Monday, December 3, 2007

Another nail in the coffin for MD5

While collisions in MD5 hashes are nothing new, this most recent study by de Weger, Stevens and Lenstra (Article Link) adds even more concern to the trustworthiness of an MD5 hash. If you can't trust a signed executable, what can you trust? I think nothing. Their technique, however, requires much premeditation. It's not as if you can create a collision on an existing executable. To be effective in a malicious way, it would require that you create two executables up front with the same hash. This is done by appending 832 bytes of useless data to the existing executables. As you can imagine, this would make it very easy for a criminal to create two versions of software, one with a backdoor, that have the exact same MD5 hash. Of course, it would be easy for them to get the good one signed and then create a download site with the malicious one. While this is somewhat sophisticated, I could definitely see this being utilized by the hack-for-money crews. It doesn't take much to get your software posted on some shareware download site. Also, I could see elite crews even trying to get drivers signed in this method. So what are we supposed to do about it? The authors of the paper suggest that SHA-1 is much more resistant to collisions and is a better alternative. Despite that, I think a search for a better hashing and signing algorithm should get underway if it already hasn't. I don't think the threat is imminent by any means, but we will need something stronger in place within the next 2-3 years.

Thursday, October 25, 2007

Windows Forensics and Incident Recovery

Windows Forensics and Incident Recovery

Notes

Windows Event Log

-clearing the Security Event Log generates event ID 517 on NT/2000/XP/2003 (1102 on Vista and later)

-Stealing info via USB drive may cause event ID 134 ("Removable Storage Service"); if logs have been cleared, check the HKEY_LOCAL_MACHINE\System\MountedDevices registry key. A right click on these entries may show "RemovableMedia"

-Logon events http://support.microsoft.com/default.aspx?kbid=174073

-Logon types http://support.microsoft.com/default.aspx?scid=kb;en-us;140714

-More security Events http://support.microsoft.com/kb/174074/

CMD Line History

- doskey /history or the RunMRU registry key

File Associations

- C:\>assoc will list out every association; C:\>assoc .exe ---> .exe=exefile

- ftype exefile ---> exefile="%1" %* ; shows what is run when a .exe is launched; should match the value in HKEY_CLASSES_ROOT\exefile\shell\open\command

- if this value has been moded by malware use --> C:\>ftype exefile="%1" %* to change back

Hidden Files

- To view hidden files ---> C:\> dir /ah; using the attrib command will list out all file attributes

Scheduled commands

- Sometimes malicious code is scheduled; use the at command or schtasks.exe to view scheduled tasks

File Signatures

- found in the first few bytes of a file (offset 0); MZ is found in executables; look for a mismatch between signature and extension

- a good list of file headers http://www.techpathways.com/uploads/headersig.txt
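A small scanner for the signature/extension mismatch described above, added here as an example (it is not from the book or the headersig.txt list): it reads the first 16 bytes of every file under a directory, matches them against a short magic-number table, and reports files whose extension does not belong to the detected type. The table, the file names and the sample contents are constructed for the example.

```python
import os
import tempfile

# Magic numbers at offset 0 and the extensions they are normally paired with.
# Constructed short table for the example; a real scanner uses a fuller list
# such as headersig.txt.
SIGNATURES = [
    (b"MZ", "pe-executable", {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}),
    (b"%PDF", "pdf", {".pdf"}),
    (b"PK\x03\x04", "zip", {".zip", ".jar", ".docx", ".xlsx"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"GIF87a", "gif", {".gif"}),
    (b"GIF89a", "gif", {".gif"}),
    (b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2", {".doc", ".xls", ".ppt", ".msg"}),
]


def identify(header: bytes):
    """Return (type_name, expected_extensions) for the first matching magic, or None."""
    for magic, name, exts in SIGNATURES:
        if header.startswith(magic):
            return name, exts
    return None


def check_file(path: str):
    """Return (detected_type, mismatch). mismatch is True when the magic number
    identifies a known type and the extension is not one of its usual ones."""
    with open(path, "rb") as fh:
        header = fh.read(16)            # longest magic in the table is 8 bytes
    hit = identify(header)
    if hit is None:
        return "unknown", False
    name, exts = hit
    ext = os.path.splitext(path)[1].lower()
    return name, ext not in exts


def scan(root: str):
    """Walk root; return sorted (relative path, detected type) for every mismatch."""
    mismatches = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            detected, bad = check_file(full)
            if bad:
                mismatches.append((os.path.relpath(full, root), detected))
    return sorted(mismatches)


def build_sample_tree():
    """Constructed sample data: a PE hiding behind .txt, a zip behind .jpg, plus normal files."""
    root = tempfile.mkdtemp(prefix="sigscan_")
    samples = {
        "readme.txt": b"plain text, nothing to see\n",
        "setup.exe": b"MZ\x90\x00" + b"\x00" * 60,       # legitimate PE
        "invoice.txt": b"MZ\x90\x00" + b"\x00" * 60,     # PE renamed to .txt
        "report.pdf": b"%PDF-1.4\n%...",
        "photo.jpg": b"PK\x03\x04" + b"\x00" * 26,       # zip archive renamed to .jpg
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, kind in scan(build_sample_tree()):
        print(f"{rel}: content is {kind}, extension disagrees")
```

The check is deliberately one-directional: a .txt that is really a PE is reported, but a file with an unknown header is not, since plenty of legitimate formats have no fixed magic.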

File Times(MAC Times, Modified Accessed Created)

- C:\>dir /ta /o:d ----> shows last-accessed times, sorted by date

- The Unix touch cmd has been ported to windows http://www.dwam.net/docs/aintx/

- if object-access auditing is enabled on the file, opening it (which is what updates the access time) creates events with ID 560 in the Security log

File Binding

- Elitewrap will combine 2 files and compress http://homepage.ntlworld.com/chawmp/elitewrap/

- GUI version inPEct http://sysdlabs.hypermart.net/proj/inpect.txt

ADS(Alternate Data Stream)

- Lads will detect this http://www.heysoft.de/Frames/f_sw_la_de.htm

- Also Streams from sysinternals http://www.sysinternals.com/utilities/streams.html

- the best way to remove an ADS is to copy the file, delete the old, and rename

- an ADS can also be attached to a directory; run from inside it, echo "FooBar" > :ads.txt attaches the stream to the current directory

- This adds an executable to a common txt file -> C:\ads>type c:\windows\system32\notepad.exe > myfile.txt:np.exe

- Call it like this -> C:\ads>start .\myfile.txt:np.exe , the full path works also

- vb scripting can be hidden in ads and launched --> C:\ads>wscript //E:vbs myfile.txt:ads.txt

Registry Hiding

- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation is a common hiding place: the OS only reads its handful of time-zone values (via GetTimeZoneInformation), so extra values added under the key, whether strings or small programs, go unnoticed http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/base/gettimezoneinformation.asp

Document Metadata

- Strings from sysinternals will also find metadata http://www.sysinternals.com/utilities/strings.html

- rhdtool from MS will remove metadata http://www.microsoft.com/downloads/details.aspx?FamilyID=144e54ed-d43e-42ca-bc7b-5446d34e5360&displaylang=en

OLE Storage

-Merge Streams will combine files http://www.ntkernel.com/w&p.php?id=23

Steganography

- Free Tools at http://home.earthlink.net/~emilbrandt/stego/software.html (S-Tools4)

- Hydan is also popular http://www.crazyboy.com/hydan/

Windows Server Port List

- http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

NTFS Conversion

- to convert from FAT to NTFS --> C:\>convert c: /FS:NTFS

NSA Templates

- you can download OS templates for windows secedit(Local Security Policy) http://www.nsa.gov/snac/downloads_os.cfm?MenuID=scg10.3.1.1

GPO settings

- gpresult.exe can be run to find policy settings http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp

Login Restrictions

- the net accounts command (e.g. /lockoutthreshold) changes lockout settings, including allowing unlimited password attempts

http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b194739

IIS Application mappings

- using the MMC, bring up application mappings and disable all unnecessary mappings

- IIS Lockdown and URLScan can provide additional security for IIS servers

Windows File Protection

- Windows File Protection restores protected files from the cache (%SYSTEMROOT%\system32\dllcache) if they are modified or deleted

- the cmd line utility sfc can be used to replace modified files

Perl lib Win32::AdvNotify

- allows you to create your own WFP-style monitor, for example for a static website: it watches for defacements, automatically replaces the file and notifies you. http://idnopheq.perlmonk.org/perl/packages/x86/Win32/

Patch Management

- Download MBSA here http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx

- Shavlik Trial http://www.shavlik.com/pDownloadForm4.aspx?productid=1

Web Vulnerability Assessment

- Free tools available at http://www.ntobjectives.com/freeware/index.php

Centralized Logging

- ntsyslog, kiwi syslog daemon, dumpevt.exe(somarsoft)

- Port Reporter logs port-to-process mappings http://support.microsoft.com/?id=837243

Volatile Information Recovery

- C:\>date /t && time /t , records the system date and time for comparison

- systeminfo.exe , native on XP or newer will show uptime also, psinfo.exe from sysinternals

- psloggedon.exe from sysinternals shows remote and local logged on users

- netusers.exe from somarsoft will also show previously logged on users with the /h switch

- C:\>net session will display any active remote connections

- C:\>net use * \\machine\c$ /u:Administrator , to map a remote admin share

- to list processes use pulist from the resource kit, or pslist from sysinternals; pslist -t displays processes in a tree. Trojaned processes often fall outside the tree

- listdlls.exe from sysinternals will give you version information along with the command used to start the process

- handle.exe from sysinternals lists out everything the process is accessing

- c:\>tasklist /svc, native to XP, lists processes along with the services hosted in each; tasklist /v adds the window title and user name

- tlist from the windows debug kit is very functional http://www.microsoft.com/whdc/ddk/debugging/default.mspx

- svchost is a windows generic process that shows up multiple times. To find out what they are mapped to review the following reg key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

Remote Shell

- Net use \\machine\ipc$ /user:machine\administrator

- psexec \\machine cmd

Process Info Guidelines, at minimum collect the following:

-Process identifiers (PIDs) for each process running on the system (provided by most all tools)

-Process name (provided by most all tools)

-Length of time the process has been running (pslist.exe)

-Command line used to launch each process (listdlls.exe, cmdline.exe, tlist.exe)

-Full path to the executable file that each process was launched from (cmdline.exe, tlist.exe)

-User context that each process runs under (handle.exe, pulist.exe)

-Services running under each process (tlist.exe, tasklist.exe)

Additionally, the investigator will also want to collect the following:

-Handles used by each process (handle.exe)

-Modules (DLLs) used by each process (listdlls.exe)

Process Memory

- using pmdump.exe from http://www.ntsecurity.nu/toolbox/pmdump/ you can extract what's in memory for a given PID

- dd from http://users.erols.com/gmgarner/forensics/ will slice out entire physical memory contents

- c:\>dd if=\\.\physicalmemory of=c:\win2k-physmem.dd bs=4096

Network Stat & Connections

- promiscdetect from http://www.ntsecurity.nu/toolbox/promiscdetect/ will find interfaces in promiscuous mode, locally

- netstat lists many 0.0.0.0 listeners; these result from apps binding to the INADDR_ANY constant (all interfaces)

- on XP or newer, netstat -ano, the -o option lists the PID

- nbtstat -s, lists current netbios over tcpip sessions

- fport from http://www.foundstone.com/resources/freetools.htm will map ports with the full path of process

- net use lists out all shares currently mapped

- net share lists out all resource shared out on the system

- net session lists active SMB sessions made to the system over the network

- net file lists out any files in use by an active net session
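Added example (not from the book) that joins the two outputs above the way fport does: it parses netstat -ano and tasklist /svc text (constructed samples in the format of the XP/2003 tools), builds a port-to-process view, and flags sockets owned by processes outside a short known-image list, including the svchost look-alike names the Malware Footprints section mentions later. KNOWN_IMAGES is a placeholder allow-list for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed sample in the format of "netstat -ano" (no real host or traffic).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1544
  TCP    10.1.1.15:139          0.0.0.0:0              LISTENING       4
  TCP    10.1.1.15:1045         10.1.1.200:445         ESTABLISHED     4
  TCP    10.1.1.15:1052         203.0.113.9:6667       ESTABLISHED     1544
  UDP    0.0.0.0:500            *:*                                    704
"""

# Constructed sample in the format of "tasklist /svc".
TASKLIST_SAMPLE = """
Image Name                   PID Services
========================= ====== =============================================
System                         4 N/A
svchost.exe                  892 RpcSs
lsass.exe                    704 PolicyAgent, ProtectedStorage, SamSs
scvhost.exe                 1544 N/A
"""

_NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
_TASKLIST_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*?)\s*$")

# Placeholder allow-list for the example; a real one comes from a known-good baseline.
KNOWN_IMAGES = {"system", "svchost.exe", "lsass.exe", "services.exe"}


def _split_addr(addr):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """One dict per socket line. UDP has no state column; a bound UDP socket counts as listening."""
    conns = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        laddr, lport = _split_addr(local)
        raddr, rport = _split_addr(remote)
        conns.append({"proto": proto, "laddr": laddr, "lport": lport,
                      "raddr": raddr, "rport": rport,
                      "state": state or ("LISTENING" if proto == "UDP" else None),
                      "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """{pid: (image name, [service names])}; the header and ruler lines do not match."""
    tasks = {}
    for line in text.splitlines():
        m = _TASKLIST_RE.match(line)
        if not m:
            continue
        image, pid, services = m.groups()
        tasks[int(pid)] = (image, [] if services == "N/A" else [s.strip() for s in services.split(",")])
    return tasks


def fport_view(conns, tasks):
    """fport-style rows (proto, port, pid, image) for every listening socket, sorted by port."""
    rows = [(c["proto"], c["lport"], c["pid"], tasks.get(c["pid"], ("<unknown>", []))[0])
            for c in conns if c["state"] == "LISTENING"]
    return sorted(rows, key=lambda r: (r[1], r[0]))


def svchost_lookalike(image):
    """True for names close to svchost.exe that are not svchost.exe (scvhost.exe, svchosts.exe)."""
    name = image.lower()
    return name != "svchost.exe" and SequenceMatcher(None, name, "svchost.exe").ratio() > 0.8


def findings(conns, tasks):
    """(kind, pid, image, detail) tuples for look-alike names and for sockets owned by
    images outside KNOWN_IMAGES. A 0.0.0.0 local address means bound to INADDR_ANY."""
    out = [("lookalike", pid, image, "svchost.exe")
           for pid, (image, _) in tasks.items() if svchost_lookalike(image)]
    for c in conns:
        image = tasks.get(c["pid"], ("<unknown>", []))[0]
        if image.lower() in KNOWN_IMAGES:
            continue
        if c["state"] == "LISTENING":
            where = "all interfaces" if c["laddr"] in ("0.0.0.0", "[::]") else c["laddr"]
            out.append(("listener", c["pid"], image, f"{c['proto']}/{c['lport']} on {where}"))
        elif c["state"] == "ESTABLISHED":
            out.append(("established", c["pid"], image, f"{c['raddr']}:{c['rport']}"))
    return out


if __name__ == "__main__":
    conns, tasks = parse_netstat(NETSTAT_SAMPLE), parse_tasklist(TASKLIST_SAMPLE)
    for row in fport_view(conns, tasks):
        print("%-4s %6d  pid %-5d %s" % row)
    for f in findings(conns, tasks):
        print(f)
```

On a live system the two inputs come from netstat -ano and tasklist /svc redirected to files on the response media; the join is by PID, which is why the -o switch matters.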

Clipboard info

-pclip.exe from http://unxutils.sourceforge.net/ will dump clipboard info to STDOUT

Command History

- C:\> doskey /history will show command line history

Service & Drivers

- net start will list all services running but not device drivers

- sc.exe from resource kit and native on XP or newer

- drivers.exe from the resource kit and driverquery on XP or newer provide a lot of driver related info

GPO settings

- can be used to determine how a system was compromised if settings were changed

- GPList from http://www.ntsecurity.nu/toolbox/gplist/ shows GPO's applied on a system

- GPResult.exe from the Resource Kit shows settings of the current user only

Protected Storage

- pstoreview.exe from http://www.ntsecurity.nu/toolbox/pstoreview/ can reveal user info in PS

MAC Information

- dir with /tw, /ta or /tc will give specific MAC time information (write, access, create)

- macmatch found here http://www.ntsecurity.nu/toolbox/macmatch/ will search a given time period

File permissions

- cacls, native to windows, will show permissions of any given file

File integrity

- md5deep from http://md5deep.sourceforge.net/ will calculate md5 hashes for you
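Added example (not the page's or md5deep's code) that covers this note and the MD5 collision post at the top of the page: an md5deep-style recursive listing that records MD5 and SHA-256 side by side, and a comparison that treats "MD5 unchanged but SHA-256 changed" as its own finding, because that is exactly what a colliding pair of executables looks like and an MD5-only baseline would call it clean. The directory contents and the tampering in demo() are constructed. (If you would rather not script it, the md5deep project also ships sha256deep and hashdeep.)

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    """Return (md5, sha256) hex digests, streamed so large images do not load into memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def hash_tree(root):
    """md5deep -r style listing: relative path -> (md5, sha256)."""
    listing = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            listing[rel] = hash_file(full)
    return listing


def compare(baseline, current):
    """Diff two listings. A path whose MD5 is unchanged while its SHA-256 changed goes
    into md5_only_match: either a collision or a corrupted record, never benign."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed, md5_only_match = [], []
    for rel in sorted(set(baseline) & set(current)):
        if baseline[rel] == current[rel]:
            continue
        (md5_only_match if baseline[rel][0] == current[rel][0] else changed).append(rel)
    return {"added": added, "removed": removed, "changed": changed,
            "md5_only_match": md5_only_match}


def build_sample_tree():
    """Constructed sample data standing in for a small install directory."""
    root = tempfile.mkdtemp(prefix="integrity_")
    samples = {
        "bin/app.exe": b"MZ\x90\x00" + b"A" * 100,
        "conf/app.ini": b"debug=0\n",
        "readme.txt": b"hello\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def demo():
    """Baseline, tamper (append to one binary, drop a new DLL), re-hash, compare."""
    root = build_sample_tree()
    baseline = hash_tree(root)
    with open(os.path.join(root, "bin", "app.exe"), "ab") as fh:
        fh.write(b"\x90" * 16)                       # constructed tampering
    with open(os.path.join(root, "bin", "dropper.dll"), "wb") as fh:
        fh.write(b"MZ\x90\x00" + b"B" * 50)
    return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Store the baseline listing on read-only media taken before the incident; a listing produced on the suspect host after the fact only tells you what the host is willing to show you.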

Recycle Bin Analysis

- Rifiuti from http://www.foundstone.com/resources/forensics.htm will parse the INFO2 file

Registry Analysis

- reg.exe from the resource kit will pull any keys you're looking for out of the registry from the cmd line

- Software\Microsoft\Windows\CurrentVersion\Run (under HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER) is the most popular persistence key for malware

- keytime.pl from the book will show last write times for any given registry key

User Accounts

- compromised machines most often contain new account(s) created by the hacker that need to be analyzed

- last logon, time created, # of logins, and permissions will all be useful information

Event Logs

- Auditpol.exe from RK can be used to verify the level of logging set on the system

- dumpel.exe from http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpel-o.asp will grab all event log data

- D:\>psloglist -s -x system , from http://www.sysinternals.com/Utilities/PsLogList.html can be used remotely

File Analysis

- strings from http://www.sysinternals.com/Utilities/Strings.html will retrieve ASCII/Unicode strings from a binary

- bintext from http://www.foundstone.com/resources/proddesc/bintext.htm is a gui w/ a good filter

- ms has a dll lookup online http://support.microsoft.com/dllhelp/

- dependencywalker from http://www.dependencywalker.com/ has a gui to show all file dependencies

- WordLeaker will rip out word metadata, along with revision history, available at http://www.elligre.tk/madelman/madelman/index.php/archivos/2005/02/23/wordleaker-extracting-info-from-word-files/

- fdte from http://www.digital-detective.co.uk/freetools/fdte.asp will grab hidden dates & times from a binary

- you can view pdf metadata by using Adobe Reader, FILE | Document Properties

CA Identity Theft Law(SB 1386) - affects all companies doing business in CA

- http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

Know What To Look For

- The goal of any incident investigation should be to determine whether an incident occurred, and if so, how was it able to occur(RCA)

Infection Vectors

- common vectors: email, p2p, IM, web browser, OS/application buffer overflows, default/weak passwords

Malware Footprints

- often leave new files and directories

- added to the per-user startup folder C:\Documents and Settings\<username>\Start Menu\Programs\Startup

- added to run in registry HKLM\Software\Microsoft\Windows\CurrentVersion\Run

- afind(foundstone) or macmatch(ntsecurity) can be used to find recently modified/created files/dirs

- can be a scheduled task(at cmd) and creates a job in C:\WINNT\Tasks

- example (2K) c:\>at 11:00pm /every:5,10 cmd /c "sol.exe"

- example (XP) c:\> schtasks /create /tn Solitaire2 /tr sol.exe /sc onlogon

- often malware changes how the system handles .exe files, HKEY_CLASSES_ROOT\exefile\shell\open\command

- original value "%1" %* ; other extensions modified are .bat, .com, or .txt

- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon can also be modified too

- Shell should be set to "Explorer.exe"

- abnormal processes, in particular svchost.exe is often mimicked (scvhost or svchosts) or duplicated

- malware can often be set up as a windows service, using srvany.exe (resource kit)

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q137/8/90.asp&NoWebContent=1&NoWebContent=1

- example C:\>path\instsrv.exe <service name> path\srvany.exe installs srvany as a service; then, by editing the following registry entry

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<service name>\Parameters (Application value), you can run any app or executable
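Added example (not from the book): a parser for a "reg export" .reg file that then checks the persistence spots listed above: the Run keys, the exefile open command, the Winlogon Shell value, and the TimeZoneInformation hiding place from the Registry Hiding section. The export text is constructed; the TZ_KNOWN value names are the ones the time-zone APIs read, and anything else under that key is reported.

```python
import re

# Constructed sample in the format of a "reg export" file (no real system).
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"Sys Update"="C:\\WINDOWS\\system32\\scvhost.exe -s"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\ldr.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation]
"Bias"=dword:000001e0
"StandardName"="Eastern Standard Time"
"payload"=hex:4d,5a,90,00,\
  03,00,00,00
"""

_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')

RUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
]
EXEFILE_CMD = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
TZ_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
# Values the time-zone code reads; anything else under the key was put there by someone.
TZ_KNOWN = {"Bias", "StandardName", "StandardBias", "StandardStart", "DaylightName",
            "DaylightBias", "DaylightStart", "ActiveTimeBias", "TimeZoneKeyName",
            "DynamicDaylightTimeDisabled"}


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)          # \\ -> \  and  \" -> "


def _decode(data):
    """REG_SZ -> str, dword: -> int, hex/hex(n): -> bytes (the REG_* type is not kept)."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return _unescape(data[1:-1])
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex"):
        body = data.partition(":")[2].replace(" ", "")
        return bytes(int(b, 16) for b in body.split(",") if b)
    return data


def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {name: value}}.
    The default value is stored under the name ''. Hex continuation lines are joined."""
    tree, key, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        while line.endswith("\\") and i < len(lines):   # only hex values continue this way
            line = line[:-1] + lines[i].strip()
            i += 1
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            key = line[1:-1]
            tree.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if key is not None and m:
            name = "" if m.group(1) is None else _unescape(m.group(1))
            tree[key][name] = _decode(m.group(2))
    return tree


def _values(tree, wanted):
    """Case-insensitive key lookup; exports keep whatever case the system used."""
    for k, v in tree.items():
        if k.lower() == wanted.lower():
            return v
    return {}


def persistence_findings(tree):
    """(kind, name, value) tuples for an analyst to review."""
    out = [("run", name, cmd) for key in RUN_KEYS for name, cmd in _values(tree, key).items()]
    cmd = _values(tree, EXEFILE_CMD).get("", '"%1" %*')
    if cmd != '"%1" %*':                       # anything else runs before every .exe
        out.append(("exefile", "(Default)", cmd))
    shell = _values(tree, WINLOGON).get("Shell", "Explorer.exe")
    if shell.lower() != "explorer.exe":
        out.append(("winlogon", "Shell", shell))
    for name, val in _values(tree, TZ_KEY).items():
        if name not in TZ_KNOWN:
            out.append(("tz-extra", name, val))
    return out


if __name__ == "__main__":
    for finding in persistence_findings(parse_reg_export(REG_SAMPLE)):
        print(finding)
```

Every Run entry is listed rather than filtered, since the legitimate-looking name is the whole trick; the exefile, Shell and TimeZoneInformation checks have a known-good answer and are only reported when it is violated.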

Rootkits

- popular Windows RK site is Greg Hoglund's site http://www.rootkit.com

- a user-mode rootkit simply replaces files with trojaned versions or uses DLL injection to patch code in memory

- a kernel-mode rootkit runs inside the kernel itself and hooks system calls, so nothing running above it (process lists, directory listings, netstat) can be trusted to report honestly

- for user-mode persistence, a workable removal is to boot into Safe Mode and remove the Run key entries and the files themselves; once a kernel-mode rootkit is confirmed, rebuild the system (see the nuke-and-pave note under Anatomy of a Hack below)

Forensics Server Project (POC for automated system info collection)

- http://www.windows-ir.com/fsp.html, runs on windows/linux, requires perl (Win32::GUI, Digest::MD5, and Digest::SHA1; install with c:\>ppm install <module>), can run on any port (default 7070)

- setup of the First Responders Utility (FRU) requires Win32::GUI, Win32::Lanman, Win32::Perms, Win32::API::Prototype, Win32::TaskScheduler, Win32::DriveInfo, Win32::IPConfig. Requires a CD burner, and you must also download the following 3rd party utilities: cmd.exe (clean), (sysInternals psloggedon, pslist, psloglist, psinfo, listdlls, handle), tlist from MS Debugging Tools, (DiamondCS cmdline, iplist, openports), (FoundStone rifiuti), (NTSecurity.nu promiscdetect) and reg and auditpol from MS.

- FRU also requires the following perl scripts getos.pl, pclip.pl, e_cmd.pl, service.pl, getsys.pl, tasks.pl, regdump.pl, mdmchk.pl, shares.pl, dt.pl, and ip.pl

- the clean cmd.exe should be placed in the root directory of the CD-rom

- The File Client Component (fcli.pl) should be installed as part of the FSP; it allows suspect files to be copied off

Scanners

- netcat can be used as a port scanner; D:\tools>nc -v -w 2 -z 10.1.1.15 0-1024 ; will display open ports in the given range.

- Adding an echo and dropping the -z will grab banners; D:\tools>echo QUIT | nc -v -w 2 10.1.1.15 0-1024 ;

- portqry is microsoft's version; http://support.microsoft.com/?kbid=310099

Sniffers

- netmon is built in by microsoft; http://support.microsoft.com/kb/148942/EN-US/ ; can also be run remotely via SMS

- windump is another w32 tcpdump; http://www.winpcap.org/windump/docs/manual.htm

Friday, September 21, 2007

Book Review: PYWN

I had the pleasure of reading Protect Your Windows Network From Perimeter To Data by Jesper Johansson and Steve Riley. Even though it lacks Vista coverage, being written in 2005, it is still very relevant and useful to security professionals today. It's a book that I wish I had read sooner, as it's a very good primer to security in a Windows environment. It's the perfect companion to the Windows Security Resource Kit. The book's two authors are both seasoned security veterans, and their IT geek humor is enjoyed throughout the book. I found myself thinking, "Yeah, I've been there before" several times and laughing at the absurdity of the situations we are frequently presented with.

Two notes of caution about this book before delving in. These guys were both Microsoft employees at the time of the writing, so yes, you will see some mild MS bias throughout, but they do a good job of reminding you of it in the text as well. I mean really, who recommends ISA Server over a FW appliance like Netscreen, Checkpoint, or ASA, other than a MS employee or a Redmond Kool-Aid drinker? Also, while this book contains great nuggets of information, for someone that's been in the security industry awhile, there will be a lot of general IT security information that you can just skim through in the first few chapters. This does not take away from the book in any way, it just broadens the target audience some.

One of the things I enjoyed most about this book was its readability. You can easily read a chapter a night and finish it quickly, because it's interesting and not dry like many books (i.e. the Official ISC2 CISSP Guide). Also, the authors revel in giving their brutally honest opinion, even when not always right, but it makes for very good reading. One of the early points they make, which should be known to the masses, is that complete security is unattainable. They used the illustration of chasing unicorns. While only possible in theory, you can only hope to reduce your attack surface and keep your risk at acceptable levels, because security is a dynamic state, not something that can be statically reproduced in reports and stamped with a seal of approval. Anybody that says their network is "secure" doesn't understand that security isn't really a state, but an ongoing process of managing risk. The book also provides excellent coverage of Windows patching schemes, developing security policies, and educating your users on what not to do. One of the standout chapters for me was the security dependency one, which illuminates something that most people don't really address. Service accounts and dependencies on other systems present a very big danger to networks. You in essence reduce your security to that of the least secure system when you allow your critical assets to be dependent on a workstation that has the same service account. Also, oftentimes domain admins will use their account to log in to low security systems, thus exposing their credentials. Another great chapter, which I never would have thought from reading the title, was the chapter on passwords. It has the most concise and easy to understand discussion of Windows authentication schemes that I've ever read. In just a few pages, it discusses the differences between LM, NTLM, NTLMv2, and Kerberos and what configurations are available.
The book also includes the requisite hardening guidelines for servers and clients and a very nice chapter on how to evaluate application security in an accurate and reproducible way. The book also comes with a CD, the most notable tool being their passgen script.

The only negatives I really noticed in the book were that they tried to justify not putting outbound filtering on the Windows firewall, only to see that feature show up in the Vista version. Also, their discussion of ARP failed to mention hard coding your gateway with a static ARP entry, which I thought was odd. Overall though, I would have to say I was mightily impressed with this book and would recommend it to anybody running a Windows environment. If interested, you can peruse my notes here.

Thursday, August 30, 2007

Protect Your Windows Network

Protect Your Windows Network From Perimeter to Data

by Jesper M. Johansson and Steve Riley



1 - Introduction to Network Protection

Information technology is working properly only when users can stop thinking about how or why it works

Security Management is about spending good money to have nothing happen

Fundamental tradeoffs are between Cost, Level of Security, and Usefulness/Usability

Microsoft Library - Security Center

A protected network is one with an absence of unmitigated vulnerabilities that can be used to compromise the network

To have a truly secure network you must enumerate every place where it might be insecure and demonstrate that it is not insecure in any of them. This is only possible in theory not in practice (i.e. Chasing Unicorns)

2 - Anatomy of a Hack

No network is any more secure than the least-secure device connected to it

SQL injection is a vulnerability in the application, not the DBMS itself

The only proper way to clean a compromised system is to nuke and pave it

3 - Patch Your Systems

If required by support contract, ensure your 3rd Party Vendor(ISV) certifies the patch prior to rollout

Having a test bed that mirrors production is essential for patch testing; typically VMware is utilized

It's also a good idea to use a small group of cross-functional users from within your organization to beta test the patches prior to full rollout

Use MBSA as a free alternative for patch scanning

For small businesses WSUS is recommended, where as SMS is utilized in larger organizations

Hot patching replaces the code in memory, but not on the system files until after a reboot or service restart

You can minimize reboots by unpacking the update(use /x switch) and determining which files will be installed. Then determine which running processes have the same files opened. Often times this requires you to disable a service, stop the service, and then install the update.

Slipstreaming is critical to get patches rolled into your new installs. Requires ISOBuster . Read More

4 - Developing Security Policy

Policies may include: Acceptable Use, Antivirus, Remote Access, Email & Retention, Data Protection, Password, Physical Security, Server Security, Direct Tap, Perimeter Protection, System Sensitivity Classification, and Privacy Policies

Sans Security Policy Center

Relevant Legislation/Stds: HIPAA , GLBA , SOX , ISO17799 , Financial Institutions

DISA Checklists , STIGs

The Site Security Handbook

5 - Educating Those Pesky Users

Social Engineering is the art and science of getting people to comply with your wishes

Diffusion of Responsibility - "Hey the VP says you won't bear any responsibility"

Chance for Ingratiation - "Look at the Reward you will get out of this"

Trust Relationships - "He sounds honest, I think I can trust him"

Moral Duty - "You've got to help me! Doesn't this make you so mad?"

Guilt - "What? You don't want to help me?"

Identification - "You and I are really two of a kind, huh?"

Desire to be helpful - "Would you help me here, please?"

Cooperation - "Let's work together. We can do so much"

If Two people know about it, It ain't a secret!

Security Awareness Training

A good policy for the helpdesk to follow is to use a bogus question or callback mechanism

6 - If you do not have physical security, you do not have security

Windows PKI Guides

Windows EFS Guide ,EFS should be used on all laptops

Adding USB Security (write-protect removable storage via the registry)

WriteProtect, a DWORD under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies; default value 0 (disabled), set to 1 to enable write protection

Key-In-Registry SYSKEY can be cracked (the key is on the disk alongside the data it protects); use Password Mode SYSKEY instead

7 - Protecting Your Perimeter

Quick Tips:

Block all inbound traffic where the source address is in your internal network

Block all outbound traffic where the source address isn't in your internal network

Block all inbound and outbound traffic with an RFC1918 source or destination

Block all source routed traffic

Block all fragments (except where IKE VPNs apply)

Deperimeterization

8 - Security Dependencies

Fundamental Rules for Network Segmentation

Less-sensitive (low security) systems may depend on more-sensitive (high security) systems

More-sensitive(high security) systems MUST NEVER depend on less-sensitive(low security) systems

Service Account dependencies such as Backup Software accounts must be mitigated via reduced permissions and stronger passwords

Domain Admin accounts should only be used on a domain controller. Logging into a desktop system, which is less sensitive, via a domain admin account puts those accounts at risk.

To prevent SMB reflection attack on older systems ensure SMB Message Signing is enabled on the client and server

9 - Network Threat Modeling

Spoofing

Tampering

Repudiation

Information Disclosure

Denial of Service

Elevation of privilege

10 - Preventing Rogue Access Inside the Network

802.1X requires clients (supplicants) and switches/APs (authenticators) that support 802.1X, as well as an authentication server (RADIUS). Windows supports either EAP-TLS, which involves mutual trust of digital certificates, or PEAP, which allows the supplicant to authenticate with traditional accounts (MS-CHAPv2).

Legacy devices that don't support 802.1X should be placed on a separate segment. Also, note that 802.1X will prevent PXE boot from working on the network. While several GPOs exist for managing wireless 802.1X networks, no published APIs exist for wired 802.1X networks, making a large deployment very difficult. Another major flaw in 802.1X is that once a client authenticates the port is opened and never reauthenticated, making it possible for an attacker to join the network. This only requires that the attacker spoof the MAC and IP address of the authenticated client; however, the attacker's traffic must be stateless (ICMP, UDP), since the real client's TCP stack would interfere.

Given the major decrease in the time it takes to crack wireless keys, recommended key lifetimes are now 8 mins(B) and 90 secs(A,G)

ipseccmd.exe can be used to define static and dynamic block rules on windows hosts. Note the policyagent service must be restarted in order for the rule to take effect. Only one policy can be assigned at a time. Read More

Domain Isolation

11 - Passwords and Other Authentication Methods

Cached credentials, the local copy of domain logon info used when no DC is reachable, are on 2000/XP/2003 computed as MD4(NT hash || lowercase username), both in UTF-16LE; the username is the only salt. They are stored in the SECURITY hive (HKLM\SECURITY\Cache), not in the LSA Secrets.

Kerberos authentication is used between systems in a W2K or higher domain, except when connecting by IP address instead of hostname. In that case there is no service principal name to request a ticket for, so it falls back to NTLM or NTLMv2.

Passing-the-hash removes the need to crack the password. Both LM and NT hashes are susceptible: an attacker who has obtained a hash (from the SAM or LSASS of a compromised host) can feed it straight into NTLM authentication to any host that accepts that account, local or domain, without ever knowing the password. The hash is never cracked because it is the actual secret the protocol uses; cracking only becomes necessary where the plaintext itself is required, such as for an interactive logon or a Kerberos pre-authentication.

Removing LM Hashes makes cracking the password take 4X longer

With Admin permissions, Cain's Credential Manager will extract cached credentials and start cracking them immediately. It's best practice to disable the storing of cached credentials (CachedLogonsCount=0) on all non-laptops.
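Added example (not from the book) that makes the cached-credential and pass-the-hash points concrete. MD4 is written out because hashlib.new('md4') is missing on many OpenSSL 3 builds; nt_hash() shows the NT hash is unsalted MD4 of the UTF-16LE password, cached_credential_v1() shows the 2000/XP/2003 cache entry is MD4(NT hash || lowercase username), and cached_credential_from_hash() shows the same value is produced from the hash alone, which is the whole reason a stolen hash is as good as the password. Test vectors are the RFC 1320 ones and the well-known NT hash of "password".

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Three rounds of 16 steps over each 64-byte block, little-endian words."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [(i % 4) * 4 + i // 4 for i in range(16)]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [int(f"{i:04b}"[::-1], 2) for i in range(16)]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = [a, b, c, d]
        for fn, k, shifts, order in rounds:
            for i in range(16):
                j = (-i) % 4                                   # rotates through a, d, c, b
                r[j] = _rotl((r[j] + fn(r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4])
                              + X[order[i]] + k) & MASK, shifts[i % 4])
        a, b, c, d = ((s + t) & MASK for s, t in zip((a, b, c, d), r))
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 of the UTF-16LE password. No salt, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le"))


def cached_credential_from_hash(nthash: bytes, username: str) -> bytes:
    """DCC1 / MSCache v1 entry (2000/XP/2003): MD4(NT hash || lowercase username), UTF-16LE.
    Only the hash is needed, which is the pass-the-hash point: the hash is the secret."""
    return md4(nthash + username.lower().encode("utf-16-le"))


def cached_credential_v1(password: str, username: str) -> bytes:
    return cached_credential_from_hash(nt_hash(password), username)


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    for user in ("Administrator", "alice"):
        print(f"DCC1 for {user}:", cached_credential_v1("password", user).hex())
```

Two things fall out of the code: the NT hash has no salt, so one precomputed table serves every account, and the cache entry is salted only by the username, so it resists tables but not a dictionary run against a specific account, which is exactly what Cain does with it.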

12 - Server and Client Hardening

Microsoft Security Guidance

User Software Restriction Policies(SRPs) - Restrict by IE Security zone, full or relative path, by signing certificate, or by a hash.

Disable anonymous SID/Name translation

Disable anonymous enumeration of SAM accounts and Shares

Disable Everyone permissions for anonymous users(Default)

Disable Anonymous access to Named Pipes and Shares(Null session access)

Disable autoadminlogon

Enable SMB Message signing; it only protects a session when both the client and the server have signing enabled

Recommended to use Send NTLMv2 response only\refuse LM

Create the SynAttackProtect key. Set 0 for systems on slow links. 2 for internet facing servers.

Restricted groups allow you to control who is a member of local groups(Powerusers,BackupOperators,etc) via GPO. This policy must be refreshed frequently to be effective.

Do not audit the use of the Backup and Restore privilege; it creates too many logs.

scwcmd transform, will convert an SCW role into a GPO

13 - Protecting User Applications

To get a full list of installed software check this key; it shows more than what you see in Add/Remove Programs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Make every effort to use LUA (least-privilege user account) privileges

Make use of RSoP in the MMC snap-in to determine what net policy effect is on your machine. GPO should be used to secure many applications, most importantly IE and Outlook

Utilize the Attachment Manager to limit what types of files can be downloaded. Unsafe List

All applications must be reviewed for patch levels.

14 - Protecting Services and Server Applications

Uninstall unnecessary components, disable unnecessary features

To secure a service account, remove it from default groups, use a strong password, remove terminal services capability, and use GPO to deny log on locally and deny access to this computer from network for that account. Then use filemon/regmon to see what permissions are required for the account to function.

You can use sp_dropextendedproc in SQL Server to remove unused extended stored procedures. Read More

More SQL Server Security Presentation and Checklist

IIS Lockdown only for IIS 5.0, IIS Whitepaper, and URLScan

15 - Security for Small Businesses

Windows Defender for Spyware, integrated into Vista

Vista UAC Documentation

Exchange Best Practices Analyzer

MS Small Business Security Guidance and More SB Resources

16 - Evaluating Application Security

Baseline a system after new software is added; check for new users/groups, new files/folders/registry entries, new privileges granted, new ACLs, and any security settings that may have been changed.

InCtrl5 and > secedit /generaterollback can be used, along with showaccs

SQL Profiler will show you what the SQL server sees coming from the webapp

OWASP application testing guides, more SQLsecurity

Don't trust home grown crypto; it often turns out to be mere encoding such as base64, XOR, or ROT13

17 - Data-Protection Mechanisms

Everyone group is identical to Authenticated Users. Do not modify default ACL's on XP or higher

Windows RMS

Protected Storage(Pstore) has been deprecated by Microsoft, as it is not secure, still used by many apps though

DPAPI is the replacement

Thursday, May 17, 2007

The Value of Certifications

After reading a very spirited, informative discussion on this topic over at SecurityFocus, I decided to throw my own hat into the ring. I want to expand on several relevant topics.

1 - Certifications are a joke - A certification alone, without experience, is typically not worth that much in the real world. It proves that the candidate can pass a test, often having had the questions in advance (see Testking/ActualTests). All it really guarantees is that the candidate has some basic knowledge of the subject. Even the certs with experience requirements are pitiful, due to the fact that they do not audit every candidate. And if they did, there's always a chance they lied, like most people do on their resume.

2 - Certifications are necessary - until the HR machine is overhauled, you cannot afford to not have certifications. Unless you have a good contact in the company, most non-certified individuals will be screened out by the non-technical HR employee, who basically knows keywords. I think also if you're very specialized, like on a certain product or field, having one of the more advanced certs could be very rewarding financially. Also, on the opposite end of the spectrum, having certs in several different areas, like various OSes, networking, security, etc., can show that you're pretty versatile.

3 - Experience is still king - despite the fact that you have a lot of "enhanced" resumes out there, experience is still the most important factor in deciding whether or not a candidate will be successful. A good track record of completing projects, troubleshooting, implementing, etc., along with personal references from those jobs, is still the best indicator that I've seen. Granted, you need to do a fair amount of vetting via the technical interview, but I still think it's what employers should put more emphasis on versus certifications.

In conclusion, I would like to state that I don't think it's possible for anyone to argue that the current certification system we have is not broken on multiple levels. We have hiring managers without a clue. We have money-grubbing, so-called experts selling us mediocre certifications. In short, we all have to take responsibility for fixing it. Whether it's done by educating people on the dangers of paper-only certified employees or by designing a new system, something needs to be done.

Thursday, April 26, 2007

Let's download the entire Internet!

As ridiculous as that sounds, startup Robot Genius aims to do just that. Talk about an ambitious project. Not only do they want to scour the entire internet, they also want to analyze the binaries present on the websites for malicious characteristics. Such a product is sure to be in high demand, given that web-based malware has taken the reins from email-based malware as the vector of choice. The biggest gap I see is how quickly they can do this. It's very common for malware authors to change IPs on a daily or weekly basis to stay ahead of the whitehats. With such a dynamic environment as the internet, surely they will not be able to keep up to date with the daily changes. More realistically, monthly changes would be feasible. Still, I see the value of the service as a more accurate blacklist than has been delivered in the past. I think this will serve to raise the bar for other AV/Security vendors to improve their products as well. And if that doesn't work, some behemoth like Symantec or Microsoft will just buy them out.

Read the Full Story HERE

Tuesday, March 20, 2007

MOMBY is on deck

So I'm still undecided on whether or not Mondo Armando and Müstaschio are for real. All the news reporters seem to think so, but I think it could also be just another April Fools' joke. Either way, if they actually produce some Myspace exploits, that would be awesome. Myspace has such a history of slow response to security issues that I'm not feeling sorry for them in any way. And given that it hosts millions of people's personal information, and they tend to be mostly computer illiterate and lack security knowledge, it looks like a good target for hackers. I also really like the approach these guys are taking, by making fun of the other Month of Whatever projects. HD Moore's original Month of Browser Bugs was awesome, but the ones that followed seemed to get less and less important. So in the end, I guess we will just have to wait and see whether this is just another publicity stunt or if these guys have something to offer other than humour. Stay tuned.

Read the Story HERE

Monday, March 19, 2007

Got Identities?

Brian Krebs has written a few articles recently focusing on how bad identity theft and credit card fraud really are. There are 2 facts that I find really hard to ignore, which are also really infuriating. The first is that, according to Symantec, the majority of the credit card trafficking is being done on servers located inside the USA. So what happened to that Patriot Act? Why are these criminals allowed to continue doing this, when clearly the FBI has the power to stop it? I know the logic they are using is that they are going after the kingpins and not the small fish, which makes sense. Except that tens of thousands of US citizens are getting their lives destroyed in the process. And even though they may take down a kingpin one day, another one pops up the next. So either way, US citizens are getting screwed. The second problem I have is that we are in fact subsidizing our own credit cards getting stolen. The credit card industry as a whole acknowledges fraud as an acceptable loss and simply passes on the costs to the customer. They even go so far as to sell us identity theft protection. That is completely ridiculous. Here's a novel idea: how about you make your product secure before selling it to the American public?

Read the Story HERE