2010) Documents, like those written on Google Docs, cannot be encrypted before uploading if users want to harness the benefits of spelling checks.

How might Medical Imaging (MI) keep other cloud subscribers from accessing MI’s data?

Depending on how their storage is arranged, MI may not have any option other than to encrypt their uploads. If, though, they have been provided an entire virtual machine in which to store the images, then they should implement the full gamut of host-based protections, just as if it were their own machine: a hardened operating system, if that level of customization is available, such as SELinux or a BSD distro versus Ubuntu (NSA, 2009); anti-virus; a software firewall; and disabling unnecessary services.

Kumar, K., & Lu, Y. H. (2010). Cloud computing for mobile users: Can offloading computation save energy?. Computer, 43(4), 51-56.

NSA. (2009). Security-Enhanced Linux. National Security Agency. Retrieved from http://www.nsa.gov/research/selinux

UMUC. (2011). Preventive and Protective Strategies in Cybersecurity. CSEC-630. Retrieved from http://tychousa3.umuc.edu/

Wednesday, October 30, 2013

System Assurance through Memory and Shared Resource Protection - Introduction

This is the introduction to my new paper, System Assurance through Memory and Shared Resource Protection. Like previous ones, I will be posting it in pieces with the last page having a link to the paper.

Regardless of the operating system, architecture, or purpose, general purpose computing devices have one unquestioned constant: instructions and the data they operate on are available in primary storage. While instructions and initial data can be permanently fixed in read only memory, data being interacted with must be writable and is typically volatile, random access memory: RAM. (Jessup, Valacich & Wade, 2003) Whenever an interaction involves reading information there is a potential for concerns about the confidentiality of the data, and the reliability of the read is dependent on the data integrity. Writing interactions present potential threats to data integrity, and both reading and writing actions are dependent on the availability of the data source. These statements are true and applicable when the interactions in question are performed with reference to computer memory; thus memory needs protection to ensure the confidentiality, integrity, and availability of the system it resides within.

Operating systems, as massively complex pieces of software, are simultaneously dependent on the integrity of system memory and responsible for the protection of that same memory. To achieve this state of existing in the same memory that it is protecting, the operating system utilizes the privilege features provided by the hardware to allocate sections of the memory to be accessible only by code running in a privileged context: the kernel. (Vacca, 2009) Remaining sections of memory are left readable, writable, or both by code running without being in a privileged context: userspace.

Abstracting the limitations and layout of physical RAM away from the memory accesses made by software additionally protects the memory state of both kernel and userspace code. This model of virtual memory utilizes secondary storage, such as a hard disk, to store data that running code gets to treat as being in memory even if the amount of memory being used exceeds the capacity of the physical RAM. (Jessup et al., 2003) Implementing such abstraction requires dedicated, specialized code in the kernel which can perform actions, such as permission checking, while running. While the abstraction code is running it is also utilized to provide significant additions to the security scheme protecting system memory.

A third system protection, related to but not entirely limited to memory, is the polyinstantiation of shared resources. Polyinstantiation is the generation of a separate instance of an accessed resource for the accessor. A common, necessary occurrence in multilevel databases, polyinstantiated records are records that share a supposedly unique key. (Jajodia & Sandhu, 1994) Virtual memory, as a model, is itself an example of polyinstantiation of the addressable memory space.

Jajodia, S., & Sandhu, R. (1994). Solutions to the polyinstantiation problem. George Mason University, Fairfax, VA.

Jessup, L. M., Valacich, J. S., & Wade, M. (2003). Information systems today. Upper Saddle River, NJ, USA: Prentice Hall.

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufman

Web Database Vulnerabilities

What specific vulnerabilities affect Web enabled databases? What can be done to prevent them from happening?

Meier, from Microsoft, claims that the main threats to a database server are SQL injection, network eavesdropping, unauthorized server access, and password cracking. (Meier, 2003) Since we are focusing on web databases, the relevant two threats are SQL injection and network eavesdropping. The other two are primarily local threats, assuming that the password cracking is hash cracking.

Network eavesdropping is a concern if the database is being accessed over an unencrypted protocol, such as HTTP, since the communicated data is visible in the traffic. This causes threats to the confidentiality of the data being read from or written to the database as well as threats to the integrity of the data. If the network connection is being manipulated by a man-in-the-middle attacker, they could modify requested database writes or the returned database reads. (Kabay, Holden, & Walsh, 2002) The ultimate threat of network eavesdropping is if credentials are being passed in the clear because that risks turning over complete database control to the attacker. (Meier, 2003)

Eavesdropping is most easily addressed by forcing all traffic to be encrypted, like using HTTPS instead of HTTP for the web connections.

SQL injection, or attacking the fact that “Applications that construct queries on the fly can be fooled into constructing improper queries” (Gertz & Rosenthal, 2006), is where “the attacker exploits vulnerabilities in your application's input validation and data access code to run arbitrary commands in the database using the security context of the Web application.” (Meier, 2003) This vulnerability occurs regularly, despite its severity, because the quickest, easiest way to generate a SQL query is through normal string building operations, concatenating in the search-specific values. Often these values have been received directly from the outside and may have been maliciously crafted, but not validated or escaped. Thus, special characters and keywords that have special meaning to the database get executed instead of just searched for.

All input data should be limited, checked for validity, and sanitized of anything that may be viewed as code. This can mean escaping special characters or stripping them out of the string entirely. Limiting data to expected formats helps too; for example, input to a search for numerical data should be checked to contain only numerical characters. SQL queries should use type-safe parameters, as this prevents string building and mismatched data types as well as guaranteeing that data passed in is treated as data and not executable statements. Lastly, the web-facing account should have the least privileges possible. If the web interface is only for reading then the account should not even have write privileges. Tables that will not be queried through the web should not be readable by that account either. (Meier, 2003)
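The string-building defect and the two countermeasures above, as an added example against an in-memory SQLite table (constructed data; this is not code from the post or from Meier): the concatenated query lets a crafted value change the query's meaning, the parameterized query compares the same value as data, and the numeric lookup limits its input to the expected format before binding it. The least-privilege account cannot be shown with SQLite, which has no user accounts.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the web-facing database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO accounts (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str):
    """String building: the input becomes part of the SQL text and is parsed as SQL."""
    sql = "SELECT username, email FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str):
    """Type-safe parameter: the value travels separately from the statement,
    so quotes and keywords inside it are compared as data, never executed."""
    return conn.execute(
        "SELECT username, email FROM accounts WHERE username = ?", (username,)
    ).fetchall()


def is_numeric_id(raw: str) -> bool:
    """Format limiting for a numeric search field: digits only, no sign, no spaces."""
    return raw.isdigit()


def lookup_by_id(conn: sqlite3.Connection, raw_id: str):
    """Validate the expected format first, then still bind the value as a parameter."""
    if not is_numeric_id(raw_id):
        raise ValueError("account id must be numeric")
    return conn.execute(
        "SELECT username, email FROM accounts WHERE id = ?", (int(raw_id),)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"      # constructed input that changes the query's meaning
    print("concatenated :", lookup_vulnerable(conn, crafted))     # every row comes back
    print("parameterized:", lookup_parameterized(conn, crafted))  # no such username
    print("by id        :", lookup_by_id(conn, "2"))
```

The concatenated lookup returns both accounts for the crafted value; the parameterized lookup returns nothing because no username equals that string. The same binding protects the numeric lookup even if the format check were removed, which is why the two belong together rather than as alternatives.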

Gertz, M., & Rosenthal, A. (2006). Database Security. In H. Bidgoli (Ed.), Handbook of information security, volume 3, "Database Security Mechanisms and Models," p. 164. New York, NY: John Wiley & Sons, Inc.

Kabay, M., Holden, D., Walsh, M. (2002). Operations Security and Production Controls. In Bosworth et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons, Inc.

Meier, J. D. (2003). Improving web application security: threats and countermeasures. O'Reilly Media, Inc.

Necessity of Securing Database Config

There are many problems with securing enterprise databases, far more than the IT industry would care to acknowledge. Research and discuss one particular database security issue. How can this problem be addressed?

One significant database security issue, according to McGowan, Bardin, and McDonald, is that “With any complex software system, poor configuration practices cause vulnerability.” (2009, p. 171) They, correctly, assert that this is the case with database systems. Oracle databases are a good example of the complexity and of how poor configuration can occur. Configurable options include accounts, authentication modes, options and products, schemas, and passwords. (Oracle, 2012)

For instance, features of user accounts which are configurable include limits on failed login attempts, password lifetime, password reuse restrictions, number of concurrent sessions, and idle timeout. (Baccam, 2010) Preventing remote password brute force attempts, making sure to expire passwords, and making sure an idle session isn't left available for hijacking can all be implemented through these types of options.

Another important configuration to be aware of is being sure to maintain audit trails and transaction records. Baccam's paper details exact configuration options that should be enabled for security: settings like “AUDIT_SYS_OPERATIONS (Should be set to TRUE.)” and “AUDIT_TRAIL (Avoid FALSE or NONE settings.)” (2010, p. 5)

Default accounts, especially ones with static or predictable passwords, need to be addressed. It is the fourth item in Oracle's Guidelines for Securing a Database Installation and Configuration.

  1. Before you begin an Oracle Database installation on UNIX systems, ensure that the umask value is 022 for the Oracle owner account.
  2. Install only what is required.
  3. During installation, when you are prompted for a password, create a secure password.
  4. Immediately after installation, lock and expire default user accounts.
(Oracle, 2012)

Limiting the install will be familiar to anyone who has tried to harden a server, where all unnecessary services running present additional potential attack vectors. Oracle mentions that the installation media defaults to installing multiple products and ones not required should be uninstalled or not installed by way of the custom choice. Similarly sample schemas are included for helping set up test databases. These should not be used for production machines. (Oracle, 2012)

Baccam, T. (2010). Oracle Database Security: What to Look for and Where to Secure. SANS Analyst Program. Retrieved from https://www.sans.org/reading-room/analysts-program/oraclewhitepaper-201004

McGowan, J., Bardin, J., & McDonald, J. (2009). Storage security. In Vacca, J. R. (Ed.), Computer and information security handbook. Boston, MA: Morgan Kaufmann Publishers.

Oracle. (2012). Keeping Your Oracle Database Secure. Oracle® Database Security Guide. Retrieved from http://docs.oracle.com/cd/B28359_01/network.111/b28531/guidelines.htm#i1007892

Sunday, October 20, 2013

Smartcards: Solving the authentication problem

Discuss ways in which the use of strong authentication can be designed to be "user friendly" without compromising its effectiveness.

In 1989 Ken Fifield was already writing about the value of plastic cards containing microprocessors to be used for digital signatures and strong authentication. (Fifield, 1989) Jumping forward to today, we still see it as a reasonable solution because, as Bruce Schneier (2005) put it “We're all good at securing small pieces of paper.” Protecting a small, plastic card? We do this all the time. Our credit cards, our driver's license: these items are almost always on our person or in a known protected location. If an organization is implementing physical security then there is probably even already a small plastic card that the employees carry with them to access the building and swear who they are.

A picture identification badge is being used to authenticate the wearer into a space when a human guard validates the authenticity of the badge and that the wearer matches the picture. Digitally, the same thing can be accomplished with the same card, if it is a smart card. The module this week explicitly points out that a “single smart card can serve as an employee ID badge, building access card, PKI credential store, and application password provider.” (UMUC, 2011) The PKI credential store is what really allows the smart card to shine, because it provides the card holder the ability to easily provide digital signatures on their work and communications and also to easily decrypt information sent to them. Authenticated access to documents comes for free if the infrastructure can provide everything PKI encrypted: only the intended user can decrypt the documents, even if they end up in the hands of an unauthenticated attacker.

Fifield, K. J. (1989). Smartcards outsmart computer crime. Computers & Security, 8(3), 247-255.

Schneier, B. (June 17, 2005) Write Down Your Password. Schneier on Security Retrieved from: https://www.schneier.com/blog/archives/2005/06/write_down_your.html

UMUC. (2011). Authentication, CSEC-630 – Module 4. Retrieved from: http://tychousa11.umuc.edu/cgi-bin/id/FlashSubmit/fs_link.pl?class=1309:CSEC630:9050&fs_project_id=384&xload&cType=wbc&tmpl=CSECfixed&moduleSelected=csec630_04

Thursday, October 3, 2013

Defending once authenticated: Time outs

After users are authenticated, what measures can be employed in order to maintain security when users are away from their computers?

Although it clashes with the desired convenience, or “user friendliness”, of the system, a common and reliable security measure is to limit the authenticated session duration through a time out. Time outs assist in maintaining security because they cause authentication artifacts to stop assisting intruders in the event of a compromise. The replay attack on Kerberos discussed in our module demonstrates the value of a time out, because the “Kerberos authenticators include time stamps so that authenticators are valid only for a short period of time.” Attempting to resend an authenticator after that time window has expired will fail to provide the expected authenticated action. (UMUC, 2011)

The time out protection philosophy is regularly seen in the protection of the authenticated user on desktop operating systems. This is the protection being implemented when a password-protected screen saver or other lock-out style screen lock is used. Groves writes that “In the event that you are dragged away from your machine having the screen saver activate after a set period of time will help to prevent unauthorized access to the console.” (2003, p. 11) Once configured, this protection assures that the authenticated user does not have to actively protect their session; merely not interacting with the computer for the duration of the time out will lock it down. They do have to re-authenticate afterwards, but an attacker who has accessed the system will be unable to act as them.
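Both time-out mechanisms described above, as one added example (not code from the post, the module, or Groves): a time-stamped authenticator that is honoured only inside a short validity window, so a replayed copy fails once the window passes, and a session store that locks a session after a period of inactivity without the user doing anything, after which the same session token no longer grants access until the user re-authenticates. The window lengths are assumed values, time is passed in explicitly so the behaviour is reproducible, and the re-authentication itself is represented by a flag rather than implemented.

```python
from dataclasses import dataclass
from typing import Dict

# Assumed windows for the example (not values from the post or its sources).
AUTHENTICATOR_WINDOW = 300   # seconds a time-stamped authenticator stays valid
IDLE_TIMEOUT = 600           # seconds of inactivity before a session locks


def authenticator_is_fresh(stamp: float, now: float, window: float = AUTHENTICATOR_WINDOW) -> bool:
    """A time-stamped authenticator is honoured only inside its window.
    Replaying the identical bytes after the window has passed fails,
    and so does a stamp from the future (clock skew or forgery)."""
    age = now - stamp
    return 0 <= age <= window


@dataclass
class Session:
    user: str
    last_activity: float
    locked: bool = False


class SessionStore:
    """Tracks authenticated sessions and locks any that sit idle past the timeout."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}

    def login(self, token: str, user: str, now: float) -> None:
        self._sessions[token] = Session(user=user, last_activity=now)

    def is_active(self, token: str, now: float) -> bool:
        """Called on every request. An idle session locks automatically; the user does
        nothing to protect it, and the same token no longer grants access afterwards."""
        session = self._sessions.get(token)
        if session is None:
            return False
        if now - session.last_activity > self.idle_timeout:
            session.locked = True
        if session.locked:
            return False
        session.last_activity = now      # activity restarts the idle clock
        return True

    def unlock(self, token: str, user: str, now: float, reauthenticated: bool) -> bool:
        """Only a fresh authentication by the same user reopens a locked session."""
        session = self._sessions.get(token)
        if session is None or not reauthenticated or session.user != user:
            return False
        session.locked = False
        session.last_activity = now
        return True


if __name__ == "__main__":
    print("fresh authenticator:", authenticator_is_fresh(1000, 1100))
    print("replayed later:     ", authenticator_is_fresh(1000, 1400))
    store = SessionStore()
    store.login("tok", "alice", 0)
    print("active at t=500:    ", store.is_active("tok", 500))
    print("active at t=1700:   ", store.is_active("tok", 1700))   # idle since 500, locked
```

Note that `is_active` locks on the first request after the idle period rather than on a background timer; the effect is the same, because no request inside the locked state succeeds, and it avoids needing a clock thread in the example.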

Groves, Z. (2003). A Best Practices Guide To Secure a Windows XP Professional Installation. SANS Penetration Testing. Retrieved from: http://cyber-defense.sans.org/resources/papers/gsec/practices-guide-secure-windowsr-xp-professional-installation-105157

UMUC. (2011). Authentication, CSEC-630 – Module 4. Retrieved from: http://tychousa11.umuc.edu/cgi-bin/id/FlashSubmit/fs_link.pl?class=1309:CSEC630:9050&fs_project_id=384&xload&cType=wbc&tmpl=CSECfixed&moduleSelected=csec630_04

Saturday, September 28, 2013

Trying to do my lab

This week is a lab week, specifically learning cryptography with CryptTool. This is a cross-platform tool which is also available on the school lab VMs so that we don't have to install strange software on our own systems. Not being a big fan of installing strange software, I opted for using the VMs.

First off, the instructions are posted in docx files. I use Google Drive as my office suite, and interacting with docx files is irritating. Okay, head over to LibreOffice.org to get a compatible office suite. Two files, one with instructions on accessing the VPN and the other with instructions on accessing the VMs once you are on the VPN.

Next I head to the site to use their Cisco SSL VPN Service. Lots of instructions to the side, but a link in front that says "Start". Click it. First thing I notice is a checkbox by "Java Detection", then I see that Chrome is informing me that Java is required to display the page, including a helpful "Install plug-in" button. What? No. No. No, no, no!

After the attempt to use Java times out the window presents a download link followed by the message: Alternatively, retry the automatic installation. Really? Not only did you want me to have and allow Java, but you expected me to let it auto install software? Pretty sure that is exactly why I don't have Java!

Fine. I'll download the VPN client myself and run it. Once I'm connected to the VPN, I have a new site to go to. Step 1, ignore the untrusted SSL certificate. Step 2, click past the "Warning: This browser will not work with vCloud Director. The vCloud Director Console requires Microsoft Internet Explorer 7 or higher or Firefox 3 or higher" message since I'm in Chrome. Which doesn't work: the site requires a VMWare plugin that is only compatible with IE and Firefox. Uggh.

Honestly, I have not had any real complaints about IE 10 (other than I haven't given it a real chance since it is IE) so I kick that up... and get the same warning. Wait a sec, I'm not a math major (actually, I was), but I'm pretty sure 10 is higher than 7. Maybe the IE version display is showing the version number in binary? Once again I clicked past the warning and tried to continue. 0 for 2, just like the Steelers!

Fire up Firefox. Download plugin, install. Amazingly... still doesn't work. Probably not compatible with 64 bit Windows 8. Strike three, I'm out.

Time to look into putting a VM onto my Ubuntu server. The CryptTool instructions say it is available for Linux, so that will be my first attempt. Install VirtualBox, download an Ubuntu workstation iso. That download took 2 hours and just finished while I was writing this up. Since that two hours was far longer than I wanted to wait, I tried other solutions first. Set up my Ubuntu laptop to accept an ssh connection from the server. Tunnel into the laptop and make a limited, throwaway user account for running this test.

Download the Linux package of CryptTool. cat INSTALL to get instructions. Oh! Turns out I don't have cmake installed. Apt-get cmake. Try again, nope. No Qt. Right now the Qt SDK is downloading, thank you wikiHow.

Looks like the lab will get done tomorrow night. Who has two thumbs and a soon to be irritated wife once she finds out about another night dedicated to schoolwork? This guy.

UPDATE: www.cryptool-online.org has an online version. Time to try and just do it in Chrome.

Friday, September 27, 2013

Restricting and allowing access by work function

How would you organize your information resources so that only authorized individuals, both internal and external, have access to the information they need, in order to carry out their job responsibilities?

This is a situation especially well suited to role based access controls. Individuals that need access to resources can often be categorized by their set of required accesses, and that set is their role. (Anderson, 2008) Roles can be defined as the sets of accesses that are needed by all likely groups, from both internal employees or contractors and external vendors or consultants.

By utilizing roles instead of assigning permissions individually, handling changes is easy and easily auditable. (Sandhu, 1998) If an employee moves to a different work position then they just need to have their role changed to match the new unit. One change and they have lost access they no longer require and gained all the newly required accesses. One addition allows a new vendor access to, and only to, the predetermined accesses associated with the role they are assigned.
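The role change described above, as an added example (not code from the post, Anderson, or Sandhu): permissions attach to roles, each subject holds one role, and reassigning a subject returns exactly which accesses were lost and which were gained, which is the record an auditor wants. The role names and permissions are constructed for the demonstration.

```python
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed roles for the example; the names and permissions are assumptions.
ROLES: Dict[str, Set[str]] = {
    "engineer":   {"repo:read", "repo:write", "ci:run"},
    "accounting": {"ledger:read", "ledger:write"},
    "vendor":     {"ticket:read", "ticket:comment"},
}


class Rbac:
    """Permissions attach to roles; subjects are assigned exactly one role."""

    def __init__(self, roles: Dict[str, Set[str]]):
        self.roles: Dict[str, FrozenSet[str]] = {name: frozenset(p) for name, p in roles.items()}
        self.assignments: Dict[str, str] = {}
        # One audit line per change: (subject, old_role, new_role).
        self.audit: List[Tuple[str, Optional[str], str]] = []

    def assign(self, subject: str, role: str) -> Tuple[FrozenSet[str], FrozenSet[str]]:
        """Assign (or change) a subject's role. Returns (lost, gained) permissions:
        the whole effect of the single change, with nothing left over from the old role."""
        if role not in self.roles:
            raise KeyError(f"unknown role: {role}")
        before = self.permissions(subject)
        self.audit.append((subject, self.assignments.get(subject), role))
        self.assignments[subject] = role
        after = self.permissions(subject)
        return before - after, after - before

    def permissions(self, subject: str) -> FrozenSet[str]:
        """Subjects without a role, or with an unknown one, have no permissions."""
        return self.roles.get(self.assignments.get(subject, ""), frozenset())

    def can(self, subject: str, permission: str) -> bool:
        return permission in self.permissions(subject)


if __name__ == "__main__":
    rbac = Rbac(ROLES)
    rbac.assign("alice", "engineer")
    lost, gained = rbac.assign("alice", "accounting")    # alice moves to a new unit
    print("lost:  ", sorted(lost))
    print("gained:", sorted(gained))
    rbac.assign("acme-contractor", "vendor")               # a new external vendor
    print("vendor can read repo?", rbac.can("acme-contractor", "repo:read"))
    print("audit:", rbac.audit)
```

Compare this with per-user permission lists, where the same move would require finding and removing every old grant individually, and any one missed grant silently survives the transfer.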

Anderson, R. (2008). Security engineering: A guide to building dependable distributed systems. New York: Wiley.

Sandhu, R. S. (1998). Role-based access control. Advances in computers, 46, 237-286.

Thursday, September 19, 2013

Limiting insider damage

How would you limit the damage that one person could cause, by making sure that they have access only to what they need?

There are two prime methods of limiting the damage a single person can cause: limiting access to data and limiting impact to data.

Limiting access to data is most strictly implemented through mandatory access control, in which every piece of data is given a classification of value. An individual is rated for access up to a specific classification and may only read data at or below it. The most common example cited for this is the United States Government's use of the Unclassified, Confidential, Secret, and Top Secret national security classifications. (Anderson, 2008) This example is cited so often it is nearly a cliché, yet it is done so because it is effective. A person intent on causing damage has difficulty damaging data they can never read.

Limiting impact to data involves preventing data from being modified or otherwise manipulated by a malicious actor. Embezzlement is an effective example of damage that is caused through data impact. A person with the ability to modify the audit trail concerning monetary funds can make it appear that money went where it was intended when the actual destination was someplace that they profited from. A common solution to these types of threats is to utilize two-person integrity controls. (Humphreys, 2008) When data modification actions require two individuals to occur, it guarantees that a single person cannot overtly damage the data. When data modification notifies a separate reviewer of an action that may be carried out by an individual, then damaging changes will be detected in short order, which reduces the time available to cause damage, limiting the overall damage that can be accomplished.
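Both controls above, as one added example (not code from the post, Anderson, or Humphreys): the read rule of mandatory access control over the four classification levels named in the post, and a two-person integrity control on a ledger where a change takes effect only after a second, different person approves it. The ledger entries, change ids and names are constructed.

```python
from typing import Dict, List, Tuple

# Ordered classification levels named in the post; a higher number is more sensitive.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def can_read(clearance: str, classification: str) -> bool:
    """Mandatory access control read rule: a subject may read objects at or below
    its clearance and never above it ("no read up")."""
    return LEVELS[clearance] >= LEVELS[classification]


def readable_records(clearance: str, records: List[Tuple[str, str]]) -> List[str]:
    """Filter (classification, payload) records by the read rule."""
    return [payload for classification, payload in records if can_read(clearance, classification)]


class TwoPersonLedger:
    """Every modification is proposed by one person and approved by a different one.
    The approver is the separate reviewer: a lone actor cannot land an entry, and the
    reviewer sees each change at the moment it is proposed rather than months later."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []
        self.pending: Dict[str, Dict] = {}

    def propose(self, change_id: str, proposer: str, entry: Dict) -> None:
        self.pending[change_id] = {"proposer": proposer, "entry": entry}

    def approve(self, change_id: str, approver: str) -> bool:
        change = self.pending.get(change_id)
        if change is None or change["proposer"] == approver:
            return False                      # unknown change, or an attempt to self-approve
        self.entries.append({**change["entry"],
                             "proposed_by": change["proposer"],
                             "approved_by": approver})
        del self.pending[change_id]
        return True


if __name__ == "__main__":
    records = [("Unclassified", "memo"), ("Secret", "plan"), ("Top Secret", "keys")]
    print("Secret clearance reads:", readable_records("Secret", records))
    ledger = TwoPersonLedger()
    ledger.propose("c1", "mallory", {"amount": 500, "to": "vendor-42"})
    print("self-approval accepted?", ledger.approve("c1", "mallory"))
    print("second person approves?", ledger.approve("c1", "bob"))
    print(ledger.entries)
```

The ledger records both names on every entry, so the audit trail itself shows who moved the money and who agreed to it; altering that trail would again need two people.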

Anderson, R. (2008). Security engineering: A guide to building dependable distributed systems. New York: Wiley.

Humphreys, E. (2008). Information security management standards: Compliance, governance and risk management. Information Security Technical Report, 13(4), 247-255. doi:10.1016/j.istr.2008.10.010

Honeypots: When and when not

Under what conditions should you consider implementing a honeypot? And, under what conditions should you not operate a honeypot?

Honeypots make excellent research tools for tracking spam and worm propagation. Tang and Chen suggest a worm detection strategy of using two honeypots, one that receives data from the network and one that only can receive data from the first. They first hypothesize, then support, that such a setup can be used to automate the detection and collection of even unknown worms. By limiting the traffic seen on the second machine to being 100% malicious, traffic signatures can be developed automatically. (2005)

A situation where a honeypot should not be used is one where you are unable to control outgoing packets. Since the purpose of the honeypot is to allow attackers to exploit it, the server can be re-purposed as an attack platform if not properly controlled. Hallberg et al. describe how poorly protected honeypots pose a serious vulnerability to your network. They discuss the vulnerability being so severe that re-purposed honeypots could likely be seen as making the operator liable for downstream damages launched utilizing the platform. (2009)

Hallberg, C., Kabay, M. E., Robertson, B., & Hutt, A. E. (2009). Management Responsibilities and Liabilities. In Bosworth et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons, Inc.

Tang, Y., & Chen, S. (2005, March). Defending against internet worms: A signature-based approach. In INFOCOM 2005. 24th Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings IEEE (Vol. 2, pp. 1384-1394). IEEE.

Wednesday, September 18, 2013

Getting Started on Intrusion Detection

If someone asked you for advice on what he or she should do first to get started on Intrusion Detection, what would you recommend?

Honestly, I would meet the question with another. What is meant by “to get started on intrusion detection”? I read this as a set of distinct scenarios, all of which need to be addressed separately.

  • When I first read the sentence, the image brought to mind was a home user first looking to secure their own network. Technical experience is very limited, maybe a help desk job; existing host-based software consists of just operating system software firewalls, possibly with an assortment of pre-loaded trial personal security products; the network size is limited to a small handful of consumer out-of-box operating systems.
  • Not too different a use case is an IT professional looking to add intrusion detection to their existing small business network. More machines, likely with pro OS licenses, but a similar basic starting point.
  • My final use case is a significant direction away from the other two. It focuses not on the network just gaining intrusion detection, but rather on the asker attempting to break into the field of intrusion detection. They will be joining, or aspire to join, a mature network with entrenched intrusion detection components.

Given that the significant aspects of intrusion detection boil down to host-based monitoring, traffic monitoring, signature-based detection, and behavior anomalies, each of the above use cases needs to focus on specific cases. The new home user needs to select and install off-the-shelf monitoring components, as detection cannot be done without the pieces in place. Host-based logging should be enabled and a file scanning security product can catch the low-hanging fruit of intrusion detection: recognizing known malicious code on disk. Installing Snort with its default configuration should be sufficient to get the network side started for the small home network, harnessing its preloaded rules for signature detection. (Vacca, 2009, pp. 64-65)

The new network admin will want to build up all the same components as the home user, while also adding behavior anomaly detection over the traffic and host logs. Unlike the home user, the administrator cannot personally vouch for all of the legitimate actions on the network; thus, it is important to have tooling that assists in locating which actions are anomalous.

Even though this write-up has gotten far longer than I had intended, there is the third, and far different, interpretation of the question: how to get started effectively utilizing an existing, mature intrusion detection setup. As stated by Kemmerer and Vigna, “Auditing your system is useless if you don’t analyze the resulting information.” (2002) Get comfortable with logs and traffic dumps, automating as much of the analysis as you can. In a large network with a mature set of intrusion detection tools running, you will have all the data you can handle to analyze. Learn the protocols of the traffic you are scanning so that your comments about the traffic can be more than just “it’s all Greek to me”, to use a Shakespearean idiom.
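As an added example, not part of the original write-up, here is a small Python script that applies both detection styles named above, a signature rule and a behavior baseline, to a few constructed sshd log lines; the blocked account list and the failure threshold are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data (not real logs): a quiet "known good" period that
# serves as the behavior baseline, plus one night's new lines to analyze.
BASELINE_LOG = """\
Oct 28 09:01:12 host1 sshd[1901]: Accepted password for alice from 10.0.0.5 port 50001 ssh2
Oct 29 09:04:40 host1 sshd[1950]: Accepted password for bob from 10.0.0.7 port 50002 ssh2
"""
NEW_LOG = """\
Nov  3 08:05:40 host1 sshd[2133]: Accepted password for bob from 10.0.0.7 port 51100 ssh2
Nov  3 23:14:02 host1 sshd[2200]: Failed password for root from 203.0.113.9 port 40001 ssh2
Nov  3 23:14:03 host1 sshd[2200]: Failed password for root from 203.0.113.9 port 40001 ssh2
Nov  3 23:14:05 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2
Nov  3 23:14:06 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2
Nov  3 23:14:08 host1 sshd[2202]: Failed password for invalid user oracle from 203.0.113.9 port 40003 ssh2
Nov  3 23:20:31 host1 sshd[2244]: Accepted password for alice from 198.51.100.4 port 60010 ssh2
Nov  3 23:21:00 host1 cron[2250]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Only sshd password-auth lines are of interest; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)"
)
# Signature rule (an assumption for this example): accounts that must never
# authenticate over ssh here, so any attempt against them is "known bad".
SIGNATURE_USERS = {"root", "admin", "oracle"}

def parse(log_text):
    """Yield one dict per line that matches the sshd password-auth format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def build_baseline(events):
    """Learn which source addresses each user normally succeeds from."""
    baseline = defaultdict(set)
    for e in events:
        if e["result"] == "Accepted":
            baseline[e["user"]].add(e["src"])
    return baseline

def signature_alerts(events):
    """Signature detection: fire on any attempt against a listed account."""
    return [e for e in events if e["user"] in SIGNATURE_USERS]

def anomaly_alerts(events, baseline, fail_threshold=5):
    """Behavior detection: failure bursts per source, and logins from new addresses."""
    fails = Counter(e["src"] for e in events if e["result"] == "Failed")
    alerts = [("bruteforce", src, n) for src, n in fails.items() if n >= fail_threshold]
    for e in events:
        if e["result"] == "Accepted" and e["src"] not in baseline.get(e["user"], set()):
            alerts.append(("new_source", e["user"], e["src"]))
    return alerts

if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    today = list(parse(NEW_LOG))
    print(len(signature_alerts(today)), "signature hits;", anomaly_alerts(today, base))
```

Note that the signature rule fires on every attempt whether or not it is part of a burst, while the baseline check only knows what it has seen before, which is exactly why the two approaches complement each other.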

Kemmerer, R. A., & Vigna, G. (2002). Intrusion detection: a brief history and overview. Computer, 35(4), 27-30.

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.

Tuesday, September 3, 2013

Another semester

New school year, new class.

Prevention and Protection Strategies in Cybersecurity starts next Monday. Should be fun; the first week will be all about Enterprise Network Intrusion Prevention Systems.

Objective: Analyze the strengths and weaknesses of firewall technologies and methodologies in protecting enterprise networks.

Can't wait.

Tuesday, August 13, 2013

Et tu, Google?

I was just reading through the Y Combinator comments about Elliott Kember’s blog post about Chrome. I am shocked. You, as my only reader, are already familiar with the fact that my hobby, education, and profession are all security: initially software, but expanding to security as a whole.

Not only shocked, but absolutely appalled. Mr. Kember is writing about how Chrome has revealed that OS X provides programmatic access to your “Keychain” without requiring a password. Think about that again: OS X pretends to be guarding your passwords, but... not really. About half the comment replies are attacking Google for not protecting something which is not otherwise protected!

What the Google haters are asking for is no different from “encrypting” your passwords.txt file by renaming it passwords.exe. Sure, it means that your grandma can’t double-click on the desktop icon to read them, but it doesn’t mean it is secure.

Justin Schuh, from Google, had this to say about the password security...

I'm the Chrome browser security tech lead, so it might help if I explain our reasoning here. The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theater. Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install a malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants. We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get.

… and it is all true. Thank you, Google, for concerning yourself with true security instead of faking it.

Now, onto my list of favorite fails from the comments!

  1. “This sets up a situation where Chrome actually circumvents and makes passwords originally stored in Safari less secure than they were initially” - Without having a Mac to research on, I can’t say for sure, but it sounds like neither Chrome nor Safari stores the passwords itself on a Mac; they use the operating system keychain, which obviously doesn’t require a password to access, or Chrome couldn’t do it.
  2. “This concerns me. I have friends that I would not trust around my computer now because...” - Sorry mate, you shouldn’t be trusting those friends with access to your computer then. Think a bit more about everything you are exposing yourself to. Chrome isn’t the problem.
  3. “Also, going off what you have said, the "locking" process in windows is pointless since it offers a false sense of security. It can be broken just by rebooting the computer with a boot disk, right?” - A rebooted machine has wiped its system state and still doesn’t gain the attacker anything if you defended against it. *cough* disk encryption *cough* Applications can’t reasonably defend against the OS, and the OS can’t defend against the hardware. Them’s the breaks.
  4. “that does make it psychologically harder” - When your standard of security is “I’m protected against someone that doesn’t want to attack me,” then you have lost. Leave up a sign that says “Key under mat” or don’t lock your door; neither is protecting you.
  5. “Yes, but by your reasoning, surely obfuscating passwords when inputted into websites is also pointless, yet you do do this in Chrome” - Masking passwords is not done to protect them from the user; it is done to protect them from anyone who can see the screen.

You only defend against the threats you try to defend against. Chrome has decided not to try to defend against the malicious user legitimately logged into your system, because they can’t. Not really. It even says so in their FAQ: “Why aren't physically-local attacks in Chrome's threat model?” So, either use Chrome as it is or don’t. Just realize that whatever else you use is failing to protect you from a malicious user too. How long does it take to steal your Chrome passwords? No longer than it takes to install a RAT from a thumb drive!

The title is just amusing to me, I don't feel betrayed by them at all. In fact when I forgot a password I had saved, Chrome reminded me. And I was glad for it.

Saturday, August 10, 2013

My Introduction to the Physical Side of Cybersecurity

Let me apologize if you came in expecting a discussion of cold-boot attacks.

A few months ago I moved to a new townhouse. The front door has an interesting handle lock and deadbolt combination, in which the handle lock defaults to engaged, with buttons on the covered side of the door that disable it. Interestingly, if the deadbolt is engaged then the buttons revert back to engaged. Not knowing about that feature, the first time I went to leave after moving in was the first time I was locked out of the house. It was a scary moment, as I didn't know any of the neighbors yet and the landlord is out of state. Remembering a trick I was shown years ago by a neighbor helping us re-enter our apartment, I attempted to jimmy open the latch with an unused credit card. (Don’t use your primary debit card; the attempt can snap a card in half!) Thankfully, and terrifyingly, the front door opened with a soft click. My feelings about the moment were echoed back to me upon returning to the car, when my house guest stated, “I’m glad you got it open, but a big part of me was hoping it would be harder than that!”

That day, and the sudden feeling of helplessness when the door first clicked shut, told me that I don’t ever want to feel like that again. This event occurred about a month before my wedding anniversary, so I informed my partner that the only gift I wanted was a set of lock picks and a how-to guide. Soon my very own copy of the “CIA Lock Picking: Field Operative Training Manual” arrived, followed by a small set of lock picks. (Less than 4 stars on Amazon; not a very detailed book.)

Once my picks arrived, I went searching through my house for locks to practice on. Turns out that all of the keyed locks in the house are on the exterior doors; to practice, I would have to sit in public picking at a lock. Something tells me that this sort of activity would not endear me to my new neighbors. So, off to Walmart I went, purchasing a Brinks single-cylinder deadbolt for about sixteen dollars. (Hindsight: who thinks that a sixteen dollar lock is a good choice to protect that 60 inch television?)

Television time became practice time, up to two hours a night, depending on when the day's obligations finished. That first successful pick took a few weeks to occur. I kept practicing with that deadbolt until I could open it three times in a single show. The keyway scraped wide so that the tension wrench could slip without the chamber turning, so I felt it was time to retire that one.

Today I decided to try a new lock, so I picked up a Master padlock. One was labeled as “Level 5” and one was labeled as “Level 9”, so I grabbed the nine. My assumption was that it should provide me with another few weeks of practice. Wrong. Time to first pick was measured in seconds; what a waste. For the next few minutes I just kept clicking it back open. So much for “pick-resistant.”

These two locks are a significant milestone in my security development. Picking gives me the ability to assess the physical security of a space. Recommending a ten to twenty dollar lock from Walmart to secure your spaces and data storage is not a recommendation I would make.

In my basement I discovered that there is a locked box from an old, disconnected security system. Fairly ironic that a metal box with the word ‘Security’ in the brand label has a lock which is trivial to pick.

Amusingly, one lock I have not yet attempted is my own front door. Not disturbing the neighbors is still the excuse I give myself, but maybe I just don’t actually want an honest assessment.

As a closing thought, I want to stress as strenuously as a newbie security blogger can that handle locks are worse than no lock. They are security theater, where the lock does not actually do anything. An actor willing to walk into your house will likewise have no scruples about just unlatching the door. Cost required? Free, as I have found store club cards to be better than credit cards for doing this. They flex around the corners better than the stiffer credit cards, and you can get more just by walking into a store and asking for one. My “pick” of choice right now is a Safeway card!

TL;DR: Locks seem to really be a place where you get what you pay for! Handle locks just let you think you're secure!

Saturday, July 20, 2013

Lazy Saturday and tech woes

Strangely enough, I find myself this Saturday with some free time and keyboard access. Upon browsing my own blog, I found that my most recent post (The Blonde in the Bar) had been reverted to an out of date draft.

Originally, I had the inspiration for the write-up while I was on vacation. As such, the post was created using the Blogger app on my phone and then saved as a draft. When I got home, I cleaned up the post on my desktop through Chrome. A few days ago I reopened the Blogger app on my phone, which was still open to the first draft of that write-up. Closing the app saved the writing back to the version cached in the phone! Thank you, Google Cache; that was how I was able to restore the correct version.

I would love to write something deep and thought provoking or, better yet, get some coding done but I just heard life calling again.

Wednesday, July 10, 2013

The blonde in the bar

In A Beautiful Mind, Russell Crowe plays the brilliant mathematician John Nash. Partway through, he has a moment at a bar which inspires him to write. His bar moment gave him insight into his field, and he left after thanking the blonde in the bar. I have been inspired to write about what I've recently learned from a night in a bar. To my blonde in the bar, thank you.

At some level, everyone knows that their privacy is at best only as safe as they protect it. People also tend to be really bad at doing that protection. When a gorgeous, dashing gentleman (read: lonely, bored drunk) in the bar asks for a dance, it can be an awkward moment, since both parties are keeping the physical contact to less than that of a middle school formal. Small talk fills the few minutes of the dance.

What has you in town? School.
Study? Interesting sounding topic.
Prompt for information. Chat, including a brief, slightly bragging mention of a great internship.

Part way through the song her friend cuts in and the dance ends. Part ways, no names given. Anonymous.

How anonymous? Not at all. The school, the program of study, and the internship were all that was given. When searched appropriately online, that tuple points initially to a person, one that just happens to share the first name which was overheard in the bar, said by the blonde's friends. Even without that tidbit, that first entry contains a full name. Searching for that full name on another site provides a picture along with the results. Match.

As for the friend that cut in, the only information she ever provided was her face and her association with the blonde. Solid anonymity? No more than the first. The online trail included her full name and even a friendly nickname. Hometown? High school? Interests? All exposed, based entirely on a chance meeting with her friend, the blonde in the bar.

What is the appropriate amount of information to share, and what is the information that must be held close to the chest? A brief, anonymous chat with a stranger in a bar can potentially have wide rippling effects. How much do you say without thinking about whether it exposes you, your friends, or your family? In The Art of Deception, Mitnick poses a challenge which should be trained into employees: "If I gave this information to my worst enemy, could it be used to injure me or my company?" (2002, p. 53) This is a question all of us should probably ask about all of our information.

Once again, thank you. I never before had thought as deeply about what information I may be exposing just by chatting away.

I can't leave you without the clip that I began by discussing...

Sunday, June 30, 2013

Summer Reading List

I was browsing an actual Barnes and Noble yesterday, and it was a pretty nice experience. The draw was that I wanted to grab the new expansion to the deck-building game Legendary (Dark City!), but they didn't have it in stock. Since I had thirty minutes to kill anyway, I used the rest of my time to shop around, though not intending to buy anything.

If it has been a while since you explored a brick-and-mortar book source (for me it has been years since I spent any significant time in a library or bookstore, outside of the SciFi/Fantasy sections), I recommend you head back for a bit. Getting to handle the books and look them over was a nice way to shop, rather than the sterile, recommendation-filled environment of Amazon. Sure, Amazon is really efficient, but the hands-on nature of the Barnes and Noble was enjoyable.

Anyway, in the Professional Computing section, I found a whole set of books that I want to have.

The book I wound up getting was The Art of Deception: Controlling the Human Element of Security by Kevin D. Mitnick. So far it has been a great read. I plan on writing my thoughts about it here.

Also, in making this list I saw I could order The Shellcoder's Handbook for under $7, including shipping. It should arrive in a week or so!

Monday, March 11, 2013

Canned Spam

There are no published comments on this blog because no one has commented. I just read through the spam filter and it is quite full. Annoying, but why bother spamming a blog that apparently has no readers?

Saturday, March 9, 2013

Hiccups and funding

I have not been posting recently, since most of my posts were just dumps of work from my cybersecurity courses. This semester became a break when I encountered a last-minute hiccup with my funding. I regret that I have not been posting, because this blog is a way to lay out my thoughts permanently.

Upon selecting to learn more about cybersecurity, I was thinking that the field would be computer science with a focus on dangerous coding. That has not been the experience at all. As is encapsulated in my existing posts, cybersecurity is a much more big-picture field. Personnel management, policy development and compliance, physical security, access control, vulnerability discovery, incident response, intrusion detection, cryptography... the list of topics related to cybersecurity goes on and on. All these topics come up in blogs I read and news I see. Both the articles I read and the thoughts I have from them deserve comment, so I should be writing here.

I don't know if there are any repeat readers here or if the visitors are just stumbling on things related to the classes they take, but I said I started this blog to "dump thoughts and archive work." There has been precious little of me just dumping thoughts, so that will have to change, since I'm not currently in a class that gives me work to archive.

I almost published this as a big blob of text because I nearly left out the HTML. Have a nice weekend!