Sunday, July 30, 2006

On Vacation

I am on vacation until September 10.

Friday, July 28, 2006

NTLMv2 and LMCompatibilityLevel

Although Windows Vista has not been released yet, it is worthwhile to point out some changes in this operating system related to these protocols. The most important change is that the LM protocol can no longer be used for inbound authentication—where Windows Vista is acting as the authentication server. Windows Vista will no longer store the LM hash by default. Acting as a client, Windows Vista also makes a change to outbound protocols by setting LMCompatibilityLevel to 3 by default. In other words, NTLMv2 will finally be the default protocol for non-domain authentication. In the next scheduled release of the Windows Server platform, code-named "Longhorn Server," a lot of work has been done to reduce the need for NTLM altogether. In Windows Server 2003, NTLM, and sometimes even LM, is used in many cases, such as in clusters. In the next version of the operating systems many of these protocols will finally be turned off by default.
Read Jesper Johansson's article on TechNet and the related weblog post.

Thursday, July 27, 2006

Biometric Security

Will there be a "biometric-of-choice", i.e. a technology dominating all biometric systems? The answer is most likely no. The reason is that no biometric trait is fully universal, permanent and unique at the same time. Today's most accurate technologies are based on characteristics of eyes and fingers that are highly unique and permanent in structure, but not completely universal. At the same time, none of the fully universal characteristics (e.g. faces and DNA) are sufficiently unique to distinguish between monozygotic twins. Faces are even highly variant with time.
Read the Biometric Security whitepaper (PDF, 111 pages, 1708 KB) by Bori Toth.

Wednesday, July 26, 2006

Internet Drive-By Shootings

The key requirement is that the attacker must be able to force the user to execute a small piece of Javascript code. There are a number of ways this can happen:
* Embed Javascript into a Flash-based banner ad
* Send an email to each user with a link to a web site
* Post a link inside blog comment spam
* Post a link inside a web forum comment
* Exploit an XSS issue to embed Javascript into a trusted web site
* Trigger a PostBack link into a high-profile blog
* Flood popular sites with bogus referrers
Read this post from the Metasploit blog.

Tuesday, July 25, 2006

No compensation for 'responsible disclosure': Microsoft

Microsoft has said it will not offer money to security researchers for responsibly disclosing vulnerabilities in its products... "I would speculate that if I am a vulnerability researcher and I have the option of, for example, a nice mention from Microsoft on an advisory under 'responsible disclosure' or pay off my mortgage; which one do I choose?" asked Ingram.
Read the zdnet.com.au article.

Monday, July 24, 2006

ISMS Implementation Guide

Various other tools that can be used for risk assessment are:
The document, by Vinod Kumar Puthuseeri, is in PDF format.

Sunday, July 23, 2006

Auditors and Security Policies

For years auditors have simply asked for something and they've received it. In today's corporate environment, Security plays a large role in determining whether the auditors' requests are compliant with security policies, standards, and guidelines. Each security manager has the responsibility to assist with audits as a means of protecting the organization as well as its employees, customers, and shareholders while not weakening system defenses. This requires patience as the auditors learn how to work within the new constraints we've imposed on them, and it's our job as security professionals to assist as much as possible in training our auditors on secure means to get the information they need.
Read Tom Olzak's weblog post.

Saturday, July 22, 2006

Cash for Exploits

Among the security firms who do business with bug writers are 3Com/TippingPoint's Zero Day Initiative, iDefense, and Digital Armaments. "They typically pay between $2,000 and $10,000 for these so they are able to better protect their clients from these exploits and work with vendors to help them develop protections," Maynor says.
Read the Dark Reading article (through ha.ckers).

Friday, July 21, 2006

Required Attributes of Security Solutions

Jesper Johansson writes:
I've been trying to come up with a list of attributes that a security solution needs to have to be complete and sufficient. The idea is to develop a set of attributes that can be used when analyzing security to see if it fulfills the needs of the situation.

Thursday, July 20, 2006

Biological Approaches to Computer Security Course (2005)

Course on the applicability of biological metaphors to computer security. Computer immunology, autonomic computing, and computer homeostasis are compared with traditional approaches to authentication, integrity, and intrusion detection. Relevant background biology will be presented. Students will design and critique new security mechanisms.
See the 'Daily class outline' on the page to find interesting articles. (through netsec)

Wednesday, July 19, 2006

Windows Vista Network Attack Surface Analysis

The network stack in Windows Vista was rewritten from the ground up. In deciding to rewrite the stack, Microsoft has removed a large body of tried and tested code and replaced it with freshly written code, complete with new corner cases and defects. This may provide for a more stable networking stack in the long term, but stability will suffer in the short term. Despite the claims of Microsoft developers, the Windows Vista network stack as it exists today is less stable than the earlier Windows XP stack. We have identified several implementation flaws in the 5270 Windows Vista build and even more in earlier builds, though these have been fixed in 5384. While it is reassuring that Microsoft is finding and fixing these defects, we expect that vulnerabilities will continue to be discovered for some time. A networking stack is a complex piece of software that takes many years to mature.
Read the PDF file and see their weblog post on it. See also the CNET News.com and DailyTech articles.

Tuesday, July 18, 2006

Internet Security Glossary, Version 2

$ security: ...
Parker suggests that providing a condition of system security may involve the following six basic functions [Park]; however, these functions overlap to some extent:
- "Deterrence": Reducing an intelligent threat by discouraging action, such as by fear or doubt. (See: attack, threat action.)
- "Avoidance": Reducing a risk by either reducing the value of the potential loss or reducing the probability that the loss will occur. (See: risk analysis. Compare: "risk avoidance" under "risk".)
- "Prevention": Impeding a security violation by using a countermeasure.
- "Detection": Determining that a security violation is impending, is in progress, or has recently occurred, and thus make it possible to reduce the potential loss. (See: intrusion detection.)
- "Recovery": Restoring a normal state of system operation by compensating for a security violation, possibly by eliminating or repairing its effects. (See: contingency plan, main entry for "recovery".)
- "Correction": Changing a security architecture to eliminate or reduce the risk of reoccurrence of a security violation or threat consequence, such as by eliminating a vulnerability.
Someone asked me about a good security glossary. See Internet Security Glossary, Version 2 (draft dated 20 March 2006, expiring 20 September 2006; obsoletes RFC 2828, FYI 36).

Monday, July 17, 2006

Wireless Networking for Small Businesses - Security Considerations

Unauthorized wireless network access is probably one of the biggest threats to small and medium sized businesses. This is described as a user from outside the company using the network. Unauthorized access can be something as simple as a neighboring business using the wireless LAN to access the Internet. If the unauthorized user is just surfing the Internet it would not present a very big problem except for potentially slowing your network down...
An InfosecWriters PDF article by Rusty Morgan. See also the Wikipedia page on wireless security.

Sunday, July 16, 2006

Comments on SANS CDX Briefing

1- Know the Network and Keep it Simple: Each additional device is another avenue of attack. The entire team must understand the network. Troubleshooting is easier with a simple design.
2- Deny by Default Policy: Only allow what is absolutely necessary. It's easier than blocking known bads.
3- Remove Unnecessary Services, Software, and User Accounts: What is the role of the computer? Remove unnecessary software completely.
4- Plan for Contingencies: All networks will eventually have a problem.
Read this on Richard Bejtlich's blog.

Saturday, July 15, 2006

Why Information Security is Hard - An Economic Perspective

In an ideal world, the removal of perverse economic incentives to create insecure systems would depoliticize most issues. Security engineering would then be a matter of rational risk management rather than risk dumping. But as information security is about power and money, the evaluator should not restrict herself to technical tools like cryptanalysis and information flow, but also apply economic tools such as the analysis of asymmetric information and moral hazard.
'Why Information Security is Hard - An Economic Perspective' by Ross Anderson (PDF; through the netsec blog).

Friday, July 14, 2006

Predicting the Number of Vulnerabilities that will be found in a Software

Want to know how many flaws will be in the next version of a software product? Using historical data, researchers at Colorado State University are attempting to build models that predict the number of flaws in a particular operating system or application... In an analysis to be presented at a secure computing conference in September... The latest research focuses on fitting an S-shaped curve to monthly vulnerability data, positing that a limited installed base and little knowledge of new software limits the finding of vulnerabilities in a just-released application, while exhaustion of the low-hanging fruit makes finding vulnerabilities in older products more difficult... The models used for prediction of future vulnerabilities assume that defect density--the number of software flaws per 1,000 lines of code--remains the same between software versions... (SecurityFocus.com, Page 1 and Page 2)
I chose this title: 'Predicting the Number of Vulnerabilities that will be found in a Software'. The real number of vulnerabilities existing in the software is not countable or predictable. By the way, I think they count the number of vulnerabilities discovered in the first few months after the release and predict the next months using statistical methods. Not too bad.
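The S-curve modelling described above, as an added example that is not code from the SecurityFocus article or from the Colorado State researchers: it assumes a plain logistic curve (this page does not give the exact model they fit), constructs twelve months of cumulative discovery counts, fits the three curve parameters by least squares, and predicts how many new vulnerabilities the following six months would bring. The function names, the parameter grid and the sample data are assumptions made here.

```python
import math

def logistic(t, K, r, t0):
    """Cumulative vulnerabilities found by month t under an assumed logistic S-curve.
    K is the fitted saturation level, NOT the true number of flaws in the code
    (which, as the post says, is not countable); r is the discovery rate and t0 the
    inflection month, where discovery is fastest."""
    return K / (1.0 + math.exp(-r * (t - t0)))

def fit_logistic(months, cumulative):
    """Least-squares fit of (K, r, t0) by exhaustive grid search, so the example
    needs only the standard library; a real analysis would use a nonlinear
    least-squares routine. Returns the grid point with the smallest squared error."""
    def sse(params):
        K, r, t0 = params
        return sum((logistic(t, K, r, t0) - y) ** 2 for t, y in zip(months, cumulative))
    grid = ((K, r / 10, t0)
            for K in range(50, 501, 10)      # saturation level 50..500
            for r in range(1, 21)            # rate 0.1..2.0 per month
            for t0 in range(1, 37))          # inflection month 1..36
    return min(grid, key=sse)

def predict_monthly(params, from_month, to_month):
    """Expected number of NEW vulnerabilities per month: the increments of the
    fitted cumulative curve, rounded to two decimals."""
    K, r, t0 = params
    return [round(logistic(t, K, r, t0) - logistic(t - 1, K, r, t0), 2)
            for t in range(from_month, to_month + 1)]

# Constructed data: 12 months of cumulative counts sampled from a curve with
# K=200, r=0.4, t0=8 and no noise, so the fit recovers the parameters exactly.
OBSERVED_MONTHS = list(range(1, 13))
OBSERVED_CUMULATIVE = [logistic(t, 200, 0.4, 8) for t in OBSERVED_MONTHS]

if __name__ == "__main__":
    params = fit_logistic(OBSERVED_MONTHS, OBSERVED_CUMULATIVE)
    print("fitted (K, r, t0):", params)
    print("predicted new vulnerabilities, months 13-18:", predict_monthly(params, 13, 18))
```

Note that the fit is only well constrained once the observed months reach past the inflection point; with just the first few months of a new release, the rising part of the curve fits almost any saturation level, which is the same limitation the quoted text mentions for just-released software.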

Thursday, July 13, 2006

Intrusion Detection Systems in Hospitals

As technology in the hospital environment continues to evolve and move forward, Intrusion Detection Systems must be an instrumental part of an organization's security posture. There is too much at risk, legally and organizationally, to not be aware of vulnerability exploits, attacks, and other threats. These are the kinds of things that we must monitor and track to ensure the integrity of our systems. Intrusion Detection is one tool that should be deployed to help maintain this integrity... Once we have an Intrusion Detection Solution in place, we must be ever vigilant in maintaining them to ensure optimal performance. IDS is an ever-evolving arena, so we must do everything that we can to ensure what we have works as efficiently and effectively as possible. Even with the most effective system possible, we are only helping to eliminate the risk. As stated by Cuvusoglu, Mishra, and Raghunathan, “even the best IDSs could only detect about 80% of the attacks”. Great care in the selection and placement of IDS in a hospital environment must be taken to fully realize its benefits. ('Intrusion Detection Systems in Hospitals: What, Why, and Where.')
I am aware of some famous HISs (Hospital Information Systems) developed and being used in Iran, and I must say that they are very poor on the security side. The Islamic Republic of Iran Ministry of Health and Medical Education is working on an 'Integrated Health Information System' which will be distributed country-wide, and I hope it will be better than those HISs.

Wednesday, July 12, 2006

Detailed Visual Guide To Penetration Testing

Security Investigator writes:
What's that? You really want a visual guide to penetration testing?... Something that could be printed out and be your all-in-one guide to penetration testing?... This is a must see!
See this. YAMR (Yet Another Must Read)!

Tuesday, July 11, 2006

Basic Journey of a Packet

The purpose of this introductory article is to take a basic look at the journey of a packet across the Internet, from packet creation to switches, routers, NAT, and the packet's traverse across the Internet. This topic is recommended for those who are new to the networking and security field and may not have a basic understanding of the underlying process. ('Basic journey of a packet')
TCP/IP is a boring topic, full of detailed explanations that make you ask yourself 'So what?'. If you are a newcomer, you should oblige yourself to learn it; so you must start somewhere, and this is an elementary somewhere!

Monday, July 10, 2006

Google Indexing Executable Files

Claudiu Spulber's original post:
See this, search for "Signature: 00004550" and you'll see about 200,000 results of executable files being indexed... Anyway, this must be a bug. I mean, what use is there in having executable files indexed, as in the View as HTML section there is no relevant information? Plus this is a security risk, even a high one, because sites full of spyware might use this redirect bug to have spyware executables indexed, and when the user clicks it, it automatically installs all the malware in the world.
googlesystem's detailed explanation:
Google indexes the file's headers and if you look at the cache, you'll see something like this:
WINDOWS EXECUTABLE
32bit for Windows 95 and Windows NT
Technical File Information:
Image File Header
Signature: 00004550
Machine: Intel 386
Number of Sections: 0003
Time Date Stamp: 3b7dc821
Symbols Pointer: 00000000
The Websense Security Labs blog explains how they have used this to find malicious Web sites (no direct link to the post):
We queried not only for the NT signature, but also for unique identifiers within the PE file format that would allude that the file was potentially malicious... Our results show that we were able to collect thousands of pieces of malicious binaries, mostly posted to newsgroups with false names that would normally trick a user, we found many on forum sites, as well as regular personal, educational, compromised, and underground sites. We also found several pieces of spyware on poker and casino sites. We found variants of the Bagel, and Mytob worms, various trojans, and many other malicious binaries... It should also be noted that although this is also a useful tool for other security research experts to discover malicious code, the potential for malcode authors to use it is also there.
And finally this article ('Google's Binary Search Helps Identify Malware') in PC World:
Google has seen this happen "on occasion," and is making an effort to shield users from this malicious software, a Google spokeswoman said... "I think the 'tricking your browser into running an executable file' trick is a little old," said Long, who wrote the book Google Hacking for Penetration Testers. "There are other more elegant attacks to worry about."
To index, or not to index: that is the question!
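The fields shown in Google's cache above are the COFF file header that follows the "PE\0\0" signature in a Windows executable. As an added example that is not code from the Google, googlesystem or Websense posts, here is a minimal Python parser for exactly those fields, with a constructed image that reproduces the quoted values; it is the kind of check a download gateway or mail filter can run to recognise an executable whatever its extension or content-type claims. The function names and the sample bytes are assumptions made here; the machine-type values come from the PE/COFF specification.

```python
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification; the cache
# sample quoted on the page shows the first one as "Intel 386".
MACHINE_NAMES = {0x014C: "Intel 386", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}

def parse_pe_file_header(data: bytes) -> dict:
    """Return the fields Google's cache displays for an indexed executable.
    Raises ValueError for anything that is not a PE image, so a caller scanning
    a download queue can tell 'not PE' apart from 'PE with odd fields'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ (DOS) header")
    # e_lfanew at offset 0x3C of the DOS header points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 + 20 > len(data):
        raise ValueError("e_lfanew points past end of data")
    sig = data[e_lfanew:e_lfanew + 4]
    if sig != b"PE\0\0":
        raise ValueError(f"not a PE image (signature {sig!r})")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, tstamp, symptr, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    try:
        link_time = datetime.fromtimestamp(tstamp, tz=timezone.utc).isoformat()
    except (OverflowError, OSError, ValueError):
        link_time = None   # some linkers store a hash here instead of a time
    return {
        # "Signature: 00004550" on the page is b"PE\0\0" read as a little-endian dword.
        "signature": f"{struct.unpack('<I', sig)[0]:08x}",
        "machine": MACHINE_NAMES.get(machine, f"unknown (0x{machine:04x})"),
        "number_of_sections": nsections,
        "time_date_stamp": f"{tstamp:08x}",
        "link_time_utc": link_time,
        "symbols_pointer": f"{symptr:08x}",
        "characteristics": chars,
    }

def is_pe_image(data: bytes) -> bool:
    """Convenience wrapper for filters that only need a yes/no answer."""
    try:
        parse_pe_file_header(data)
        return True
    except ValueError:
        return False

def make_sample_pe() -> bytes:
    """Constructed minimal image (constructed here, not a real file) that reproduces
    the header values quoted on the page: Intel 386, 3 sections, stamp 3b7dc821."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header right after DOS header
    file_header = struct.pack("<HHIIIHH", 0x014C, 3, 0x3B7DC821, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + file_header

if __name__ == "__main__":
    for name, value in parse_pe_file_header(make_sample_pe()).items():
        print(f"{name}: {value}")
```

The signature check is deliberately strict: a file whose e_lfanew lands on "NE" or "LE" is a 16-bit or VxD image, not a PE, and a file that is merely an MZ stub is rejected as well.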

Sunday, July 09, 2006

Is Effective Security Possible?

Roger A. Grimes' article ('Effective security isn't easy, but it is possible') introduces some fundamental points about security that are really useful. Mike Rothman's post ('Effective security - within reach?') about Roger's is useful too. But my question is: 'what is effective security?'

Roger Grimes says:
There are many companies -- small and large, five-person businesses and Fortune 100 conglomerates -- that follow these rules. And they live without a world of malware and malicious hackers. When I visit them, they tell me that it’s been years since a significant malicious event happened to their environments.
If he thinks that the above paragraph is the definition of effective security, he is mistaken. The DOD Dictionary of Military Terms defines 'security' as:
1. Measures taken by a military unit, activity, or installation to protect itself against all acts designed to, or which may, impair its effectiveness. 2. A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences. 3. With respect to classified matter, the condition that prevents unauthorized persons from having access to official information that is safeguarded in the interests of national security. (DOD: security)
For a more practical definition, Federal Standard 1037C (Telecom Glossary 2000) says:
1. A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences. 2. With respect to classified matter, the condition that prevents unauthorized persons from having access to official information that is safeguarded in the interests of national security. 3. Measures taken by a military unit, an activity or installation to protect itself against all acts designed to, or which may, impair its effectiveness. (FS-1037C)
Wikipedia's simple and clear definition of effective security is:
A secure system is a system which does exactly what we want it to do and nothing that we don't want it to do even when someone else tries to make it behave differently. (wikipedia.org - security)
Is 'effective security' something different from 'security'?
- If the answer is negative, then: "Effective security isn't easy and it is NOT possible." Just think about 0-day exploits, underground exploits and so on. 100% security is not possible (at least for now).
- If the answer is positive, he should tell me what 'effective security' is. 'Practicable security', in my view, is 'the maximum or best security you can achieve on a network using all of the resources available for securing it.' When you do 'practicable security', it may not be so 'effective' against hostile acts. I have no idea what 'effective security' is.

The next question is: 'Is it possible to make the network secure enough only by using the points he has recommended?' For example, consider that software A is inherently insecure, B is secure, and you cannot change A to become secure. The company is using A and doesn't want to switch to B. 'Does my effort (based on his article) make the network secure enough when there is some insecure software running on it?'

Saturday, July 08, 2006

How to Bypass BIOS Passwords

BIOS passwords can add an extra layer of security for desktop and laptop computers, and are used to either prevent a user from changing the BIOS settings or to prevent the PC from booting without a password. BIOS passwords can also be a liability if a user forgets their password, or if a malicious user changes the password. Sending the unit back to the manufacturer to have the BIOS reset can be expensive and is usually not covered in a typical warranty. However, there are a few known backdoors and other tricks of the trade that can be used to bypass or reset the BIOS password on most systems. ('How to Bypass BIOS Passwords')
See also Elf Qrin's article and the i-hacked article (mirrored from abmice.techtarget.com). Also check this and this from Computer Hope. They are all similar, but I hesitated to choose one!

Friday, July 07, 2006

HP Active Countermeasures (HPAC) Service

I have been aware of HP's 'Active Countermeasures' since 2005. I believe that HP-UX is a very insecure Unix (compared to other famous ones), but they want to be active in securing other servers with various operating systems. Believe it or not, HP is planning to offer a penetration testing service to customers:
The HPAC team will use hacking techniques to gain control of clients' systems. They will use exploit code for known vulnerabilities found on the Internet, or write their own exploit code. The HPAC team won't fix problems themselves, but will alert customers and work with them if necessary until the issue is resolved. "We're most concerned with 'wormable' vulnerabilities — ones that can be exploited using worms, as they have the largest impact on business," said Brown. ('HP: Hacking techniques help security')
Yes, they will write their own exploit code if necessary. First, Mr. Scriptkiddy registers for the service. Then he monitors and logs what HPAC performs on his machine. Then he has HPAC's for-testing-purposes-only exploit code. Finally, he uses it against other machines. HP will be his fresh source of new exploits.

Thursday, July 06, 2006

SSH/OpenSSH for New Comers

One of my friends (Modjtaba) has written a post on his Persian computer weblog about OpenSSH and how blindly some sudo-sysadmins are using it. His post encouraged me to look for some basic tutorials about SSH/OpenSSH, and I found these for beginners:

- openssh.com: official site
- aperiodic.net: Simple SSH Tutorial Outline
- suso.org: SSH Tutorial for Linux
- openbsd.org: ssh man page
- netbsd.gw.com: ssh man page
- jakilinux.org: SSH tricks
- linuxjournal.com: The 101 Uses of OpenSSH part1
- linuxjournal.com: The 101 Uses of OpenSSH part2
- suominen.com: Getting started with SSH
- linuxjournal.com: Eleven SSH Tricks
- wikipedia.org: SSH
- wikipedia.org: OpenSSH
- ibm.com: OpenSSH key management, Part 1
- ibm.com: OpenSSH key management, Part 2
- ibm.com: OpenSSH key management, Part 3
- windowsecurity.com: SSH
- csociety.org: SSH slides by Seth Heckard
- gatech.edu: Secure Shell (SSH) Tutorial

May help someone...

Wednesday, July 05, 2006

Using Fuzzing to Detect Security Vulnerabilities

Besides all the advantages that fuzzing techniques offer, it is important to note that fuzzing is not a universal method for security vulnerability detection. In order to detect a certain security vulnerability, the target application has a set of specific conditions for which the fuzzing tool might not be used. In cases like this, some other methods have to be applied, depending on the type of security vulnerability that is being analyzed. When network applications are being discussed, it is important to note that the fuzzing technique is very useful for general testing of the application's stability, as tests like these can be destructive.
Leon Juranic's article (through Gadi Evron's post on the SecuriTeam blogs). It is a practical article.
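The caveat above, that a target has preconditions a fuzzer may never satisfy, is easy to see on a small parser. As an added example that is not code from Juranic's article, the toy protocol below protects its payload with a CRC32 and only parses records after the checksum passes; the record parser has a planted length-field bug. A blind byte-flipping fuzzer never reaches the bug, because every mutation breaks the checksum, while a structure-aware mutator that re-frames and re-checksums each case finds it. The wire format, the function names and the seed message are assumptions made here; the mutation set is the usual boundary-value list.

```python
import struct
import zlib

# Toy wire format (constructed for this example):
#   [len:1][payload:len][crc32(payload):4, little-endian]
# payload = [record_count:1][record_count * (key:1, value:1)]
INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)   # classic boundary bytes

def build_message(payload: bytes) -> bytes:
    """Frame a payload the way a well-behaved client would."""
    return bytes([len(payload)]) + payload + struct.pack("<I", zlib.crc32(payload))

def parse_message(msg: bytes) -> list:
    """Validate framing and checksum, then parse key/value records.
    The record loop trusts record_count, so an oversized count reads past the
    payload and raises IndexError: the planted bug standing in for an
    out-of-bounds read in a native implementation."""
    if len(msg) < 6:
        raise ValueError("too short")
    length = msg[0]
    payload = msg[1:1 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    (crc,) = struct.unpack_from("<I", msg, 1 + length)
    if crc != zlib.crc32(payload):
        raise ValueError("bad checksum")          # precondition a blind fuzzer cannot meet
    records = []
    count = payload[0]
    for i in range(count):
        off = 1 + 2 * i
        records.append((payload[off], payload[off + 1]))
    return records

def payload_mutants(payload: bytes):
    """Deterministic single-byte mutations, like a fuzzer's deterministic stage."""
    for i in range(len(payload)):
        for v in INTERESTING:
            if payload[i] != v:
                yield payload[:i] + bytes([v]) + payload[i + 1:]

def fuzz(seed_payload: bytes, structure_aware: bool) -> dict:
    """Run every mutant through the parser and tally outcomes.
    structure_aware=False: mutate payload bytes inside the framed message and
    leave the CRC alone, as a blind byte-flipper would.
    structure_aware=True: re-frame and re-checksum each mutant so the parser's
    precondition holds and the record logic is actually exercised."""
    tally = {"rejected": 0, "parsed": 0, "crashes": 0}
    seed_msg = build_message(seed_payload)
    for mutant in payload_mutants(seed_payload):
        if structure_aware:
            msg = build_message(mutant)
        else:
            msg = seed_msg[:1] + mutant + seed_msg[1 + len(mutant):]
        try:
            parse_message(msg)
            tally["parsed"] += 1
        except ValueError:
            tally["rejected"] += 1
        except IndexError:
            tally["crashes"] += 1
    return tally

SEED_PAYLOAD = bytes([0x02, 0x10, 0x20, 0x30, 0x40])   # constructed: two valid records

if __name__ == "__main__":
    print("blind byte flipping :", fuzz(SEED_PAYLOAD, structure_aware=False))
    print("structure-aware     :", fuzz(SEED_PAYLOAD, structure_aware=True))
```

The same reasoning applies to length prefixes, compression, encryption and authentication tags in real protocols: unless the fuzzer knows how to recompute or bypass them, the code behind the check is never tested, and a clean run says nothing about it.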

Tuesday, July 04, 2006

AJAX Security (XMLHTTPRequest and IFrame objects)

Ajax security will be an important topic in the near future (despite being a technology several years old). Web-based applications are going to be rewritten using Ajax. But in my opinion there is little difference between a classic web-based application and an Ajax-based one as far as security considerations go. The danger arises when you try to do server-side checking (input validation, ...) on the client side (using Ajax, or JavaScript in general). We will not encounter new exploitation mechanisms; instead, existing techniques will be used more often against Ajax, because Ajax increases the complexity of the code.

This article from it-observer.com is worth reading. See also this article from SecurityFocus, this one, this, this, this, and finally Max Kieler's post for related links.
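The point above, that validation done in the browser is not validation at all, can be shown with one server endpoint in two versions. This is an added example and not code from any of the linked articles: it assumes an Ajax front end that POSTs a JSON body to a transfer endpoint and sets a "validated" flag after its own JavaScript checks pass. The vulnerable handler trusts that flag; the hardened one ignores everything the client claims and re-runs the same rules on the server. The endpoint, field names and sample requests are assumptions made here.

```python
import json

def validate_transfer(amount, account):
    """The rules the page's JavaScript would enforce in the browser. Returns a
    list of error strings; empty means the request is acceptable."""
    errors = []
    if not isinstance(amount, int) or isinstance(amount, bool) or not 0 < amount <= 10_000:
        errors.append("amount must be an integer in 1..10000")
    if not (isinstance(account, str) and account.isdigit() and len(account) == 8):
        errors.append("account must be exactly 8 digits")
    return errors

def transfer_trusting_client(body: str) -> dict:
    """Vulnerable: assumes the browser script ran, because the request says so.
    Anyone with a proxy or the browser console can set that flag themselves."""
    req = json.loads(body)
    if not req.get("validated"):
        return {"status": 400, "error": "run validation first"}
    return {"status": 200, "moved": req["amount"], "to": req["account"]}

def transfer_revalidating(body: str) -> dict:
    """Hardened: the client-side check is only a usability feature; the server
    re-applies the same rules and never reads the 'validated' flag."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return {"status": 400, "error": "malformed JSON"}
    errors = validate_transfer(req.get("amount"), req.get("account"))
    if errors:
        return {"status": 400, "error": "; ".join(errors)}
    return {"status": 200, "moved": req["amount"], "to": req["account"]}

# Constructed requests: what the page's script would send, and what a client
# that never ran the script (or edited the request afterwards) can send instead.
HONEST_REQUEST = json.dumps({"amount": 250, "account": "12345678", "validated": True})
FORGED_REQUEST = json.dumps({"amount": -999999, "account": "99-ADMIN", "validated": True})

if __name__ == "__main__":
    print("trusting client, forged request :", transfer_trusting_client(FORGED_REQUEST))
    print("revalidating,    forged request :", transfer_revalidating(FORGED_REQUEST))
```

Keeping the rules in one function that both the browser (via an equivalent JavaScript copy) and the server use is the usual way to get the responsiveness Ajax promises without letting the browser become the only gate.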

Monday, July 03, 2006

Power Users in Windows are Potential Administrators

Jesper Johansson's post:
Power Users are simply Administrators who have not made themselves Administrators yet. There are access control lists, privileges, and other settings all over the OS that allow them to do so. Making someone a Power User only makes it marginally more difficult to shoot yourself in the foot. It does not actually limit their privileges, nor does it protect them from malware, which can typically run just fine with Power User privilege.
and Mark Russinovich's detailed explanation:
I’d now finished the major phase of my investigation and just confirmed what everyone has been saying: a determined member of the Power Users group can fairly easily make themselves full administrator using exploits in the operating system and ones created by third-party applications.
I have felt over time that Microsoft is reducing the power of the 'Power Users' group step by step and pushing it down so that it is not so close to 'Administrators'. By the way, I must say that putting someone in the 'Power Users' group is better than giving him Administrative privileges; and then I must emphasize again that 'Power Users in Windows are Potential Administrators'. Mark Russinovich's post is really informative and insightful. Yet another must read (YAMR).

Sunday, July 02, 2006

Penetration Tester Hiring Made Easy!

A useful post 'Get Hired as a Penetration Tester' in 'A Day in the Life of an Information Security Investigator' blog.

I had something similar in mind for finding security collaborators for my security projects, but this will help me a lot. It also has a list of useful security and pen-test tools and a list of well-known security certifications. A must read.

Update: see also penetration-testing.com

Saturday, July 01, 2006

IPsec and 'Server and Domain Isolation (windows)'

You can mitigate some of the risks associated with unauthorized and potentially unfriendly access to your network and its resources by creating an isolated network... To isolate the authorized and managed computers from the other computers on your network, you can create an isolated network; a set of network nodes whose grouping is independent of the physical network topology. [1-] You can create an isolated network based on the Physical layer of the Open Systems Interconnection (OSI) model, in which you run a separate cabling system for the isolated network... [2-] You can also create an isolated network based on the Data Link layer of the OSI model, in which you use Layer 2 switches and virtual LAN (VLAN) technology to create logical network segments by grouping computers regardless of their physical connection to a set of switches. With VLAN technology, you can also create an isolated network based on the Network layer of the OSI model, in which you create logical subnets and define the routing between the subnets. [3-] With the Microsoft® Windows® operating systems, you can logically isolate your domain and server resources to limit access to authenticated and authorized computers. Windows-based network isolation occurs at the Network layer of the OSI model [He means based on IPsec, not a new invention as you may feel from the text!]... (Server and Domain Isolation main page Microsoft)
These links are enough; no need for my explanation:
+ Improving Security with Domain Isolation: Microsoft IT implements IP Security (IPsec)
+ James Morey's blog: IPsec and Domain Isolation; related posts: 1, 2, 3
+ IPsec in wikipedia
+ An Illustrated Guide to IPsec
+ OpenBSD: IPsec man page; see also isakmpd(8)
+ NetBSD: IPsec man page; see also racoon(8)